bcachefs: Fix rare use after free in read path
authorKent Overstreet <kent.overstreet@gmail.com>
Sun, 25 Oct 2020 00:56:47 +0000 (20:56 -0400)
committerKent Overstreet <kent.overstreet@linux.dev>
Sun, 22 Oct 2023 21:08:45 +0000 (17:08 -0400)
If the bkey_on_stack_reassemble() call in __bch2_read_indirect_extent()
reallocates the buffer, k in bch2_read - which we pointed at the
bkey_on_stack buffer - will now point to a stale buffer. Whoops.

Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
fs/bcachefs/fs-io.c
fs/bcachefs/fs.c
fs/bcachefs/io.c

index 0290f7410a5cb1ebf3b28a1ec1293a87bd57f967..edc3d73d26ba971ea057267c9e737e81b8e9cb77 100644 (file)
@@ -782,18 +782,19 @@ retry:
                if (ret)
                        break;
 
-               bkey_on_stack_reassemble(&sk, c, k);
-               k = bkey_i_to_s_c(sk.k);
-
                offset_into_extent = iter->pos.offset -
                        bkey_start_offset(k.k);
                sectors = k.k->size - offset_into_extent;
 
+               bkey_on_stack_reassemble(&sk, c, k);
+
                ret = bch2_read_indirect_extent(trans,
                                        &offset_into_extent, &sk);
                if (ret)
                        break;
 
+               k = bkey_i_to_s_c(sk.k);
+
                sectors = min(sectors, k.k->size - offset_into_extent);
 
                bch2_trans_unlock(trans);
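Review bot: The corrected ordering carries no explanation: nothing in the hunk says why `k = bkey_i_to_s_c(sk.k);` now has to come after `bch2_read_indirect_extent()` instead of right after the reassemble, so the original (use-after-free) ordering is easy to reintroduce in a later cleanup. Suggest a one-line comment above the reassignment, e.g. `/* bch2_read_indirect_extent() may reallocate sk; repoint k at it only afterwards */`. The same comment is worth adding at the equivalent `k = bkey_i_to_s_c(...)` reassignments in the fs.c and io.c hunks of this commit. The enclosing loop body under the `retry:` label starts and ends outside this hunk.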
index b214d58e94e9dc09b92b6b28ea5ebe2bff108476..a61d5f8aecd6eb1281ae11a3213e05c84304c39b 100644 (file)
@@ -911,20 +911,21 @@ retry:
                        continue;
                }
 
-               bkey_on_stack_realloc(&cur, c, k.k->u64s);
-               bkey_on_stack_realloc(&prev, c, k.k->u64s);
-               bkey_reassemble(cur.k, k);
-               k = bkey_i_to_s_c(cur.k);
-
                offset_into_extent      = iter->pos.offset -
                        bkey_start_offset(k.k);
                sectors                 = k.k->size - offset_into_extent;
 
+               bkey_on_stack_realloc(&cur, c, k.k->u64s);
+               bkey_on_stack_realloc(&prev, c, k.k->u64s);
+               bkey_reassemble(cur.k, k);
+
                ret = bch2_read_indirect_extent(&trans,
                                        &offset_into_extent, &cur);
                if (ret)
                        break;
 
+               k = bkey_i_to_s_c(cur.k);
+
                sectors = min(sectors, k.k->size - offset_into_extent);
 
                if (offset_into_extent)
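Review bot: `prev` is still sized from the original key's `k.k->u64s` (the `bkey_on_stack_realloc(&prev, c, k.k->u64s);` line) before `bch2_read_indirect_extent()` can swap `cur` for a possibly larger indirect extent; if code below this hunk later reassembles the new `k` into `prev`, that buffer may be undersized. The use of `prev` is not visible from here, so this is something to confirm rather than a definite defect, and it is not introduced by this commit. If it is real, reallocating `prev` after the new `k = bkey_i_to_s_c(cur.k);` line with `bkey_on_stack_realloc(&prev, c, k.k->u64s);` would size it from the resolved key. The loop body continues outside the hunk.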
index 5c12bfed3a7b45988af99d44a1d8735913897ca3..03f5b9034aa7004f20c468a66ba8d2e4fd016865 100644 (file)
@@ -1667,7 +1667,6 @@ retry:
                unsigned bytes, sectors, offset_into_extent;
 
                bkey_on_stack_reassemble(&sk, c, k);
-               k = bkey_i_to_s_c(sk.k);
 
                offset_into_extent = iter->pos.offset -
                        bkey_start_offset(k.k);
@@ -1678,6 +1677,8 @@ retry:
                if (ret)
                        break;
 
+               k = bkey_i_to_s_c(sk.k);
+
                sectors = min(sectors, k.k->size - offset_into_extent);
 
                bch2_trans_unlock(&trans);
@@ -2311,13 +2312,14 @@ retry:
                sectors = k.k->size - offset_into_extent;
 
                bkey_on_stack_reassemble(&sk, c, k);
-               k = bkey_i_to_s_c(sk.k);
 
                ret = bch2_read_indirect_extent(&trans,
                                        &offset_into_extent, &sk);
                if (ret)
                        goto err;
 
+               k = bkey_i_to_s_c(sk.k);
+
                /*
                 * With indirect extents, the amount of data to read is the min
                 * of the original extent and the indirect extent: