idr: fix a critical misallocation bug, take#2

[karo-tx-linux.git] / lib / idr.c

diff --git a/lib/idr.c b/lib/idr.c
index ba7d37cf7847fbcd025b8039237acfef48c7a7ca..0dc782216d4b94dc423c2d62d1ac70a2b6d30ddc 100644 (file)
--- a/lib/idr.c
+++ b/lib/idr.c
@@ -140,7 +140,8 @@ static int sub_alloc(struct idr *idp, int *starting_id, struct idr_layer **pa)
        id = *starting_id;
  restart:
        p = idp->top;
-       l = p->layer;
+       l = idp->layers;
+       pa[l--] = NULL;
        while (1) {
                /*
                 * We run around this while until we reach the leaf node...
@@ -154,11 +155,13 @@ static int sub_alloc(struct idr *idp, int *starting_id, struct idr_layer **pa)
                        oid = id;
                        id = (id | ((1 << (IDR_BITS * l)) - 1)) + 1;
 
-                       /* did id go over the limit? */
-                       if (id >= (1 << (idp->layers * IDR_BITS))) {
+                       /* if already at the top layer, we need to grow */
+                       if (id >= 1 << (idp->layers * IDR_BITS)) {
                                *starting_id = id;
                                return IDR_NEED_TO_GROW;
                        }
+                       p = pa[l];
+                       BUG_ON(!p);
 
                        /* If we need to go up one layer, continue the
                         * loop; otherwise, restart from the top.