librbd: clear ctx before initiating close in Image::{aio_,}close()

Image::aio_close() must clear ctx before initiating close.  Otherwise
the provided callback may see a non-NULL ctx and attempt to close the
image again from Image destructor, leading to an invalid memory access
as ImageCtx and ImageState are both freed immediately after the image
is closed (i.e. before AioCompletion is completed and the callback is
executed).

The same adjustment is made to Image::close() just for consistency.

Fixes: https://tracker.ceph.com/issues/69619
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 61baa8793402d416289ff25535d6f9124da3cae9)

diff --git a/src/librbd/librbd.cc b/src/librbd/librbd.cc
index 1f75f0f4f0bfa21571c2091d423f395adff2f4b5..33d6c25916d69e37d4387e7df324a75f489d7a29 100644 (file)
--- a/src/librbd/librbd.cc
+++ b/src/librbd/librbd.cc
@@ -1630,8 +1630,8 @@ namespace librbd {
       ImageCtx *ictx = (ImageCtx *)ctx;
       tracepoint(librbd, close_image_enter, ictx, ictx->name.c_str(), ictx->id.c_str());
 
+      ctx = NULL;  // before initiating close
       r = ictx->state->close();
-      ctx = NULL;
 
       tracepoint(librbd, close_image_exit, r);
     }
@@ -1647,9 +1647,9 @@ namespace librbd {
     ImageCtx *ictx = (ImageCtx *)ctx;
     tracepoint(librbd, aio_close_image_enter, ictx, ictx->name.c_str(), ictx->id.c_str(), c->pc);
 
+    ctx = NULL;  // before initiating close
     ictx->state->close(new C_AioCompletion(ictx, librbd::io::AIO_TYPE_CLOSE,
                                            get_aio_completion(c)));
-    ctx = NULL;
 
     tracepoint(librbd, aio_close_image_exit, 0);
     return 0;