From 451120140e10ec1bd60ae20c33d707e788cfd8f0 Mon Sep 17 00:00:00 2001
From: "Adam C. Emerson"
Date: Thu, 5 Mar 2020 22:14:47 -0500
Subject: [PATCH] common/ceph_timer: Pass reference to waited time on stack
std::condition_variable::wait_until takes a const reference to a time_point. It may access this reference after relinquishing the mutex, creating a potential use-after-free error if the first event is shut down. So, just copy the time onto the stack, so we have a reference that won't disappear.
https://tracker.ceph.com/issues/44373
Signed-off-by: Adam C. Emerson
---
 src/common/ceph_timer.h | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/common/ceph_timer.h b/src/common/ceph_timer.h
index d5c0d60f37e..d12cc19933a 100644
--- a/src/common/ceph_timer.h
+++ b/src/common/ceph_timer.h
@@ -130,10 +130,15 @@ class timer {
 if (suspended)
 break;
- if (schedule.empty())
+ if (schedule.empty()) {
 cond.wait(l);
- else
- cond.wait_until(l, schedule.begin()->t);
+ } else {
+ // Since wait_until takes its parameter by reference, passing
+ // the time /in the event/ is unsafe, as it might be canceled
+ // while we wait.
+ const auto t = schedule.begin()->t;
+ cond.wait_until(l, t);
+ }
 }
 }
-- 
2.39.5
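Review bot: The new comment above `const auto t = schedule.begin()->t;` says the event "might be canceled while we wait" but not why that is dangerous, so a later cleanup could fold the copy back into the call. The commit message holds the missing half: wait_until may read its time_point argument after it has released the mutex, and a reference into an event that is shut down in that window dangles. I would put that in the code, e.g. `// wait_until may read its time argument after releasing the mutex; a reference into the first event would dangle if that event is shut down meanwhile (use-after-free), so wait on a stack copy.` The enclosing loop and function start outside the hunk, so whether other waits in this file pass event members by reference cannot be checked from here.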