lib/radix-tree.c: fix overflow in radix_tree_range_tag_if_tagged()
[linux-2.6.git] / lib / radix-tree.c
index 402eb4e..5b7d462 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2001 Momchil Velikov
  * Portions Copyright (C) 2001 Christoph Hellwig
- * Copyright (C) 2005 SGI, Christoph Lameter <clameter@sgi.com>
+ * Copyright (C) 2005 SGI, Christoph Lameter
  * Copyright (C) 2006 Nick Piggin
  *
  * This program is free software; you can redistribute it and/or
@@ -28,7 +28,6 @@
 #include <linux/slab.h>
 #include <linux/notifier.h>
 #include <linux/cpu.h>
-#include <linux/gfp.h>
 #include <linux/string.h>
 #include <linux/bitops.h>
 #include <linux/rcupdate.h>
@@ -60,9 +59,14 @@ struct radix_tree_path {
 };
 
 #define RADIX_TREE_INDEX_BITS  (8 /* CHAR_BIT */ * sizeof(unsigned long))
-#define RADIX_TREE_MAX_PATH (RADIX_TREE_INDEX_BITS/RADIX_TREE_MAP_SHIFT + 2)
+#define RADIX_TREE_MAX_PATH (DIV_ROUND_UP(RADIX_TREE_INDEX_BITS, \
+                                         RADIX_TREE_MAP_SHIFT))
 
-static unsigned long height_to_maxindex[RADIX_TREE_MAX_PATH] __read_mostly;
+/*
+ * The height_to_maxindex array needs to be one deeper than the maximum
+ * path as height 0 holds only 1 entry.
+ */
+static unsigned long height_to_maxindex[RADIX_TREE_MAX_PATH + 1] __read_mostly;
 
 /*
  * Radix tree node cache.
@@ -76,13 +80,64 @@ struct radix_tree_preload {
        int nr;
        struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
 };
-DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
+static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
 
 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
 {
        return root->gfp_mask & __GFP_BITS_MASK;
 }
 
+static inline void tag_set(struct radix_tree_node *node, unsigned int tag,
+               int offset)
+{
+       __set_bit(offset, node->tags[tag]);
+}
+
+static inline void tag_clear(struct radix_tree_node *node, unsigned int tag,
+               int offset)
+{
+       __clear_bit(offset, node->tags[tag]);
+}
+
+static inline int tag_get(struct radix_tree_node *node, unsigned int tag,
+               int offset)
+{
+       return test_bit(offset, node->tags[tag]);
+}
+
+static inline void root_tag_set(struct radix_tree_root *root, unsigned int tag)
+{
+       root->gfp_mask |= (__force gfp_t)(1 << (tag + __GFP_BITS_SHIFT));
+}
+
+static inline void root_tag_clear(struct radix_tree_root *root, unsigned int tag)
+{
+       root->gfp_mask &= (__force gfp_t)~(1 << (tag + __GFP_BITS_SHIFT));
+}
+
+static inline void root_tag_clear_all(struct radix_tree_root *root)
+{
+       root->gfp_mask &= __GFP_BITS_MASK;
+}
+
+static inline int root_tag_get(struct radix_tree_root *root, unsigned int tag)
+{
+       return (__force unsigned)root->gfp_mask & (1 << (tag + __GFP_BITS_SHIFT));
+}
+
+/*
+ * Returns 1 if any slot in the node has this tag set.
+ * Otherwise returns 0.
+ */
+static inline int any_tag_set(struct radix_tree_node *node, unsigned int tag)
+{
+       int idx;
+       for (idx = 0; idx < RADIX_TREE_TAG_LONGS; idx++) {
+               if (node->tags[tag][idx])
+                       return 1;
+       }
+       return 0;
+}
 /*
  * This assumes that the caller has performed appropriate preallocation, and
  * that the caller has pinned this thread of control to the current CPU.
@@ -90,13 +145,17 @@ static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
 static struct radix_tree_node *
 radix_tree_node_alloc(struct radix_tree_root *root)
 {
-       struct radix_tree_node *ret;
+       struct radix_tree_node *ret = NULL;
        gfp_t gfp_mask = root_gfp_mask(root);
 
-       ret = kmem_cache_alloc(radix_tree_node_cachep, gfp_mask);
-       if (ret == NULL && !(gfp_mask & __GFP_WAIT)) {
+       if (!(gfp_mask & __GFP_WAIT)) {
                struct radix_tree_preload *rtp;
 
+               /*
+                * Provided the caller has preloaded here, we will always
+                * succeed in getting a node here (and never reach
+                * kmem_cache_alloc)
+                */
                rtp = &__get_cpu_var(radix_tree_preloads);
                if (rtp->nr) {
                        ret = rtp->nodes[rtp->nr - 1];
@@ -104,7 +163,10 @@ radix_tree_node_alloc(struct radix_tree_root *root)
                        rtp->nr--;
                }
        }
-       BUG_ON(radix_tree_is_direct_ptr(ret));
+       if (ret == NULL)
+               ret = kmem_cache_alloc(radix_tree_node_cachep, gfp_mask);
+
+       BUG_ON(radix_tree_is_indirect_ptr(ret));
        return ret;
 }
 
@@ -112,6 +174,17 @@ static void radix_tree_node_rcu_free(struct rcu_head *head)
 {
        struct radix_tree_node *node =
                        container_of(head, struct radix_tree_node, rcu_head);
+
+       /*
+        * must only free zeroed nodes into the slab. radix_tree_shrink
+        * can leave us with a non-NULL entry in the first slot, so clear
+        * that here to make sure.
+        */
+       tag_clear(node, 0, 0);
+       tag_clear(node, 1, 0);
+       node->slots[0] = NULL;
+       node->count = 0;
+
        kmem_cache_free(radix_tree_node_cachep, node);
 }
 
@@ -126,6 +199,9 @@ radix_tree_node_free(struct radix_tree_node *node)
  * ensure that the addition of a single element in the tree cannot fail.  On
  * success, return zero, with preemption disabled.  On error, return -ENOMEM
  * with preemption not disabled.
+ *
+ * To make use of this facility, the radix tree must be initialised without
+ * __GFP_WAIT being passed to INIT_RADIX_TREE().
  */
 int radix_tree_preload(gfp_t gfp_mask)
 {
@@ -151,59 +227,7 @@ int radix_tree_preload(gfp_t gfp_mask)
 out:
        return ret;
 }
-
-static inline void tag_set(struct radix_tree_node *node, unsigned int tag,
-               int offset)
-{
-       __set_bit(offset, node->tags[tag]);
-}
-
-static inline void tag_clear(struct radix_tree_node *node, unsigned int tag,
-               int offset)
-{
-       __clear_bit(offset, node->tags[tag]);
-}
-
-static inline int tag_get(struct radix_tree_node *node, unsigned int tag,
-               int offset)
-{
-       return test_bit(offset, node->tags[tag]);
-}
-
-static inline void root_tag_set(struct radix_tree_root *root, unsigned int tag)
-{
-       root->gfp_mask |= (__force gfp_t)(1 << (tag + __GFP_BITS_SHIFT));
-}
-
-
-static inline void root_tag_clear(struct radix_tree_root *root, unsigned int tag)
-{
-       root->gfp_mask &= (__force gfp_t)~(1 << (tag + __GFP_BITS_SHIFT));
-}
-
-static inline void root_tag_clear_all(struct radix_tree_root *root)
-{
-       root->gfp_mask &= __GFP_BITS_MASK;
-}
-
-static inline int root_tag_get(struct radix_tree_root *root, unsigned int tag)
-{
-       return (__force unsigned)root->gfp_mask & (1 << (tag + __GFP_BITS_SHIFT));
-}
-
-/*
- * Returns 1 if any slot in the node has this tag set.
- * Otherwise returns 0.
- */
-static inline int any_tag_set(struct radix_tree_node *node, unsigned int tag)
-{
-       int idx;
-       for (idx = 0; idx < RADIX_TREE_TAG_LONGS; idx++) {
-               if (node->tags[tag][idx])
-                       return 1;
-       }
-       return 0;
-}
+EXPORT_SYMBOL(radix_tree_preload);
 
 /*
  *     Return the maximum key which can be store into a
@@ -239,7 +263,7 @@ static int radix_tree_extend(struct radix_tree_root *root, unsigned long index)
                        return -ENOMEM;
 
                /* Increase the height.  */
-               node->slots[0] = radix_tree_direct_to_ptr(root->rnode);
+               node->slots[0] = radix_tree_indirect_to_ptr(root->rnode);
 
                /* Propagate the aggregated tag info into the new root */
                for (tag = 0; tag < RADIX_TREE_MAX_TAGS; tag++) {
@@ -250,6 +274,7 @@ static int radix_tree_extend(struct radix_tree_root *root, unsigned long index)
                newheight = root->height+1;
                node->height = newheight;
                node->count = 1;
+               node = radix_tree_ptr_to_indirect(node);
                rcu_assign_pointer(root->rnode, node);
                root->height = newheight;
        } while (height > root->height);
@@ -273,7 +298,7 @@ int radix_tree_insert(struct radix_tree_root *root,
        int offset;
        int error;
 
-       BUG_ON(radix_tree_is_direct_ptr(item));
+       BUG_ON(radix_tree_is_indirect_ptr(item));
 
        /* Make sure the tree is high enough.  */
        if (index > radix_tree_maxindex(root->height)) {
@@ -282,7 +307,8 @@ int radix_tree_insert(struct radix_tree_root *root,
                        return error;
        }
 
-       slot = root->rnode;
+       slot = radix_tree_indirect_to_ptr(root->rnode);
+
        height = root->height;
        shift = (height-1) * RADIX_TREE_MAP_SHIFT;
 
@@ -297,7 +323,8 @@ int radix_tree_insert(struct radix_tree_root *root,
                                rcu_assign_pointer(node->slots[offset], slot);
                                node->count++;
                        } else
-                               rcu_assign_pointer(root->rnode, slot);
+                               rcu_assign_pointer(root->rnode,
+                                       radix_tree_ptr_to_indirect(slot));
                }
 
                /* Go a level down */
@@ -317,7 +344,7 @@ int radix_tree_insert(struct radix_tree_root *root,
                BUG_ON(tag_get(node, 0, offset));
                BUG_ON(tag_get(node, 1, offset));
        } else {
-               rcu_assign_pointer(root->rnode, radix_tree_ptr_to_direct(item));
+               rcu_assign_pointer(root->rnode, item);
                BUG_ON(root_tag_get(root, 0));
                BUG_ON(root_tag_get(root, 1));
        }
@@ -326,34 +353,26 @@ int radix_tree_insert(struct radix_tree_root *root,
 }
 EXPORT_SYMBOL(radix_tree_insert);
 
-/**
- *     radix_tree_lookup_slot    -    lookup a slot in a radix tree
- *     @root:          radix tree root
- *     @index:         index key
- *
- *     Returns:  the slot corresponding to the position @index in the
- *     radix tree @root. This is useful for update-if-exists operations.
- *
- *     This function cannot be called under rcu_read_lock, it must be
- *     excluded from writers, as must the returned slot for subsequent
- *     use by radix_tree_deref_slot() and radix_tree_replace slot.
- *     Caller must hold tree write locked across slot lookup and
- *     replace.
+/*
+ * is_slot == 1 : search for the slot.
+ * is_slot == 0 : search for the node.
  */
-void **radix_tree_lookup_slot(struct radix_tree_root *root, unsigned long index)
+static void *radix_tree_lookup_element(struct radix_tree_root *root,
+                               unsigned long index, int is_slot)
 {
        unsigned int height, shift;
        struct radix_tree_node *node, **slot;
 
-       node = root->rnode;
+       node = rcu_dereference_raw(root->rnode);
        if (node == NULL)
                return NULL;
 
-       if (radix_tree_is_direct_ptr(node)) {
+       if (!radix_tree_is_indirect_ptr(node)) {
                if (index > 0)
                        return NULL;
-               return (void **)&root->rnode;
+               return is_slot ? (void *)&root->rnode : node;
        }
+       node = radix_tree_indirect_to_ptr(node);
 
        height = node->height;
        if (index > radix_tree_maxindex(height))
@@ -364,7 +383,7 @@ void **radix_tree_lookup_slot(struct radix_tree_root *root, unsigned long index)
        do {
                slot = (struct radix_tree_node **)
                        (node->slots + ((index>>shift) & RADIX_TREE_MAP_MASK));
-               node = *slot;
+               node = rcu_dereference_raw(*slot);
                if (node == NULL)
                        return NULL;
 
@@ -372,7 +391,25 @@ void **radix_tree_lookup_slot(struct radix_tree_root *root, unsigned long index)
                height--;
        } while (height > 0);
 
-       return (void **)slot;
+       return is_slot ? (void *)slot:node;
+}
+
+/**
+ *     radix_tree_lookup_slot    -    lookup a slot in a radix tree
+ *     @root:          radix tree root
+ *     @index:         index key
+ *
+ *     Returns:  the slot corresponding to the position @index in the
+ *     radix tree @root. This is useful for update-if-exists operations.
+ *
+ *     This function can be called under rcu_read_lock iff the slot is not
+ *     modified by radix_tree_replace_slot, otherwise it must be called
+ *     exclusive from other writers. Any dereference of the slot must be done
+ *     using radix_tree_deref_slot.
+ */
+void **radix_tree_lookup_slot(struct radix_tree_root *root, unsigned long index)
+{
+       return (void **)radix_tree_lookup_element(root, index, 1);
 }
 EXPORT_SYMBOL(radix_tree_lookup_slot);
 
@@ -390,37 +427,7 @@ EXPORT_SYMBOL(radix_tree_lookup_slot);
  */
 void *radix_tree_lookup(struct radix_tree_root *root, unsigned long index)
 {
-       unsigned int height, shift;
-       struct radix_tree_node *node, **slot;
-
-       node = rcu_dereference(root->rnode);
-       if (node == NULL)
-               return NULL;
-
-       if (radix_tree_is_direct_ptr(node)) {
-               if (index > 0)
-                       return NULL;
-               return radix_tree_direct_to_ptr(node);
-       }
-
-       height = node->height;
-       if (index > radix_tree_maxindex(height))
-               return NULL;
-
-       shift = (height-1) * RADIX_TREE_MAP_SHIFT;
-
-       do {
-               slot = (struct radix_tree_node **)
-                       (node->slots + ((index>>shift) & RADIX_TREE_MAP_MASK));
-               node = rcu_dereference(*slot);
-               if (node == NULL)
-                       return NULL;
-
-               shift -= RADIX_TREE_MAP_SHIFT;
-               height--;
-       } while (height > 0);
-
-       return node;
+       return radix_tree_lookup_element(root, index, 0);
 }
 EXPORT_SYMBOL(radix_tree_lookup);
 
@@ -446,7 +453,7 @@ void *radix_tree_tag_set(struct radix_tree_root *root,
        height = root->height;
        BUG_ON(index > radix_tree_maxindex(height));
 
-       slot = root->rnode;
+       slot = radix_tree_indirect_to_ptr(root->rnode);
        shift = (height - 1) * RADIX_TREE_MAP_SHIFT;
 
        while (height > 0) {
@@ -486,7 +493,11 @@ EXPORT_SYMBOL(radix_tree_tag_set);
 void *radix_tree_tag_clear(struct radix_tree_root *root,
                        unsigned long index, unsigned int tag)
 {
-       struct radix_tree_path path[RADIX_TREE_MAX_PATH], *pathp = path;
+       /*
+        * The radix tree path needs to be one longer than the maximum path
+        * since the "list" is null terminated.
+        */
+       struct radix_tree_path path[RADIX_TREE_MAX_PATH + 1], *pathp = path;
        struct radix_tree_node *slot = NULL;
        unsigned int height, shift;
 
@@ -496,7 +507,7 @@ void *radix_tree_tag_clear(struct radix_tree_root *root,
 
        shift = (height - 1) * RADIX_TREE_MAP_SHIFT;
        pathp->node = NULL;
-       slot = root->rnode;
+       slot = radix_tree_indirect_to_ptr(root->rnode);
 
        while (height > 0) {
                int offset;
@@ -534,7 +545,6 @@ out:
 }
 EXPORT_SYMBOL(radix_tree_tag_clear);
 
-#ifndef __KERNEL__     /* Only the test harness uses this at present */
 /**
  * radix_tree_tag_get - get a tag on a radix tree node
  * @root:              radix tree root
@@ -545,6 +555,10 @@ EXPORT_SYMBOL(radix_tree_tag_clear);
  *
  *  0: tag not present or not set
  *  1: tag set
+ *
+ * Note that the return value of this function may not be relied on, even if
+ * the RCU lock is held, unless tag modification and node deletion are excluded
+ * from concurrency.
  */
 int radix_tree_tag_get(struct radix_tree_root *root,
                        unsigned long index, unsigned int tag)
@@ -557,12 +571,13 @@ int radix_tree_tag_get(struct radix_tree_root *root,
        if (!root_tag_get(root, tag))
                return 0;
 
-       node = rcu_dereference(root->rnode);
+       node = rcu_dereference_raw(root->rnode);
        if (node == NULL)
                return 0;
 
-       if (radix_tree_is_direct_ptr(node))
+       if (!radix_tree_is_indirect_ptr(node))
                return (index == 0);
+       node = radix_tree_indirect_to_ptr(node);
 
        height = node->height;
        if (index > radix_tree_maxindex(height))
@@ -584,22 +599,188 @@ int radix_tree_tag_get(struct radix_tree_root *root,
                 */
                if (!tag_get(node, tag, offset))
                        saw_unset_tag = 1;
-               if (height == 1) {
-                       int ret = tag_get(node, tag, offset);
-
-                       BUG_ON(ret && saw_unset_tag);
-                       return !!ret;
-               }
-               node = rcu_dereference(node->slots[offset]);
+               if (height == 1)
+                       return !!tag_get(node, tag, offset);
+               node = rcu_dereference_raw(node->slots[offset]);
                shift -= RADIX_TREE_MAP_SHIFT;
                height--;
        }
 }
 EXPORT_SYMBOL(radix_tree_tag_get);
-#endif
+
+/**
+ * radix_tree_range_tag_if_tagged - for each item in given range set given
+ *                                tag if item has another tag set
+ * @root:              radix tree root
+ * @first_indexp:      pointer to a starting index of a range to scan
+ * @last_index:                last index of a range to scan
+ * @nr_to_tag:         maximum number items to tag
+ * @iftag:             tag index to test
+ * @settag:            tag index to set if tested tag is set
+ *
+ * This function scans range of radix tree from first_index to last_index
+ * (inclusive).  For each item in the range if iftag is set, the function sets
+ * also settag. The function stops either after tagging nr_to_tag items or
+ * after reaching last_index.
+ *
+ * The function returns number of leaves where the tag was set and sets
+ * *first_indexp to the first unscanned index.
+ * WARNING! *first_indexp can wrap if last_index is ULONG_MAX. Caller must
+ * be prepared to handle that.
+ */
+unsigned long radix_tree_range_tag_if_tagged(struct radix_tree_root *root,
+               unsigned long *first_indexp, unsigned long last_index,
+               unsigned long nr_to_tag,
+               unsigned int iftag, unsigned int settag)
+{
+       unsigned int height = root->height, shift;
+       unsigned long tagged = 0, index = *first_indexp;
+       struct radix_tree_node *open_slots[height], *slot;
+
+       last_index = min(last_index, radix_tree_maxindex(height));
+       if (index > last_index)
+               return 0;
+       if (!nr_to_tag)
+               return 0;
+       if (!root_tag_get(root, iftag)) {
+               *first_indexp = last_index + 1;
+               return 0;
+       }
+       if (height == 0) {
+               *first_indexp = last_index + 1;
+               root_tag_set(root, settag);
+               return 1;
+       }
+
+       shift = (height - 1) * RADIX_TREE_MAP_SHIFT;
+       slot = radix_tree_indirect_to_ptr(root->rnode);
+
+       for (;;) {
+               int offset;
+
+               offset = (index >> shift) & RADIX_TREE_MAP_MASK;
+               if (!slot->slots[offset])
+                       goto next;
+               if (!tag_get(slot, iftag, offset))
+                       goto next;
+               tag_set(slot, settag, offset);
+               if (height == 1) {
+                       tagged++;
+                       goto next;
+               }
+               /* Go down one level */
+               height--;
+               shift -= RADIX_TREE_MAP_SHIFT;
+               open_slots[height] = slot;
+               slot = slot->slots[offset];
+               continue;
+next:
+               /* Go to next item at level determined by 'shift' */
+               index = ((index >> shift) + 1) << shift;
+               /* Overflow can happen when last_index is ~0UL... */
+               if (index > last_index || !index)
+                       break;
+               if (tagged >= nr_to_tag)
+                       break;
+               while (((index >> shift) & RADIX_TREE_MAP_MASK) == 0) {
+                       /*
+                        * We've fully scanned this node. Go up. Because
+                        * last_index is guaranteed to be in the tree, what
+                        * we do below cannot wander astray.
+                        */
+                       slot = open_slots[height];
+                       height++;
+                       shift += RADIX_TREE_MAP_SHIFT;
+               }
+       }
+       /*
+        * The iftag must have been set somewhere because otherwise
+        * we would return immediated at the beginning of the function
+        */
+       root_tag_set(root, settag);
+       *first_indexp = index;
+
+       return tagged;
+}
+EXPORT_SYMBOL(radix_tree_range_tag_if_tagged);
+
+
+/**
+ *     radix_tree_next_hole    -    find the next hole (not-present entry)
+ *     @root:          tree root
+ *     @index:         index key
+ *     @max_scan:      maximum range to search
+ *
+ *     Search the set [index, min(index+max_scan-1, MAX_INDEX)] for the lowest
+ *     indexed hole.
+ *
+ *     Returns: the index of the hole if found, otherwise returns an index
+ *     outside of the set specified (in which case 'return - index >= max_scan'
+ *     will be true). In rare cases of index wrap-around, 0 will be returned.
+ *
+ *     radix_tree_next_hole may be called under rcu_read_lock. However, like
+ *     radix_tree_gang_lookup, this will not atomically search a snapshot of
+ *     the tree at a single point in time. For example, if a hole is created
+ *     at index 5, then subsequently a hole is created at index 10,
+ *     radix_tree_next_hole covering both indexes may return 10 if called
+ *     under rcu_read_lock.
+ */
+unsigned long radix_tree_next_hole(struct radix_tree_root *root,
+                               unsigned long index, unsigned long max_scan)
+{
+       unsigned long i;
+
+       for (i = 0; i < max_scan; i++) {
+               if (!radix_tree_lookup(root, index))
+                       break;
+               index++;
+               if (index == 0)
+                       break;
+       }
+
+       return index;
+}
+EXPORT_SYMBOL(radix_tree_next_hole);
+
+/**
+ *     radix_tree_prev_hole    -    find the prev hole (not-present entry)
+ *     @root:          tree root
+ *     @index:         index key
+ *     @max_scan:      maximum range to search
+ *
+ *     Search backwards in the range [max(index-max_scan+1, 0), index]
+ *     for the first hole.
+ *
+ *     Returns: the index of the hole if found, otherwise returns an index
+ *     outside of the set specified (in which case 'index - return >= max_scan'
+ *     will be true). In rare cases of wrap-around, ULONG_MAX will be returned.
+ *
+ *     radix_tree_next_hole may be called under rcu_read_lock. However, like
+ *     radix_tree_gang_lookup, this will not atomically search a snapshot of
+ *     the tree at a single point in time. For example, if a hole is created
+ *     at index 10, then subsequently a hole is created at index 5,
+ *     radix_tree_prev_hole covering both indexes may return 5 if called under
+ *     rcu_read_lock.
+ */
+unsigned long radix_tree_prev_hole(struct radix_tree_root *root,
+                                  unsigned long index, unsigned long max_scan)
+{
+       unsigned long i;
+
+       for (i = 0; i < max_scan; i++) {
+               if (!radix_tree_lookup(root, index))
+                       break;
+               index--;
+               if (index == ULONG_MAX)
+                       break;
+       }
+
+       return index;
+}
+EXPORT_SYMBOL(radix_tree_prev_hole);
 
 static unsigned int
-__lookup(struct radix_tree_node *slot, void **results, unsigned long index,
+__lookup(struct radix_tree_node *slot, void ***results, unsigned long index,
        unsigned int max_items, unsigned long *next_index)
 {
        unsigned int nr_found = 0;
@@ -626,18 +807,16 @@ __lookup(struct radix_tree_node *slot, void **results, unsigned long index,
                }
 
                shift -= RADIX_TREE_MAP_SHIFT;
-               slot = rcu_dereference(slot->slots[i]);
+               slot = rcu_dereference_raw(slot->slots[i]);
                if (slot == NULL)
                        goto out;
        }
 
        /* Bottom level: grab some items */
        for (i = index & RADIX_TREE_MAP_MASK; i < RADIX_TREE_MAP_SIZE; i++) {
-               struct radix_tree_node *node;
                index++;
-               node = slot->slots[i];
-               if (node) {
-                       results[nr_found++] = rcu_dereference(node);
+               if (slot->slots[i]) {
+                       results[nr_found++] = &(slot->slots[i]);
                        if (nr_found == max_items)
                                goto out;
                }
@@ -675,29 +854,38 @@ radix_tree_gang_lookup(struct radix_tree_root *root, void **results,
        unsigned long cur_index = first_index;
        unsigned int ret;
 
-       node = rcu_dereference(root->rnode);
+       node = rcu_dereference_raw(root->rnode);
        if (!node)
                return 0;
 
-       if (radix_tree_is_direct_ptr(node)) {
+       if (!radix_tree_is_indirect_ptr(node)) {
                if (first_index > 0)
                        return 0;
-               node = radix_tree_direct_to_ptr(node);
-               results[0] = rcu_dereference(node);
+               results[0] = node;
                return 1;
        }
+       node = radix_tree_indirect_to_ptr(node);
 
        max_index = radix_tree_maxindex(node->height);
 
        ret = 0;
        while (ret < max_items) {
-               unsigned int nr_found;
+               unsigned int nr_found, slots_found, i;
                unsigned long next_index;       /* Index of next search */
 
                if (cur_index > max_index)
                        break;
-               nr_found = __lookup(node, results + ret, cur_index,
+               slots_found = __lookup(node, (void ***)results + ret, cur_index,
                                        max_items - ret, &next_index);
+               nr_found = 0;
+               for (i = 0; i < slots_found; i++) {
+                       struct radix_tree_node *slot;
+                       slot = *(((void ***)results)[ret + i]);
+                       if (!slot)
+                               continue;
+                       results[ret + nr_found] = rcu_dereference_raw(slot);
+                       nr_found++;
+               }
                ret += nr_found;
                if (next_index == 0)
                        break;
@@ -708,12 +896,71 @@ radix_tree_gang_lookup(struct radix_tree_root *root, void **results,
 }
 EXPORT_SYMBOL(radix_tree_gang_lookup);
 
+/**
+ *     radix_tree_gang_lookup_slot - perform multiple slot lookup on radix tree
+ *     @root:          radix tree root
+ *     @results:       where the results of the lookup are placed
+ *     @first_index:   start the lookup from this key
+ *     @max_items:     place up to this many items at *results
+ *
+ *     Performs an index-ascending scan of the tree for present items.  Places
+ *     their slots at *@results and returns the number of items which were
+ *     placed at *@results.
+ *
+ *     The implementation is naive.
+ *
+ *     Like radix_tree_gang_lookup as far as RCU and locking goes. Slots must
+ *     be dereferenced with radix_tree_deref_slot, and if using only RCU
+ *     protection, radix_tree_deref_slot may fail requiring a retry.
+ */
+unsigned int
+radix_tree_gang_lookup_slot(struct radix_tree_root *root, void ***results,
+                       unsigned long first_index, unsigned int max_items)
+{
+       unsigned long max_index;
+       struct radix_tree_node *node;
+       unsigned long cur_index = first_index;
+       unsigned int ret;
+
+       node = rcu_dereference_raw(root->rnode);
+       if (!node)
+               return 0;
+
+       if (!radix_tree_is_indirect_ptr(node)) {
+               if (first_index > 0)
+                       return 0;
+               results[0] = (void **)&root->rnode;
+               return 1;
+       }
+       node = radix_tree_indirect_to_ptr(node);
+
+       max_index = radix_tree_maxindex(node->height);
+
+       ret = 0;
+       while (ret < max_items) {
+               unsigned int slots_found;
+               unsigned long next_index;       /* Index of next search */
+
+               if (cur_index > max_index)
+                       break;
+               slots_found = __lookup(node, results + ret, cur_index,
+                                       max_items - ret, &next_index);
+               ret += slots_found;
+               if (next_index == 0)
+                       break;
+               cur_index = next_index;
+       }
+
+       return ret;
+}
+EXPORT_SYMBOL(radix_tree_gang_lookup_slot);
+
 /*
  * FIXME: the two tag_get()s here should use find_next_bit() instead of
  * open-coding the search.
  */
 static unsigned int
-__lookup_tag(struct radix_tree_node *slot, void **results, unsigned long index,
+__lookup_tag(struct radix_tree_node *slot, void ***results, unsigned long index,
        unsigned int max_items, unsigned long *next_index, unsigned int tag)
 {
        unsigned int nr_found = 0;
@@ -743,11 +990,9 @@ __lookup_tag(struct radix_tree_node *slot, void **results, unsigned long index,
                        unsigned long j = index & RADIX_TREE_MAP_MASK;
 
                        for ( ; j < RADIX_TREE_MAP_SIZE; j++) {
-                               struct radix_tree_node *node;
                                index++;
                                if (!tag_get(slot, tag, j))
                                        continue;
-                               node = slot->slots[j];
                                /*
                                 * Even though the tag was found set, we need to
                                 * recheck that we have a non-NULL node, because
@@ -758,16 +1003,15 @@ __lookup_tag(struct radix_tree_node *slot, void **results, unsigned long index,
                                 * lookup ->slots[x] without a lock (ie. can't
                                 * rely on its value remaining the same).
                                 */
-                               if (node) {
-                                       node = rcu_dereference(node);
-                                       results[nr_found++] = node;
+                               if (slot->slots[j]) {
+                                       results[nr_found++] = &(slot->slots[j]);
                                        if (nr_found == max_items)
                                                goto out;
                                }
                        }
                }
                shift -= RADIX_TREE_MAP_SHIFT;
-               slot = rcu_dereference(slot->slots[i]);
+               slot = rcu_dereference_raw(slot->slots[i]);
                if (slot == NULL)
                        break;
        }
@@ -803,29 +1047,38 @@ radix_tree_gang_lookup_tag(struct radix_tree_root *root, void **results,
        if (!root_tag_get(root, tag))
                return 0;
 
-       node = rcu_dereference(root->rnode);
+       node = rcu_dereference_raw(root->rnode);
        if (!node)
                return 0;
 
-       if (radix_tree_is_direct_ptr(node)) {
+       if (!radix_tree_is_indirect_ptr(node)) {
                if (first_index > 0)
                        return 0;
-               node = radix_tree_direct_to_ptr(node);
-               results[0] = rcu_dereference(node);
+               results[0] = node;
                return 1;
        }
+       node = radix_tree_indirect_to_ptr(node);
 
        max_index = radix_tree_maxindex(node->height);
 
        ret = 0;
        while (ret < max_items) {
-               unsigned int nr_found;
+               unsigned int nr_found, slots_found, i;
                unsigned long next_index;       /* Index of next search */
 
                if (cur_index > max_index)
                        break;
-               nr_found = __lookup_tag(node, results + ret, cur_index,
-                                       max_items - ret, &next_index, tag);
+               slots_found = __lookup_tag(node, (void ***)results + ret,
+                               cur_index, max_items - ret, &next_index, tag);
+               nr_found = 0;
+               for (i = 0; i < slots_found; i++) {
+                       struct radix_tree_node *slot;
+                       slot = *(((void ***)results)[ret + i]);
+                       if (!slot)
+                               continue;
+                       results[ret + nr_found] = rcu_dereference_raw(slot);
+                       nr_found++;
+               }
                ret += nr_found;
                if (next_index == 0)
                        break;
@@ -837,18 +1090,89 @@ radix_tree_gang_lookup_tag(struct radix_tree_root *root, void **results,
 EXPORT_SYMBOL(radix_tree_gang_lookup_tag);
 
 /**
+ *     radix_tree_gang_lookup_tag_slot - perform multiple slot lookup on a
+ *                                       radix tree based on a tag
+ *     @root:          radix tree root
+ *     @results:       where the results of the lookup are placed
+ *     @first_index:   start the lookup from this key
+ *     @max_items:     place up to this many items at *results
+ *     @tag:           the tag index (< RADIX_TREE_MAX_TAGS)
+ *
+ *     Performs an index-ascending scan of the tree for present items which
+ *     have the tag indexed by @tag set.  Places the slots at *@results and
+ *     returns the number of slots which were placed at *@results.
+ */
+unsigned int
+radix_tree_gang_lookup_tag_slot(struct radix_tree_root *root, void ***results,
+               unsigned long first_index, unsigned int max_items,
+               unsigned int tag)
+{
+       struct radix_tree_node *node;
+       unsigned long max_index;
+       unsigned long cur_index = first_index;
+       unsigned int ret;
+
+       /* check the root's tag bit */
+       if (!root_tag_get(root, tag))
+               return 0;
+
+       node = rcu_dereference_raw(root->rnode);
+       if (!node)
+               return 0;
+
+       if (!radix_tree_is_indirect_ptr(node)) {
+               if (first_index > 0)
+                       return 0;
+               results[0] = (void **)&root->rnode;
+               return 1;
+       }
+       node = radix_tree_indirect_to_ptr(node);
+
+       max_index = radix_tree_maxindex(node->height);
+
+       ret = 0;
+       while (ret < max_items) {
+               unsigned int slots_found;
+               unsigned long next_index;       /* Index of next search */
+
+               if (cur_index > max_index)
+                       break;
+               slots_found = __lookup_tag(node, results + ret,
+                               cur_index, max_items - ret, &next_index, tag);
+               ret += slots_found;
+               if (next_index == 0)
+                       break;
+               cur_index = next_index;
+       }
+
+       return ret;
+}
+EXPORT_SYMBOL(radix_tree_gang_lookup_tag_slot);
+
+
+/**
  *     radix_tree_shrink    -    shrink height of a radix tree to minimal
  *     @root           radix tree root
  */
 static inline void radix_tree_shrink(struct radix_tree_root *root)
 {
        /* try to shrink tree height */
-       while (root->height > 0 &&
-                       root->rnode->count == 1 &&
-                       root->rnode->slots[0]) {
+       while (root->height > 0) {
                struct radix_tree_node *to_free = root->rnode;
                void *newptr;
 
+               BUG_ON(!radix_tree_is_indirect_ptr(to_free));
+               to_free = radix_tree_indirect_to_ptr(to_free);
+
+               /*
+                * The candidate node has more than one child, or its child
+                * is not at the leftmost slot, we cannot shrink.
+                */
+               if (to_free->count != 1)
+                       break;
+               if (!to_free->slots[0])
+                       break;
+
                /*
                 * We don't need rcu_assign_pointer(), since we are simply
                 * moving the node from one part of the tree to another. If
@@ -857,15 +1181,10 @@ static inline void radix_tree_shrink(struct radix_tree_root *root)
                 * one (root->rnode).
                 */
                newptr = to_free->slots[0];
-               if (root->height == 1)
-                       newptr = radix_tree_ptr_to_direct(newptr);
+               if (root->height > 1)
+                       newptr = radix_tree_ptr_to_indirect(newptr);
                root->rnode = newptr;
                root->height--;
-               /* must only free zeroed nodes into the slab */
-               tag_clear(to_free, 0, 0);
-               tag_clear(to_free, 1, 0);
-               to_free->slots[0] = NULL;
-               to_free->count = 0;
                radix_tree_node_free(to_free);
        }
 }
@@ -881,7 +1200,11 @@ static inline void radix_tree_shrink(struct radix_tree_root *root)
  */
 void *radix_tree_delete(struct radix_tree_root *root, unsigned long index)
 {
-       struct radix_tree_path path[RADIX_TREE_MAX_PATH], *pathp = path;
+       /*
+        * The radix tree path needs to be one longer than the maximum path
+        * since the "list" is null terminated.
+        */
+       struct radix_tree_path path[RADIX_TREE_MAX_PATH + 1], *pathp = path;
        struct radix_tree_node *slot = NULL;
        struct radix_tree_node *to_free;
        unsigned int height, shift;
@@ -893,12 +1216,12 @@ void *radix_tree_delete(struct radix_tree_root *root, unsigned long index)
                goto out;
 
        slot = root->rnode;
-       if (height == 0 && root->rnode) {
-               slot = radix_tree_direct_to_ptr(slot);
+       if (height == 0) {
                root_tag_clear_all(root);
                root->rnode = NULL;
                goto out;
        }
+       slot = radix_tree_indirect_to_ptr(slot);
 
        shift = (height - 1) * RADIX_TREE_MAP_SHIFT;
        pathp->node = NULL;
@@ -940,7 +1263,8 @@ void *radix_tree_delete(struct radix_tree_root *root, unsigned long index)
                        radix_tree_node_free(to_free);
 
                if (pathp->node->count) {
-                       if (pathp->node == root->rnode)
+                       if (pathp->node ==
+                                       radix_tree_indirect_to_ptr(root->rnode))
                                radix_tree_shrink(root);
                        goto out;
                }
@@ -973,19 +1297,21 @@ int radix_tree_tagged(struct radix_tree_root *root, unsigned int tag)
 EXPORT_SYMBOL(radix_tree_tagged);
 
 static void
-radix_tree_node_ctor(void *node, struct kmem_cache *cachep, unsigned long flags)
+radix_tree_node_ctor(void *node)
 {
        memset(node, 0, sizeof(struct radix_tree_node));
 }
 
 static __init unsigned long __maxindex(unsigned int height)
 {
-       unsigned int tmp = height * RADIX_TREE_MAP_SHIFT;
-       unsigned long index = (~0UL >> (RADIX_TREE_INDEX_BITS - tmp - 1)) >> 1;
-
-       if (tmp >= RADIX_TREE_INDEX_BITS)
-               index = ~0UL;
-       return index;
+       unsigned int width = height * RADIX_TREE_MAP_SHIFT;
+       int shift = RADIX_TREE_INDEX_BITS - width;
+
+       if (shift < 0)
+               return ~0UL;
+       if (shift >= BITS_PER_LONG)
+               return 0UL;
+       return ~0UL >> shift;
 }
 
 static __init void radix_tree_init_maxindex(void)
@@ -1020,7 +1346,8 @@ void __init radix_tree_init(void)
 {
        radix_tree_node_cachep = kmem_cache_create("radix_tree_node",
                        sizeof(struct radix_tree_node), 0,
-                       SLAB_PANIC, radix_tree_node_ctor, NULL);
+                       SLAB_PANIC | SLAB_RECLAIM_ACCOUNT,
+                       radix_tree_node_ctor);
        radix_tree_init_maxindex();
        hotcpu_notifier(radix_tree_callback, 0);
 }