[PATCH 1/1] ipc: limit next_id allocation to the valid ID range
From: Ren Wei
Date: Sun May 10 2026 - 01:43:50 EST
From: Linpu Yu <linpu5433@xxxxxxxxx>
The checkpoint/restore sysctl path can request the next SysV IPC id
through ids->next_id. ipc_idr_alloc() currently forwards that request
to idr_alloc() with an open-ended upper bound.

If the valid tail of the SysV IPC id space is full, the allocation can
spill beyond ipc_mni. The returned SysV IPC id still uses the normal
index encoding, so later lookup and removal can target the wrong slot.
This leaves the real IDR entry behind and breaks the IDR state for the
object.

Prevent that by bounding the requested allocation to ipc_mni so the
checkpoint/restore path fails once the valid range is exhausted.
Fixes: 03f595668017 ("ipc: add sysctl to specify desired next object id")
Cc: stable@xxxxxxxxxx
Reported-by: Yuan Tan <yuantan098@xxxxxxxxx>
Reported-by: Yifan Wu <yifanwucs@xxxxxxxxx>
Reported-by: Juefei Pu <tomapufckgml@xxxxxxxxx>
Reported-by: Xin Liu <bird@xxxxxxxxxx>
Signed-off-by: Linpu Yu <linpu5433@xxxxxxxxx>
Signed-off-by: Ren Wei <n05ec@xxxxxxxxxx>
---
ipc/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipc/util.c b/ipc/util.c
index 9eb89820594e..1737d776bc08 100644
--- a/ipc/util.c
+++ b/ipc/util.c
@@ -253,7 +253,7 @@ static inline int ipc_idr_alloc(struct ipc_ids *ids, struct kern_ipc_perm *new)
} else {
new->seq = ipcid_to_seqx(next_id);
idx = idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id),
- 0, GFP_NOWAIT);
+ ipc_mni, GFP_NOWAIT);
}
if (idx >= 0)
new->id = (new->seq << ipcmni_seq_shift()) + idx;
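Review bot: the `end` argument of idr_alloc() is exclusive, so the new `ipc_mni` bound keeps idx in [ipcid_to_idx(next_id), ipc_mni) and the value encoded into `new->id` below can no longer carry an index past the valid range; a one-line comment above the call (e.g. "/* bound to ipc_mni: an idx past the valid range would be misencoded in new->id */") would make the change from `0` self-explanatory, and the commit message should spell out that a full tail now surfaces to the checkpoint/restore caller as -ENOSPC from idr_alloc() rather than as a silently spilled id.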
--
2.43.0