The patch titled
     Subject: fs/userfaultfd: fix vma iteration in mas_for_each() loop
has been added to the -mm mm-unstable branch. Its filename is
     userfaultfd-use-maple-tree-iterator-to-iterate-vmas-fix.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/userfaultfd-use-maple-tree-iterator-to-iterate-vmas-fix.patch

This patch will later appear in the mm-unstable branch at
     git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days

------------------------------------------------------
From: Liam Howlett <liam.howlett@xxxxxxxxxx>
Subject: fs/userfaultfd: fix vma iteration in mas_for_each() loop
Date: Wed, 15 Jun 2022 16:42:17 +0000

The maple tree state becomes stale when the tree is altered and requires
the iteration to be paused with mas_pause(). This forces the next
iteration to start from the top of tree for the next entry.

Link: https://lkml.kernel.org/r/20220615164150.652376-1-Liam.Howlett@xxxxxxxxxx
Fixes: "userfaultfd-use-maple-tree-iterator-to-iterate-vmas.patch"
Signed-off-by: Liam R. Howlett <Liam.Howlett@xxxxxxxxxx>
Reported-by: syzbot+68771c0e74f7bb7804e5@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 fs/userfaultfd.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/fs/userfaultfd.c~userfaultfd-use-maple-tree-iterator-to-iterate-vmas-fix +++ a/fs/userfaultfd.c 
@@ -890,10 +890,13 @@ static int userfaultfd_release(struct in vma->vm_file, vma->vm_pgoff, vma_policy(vma), NULL_VM_UFFD_CTX, anon_vma_name(vma)); - if (prev) + if (prev) { + mas_pause(&mas); vma = prev; - else + } else { prev = vma; + } + vma->vm_flags = new_flags; vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX; } _ Patches currently in -mm which might be from liam.howlett@xxxxxxxxxx are maple-tree-add-new-data-structure-fix.patch maple-tree-add-new-data-structure-fix-2.patch maple-tree-add-new-data-structure-fix-3.patch maple-tree-add-new-data-structure-fix-4.patch maple-tree-add-new-data-structure-fix-7.patch maple-tree-add-new-data-structure-fix-8.patch maple-tree-add-new-data-structure-fix-8-fix.patch maple-tree-add-new-data-structure-fix-9.patch maple-tree-add-new-data-structure-fix-10.patch lib-test_maple_tree-add-testing-for-maple-tree-fix.patch lib-test_maple_tree-add-testing-for-maple-tree-fix-2.patch mm-start-tracking-vmas-with-maple-tree-fix-2.patch mm-mmap-use-advanced-maple-tree-api-for-mmap_region-fix-2.patch mm-mmap-use-advanced-maple-tree-api-for-mmap_region-fix-3.patch mm-mmap-change-do_brk_munmap-to-use-do_mas_align_munmap-fix.patch userfaultfd-use-maple-tree-iterator-to-iterate-vmas-fix.patch mm-remove-the-vma-linked-list-fix.patch mm-remove-the-vma-linked-list-fix-4.patch mm-mlock-drop-dead-code-in-count_mm_mlocked_page_nr.patch
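
Review bot: the new mas_pause(&mas) in the `if (prev)` branch of userfaultfd_release() carries no comment explaining why the iterator has to be paused at that point. The reason is given only in the commit message: the maple state is stale once the tree has been altered, which here is the path where the merge call just above handed back a vma in prev. A one-line comment above the call, for example `/* tree was altered by the merge, mas is stale */`, would stop a later cleanup from treating the call as redundant and reintroducing the stale-state walk that syzbot reported. The else branch leaves the iterator running, which matches the commit message only if nothing was changed in the tree when prev is NULL; stating that assumption in the same comment would make the asymmetry between the two branches explicit.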