From: Josh Law
To: Liam Howlett, Matthew Wilcox
Cc: Alice Ryhl, Andrew Ballance, Andrew Morton, stable@vger.kernel.org, linux-kernel@vger.kernel.org, Josh Law
Subject: [PATCH v3] lib/maple_tree: fix swapped arguments in mas_safe_pivot() call
Date: Fri, 6 Mar 2026 22:58:49 +0000
Message-ID: <20260306225849.2824409-1-objecting@objecting.org>

From: Josh Law

The call to mas_safe_pivot() in mas_wr_extend_null() has the pivot index
and maple type arguments swapped. The function signature expects
(mas, pivots, piv, type) but the call passes (mas, pivots, type, piv).
This causes the pivot index to be interpreted as a maple node type and
vice versa, leading to incorrect pivot lookups.

In practice, this means a null-extending store into a maple tree node
can read the wrong pivot value, potentially corrupting the range tracked
by the maple state. For a VMA maple tree, this could cause an incorrect
vm_area_struct range to be returned during operations like mmap or
munmap, leading to silent memory mapping corruption.

Every other mas_safe_pivot() call site in the file passes the arguments
in the correct (piv, type) order; this is the only one with them
reversed.

Link: https://lkml.kernel.org/r/20260306200820.2819999-1-objecting@objecting.org
Fixes: 54a611b60590 ("Maple Tree: add new data structure")
Signed-off-by: Josh Law Cc: stable@vger.kernel.org Cc: Alice Ryhl Cc: Andrew Ballance Cc: Liam Howlett Signed-off-by: Andrew Morton --- Changes in v3: - Included a changelog detailing modifications since v1. Changes in v2: - Added Link, Fixes, and Cc tags (including stable@vger.kernel.org) to the commit message. - Appended Andrew Morton's Signed-off-by to expedite merging. lib/maple_tree.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/maple_tree.c b/lib/maple_tree.c index 5aa4c9500018..f82000821293 100644 --- a/lib/maple_tree.c +++ b/lib/maple_tree.c @@ -3279,7 +3279,7 @@ static inline void mas_extend_spanning_null(struct ma_wr_state *l_wr_mas, (r_mas->last < r_mas->max) && !mas_slot_locked(r_mas, r_wr_mas->slots, r_mas->offset + 1)) { r_mas->last = mas_safe_pivot(r_mas, r_wr_mas->pivots, - r_wr_mas->type, r_mas->offset + 1); + r_mas->offset + 1, r_wr_mas->type); r_mas->offset++; } } -- 2.43.0
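
Review bot: The changelog names mas_wr_extend_null() as the function with the swapped call, but the @@ -3279 hunk header places the changed call in mas_extend_spanning_null(); please make the commit message name the function the hunk actually touches, so that the Fixes: tag and the stable backport can be matched to the right code. The new argument order, r_mas->offset + 1 followed by r_wr_mas->type, does match the (mas, pivots, piv, type) signature quoted in the message. Separately, the v2 notes say Andrew Morton's Signed-off-by was appended by the submitter "to expedite merging"; a sign-off should be added by the person it names, so drop it from the submission.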