maple_tree: Fix placement of data during add operation during certain

conditions.

When partially overwriting the sources end slot and coalescing data
during the copy operation, there was a potential for an overflow during
a store operation.  Avoid the overflow by using the new node end instead
of the slot passed in as the destination.

Signed-off-by: Liam R. Howlett <Liam.Howlett@Oracle.com>

diff --git a/lib/maple_tree.c b/lib/maple_tree.c
index 3b0e24423810fb0051de41dbf881f765b26092c2..f55495005132b2effa0ad50cce17b7738286337c 100644 (file)
--- a/lib/maple_tree.c
+++ b/lib/maple_tree.c
@@ -1233,7 +1233,7 @@ static inline unsigned char mas_append_entry(struct ma_state *mas, void *entry)
                dst_slot = 0; // empty node.
        else if (dst_slot > mt_slot_count(mas->node)) { // Should not happen.
                dst_slot = mas_data_end(mas, mte_node_type(mas->node),
-                               &wr_pivot, &coalesce); // slot not set.}
+                               &wr_pivot, &coalesce); // slot not set.
        } else if (dst_slot)
                wr_pivot = mas_get_safe_pivot(mas, dst_slot - 1);
 
@@ -2300,15 +2300,15 @@ static inline int __mas_add(struct ma_state *mas, void *entry,
                mas_mn(&cp)->parent = mn->parent;
                if (prev_piv == mas->index - 1) {
                        if (slot) // slot - 1 will translate to slot - 1 + 1.
-                               _mas_append(&cp, mn, mas_type, src_max, 0,
-                                           slot - 1);
+                               end_slot = _mas_append(&cp, mn, mas_type,
+                                               src_max, 0, slot - 1);
                } else {
                        end_slot = _mas_append(&cp, mn, mas_type, src_max, 0, slot);
                        if (end_slot < mt_pivot_count(cp.node))
                                mte_set_pivot(cp.node, end_slot, mas->index - 1);
-                       mas_set_slot(&cp, end_slot);
                }
 
+               mas_set_slot(&cp, end_slot);
                end_slot = mas_append_entry(&cp, entry) + 1;
 
                // Partial slot overwrite