From: Damien Le Moal <dlemoal@kernel.org> mainline inclusion from mainline-v7.0-rc1 commit 6158e34e594dd150f3f2df81a1b0fe636e156757 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15109 CVE: CVE-2026-45855 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Make sure to check that the tag of a queued command is valid when ata_qc_issue() is called, and fail the QC if the tag is not valid, or if there is an on-going non-NCQ command already on the link. Signed-off-by: Damien Le Moal <dlemoal@kernel.org> Reviewed-by: Hannes Reinecke <hare@suse.de> Signed-off-by: Long Li <leo.lilong@huawei.com> --- drivers/ata/libata-core.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c index a7d7a3b43154..a59b30362506 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -5022,8 +5022,13 @@ void ata_qc_issue(struct ata_queued_cmd *qc) struct ata_link *link = qc->dev->link; u8 prot = qc->tf.protocol; - /* Make sure only one non-NCQ command is outstanding. */ - WARN_ON_ONCE(ata_tag_valid(link->active_tag)); + /* + * Make sure we have a valid tag and that only one non-NCQ command is + * outstanding. + */ + if (WARN_ON_ONCE(!ata_tag_valid(qc->tag)) || + WARN_ON_ONCE(ata_tag_valid(link->active_tag))) + goto sys_err; if (ata_is_ncq(prot)) { WARN_ON_ONCE(link->sactive & (1 << qc->hw_tag)); -- 2.52.0