The ioctl interface always knows how many targets are going to be in
the table, so remove the dynamic array sizing code in dm-table.c.
This fixes a problem with large tables where the dm_target pointer
passed to the target ctr was becoming invalid.
--- diff/drivers/md/dm-ioctl.c	2003-10-16 10:45:01.000000000 +0100
+++ source/drivers/md/dm-ioctl.c	2003-10-16 10:45:14.000000000 +0100
@@ -871,7 +871,7 @@
 	struct hash_cell *hc;
 	struct dm_table *t;
 
-	r = dm_table_create(&t, get_mode(param));
+	r = dm_table_create(&t, get_mode(param), param->target_count);
 	if (r)
 		return r;
 
--- diff/drivers/md/dm-table.c	2003-10-16 10:45:07.000000000 +0100
+++ source/drivers/md/dm-table.c	2003-10-16 10:45:14.000000000 +0100
@@ -112,42 +112,7 @@
 	return 0;
 }
 
-/*
- * highs, and targets are managed as dynamic arrays during a
- * table load.
- */
-static int alloc_targets(struct dm_table *t, unsigned int num)
-{
-	sector_t *n_highs;
-	struct dm_target *n_targets;
-	int n = t->num_targets;
-
-	/*
-	 * Allocate both the target array and offset array at once.
-	 */
-	n_highs = (sector_t *) vcalloc(sizeof(struct dm_target) +
-				       sizeof(sector_t), num);
-	if (!n_highs)
-		return -ENOMEM;
-
-	n_targets = (struct dm_target *) (n_highs + num);
-
-	if (n) {
-		memcpy(n_highs, t->highs, sizeof(*n_highs) * n);
-		memcpy(n_targets, t->targets, sizeof(*n_targets) * n);
-	}
-
-	memset(n_highs + n, -1, sizeof(*n_highs) * (num - n));
-	vfree(t->highs);
-
-	t->num_allocated = num;
-	t->highs = n_highs;
-	t->targets = n_targets;
-
-	return 0;
-}
-
-int dm_table_create(struct dm_table **result, int mode)
+int dm_table_create(struct dm_table **result, int mode, unsigned num_targets)
 {
 	struct dm_table *t = kmalloc(sizeof(*t), GFP_NOIO);
 
@@ -158,13 +123,17 @@
 	INIT_LIST_HEAD(&t->devices);
 	atomic_set(&t->holders, 1);
 
-	/* allocate a single nodes worth of targets to begin with */
-	if (alloc_targets(t, KEYS_PER_NODE)) {
+
+	/* allocate both the target array and offset array at once */
+	t->highs = (sector_t *) vcalloc(sizeof(struct dm_target) +
+					sizeof(sector_t), num_targets);
+	if (!t->highs) {
 		kfree(t);
-		t = NULL;
 		return -ENOMEM;
 	}
 
+	t->targets = (struct dm_target *) (t->highs + num_targets);
+	t->num_allocated = num_targets;
 	t->mode = mode;
 	*result = t;
 	return 0;
@@ -224,17 +193,6 @@
 }
 
 /*
- * Checks to see if we need to extend highs or targets.
- */
-static inline int check_space(struct dm_table *t)
-{
-	if (t->num_targets >= t->num_allocated)
-		return alloc_targets(t, t->num_allocated * 2);
-
-	return 0;
-}
-
-/*
  * Convert a device path to a dev_t.
  */
 static int lookup_device(const char *path, kdev_t *dev)
@@ -526,8 +484,8 @@
 	char **argv;
 	struct dm_target *tgt;
 
-	if ((r = check_space(t)))
-		return r;
+	if (t->num_targets >= t->num_allocated)
+		return -ENOMEM;
 
 	tgt = t->targets + t->num_targets;
 	memset(tgt, 0, sizeof(*tgt));
--- diff/drivers/md/dm.h	2003-10-16 10:44:23.000000000 +0100
+++ source/drivers/md/dm.h	2003-10-16 10:45:14.000000000 +0100
@@ -96,7 +96,7 @@
  * Functions for manipulating a table.  Tables are also reference
  * counted.
  *---------------------------------------------------------------*/
-int dm_table_create(struct dm_table **result, int mode);
+int dm_table_create(struct dm_table **result, int mode, unsigned num_targets);
 
 void dm_table_get(struct dm_table *t);
 void dm_table_put(struct dm_table *t);