* [PATCH] maple_tree: Fix potential NULL pointer dereference if mas_pop_node() fails
@ 2025-10-18 15:23 Huiwen He
2025-10-18 16:38 ` Markus Elfring
From: Huiwen He @ 2025-10-18 15:23 UTC (permalink / raw)
To: Liam.Howlett
Cc: aliceryhl, andrewjballance, maple-tree, linux-mm, linux-kernel,
Huiwen He
mas_pop_node() may return NULL when memory allocation fails or when
mas->sheaf is invalid. Several callers of mas_pop_node() did not check
the return value and directly dereferenced the pointer, which could
lead to a NULL pointer dereference and kernel crash.
Fixes: 54a611b60590 ("maple_tree: add mas_pop_node() helper")
Signed-off-by: Huiwen He <hehuiwen@kylinos.cn>
---
lib/maple_tree.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/lib/maple_tree.c b/lib/maple_tree.c
index 39bb779cb311..524e1cfb4439 100644
--- a/lib/maple_tree.c
+++ b/lib/maple_tree.c
@@ -3085,6 +3085,9 @@ static inline void mas_root_expand(struct ma_state *mas, void *entry)
int slot = 0;
node = mas_pop_node(mas);
+ if (unlikely(!node))
+ return;
+
pivots = ma_pivots(node, type);
slots = ma_slots(node, type);
node->parent = ma_parent_ptr(mas_tree_parent(mas));
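Review bot: the early return at `if (unlikely(!node)) return;` turns an allocation shortfall into a silent no-op: mas_root_expand() is void, the entry is never stored, and nothing on mas records the failure, so the caller carries on as if the store had succeeded. Liam's reply further down explains that allocation failure is already detected and returned at the preallocation stage and that the WARN_ON() plus NULL return inside mas_pop_node() is only a tripwire for a miscounted request, so this guard adds an always-false test with no detectable failure path; if a guard is wanted here at all, it should record the error on the ma_state rather than return silently.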
@@ -3367,6 +3370,9 @@ static inline void mas_new_root(struct ma_state *mas, void *entry)
}
node = mas_pop_node(mas);
+ if (unlikely(!node))
+ return;
+
pivots = ma_pivots(node, type);
slots = ma_slots(node, type);
node->parent = ma_parent_ptr(mas_tree_parent(mas));
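Review bot: same silent-return pattern in mas_new_root(): a store that quietly leaves the tree untouched with no error recorded is harder to diagnose than the oops it replaces, because the WARN_ON() in mas_pop_node() becomes the only trace of the failure. If the guards in mas_root_expand() and mas_new_root() are kept, a single helper that also records the error would keep the behaviour consistent across both callers instead of duplicating the three lines.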
@@ -3506,6 +3512,9 @@ static inline void mas_wr_node_store(struct ma_wr_state *wr_mas,
newnode = &reuse;
}
+ if (unlikely(!newnode))
+ return;
+
newnode->parent = mas_mn(mas)->parent;
dst_pivots = ma_pivots(newnode, wr_mas->type);
dst_slots = ma_slots(newnode, wr_mas->type);
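Review bot: the check is placed after the `newnode = &reuse;` branch, where newnode is a stack address and can never be NULL, so it only covers the other branch that obtains newnode from mas_pop_node() and would be clearer next to that call. mas_wr_node_store() is also the hot path Liam singles out in the thread, so an always-false test on every node store is the wrong trade: the shortfall it guards against is reported at preallocation, and returning silently here would leave the write unapplied with no error on mas.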
--
2.43.0
* Re: [PATCH] maple_tree: Fix potential NULL pointer dereference if mas_pop_node() fails
2025-10-18 15:23 [PATCH] maple_tree: Fix potential NULL pointer dereference if mas_pop_node() fails Huiwen He
@ 2025-10-18 16:38 ` Markus Elfring
2025-10-19 0:32 ` Matthew Wilcox
2025-10-19 11:49 ` Huiwen He
From: Markus Elfring @ 2025-10-18 16:38 UTC (permalink / raw)
To: Huiwen He, maple-tree, linux-mm, Liam R. Howlett
Cc: LKML, Alice Ryhl, Andrew Ballance
> mas_pop_node() may return NULL when memory allocation fails or when
> mas->sheaf is invalid. Several callers of mas_pop_node() did not check
> the return value and directly dereferenced the pointer, which could
> lead to a NULL pointer dereference and kernel crash.
Will another imperative wording approach become more helpful for an improved
change description?
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.18-rc1#n94
Regards,
Markus
* Re: [PATCH] maple_tree: Fix potential NULL pointer dereference if mas_pop_node() fails
2025-10-18 16:38 ` Markus Elfring
@ 2025-10-19 0:32 ` Matthew Wilcox
2025-10-19 11:49 ` Huiwen He
From: Matthew Wilcox @ 2025-10-19 0:32 UTC (permalink / raw)
To: Markus Elfring
Cc: Huiwen He, maple-tree, linux-mm, Liam R. Howlett, LKML,
Alice Ryhl, Andrew Ballance
On Sat, Oct 18, 2025 at 06:38:11PM +0200, Markus Elfring wrote:
> > mas_pop_node() may return NULL when memory allocation fails or when
> > mas->sheaf is invalid. Several callers of mas_pop_node() did not check
> > the return value and directly dereferenced the pointer, which could
> > lead to a NULL pointer dereference and kernel crash.
>
> Will another imperative wording approach become more helpful for an improved
> change description?
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.18-rc1#n94
Markus, stop this. You've been told before.
* Re: [PATCH] maple_tree: Fix potential NULL pointer dereference if mas_pop_node() fails
2025-10-18 16:38 ` Markus Elfring
2025-10-19 0:32 ` Matthew Wilcox
@ 2025-10-19 11:49 ` Huiwen He
2025-10-19 20:14 ` Matthew Wilcox
From: Huiwen He @ 2025-10-19 11:49 UTC (permalink / raw)
To: markus.elfring
Cc: Liam.Howlett, aliceryhl, andrewjballance, hehuiwen, linux-kernel,
linux-mm, maple-tree
Hi Markus,
Thanks for your suggestion.
The commit description could be improved to better follow the imperative style.
I'll update it in the later version (maybe v2).
Best regards,
Huiwen He
* Re: [PATCH] maple_tree: Fix potential NULL pointer dereference if mas_pop_node() fails
2025-10-19 11:49 ` Huiwen He
@ 2025-10-19 20:14 ` Matthew Wilcox
2025-10-21 14:19 ` Liam R. Howlett
From: Matthew Wilcox @ 2025-10-19 20:14 UTC (permalink / raw)
To: Huiwen He
Cc: markus.elfring, Liam.Howlett, aliceryhl, andrewjballance,
linux-kernel, linux-mm, maple-tree
On Sun, Oct 19, 2025 at 07:49:16PM +0800, Huiwen He wrote:
> Hi Markus,
>
> Thanks for your suggestion.
> The commit description could be improved to better follow the imperative style.
> I'll update it in the later version (maybe v2).
Do not send a v2 until somebody has a substantive comment. I suspect
that what you are doing here is wrong, but I lack the understanding to
explain why it is wrong.
* Re: [PATCH] maple_tree: Fix potential NULL pointer dereference if mas_pop_node() fails
2025-10-19 20:14 ` Matthew Wilcox
@ 2025-10-21 14:19 ` Liam R. Howlett
From: Liam R. Howlett @ 2025-10-21 14:19 UTC (permalink / raw)
To: Matthew Wilcox
Cc: Huiwen He, markus.elfring, aliceryhl, andrewjballance,
linux-kernel, linux-mm, maple-tree
* Matthew Wilcox <willy@infradead.org> [251019 16:14]:
> On Sun, Oct 19, 2025 at 07:49:16PM +0800, Huiwen He wrote:
...
>
> Do not send a v2 until somebody has a substantive comment. I suspect
> that what you are doing here is wrong, but I lack the understanding to
> explain why it is wrong.
Thanks Matthew.
This is not necessary.
At this point we ALWAYS have enough allocations.
I'm guessing you saw the WARN_ON() and return of NULL and assumed we'd
need to check the return in caller. This WARN_ON() is in place in case
the calculations are incorrect in some corner case (which has never
happened in mainline), so this will add extra instructions for a
significant amount of calls, especially the mas_wr_node_store() path,
with no chance of catching an error.
In fact, the only time I've seen the tree fail to allocate enough memory
is when syzbot fails allocations - and that will happen in the
preallocation stage, which does check the return.
So, thanks for looking but this patch is unnecessary.
Thanks,
Liam
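Liam's point above, that the allocation check belongs in the preallocation stage and that later pops cannot fail once it succeeds, modelled as an added stand-alone example. This is not the maple tree's own code; the node pool, its function names and the warning counter are hypothetical constructions for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stash of preallocated nodes, standing in for the nodes an
 * ma_state holds before a store (constructed here, not the real structure). */
#define POOL_MAX 8
struct node { int pad; };
struct pool {
    struct node *stash[POOL_MAX];
    int count;   /* nodes currently stashed */
    int warned;  /* pops from an empty stash, like a WARN_ON() firing */
};

/* Preallocation stage: acquire every node the upcoming store can need.
 * This is the one place where allocation failure is reported to the caller,
 * and it happens before any tree state has been touched. */
static int pool_preallocate(struct pool *p, int needed, bool simulate_oom)
{
    while (p->count < needed) {
        struct node *n = simulate_oom ? NULL : malloc(sizeof(*n));
        if (!n)
            return -ENOMEM;
        p->stash[p->count++] = n;
    }
    return 0;
}

/* Counterpart of mas_pop_node(): after a successful preallocation it cannot
 * come up empty; hitting the warning means the request was miscounted. */
static struct node *pool_pop(struct pool *p)
{
    if (p->count == 0) {
        p->warned++;
        return NULL;
    }
    return p->stash[--p->count];
}

/* A store needing `needed` nodes: check once up front, then pop unchecked,
 * which is the invariant that makes per-call NULL checks dead code. */
static int store_with_prealloc(struct pool *p, int needed, bool simulate_oom)
{
    int err = pool_preallocate(p, needed, simulate_oom);
    if (err)
        return err;
    for (int i = 0; i < needed; i++)
        free(pool_pop(p));  /* guaranteed non-NULL by the check above */
    return 0;
}
```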