From: Kent Overstreet Date: Thu, 20 Jun 2024 23:42:39 +0000 (-0400) Subject: bcachefs: Fix a UAF after write_super() X-Git-Tag: v6.10-rc5-pxa1908~42^2~1 X-Git-Url: https://git.dujemihanovic.xyz/?a=commitdiff_plain;h=2fe79ce7d1e8ec5059e7dfc15f3c769ae9679569;p=linux.git bcachefs: Fix a UAF after write_super() write_super() may reallocate the superblock buffer - but bch_sb_field_ext was referencing it; don't use it after the write_super call. Reported-by: syzbot+8992fc10a192067b8d8a@syzkaller.appspotmail.com Signed-off-by: Kent Overstreet --- diff --git a/fs/bcachefs/recovery.c b/fs/bcachefs/recovery.c index e632da69196c..1f9d044ed920 100644 --- a/fs/bcachefs/recovery.c +++ b/fs/bcachefs/recovery.c @@ -664,10 +664,10 @@ int bch2_fs_recovery(struct bch_fs *c) if (check_version_upgrade(c)) write_sb = true; + c->recovery_passes_explicit |= bch2_recovery_passes_from_stable(le64_to_cpu(ext->recovery_passes_required[0])); + if (write_sb) bch2_write_super(c); - - c->recovery_passes_explicit |= bch2_recovery_passes_from_stable(le64_to_cpu(ext->recovery_passes_required[0])); mutex_unlock(&c->sb_lock); if (c->opts.fsck && IS_ENABLED(CONFIG_BCACHEFS_DEBUG))
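Review bot: the ordering constraint between the `ext->recovery_passes_required[0]` read and the `if (write_sb) bch2_write_super(c);` block in bch2_fs_recovery() is not documented in the code, so a later edit could move a dereference of `ext` back below the write and reintroduce the use-after-free. Suggest a one-line comment above `if (write_sb)` saying that bch2_write_super() may reallocate the superblock buffer and that `ext` must not be used after it, or re-fetching the pointer after the write if it is needed again. The hunk ends shortly after `mutex_unlock(&c->sb_lock)`, so the rest of the function should also be checked for any remaining use of `ext` after the write; the visible lines do not show whether one exists.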