git-server-git.apps.pok.os.sepia.ceph.com Git

author	Ilya Dryomov <idryomov@gmail.com>
	Wed, 25 Feb 2026 10:37:16 +0000 (11:37 +0100)
committer	Ilya Dryomov <idryomov@gmail.com>
	Sat, 28 Feb 2026 21:03:01 +0000 (22:03 +0100)
commit	151ff1e3e1a9c7d28080ba769fec2302e15f0c14
tree	968e7f1d250142f9b6cb5350f610685f16ee374b	tree \| snapshot
parent	f1ac6cc4499567865c0f41aba4b04b40cd081cf2	commit \| diff

librbd: don't complete ImageUpdateWatchers::shut_down() prematurely

ImageUpdateWatchers::flush() requests aren't tracked with
m_in_flight-like mechanism the way ImageUpdateWatchers::send_notify()
requests are, but in both cases callbacks that represent delayed work
that is very likely to (indirectly) reference ImageCtx are involved.
When the image is getting closed, ImageUpdateWatchers::shut_down() is
called before anything that belongs to ImageCtx is destroyed. However,
the shutdown can complete prematurely in the face of a pending flush if
one gets sent shortly before CloseRequest is invoked. The callback for
that flush will then race with CloseRequest and may execute after parts
of or even the entire ImageCtx is destroyed, leading to use-after-free
and various segfaults.

Fixes: https://tracker.ceph.com/issues/75161
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 3ea6ee62aa339d1ad9976fdcc6e207a505f9bf44)