From: Josh Law
To: Liam Howlett, Matthew Wilcox
Cc: Alice Ryhl, Andrew Ballance, Andrew Morton, stable@vger.kernel.org, linux-kernel@vger.kernel.org, Josh Law
Subject: [PATCH v2] lib/maple_tree: fix swapped arguments in mas_safe_pivot() call
Date: Fri, 6 Mar 2026 22:32:19 +0000
Message-ID: <20260306223219.2824040-1-objecting@objecting.org>

From: Josh Law

The call to mas_safe_pivot() in mas_wr_extend_null() has the pivot index and maple type arguments swapped. The function signature expects (mas, pivots, piv, type) but the call passes (mas, pivots, type, piv). This causes the pivot index to be interpreted as a maple node type and vice versa, leading to incorrect pivot lookups.

In practice, this means a null-extending store into a maple tree node can read the wrong pivot value, potentially corrupting the range tracked by the maple state. For a VMA maple tree, this could cause an incorrect vm_area_struct range to be returned during operations like mmap or munmap, leading to silent memory mapping corruption.

Every other mas_safe_pivot() call site in the file passes the arguments in the correct (piv, type) order; this is the only one with them reversed.

Link: https://lkml.kernel.org/r/20260306200820.2819999-1-objecting@objecting.org
Fixes: 54a611b60590 ("Maple Tree: add new data structure")
Signed-off-by: Josh Law
Cc: stable@vger.kernel.org
Cc: Alice Ryhl
Cc: Andrew Ballance
Cc: Liam Howlett
Signed-off-by: Andrew Morton
--- lib/maple_tree.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/maple_tree.c b/lib/maple_tree.c index 5aa4c9500018..f82000821293 100644 --- a/lib/maple_tree.c +++ b/lib/maple_tree.c @@ -3279,7 +3279,7 @@ static inline void mas_extend_spanning_null(struct ma= _wr_state *l_wr_mas, (r_mas->last < r_mas->max) && !mas_slot_locked(r_mas, r_wr_mas->slots, r_mas->offset + 1)) { r_mas->last =3D mas_safe_pivot(r_mas, r_wr_mas->pivots, - r_wr_mas->type, r_mas->offset + 1); + r_mas->offset + 1, r_wr_mas->type); r_mas->offset++; } } --=20 2.43.0
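Review bot: The changelog places the swapped call in mas_wr_extend_null(), but the hunk header at -3279 gives mas_extend_spanning_null() as the enclosing function, and the changed line operates on r_mas and r_wr_mas; the changelog should name the function the hunk actually touches, otherwise anyone backporting via the Cc: stable tag will look in the wrong place. Since this is posted as v2, a short note below the --- line saying what changed since v1 would help too, and because the changelog only says the swap "could" corrupt a VMA range, it is worth stating whether this was found by inspection or observed at runtime.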