Re: [PATCH v2] lib/idr: fix infinite loop in idr_get_next()

Next message: Josh Law: "Re: [PATCH v2] lib/idr: fix infinite loop in idr_get_next()"
Previous message: Ian Rogers: "Re: [PATCH v4 27/30] selftests/bpf: Append extra cflags"
In reply to: Josh Law: "[PATCH v2] lib/idr: fix infinite loop in idr_get_next()"
Next in thread: Josh Law: "Re: [PATCH v2] lib/idr: fix infinite loop in idr_get_next()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Matthew Wilcox

Date: Thu Mar 12 2026 - 13:27:01 EST

On Thu, Mar 12, 2026 at 05:12:38PM +0000, Josh Law wrote:
> From: Josh Law <objecting@xxxxxxxxxxxxx>
>
> In idr_get_next(), if the returned id from idr_get_next_ul() is greater
> than INT_MAX, the function issues a warning and returns NULL without
> updating the *nextid pointer. This causes a soft lockup for any caller
> iterating over an IDR (e.g. via idr_for_each_entry) because they will
> receive NULL, fail to advance their index, and repeatedly query the same
> state forever.
>
> Fix this by setting *nextid to INT_MAX when the bounds check fails,
> ensuring the caller's iteration will terminate.

Can you add a test-case for this? And the IDA patch you also sent?