From: Josh Law
To: Liam.Howlett@oracle.com, akpm@linux-foundation.org
Cc: aliceryhl@google.com, andrewjballance@gmail.com, maple-tree@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Josh Law
Subject: [PATCH] lib/maple_tree: fix swapped arguments in mas_safe_pivot() call
Date: Fri, 6 Mar 2026 20:08:20 +0000
Message-ID: <20260306200820.2819999-1-objecting@objecting.org>

From: Josh Law

The call to mas_safe_pivot() in mas_wr_extend_null() has the pivot
index and maple type arguments swapped. The function signature expects
(mas, pivots, piv, type) but the call passes (mas, pivots, type, piv).
This causes the pivot index to be interpreted as a maple node type and
vice versa, leading to incorrect pivot lookups.

In practice, this means a null-extending store into a maple tree node
can read the wrong pivot value, potentially corrupting the range tracked
by the maple state. For a VMA maple tree, this could cause an incorrect
vm_area_struct range to be returned during operations like mmap or
munmap, leading to silent memory mapping corruption.

Every other mas_safe_pivot() call site in the file passes the arguments
in the correct (piv, type) order; this is the only one with them
reversed.

Signed-off-by: Josh Law
---
 lib/maple_tree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/maple_tree.c b/lib/maple_tree.c index 5aa4c9500018..f82000821293 100644 --- a/lib/maple_tree.c +++ b/lib/maple_tree.c @@ -3279,7 +3279,7 @@ static inline void mas_extend_spanning_null(struct ma= _wr_state *l_wr_mas, (r_mas->last < r_mas->max) && !mas_slot_locked(r_mas, r_wr_mas->slots, r_mas->offset + 1)) { r_mas->last =3D mas_safe_pivot(r_mas, r_wr_mas->pivots, - r_wr_mas->type, r_mas->offset + 1); + r_mas->offset + 1, r_wr_mas->type); r_mas->offset++; } } --=20 2.43.0
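
Review bot: The changelog names the wrong function: the hunk header places the changed call in mas_extend_spanning_null(), in the branch that advances r_mas->last, while the commit message says the swapped call is in mas_wr_extend_null(). Please correct the function name in the changelog so it matches the code being changed and so later searches of the history find it. The new argument order, r_mas->offset + 1 followed by r_wr_mas->type, does match the (mas, pivots, piv, type) signature the changelog quotes. Because the changelog describes possible VMA range corruption, a Fixes: tag naming the commit that introduced the reversed call would let the stable maintainers decide on backporting; the only tag visible is Signed-off-by.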