From: Adam C. Emerson Date: Fri, 6 Mar 2020 03:14:47 +0000 (-0500) Subject: common/ceph_timer: Pass reference to waited time on stack X-Git-Tag: v15.1.1~42^2 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=451120140e10ec1bd60ae20c33d707e788cfd8f0;p=ceph-ci.git common/ceph_timer: Pass reference to waited time on stack std::condition_variable::wait_until takes a const reference to a time_point. It may access this reference after relinquishing the mutex, creating a potential use-after-free error if the first event is shut down. So, just copy the time onto the stack, so we have a reference that won't disappear. https://tracker.ceph.com/issues/44373 Signed-off-by: Adam C. Emerson --- diff --git a/src/common/ceph_timer.h b/src/common/ceph_timer.h index d5c0d60f37e..d12cc19933a 100644 --- a/src/common/ceph_timer.h +++ b/src/common/ceph_timer.h @@ -130,10 +130,15 @@ class timer { if (suspended) break; - if (schedule.empty()) + if (schedule.empty()) { cond.wait(l); - else - cond.wait_until(l, schedule.begin()->t); + } else { + // Since wait_until takes its parameter by reference, passing + // the time /in the event/ is unsafe, as it might be canceled + // while we wait. + const auto t = schedule.begin()->t; + cond.wait_until(l, t); + } } }
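Review bot: The comment in the new `else` branch states the hazard only partly: "it might be canceled" does not say that "it" is the first scheduled event, nor that the problem is `wait_until` reading the time through the reference after the mutex `l` has been relinquished, which is what the commit message describes. Consider spelling that out in the comment, for example "the first event may be cancelled and freed once wait_until drops the lock, leaving the reference dangling", so that a later cleanup does not fold the local copy `t` back into `cond.wait_until(l, schedule.begin()->t)`. The change also touches only `src/common/ceph_timer.h`; a regression test that cancels the earliest event while the timer thread is waiting, run under a memory sanitizer, would guard against the use-after-free returning.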