From: Ilya Dryomov
Date: Wed, 22 Jan 2025 19:34:11 +0000 (+0100)
Subject: librbd: clear ctx before initiating close in Image::{aio_,}close()
X-Git-Tag: testing/wip-pdonnell-testing-20250303.200617-debug~21^2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=aba7c2a54fb58dd71e7672394cd938c26f00ef36;p=ceph-ci.git
librbd: clear ctx before initiating close in Image::{aio_,}close()
Image::aio_close() must clear ctx before initiating close. Otherwise the provided callback may see a non-NULL ctx and attempt to close the image again from Image destructor, leading to an invalid memory access as ImageCtx and ImageState are both freed immediately after the image is closed (i.e. before AioCompletion is completed and the callback is executed).
The same adjustment is made to Image::close() just for consistency.
Fixes: https://tracker.ceph.com/issues/69619
Signed-off-by: Ilya Dryomov
(cherry picked from commit 61baa8793402d416289ff25535d6f9124da3cae9)
---
diff --git a/src/librbd/librbd.cc b/src/librbd/librbd.cc
index 1f75f0f4f0b..33d6c25916d 100644
--- a/src/librbd/librbd.cc
+++ b/src/librbd/librbd.cc
@@ -1630,8 +1630,8 @@ namespace librbd {
 ImageCtx *ictx = (ImageCtx *)ctx;
 tracepoint(librbd, close_image_enter, ictx, ictx->name.c_str(), ictx->id.c_str());
+ ctx = NULL; // before initiating close
 r = ictx->state->close();
- ctx = NULL;
 tracepoint(librbd, close_image_exit, r);
 }
@@ -1647,9 +1647,9 @@ namespace librbd {
 ImageCtx *ictx = (ImageCtx *)ctx;
 tracepoint(librbd, aio_close_image_enter, ictx, ictx->name.c_str(), ictx->id.c_str(), c->pc);
+ ctx = NULL; // before initiating close
 ictx->state->close(new C_AioCompletion(ictx, librbd::io::AIO_TYPE_CLOSE, get_aio_completion(c)));
- ctx = NULL;
 tracepoint(librbd, aio_close_image_exit, 0);
 return 0;
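Review bot: The added comment `// before initiating close` in the first hunk says when but not why, and the lifetime hazard that makes the ordering essential is recorded only in the commit message, so a maintainer reading Image::close() later has no reason not to move the assignment back below the close call. I would expand it to `// clear ctx before initiating close: ictx (and its ImageState) is freed once the close completes, and a completion callback may otherwise see a non-NULL ctx and re-close from ~Image` and use the same wording on the matching added line in the second hunk (Image::aio_close()), where the use-after-free actually occurred. The local `ictx` is still dereferenced on the line after the assignment, which is fine since it was copied before ctx was cleared, but nothing after `state->close()` may touch it; the trailing tracepoints only use `r` and the constant 0, which holds. Both enclosing functions begin before their hunks, and the second hunk's closing brace appears to lie past the end of this chunk.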