Commit 2fe79ce7 authored by Kent Overstreet's avatar Kent Overstreet
Browse files

bcachefs: Fix a UAF after write_super() 



write_super() may reallocate the superblock buffer - but
bch_sb_field_ext was referencing it; don't use it after the write_super
call.

Reported-by: default avatar <syzbot+8992fc10a192067b8d8a@syzkaller.appspotmail.com>
Signed-off-by: default avatarKent Overstreet <kent.overstreet@linux.dev>
parent e6b3a655

fs/bcachefs/recovery.c

+2 −2
Original line number Diff line number Diff line
@@ -664,10 +664,10 @@ int bch2_fs_recovery(struct bch_fs *c) 
	if (check_version_upgrade(c))

		write_sb = true;



	c->recovery_passes_explicit |= bch2_recovery_passes_from_stable(le64_to_cpu(ext->recovery_passes_required[0]));



	if (write_sb)

		bch2_write_super(c);



	c->recovery_passes_explicit |= bch2_recovery_passes_from_stable(le64_to_cpu(ext->recovery_passes_required[0]));

	mutex_unlock(&c->sb_lock);



	if (c->opts.fsck && IS_ENABLED(CONFIG_BCACHEFS_DEBUG))