From: Jason Dillaman
Date: Tue, 28 Jul 2020 13:07:49 +0000 (-0400)
Subject: librbd: ensure image cannot be closed until in-flight IO callbacks complete
X-Git-Tag: wip-pdonnell-testing-20200918.022351~513^2~1
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=0d64e31c191f04b10b5318eb6d4db9dd83b2d166;p=ceph-ci.git
librbd: ensure image cannot be closed until in-flight IO callbacks complete
If a librbd client attempts to close the image while it still has in-flight IO pending, it's possible for the AsyncOperation tracker which prevents the image from being closed to be completed before the actual AioCompletion callback fires. This can result in the now destructed ImageCtx being de-referenced by the AioCompletion.
Fixes: https://tracker.ceph.com/issues/46737
Signed-off-by: Jason Dillaman
---
diff --git a/src/librbd/io/AioCompletion.cc b/src/librbd/io/AioCompletion.cc
index cad10336424..f6015b8a942 100644
--- a/src/librbd/io/AioCompletion.cc
+++ b/src/librbd/io/AioCompletion.cc
@@ -118,10 +118,6 @@ void AioCompletion::complete() {
 image_dispatcher_ctx->complete(rval);
 }
- // note: possible for image to be closed after op marked finished
- if (async_op.started()) {
- async_op.finish_op();
- }
 tracepoint(librbd, aio_complete_exit);
 }
@@ -274,8 +270,15 @@ void AioCompletion::complete_event_socket() {
 void AioCompletion::notify_callbacks_complete() {
 state = AIO_STATE_COMPLETE;
- std::unique_lock locker(lock);
- cond.notify_all();
+ {
+ std::unique_lock locker(lock);
+ cond.notify_all();
+ }
+
+ // note: possible for image to be closed after op marked finished
+ if (async_op.started()) {
+ async_op.finish_op();
+ }
 }
 } // namespace io
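Review bot: In `notify_callbacks_complete()` the member `async_op` is now read after `lock` has been released and the waiters have been woken by `cond.notify_all()`, so the function keeps touching `this` at a point where a woken thread may already be releasing the completion. That is only safe if the caller holds its own reference across this call, which is presumably the case but is not visible in this hunk. I would document that above the new block, for example `// caller must hold a ref: async_op is accessed after waiters have been woken`. The moved note could also be tightened to state the invariant it protects, for example `// must be last: the image may be closed and ImageCtx destroyed once finish_op() returns`, so a later edit does not add an ImageCtx access after it.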