[Drbd-dev] [PATCH] drbd: avoid use-after-free in drbd_request_endio
Lars Ellenberg
lars.ellenberg at linbit.com
Thu May 3 16:33:21 CEST 2018

On Sun, Apr 29, 2018 at 06:19:18PM -0700, Sarah Newman wrote:
> It appears that bio_put(req->private_bio) may put the bio being
> passed in, after which point accessing bio will no longer be
> valid. Make a local copy of bio->bi_error before then.
>
> Without this patch, with CONFIG_DEBUG_PAGEALLOC the debug message
>
> "role( Secondary -> Primary )"
>
> is followed by
>
> "BUG: unable to handle kernel paging request"
>
> This applies to versions before 4e4cbee93d561, first released
> in v4.13. v4.13+ appears to have a similar bug.
>
> Signed-off-by: Sarah Newman <srn at prgmr.com>

Acked-by: Lars Ellenberg <lars.ellenberg at linbit.com>

The original (out-of-tree) code
is just like the result of your patch,
though obfuscated by compatibility macros.

This was apparently an "upstreaming mishap"
when removing that obfuscation :-(

I think the minimal in-tree change would have been:

	req->private_bio = ERR_PTR(bio->bi_error);
	bio_put(bio);

--
: Lars Ellenberg
: LINBIT | Keeping the Digital World Running
: DRBD -- Heartbeat -- Corosync -- Pacemaker
: R&D, Integration, Ops, Consulting, Support
DRBD® and LINBIT® are registered trademarks of LINBIT
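
The ordering issue discussed in this thread, as an added user-space example (not code from the patch, from DRBD or from the kernel): a toy refcounted bio whose last put poisons the object, so the put-then-read order records garbage while the read-then-put order records the real error. The toy_* helpers, err_ptr/ptr_err, the endio_* functions, the static slab and the poison byte are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Toy model, constructed for illustration; not kernel or DRBD code. */
struct bio { int refcnt; int bi_error; };
struct request { struct bio *private_bio; };
#define POISON 0x6b          /* byte written over a released object */
static struct bio slab[1];   /* static storage, so a read after release is defined here */

static struct bio *toy_bio_alloc(int err) {
    slab[0].refcnt = 1;
    slab[0].bi_error = err;
    return &slab[0];
}

/* Drop a reference; the last put poisons the object, standing in for the free. */
static void toy_bio_put(struct bio *b) {
    if (--b->refcnt == 0)
        memset(b, POISON, sizeof(*b));
}

/* Stand-ins for the kernel's ERR_PTR()/PTR_ERR(). */
static struct bio *err_ptr(int e) { return (struct bio *)(intptr_t)e; }
static int ptr_err(const struct bio *p) { return (int)(intptr_t)p; }

/* Order described in the quoted report: put first, then read bio->bi_error. */
static int endio_put_first(struct request *req, struct bio *bio) {
    toy_bio_put(req->private_bio);
    req->private_bio = err_ptr(bio->bi_error);   /* reads the released object */
    return ptr_err(req->private_bio);
}

/* Order from the reply: record the error, then put. */
static int endio_read_first(struct request *req, struct bio *bio) {
    req->private_bio = err_ptr(bio->bi_error);
    toy_bio_put(bio);
    return ptr_err(req->private_bio);
}

/* Complete one request whose bio carries `err`; return the error recorded in req. */
static int run(int read_first, int err) {
    struct request req;
    struct bio *bio = toy_bio_alloc(err);
    req.private_bio = bio;   /* the completing bio is the request's private bio */
    return read_first ? endio_read_first(&req, bio) : endio_put_first(&req, bio);
}

int main(void) { printf("put first: %d  read first: %d\n", run(0, -5), run(1, -5)); return 0; }
```

In the kernel the released memory is not merely poisoned: with CONFIG_DEBUG_PAGEALLOC the stale read faults, which is the paging-request BUG quoted above.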