[PATCH] drbd: Fix potential NULL pointer dereference in _drbd_set_state()

From: Ваторопин Андрей

Date: Thu Jun 25 2026 - 01:18:51 EST


From: Andrey Vatoropin <a.vatoropin@xxxxxxx>

The connection pointer receives a value in the _drbd_set_state()
function, including through a call to the first_peer_device() function.
This function returns a pointer to a list element. If the list is empty, it
returns a NULL pointer, which is later assigned to the connection
pointer. Subsequently, this pointer will be dereferenced.

Add a NULL check for the connection pointer to avoid dereferencing an
invalid pointer.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: a6b32bc3cebd ("drbd: Introduce "peer_device" object between "device" and "connection"")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Andrey Vatoropin <a.vatoropin@xxxxxxx>
---
drivers/block/drbd/drbd_state.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/block/drbd/drbd_state.c b/drivers/block/drbd/drbd_state.c
index adcba7f1d8ea..ea982d48017e 100644
--- a/drivers/block/drbd/drbd_state.c
+++ b/drivers/block/drbd/drbd_state.c
@@ -1281,6 +1281,11 @@ _drbd_set_state(struct drbd_device *device, union drbd_state ns,
if (rv < SS_SUCCESS)
return rv;

+ if (!connection) {
+ drbd_err(device, "No connection to peer, aborting!\n");
+ return SS_ALREADY_STANDALONE;
+ }
+
if (!(flags & CS_HARD)) {
/* pre-state-change checks ; only look at ns */
/* See drbd_state_sw_errors in drbd_strings.c */
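Review bot: The new `if (!connection)` check is placed above `if (!(flags & CS_HARD))`, so it also aborts hard state changes, which the following block exempts from the pre-state-change checks. If a device with an empty peer list must still be able to go through a CS_HARD transition, this early return changes behaviour beyond the NULL fix. Please say in the commit message whether that is intended, or move the guard to the places where `connection` is actually dereferenced. The hunk also does not show the assignment to `connection`. If the pointer is read through the result of first_peer_device(), the dereference would happen at the assignment, before this check runs, so it is worth stating which dereference this guards. Lastly, `SS_ALREADY_STANDALONE` reads as "the requested state is already in effect" rather than "no peer object exists". A short justification for that return code would help callers and stable reviewers, as would a note on whether `drbd_err()` on every call can flood the log.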
--
2.43.0