From 0e6fc8c5a923f6c59ae381bb8e715a3f1f076ec9 Mon Sep 17 00:00:00 2001
From: "Liam R. Howlett"
Date: Mon, 2 Mar 2020 10:43:00 -0500
Subject: [PATCH] maple_tree: Fix placement of data during add operation during certain conditions.

When partially overwriting the sources end slot and coalescing data during the copy operation, there was a potential for an overflow during a store operation. Avoid the overflow by using the new node end instead of the slot passed in as the destination.

Signed-off-by: Liam R. Howlett
---
 lib/maple_tree.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/maple_tree.c b/lib/maple_tree.c
index 3b0e24423810..f55495005132 100644
--- a/lib/maple_tree.c
+++ b/lib/maple_tree.c
@@ -1233,7 +1233,7 @@ static inline unsigned char mas_append_entry(struct ma_state *mas, void *entry)
 dst_slot = 0; // empty node.
 else if (dst_slot > mt_slot_count(mas->node)) { // Should not happen.
 dst_slot = mas_data_end(mas, mte_node_type(mas->node),
- &wr_pivot, &coalesce); // slot not set.}
+ &wr_pivot, &coalesce); // slot not set.
 } else if (dst_slot)
 wr_pivot = mas_get_safe_pivot(mas, dst_slot - 1);
@@ -2300,15 +2300,15 @@ static inline int __mas_add(struct ma_state *mas, void *entry,
 mas_mn(&cp)->parent = mn->parent;
 if (prev_piv == mas->index - 1) {
 if (slot) // slot - 1 will translate to slot - 1 + 1.
- _mas_append(&cp, mn, mas_type, src_max, 0,
- slot - 1);
+ end_slot = _mas_append(&cp, mn, mas_type,
+ src_max, 0, slot - 1);
 } else {
 end_slot = _mas_append(&cp, mn, mas_type, src_max, 0, slot);
 if (end_slot < mt_pivot_count(cp.node))
 mte_set_pivot(cp.node, end_slot, mas->index - 1);
- mas_set_slot(&cp, end_slot);
 }
+ mas_set_slot(&cp, end_slot);
 end_slot = mas_append_entry(&cp, entry) + 1;
 // Partial slot overwrite
-- 
2.50.1
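Review bot: In the second hunk, `mas_set_slot(&cp, end_slot)` now runs on every path, but when `prev_piv == mas->index - 1` and `slot` is 0 nothing in the visible lines assigns `end_slot`, so the destination slot handed to `mas_append_entry()` is whatever `end_slot` held before this block (its declaration, like the start and end of `__mas_add`, is outside the hunk). Before this change that path did not call `mas_set_slot()` at all, so this is a behaviour change on exactly the destination-slot choice the commit is fixing. If the nothing-copied case is meant to start at slot 0, say so explicitly with `else end_slot = 0; // nothing copied, destination starts empty` under the `if (slot)`, or confirm that `end_slot` is initialised where it is declared. Since a wrong slot here ends in a store past the node, a `WARN_ON_ONCE(end_slot > mt_slot_count(cp.node));` ahead of `mas_set_slot()` would surface a regression rather than leaving it to the "Should not happen" fallback in `mas_append_entry()`.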