From: Patrick J. LoPresti on 10 Jun 2010 15:50

I discovered this when I accidentally put the following in my /etc/multipath.conf file:

    path_selector least_pending

...instead of this:

    path_selector "least_pending 0"

To my surprise, this resulted in a NULL pointer dereference in the kernel.

The bug (and fix) is trivial:

--- linux/drivers/md/dm-mpath.c 2010-05-20 03:06:58.000000000 -0700 +++ linux-patl/drivers/md/dm-mpath.c 2010-06-10 12:22:49.000000000 -0700 @@ -736,12 +736,13 @@ for (i = 0; i < pg->nr_pgpaths; i++) { struct pgpath *pgpath; struct arg_set path_args; if (as->argc < nr_params) { ti->error = "not enough path parameters"; + r = -EINVAL; goto bad; } path_args.argc = nr_params; path_args.argv = as->argv;

Without this patch, the parse_priority_group function can return 0, which the caller (multipath_ctr()) immediately dereferences. Bang!

I have confirmed that this bug still exists in 2.6.32.9 and 2.6.35-rc2.

- Pat

P.S. Are the Coverity folks still running the kernel through their tool? This seems like the sort of thing it would catch.
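
Review bot: In the `as->argc < nr_params` branch, `r = -EINVAL;` repairs this one exit, but the hunk shows neither how `r` is initialised nor whether the other `goto bad` exits of parse_priority_group set it, so each of them should be checked for the same zero return the message describes. Since the message says multipath_ctr() dereferences the result immediately, a NULL check in the caller would turn any remaining case into a clean error instead of an oops. The submission also carries no Signed-off-by line.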
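
The failure mode described in the message, modelled in userland C as an added example (not code from the post or from the kernel). It assumes errors are reported through the kernel's ERR_PTR()/IS_ERR() convention, which the message does not spell out; `parse_group`, `ctr`, `struct group` and `WOULD_OOPS` are hypothetical names.

```c
/* Userland model (constructed): why "return 0" on an error path becomes NULL. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095
#define WOULD_OOPS 1000L   /* hypothetical marker: caller would dereference NULL */

/* Minimal re-creations of the kernel's ERR_PTR helpers for userland. */
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct group { unsigned nr_paths; };          /* stand-in for a priority group */
static struct group the_group = { 2 };

/* Hypothetical parser; patched=0 models the code before the fix, 1 after. */
static struct group *parse_group(unsigned argc, unsigned nr_params, int patched)
{
    int r = 0;                 /* assumed: still 0 from earlier successful steps */

    if (argc < nr_params) {
        if (patched)
            r = -EINVAL;       /* the one-line fix from the patch */
        goto bad;
    }
    return &the_group;
bad:
    return ERR_PTR(r);         /* ERR_PTR(0) == NULL, which IS_ERR() does not flag */
}

/* Caller that checks IS_ERR() only (assumed) and then uses the pointer. */
static long ctr(unsigned argc, unsigned nr_params, int patched)
{
    struct group *pg = parse_group(argc, nr_params, patched);

    if (IS_ERR(pg))
        return PTR_ERR(pg);    /* clean failure */
    if (!pg)
        return WOULD_OOPS;     /* model only: here the pointer would be dereferenced */
    return (long)pg->nr_paths;
}

int main(void)
{
    printf("unpatched: %ld, patched: %ld, valid: %ld\n",
           ctr(1, 2, 0), ctr(1, 2, 1), ctr(2, 2, 0));
    return 0;
}
```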