Konstantin,

On Sun, Feb 07, 2016 at 11:27:53AM +0300, Konstantin Khlebnikov wrote:
> On Sat, Feb 6, 2016 at 9:18 PM, Jeremiah Mahler <jmmah...@gmail.com> wrote:
[...]
> >> -static __always_inline unsigned
> >> +static __always_inline long
> >> radix_tree_chunk_size(struct radix_tree_iter *iter)
> >> {
> >> return iter->next_index - iter->index;
> >> @@ -434,9 +434,9 @@ radix_tree_next_slot(void **slot, struct
> >> return slot + offset + 1;
> >> }
> >> } else {
> >> - unsigned size = radix_tree_chunk_size(iter) - 1;
> >> + long size = radix_tree_chunk_size(iter);
> >>
> >> - while (size--) {
> >> + while (--size > 0) {
> >> slot++;
> >> iter->index++;
> >> if (likely(*slot))
> >> _
> >>
> >
> > I have applied this patch to my kernel and so far the bug has not
> > come back. Thanks for the quick fix.
> >
> > Although I don't quite understand how this fixes the slot==NULL problem.
> > Unless I am missing something, it looks like the while loop will be
> > executed the same number of times but the size variable will no
> > longer go negative as it did before.
>
> That's simple. Slot is dereferenced after checking remaining size.
> Old version checked only for != 0. After iter-retry size is zero and
> after "- 1" it overlaps into positive range. In new version it's signed and
> checked for > 0.
>
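Review bot: the `while (--size > 0)` loop in radix_tree_next_slot now silently depends on radix_tree_chunk_size() returning a signed `long`, and nothing in the code says why: a chunk size of 0 (the post-retry case this thread describes) used to become `unsigned size = 0 - 1`, a huge count, so the old `while (size--)` walked `slot` past the chunk and dereferenced it. Suggest a one-line comment above the loop, e.g. `/* size may be 0 after an iter retry; the signed compare ends the walk */`, and a check that no other caller of radix_tree_chunk_size() still stores the result in an `unsigned`, which would reintroduce the same wrap there. Also note that `iter->next_index - iter->index` is still computed in the operands' own type and only converted to `long` on return, so the `> 0` test relies on that conversion producing a non-positive value when the chunk is empty; that is worth stating in the comment too.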
OK, I get it now. Thanks for the explanation.

-- 
- Jeremiah Mahler
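To make the unsigned wrap-around Konstantin describes concrete, here is a constructed C model (an added example, not code from this thread or from the kernel): the two loop shapes from the hunk walk a small slot array, and instead of dereferencing past the chunk the model reports that it would have. The slot array, the single populated slot, the chunk sizes and the return codes are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for one radix-tree node chunk: NSLOTS slot pointers,
 * NULL meaning "empty". This is a model for illustration, not kernel code. */
#define NSLOTS 8
static int dummy_entry;            /* the only populated slot points here */

/* Return codes for the two walkers below (chosen for this model). */
#define WALK_OOB  (-1L)  /* the loop would have read past the chunk: the bug */
#define WALK_NONE (-2L)  /* chunk exhausted without finding a populated slot */

/* Old loop shape from the hunk:
 *   unsigned size = radix_tree_chunk_size(iter) - 1;
 *   while (size--) { slot++; ...; if (*slot) return slot; }
 * chunk_size == 0 makes size wrap to UINT_MAX, so the walk keeps going
 * past the end of the chunk and dereferences whatever is there. */
static long walk_old(void **slots, size_t nslots, size_t start,
                     unsigned long chunk_size)
{
    unsigned size = (unsigned)chunk_size - 1u; /* wraps when chunk_size == 0 */
    size_t i = start;

    while (size--) {
        i++;
        if (i >= nslots)
            return WALK_OOB;   /* the real code would dereference here */
        if (slots[i])
            return (long)i;
    }
    return WALK_NONE;
}

/* New loop shape from the hunk:
 *   long size = radix_tree_chunk_size(iter);
 *   while (--size > 0) { slot++; ...; if (*slot) return slot; }
 * For chunk_size >= 1 this runs exactly as often as the old loop; for
 * chunk_size == 0, --size is -1, the test fails and no slot is touched. */
static long walk_new(void **slots, size_t nslots, size_t start,
                     unsigned long chunk_size)
{
    long size = (long)chunk_size;
    size_t i = start;

    while (--size > 0) {
        i++;
        if (i >= nslots)
            return WALK_OOB;
        if (slots[i])
            return (long)i;
    }
    return WALK_NONE;
}

/* Build the constructed chunk (only slot 5 populated) and run one walker.
 * Returns the index of the first populated slot after `start`, or a
 * WALK_* code. */
long demo(int use_new, size_t start, unsigned long chunk_size)
{
    void *slots[NSLOTS] = {0};
    slots[5] = &dummy_entry;
    return use_new ? walk_new(slots, NSLOTS, start, chunk_size)
                   : walk_old(slots, NSLOTS, start, chunk_size);
}

int main(void)
{
    printf("chunk 3 from slot 3: old=%ld new=%ld\n", demo(0, 3, 3), demo(1, 3, 3));
    printf("chunk 0 from slot 6: old=%ld new=%ld\n", demo(0, 6, 0), demo(1, 6, 0));
    printf("chunk 1 from slot 6: old=%ld new=%ld\n", demo(0, 6, 1), demo(1, 6, 1));
    printf("chunk 2 from slot 0: old=%ld new=%ld\n", demo(0, 0, 2), demo(1, 0, 2));
    return 0;
}
```

The `i >= nslots` check inside the walkers stands in for the NULL-slot dereference reported in the thread; in the kernel nothing stops the walk at the chunk boundary, which is why the zero-size case had to be caught by the loop condition itself. For every non-zero chunk size the two walkers return the same result, which matches Jeremiah's observation that the loop runs the same number of times.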