On Tue, Apr 16, 2019 at 04:18:57PM -0700, Cong Wang wrote:
> > The problem case occurs when we've seen enough distinct
> > errors that we have filled every entry, then we try to
> > look up a pfn that is larger that any seen before.
> >
> > The loop:
> >
> > while (min < max) {
> > ...
> > }
> >
> > will terminate with "min" set to MAX_ELEMS. Then we
> > execute:
> >
> > this_pfn = PFN(ca->array[min]);
> >
> > which references beyond the end of the space allocated
> > for ca->array.
>
> Exactly.
Hmmm. But can we ever really have this happen? The call
sequence to get here looks like:
mutex_lock(&ce_mutex);
if (ca->n == MAX_ELEMS)
WARN_ON(!del_lru_elem_unlocked(ca));
ret = find_elem(ca, pfn, &to);
I.e. if the array was all the way full, we delete one element
before calling find_elem(). So when we get here:
static int __find_elem(struct ce_array *ca, u64 pfn, unsigned int *to)
{
u64 this_pfn;
int min = 0, max = ca->n;
The biggest value "max" can have is MAX_ELEMS-1
-Tony
