From: Mikulas Patocka <mpatocka@redhat.com>

The parser reads the argument count as a number but doesn't check that
sufficient arguments are supplied. This command triggers the bug:

dmsetup create mpath --table "0 `blockdev --getsize /dev/mapper/cr0`
    multipath 0 0 2 1 round-robin 1000 0 1 1 /dev/mapper/cr0
    round-robin 0 1 1 /dev/mapper/cr1 1000"
kernel BUG at drivers/md/dm-mpath.c:530!

Cc: stable@kernel.org
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>

---
 drivers/md/dm-mpath.c |    6 ++++++
 1 file changed, 6 insertions(+)

Index: linux-2.6.30/drivers/md/dm-mpath.c
===================================================================
--- linux-2.6.30.orig/drivers/md/dm-mpath.c
+++ linux-2.6.30/drivers/md/dm-mpath.c
@@ -553,6 +553,12 @@ static int parse_path_selector(struct ar
 		return -EINVAL;
 	}
 
+	if (ps_argc > as->argc) {
+		dm_put_path_selector(pst);
+		ti->error = "not enough arguments for path selector";
+		return -EINVAL;
+	}
+
 	r = pst->create(&pg->ps, ps_argc, as->argv);
 	if (r) {
 		dm_put_path_selector(pst);