From 1bc0b5aab3fca8549fcda8ee7f2d794164f1188b Mon Sep 17 00:00:00 2001
From: Vitaliy Filippov
Date: Sat, 24 Feb 2024 00:06:34 +0300
Subject: [PATCH] Fix a rare use-after-free in automatic sync after delete in blockstore

ASan report:
[0] READ of size 16 at operator() /root/vitastor/src/blockstore_write.cpp:100
...[5] blockstore_impl_t::ack_sync(blockstore_op_t*) /root/vitastor/src/blockstore_sync.cpp:232
---
 src/blockstore_write.cpp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/blockstore_write.cpp b/src/blockstore_write.cpp
index 1418d62e..f393ed05 100644
--- a/src/blockstore_write.cpp
+++ b/src/blockstore_write.cpp
@@ -95,11 +95,13 @@ bool blockstore_impl_t::enqueue_write(blockstore_op_t *op)
         // Issue an additional sync so the delete reaches the journal
         blockstore_op_t *sync_op = new blockstore_op_t;
         sync_op->opcode = BS_OP_SYNC;
-        sync_op->callback = [this, op](blockstore_op_t *sync_op)
+        sync_op->oid = op->oid;
+        sync_op->version = op->version;
+        sync_op->callback = [this](blockstore_op_t *sync_op)
         {
             flusher->unshift_flush((obj_ver_id){
-                .oid = op->oid,
-                .version = op->version-1,
+                .oid = sync_op->oid,
+                .version = sync_op->version-1,
             }, true);
             delete sync_op;
         };
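Review bot: The reason the new code copies oid/version into sync_op instead of capturing `op` is not recorded in the code, so a later reader may "simplify" it back into a capture and reintroduce the use-after-free the ASan trace shows; a comment on the `sync_op->oid = op->oid;` line such as `// Copy into sync_op: op is completed and freed by its owner before this sync's callback runs, so it must not be captured` would pin that invariant. The callback still captures `this` by pointer, so it relies on the blockstore_impl_t outliving every pending BS_OP_SYNC; that looks intended here but is worth stating in the same comment. The callback also never looks at sync_op->retval and calls unshift_flush unconditionally, so if a sync can complete with an error the flush is still queued — I cannot tell from the hunk whether that is acceptable, so please confirm. enqueue_write begins outside the hunk.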