From: Josh Law <hlcj1234567@gmail.com>
To: Matthew Wilcox <willy@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>
Cc: linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, Josh Law <objecting@objecting.org>
Subject: [PATCH v3 1/2] lib/idr: fix infinite loop in idr_get_next()
Date: Thu, 12 Mar 2026 18:19:47 +0000 [thread overview]
Message-ID: <20260312181948.20020-2-objecting@objecting.org> (raw)
In-Reply-To: <20260312181948.20020-1-objecting@objecting.org>
In idr_get_next(), if the returned id from idr_get_next_ul() is greater
than INT_MAX, the function issues a warning and returns NULL without
updating the *nextid pointer. This causes a soft lockup for any caller
iterating over an IDR (e.g. via idr_for_each_entry) because they will
receive NULL, fail to advance their index, and repeatedly query the same
state forever.
Fix this by setting *nextid to INT_MAX when the bounds check fails,
ensuring the caller's iteration will terminate.
Also update the idr_get_next() test case in the radix-tree test suite
to expect INT_MAX instead of 0 when hitting this condition.
Signed-off-by: Josh Law <objecting@objecting.org>
---
lib/idr.c | 4 +++-
tools/testing/radix-tree/idr-test.c | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/idr.c b/lib/idr.c
index f25bd2b9e9a4..07098eb4ddc3 100644
--- a/lib/idr.c
+++ b/lib/idr.c
@@ -268,8 +268,10 @@ void *idr_get_next(struct idr *idr, int *nextid)
unsigned long id = *nextid;
void *entry = idr_get_next_ul(idr, &id);
- if (WARN_ON_ONCE(id > INT_MAX))
+ if (WARN_ON_ONCE(id > INT_MAX)) {
+ *nextid = INT_MAX;
return NULL;
+ }
*nextid = id;
return entry;
}
diff --git a/tools/testing/radix-tree/idr-test.c b/tools/testing/radix-tree/idr-test.c
index 945144e98507..bf6a0da6a50a 100644
--- a/tools/testing/radix-tree/idr-test.c
+++ b/tools/testing/radix-tree/idr-test.c
@@ -213,7 +213,7 @@ void idr_u32_test1(struct idr *idr, u32 handle)
ptr = idr_get_next(idr, &sid);
if (id > INT_MAX) {
BUG_ON(ptr != NULL);
- BUG_ON(sid != 0);
+ BUG_ON(sid != INT_MAX);
} else {
BUG_ON(ptr != DUMMY_PTR);
BUG_ON(sid != id);
--
2.34.1
next prev parent reply other threads:[~2026-03-12 18:19 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-12 18:19 [PATCH v3 0/2] lib/idr: Fixes for infinite loop and memory leak Josh Law
2026-03-12 18:19 ` Josh Law [this message]
2026-03-12 20:55 ` [PATCH v3 1/2] lib/idr: fix infinite loop in idr_get_next() Andrew Morton
2026-03-12 20:57 ` Josh Law
2026-03-12 21:15 ` Josh Law
2026-03-12 18:19 ` [PATCH v3 2/2] lib/idr: fix memory leak in ida_alloc_range() error path Josh Law
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260312181948.20020-2-objecting@objecting.org \
--to=hlcj1234567@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=objecting@objecting.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.