librbd: fix use-after-free on ictx in list_descendants()

Ictx is deleted when "ictx->state->open()" and "ictx->state->close()"
fail, and then "lderr(ictx->cct)" crashes.

Fixes: https://tracker.ceph.com/issues/52522
Signed-off-by: Wang ShuaiChao <wangshuaich@chinatelecom.cn>
(cherry picked from commit fa5d61ee5144f67cba53d54d36013614183e53a3)

diff --git a/src/librbd/api/Image.cc b/src/librbd/api/Image.cc
index 7a4db0e0f4a995c5e29116b7900c4c5729fad051..4997d4117bc3cc0e8ff0dc3839b3ac2a5df60d66 100644 (file)
--- a/src/librbd/api/Image.cc
+++ b/src/librbd/api/Image.cc
@@ -311,12 +311,13 @@ int Image<I>::list_descendants(
     std::vector<librbd::linked_image_spec_t> *images) {
   ImageCtx *ictx = new librbd::ImageCtx("", image_id, nullptr,
                                         io_ctx, true);
+  CephContext *cct = ictx->cct;
   int r = ictx->state->open(OPEN_FLAG_SKIP_OPEN_PARENT);
   if (r < 0) {
     if (r == -ENOENT) {
       return 0;
     }
-    lderr(ictx->cct) << "failed to open descendant " << image_id
+    lderr(cct) << "failed to open descendant " << image_id
                      << " from pool " << io_ctx.get_pool_name() << ":"
                      << cpp_strerror(r) << dendl;
     return r;
@@ -326,7 +327,7 @@ int Image<I>::list_descendants(
 
   int r1 = ictx->state->close();
   if (r1 < 0) {
-    lderr(ictx->cct) << "error when closing descendant " << image_id
+    lderr(cct) << "error when closing descendant " << image_id
                      << " from pool " << io_ctx.get_pool_name() << ":"
                      << cpp_strerror(r) << dendl;
   }