From: Patrick J. LoPresti on
I discovered this when I accidentally put the following in my
/etc/multipath.conf file:

path_selector least_pending

...instead of this:

path_selector "least_pending 0"

To my surprise, this resulted in a NULL pointer dereference in the
kernel. The bug (and fix) is trivial:

--- linux/drivers/md/dm-mpath.c 2010-05-20 03:06:58.000000000 -0700
+++ linux-patl/drivers/md/dm-mpath.c 2010-06-10 12:22:49.000000000 -0700
@@ -736,12 +736,13 @@
for (i = 0; i < pg->nr_pgpaths; i++) {
struct pgpath *pgpath;
struct arg_set path_args;

if (as->argc < nr_params) {
ti->error = "not enough path parameters";
+ r = -EINVAL;
goto bad;

path_args.argc = nr_params;
path_args.argv = as->argv;
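Review bot: In the "as->argc < nr_params" branch, the added "r = -EINVAL;" covers only this one exit to the bad label. The other "goto bad" exits in parse_priority_group deserve the same check that r holds a negative errno when they are taken, since the description says a 0 return is dereferenced by multipath_ctr(). The posting also carries no Signed-off-by: line, which the patch needs before it can be merged.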

Without this patch, the parse_priority_group function can return 0,
which the caller (multipath_ctr()) immediately dereferences. Bang!

I have confirmed that this bug still exists in and 2.6.35-rc2.

- Pat

P.S. Are the Coverity folks still running the kernel through their
tool? This seems like the sort of thing it would catch.
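
The failure described in the message, as an added user-space example that is not part of the original post or the kernel source. It assumes the parser's error path hands its error code back as an error pointer (the kernel's ERR_PTR/IS_ERR idiom, re-implemented here); parse_group, construct and struct group are hypothetical stand-ins.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_ERRNO 4095

/* Minimal re-implementation of the error-pointer helpers for user space. */
static void *ERR_PTR(long error) { return (void *)error; }
static long PTR_ERR(const void *ptr) { return (long)ptr; }
static int IS_ERR(const void *ptr)
{
	return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

struct group { unsigned nr_paths; };	/* hypothetical stand-in */

/* Hypothetical parser; 'patched' selects the behaviour with the fix. */
static struct group *parse_group(unsigned argc, unsigned nr_params, int patched)
{
	static struct group g = { 1 };
	int r = 0;			/* no error code recorded yet */

	if (argc < nr_params) {
		if (patched)
			r = -EINVAL;	/* the one-line fix */
		goto bad;
	}
	return &g;
bad:
	return ERR_PTR(r);		/* r == 0 encodes as NULL, not an error */
}

/* Returns 0 on success, a negative errno when the input is rejected,
 * and 1 where the caller would have dereferenced NULL. */
static int construct(unsigned argc, unsigned nr_params, int patched)
{
	struct group *pg = parse_group(argc, nr_params, patched);

	if (IS_ERR(pg))
		return (int)PTR_ERR(pg);
	if (pg == NULL)
		return 1;		/* kernel code reads pg->... here */
	return pg->nr_paths ? 0 : -EINVAL;
}

int main(void)
{
	printf("unpatched: %d\n", construct(0, 1, 0));
	printf("patched:   %d\n", construct(0, 1, 1));
	return 0;
}
```

An IS_ERR check alone does not catch the unpatched case, because NULL lies outside the error-pointer range.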
