summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorQuentin Casasnovas <quentin.casasnovas@oracle.com>2015-03-03 16:31:38 +0100
committerChris Mason <clm@fb.com>2015-03-05 17:28:33 -0800
commitdd9ef135e3542ffc621c4eb7f0091870ec7a1504 (patch)
tree0ea14d6f3c7d20e5faa3845f54e1ffc28bc7a9c4
parent3a8b36f378060d20062a0918e99fae39ff077bf0 (diff)
downloadlwn-dd9ef135e3542ffc621c4eb7f0091870ec7a1504.tar.gz
lwn-dd9ef135e3542ffc621c4eb7f0091870ec7a1504.zip
Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
Improper arithmetics when calculting the address of the extended ref could lead to an out of bounds memory read and kernel panic. Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com> Reviewed-by: David Sterba <dsterba@suse.cz> cc: stable@vger.kernel.org # v3.7+ Signed-off-by: Chris Mason <clm@fb.com>
-rw-r--r--fs/btrfs/tree-log.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index f96996a1b70c..9a1c1711f360 100644
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -1012,7 +1012,7 @@ again:
base = btrfs_item_ptr_offset(leaf, path->slots[0]);
while (cur_offset < item_size) {
- extref = (struct btrfs_inode_extref *)base + cur_offset;
+ extref = (struct btrfs_inode_extref *)(base + cur_offset);
victim_name_len = btrfs_inode_extref_name_len(leaf, extref);