From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date: Tue, 3 Mar 2015 15:31:38 +0000 (+0100)
Subject: Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
X-Git-Tag: firefly_0821_release~3679^2~723
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=edf2ec9971b81163e986556d7773e46b372264fd;p=firefly-linux-kernel-4.4.55.git

Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.

commit dd9ef135e3542ffc621c4eb7f0091870ec7a1504 upstream.

Improper arithmetics when calculting the address of the extended ref could
lead to an out of bounds memory read and kernel panic.

Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Chris Mason <clm@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index bca436330681..7d3331cbccba 100644
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -943,7 +943,7 @@ again:
 		base = btrfs_item_ptr_offset(leaf, path->slots[0]);
 
 		while (cur_offset < item_size) {
-			extref = (struct btrfs_inode_extref *)base + cur_offset;
+			extref = (struct btrfs_inode_extref *)(base + cur_offset);
 
 			victim_name_len = btrfs_inode_extref_name_len(leaf, extref);