librbd: potential null pointer dereference when requesting exclusive lock 10980/head
authorMykola Golub <mgolub@mirantis.com>
Tue, 27 Sep 2016 13:43:50 +0000 (16:43 +0300)
committerMykola Golub <mgolub@mirantis.com>
Wed, 28 Sep 2016 12:17:19 +0000 (15:17 +0300)
m_require_lock_on_read should be cleared when holding owner_lock.

For safety, also check that exclusive_lock is not null.

Signed-off-by: Mykola Golub <mgolub@mirantis.com>
src/librbd/AioImageRequestWQ.cc
src/librbd/ExclusiveLock.cc

index 062db1b0fcd4a1c48417b0c8779f53cbf25bf5af..52fdd8d6d85771c9305c5de74607541e2d272378 100644 (file)
@@ -439,8 +439,9 @@ void AioImageRequestWQ::queue(AioImageRequest<> *req) {
 
   assert(m_image_ctx.owner_lock.is_locked());
   bool write_op = req->is_write_op();
-  bool lock_required = (write_op && is_lock_required()) ||
-    (!write_op && m_require_lock_on_read);
+  bool lock_required = (m_image_ctx.exclusive_lock != nullptr &&
+                        ((write_op && is_lock_required()) ||
+                          (!write_op && m_require_lock_on_read)));
 
   if (lock_required && !m_image_ctx.get_exclusive_lock_policy()->may_auto_request_lock()) {
     lderr(cct) << "op requires exclusive lock" << dendl;
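Review bot: The new `m_image_ctx.exclusive_lock != nullptr` term in `lock_required` has no comment saying which state it guards, and it lets a read that arrives with `m_require_lock_on_read` still set go ahead as if no lock were needed. The ExclusiveLock.cc hunks now clear that flag under `owner_lock` before nulling the pointer, so that combination should be unreachable; I would record this above the expression, e.g. `// exclusive_lock is cleared under owner_lock during shutdown; the read flag is cleared with it`. If no other path sets the flag without a lock object (not visible here), an `assert(m_image_ctx.exclusive_lock != nullptr || !m_require_lock_on_read);` would surface a regression in debug builds instead of letting I/O proceed unlocked. The continuation line `(!write_op && m_require_lock_on_read)` is also indented one column past the `(write_op && ...` operand it pairs with. The body of `queue()` continues outside the hunk.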
index 1d6b44bf8e11b4f76fd16e0e76ef1af0f2b76642..48ecbf850f57f3e8c64ee51a7892ee3bfa3b5de3 100644 (file)
@@ -687,6 +687,7 @@ void ExclusiveLock<I>::handle_shutdown_released(int r) {
 
   {
     RWLock::WLocker owner_locker(m_image_ctx.owner_lock);
+    m_image_ctx.aio_work_queue->clear_require_lock_on_read();
     m_image_ctx.exclusive_lock = nullptr;
   }
 
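Review bot: Moving `clear_require_lock_on_read()` into the `owner_lock` scope of `handle_shutdown_released` also makes the call unconditional. Previously it ran only in the `else` branch of the error check (next hunk), so a failed shutdown now clears the flag while `unblock_writes()` is still skipped. That looks intended, since `exclusive_lock` is set to nullptr on both paths, but the commit message mentions only the locking; a comment such as `// clear before dropping exclusive_lock so queue() never sees the flag set with a null lock` would record it. The call now runs with the write lock held, so if `clear_require_lock_on_read()` takes a lock of its own (not visible here), confirm its ordering against `owner_lock` matches the other callers. The same move is made in `handle_shutdown` (last hunk), and both function bodies extend outside the hunks.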
@@ -694,7 +695,6 @@ void ExclusiveLock<I>::handle_shutdown_released(int r) {
     lderr(cct) << "failed to shut down exclusive lock: " << cpp_strerror(r)
                << dendl;
   } else {
-    m_image_ctx.aio_work_queue->clear_require_lock_on_read();
     m_image_ctx.aio_work_queue->unblock_writes();
   }
 
@@ -709,10 +709,10 @@ void ExclusiveLock<I>::handle_shutdown(int r) {
 
   {
     RWLock::WLocker owner_locker(m_image_ctx.owner_lock);
+    m_image_ctx.aio_work_queue->clear_require_lock_on_read();
     m_image_ctx.exclusive_lock = nullptr;
   }
 
-  m_image_ctx.aio_work_queue->clear_require_lock_on_read();
   m_image_ctx.aio_work_queue->unblock_writes();
   m_image_ctx.image_watcher->flush(util::create_context_callback<
     ExclusiveLock<I>, &ExclusiveLock<I>::complete_shutdown>(this));