Pipe: take a ref to existing while we are waiting

Otherwise, if it is reaped while we are waiting, it'll be a
use-after-free.

Fixes: http://tracker.ceph.com/issues/15870
Signed-off-by: Samuel Just <sjust@redhat.com>
(cherry picked from commit b224912d249453d754fc0478d3680f8cfa1a5c22)

diff --git a/src/msg/simple/Pipe.cc b/src/msg/simple/Pipe.cc
index f6eee3394154bbc63daf5cefd9cfb49cfdc94218..6d727546190263a2eb37790a4702ec3eb42961aa 100644 (file)
--- a/src/msg/simple/Pipe.cc
+++ b/src/msg/simple/Pipe.cc
@@ -472,13 +472,21 @@ int Pipe::accept()
         *  held by somebody trying to make use of the SimpleMessenger lock.
         *  So drop locks, wait, and retry. It just looks like a slow network
         *  to everybody else.
+        *
+        *  We take a ref to existing here since it might get reaped before we
+        *  wake up (see bug #15870).  We can be confident that it lived until
+        *  locked it since we held the msgr lock from _lookup_pipe through to
+        *  locking existing->lock and checking reader_dispatching.
         */
+       existing->get();
        pipe_lock.Unlock();
        msgr->lock.Unlock();
        existing->notify_on_dispatch_done = true;
        while (existing->reader_dispatching)
          existing->cond.Wait(existing->pipe_lock);
        existing->pipe_lock.Unlock();
+       existing->put();
+       existing = nullptr;
        goto retry_existing_lookup;
       }