missed a case in r1538490:
PR56639

Always NULL c->sbh before putting a connection back in a pollset or queue.

We can't NULL c->sbh at the bottom of process_socket() after putting a socket back on 
the event_pollset or having it go into lingering close, because the listener or a worker
thread could A) continue on the connection or B) free and allocate the same conn_rec
pointer before we get to the bottom of process_socket().

Submitted By: Edward Lu
Committed By: covener



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1604350 13f79535-47bb-0310-9956-ffa450edef68
covener committed Jun 21, 2014
1 parent ddb6b6b commit d62d4c3
Showing 2 changed files with 9 additions and 15 deletions.
4 changes: 4 additions & 0 deletions CHANGES
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0

*) event MPM: Fix possible crashes (third party modules accessing c->sbh)
or occasional missed mod_status updates for some initial requests
on a connection under load. PR 56639.[Edward Lu <Chaosed0 gmail.com>]

*) mod_deflate: Don't fail when flushing inflated data to the user-agent
and that coincides with the end of stream ("Zlib error flushing inflate
buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]
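Review bot: In the new event MPM entry, `PR 56639.[Edward Lu` has no space before the bracket, while the mod_deflate entry just below it writes `PR 56196. [Christoph Fausak`. Add the space so the attribution is formatted like the rest of the file.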
20 changes: 5 additions & 15 deletions server/mpm/event/event.c
Expand Up @@ -845,6 +845,7 @@ static int start_lingering_close_common(event_conn_state_t *cs)
cs->pub.sense == CONN_SENSE_WANT_WRITE ? APR_POLLOUT :
APR_POLLIN) | APR_POLLHUP | APR_POLLERR;
cs->pub.sense = CONN_SENSE_DEFAULT;
cs->c->sbh = NULL;
rv = apr_pollset_add(event_pollset, &cs->pfd);
apr_thread_mutex_unlock(timeout_mutex);
if (rv != APR_SUCCESS && !APR_STATUS_IS_EEXIST(rv)) {
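Review bot: `cs->c->sbh = NULL;` in start_lingering_close_common() carries no comment saying why it has to precede `apr_pollset_add(event_pollset, &cs->pfd)`, and that ordering is the whole point of the fix. A one-line comment here (the listener or another worker may take the connection as soon as it is in the pollset) would keep a later cleanup from moving the assignment back below the add. It is also worth confirming that the `rv != APR_SUCCESS && !APR_STATUS_IS_EEXIST(rv)` branch that follows does not expect a non-NULL c->sbh, since its body lies outside this hunk.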
Expand Down Expand Up @@ -1130,11 +1131,8 @@ static void process_socket(apr_thread_t *thd, apr_pool_t * p, apr_socket_t * soc
}

if (cs->pub.state == CONN_STATE_LINGER) {
if (!start_lingering_close_blocking(cs)) {
c->sbh = NULL;
notify_suspend(cs);
return;
}
start_lingering_close_blocking(cs);
notify_suspend(cs);
}
else if (cs->pub.state == CONN_STATE_CHECK_REQUEST_LINE_READABLE) {
/* It greatly simplifies the logic to use a single timeout value here
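Review bot: In the CONN_STATE_LINGER branch, `notify_suspend(cs);` sits after `start_lingering_close_blocking(cs);`, which looks like the ordering the commit message warns about. If that call reaches the apr_pollset_add() in start_lingering_close_common(), the listener or another worker may already own or have recycled the connection by the time notify_suspend() touches cs. Consider calling notify_suspend(cs) before the handoff, or add a comment explaining why cs is still safe to use at that point. The result of start_lingering_close_blocking() is also unchecked in this form, where the other form in the hunk tests it with `!`; a short comment on whether failure is handled inside the callee would help.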
Expand Down Expand Up @@ -1162,21 +1160,13 @@ static void process_socket(apr_thread_t *thd, apr_pool_t * p, apr_socket_t * soc
"process_socket: apr_pollset_add failure");
AP_DEBUG_ASSERT(rc == APR_SUCCESS);
}
return;
}
else if (cs->pub.state == CONN_STATE_SUSPENDED) {
cs->c->suspended_baton = cs;
apr_atomic_inc32(&suspended_count);
c->sbh = NULL;
notify_suspend(cs);
}
/*
* Prevent this connection from writing to our connection state after it
* is no longer associated with this thread. This would happen if the EOR
* bucket is destroyed from the listener thread due to a connection abort
* or timeout.
*/
c->sbh = NULL;
notify_suspend(cs);
return;
}

/* Put a SUSPENDED connection back into a queue. */
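Review bot: With the shared tail of process_socket() gone (`c->sbh = NULL; notify_suspend(cs); return;` and its comment, going by the `-1162,21 +1160,13` counts), the CONN_STATE_SUSPENDED branch is the only place in this hunk that still clears c->sbh. A state that falls through the visible if/else-if chain would now leave the function with c->sbh set and without a notify_suspend() call, so an explicit final else, or an AP_DEBUG_ASSERT on the expected states, would make that case visible. The rationale in the dropped comment about the EOR bucket being destroyed from the listener thread is still useful; consider keeping it beside the `c->sbh = NULL;` that remains.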