Re: [PATCH v3 1/2] lib/idr: fix infinite loop in idr_get_next()

From: Josh Law

Date: Thu Mar 12 2026 - 16:58:01 EST


12 Mar 2026 20:55:15 Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>:

> On Thu, 12 Mar 2026 18:19:47 +0000 Josh Law <hlcj1234567@xxxxxxxxx> wrote:
>
>> In idr_get_next(), if the returned id from idr_get_next_ul() is greater
>> than INT_MAX, the function issues a warning and returns NULL without
>> updating the *nextid pointer. This causes a soft lockup for any caller
>> iterating over an IDR (e.g. via idr_for_each_entry) because they will
>> receive NULL, fail to advance their index, and repeatedly query the same
>> state forever.
>
> This assumes that the idr_get_next() caller ignores the NULL return and
> just keeps on looping.  Isn't that a caller bug and if so, do we need
> to defend against it here?

The risk isn't just a single loop failure; it's that idr_get_next() breaks the 'forward-progress' guarantee of the iterator.
In macros like idr_for_each_entry_continue, if idr_get_next() returns NULL without advancing the pointer, the caller is left in a permanent trap. Any attempt to resume or retry the iteration results in an infinite loop of the same warning because the index is never incremented past the problematic ID.
Advancing the pointer ensures the infrastructure is robust against these 'soft lockups', even if the caller's error handling is imperfect.
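The forward-progress argument above can be checked mechanically. What follows is an added userspace model written for this page, not code from the kernel or from the patch: an IDR-like store indexed by unsigned long, a lookup with an int cursor, and a walker that flags any call which returns NULL without moving the cursor while entries remain. The `model_` names are hypothetical, the sample store is constructed, and the "fixed" variant (parking the cursor at INT_MAX when the next id is not representable) is one way to restore progress in this model, not a claim about what the patch itself does.

```c
/* Added example (not kernel code): a userspace model of an IDR-style
 * iterator with an int cursor over unsigned-long ids. All model_ names
 * are hypothetical and the sample store below is constructed. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

struct model_entry { unsigned long id; const char *name; };

/* A store is a list of entries in ascending id order. */
struct model_idr { const struct model_entry *e; size_t n; };

/* Model of the unsigned-long lookup: the entry with the smallest id that is
 * >= *nextid; its id is written back to *nextid. NULL when none remains. */
static const char *model_get_next_ul(const struct model_idr *idr, unsigned long *nextid)
{
    for (size_t i = 0; i < idr->n; i++) {
        if (idr->e[i].id >= *nextid) {
            *nextid = idr->e[i].id;
            return idr->e[i].name;
        }
    }
    return NULL;
}

/* Behaviour the patch description reports: an id above INT_MAX produces a
 * warning and a NULL return while *nextid is left untouched. */
static const char *model_get_next_buggy(const struct model_idr *idr, int *nextid)
{
    unsigned long id = (unsigned long)*nextid;
    const char *entry = model_get_next_ul(idr, &id);
    if (!entry)
        return NULL;
    if (id > (unsigned long)INT_MAX) {
        fprintf(stderr, "warning: id %lu does not fit in int\n", id);
        return NULL;               /* cursor is not advanced */
    }
    *nextid = (int)id;
    return entry;
}

/* One way to restore progress in this model (hypothetical, not the patch):
 * when the next id is not representable, park the cursor at INT_MAX before
 * returning NULL, so the cursor never again points below the offending id. */
static const char *model_get_next_fixed(const struct model_idr *idr, int *nextid)
{
    unsigned long id = (unsigned long)*nextid;
    const char *entry = model_get_next_ul(idr, &id);
    if (!entry)
        return NULL;
    if (id > (unsigned long)INT_MAX) {
        fprintf(stderr, "warning: id %lu does not fit in int\n", id);
        *nextid = INT_MAX;
        return NULL;
    }
    *nextid = (int)id;
    return entry;
}

typedef const char *(*model_get_next_fn)(const struct model_idr *, int *);

/* Walk the store from id 0 like a for-each loop, checking the forward-progress
 * invariant on every call: a NULL return must either move the cursor forward
 * or coincide with nothing remaining at or after the old cursor. Returns the
 * number of entries visited, or -1 on the first call that violates this. */
static int model_walk(model_get_next_fn fn, const struct model_idr *idr)
{
    int id = 0, visited = 0;
    for (;;) {
        int before = id;
        const char *entry = fn(idr, &id);
        if (entry) {
            visited++;
            if (id == INT_MAX)
                return visited;    /* cannot increment the cursor further */
            id++;
            continue;
        }
        if (id > before)
            return visited;        /* NULL with the cursor moved: clean end */
        unsigned long probe = (unsigned long)before;
        if (model_get_next_ul(idr, &probe) == NULL)
            return visited;        /* NULL and nothing left: clean end */
        return -1;                 /* NULL, cursor stuck, entries remain */
    }
}

/* Constructed sample stores: one with an id just above INT_MAX, one without. */
static const struct model_entry model_big_entries[] = {
    { 1, "a" }, { 2, "b" }, { 3, "c" }, { (unsigned long)INT_MAX + 1UL, "too-big" },
};
static const struct model_entry model_small_entries[] = { { 1, "a" }, { 2, "b" }, { 3, "c" } };
static const struct model_idr model_big_store = { model_big_entries, 4 };
static const struct model_idr model_small_store = { model_small_entries, 3 };

int main(void)
{
    printf("buggy, big id: %d\n", model_walk(model_get_next_buggy, &model_big_store));
    printf("fixed, big id: %d\n", model_walk(model_get_next_fixed, &model_big_store));
    printf("buggy, small ids only: %d\n", model_walk(model_get_next_buggy, &model_small_store));
    return 0;
}
```

The walker is the interesting part: it does not trust NULL as "end of iteration" but cross-checks it against the store, which is the check a caller with imperfect error handling never performs. Against the store containing an id above INT_MAX, the buggy lookup is reported as stuck (-1) after visiting three entries, the fixed lookup ends cleanly after the same three, and against a store of small ids both variants terminate normally.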