[dm-devel] [PATCH] md: fix missing check on list iterator

Sun Mar 27 05:37:42 UTC 2022

The bug is here:
    bypass_pg(m, pg, bypassed);

The list iterator 'pg' will point to a bogus position containing
HEAD if the list is empty or no element is found. This case must
be checked before any use of the iterator, otherwise it will lead
to a invalid memory access.

To fix this bug, run bypass_pg(m, pg, bypassed); and return 0
when found, otherwise return -EINVAL.

Cc: stable at vger.kernel.org
Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong at gmail.com>
---
 drivers/md/dm-mpath.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
index f4719b65e5e3..6ba8f1133564 100644
--- a/drivers/md/dm-mpath.c
+++ b/drivers/md/dm-mpath.c
@@ -1496,12 +1496,13 @@ static int bypass_pg_num(struct multipath *m, const char *pgstr, bool bypassed)
 	}
 
 	list_for_each_entry(pg, &m->priority_groups, list) {
-		if (!--pgnum)
-			break;
+		if (!--pgnum) {
+			bypass_pg(m, pg, bypassed);
+			return 0;
+		}
 	}
 
-	bypass_pg(m, pg, bypassed);
-	return 0;
+	return -EINVAL;
 }
 
 /*
-- 
2.17.1

