On Wed, Mar 18, 2020 at 12:17 AM Rayagonda Kokatanur <rayagonda.kokatanur@xxxxxxxxxxxx> wrote: > > On Tue, Mar 17, 2020 at 11:06 PM Dan Williams <dan.j.williams@xxxxxxxxx> wrote: > > > > On Mon, Mar 16, 2020 at 11:16 PM Rayagonda Kokatanur > > <rayagonda.kokatanur@xxxxxxxxxxxx> wrote: > > > > > > Fix possible negative array index read in __2data_recov_5() function. > > > > > > Signed-off-by: Rayagonda Kokatanur <rayagonda.kokatanur@xxxxxxxxxxxx> > > > --- > > > crypto/async_tx/async_raid6_recov.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/crypto/async_tx/async_raid6_recov.c b/crypto/async_tx/async_raid6_recov.c > > > index 33f2a8f8c9f4..9cd016cb2d09 100644 > > > --- a/crypto/async_tx/async_raid6_recov.c > > > +++ b/crypto/async_tx/async_raid6_recov.c > > > @@ -206,7 +206,7 @@ __2data_recov_5(int disks, size_t bytes, int faila, int failb, > > > good_srcs++; > > > } > > > > > > - if (good_srcs > 1) > > > + if ((good_srcs > 1) || (good < 0)) > > > return NULL; > > > > Read the code again, I don't see how this can happen. > > This case can happen and it is reported by coverity tool. > In the for loop , the condition "if (blocks[i] == NULL)" true all the > time then variable 'good' will be -1. Just because coverity reports it does not make it true. Please go read the full call path that gets us to this call and identify how all entries in blocks[] could be NULL. Hint, the answer is in how async_raid6_2data_recov() calls __2data_recov_5().