deh is defined as an array of type __u16[], and the issue is triggered when it tries to access an element at index 1, which is out of bounds because the array has only one element, at index 0. Reported-by: syzbot+e5bb9eb00a5a5ed2a9a2@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://syzkaller.appspot.com/bug?extid=e5bb9eb00a5a5ed2a9a2 Signed-off-by: Bragatheswaran Manickavel <bragathemanick0908@xxxxxxxxx> --- fs/reiserfs/item_ops.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/reiserfs/item_ops.c b/fs/reiserfs/item_ops.c index 3a5a752d96c7..ccf547c5e8e1 100644 --- a/fs/reiserfs/item_ops.c +++ b/fs/reiserfs/item_ops.c @@ -484,7 +484,7 @@ static int direntry_create_vi(struct virtual_node *vn, vn->vn_mode); dir_u->entry_sizes[i] = (j ? deh_location(&deh[j - 1]) : ih_item_len(vi->vi_ih)) - - deh_location(&deh[j]) + DEH_SIZE; + deh_location(&deh[j - 1]) + DEH_SIZE; } size += (dir_u->entry_count * sizeof(short)); -- 2.34.1
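Review bot: The one-line change in this hunk breaks the size computation rather than fixing the bounds problem. After the change, for every j > 0 the expression becomes `deh_location(&deh[j - 1]) - deh_location(&deh[j - 1]) + DEH_SIZE`, i.e. entry_sizes[i] is always DEH_SIZE and the entry's name length is no longer counted; for j == 0 the subtrahend reads `deh[-1]`, which is an out-of-bounds access in the other direction. The original subtraction of `deh_location(&deh[j])` is the intended formula (previous entry's location, or the item length for the first entry, minus this entry's location). The out-of-bounds index that syzbot hit comes from j exceeding the number of directory entry heads actually present in the item, so the fix belongs in validation: check that j stays below the item's entry count (and, more generally, that the directory item from the on-disk image is self-consistent) and fail the operation for a corrupted item, instead of altering which element is subtracted. The commit message should also describe deh as the array of directory entry heads whose count is taken from the item, not as a one-element __u16 array, so that the root cause is recorded accurately.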