From: Wang ShuaiChao <wangshuaich@chinatelecom.cn>
Date: Tue, 7 Sep 2021 08:43:11 +0000 (+0800)
Subject: librbd: fix use-after-free on ictx in list_descendants()
X-Git-Tag: v16.2.8~174^2~1
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=5e5ff9e80d46c21c256b01fddba979ba7b7ab71f;p=ceph.git

librbd: fix use-after-free on ictx in list_descendants()

Ictx is deleted when "ictx->state->open()" and "ictx->state->close()"
fail, and then "lderr(ictx->cct)" crashes.

Fixes: https://tracker.ceph.com/issues/52522
Signed-off-by: Wang ShuaiChao <wangshuaich@chinatelecom.cn>
(cherry picked from commit fa5d61ee5144f67cba53d54d36013614183e53a3)
---

diff --git a/src/librbd/api/Image.cc b/src/librbd/api/Image.cc
index 7a4db0e0f4a99..4997d4117bc3c 100644
--- a/src/librbd/api/Image.cc
+++ b/src/librbd/api/Image.cc
@@ -311,12 +311,13 @@ int Image<I>::list_descendants(
     std::vector<librbd::linked_image_spec_t> *images) {
   ImageCtx *ictx = new librbd::ImageCtx("", image_id, nullptr,
                                         io_ctx, true);
+  CephContext *cct = ictx->cct;
   int r = ictx->state->open(OPEN_FLAG_SKIP_OPEN_PARENT);
   if (r < 0) {
     if (r == -ENOENT) {
       return 0;
     }
-    lderr(ictx->cct) << "failed to open descendant " << image_id
+    lderr(cct) << "failed to open descendant " << image_id
                      << " from pool " << io_ctx.get_pool_name() << ":"
                      << cpp_strerror(r) << dendl;
     return r;
@@ -326,7 +327,7 @@ int Image<I>::list_descendants(
 
   int r1 = ictx->state->close();
   if (r1 < 0) {
-    lderr(ictx->cct) << "error when closing descendant " << image_id
+    lderr(cct) << "error when closing descendant " << image_id
                      << " from pool " << io_ctx.get_pool_name() << ":"
                      << cpp_strerror(r) << dendl;
   }