From: Tejun Heo <tj@kernel.org>
To: cluster-devel.redhat.com
Subject: [Cluster-devel] [PATCH] idr: fix a subtle bug in idr_get_next()
Date: Sat, 2 Feb 2013 15:10:48 -0800
Message-ID: <20130202231048.GA3940@mtj.dyndns.org>
In-Reply-To: <20130201180028.GC31863@mtj.dyndns.org>
The iteration logic of idr_get_next() is borrowed mostly verbatim from
idr_for_each(). It walks down the tree looking for the slot matching
the current ID. If the matching slot is not found, the ID is
incremented by the distance of single slot at the given level and
repeats.
The implementation assumes that during the whole iteration id is
aligned to the layer boundaries of the level closest to the leaf,
which is true for all iterations starting from zero or an existing
element and thus is fine for idr_for_each().
However, idr_get_next() may be given any point and if the starting id
hits in the middle of a non-existent layer, increment to the next
layer will end up skipping the same offset into it. For example, an
IDR with IDs filled between [64, 127] would look like the following.
          [  0  64  ... ]
       /----/   |
       |        |
      NULL    [ 64 ... 127 ]
If idr_get_next() is called with 63 as the starting point, it will try
to follow down the pointer from 0. As it is NULL, it will then try to
proceed to the next slot in the same level by adding the slot distance
at that level which is 64 - making the next try 127. It goes around
the loop and finds and returns 127 skipping [64, 126].
Note that this bug also triggers in idr_for_each_entry() loop which
deletes during iteration as deletions can make layers go away leaving
the iteration with unaligned ID into missing layers.
Fix it by ensuring proceeding to the next slot doesn't carry over the
unaligned offset - ie. use round_up(id + 1, slot_distance) instead of
id += slot_distance.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: David Teigland <teigland@redhat.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
---
lib/idr.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/idr.c b/lib/idr.c
index 6482390..ca5aa00 100644
--- a/lib/idr.c
+++ b/lib/idr.c
@@ -625,7 +625,14 @@ void *idr_get_next(struct idr *idp, int *nextidp)
return p;
}
- id += 1 << n;
+ /*
+ * Proceed to the next layer at the current level. Unlike
+ * idr_for_each(), @id isn't guaranteed to be aligned to
+ * layer boundary@this point and adding 1 << n may
+ * incorrectly skip IDs. Make sure we jump to the
+ * beginning of the next layer using round_up().
+ */
+ id = round_up(id + 1, 1 << n);
while (n < fls(id)) {
n += IDR_BITS;
p = *--paa;
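Review bot: The new assignment id = round_up(id + 1, 1 << n) is evaluated in signed arithmetic if id is an int like *nextidp, so a large id combined with a large n could carry the result past INT_MAX before the following while (n < fls(id)) test sees it. Please state in the comment which bound on id rules that out, or do the rounding on an unsigned value. The comment could also say that round_up() is only valid here because 1 << n is a power of two, so a later change to the step size does not silently break the rounding.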
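The skip described in the commit message, reproduced on a toy two-level tree. This is an added example, not kernel code and not part of the patch; `toy_get_next`, `demo_next`, the 6-bit fan-out and the `ROUND_UP` macro are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BITS  6                         /* assumed fan-out: 64 slots per layer */
#define SLOTS (1 << BITS)
#define ROUND_UP(x, y) ((((x) - 1) | ((y) - 1)) + 1)  /* y must be a power of two */

struct layer { void *slot[SLOTS]; };

/* Find the first populated ID >= id. aligned != 0 selects the patched step. */
static int toy_get_next(struct layer *top, int id, int aligned)
{
    int max = 1 << (2 * BITS);

    while (id < max) {
        int n = 2 * BITS;               /* ID bits covered below the current node */
        void *p = top;

        while (n > 0 && p) {            /* walk down toward the leaf slot */
            n -= BITS;
            p = ((struct layer *)p)->slot[(id >> n) & (SLOTS - 1)];
        }
        if (p)
            return id;                  /* slot for this ID is populated */
        /* n is the level at which the walk hit NULL */
        id = aligned ? ROUND_UP(id + 1, 1 << n) : id + (1 << n);
    }
    return -1;                          /* nothing at or after the start ID */
}

static struct layer top, leaf;
static int marker;                      /* constructed stand-in for stored objects */

/* Build the tree from the commit message (IDs 64..127 present) and search it. */
int demo_next(int start, int aligned)
{
    memset(&top, 0, sizeof(top));
    for (int i = 0; i < SLOTS; i++)
        leaf.slot[i] = &marker;
    top.slot[1] = &leaf;                /* top.slot[0] stays NULL: IDs 0..63 absent */
    return toy_get_next(&top, start, aligned);
}

int main(void)
{
    printf("old step from 63: %d\n", demo_next(63, 0));
    printf("new step from 63: %d\n", demo_next(63, 1));
    return 0;
}
```

Starting from an aligned ID such as 0, both variants return 64, which is why the unaligned start is needed to see the difference.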