From: Sage Weil Date: Mon, 23 Jan 2017 19:46:34 +0000 (-0500) Subject: os/bluestore/KernelDevice: avoid possible use-after-free for ioc->priv X-Git-Tag: v12.0.0~52^2~3 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=393747a6983364f878aa884827b121ab6c2a46dc;p=ceph.git os/bluestore/KernelDevice: avoid possible use-after-free for ioc->priv If aio_wake() triggers destruction, ioc->priv might be a use-after-free (this is the case for the BlueStore read path). Signed-off-by: Sage Weil --- diff --git a/src/os/bluestore/KernelDevice.cc b/src/os/bluestore/KernelDevice.cc index c9cde7868e30..7ffd6fd91f7b 100644 --- a/src/os/bluestore/KernelDevice.cc +++ b/src/os/bluestore/KernelDevice.cc @@ -269,10 +269,12 @@ void KernelDevice::_aio_thread() // trust aio[] values; they my be freed (e.g., by BlueFS::_fsync) if (left == 0) { // check waiting count before doing callback (which may - // destroy this ioc). + // destroy this ioc). and avoid ref to ioc after aio_wake() + // in case that triggers destruction. + void *priv = ioc->priv; ioc->aio_wake(); - if (ioc->priv) { - aio_callback(aio_callback_priv, ioc->priv); + if (priv) { + aio_callback(aio_callback_priv, priv); } } }
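Review bot: the snapshot `void *priv = ioc->priv;` taken before `ioc->aio_wake()` only removes the read of `ioc` after the wake; it does nothing for the object `priv` points to, so if the wake can destroy the ioc, the caller must either have set `priv` to null beforehand or keep the priv target alive until `aio_callback(aio_callback_priv, priv)` returns. The new comment should state that contract explicitly, e.g. `// priv must be null, or outlive the ioc, when aio_wake() can destroy it`, since the code now silently relies on it. Style: `// destroy this ioc). and avoid ref to ioc after aio_wake()` splices two sentences with a lowercase `and` after a period; either `destroy this ioc), and avoid ...` or `destroy this ioc). Avoid ...`. Since the hunk already touches these lines, the pre-existing typo in the context line `// trust aio[] values; they my be freed` (`may`) could be fixed in the same commit.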