From 3a5d488f190e0940708128a5f044fe7e0c102299 Mon Sep 17 00:00:00 2001
From: Vitaliy Filippov <vitalif@yourcmc.ru>
Date: Mon, 1 Jun 2020 00:34:04 +0300
Subject: [PATCH] Fix use-after-free in osd_flush.cpp

---
 osd_flush.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/osd_flush.cpp b/osd_flush.cpp
index b10e464b..9294bbb9 100644
--- a/osd_flush.cpp
+++ b/osd_flush.cpp
@@ -270,9 +270,10 @@ void osd_t::submit_recovery_op(osd_recovery_op_t *op)
                 throw std::runtime_error("Failed to recover an object");
             }
         }
+        // CAREFUL! op = &recovery_ops[op->oid]. Don't access op->* after recovery_ops.erase()
+        op->osd_op = NULL;
         recovery_ops.erase(op->oid);
         delete osd_op;
-        op->osd_op = NULL;
         continue_recovery();
     };
     exec_op(op->osd_op);