From 4ee86babe09f0682a60b1c56be99819bbe4ba62c Mon Sep 17 00:00:00 2001 From: Hannes Reinecke Date: Tue, 15 Mar 2016 12:03:28 -0700 Subject: [PATCH] blk-mq: add bounds check on tag-to-rq conversion We need to check for a valid index before accessing the array element to avoid accessing invalid memory regions. Reviewed-by: Christoph Hellwig Reviewed-by: Jeff Moyer Modified by Jens to drop the unlikely(), and make the fall through path be having a valid tag. Signed-off-by: Jens Axboe
---
block/blk-mq.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 5667f59c277c..261b6feddae6 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -544,7 +544,10 @@ EXPORT_SYMBOL(blk_mq_abort_requeue_list);
 struct request *blk_mq_tag_to_rq(struct blk_mq_tags *tags, unsigned int tag)
 {
- return tags->rqs[tag];
+ if (tag < tags->nr_tags)
+ return tags->rqs[tag];
+
+ return NULL;
 }
 EXPORT_SYMBOL(blk_mq_tag_to_rq);
-- 2.20.1
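Review bot: blk_mq_tag_to_rq() can now return NULL for an out-of-range tag, but nothing in the hunk documents that new contract. The function is exported, so a driver that passes a tag reported by its device and dereferences the result unchecked would trade the out-of-bounds read for a NULL dereference. I would add a comment above the definition, e.g. `/* Returns NULL if tag >= tags->nr_tags; callers must check the result before dereferencing. */`, and audit the callers, which are outside this hunk and not visible here. The check only establishes that the index lies inside `rqs[]`; whether an in-range slot holds a request that is actually in flight is not shown by these lines, so callers presumably still need their own validation of the returned request.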