authorDavid Chinner <dgc@sgi.com>2008-02-05 21:37:40 -0500
committerLachlan McIlroy <lachlan@redback.melbourne.sgi.com>2008-02-07 02:24:13 -0500
commit450790a2c51e6d9d47ed30dbdcf486656b8e186f (patch)
tree4951fb3e7fae21a791fd7c4b161a1d3f0e6dc571
parentcbc89dcfd24fd161f7a8e262266177db160a58fb (diff)
[XFS] Fix oops in xfs_file_readdir()
When xfs_file_readdir() exactly fills a buffer, it can move its index past the end of the buffer and dereference it even though the result of the dereference is never used. On some platforms this causes an oops. SGI-PV: 976923 SGI-Modid: xfs-linux-melb:xfs-kern:30458a Signed-off-by: David Chinner <dgc@sgi.com> Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
-rw-r--r--fs/xfs/linux-2.6/xfs_file.c3
1 files changed, 1 insertions, 2 deletions
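--- a/fs/xfs/linux-2.6/xfs_file.c
+++ b/fs/xfs/linux-2.6/xfs_file.c
@@ -350,8 +350,8 @@ xfs_file_readdir(
 
 size = buf.used;
 de = (struct hack_dirent *)buf.dirent;
-curr_offset = de->offset /* & 0x7fffffff */;
 while (size > 0) {
+curr_offset = de->offset /* & 0x7fffffff */;
 if (filldir(dirent, de->name, de->namlen,
 curr_offset & 0x7fffffff,
 de->ino, de->d_type)) {
@@ -362,7 +362,6 @@ xfs_file_readdir(
 sizeof(u64));
 size -= reclen;
 de = (struct hack_dirent *)((char *)de + reclen);
-curr_offset = de->offset /* & 0x7fffffff */;
 }
 }
 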
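Review bot: The read of `de->offset` at new line 354 is safe only because it now sits behind the `size > 0` test, and nothing in the loop records that invariant, so a later cleanup could hoist it back out and reintroduce the read past the end of the buffer. I would add a comment above it such as `/* de is valid only while size > 0; never read it after the last record */`. The walk also still trusts that every `reclen` fits in the remaining `size`; the declaration of `size` is outside the hunk, but if it is unsigned an oversized record would wrap the counter instead of ending the loop, so a guard like `if (reclen > size) break;` before `size -= reclen;` is worth considering. The body of xfs_file_readdir starts and ends outside the visible hunks.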