The bug is here: bypass_pg(m, pg, bypassed);
The list iterator 'pg' will point to a bogus position containing HEAD if the list is empty or no element is found. This case must be checked before any use of the iterator, otherwise it will lead to an invalid memory access.
To fix this bug, run bypass_pg(m, pg, bypassed); and return 0 when found, otherwise return -EINVAL.
Cc: stable@vger.kernel.org
Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xiaomeng Tong xiam0nd.tong@gmail.com
---
 drivers/md/dm-mpath.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c index f4719b65e5e3..6ba8f1133564 100644 --- a/drivers/md/dm-mpath.c +++ b/drivers/md/dm-mpath.c @@ -1496,12 +1496,13 @@ static int bypass_pg_num(struct multipath *m, const char *pgstr, bool bypassed) }
list_for_each_entry(pg, &m->priority_groups, list) { - if (!--pgnum) - break; + if (!--pgnum) { + bypass_pg(m, pg, bypassed); + return 0; + } }
- bypass_pg(m, pg, bypassed); - return 0; + return -EINVAL; }
/*
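Review bot: The new "return -EINVAL;" after the loop fails silently, and the commit message does not say whether that path can actually be reached. The hunk opens just below the closing brace of an earlier block in bypass_pg_num(); if that block already rejects a pgnum larger than the number of priority groups, the walk always finds its entry and this change is hardening rather than a fix for a reachable invalid access, which matters for a patch sent to stable. Please state in the message which of the two it is, and if the path is reachable, log a warning before returning -EINVAL so the failure is visible to whoever sent the message to the target. Separately, the Fixes: trailer carries a stray '^' before the commit hash and should be written as the bare abbreviated hash.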