If aio_wake() triggers destruction, ioc->priv might be a
use-after-free (this is the case for the BlueStore read path).
Signed-off-by: Sage Weil <sage@redhat.com>
// trust aio[] values; they my be freed (e.g., by BlueFS::_fsync)
if (left == 0) {
// check waiting count before doing callback (which may
- // destroy this ioc).
+ // destroy this ioc). and avoid ref to ioc after aio_wake()
+ // in case that triggers destruction.
+ void *priv = ioc->priv;
ioc->aio_wake();
- if (ioc->priv) {
- aio_callback(aio_callback_priv, ioc->priv);
+ if (priv) {
+ aio_callback(aio_callback_priv, priv);
}
}
}
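Review bot: The `aio_callback(aio_callback_priv, priv)` call still runs after `ioc->aio_wake()`, so this only helps if whatever `priv` points to outlives the ioc. The hunk does not show who owns that object. If the waiter woken by `aio_wake()` can free it along with the ioc, the saved pointer is just as stale as `ioc->priv` was. Please state the lifetime assumption in the comment next to `void *priv = ioc->priv;`, for example that priv is owned by the callback target and not by the ioc. The added comment text "destroy this ioc). and avoid ref to ioc after aio_wake()" would also read better as its own sentence, such as "Do not touch ioc after aio_wake(), which may trigger its destruction."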