From f7324e6eef77d0db0745322ae47a3bc0e09d2970 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Mon, 14 Feb 2022 19:43:29 +0000 Subject: [PATCH] linux: Actually do post-order tree traversal. Requires breaking the rbtree(3) abstraction, but this is necessary because the body of the loop often frees the element, so as is we had a huge pile of use-after-free going on. --- sys/external/bsd/drm2/include/linux/rbtree.h | 65 +++++++++++++++++--- 1 file changed, 56 insertions(+), 9 deletions(-) diff --git a/sys/external/bsd/drm2/include/linux/rbtree.h b/sys/external/bsd/drm2/include/linux/rbtree.h index 7eba9a131a99..f33ea21d630f 100644 --- a/sys/external/bsd/drm2/include/linux/rbtree.h +++ b/sys/external/bsd/drm2/include/linux/rbtree.h @@ -144,15 +144,62 @@ rb_replace_node_cached(struct rb_node *old, struct rb_node *new, } /* - * XXX This is not actually postorder, but I can't fathom why you would - * want postorder for an ordered tree; different insertion orders lead - * to different traversal orders. + * This violates the abstraction of rbtree(3) for postorder traversal + * -- children first, then parents -- so it is safe for cleanup code + * that just frees all the nodes without removing them from the tree. */ -#define rbtree_postorder_for_each_entry_safe(NODE, TMP, ROOT, FIELD) \ - for ((NODE) = RB_TREE_MIN(&(ROOT)->rbr_tree); \ - ((NODE) != NULL && \ - ((TMP) = rb_tree_iterate(&(ROOT)->rbr_tree, (NODE), \ - RB_DIR_RIGHT), 1)); \ - (NODE) = (TMP)) +static inline struct rb_node * +rb_first_postorder(const struct rb_root *root) +{ + struct rb_node *node, *child; + + if ((node = root->rbr_tree.rbt_root) == NULL) + return NULL; + while ((child = node->rb_left) != NULL) + node = child; + return node; +} + +static inline struct rb_node * +rb_next2_postorder(const struct rb_root *root, struct rb_node *node) +{ + struct rb_node *parent, *child; + + if (node == NULL) + return NULL; + + /* + * If there's no parent, we're at the root, and so the + * post-order iteration is done. + */ + if ((parent = RB_FATHER(node)) == NULL) /* kinda sexist, innit */ + return NULL; + + /* + * If we're the right child, we've already processed the left + * child (which may be gone by now), so just return the parent. + */ + if (RB_RIGHT_P(node)) + return parent; + + /* + * Otherwise, move down to the leftmost child of our right + * sibling -- or return the parent if there is none. + */ + if ((node = parent->rb_right) == NULL) + return parent; + while ((child = node->rb_left) != NULL) + node = child; + return node; +} + +#define rbtree_postorder_for_each_entry_safe(ENTRY, TMP, ROOT, FIELD) \ + for ((ENTRY) = rb_entry_safe(rb_first_postorder(ROOT), \ + __typeof__(*(ENTRY)), FIELD); \ + ((ENTRY) != NULL && \ + ((TMP) = rb_entry_safe(rb_next2_postorder((ROOT), \ + &(ENTRY)->FIELD), __typeof__(*(ENTRY)), FIELD), \ + 1)); \ + (ENTRY) = (TMP)) #endif /* _LINUX_RBTREE_H_ */