From 952070908f9f47acb9e9ebd642570dd75f672edc Mon Sep 17 00:00:00 2001
From: Kent Overstreet <kent.overstreet@gmail.com>
Date: Thu, 16 Jan 2020 16:14:56 -0500
Subject: bcachefs: Don't modify existing key in place in sort_repack_merge()

This fixes a nasty memory corruption with other threads that are still
reading the btree node being compacted.

Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
---
 fs/bcachefs/bkey_sort.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/fs/bcachefs/bkey_sort.c b/fs/bcachefs/bkey_sort.c
index 1c8e5a80e32a..7cbb57042af1 100644
--- a/fs/bcachefs/bkey_sort.c
+++ b/fs/bcachefs/bkey_sort.c
@@ -210,28 +210,38 @@ bch2_sort_repack_merge(struct bch_fs *c,
 		       bool filter_whiteouts)
 {
 	struct bkey_packed *prev = NULL, *k_packed;
-	struct bkey_s k;
+	struct bkey_on_stack k;
 	struct btree_nr_keys nr;
-	struct bkey unpacked;
 
 	memset(&nr, 0, sizeof(nr));
+	bkey_on_stack_init(&k);
 
 	while ((k_packed = bch2_btree_node_iter_next_all(iter, src))) {
 		if (filter_whiteouts && bkey_whiteout(k_packed))
 			continue;
 
-		k = __bkey_disassemble(src, k_packed, &unpacked);
+		/*
+		 * NOTE:
+		 * bch2_bkey_normalize may modify the key we pass it (dropping
+		 * stale pointers) and we don't have a write lock on the src
+		 * node; we have to make a copy of the entire key before calling
+		 * normalize
+		 */
+		bkey_on_stack_realloc(&k, c, k_packed->u64s + BKEY_U64s);
+		bch2_bkey_unpack(src, k.k, k_packed);
 
 		if (filter_whiteouts &&
-		    bch2_bkey_normalize(c, k))
+		    bch2_bkey_normalize(c, bkey_i_to_s(k.k)))
 			continue;
 
-		extent_sort_append(c, out_f, &nr, vstruct_last(dst), &prev, k);
+		extent_sort_append(c, out_f, &nr, vstruct_last(dst),
+				   &prev, bkey_i_to_s(k.k));
 	}
 
 	extent_sort_advance_prev(out_f, &nr, vstruct_last(dst), &prev);
 
 	dst->u64s = cpu_to_le16((u64 *) prev - dst->_data);
+	bkey_on_stack_exit(&k, c);
 	return nr;
 }
 
-- 
cgit v1.2.3