Konstantin,
On Sun, Feb 07, 2016 at 11:27:53AM +0300, Konstantin Khlebnikov wrote:
> On Sat, Feb 6, 2016 at 9:18 PM, Jeremiah Mahler <jmmah...@gmail.com> wrote:
[...]
> >> -static __always_inline unsigned
> >> +static __always_inline long
> >> radix_tree_chunk_size(struct radix_tree_iter *iter)
> >> {
> >> return iter->next_index - iter->index;
> >> @@ -434,9 +434,9 @@ radix_tree_next_slot(void **slot, struct
> >> return slot + offset + 1;
> >> }
> >> } else {
> >> - unsigned size = radix_tree_chunk_size(iter) - 1;
> >> + long size = radix_tree_chunk_size(iter);
> >>
> >> - while (size--) {
> >> + while (--size > 0) {
> >> slot++;
> >> iter->index++;
> >> if (likely(*slot))
> >> _
> >>
> >
> > I have applied this patch to my kernel and so far the bug has not
> > come back. Thanks for the quick fix.
> >
> > Although I don't quite understand how this fixes the slot==NULL problem.
> > Unless I am missing something, it looks like the while loop will be
> > executed the same number of times but the size variable will no
> > longer go negative as it did before.
>
> That's simple. Slot is dereferenced after checking remaining size.
> Old version checked only for != 0. After iter-retry size is zero and
> afrer "- 1" it overlaps into positive range. In new version it's signed and
> checked for > 0.
>
OK, I get it now. Thanks for the explanation.
--
- Jeremiah Mahler
