[PATCH 3/3] btrfs: tree-checker: Fix NULL pointer access for corrupted chunk root

[Qu Wenruo <wqu@suse.com>]

[BUG]
For a special crafted image, kernel can cause NULL pointer dereference like:
  BUG: unable to handle kernel NULL pointer dereference at 0000000000000024
  #PF error: [normal kernel read fault]
  Oops: 0000 [#1] SMP PTI
  CPU: 0 PID: 146 Comm: kworker/u2:4 Not tainted 5.0.0-rc8+ #9
  Workqueue: btrfs-endio-meta btrfs_endio_meta_helper
  RIP: 0010:btrfs_root_node+0x10/0x50
  Call Trace:
   btrfs_read_lock_root_node+0x29/0x50
   btrfs_search_slot+0x529/0x920
   btrfs_find_root+0x56/0x240
   btrfs_read_tree_root+0x8b/0x130
   btrfs_read_fs_root+0x12/0x40
   btrfs_get_fs_root.part.49+0x53/0x170
   btrfs_get_fs_root+0x44/0xa0
   check_leaf+0xc0/0xa90
   btrfs_check_leaf_full+0x13/0x20
   btree_readpage_end_io_hook+0x242/0x290
   end_bio_extent_readpage+0x14f/0x660
   bio_endio+0xc4/0x140
   end_workqueue_fn+0x3d/0x40
   normal_work_helper+0xcb/0x320
   btrfs_endio_meta_helper+0x12/0x20
   process_one_work+0x167/0x410
   worker_thread+0x4d/0x460
   kthread+0x105/0x140
   ret_from_fork+0x35/0x40

[CAUSE]
Tree checker can be triggered when tree root is still not initialized.
This is for chunk tree read.

However if chunk tree is empty and has incorrect owner, then tree
checker will do comprehensive empty tree check.
This check involves search root tree to find the root, thus triggering
NULL pointer dereference as root tree is not yet initialized.

[FIX]
Just skip restrict owner check if tree root is not yet initialized.

Fix this fix, the corrupted image can be rejected as expected:
  BTRFS info (device loop0): disk space caching is enabled
  BTRFS info (device loop0): has skinny extents
  BTRFS error (device loop0): super_num_devices 1 mismatch with num_devices 0 found here
  BTRFS error (device loop0): failed to read chunk tree: -22
  BTRFS error (device loop0): open_ctree failed

Reported-by: Yoon Jungyeon <jungyeon@gatech.edu>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=202753
Signed-off-by: Qu Wenruo <wqu@suse.com>
---
 fs/btrfs/tree-checker.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
index 5ccb4be583ea..e01a84be768f 100644
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -760,8 +760,12 @@ static int check_leaf(struct btrfs_fs_info *fs_info, struct extent_buffer *leaf,
 		 * we can't use @owner as accurate owner indicator.
 		 * Case like balance and new tree block created for commit root
 		 * can break owner check easily.
+		 *
+		 * Also we could trigger tree checker before root tree
+		 * initialized (read chunk tree), skip strict owner check
+		 * if root tree is not initialized yet.
 		 */
-		if (!check_empty_leaf)
+		if (!check_empty_leaf || !fs_info->tree_root->node)
 			return 0;
 
 		key.objectid = owner;
-- 
2.21.0