From 1a9c3be2ceffcb981910de429a7da0fbec43e643 Mon Sep 17 00:00:00 2001
From: Jason Dillaman <dillaman@redhat.com>
Date: Wed, 26 Sep 2018 14:39:25 -0400
Subject: [PATCH] librbd: object copy state machine might dereference a deleted
 object

Fixes: http://tracker.ceph.com/issues/36220
Signed-off-by: Jason Dillaman <dillaman@redhat.com>
---
 src/librbd/deep_copy/ObjectCopyRequest.cc | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/librbd/deep_copy/ObjectCopyRequest.cc b/src/librbd/deep_copy/ObjectCopyRequest.cc
index 096b3cb1a3a7a..2f1332cdcae5a 100644
--- a/src/librbd/deep_copy/ObjectCopyRequest.cc
+++ b/src/librbd/deep_copy/ObjectCopyRequest.cc
@@ -470,13 +470,16 @@ void ObjectCopyRequest<I>::send_update_object_map() {
       finish_op_ctx->complete(0);
     });
 
-  m_dst_image_ctx->object_map_lock.get_write();
-  bool sent = m_dst_image_ctx->object_map->template aio_update<
+  auto dst_image_ctx = m_dst_image_ctx;
+  dst_image_ctx->object_map_lock.get_write();
+  bool sent = dst_image_ctx->object_map->template aio_update<
     Context, &Context::complete>(dst_snap_id, m_dst_object_number, object_state,
                                  {}, {}, false, ctx);
-  m_dst_image_ctx->object_map_lock.put_write();
-  m_dst_image_ctx->snap_lock.put_read();
-  m_dst_image_ctx->owner_lock.put_read();
+
+  // NOTE: state machine might complete before we reach here
+  dst_image_ctx->object_map_lock.put_write();
+  dst_image_ctx->snap_lock.put_read();
+  dst_image_ctx->owner_lock.put_read();
   if (!sent) {
     ceph_assert(dst_snap_id == CEPH_NOSNAP);
     ctx->complete(0);
-- 
2.39.5