public inbox for stable@vger.kernel.org
From: Andrew Morton <akpm@linux-foundation.org>
To: mm-commits@vger.kernel.org,willy@infradead.org,stable@vger.kernel.org,liam.howlett@oracle.com,andrewjballance@gmail.com,aliceryhl@google.com,boudewijn@delta-utec.com,akpm@linux-foundation.org
Subject: + maple_tree-add-dead-node-check-in-mas_dup_alloc.patch added to mm-hotfixes-unstable branch
Date: Mon, 05 Jan 2026 17:33:54 -0800
Message-ID: <20260106013355.15148C16AAE@smtp.kernel.org>



The patch titled
     Subject: maple_tree: add dead node check in mas_dup_alloc()
has been added to the -mm mm-hotfixes-unstable branch.  Its filename is
     maple_tree-add-dead-node-check-in-mas_dup_alloc.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/maple_tree-add-dead-node-check-in-mas_dup_alloc.patch

This patch will later appear in the mm-hotfixes-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via various
branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there most days

------------------------------------------------------
From: Boudewijn van der Heide <boudewijn@delta-utec.com>
Subject: maple_tree: add dead node check in mas_dup_alloc()
Date: Sat, 3 Jan 2026 17:57:58 +0100

__mt_dup() is exported and can be called without internal locking, relying
on the caller to provide appropriate synchronization.  If a caller fails
to hold proper locks, the source tree may be modified concurrently,
potentially resulting in dead nodes during traversal.

The call stack is:
  __mt_dup()
    → mas_dup_build()
      → mas_dup_alloc()  [accesses node->slot[]]

mas_dup_alloc() may access node slots without first verifying that the
node is still alive.  If a dead node is encountered, its memory layout may
have been switched to the RCU union member, making slot array access
undefined behavior as we would be reading from the rcu_head structure
instead.

If __mt_dup() is invoked without the required external locking and the
source tree is concurrently modified, a node can transition to the dead
RCU layout while mas_dup_alloc() is still traversing it.  In that case the
code may interpret the rcu_head contents as slot pointers.

Practically, this could lead to invalid pointer dereferences (kernel oops)
or corruption of the duplicated tree.  Depending on how that duplicated
tree is later used (e.g.  in mm/VMA paths), the effects could be
userspace-visible, such as fork() failures, process crashes, or broader
system instability.

My understanding is that current in-tree users hold the appropriate locks
and should not hit this, as triggering it requires violating the
__mt_dup() synchronization contract.  The risk primarily comes from the
fact that __mt_dup() is exported (EXPORT_SYMBOL), making it reachable by
out-of-tree modules or future callers which may not follow the locking
rules.

Add an explicit dead node check to detect concurrent modification during
duplication.  When a dead node is detected, return -EBUSY to indicate that
the tree is undergoing concurrent modification.

Link: https://lkml.kernel.org/r/20260103165758.74094-1-boudewijn@delta-utec.com
Fixes: fd32e4e9b764 ("maple_tree: introduce interfaces __mt_dup() and mtree_dup()")
Signed-off-by: Boudewijn van der Heide <boudewijn@delta-utec.com>
Cc: Alice Ryhl <aliceryhl@google.com>
Cc: Andrew Ballance <andrewjballance@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 lib/maple_tree.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/lib/maple_tree.c~maple_tree-add-dead-node-check-in-mas_dup_alloc
+++ a/lib/maple_tree.c
@@ -6251,6 +6251,11 @@ static inline void mas_dup_alloc(struct
 	/* Allocate memory for child nodes. */
 	type = mte_node_type(mas->node);
 	new_slots = ma_slots(new_node, type);
+	if (unlikely(ma_dead_node(node))) {
+		mas_set_err(mas, -EBUSY);
+		return;
+	}
+
 	count = mas->node_request = mas_data_end(mas) + 1;
 	mas_alloc_nodes(mas, gfp);
 	if (unlikely(mas_is_err(mas)))
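Review bot: the new check at `if (unlikely(ma_dead_node(node)))` tests a variable `node` that is not defined anywhere in the visible hunk, while the surrounding lines operate on `mas->node` and `new_node`; confirm that `node` is the source node (`mte_to_node(mas->node)`) rather than the freshly allocated destination, since a dead-node check on `new_node` would never fire. The check is also inherently best-effort: it runs before `mas_data_end(mas)` reads the source node's metadata, but without the caller's locking the node can still be freed to the RCU layout between the check and that read, so the commit message should state that this detects a contract violation rather than makes unlocked `__mt_dup()` safe. Finally, since `mas_set_err(mas, -EBUSY)` is surfaced through the same `mas_is_err(mas)` path that already handles allocation failures, the new -EBUSY return should be added to the kernel-doc Return section of `__mt_dup()` and `mtree_dup()` so callers know to distinguish it from -ENOMEM.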
_

Patches currently in -mm which might be from boudewijn@delta-utec.com are

maple_tree-add-dead-node-check-in-mas_dup_alloc.patch

