summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorQuentin Casasnovas <quentin.casasnovas@oracle.com>2015-03-03 16:31:38 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2015-03-18 13:31:27 +0100
commitde9b1dd6e7696f385b12c1a3c862c1c72214bf31 (patch)
treea816ca5bb66046893a57d2b2334298010d32cc8a
parent93014d588bb73e95025705f4c64bbf0bf84d70a9 (diff)
downloadlwn-de9b1dd6e7696f385b12c1a3c862c1c72214bf31.tar.gz
lwn-de9b1dd6e7696f385b12c1a3c862c1c72214bf31.zip
Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
commit dd9ef135e3542ffc621c4eb7f0091870ec7a1504 upstream. Improper arithmetics when calculting the address of the extended ref could lead to an out of bounds memory read and kernel panic. Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com> Reviewed-by: David Sterba <dsterba@suse.cz> Signed-off-by: Chris Mason <clm@fb.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--fs/btrfs/tree-log.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index aeb57b98c53f..a7f32bfdd5e7 100644
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -979,7 +979,7 @@ again:
base = btrfs_item_ptr_offset(leaf, path->slots[0]);
while (cur_offset < item_size) {
- extref = (struct btrfs_inode_extref *)base + cur_offset;
+ extref = (struct btrfs_inode_extref *)(base + cur_offset);
victim_name_len = btrfs_inode_extref_name_len(leaf, extref);