
Commit 07e1be9

lituo1996kawasaki
authored and committed
drbd: fix a null-pointer dereference when the request event in drbd_request_endio() is READ_COMPLETED_WITH_ERROR
In drbd_request_endio(), the request event what can be set to
READ_COMPLETED_WITH_ERROR. In this case, __req_mod() is invoked with a NULL
peer_device:

  __req_mod(req, what, NULL, &m);

When handling READ_COMPLETED_WITH_ERROR, __req_mod() unconditionally calls
drbd_set_out_of_sync():

  case READ_COMPLETED_WITH_ERROR:
    drbd_set_out_of_sync(peer_device, req->i.sector, req->i.size);

The drbd_set_out_of_sync() macro expands to __drbd_change_sync():

  #define drbd_set_out_of_sync(peer_device, sector, size) \
    __drbd_change_sync(peer_device, sector, size, SET_OUT_OF_SYNC)

However, __drbd_change_sync() assumes a valid peer_device and immediately
dereferences it:

  struct drbd_device *device = peer_device->device;

If peer_device is NULL, this results in a NULL-pointer dereference.

Fix this by adding a NULL check in __req_mod() before calling
drbd_set_out_of_sync().

Signed-off-by: Tuo Li <[email protected]>
1 parent 06634b5 commit 07e1be9

1 file changed

+2
-1
lines changed

drivers/block/drbd/drbd_req.c

Lines changed: 2 additions & 1 deletion
@@ -621,7 +621,8 @@ int __req_mod(struct drbd_request *req, enum drbd_req_event what,
621621
break;
622622

623623
case READ_COMPLETED_WITH_ERROR:
624-
drbd_set_out_of_sync(peer_device, req->i.sector, req->i.size);
624+
if (peer_device)
625+
drbd_set_out_of_sync(peer_device, req->i.sector, req->i.size);
625626
drbd_report_io_error(device, req);
626627
__drbd_chk_io_error(device, DRBD_READ_ERROR);
627628
fallthrough;
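
Review bot: In the READ_COMPLETED_WITH_ERROR case the new `if (peer_device)` guard silently skips drbd_set_out_of_sync() when peer_device is NULL, so on the drbd_request_endio() path the failed read's range (req->i.sector, req->i.size) is never marked out of sync, and the commit message does not say why that is acceptable. Please add a comment above the guard stating why skipping is safe for a NULL peer_device, or have the caller supply a valid peer_device instead. Since the commit message notes that __drbd_change_sync() dereferences peer_device immediately, consider whether the check belongs there so other users of the drbd_set_out_of_sync() macro are covered too. The case also ends in `fallthrough;` into code outside this hunk; confirm nothing after it uses peer_device without the same check.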
