[PATCH] maple_tree: Fix out of bounds access on mas_wr_node_walk()

Tue Jul 12 19:13:12 PDT 2022

When walking the node, check to see if offset is within the range of
pivots before reading that pivot, otherwise return the max of the node.

Reported-by: Yu Zhao <yuzhao at google.com>
Fixes: d0aac5e48048 (Maple Tree: add new data structure)
Signed-off-by: Liam R. Howlett <Liam.Howlett at oracle.com>
---
 lib/maple_tree.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/maple_tree.c b/lib/maple_tree.c
index 14e9ab14c1da..768707770926 100644
--- a/lib/maple_tree.c
+++ b/lib/maple_tree.c
@@ -2254,10 +2254,10 @@ static inline void mas_wr_node_walk(struct ma_wr_state *wr_mas)
 					       wr_mas->pivots, mas->max);
 	offset = mas->offset;
 	min = mas_safe_min(mas, wr_mas->pivots, offset);
-	max = wr_mas->pivots[offset];
 	if (unlikely(offset == count))
-		goto max; /* may have been set to zero */
+		goto max;
 
+	max = wr_mas->pivots[offset];
 	index = mas->index;
 	if (unlikely(index <= max))
 		goto done;
-- 
2.35.1

