bcachefs: Fix a UAF after write_super()

write_super() may reallocate the superblock buffer - but bch_sb_field_ext was referencing it; don't use it after the write_super call. Reported-by: syzbot+8992fc10a192067b8d8a@syzkaller.appspotmail.com Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
author: Kent Overstreet <kent.overstreet@linux.dev> 2024-06-20 19:42:39 -0400
committer: Kent Overstreet <kent.overstreet@linux.dev> 2024-06-21 10:17:07 -0400
commit: 2fe79ce7d1e8ec5059e7dfc15f3c769ae9679569 (patch)
tree: 2d65be5f950ce8e9d89c633e0b08f67917dfe455 /fs
parent: e6b3a655ac7ba5282b1504851488236865804cb8 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/bcachefs/recovery.c b/fs/bcachefs/recovery.c
index e632da69196c..1f9d044ed920 100644
--- a/fs/bcachefs/recovery.c
+++ b/fs/bcachefs/recovery.c
@@ -664,10 +664,10 @@ int bch2_fs_recovery(struct bch_fs *c)
 	if (check_version_upgrade(c))
 		write_sb = true;
 
+	c->recovery_passes_explicit |= bch2_recovery_passes_from_stable(le64_to_cpu(ext->recovery_passes_required[0]));
+
 	if (write_sb)
 		bch2_write_super(c);
-
-	c->recovery_passes_explicit |= bch2_recovery_passes_from_stable(le64_to_cpu(ext->recovery_passes_required[0]));
 	mutex_unlock(&c->sb_lock);
 
 	if (c->opts.fsck && IS_ENABLED(CONFIG_BCACHEFS_DEBUG))
author	Kent Overstreet <kent.overstreet@linux.dev>	2024-06-20 19:42:39 -0400
committer	Kent Overstreet <kent.overstreet@linux.dev>	2024-06-21 10:17:07 -0400
commit	2fe79ce7d1e8ec5059e7dfc15f3c769ae9679569 (patch)
tree	2d65be5f950ce8e9d89c633e0b08f67917dfe455 /fs
parent	e6b3a655ac7ba5282b1504851488236865804cb8 (diff)