From: Kent Overstreet Date: Mon, 17 Jul 2023 01:56:18 +0000 (-0400) Subject: bcachefs: Fix lookup_inode_for_snapshot() X-Git-Tag: io_uring-6.7-2023-11-10~119^2~180 X-Git-Url: https://git.kernel.dk/?a=commitdiff_plain;h=20e6d9a8d4050220f4e0a0195d102abaf2c8439b;p=linux-block.git bcachefs: Fix lookup_inode_for_snapshot() This fixes a use-after-free. Signed-off-by: Kent Overstreet
---
diff --git a/fs/bcachefs/fsck.c b/fs/bcachefs/fsck.c
index c8599978ae46..0d7344ff64c0 100644
--- a/fs/bcachefs/fsck.c
+++ b/fs/bcachefs/fsck.c
@@ -682,6 +682,7 @@ found:
 if (snapshot != i->snapshot && !is_whiteout) {
 struct inode_walker_entry new = *i;
+ size_t pos;
 int ret;
 new.snapshot = snapshot;
@@ -693,9 +694,12 @@ found:
 while (i > w->inodes.data && i[-1].snapshot > snapshot)
 --i;
- ret = darray_insert_item(&w->inodes, i - w->inodes.data, new);
+ pos = i - w->inodes.data;
+ ret = darray_insert_item(&w->inodes, pos, new);
 if (ret)
 return ERR_PTR(ret);
+
+ i = w->inodes.data + pos;
 }
 return i;
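Review bot: The new `i = w->inodes.data + pos;` at the end of the second hunk carries no comment, so the reason `i` is re-derived after the insert is only recoverable from the commit message. Presumably darray_insert_item() can grow and move `w->inodes.data`, leaving the old `i` pointing at freed memory; a comment above the assignment such as `/* darray_insert_item() may reallocate w->inodes.data; recompute i from pos */` would stop a later cleanup from folding it away. The function still returns `i`, a pointer into the array, so any caller that keeps the result across another insertion into `w->inodes` would be exposed to the same stale-pointer pattern; that cannot be checked from this hunk, since the function begins and ends outside it.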