ublk: fix maple tree lockdep warning in ublk_buf_cleanup

ublk_buf_cleanup() iterates the maple tree with mas_for_each()
without holding mas_lock, triggering a lockdep splat on
CONFIG_PROVE_RCU kernels since mas_find() internally uses
rcu_dereference_check() which requires either RCU or the tree lock.

Fix by holding mas_lock around the iteration, and call mas_erase()
before freeing each range to avoid dangling pointers in the tree.

Fixes: 5e864438e285 ("ublk: replace xarray with IDA for shmem buffer index allocation")
Reported-by: Jens Axboe <axboe@kernel.dk>
Closes: https://lore.kernel.org/linux-block/0349d72d-dff8-4f9f-b448-919fa5ae96da@kernel.dk/
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Link: https://patch.msgid.link/20260423033058.2805135-2-tom.leiming@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index ef8a0705e68b515e5564bc06755a3f6e92f271d5..d5bbade15e653042ceb4cc3dd115267346526ddf 100644 (file)
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -5486,11 +5486,14 @@ static void ublk_buf_cleanup(struct ublk_device *ub)
        struct ublk_buf_range *range;
        struct page *pages[32];
 
+       mas_lock(&mas);
        mas_for_each(&mas, range, ULONG_MAX) {
                unsigned long base = mas.index;
                unsigned long nr = mas.last - base + 1;
                unsigned long off;
 
+               mas_erase(&mas);
+
                for (off = 0; off < nr; ) {
                        unsigned int batch = min_t(unsigned long,
                                                   nr - off, 32);
@@ -5503,6 +5506,7 @@ static void ublk_buf_cleanup(struct ublk_device *ub)
                }
                kfree(range);
        }
+       mas_unlock(&mas);
        mtree_destroy(&ub->buf_tree);
        ida_destroy(&ub->buf_ida);
 }