* [PATCH 0/4] drbd: A few bug fixes
@ 2026-03-17 23:23 Ethan Tidmore
2026-03-17 23:23 ` [PATCH 1/4] drbd: Fix out-of-bounds access Ethan Tidmore
` (4 more replies)
0 siblings, 5 replies; 7+ messages in thread
From: Ethan Tidmore @ 2026-03-17 23:23 UTC (permalink / raw)
To: Philipp Reisner, Lars Ellenberg, Christoph Böhmwalder,
Jens Axboe
Cc: drbd-dev, linux-block, linux-kernel, Ethan Tidmore
Here are 4 bug fixes found with Smatch.
Ethan Tidmore (4):
drbd: Fix out-of-bounds access
drbd: Fix variable dereference before check
drbd: Add missing error code in drbd_main.c
drbd: Add check for error pointer
drivers/block/drbd/drbd_main.c | 1 +
drivers/block/drbd/drbd_nl.c | 2 +-
drivers/block/drbd/drbd_receiver.c | 2 +-
drivers/block/drbd/drbd_req.c | 4 +++-
4 files changed, 6 insertions(+), 3 deletions(-)
--
2.53.0
* [PATCH 1/4] drbd: Fix out-of-bounds access
2026-03-17 23:23 [PATCH 0/4] drbd: A few bug fixes Ethan Tidmore
@ 2026-03-17 23:23 ` Ethan Tidmore
2026-03-17 23:23 ` [PATCH 2/4] drbd: Fix variable dereference before check Ethan Tidmore
` (3 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Ethan Tidmore @ 2026-03-17 23:23 UTC (permalink / raw)
To: Philipp Reisner, Lars Ellenberg, Christoph Böhmwalder,
Jens Axboe
Cc: drbd-dev, linux-block, linux-kernel, Ethan Tidmore
The array sync_rule_names[] has 22 elements and rule is used to access
this array. The variable rule has the possibility of being index 22
because the condition (rule > ARRAY_SIZE(sync_rule_names)) could
evaluate to 22 > 22 which would be false and then rule would be used to
index sync_rule_names[] which would cause an out-of-bounds bug.
Change condition from (rule > ARRAY_SIZE(sync_rule_names)) to
(rule >= ARRAY_SIZE(sync_rule_names)).
Detected by Smatch:
drivers/block/drbd/drbd_receiver.c:280 drbd_sync_rule_str() error:
buffer overflow 'sync_rule_names' 22 <= 22
Fixes: 851f106c134a3 ("drbd: rework receiver for DRBD 9 transport and protocol")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
---
drivers/block/drbd/drbd_receiver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 06d83b5ffafb..280be2ee7d7e 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -273,7 +273,7 @@ static void drbd_cancel_conflicting_resync_requests(struct drbd_peer_device *pee
static const char *drbd_sync_rule_str(enum sync_rule rule)
{
- if (rule < 0 || rule > ARRAY_SIZE(sync_rule_names)) {
+ if (rule < 0 || rule >= ARRAY_SIZE(sync_rule_names)) {
WARN_ON(true);
return "?";
}
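Review bot: In the condition on the changed line, `rule < 0` is redundant next to the new `>=` test. ARRAY_SIZE() yields a size_t, so a negative `rule` is converted to a large unsigned value and is already rejected by `rule >= ARRAY_SIZE(sync_rule_names)`, and if the enum is unsigned the test is always false. Either drop it or keep it knowingly for readability. Separately, `WARN_ON(true)` in the rejected branch prints a backtrace on every out-of-range call; `WARN_ON_ONCE()` would bound the log noise if an invalid value can recur.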
--
2.53.0
* [PATCH 2/4] drbd: Fix variable dereference before check
2026-03-17 23:23 [PATCH 0/4] drbd: A few bug fixes Ethan Tidmore
2026-03-17 23:23 ` [PATCH 1/4] drbd: Fix out-of-bounds access Ethan Tidmore
@ 2026-03-17 23:23 ` Ethan Tidmore
2026-03-17 23:23 ` [PATCH 3/4] drbd: Add missing error code in drbd_main.c Ethan Tidmore
` (2 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Ethan Tidmore @ 2026-03-17 23:23 UTC (permalink / raw)
To: Philipp Reisner, Lars Ellenberg, Christoph Böhmwalder,
Jens Axboe
Cc: drbd-dev, linux-block, linux-kernel, Ethan Tidmore
The struct 'req' is checked for NULL after resource was assigned from
a member from it.
Check 'req' for NULL before assigning resource.
Detected by Smatch:
drivers/block/drbd/drbd_req.c:1996 drbd_unplug() warn:
variable dereferenced before check 'req' (see line 1993)
Fixes: 71d075200b462 ("drbd: rework request processing for DRBD 9 multi-peer IO")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
---
drivers/block/drbd/drbd_req.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/block/drbd/drbd_req.c b/drivers/block/drbd/drbd_req.c
index e88b5da15c1e..4cbd9ec15157 100644
--- a/drivers/block/drbd/drbd_req.c
+++ b/drivers/block/drbd/drbd_req.c
@@ -1990,12 +1990,14 @@ static void drbd_unplug(struct blk_plug_cb *cb, bool from_schedule)
{
struct drbd_plug_cb *plug = container_of(cb, struct drbd_plug_cb, cb);
struct drbd_request *req = plug->most_recent_req;
- struct drbd_resource *resource = req->device->resource;
+ struct drbd_resource *resource;
kfree(cb);
if (!req)
return;
+ resource = req->device->resource;
+
read_lock_irq(&resource->state_rwlock);
/* In case the sender did not process it yet, raise the flag to
* have it followed with P_UNPLUG_REMOTE just after. */
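Review bot: The new assignment sits directly under the early return (`if (!req)` / `return;` / `resource = req->device->resource;`), with the added blank line placed after it rather than before it. Moving the blank line up so it follows `return;` keeps the guard visually separate from the code that depends on it. The ordering itself is right: `plug->most_recent_req` is read before `kfree(cb)`, and `req` is not dereferenced until after the NULL check.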
--
2.53.0
* [PATCH 3/4] drbd: Add missing error code in drbd_main.c
2026-03-17 23:23 [PATCH 0/4] drbd: A few bug fixes Ethan Tidmore
2026-03-17 23:23 ` [PATCH 1/4] drbd: Fix out-of-bounds access Ethan Tidmore
2026-03-17 23:23 ` [PATCH 2/4] drbd: Fix variable dereference before check Ethan Tidmore
@ 2026-03-17 23:23 ` Ethan Tidmore
2026-03-17 23:23 ` [PATCH 4/4] drbd: Add check for error pointer Ethan Tidmore
2026-03-26 14:25 ` [PATCH 0/4] drbd: A few bug fixes Christoph Böhmwalder
4 siblings, 0 replies; 7+ messages in thread
From: Ethan Tidmore @ 2026-03-17 23:23 UTC (permalink / raw)
To: Philipp Reisner, Lars Ellenberg, Christoph Böhmwalder,
Jens Axboe
Cc: drbd-dev, linux-block, linux-kernel, Ethan Tidmore
No error code is assigned in alloc_workqueue() error path.
Assign error code -ENOMEM.
Detected by Smatch:
drivers/block/drbd/drbd_main.c:4575 drbd_init() warn:
missing error code 'err'
Fixes: b2e550c8d1f54 ("drbd: rework module core for DRBD 9 transport and multi-peer")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
---
drivers/block/drbd/drbd_main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
index e2c3530cfa13..689b7cac5ec2 100644
--- a/drivers/block/drbd/drbd_main.c
+++ b/drivers/block/drbd/drbd_main.c
@@ -4569,6 +4569,7 @@ static int __init drbd_init(void)
goto fail;
}
+ err = -ENOMEM;
ping_ack_sender = alloc_workqueue("drbd_pas",
WQ_UNBOUND | WQ_MEM_RECLAIM | WQ_HIGHPRI, 0);
if (!ping_ack_sender)
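Review bot: `err = -ENOMEM;` is assigned before the `alloc_workqueue()` call rather than inside the `if (!ping_ack_sender)` branch, so the error code is detached from the failure it reports and can be silently overwritten if a statement that sets `err` is later inserted between the two. Setting it in the failure branch itself, next to the exit taken there, would make the error path self-contained.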
--
2.53.0
* [PATCH 4/4] drbd: Add check for error pointer
2026-03-17 23:23 [PATCH 0/4] drbd: A few bug fixes Ethan Tidmore
` (2 preceding siblings ...)
2026-03-17 23:23 ` [PATCH 3/4] drbd: Add missing error code in drbd_main.c Ethan Tidmore
@ 2026-03-17 23:23 ` Ethan Tidmore
2026-03-26 14:26 ` Christoph Böhmwalder
2026-03-26 14:25 ` [PATCH 0/4] drbd: A few bug fixes Christoph Böhmwalder
4 siblings, 1 reply; 7+ messages in thread
From: Ethan Tidmore @ 2026-03-17 23:23 UTC (permalink / raw)
To: Philipp Reisner, Lars Ellenberg, Christoph Böhmwalder,
Jens Axboe
Cc: drbd-dev, linux-block, linux-kernel, Ethan Tidmore
The function find_cfg_context_attr() can return an error pointer or NULL
in its error path.
Change NULL check to IS_ERR_OR_NULL().
Detected by Smatch:
drivers/block/drbd/drbd_nl.c:6571 drbd_adm_dump_paths() error:
'resource_filter' dereferencing possible ERR_PTR()
Fixes: 626c95b0e2a23 ("drbd: rework netlink interface for DRBD 9 multi-peer config")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
---
drivers/block/drbd/drbd_nl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
index c5e253820ccf..1f458eb972e9 100644
--- a/drivers/block/drbd/drbd_nl.c
+++ b/drivers/block/drbd/drbd_nl.c
@@ -6566,7 +6566,7 @@ static int drbd_adm_dump_paths(struct sk_buff *skb, struct netlink_callback *cb)
resource = (struct drbd_resource *)cb->args[0];
if (!cb->args[0]) {
resource_filter = find_cfg_context_attr(cb->nlh, T_ctx_resource_name);
- if (resource_filter) {
+ if (!IS_ERR_OR_NULL(resource_filter)) {
retcode = ERR_RES_NOT_KNOWN;
resource = drbd_find_resource(nla_data(resource_filter));
if (!resource)
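Review bot: With `if (!IS_ERR_OR_NULL(resource_filter))`, an ERR_PTR() result from find_cfg_context_attr() skips the block exactly as NULL does, so a lookup error is treated like an absent attribute and is not reported from this branch. If the two cases should differ, test `IS_ERR(resource_filter)` first and return `PTR_ERR(resource_filter)`, leaving the plain NULL check for the absent case.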
--
2.53.0
* Re: [PATCH 0/4] drbd: A few bug fixes
2026-03-17 23:23 [PATCH 0/4] drbd: A few bug fixes Ethan Tidmore
` (3 preceding siblings ...)
2026-03-17 23:23 ` [PATCH 4/4] drbd: Add check for error pointer Ethan Tidmore
@ 2026-03-26 14:25 ` Christoph Böhmwalder
4 siblings, 0 replies; 7+ messages in thread
From: Christoph Böhmwalder @ 2026-03-26 14:25 UTC (permalink / raw)
To: Ethan Tidmore, Philipp Reisner, Lars Ellenberg, Jens Axboe
Cc: drbd-dev, linux-block, linux-kernel
On 3/18/26 00:23, Ethan Tidmore wrote:
> Here are 4 bug fixes found with Smatch.
>
> Ethan Tidmore (4):
> drbd: Fix out-of-bounds access
> drbd: Fix variable dereference before check
> drbd: Add missing error code in drbd_main.c
> drbd: Add check for error pointer
>
> drivers/block/drbd/drbd_main.c | 1 +
> drivers/block/drbd/drbd_nl.c | 2 +-
> drivers/block/drbd/drbd_receiver.c | 2 +-
> drivers/block/drbd/drbd_req.c | 4 +++-
> 4 files changed, 6 insertions(+), 3 deletions(-)
>
Thanks, these all look good.
I'll squash them into the DRBD9 series to keep the history clean.
Regards,
Christoph
* Re: [PATCH 4/4] drbd: Add check for error pointer
2026-03-17 23:23 ` [PATCH 4/4] drbd: Add check for error pointer Ethan Tidmore
@ 2026-03-26 14:26 ` Christoph Böhmwalder
0 siblings, 0 replies; 7+ messages in thread
From: Christoph Böhmwalder @ 2026-03-26 14:26 UTC (permalink / raw)
To: Ethan Tidmore, Philipp Reisner, Lars Ellenberg, Jens Axboe
Cc: drbd-dev, linux-block, linux-kernel
On 3/18/26 00:23, Ethan Tidmore wrote:
> The function find_cfg_context_attr() can return an error pointer or NULL
> in its error path.
>
> Change NULL check to IS_ERR_OR_NULL().
>
> Detected by Smatch:
> drivers/block/drbd/drbd_nl.c:6571 drbd_adm_dump_paths() error:
> 'resource_filter' dereferencing possible ERR_PTR()
>
> Fixes: 626c95b0e2a23 ("drbd: rework netlink interface for DRBD 9 multi-peer config")
> Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
> ---
> drivers/block/drbd/drbd_nl.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
> index c5e253820ccf..1f458eb972e9 100644
> --- a/drivers/block/drbd/drbd_nl.c
> +++ b/drivers/block/drbd/drbd_nl.c
> @@ -6566,7 +6566,7 @@ static int drbd_adm_dump_paths(struct sk_buff *skb, struct netlink_callback *cb)
> resource = (struct drbd_resource *)cb->args[0];
> if (!cb->args[0]) {
> resource_filter = find_cfg_context_attr(cb->nlh, T_ctx_resource_name);
> - if (resource_filter) {
> + if (!IS_ERR_OR_NULL(resource_filter)) {
> retcode = ERR_RES_NOT_KNOWN;
> resource = drbd_find_resource(nla_data(resource_filter));
> if (!resource)
find_cfg_context_attr is also called identically in 3 other cases, so
these have the same issue.
I've also fixed these 3 cases in my squash.
Regards,
Christoph
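As an added illustration (not code from the patch or from DRBD): a user-space model of the kernel's ERR_PTR encoding, showing why a plain truth test lets an error pointer reach the dereference in the pattern discussed in patch 4/4. `find_attr()`, `struct attr` and its outcome codes are hypothetical stand-ins, and the helpers are reimplemented here rather than taken from the kernel headers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the kernel convention: the top MAX_ERRNO addresses are
 * reserved to carry a negative errno value inside a pointer. */
#define MAX_ERRNO 4095UL
static void *err_ptr(long err) { return (void *)(intptr_t)err; }
static long ptr_err(const void *p) { return (long)(intptr_t)p; }
static int is_err(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static int is_err_or_null(const void *p) { return !p || is_err(p); }

struct attr { const char *data; };	/* hypothetical stand-in for struct nlattr */

/* Hypothetical lookup: 0 = attribute found, 1 = absent (NULL), 2 = encoded error. */
static struct attr *find_attr(int outcome)
{
	static struct attr found = { "r0" };	/* constructed sample value */

	if (outcome == 0)
		return &found;
	return outcome == 1 ? NULL : err_ptr(-EINVAL);
}

/* Pre-patch shape: an encoded error is non-NULL, so it passes the test. */
static int old_check_would_deref(const struct attr *a) { return a != NULL; }

/* Post-patch shape: only a real attribute is dereferenced. */
static int new_check_would_deref(const struct attr *a) { return !is_err_or_null(a); }

/* Stricter variant: absent is not an error, an encoded error is returned. */
static long classify(const struct attr *a, const char **name)
{
	*name = NULL;
	if (is_err(a))
		return ptr_err(a);
	if (a)
		*name = a->data;
	return 0;
}

int main(void)
{
	const char *name;

	for (int i = 0; i < 3; i++)
		printf("outcome %d: old=%d new=%d rc=%ld\n", i,
		       old_check_would_deref(find_attr(i)),
		       new_check_would_deref(find_attr(i)),
		       classify(find_attr(i), &name));
	return 0;
}
```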