From: Josh Law <objecting@objecting.org>
The call to mas_safe_pivot() in mas_wr_extend_null() has the pivot index
and maple type arguments swapped. The function signature expects
(mas, pivots, piv, type) but the call passes (mas, pivots, type, piv).
This causes the pivot index to be interpreted as a maple node type and
vice versa, leading to incorrect pivot lookups. In practice, this means
a null-extending store into a maple tree node can read the wrong pivot
value, potentially corrupting the range tracked by the maple state. For
a VMA maple tree, this could cause an incorrect vm_area_struct range to
be returned during operations like mmap or munmap, leading to silent
memory mapping corruption.
Every other mas_safe_pivot() call site in the file passes the arguments
in the correct (piv, type) order; this is the only one with them
reversed.
Link: https://lkml.kernel.org/r/20260306200820.2819999-1-objecting@objecting.org
Fixes: 54a611b60590 ("Maple Tree: add new data structure")
Signed-off-by: Josh Law <objecting@objecting.org>
Cc: stable@vger.kernel.org
Cc: Alice Ryhl <aliceryhl@google.com>
Cc: Andrew Ballance <andrewjballance@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
Changes in v3:
- Included a changelog detailing modifications since v1.
Changes in v2:
- Added Link, Fixes, and Cc tags (including stable@vger.kernel.org) to the commit message.
- Appended Andrew Morton's Signed-off-by to expedite merging.
lib/maple_tree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/maple_tree.c b/lib/maple_tree.c
index 5aa4c9500018..f82000821293 100644
--- a/lib/maple_tree.c
+++ b/lib/maple_tree.c
@@ -3279,7 +3279,7 @@ static inline void mas_extend_spanning_null(struct ma_wr_state *l_wr_mas,
(r_mas->last < r_mas->max) &&
!mas_slot_locked(r_mas, r_wr_mas->slots, r_mas->offset + 1)) {
r_mas->last = mas_safe_pivot(r_mas, r_wr_mas->pivots,
- r_wr_mas->type, r_mas->offset + 1);
+ r_mas->offset + 1, r_wr_mas->type);
r_mas->offset++;
}
}
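Review bot: the commit message's first sentence names mas_wr_extend_null(), but the hunk header shows this call sits in mas_extend_spanning_null(); the function name in the description should be corrected before this is applied. The reordering itself agrees with the unchanged context, which already uses `r_mas->offset + 1` as the index in `!mas_slot_locked(r_mas, r_wr_mas->slots, r_mas->offset + 1)`, so after the change the pivot read and the slot check refer to the same position. A test case exercising a spanning store that extends a NULL to the right, added as the following patch in the maple tree testing module or test framework, would pin this behaviour and record what the wrong argument order actually returned.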
--
2.43.0
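As an added example, not code from the patch or the kernel: a userspace model of the lookup the commit message describes. It assumes mas_safe_pivot() returns mas->max once the index reaches the node type's pivot count and pivots[piv] otherwise, and it assumes the enum values and per-type pivot counts shown; with those, the two argument orders in the hunk return different pivots for the same node, and nothing at compile time flags the swap.

```c
#include <stdio.h>

/* Model of enum maple_type; the real one is in include/linux/maple_tree.h. */
enum maple_type { maple_dense, maple_leaf_64, maple_range_64, maple_arange_64 };

/* Assumed pivot counts per node type (64-bit: 16, 16 and 10 slots, one fewer pivot). */
static const unsigned char mt_pivots[] = {
	[maple_dense] = 0, [maple_leaf_64] = 15, [maple_range_64] = 15, [maple_arange_64] = 9,
};

struct ma_state { unsigned long max; };

/* Assumed rule of the kernel helper: an index past the node's pivots yields mas->max. */
static unsigned long mas_safe_pivot(const struct ma_state *mas, const unsigned long *pivots,
				    unsigned char piv, enum maple_type type)
{
	if (piv >= mt_pivots[type])
		return mas->max;
	return pivots[piv];
}

/* Before the fix: (type, piv). Both parameters are integer types, so this compiles
 * silently; the node type becomes the pivot index and the index selects mt_pivots[]. */
static unsigned long pivot_before_fix(const struct ma_state *mas, const unsigned long *pivots,
				      unsigned char offset, enum maple_type type)
{
	return mas_safe_pivot(mas, pivots, type, offset + 1);
}

/* After the fix: (piv, type), matching the index mas_slot_locked() uses in the same hunk. */
static unsigned long pivot_after_fix(const struct ma_state *mas, const unsigned long *pivots,
				     unsigned char offset, enum maple_type type)
{
	return mas_safe_pivot(mas, pivots, offset + 1, type);
}

/* Constructed leaf node: pivots 10, 20, 30, 40, ... with the parent range ending at 1000.
 * Returns the pivot each argument order produces for r_mas->offset == 2. */
unsigned long demo_pivot_lookup(int fixed)
{
	unsigned long pivots[15];
	struct ma_state mas = { .max = 1000 };
	for (int i = 0; i < 15; i++)
		pivots[i] = 10UL * (i + 1);
	/* offset 2 keeps offset + 1 == 3 inside this model's mt_pivots[]; with the buggy
	 * order a larger offset would index that table out of bounds. */
	return fixed ? pivot_after_fix(&mas, pivots, 2, maple_leaf_64)
		     : pivot_before_fix(&mas, pivots, 2, maple_leaf_64);
}
```

With the swapped order the model reads pivots[1] (20) instead of pivots[3] (40), which is the kind of mismatch a test case in the maple tree test module would make visible.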
On 3/6/26 23:58, Josh Law wrote:
> From: Josh Law <objecting@objecting.org>
>
> The call to mas_safe_pivot() in mas_wr_extend_null() has the pivot index
The function is actually mas_extend_spanning_null() ?
> and maple type arguments swapped. The function signature expects
> (mas, pivots, piv, type) but the call passes (mas, pivots, type, piv).
>
> This causes the pivot index to be interpreted as a maple node type and
> vice versa, leading to incorrect pivot lookups. In practice, this means
> a null-extending store into a maple tree node can read the wrong pivot
> value, potentially corrupting the range tracked by the maple state. For
> a VMA maple tree, this could cause an incorrect vm_area_struct range to
> be returned during operations like mmap or munmap, leading to silent
> memory mapping corruption.
>
> Every other mas_safe_pivot() call site in the file passes the arguments
> in the correct (piv, type) order; this is the only one with them
> reversed.
>
> Link: https://lkml.kernel.org/r/20260306200820.2819999-1-objecting@objecting.org
> Fixes: 54a611b60590 ("Maple Tree: add new data structure")
> Signed-off-by: Josh Law <objecting@objecting.org>
> Cc: stable@vger.kernel.org
> Cc: Alice Ryhl <aliceryhl@google.com>
> Cc: Andrew Ballance <andrewjballance@gmail.com>
> Cc: Liam Howlett <liam.howlett@oracle.com>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
I'm not a maple tree expert but this looks obviously correct enough. So I
won't speculate on the impact of this bug, but:
Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
I guess since it's old and not in mm-hotfixes, we can afford to wait for
Liam who should be back before the merge window. I'm not sure how to
handle the fact that this patch has been withdrawn [1] however.
[1] https://lore.kernel.org/all/E1A667AB-DCE4-4034-A36B-DAA458780A81@objecting.org/
> ---
> Changes in v3:
> - Included a changelog detailing modifications since v1.
>
> Changes in v2:
> - Added Link, Fixes, and Cc tags (including stable@vger.kernel.org) to the commit message.
> - Appended Andrew Morton's Signed-off-by to expedite merging.
No!
>
> lib/maple_tree.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/maple_tree.c b/lib/maple_tree.c
> index 5aa4c9500018..f82000821293 100644
> --- a/lib/maple_tree.c
> +++ b/lib/maple_tree.c
> @@ -3279,7 +3279,7 @@ static inline void mas_extend_spanning_null(struct ma_wr_state *l_wr_mas,
> (r_mas->last < r_mas->max) &&
> !mas_slot_locked(r_mas, r_wr_mas->slots, r_mas->offset + 1)) {
> r_mas->last = mas_safe_pivot(r_mas, r_wr_mas->pivots,
> - r_wr_mas->type, r_mas->offset + 1);
> + r_mas->offset + 1, r_wr_mas->type);
> r_mas->offset++;
> }
> }
On Thu, 26 Mar 2026 19:02:35 +0100 "Vlastimil Babka (SUSE)" <vbabka@kernel.org> wrote:
>
> I'm not a maple tree expert but this looks obviously correct enough. So I
> won't speculate on the impact of this bug, but:
>
> Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
>
> I guess since it's old and not in mm-hotfixes, we can afford to wait for
> Liam who should be back before the merge window.

Yup, I'm keeping this parked until Liam is back on deck.

> I'm not sure how to
> handle the fact that this patch has been withdrawn [1] however.
>
> [1] https://lore.kernel.org/all/E1A667AB-DCE4-4034-A36B-DAA458780A81@objecting.org/

Waiting to see what Liam says. If he likes it then let's proceed.
* Andrew Morton <akpm@linux-foundation.org> [260326 14:44]:
> On Thu, 26 Mar 2026 19:02:35 +0100 "Vlastimil Babka (SUSE)" <vbabka@kernel.org> wrote:
> >
> > I'm not a maple tree expert but this looks obviously correct enough. So I
> > won't speculate on the impact of this bug, but:
> >
> > Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
> >
> > I guess since it's old and not in mm-hotfixes, we can afford to wait for
> > Liam who should be back before the merge window.
>
> Yup, I'm keeping this parked until Liam is back on deck.
>
> > I'm not sure how to
> > handle the fact that this patch has been withdrawn [1] however.
> >
> > [1] https://lore.kernel.org/all/E1A667AB-DCE4-4034-A36B-DAA458780A81@objecting.org/
>
> Waiting to see what Liam says. If he likes it then let's proceed.

This fix looks correct, but I'm not okay with taking it for the following reasons:

1. It does not have a reproducer to catch this bug showing up again. Although unlikely to show up again, it certainly won't with a reproducer. I have a strict policy of requiring a test case for each fix that should either go into the testing module or the test framework. Every regression or bug has a reproducer as the next patch after a bug fix. This allows for successful running of the test cases without failure (git bisect still works), while maintaining less overhead for backports.

2. The reason given why this hasn't been triggered does not seem correct. If you create the test case, then you would know why it wasn't triggered instead of assuming what you stated. Maybe I've messed something bigger up and that code isn't reachable. No one knows why it hasn't shown up because proper care hasn't been taken in analyzing why it hasn't shown up. It also means instead of knowing what's going on, you're making more work for stable. This is just sloppy. To put it another way: what are the user-visible runtime effects of this change?

3. The SoB email address; I'm objecting.

I'm not entirely sure what's been done about these Josh Law patches. It seems some sort of bot is involved without proper oversight. If these problems are not addressed, I will rewrite the patch with a reproducer along with a note pointing to these interactions as credit to where the bug was reported - since I have no idea WHO reported it.

Thanks,
Liam
On 26 March 2026 18:02:35 GMT, "Vlastimil Babka (SUSE)" <vbabka@kernel.org> wrote:
>On 3/6/26 23:58, Josh Law wrote:
>> From: Josh Law <objecting@objecting.org>
>>
>> The call to mas_safe_pivot() in mas_wr_extend_null() has the pivot index
>
>The function is actually mas_extend_spanning_null() ?
>
>> and maple type arguments swapped. The function signature expects
>> (mas, pivots, piv, type) but the call passes (mas, pivots, type, piv).
>>
>> This causes the pivot index to be interpreted as a maple node type and
>> vice versa, leading to incorrect pivot lookups. In practice, this means
>> a null-extending store into a maple tree node can read the wrong pivot
>> value, potentially corrupting the range tracked by the maple state. For
>> a VMA maple tree, this could cause an incorrect vm_area_struct range to
>> be returned during operations like mmap or munmap, leading to silent
>> memory mapping corruption.
>>
>> Every other mas_safe_pivot() call site in the file passes the arguments
>> in the correct (piv, type) order; this is the only one with them
>> reversed.
>>
>> Link: https://lkml.kernel.org/r/20260306200820.2819999-1-objecting@objecting.org
>> Fixes: 54a611b60590 ("Maple Tree: add new data structure")
>> Signed-off-by: Josh Law <objecting@objecting.org>
>> Cc: stable@vger.kernel.org
>> Cc: Alice Ryhl <aliceryhl@google.com>
>> Cc: Andrew Ballance <andrewjballance@gmail.com>
>> Cc: Liam Howlett <liam.howlett@oracle.com>
>> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>
>I'm not a maple tree expert but this looks obviously correct enough. So I
>won't speculate on the impact of this bug, but:
>
>Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
>
>I guess since it's old and not in mm-hotfixes, we can afford to wait for
>Liam who should be back before the merge window. I'm not sure how to
>handle the fact that this patch has been withdrawn [1] however.
>
>[1] https://lore.kernel.org/all/E1A667AB-DCE4-4034-A36B-DAA458780A81@objecting.org/
>
>> ---
>> Changes in v3:
>> - Included a changelog detailing modifications since v1.
>>
>> Changes in v2:
>> - Added Link, Fixes, and Cc tags (including stable@vger.kernel.org) to the commit message.
>> - Appended Andrew Morton's Signed-off-by to expedite merging.
>
>No!
>
>>
>> lib/maple_tree.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/lib/maple_tree.c b/lib/maple_tree.c
>> index 5aa4c9500018..f82000821293 100644
>> --- a/lib/maple_tree.c
>> +++ b/lib/maple_tree.c
>> @@ -3279,7 +3279,7 @@ static inline void mas_extend_spanning_null(struct ma_wr_state *l_wr_mas,
>> (r_mas->last < r_mas->max) &&
>> !mas_slot_locked(r_mas, r_wr_mas->slots, r_mas->offset + 1)) {
>> r_mas->last = mas_safe_pivot(r_mas, r_wr_mas->pivots,
>> - r_wr_mas->type, r_mas->offset + 1);
>> + r_mas->offset + 1, r_wr_mas->type);
>> r_mas->offset++;
>> }
>> }
>
Hi, this patch isn't pending!
I may come back to lib/ earlier, I'm just refining my workflow to be better, and to be honest!
Also, thanks for the ack
V/R
Josh Law