On Fri, Nov 19, 2021 at 04:17:58PM +0800, zhangyue wrote:
> In function 'xfs_btree_delrec()', if all data in array
> 'cur->bc_ptrs[level]' is 0, the 'level' may be greater than
> or equal to 'XFS_BTREE_MAXLEVELS'.
>
> At this time, the array may be out of bound.
>
> Signed-off-by: zhangyue <zhangyue1@xxxxxxxxxx>

I /think/ this is no longer necessary since XFS_BTREE_MAXLEVELS went
away in 5.16, but if you disagree, please resend.

--D

> ---
> fs/xfs/libxfs/xfs_btree.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/xfs/libxfs/xfs_btree.c b/fs/xfs/libxfs/xfs_btree.c
> index bbdae2b4559f..fe66d1adc169 100644
> --- a/fs/xfs/libxfs/xfs_btree.c
> +++ b/fs/xfs/libxfs/xfs_btree.c
> @@ -3694,6 +3694,9 @@ xfs_btree_delrec(
> tcur = NULL;
>
> /* Get the index of the entry being deleted, check for nothing there. */
> + if (level >= XFS_BTREE_MAXLEVELS)
> + return -EFSCORRUPTED;
> +
> ptr = cur->bc_ptrs[level];
> if (ptr == 0) {
> *stat = 0;
> --
> 2.30.0
>
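
Review bot: the new 'if (level >= XFS_BTREE_MAXLEVELS)' check is inserted between the comment "Get the index of the entry being deleted, check for nothing there." and the 'ptr = cur->bc_ptrs[level];' load that the comment describes, so the comment now appears to document the bounds check instead. Move the check above the comment and give it its own one-line comment naming the situation in which 'level' can be out of range, since the commit message states that it can happen but not which call path gets there. The early 'return -EFSCORRUPTED;' also leaves '*stat' unwritten, unlike the 'ptr == 0' path just below, which sets '*stat = 0'; confirm that no caller reads '*stat' after an error return. As the reply points out, XFS_BTREE_MAXLEVELS went away in 5.16, so a resend would have to be written against whatever bound replaces it in the current tree.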