From 877da05ffb13c1a998070707e0d15df0167f9364 Mon Sep 17 00:00:00 2001
From: Kent Overstreet <kent.overstreet@gmail.com>
Date: Fri, 30 Jul 2021 14:33:06 -0400
Subject: [PATCH] bcachefs: Zero out mem_ptr field in btree ptr keys from
 journal replay

This fixes a bad ptr deref on recovery from unclean shutdown in
bch2_btree_node_get_noiter().

Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
---
 fs/bcachefs/recovery.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/fs/bcachefs/recovery.c b/fs/bcachefs/recovery.c
index 84e224fb0d019..afb72648fe541 100644
--- a/fs/bcachefs/recovery.c
+++ b/fs/bcachefs/recovery.c
@@ -39,6 +39,20 @@ static void drop_alloc_keys(struct journal_keys *keys)
 	keys->nr = dst;
 }
 
+/*
+ * Btree node pointers have a field to stack a pointer to the in memory btree
+ * node; we need to zero out this field when reading in btree nodes, or when
+ * reading in keys from the journal:
+ */
+static void zero_out_btree_mem_ptr(struct journal_keys *keys)
+{
+	struct journal_key *i;
+
+	for (i = keys->d; i < keys->d + keys->nr; i++)
+		if (i->k->k.type == KEY_TYPE_btree_ptr_v2)
+			bkey_i_to_btree_ptr_v2(i->k)->v.mem_ptr = 0;
+}
+
 /* iterate over keys read from the journal: */
 
 static int __journal_key_cmp(enum btree_id	l_btree_id,
@@ -1072,6 +1086,8 @@ use_clean:
 		drop_alloc_keys(&c->journal_keys);
 	}
 
+	zero_out_btree_mem_ptr(&c->journal_keys);
+
 	ret = journal_replay_early(c, clean, &c->journal_entries);
 	if (ret)
 		goto err;
-- 
2.30.2