bcachefs: Fix rare use after free in read path

If the bkey_on_stack_reassemble() call in __bch2_read_indirect_extent()
reallocates the buffer, k in bch2_read - which we pointed at the
bkey_on_stack buffer - will now point to a stale buffer. Whoops.

Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

1 files changed, 6 insertions, 5 deletions

diff --git a/fs/bcachefs/fs.c b/fs/bcachefs/fs.c
index b214d58e94e9..a61d5f8aecd6 100644
--- a/fs/bcachefs/fs.c
+++ b/fs/bcachefs/fs.c
@@ -911,20 +911,21 @@ retry:
 			continue;
 		}
 
-		bkey_on_stack_realloc(&cur, c, k.k->u64s);
-		bkey_on_stack_realloc(&prev, c, k.k->u64s);
-		bkey_reassemble(cur.k, k);
-		k = bkey_i_to_s_c(cur.k);
-
 		offset_into_extent	= iter->pos.offset -
 			bkey_start_offset(k.k);
 		sectors			= k.k->size - offset_into_extent;
 
+		bkey_on_stack_realloc(&cur, c, k.k->u64s);
+		bkey_on_stack_realloc(&prev, c, k.k->u64s);
+		bkey_reassemble(cur.k, k);
+
 		ret = bch2_read_indirect_extent(&trans,
 					&offset_into_extent, &cur);
 		if (ret)
 			break;
 
+		k = bkey_i_to_s_c(cur.k);
+
 		sectors = min(sectors, k.k->size - offset_into_extent);
 
 		if (offset_into_extent)