diff options
| author | Kent Overstreet <kent.overstreet@linux.dev> | 2024-06-21 02:42:39 +0300 |
|---|---|---|
| committer | Kent Overstreet <kent.overstreet@linux.dev> | 2024-06-21 17:17:07 +0300 |
| commit | 2fe79ce7d1e8ec5059e7dfc15f3c769ae9679569 (patch) | |
| tree | 2d65be5f950ce8e9d89c633e0b08f67917dfe455 /fs/bcachefs | |
| parent | e6b3a655ac7ba5282b1504851488236865804cb8 (diff) | |
| download | linux-2fe79ce7d1e8ec5059e7dfc15f3c769ae9679569.tar.xz | |
bcachefs: Fix a UAF after write_super()
write_super() may reallocate the superblock buffer - but
bch_sb_field_ext was referencing it; don't use it after the write_super
call.
Reported-by: syzbot+8992fc10a192067b8d8a@syzkaller.appspotmail.com
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
Diffstat (limited to 'fs/bcachefs')
| -rw-r--r-- | fs/bcachefs/recovery.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/bcachefs/recovery.c b/fs/bcachefs/recovery.c index e632da69196c..1f9d044ed920 100644 --- a/fs/bcachefs/recovery.c +++ b/fs/bcachefs/recovery.c @@ -664,10 +664,10 @@ int bch2_fs_recovery(struct bch_fs *c) if (check_version_upgrade(c)) write_sb = true; + c->recovery_passes_explicit |= bch2_recovery_passes_from_stable(le64_to_cpu(ext->recovery_passes_required[0])); + if (write_sb) bch2_write_super(c); - - c->recovery_passes_explicit |= bch2_recovery_passes_from_stable(le64_to_cpu(ext->recovery_passes_required[0])); mutex_unlock(&c->sb_lock); if (c->opts.fsck && IS_ENABLED(CONFIG_BCACHEFS_DEBUG)) |