[PATCH 12/18] maple_tree: Catch race in mas_alloc_cyclic()

From: Liam R. Howlett (Oracle)

Date: Mon Jun 29 2026 - 11:03:28 EST


If mas_alloc_cyclic() is called during a low memory situation, it is
possible the lock may be dropped so reclaim can occur. There is a
window where some other task may allocate the same id and cause the
mas_insert() to fail with -EEXIST. In this scenario the function will
return -EEXIST, which is not expected.

Modifying the retry on mas_nomem() to re-search for a slot means that
any race with other writes will not matter as the lock will be held
between finding the index and writing the index.

No existing users are exposed to this issue.

Fixes: 9b6713cc75229 ("maple_tree: Add mtree_alloc_cyclic()")
Reported-by: Chris Mason <clm@xxxxxxxx>
Cc: Chuck Lever <cel@xxxxxxxxxx>
Signed-off-by: Liam R. Howlett (Oracle) <liam@xxxxxxxxxxxxx>
---
lib/maple_tree.c | 34 ++++++++++++++++++----------------
1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/lib/maple_tree.c b/lib/maple_tree.c
index 6531a2af338cd..67cc480534e96 100644
--- a/lib/maple_tree.c
+++ b/lib/maple_tree.c
@@ -3900,27 +3900,29 @@ int mas_alloc_cyclic(struct ma_state *mas, unsigned long *startp,
void *entry, unsigned long range_lo, unsigned long range_hi,
unsigned long *next, gfp_t gfp)
{
- unsigned long min = range_lo;
- int ret = 0;
+ int ret;
+ unsigned long min;

- range_lo = max(min, *next);
- ret = mas_empty_area(mas, range_lo, range_hi, 1);
- if ((mas->tree->ma_flags & MT_FLAGS_ALLOC_WRAPPED) && ret == 0) {
- mas->tree->ma_flags &= ~MT_FLAGS_ALLOC_WRAPPED;
- ret = 1;
- }
- if (ret < 0 && range_lo > min) {
- mas_reset(mas);
- ret = mas_empty_area(mas, min, range_hi, 1);
- if (ret == 0)
+ min = range_lo;
+ do {
+ range_lo = max(min, *next);
+ ret = mas_empty_area(mas, range_lo, range_hi, 1);
+ if ((mas->tree->ma_flags & MT_FLAGS_ALLOC_WRAPPED) && ret == 0) {
+ mas->tree->ma_flags &= ~MT_FLAGS_ALLOC_WRAPPED;
ret = 1;
- }
- if (ret < 0)
- return ret;
+ }
+ if (ret < 0 && range_lo > min) {
+ mas_reset(mas);
+ ret = mas_empty_area(mas, min, range_hi, 1);
+ if (ret == 0)
+ ret = 1;
+ }
+ if (ret < 0)
+ return ret;

- do {
mas_insert(mas, entry);
} while (mas_nomem(mas, gfp));
+
if (mas_is_err(mas))
return xa_err(mas->node);

--
2.47.3