On Wed, 2018-06-20 at 13:45 +0300, Dan Carpenter wrote:
> If rq_state == ARRAY_SIZE() then we read one element beyond the end of
> the blk_mq_rq_state_name_array[] array.
>
> Fixes: ec6dcf63c55c ("blk-mq-debugfs: Show more request state information")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
>
> diff --git a/block/blk-mq-debugfs.c b/block/blk-mq-debugfs.c
> index ffa622366922..1c4532e92938 100644
> --- a/block/blk-mq-debugfs.c
> +++ b/block/blk-mq-debugfs.c
> @@ -356,7 +356,7 @@ static const char *const blk_mq_rq_state_name_array[] = {
>
> static const char *blk_mq_rq_state_name(enum mq_rq_state rq_state)
> {
> - if (WARN_ON_ONCE((unsigned int)rq_state >
> + if (WARN_ON_ONCE((unsigned int)rq_state >=
> ARRAY_SIZE(blk_mq_rq_state_name_array)))
> return "(?)";
> return blk_mq_rq_state_name_array[rq_state];
Reviewed-by: Bart Van Assche <bart.vanassche@xxxxxxx>
