Re: [PATCH] lib/assoc_array: fix stale nr_leaves_on_tree after gc

Next message: kernel test robot: "Re: [PATCH 02/13] scsi: alua: Create a core ALUA driver"
Previous message: Paul Menzel: "Re: [Intel-wired-lan] [PATCH] idpf: fix UAF and double free in idpf_plug_core_aux_dev() error path"
In reply to: Josh Law: "[PATCH] lib/assoc_array: fix stale nr_leaves_on_tree after gc"
Next in thread: Josh Law: "Re: [PATCH] lib/assoc_array: fix stale nr_leaves_on_tree after gc"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andrew Morton

Date: Wed Mar 18 2026 - 13:23:43 EST

On Wed, 18 Mar 2026 16:49:59 +0000 Josh Law <objecting@xxxxxxxxxxxxx> wrote:

> In assoc_array_gc(), assoc_array_apply_edit() publishes the new tree
> root before nr_leaves_on_tree is updated, creating a window where the
> tree is visible with a stale leaf count. Move the nr_leaves_on_tree
> assignment before assoc_array_apply_edit() so the count is consistent
> when the new root becomes visible.
>
> ...
>
> --- a/lib/assoc_array.c
> +++ b/lib/assoc_array.c
> @@ -1711,8 +1711,8 @@ int assoc_array_gc(struct assoc_array *array,
>
> gc_complete:
> edit->set[0].to = new_root;
> - assoc_array_apply_edit(edit);
> array->nr_leaves_on_tree = nr_leaves_on_tree;
> + assoc_array_apply_edit(edit);
> return 0;

But assoc_array_apply_edit() alters array->nr_leaves_on_tree and now we
immediately overwrite that alteration?