From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
There's an off by one error in the bag_remove code such that we end up
copying memory from beyond the end of the array into the array. Not a
serious problem since we have counters to prevent us from reading that
garbage, but AddressSanitizer complained so let's fix it.
Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
---
repair/slab.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/repair/slab.c b/repair/slab.c
index 8609270..d47448a 100644
--- a/repair/slab.c
+++ b/repair/slab.c
@@ -469,7 +469,7 @@ bag_remove(
{
ASSERT(nr < bag->bg_inuse);
memmove(&bag->bg_ptrs[nr], &bag->bg_ptrs[nr + 1],
- (bag->bg_inuse - nr) * sizeof(void *));
+ (bag->bg_inuse - nr - 1) * sizeof(void *));
bag->bg_inuse--;
return 0;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
