bcachefs: Fix lookup_inode_for_snapshot()

This fixes a use-after-free.
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

fs/bcachefs/fsck.c

@@ -682,6 +682,7 @@ lookup_inode_for_snapshot(struct bch_fs *c, struct inode_walker *w,
 
 	if (snapshot != i->snapshot && !is_whiteout) {
 		struct inode_walker_entry new = *i;
+		size_t pos;
 		int ret;
 
 		new.snapshot = snapshot;
@@ -693,9 +694,12 @@ lookup_inode_for_snapshot(struct bch_fs *c, struct inode_walker *w,
 		while (i > w->inodes.data && i[-1].snapshot > snapshot)
 			--i;
 
-		ret = darray_insert_item(&w->inodes, i - w->inodes.data, new);
+		pos = i - w->inodes.data;
+		ret = darray_insert_item(&w->inodes, pos, new);
 		if (ret)
 			return ERR_PTR(ret);
+
+		i = w->inodes.data + pos;
 	}
 
 	return i;