public inbox for stable@vger.kernel.org
* + maple_tree-add-dead-node-check-in-mas_dup_alloc.patch added to mm-hotfixes-unstable branch
@ 2026-01-06  1:33 Andrew Morton
From: Andrew Morton @ 2026-01-06  1:33 UTC (permalink / raw)
  To: mm-commits, willy, stable, liam.howlett, andrewjballance,
	aliceryhl, boudewijn, akpm



The patch titled
     Subject: maple_tree: add dead node check in mas_dup_alloc()
has been added to the -mm mm-hotfixes-unstable branch.  Its filename is
     maple_tree-add-dead-node-check-in-mas_dup_alloc.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/maple_tree-add-dead-node-check-in-mas_dup_alloc.patch

This patch will later appear in the mm-hotfixes-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via various
branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there most days

------------------------------------------------------
From: Boudewijn van der Heide <boudewijn@delta-utec.com>
Subject: maple_tree: add dead node check in mas_dup_alloc()
Date: Sat, 3 Jan 2026 17:57:58 +0100

__mt_dup() is exported and can be called without internal locking, relying
on the caller to provide appropriate synchronization.  If a caller fails
to hold proper locks, the source tree may be modified concurrently,
potentially resulting in dead nodes during traversal.

The call stack is:
  __mt_dup()
    → mas_dup_build()
      → mas_dup_alloc()  [accesses node->slot[]]

mas_dup_alloc() may access node slots without first verifying that the
node is still alive.  If a dead node is encountered, its memory layout may
have been switched to the RCU union member, making slot array access
undefined behavior as we would be reading from the rcu_head structure
instead.

If __mt_dup() is invoked without the required external locking and the
source tree is concurrently modified, a node can transition to the dead
RCU layout while mas_dup_alloc() is still traversing it.  In that case the
code may interpret the rcu_head contents as slot pointers.

Practically, this could lead to invalid pointer dereferences (kernel oops)
or corruption of the duplicated tree.  Depending on how that duplicated
tree is later used (e.g. in mm/VMA paths), the effects could be
userspace-visible, such as fork() failures, process crashes, or broader
system instability.

My understanding is that current in-tree users hold the appropriate locks
and should not hit this, as triggering it requires violating the
__mt_dup() synchronization contract.  The risk primarily comes from the
fact that __mt_dup() is exported (EXPORT_SYMBOL), making it reachable by
out-of-tree modules or future callers which may not follow the locking
rules.

Add an explicit dead node check to detect concurrent modification during
duplication.  When a dead node is detected, return -EBUSY to indicate that
the tree is undergoing concurrent modification.

Link: https://lkml.kernel.org/r/20260103165758.74094-1-boudewijn@delta-utec.com
Fixes: fd32e4e9b764 ("maple_tree: introduce interfaces __mt_dup() and mtree_dup()")
Signed-off-by: Boudewijn van der Heide <boudewijn@delta-utec.com>
Cc: Alice Ryhl <aliceryhl@google.com>
Cc: Andrew Ballance <andrewjballance@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 lib/maple_tree.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/lib/maple_tree.c~maple_tree-add-dead-node-check-in-mas_dup_alloc
+++ a/lib/maple_tree.c
@@ -6251,6 +6251,11 @@ static inline void mas_dup_alloc(struct
 	/* Allocate memory for child nodes. */
 	type = mte_node_type(mas->node);
 	new_slots = ma_slots(new_node, type);
+	if (unlikely(ma_dead_node(node))) {
+		mas_set_err(mas, -EBUSY);
+		return;
+	}
+
 	count = mas->node_request = mas_data_end(mas) + 1;
 	mas_alloc_nodes(mas, gfp);
 	if (unlikely(mas_is_err(mas)))
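Review bot: the new `if (unlikely(ma_dead_node(node)))` block is best-effort detection, not synchronization, and it deserves a comment saying so: a node that passes the check can still be retired by a concurrent writer before `mas_data_end(mas)` and the later slot copy read it, so the hunk narrows the window the commit message describes but cannot close it for a caller that violates the locking contract. Two follow-ups: first, either move the check up so the source node is validated before `type = mte_node_type(mas->node)` / `new_slots = ma_slots(new_node, type)` do any work, or add a one-line comment on why this spot was chosen; second, `-EBUSY` is a new error value surfacing from `__mt_dup()`, and the `if (unlikely(mas_is_err(mas)))` check right below was written around `-ENOMEM` from `mas_alloc_nodes()`, so the kernel-doc of `__mt_dup()` and any caller cleanup that distinguishes error codes should be updated to mention it.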
_

Patches currently in -mm which might be from boudewijn@delta-utec.com are

maple_tree-add-dead-node-check-in-mas_dup_alloc.patch
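A constructed C model of the hazard the commit message describes, added here as an illustration; it is not code from lib/maple_tree.c or from the patch author. The node layout, the names `model_node`, `model_rcu_head`, `writer_retire_node()` and `dup_copy_slots()`, and the "parent pointer equals the node means dead" convention are all assumptions of the model, chosen to show what a dup routine reads when a node's slot bytes have been repurposed as an RCU head and why a liveness check before the copy turns that into a clean `-EBUSY`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_SLOTS 4

/* Stand-in for struct rcu_head: two pointer-sized fields that, in this
 * model, overlay slot[0] and slot[1] once a node is handed to RCU. */
struct model_rcu_head {
	struct model_rcu_head *next;
	void (*func)(struct model_rcu_head *);
};

/* Stand-in for a tree node whose storage is a union of the live slot
 * array and the RCU callback head, as the commit message describes. */
struct model_node {
	/* Assumption for the model: a node whose parent pointer points at
	 * itself is dead; the real ma_dead_node() test is not shown here. */
	struct model_node *parent;
	union {
		void *slot[MODEL_SLOTS];      /* meaningful only while live */
		struct model_rcu_head rcu;    /* valid once the node is dead */
	} u;
};

static int node_is_dead(const struct model_node *node)
{
	return node->parent == node;
}

/* What a concurrent writer does to a node it has removed from the tree:
 * mark it dead and populate the RCU head, which reuses the slot bytes. */
static void writer_retire_node(struct model_node *node,
			       struct model_rcu_head *pending)
{
	node->parent = node;
	node->u.rcu.next = pending;
	node->u.rcu.func = NULL;
}

/* Model of the duplicating side. With check_dead set this mirrors the
 * patched mas_dup_alloc(): refuse with -EBUSY instead of copying slots
 * that may now hold rcu head fields. */
static int dup_copy_slots(const struct model_node *src,
			  struct model_node *dst, int check_dead)
{
	if (check_dead && node_is_dead(src))
		return -EBUSY;
	memcpy(dst->u.slot, src->u.slot, sizeof(dst->u.slot));
	return 0;
}

/* Race scenario: the writer retires the source node between the reader
 * picking it up and copying it. Returns dup_copy_slots()'s result and
 * reports whether dst->slot[0] ended up holding the rcu "next" pointer. */
static int run_scenario(int check_dead, int *misread)
{
	int payload[MODEL_SLOTS] = {1, 2, 3, 4};   /* constructed values */
	struct model_node src = {0}, dst = {0};
	struct model_rcu_head pending = {0};
	int i, ret;

	for (i = 0; i < MODEL_SLOTS; i++)
		src.u.slot[i] = &payload[i];
	writer_retire_node(&src, &pending);         /* writer wins the race */
	ret = dup_copy_slots(&src, &dst, check_dead);
	*misread = (dst.u.slot[0] == (void *)&pending);
	return ret;
}

/* Result of the duplication: -EBUSY when checked, 0 when unchecked. */
int dup_result(int check_dead)
{
	int misread;
	return run_scenario(check_dead, &misread);
}

/* 1 if the copy carried the rcu head's next pointer into slot[0]. */
int dup_misread(int check_dead)
{
	int misread;
	run_scenario(check_dead, &misread);
	return misread;
}

int main(void)
{
	printf("checked:   ret=%d misread=%d\n", dup_result(1), dup_misread(1));
	printf("unchecked: ret=%d misread=%d\n", dup_result(0), dup_misread(0));
	return 0;
}
```

The unchecked path returns success while `dst->slot[0]` now holds the address of the pending RCU head rather than a payload pointer, which is the "interpret the rcu_head contents as slot pointers" outcome from the commit message; the checked path reports `-EBUSY` and leaves the destination untouched. Note that the model retires the node before the copy, so the check always catches it; in the real code the node can die after the check, which is why the check detects a contract violation rather than preventing one.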

