The patch titled
     Subject: maple_tree: add dead node check in mas_dup_alloc()
has been added to the -mm mm-hotfixes-unstable branch.  Its filename is
     maple_tree-add-dead-node-check-in-mas_dup_alloc.patch
This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches...
This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via various branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there most days
------------------------------------------------------
From: Boudewijn van der Heide <boudewijn@delta-utec.com>
Subject: maple_tree: add dead node check in mas_dup_alloc()
Date: Sat, 3 Jan 2026 17:57:58 +0100
__mt_dup() is exported and can be called without internal locking, relying on the caller to provide appropriate synchronization. If a caller fails to hold proper locks, the source tree may be modified concurrently, potentially resulting in dead nodes during traversal.
The call stack is: __mt_dup() -> mas_dup_build() -> mas_dup_alloc() [accesses node->slot[]]
mas_dup_alloc() may access node slots without first verifying that the node is still alive. If a dead node is encountered, its memory layout may have been switched to the RCU union member, making slot array access undefined behavior as we would be reading from the rcu_head structure instead.
If __mt_dup() is invoked without the required external locking and the source tree is concurrently modified, a node can transition to the dead RCU layout while mas_dup_alloc() is still traversing it. In that case the code may interpret the rcu_head contents as slot pointers.
Practically, this could lead to invalid pointer dereferences (kernel oops) or corruption of the duplicated tree. Depending on how that duplicated tree is later used (e.g. in mm/VMA paths), the effects could be userspace-visible, such as fork() failures, process crashes, or broader system instability.
My understanding is that current in-tree users hold the appropriate locks and should not hit this, as triggering it requires violating the __mt_dup() synchronization contract. The risk primarily comes from the fact that __mt_dup() is exported (EXPORT_SYMBOL), making it reachable by out-of-tree modules or future callers which may not follow the locking rules.
Add an explicit dead node check to detect concurrent modification during duplication. When a dead node is detected, return -EBUSY to indicate that the tree is undergoing concurrent modification.
Link: https://lkml.kernel.org/r/20260103165758.74094-1-boudewijn@delta-utec.com
Fixes: fd32e4e9b764 ("maple_tree: introduce interfaces __mt_dup() and mtree_dup()")
Signed-off-by: Boudewijn van der Heide <boudewijn@delta-utec.com>
Cc: Alice Ryhl <aliceryhl@google.com>
Cc: Andrew Ballance <andrewjballance@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
lib/maple_tree.c | 5 +++++ 1 file changed, 5 insertions(+)
--- a/lib/maple_tree.c~maple_tree-add-dead-node-check-in-mas_dup_alloc +++ a/lib/maple_tree.c @@ -6251,6 +6251,11 @@ static inline void mas_dup_alloc(struct /* Allocate memory for child nodes. */ type = mte_node_type(mas->node); new_slots = ma_slots(new_node, type); + if (unlikely(ma_dead_node(node))) { + mas_set_err(mas, -EBUSY); + return; + } + count = mas->node_request = mas_data_end(mas) + 1; mas_alloc_nodes(mas, gfp); if (unlikely(mas_is_err(mas))) _
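Review bot: The new `if (unlikely(ma_dead_node(node)))` check lands below `type = mte_node_type(mas->node);` and `new_slots = ma_slots(new_node, type);` but above `mas_data_end(mas)`, the first access to the source node's contents in this function, so it is early enough; moving it to the top of the function, ahead of the `/* Allocate memory for child nodes. */` comment, would keep that comment attached to the allocation it describes and make the precondition visible at a glance. The check is also only a snapshot: a node that goes dead after it is still read when its slots are copied later, so a one-line comment stating that this is best-effort detection of a caller that violated the __mt_dup() locking contract, not synchronization, and that -EBUSY is reported through mas_set_err() exactly like the -ENOMEM path checked by the `if (unlikely(mas_is_err(mas)))` that follows, would stop the next reader from assuming the race is closed.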
Patches currently in -mm which might be from boudewijn@delta-utec.com are
maple_tree-add-dead-node-check-in-mas_dup_alloc.patch
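To make the layout overlap and the dead-node check in the commit message concrete, here is a user-space C model written for this page; it is an added example, not kernel code and not the author's patch. The toy_* names are hypothetical stand-ins for struct maple_node, ma_dead_node() and mas_dup_alloc(), the two-pointer toy_rcu_head stands in for struct rcu_head, and the slot contents are constructed sample data.

```c
/*
 * Added example, not kernel code: a user-space model of the maple_node
 * slot[] / rcu_head overlap and of the dead-node check. All toy_* names
 * are hypothetical stand-ins for the kernel's maple_node, ma_dead_node()
 * and mas_dup_alloc().
 */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define TOY_SLOTS 4

/* Stand-in for struct rcu_head: two pointer-sized fields. */
struct toy_rcu_head {
	struct toy_rcu_head *next;
	void (*func)(struct toy_rcu_head *head);
};

/*
 * As in struct maple_node, the live layout (parent + slot[]) and the dead
 * layout (pad + rcu_head) share one piece of storage. Once a node has been
 * handed to RCU, rcu.next and rcu.func sit on top of slot[0] and slot[1].
 */
struct toy_node {
	union {
		struct {
			struct toy_node *parent;
			void *slot[TOY_SLOTS];
		} live;
		struct {
			void *pad;
			struct toy_rcu_head rcu;
		} dead;
	} u;
};

/* Modelled on ma_dead_node(): a dead node's parent pointer points at itself. */
static int toy_dead_node(const struct toy_node *node)
{
	return node->u.live.parent == node;
}

static void toy_free_cb(struct toy_rcu_head *head)
{
	(void)head;	/* the kernel would free the node here, after the grace period */
}

/*
 * What a concurrent writer does when it retires a node: mark it dead and
 * queue it for RCU, which overwrites the first two slots with rcu_head data.
 */
static void toy_mark_dead(struct toy_node *node)
{
	node->u.live.parent = node;
	node->u.dead.rcu.next = NULL;
	node->u.dead.rcu.func = toy_free_cb;
}

/*
 * Copy src's slots into dst, as mas_dup_alloc() does for the duplicate.
 * With check_dead set it behaves like the patched code and returns -EBUSY
 * instead of reading a dead node; without it, it copies whatever bytes the
 * rcu_head left behind.
 */
static int toy_dup_alloc(struct toy_node *dst, const struct toy_node *src,
			 int check_dead)
{
	if (check_dead && toy_dead_node(src))
		return -EBUSY;
	dst->u.live.parent = NULL;
	memcpy(dst->u.live.slot, src->u.live.slot, sizeof(dst->u.live.slot));
	return 0;
}

/* Build a live node whose slots point at the constructed values[] array. */
static void toy_init_live(struct toy_node *node, int *values)
{
	int i;

	memset(node, 0, sizeof(*node));
	for (i = 0; i < TOY_SLOTS; i++)
		node->u.live.slot[i] = &values[i];
}

/* Return code of the patched (checked) copy for a live or a dead source. */
static int toy_checked_copy_rc(int node_is_dead)
{
	int values[TOY_SLOTS];
	struct toy_node src, dst;

	toy_init_live(&src, values);
	if (node_is_dead)
		toy_mark_dead(&src);
	return toy_dup_alloc(&dst, &src, 1);
}

/*
 * Unpatched behaviour: number of copied slots that no longer match the live
 * contents after the node was retired under the copier's feet. Where data
 * and function pointers have the same size, rcu_head clobbers slot[0] and
 * slot[1] exactly, so this returns 2.
 */
static int toy_corrupted_slots_after_race(void)
{
	int values[TOY_SLOTS];
	struct toy_node src, dst;
	void *expected[TOY_SLOTS];
	int i, bad = 0;

	toy_init_live(&src, values);
	for (i = 0; i < TOY_SLOTS; i++)
		expected[i] = src.u.live.slot[i];
	toy_mark_dead(&src);	/* the race: writer retires src mid-duplication */
	if (toy_dup_alloc(&dst, &src, 0) != 0)
		return -1;
	for (i = 0; i < TOY_SLOTS; i++)
		if (dst.u.live.slot[i] != expected[i])
			bad++;
	return bad;
}
```

The model runs the writer strictly before or after the copy, so the check always sees the right answer; in the kernel a node can be retired between ma_dead_node() and the slot copy, which is why the commit message keeps the burden on the caller's locking and treats -EBUSY as detection of a contract violation rather than as synchronization.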