Re: [PATCH v3 1/2] lib/idr: fix infinite loop in idr_get_next()

From: Josh Law

Date: Thu Mar 12 2026 - 17:15:37 EST


12 Mar 2026 20:57:48 Josh Law <hlcj1234567@xxxxxxxxx>:

> 12 Mar 2026 20:55:15 Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>:
>
>> On Thu, 12 Mar 2026 18:19:47 +0000 Josh Law <hlcj1234567@xxxxxxxxx> wrote:
>>
>>> In idr_get_next(), if the returned id from idr_get_next_ul() is greater
>>> than INT_MAX, the function issues a warning and returns NULL without
>>> updating the *nextid pointer. This causes a soft lockup for any caller
>>> iterating over an IDR (e.g. via idr_for_each_entry) because they will
>>> receive NULL, fail to advance their index, and repeatedly query the same
>>> state forever.
>>
>> This assumes that the idr_get_next() caller ignores the NULL return and
>> just keeps on looping.  Isn't that a caller bug and if so, do we need
>> to defend against it here?
>
> The risk isn't just a single loop failure; it's that idr_get_next() breaks the 'forward-progress' guarantee of the iterator.
> In macros like idr_for_each_entry_continue, if idr_get_next() returns NULL without advancing the pointer, the caller is left in a permanent trap. Any attempt to resume or retry the iteration results in an infinite loop of the same warning because the index is never incremented past the problematic ID.
> Advancing the pointer ensures the infrastructure is robust against these 'soft lockups', even if the caller's error handling is imperfect.

This most definitely needs to be merged.


V/R
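To make the forward-progress point above concrete, here is an added user-space model of the cursor behaviour the thread describes. It is not lib/idr.c and not the posted patch: the toy table, the walker, the `toy_is_stuck` check and the "advance" variant (which saturates the int cursor at INT_MAX on overflow) are assumptions for illustration only. The sample ids (5, 7 and 3000000000) are constructed.

```c
/* Added example, not kernel code: a user-space model of the idr_get_next()
 * cursor behaviour discussed in this thread. Build: cc -std=c11 -Wall toy.c */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define TOY_MAX 8

struct toy_idr {
	unsigned long ids[TOY_MAX];	/* kept sorted ascending */
	void *vals[TOY_MAX];
	int n;
};

/* Model of idr_get_next_ul(): first entry with id >= *nextid. The cursor is
 * moved to that id on success; on exhaustion NULL is returned and the cursor
 * is left alone, as the kernel helper does. */
static void *toy_get_next_ul(struct toy_idr *t, unsigned long *nextid)
{
	for (int i = 0; i < t->n; i++)
		if (t->ids[i] >= *nextid) {
			*nextid = t->ids[i];
			return t->vals[i];
		}
	return NULL;
}

/* The behaviour the patch description reports (WARN_ON_ONCE omitted here):
 * an id above INT_MAX yields NULL and *nextid is not touched. */
static void *toy_get_next_noadvance(struct toy_idr *t, int *nextid)
{
	unsigned long id = *nextid;
	void *entry = toy_get_next_ul(t, &id);

	if (id > INT_MAX)
		return NULL;
	*nextid = id;
	return entry;
}

/* Assumed alternative, not the posted patch: on overflow, saturate the int
 * cursor at INT_MAX so no int-addressable position remains beyond it. */
static void *toy_get_next_advance(struct toy_idr *t, int *nextid)
{
	unsigned long id = *nextid;
	void *entry = toy_get_next_ul(t, &id);

	if (id > INT_MAX) {
		*nextid = INT_MAX;
		return NULL;
	}
	*nextid = id;
	return entry;
}

typedef void *(*toy_getter)(struct toy_idr *, int *);

/* Walk like idr_for_each_entry(): stop at the first NULL, stepping past each
 * returned entry. Returns the cursor the caller is left holding. */
static int toy_walk_cursor(struct toy_idr *t, toy_getter get, int *visited)
{
	int id = 0;

	for (*visited = 0; get(t, &id); (*visited)++) {
		if (id == INT_MAX)
			break;		/* cannot step any further */
		id++;
	}
	return id;
}

/* Forward-progress check: resume once from the cursor a walk ended on. If that
 * returns NULL without moving the cursor while entries at or beyond it still
 * exist, a retry can never get past this point. INT_MAX is treated as the
 * end marker of the int id space, so it never counts as stuck. */
static int toy_is_stuck(struct toy_idr *t, toy_getter get, int cursor)
{
	int id = cursor;
	unsigned long probe = (unsigned long)cursor;

	if (cursor == INT_MAX || get(t, &id) || id != cursor)
		return 0;
	return toy_get_next_ul(t, &probe) != NULL;
}

/* Constructed sample: ids 5 and 7, plus 3000000000 (> INT_MAX) on request. */
static struct toy_idr toy_sample(int with_overflow)
{
	static int a, b, c;	/* placeholder payloads */
	struct toy_idr t = { .n = 0 };

	t.ids[t.n] = 5; t.vals[t.n++] = &a;
	t.ids[t.n] = 7; t.vals[t.n++] = &b;
	if (with_overflow) {
		t.ids[t.n] = 3000000000UL; t.vals[t.n++] = &c;
	}
	return t;
}

int main(void)
{
	struct toy_idr t = toy_sample(1);
	int visited, cursor;

	cursor = toy_walk_cursor(&t, toy_get_next_noadvance, &visited);
	printf("no-advance: visited %d cursor %d stuck %d\n", visited, cursor,
	       toy_is_stuck(&t, toy_get_next_noadvance, cursor));
	cursor = toy_walk_cursor(&t, toy_get_next_advance, &visited);
	printf("advance:    visited %d cursor %d stuck %d\n", visited, cursor,
	       toy_is_stuck(&t, toy_get_next_advance, cursor));
	return 0;
}
```

With the overflow entry present, both variants visit the two small ids, but the no-advance wrapper leaves the cursor at 8 with an entry still ahead of it, so a resume from that cursor returns NULL at the same position every time; the saturating variant hands back INT_MAX, which a caller can recognise as the end of what an int cursor can address. Without the overflow entry, both variants end at cursor 8 with nothing beyond it, which is ordinary termination and not stuck.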