bcachefs: Fix a UAF after write_super()

write_super() may reallocate the superblock buffer - but
bch_sb_field_ext was referencing it; don't use it after the write_super
call.

Reported-by: syzbot+8992fc10a192067b8d8a@syzkaller.appspotmail.com
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

diff --git a/fs/bcachefs/recovery.c b/fs/bcachefs/recovery.c
index e632da69196ccf8988ba7efcd743559e713354c0..1f9d044ed92077334c3976fefe39bc4e017b9337 100644 (file)
--- a/fs/bcachefs/recovery.c
+++ b/fs/bcachefs/recovery.c
@@ -664,10 +664,10 @@ int bch2_fs_recovery(struct bch_fs *c)
        if (check_version_upgrade(c))
                write_sb = true;
 
+       c->recovery_passes_explicit |= bch2_recovery_passes_from_stable(le64_to_cpu(ext->recovery_passes_required[0]));
+
        if (write_sb)
                bch2_write_super(c);
-
-       c->recovery_passes_explicit |= bch2_recovery_passes_from_stable(le64_to_cpu(ext->recovery_passes_required[0]));
        mutex_unlock(&c->sb_lock);
 
        if (c->opts.fsck && IS_ENABLED(CONFIG_BCACHEFS_DEBUG))