2004-11-10 21:03:50

by Dave Kleikamp

Subject: [PATCH] bug in radix_tree_delete

I was looking through the radix tree code and came across what I think
is a bug in radix_tree_delete.

    for (idx = 0; idx < RADIX_TREE_TAG_LONGS; idx++) {
        if (pathp[0].node->tags[tag][idx]) {
            tags[tag] = 1;
            nr_cleared_tags--;
            break;
        }
    }

The above loop should only be executed if tags[tag] is zero. Otherwise,
when walking up the tree, we can decrement nr_cleared_tags twice or more
for the same value of tag, thus potentially exiting the outer loop too
early.

radix-tree: Ensure that nr_cleared_tags is only decremented once for each tag.

Signed-off-by: Dave Kleikamp <[email protected]>

diff -Nurp linux-2.6.10-rc1-mm4/lib/radix-tree.c linux/lib/radix-tree.c
--- linux-2.6.10-rc1-mm4/lib/radix-tree.c 2004-11-10 14:45:18.259269000 -0600
+++ linux/lib/radix-tree.c 2004-11-10 14:45:59.292031072 -0600
@@ -725,8 +725,10 @@ void *radix_tree_delete(struct radix_tre
for (tag = 0; tag < RADIX_TREE_TAGS; tag++) {
int idx;

- if (!tags[tag])
- tag_clear(pathp[0].node, tag, pathp[0].offset);
+ if (tags[tag])
+ continue;
+
+ tag_clear(pathp[0].node, tag, pathp[0].offset);

for (idx = 0; idx < RADIX_TREE_TAG_LONGS; idx++) {
if (pathp[0].node->tags[tag][idx]) {
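Review bot: the hunk is cut off after the `if (pathp[0].node->tags[tag][idx]) {` line, so the `tags[tag] = 1` assignment and the `nr_cleared_tags--` decrement that the new `continue` is meant to guard are not visible in the posted context; please post the complete hunk so the change can be checked against its trailing lines. As far as shown, replacing `if (!tags[tag]) tag_clear(...)` with `if (tags[tag]) continue;` followed by an unconditional `tag_clear(pathp[0].node, tag, pathp[0].offset);` keeps the tag_clear behaviour unchanged and additionally skips the scan loop for tags already recorded in `tags[]`, which matches the description of decrementing `nr_cleared_tags` only once per tag.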