diff options
author | Quentin Casasnovas <quentin.casasnovas@oracle.com> | 2015-03-03 16:31:38 +0100 |
---|---|---|
committer | Chris Mason <clm@fb.com> | 2015-03-05 17:28:33 -0800 |
commit | dd9ef135e3542ffc621c4eb7f0091870ec7a1504 (patch) | |
tree | 0ea14d6f3c7d20e5faa3845f54e1ffc28bc7a9c4 /fs | |
parent | 3a8b36f378060d20062a0918e99fae39ff077bf0 (diff) | |
download | op-kernel-dev-dd9ef135e3542ffc621c4eb7f0091870ec7a1504.zip op-kernel-dev-dd9ef135e3542ffc621c4eb7f0091870ec7a1504.tar.gz |
Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
Improper arithmetics when calculting the address of the extended ref could
lead to an out of bounds memory read and kernel panic.
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.cz>
cc: stable@vger.kernel.org # v3.7+
Signed-off-by: Chris Mason <clm@fb.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/btrfs/tree-log.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index f96996a..9a1c171 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -1012,7 +1012,7 @@ again: base = btrfs_item_ptr_offset(leaf, path->slots[0]); while (cur_offset < item_size) { - extref = (struct btrfs_inode_extref *)base + cur_offset; + extref = (struct btrfs_inode_extref *)(base + cur_offset); victim_name_len = btrfs_inode_extref_name_len(leaf, extref); |