FAILED: patch "[PATCH] maple_tree: fix mas_empty_area_rev() null pointer dereference" failed to apply to 6.1-stable tree

FAILED: patch "[PATCH] maple_tree: fix mas_empty_area_rev() null pointer dereference" failed to apply to 6.1-stable tree

[gregkh]

The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 955a923d2809803980ff574270f81510112be9cf
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2024051347-uncross-jockstrap-5ce0@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..

Possible dependencies:

955a923d2809 ("maple_tree: fix mas_empty_area_rev() null pointer dereference")
29ad6bb31348 ("maple_tree: fix allocation in mas_sparse_area()")
fad8e4291da5 ("maple_tree: make maple state reusable after mas_empty_area_rev()")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 955a923d2809803980ff574270f81510112be9cf Mon Sep 17 00:00:00 2001
From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
Date: Mon, 22 Apr 2024 16:33:49 -0400
Subject: [PATCH] maple_tree: fix mas_empty_area_rev() null pointer dereference

Currently the code calls mas_start() followed by mas_data_end() if the
maple state is MA_START, but mas_start() may return with the maple state
node == NULL.  This will lead to a null pointer dereference when checking
information in the NULL node, which is done in mas_data_end().

Avoid setting the offset if there is no node by waiting until after the
maple state is checked for an empty or single entry state.

A user could trigger the events to cause a kernel oops by unmapping all
vmas to produce an empty maple tree, then mapping a vma that would cause
the scenario described above.

Link: https://lkml.kernel.org/r/20240422203349.2418465-1-Liam.Howlett@oracle.com
Fixes: 54a611b60590 ("Maple Tree: add new data structure")
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Reported-by: Marius Fleischer <fleischermarius@gmail.com>
Closes: https://lore.kernel.org/lkml/CAJg=8jyuSxDL6XvqEXY_66M20psRK2J53oBTP+fjV5xpW2-R6w@mail.gmail.com/
Link: https://lore.kernel.org/lkml/CAJg=8jyuSxDL6XvqEXY_66M20psRK2J53oBTP+fjV5xpW2-R6w@mail.gmail.com/
Tested-by: Marius Fleischer <fleischermarius@gmail.com>
Tested-by: Sidhartha Kumar <sidhartha.kumar@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/lib/maple_tree.c b/lib/maple_tree.c
index 55e1b35bf877..2d7d27e6ae3c 100644
--- a/lib/maple_tree.c
+++ b/lib/maple_tree.c
@@ -5109,18 +5109,18 @@ int mas_empty_area_rev(struct ma_state *mas, unsigned long min,
 	if (size == 0 || max - min < size - 1)
 		return -EINVAL;
 
-	if (mas_is_start(mas)) {
+	if (mas_is_start(mas))
 		mas_start(mas);
-		mas->offset = mas_data_end(mas);
-	} else if (mas->offset >= 2) {
-		mas->offset -= 2;
-	} else if (!mas_rewind_node(mas)) {
+	else if ((mas->offset < 2) && (!mas_rewind_node(mas)))
 		return -EBUSY;
-	}
 
-	/* Empty set. */
-	if (mas_is_none(mas) || mas_is_ptr(mas))
+	if (unlikely(mas_is_none(mas) || mas_is_ptr(mas)))
 		return mas_sparse_area(mas, min, max, size, false);
+	else if (mas->offset >= 2)
+		mas->offset -= 2;
+	else
+		mas->offset = mas_data_end(mas);
+
 
 	/* The start of the window can only be within these values. */
 	mas->index = min;

Re: FAILED: patch "[PATCH] maple_tree: fix mas_empty_area_rev() null pointer dereference" failed to apply to 6.1-stable tree

[Liam R. Howlett]

* gregkh@linuxfoundation.org <gregkh@linuxfoundation.org> [240513 09:30]:
> 
> The patch below does not apply to the 6.1-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@vger.kernel.org>.
> 
> To reproduce the conflict and resubmit, you may use the following commands:
> 
> git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
> git checkout FETCH_HEAD
> git cherry-pick -x 955a923d2809803980ff574270f81510112be9cf
> # <resolve conflicts, build, test, etc.>
> git commit -s
> git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2024051347-uncross-jockstrap-5ce0@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
> 
> Possible dependencies:
> 
> 955a923d2809 ("maple_tree: fix mas_empty_area_rev() null pointer dereference")
> 29ad6bb31348 ("maple_tree: fix allocation in mas_sparse_area()")
   ^- This patch is needed, and has a fixes tag.  I'm not entirely sure
   why it wasn't included in 6.1 already, but it applies cleanly and
   fixes the issue with 955a923d2809.

> fad8e4291da5 ("maple_tree: make maple state reusable after mas_empty_area_rev()")

Thanks,
Liam

Re: FAILED: patch "[PATCH] maple_tree: fix mas_empty_area_rev() null pointer dereference" failed to apply to 6.1-stable tree

[Greg KH]

On Thu, May 23, 2024 at 03:45:22PM -0400, Liam R. Howlett wrote:
> * gregkh@linuxfoundation.org <gregkh@linuxfoundation.org> [240513 09:30]:
> > 
> > The patch below does not apply to the 6.1-stable tree.
> > If someone wants it applied there, or to any other stable or longterm
> > tree, then please email the backport, including the original git commit
> > id to <stable@vger.kernel.org>.
> > 
> > To reproduce the conflict and resubmit, you may use the following commands:
> > 
> > git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
> > git checkout FETCH_HEAD
> > git cherry-pick -x 955a923d2809803980ff574270f81510112be9cf
> > # <resolve conflicts, build, test, etc.>
> > git commit -s
> > git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2024051347-uncross-jockstrap-5ce0@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
> > 
> > Possible dependencies:
> > 
> > 955a923d2809 ("maple_tree: fix mas_empty_area_rev() null pointer dereference")
> > 29ad6bb31348 ("maple_tree: fix allocation in mas_sparse_area()")
>    ^- This patch is needed, and has a fixes tag.  I'm not entirely sure
>    why it wasn't included in 6.1 already, but it applies cleanly and
>    fixes the issue with 955a923d2809.

"Fixes:" tags does not mean "will always end up in stable".  Please
read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

> > fad8e4291da5 ("maple_tree: make maple state reusable after mas_empty_area_rev()")

So you want us to take all of these?  Or just the one?

thanks,

greg k-h

Re: FAILED: patch "[PATCH] maple_tree: fix mas_empty_area_rev() null pointer dereference" failed to apply to 6.1-stable tree

[Liam R. Howlett]

* Greg KH <gregkh@linuxfoundation.org> [240524 00:10]:
> On Thu, May 23, 2024 at 03:45:22PM -0400, Liam R. Howlett wrote:
> > * gregkh@linuxfoundation.org <gregkh@linuxfoundation.org> [240513 09:30]:
> > > 
> > > The patch below does not apply to the 6.1-stable tree.
> > > If someone wants it applied there, or to any other stable or longterm
> > > tree, then please email the backport, including the original git commit
> > > id to <stable@vger.kernel.org>.
> > > 
> > > To reproduce the conflict and resubmit, you may use the following commands:
> > > 
> > > git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
> > > git checkout FETCH_HEAD
> > > git cherry-pick -x 955a923d2809803980ff574270f81510112be9cf
> > > # <resolve conflicts, build, test, etc.>
> > > git commit -s
> > > git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2024051347-uncross-jockstrap-5ce0@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
> > > 
> > > Possible dependencies:
> > > 
> > > 955a923d2809 ("maple_tree: fix mas_empty_area_rev() null pointer dereference")
> > > 29ad6bb31348 ("maple_tree: fix allocation in mas_sparse_area()")
> >    ^- This patch is needed, and has a fixes tag.  I'm not entirely sure
> >    why it wasn't included in 6.1 already, but it applies cleanly and
> >    fixes the issue with 955a923d2809.
> 
> "Fixes:" tags does not mean "will always end up in stable".  Please
> read:
>     https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> for how to do this properly.

Thank you.  The Cc of stable was missing but wasn't required at the
time, so this patch was not taken and wasn't necessary.  It's better to
take it now.

> 
> > > fad8e4291da5 ("maple_tree: make maple state reusable after mas_empty_area_rev()")
> 
> So you want us to take all of these?  Or just the one?

Apologies for not being clear.

The last patch in the list (fad8e4291da5) is reported to be an empty
cherry-pick and stable was Cc'ed on that fix.

Please apply:
29ad6bb31348 ("maple_tree: fix allocation in mas_sparse_area()")
then
955a923d2809 ("maple_tree: fix mas_empty_area_rev() null pointer dereference")

Regards,
Liam

Re: FAILED: patch "[PATCH] maple_tree: fix mas_empty_area_rev() null pointer dereference" failed to apply to 6.1-stable tree

[Greg KH]

On Fri, May 24, 2024 at 09:03:15AM -0400, Liam R. Howlett wrote:
> * Greg KH <gregkh@linuxfoundation.org> [240524 00:10]:
> > On Thu, May 23, 2024 at 03:45:22PM -0400, Liam R. Howlett wrote:
> > > * gregkh@linuxfoundation.org <gregkh@linuxfoundation.org> [240513 09:30]:
> > > > 
> > > > The patch below does not apply to the 6.1-stable tree.
> > > > If someone wants it applied there, or to any other stable or longterm
> > > > tree, then please email the backport, including the original git commit
> > > > id to <stable@vger.kernel.org>.
> > > > 
> > > > To reproduce the conflict and resubmit, you may use the following commands:
> > > > 
> > > > git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
> > > > git checkout FETCH_HEAD
> > > > git cherry-pick -x 955a923d2809803980ff574270f81510112be9cf
> > > > # <resolve conflicts, build, test, etc.>
> > > > git commit -s
> > > > git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2024051347-uncross-jockstrap-5ce0@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
> > > > 
> > > > Possible dependencies:
> > > > 
> > > > 955a923d2809 ("maple_tree: fix mas_empty_area_rev() null pointer dereference")
> > > > 29ad6bb31348 ("maple_tree: fix allocation in mas_sparse_area()")
> > >    ^- This patch is needed, and has a fixes tag.  I'm not entirely sure
> > >    why it wasn't included in 6.1 already, but it applies cleanly and
> > >    fixes the issue with 955a923d2809.
> > 
> > "Fixes:" tags does not mean "will always end up in stable".  Please
> > read:
> >     https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> > for how to do this properly.
> 
> Thank you.  The Cc of stable was missing but wasn't required at the
> time, so this patch was not taken and wasn't necessary.  It's better to
> take it now.
> 
> > 
> > > > fad8e4291da5 ("maple_tree: make maple state reusable after mas_empty_area_rev()")
> > 
> > So you want us to take all of these?  Or just the one?
> 
> Apologies for not being clear.
> 
> The last patch in the list (fad8e4291da5) is reported to be an empty
> cherry-pick and stable was Cc'ed on that fix.
> 
> Please apply:
> 29ad6bb31348 ("maple_tree: fix allocation in mas_sparse_area()")
> then
> 955a923d2809 ("maple_tree: fix mas_empty_area_rev() null pointer dereference")

Now done, thanks.

greg k-h