[PATCH 0/3] may miss to set node dead on destroy
Liam R. Howlett
Liam.Howlett at oracle.com
Mon Feb 10 06:31:28 PST 2025
* Wei Yang <richard.weiyang at gmail.com> [250207 20:26]:

The subject of this patch set makes the issue sound much more severe than
it is. It currently sounds like a memory leak or a UAF, which isn't the
case.

The root node may remain usable for the duration of the rcu window if
it's a leaf node. The impact is pretty minor - you may see the old data
on calls that happen in the same rcu window - which is the case anyways.

You should also say maple_tree: in the subject since this is
going to linux-mm. Not a really big deal since each patch in the series
specifies the maple tree.

> Per my understanding, on destroy we should set each node dead. But the current
> code misses this when the maple tree has only the root node.
>
> The reason is mt_destroy_walk() leverages mte_destroy_descend() to set
> node dead, but this is skipped since the only root node is a leaf.
>
> Patch 1 fixes this.
>
> When adding a test case, I found we always get the new value even if we leave the
> old root node not dead. It turns out we always re-walk the tree in mas_walk().
> It looks like a typo on the status check of mas_walk().
>
> Patch 2 fixes this.
>
> Patch 3 adds a test case to assert retrieving new value when overwriting the
> whole range to a tree with only root node.
>
> Wei Yang (3):
> maple_tree: may miss to set node dead on destroy
> maple_tree: restart walk on correct status
> maple_tree: assert retrieving new value on a tree with only root node
>
> lib/maple_tree.c | 4 +++-
> tools/testing/radix-tree/maple.c | 24 ++++++++++++++++++++++++
> 2 files changed, 27 insertions(+), 1 deletion(-)
>
> --
> 2.34.1
>