* Lorenzo Stoakes <lorenzo.stoakes@xxxxxxxxxx> [240903 08:27]:
> Hi Andrew - TL;DR of this is - please apply the fix patch attached below to
> fix a problem in this series, thanks! :)
Oh yes. I should have caught this, thanks Lorenzo.
Cheers,
Liam
> ----8<----
> From 3e7decc5390b0edc462afa74794a8208e25e50f2 Mon Sep 17 00:00:00 2001
> From: Lorenzo Stoakes <lorenzo.stoakes@xxxxxxxxxx>
> Date: Tue, 3 Sep 2024 13:20:34 +0100
> Subject: [PATCH] mm: fix off-by-one error in vms_abort_munmap_vmas()
>
> Maple tree ranges have an inclusive end, VMAs do not, so we must subtract
> one from the VMA-specific end value when using a mas_...() function.
>
> We failed to do so in vms_abort_munmap_vmas() which resulted in a store
> overlapping the intended range by one byte, and thus corrupting the maple
> tree.
>
> Fix this by subtracting one from vms->end() passed into mas_set_range().
>
> Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@xxxxxxxxxx>
> ---
> mm/vma.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/vma.h b/mm/vma.h
> index 370d3246f147..819f994cf727 100644
> --- a/mm/vma.h
> +++ b/mm/vma.h
> @@ -240,7 +240,7 @@ static inline void vms_abort_munmap_vmas(struct vma_munmap_struct *vms,
> * not symmetrical and state data has been lost. Resort to the old
> * failure method of leaving a gap where the MAP_FIXED mapping failed.
> */
> - mas_set_range(mas, vms->start, vms->end);
> + mas_set_range(mas, vms->start, vms->end - 1);
> if (unlikely(mas_store_gfp(mas, NULL, GFP_KERNEL))) {
> pr_warn_once("%s: (%d) Unable to abort munmap() operation\n",
> current->comm, current->pid);
> --
> 2.46.0
