2022-05-17 18:26:14

by Liam R. Howlett

Subject: [PATCH] maple_tree: Fix mas_next() when already on the last node entry

It is possible to return the metadata as the next entry if the last node
entry is already in the maple state and the limit is not reached. Check
for this condition in mas_next_nentry() where the node end is returned.

Signed-off-by: Liam R. Howlett <[email protected]>
---
lib/maple_tree.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/lib/maple_tree.c b/lib/maple_tree.c
index 967631055210..751aafd01c42 100644
--- a/lib/maple_tree.c
+++ b/lib/maple_tree.c
@@ -4547,6 +4547,9 @@ static inline void *mas_next_nentry(struct ma_state *mas,
return NULL;

count = ma_data_end(node, type, pivots, mas->max);
+ if (mas->offset > count)
+ return NULL;
+
while (mas->offset < count) {
pivot = pivots[mas->offset];
entry = mas_slot(mas, slots, mas->offset);
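Review bot: The new guard `if (mas->offset > count)` is a strict comparison, so mas->offset == count is not rejected here and also skips the `while (mas->offset < count)` loop, falling through to code that this hunk does not show. If the equal case is meant to be handled after the loop, a one-line comment above the check stating that an offset past the data end would return node metadata instead of an entry would make the boundary explicit; if it is not, the comparison should be `>=`.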
--
2.35.1


2022-05-18 01:48:34

by Sven Schnelle

Subject: Re: [PATCH] maple_tree: Fix mas_next() when already on the last node entry

Liam Howlett <[email protected]> writes:

> It is possible to return the metadata as the next entry if the last node
> entry is already in the maple state and the limit is not reached. Check
> for this condition in mas_next_nentry() where the node end is returned.
>
> Signed-off-by: Liam R. Howlett <[email protected]>

Thanks, that matches my observation from the initial report that we're
returning metadata. I just applied the patch to next-20220516 and I'm no
longer able to trigger the crash. So feel free to add my:

Tested-by: Sven Schnelle <[email protected]>

However, as Heiko already wrote in another mail, I would also like to
request that the maple tree code isn't merged with the next merge
window. These patches touch a lot of critical infrastructure, and I would like
to have it in next for at least one development cycle, so we can be sure
that we've seen and fixed most of the issues.

Thanks,
Sven
> ---
> lib/maple_tree.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/lib/maple_tree.c b/lib/maple_tree.c
> index 967631055210..751aafd01c42 100644
> --- a/lib/maple_tree.c
> +++ b/lib/maple_tree.c
> @@ -4547,6 +4547,9 @@ static inline void *mas_next_nentry(struct ma_state *mas,
> return NULL;
>
> count = ma_data_end(node, type, pivots, mas->max);
> + if (mas->offset > count)
> + return NULL;
> +
> while (mas->offset < count) {
> pivot = pivots[mas->offset];
> entry = mas_slot(mas, slots, mas->offset);
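Review bot: The `mas->offset > count` branch arrives without a test; the diffstat lists only lib/maple_tree.c with 3 insertions. A regression case that leaves the maple state on the last entry of a node with the limit not yet reached, then calls mas_next() and checks that no metadata comes back, would pin down the condition the commit message describes.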