The quilt patch titled
     Subject: maple_tree: add dead node check in mas_dup_alloc()
has been removed from the -mm tree. Its filename was
     maple_tree-add-dead-node-check-in-mas_dup_alloc.patch
This patch was dropped because an updated version will be issued
------------------------------------------------------
From: Boudewijn van der Heide <boudewijn@delta-utec.com>
Subject: maple_tree: add dead node check in mas_dup_alloc()
Date: Sat, 3 Jan 2026 17:57:58 +0100
__mt_dup() is exported and can be called without internal locking, relying on the caller to provide appropriate synchronization. If a caller fails to hold proper locks, the source tree may be modified concurrently, potentially resulting in dead nodes during traversal.
The call stack is: __mt_dup() -> mas_dup_build() -> mas_dup_alloc() [accesses node->slot[]]
mas_dup_alloc() may access node slots without first verifying that the node is still alive. If a dead node is encountered, its memory layout may have been switched to the RCU union member, making slot array access undefined behavior as we would be reading from the rcu_head structure instead.
If __mt_dup() is invoked without the required external locking and the source tree is concurrently modified, a node can transition to the dead RCU layout while mas_dup_alloc() is still traversing it. In that case the code may interpret the rcu_head contents as slot pointers.
Practically, this could lead to invalid pointer dereferences (kernel oops) or corruption of the duplicated tree. Depending on how that duplicated tree is later used (e.g. in mm/VMA paths), the effects could be userspace-visible, such as fork() failures, process crashes, or broader system instability.
My understanding is that current in-tree users hold the appropriate locks and should not hit this, as triggering it requires violating the __mt_dup() synchronization contract. The risk primarily comes from the fact that __mt_dup() is exported (EXPORT_SYMBOL), making it reachable by out-of-tree modules or future callers which may not follow the locking rules.
Add an explicit dead node check to detect concurrent modification during duplication. When a dead node is detected, return -EBUSY to indicate that the tree is undergoing concurrent modification.
Link: https://lkml.kernel.org/r/20260103165758.74094-1-boudewijn@delta-utec.com
Fixes: fd32e4e9b764 ("maple_tree: introduce interfaces __mt_dup() and mtree_dup()")
Signed-off-by: Boudewijn van der Heide <boudewijn@delta-utec.com>
Cc: Alice Ryhl <aliceryhl@google.com>
Cc: Andrew Ballance <andrewjballance@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 lib/maple_tree.c | 5 +++++
 1 file changed, 5 insertions(+)
--- a/lib/maple_tree.c~maple_tree-add-dead-node-check-in-mas_dup_alloc +++ a/lib/maple_tree.c @@ -6251,6 +6251,11 @@ static inline void mas_dup_alloc(struct /* Allocate memory for child nodes. */ type = mte_node_type(mas->node); new_slots = ma_slots(new_node, type); + if (unlikely(ma_dead_node(node))) { + mas_set_err(mas, -EBUSY); + return; + } + count = mas->node_request = mas_data_end(mas) + 1; mas_alloc_nodes(mas, gfp); if (unlikely(mas_is_err(mas))) _
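Review bot: the `ma_dead_node(node)` test in this hunk is a single snapshot taken before `mas_data_end(mas)` and before the slot reads that follow, so a node that is freed and switched to its RCU layout after the check is still read exactly as the description warns; the check narrows the window but does not close it, and the commit message should say that it detects a concurrent modification that has already happened rather than implying it makes the duplication safe against one. Two smaller points: the new lines test `node` while the adjacent context operates on `mas->node` and `new_node`, so a one-line comment such as `/* source node freed under us: caller violated the __mt_dup() locking contract */` above the `if` would make it clear which node is meant and why `-EBUSY` is returned for what the description calls a contract violation (a `WARN_ON_ONCE` there would also make such violations visible to the caller who is supposed to hold the lock, which is the case the description says this is aimed at); and since the early `return` fires before `mas->node_request` is set, the caller's existing `mas_is_err(mas)` handling should be confirmed to cope with an error raised before any allocation was requested.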
Patches currently in -mm which might be from boudewijn@delta-utec.com are