-
Notifications
You must be signed in to change notification settings - Fork 782
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix origin session cache double free #8330
Conversation
341fcee
to
c5ce17b
Compare
[approve ci autest] |
[approve ci clang-analyzer] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall looks good 👍 Commented some nitpicks.
remove and free sessions that are timed out free sessions that failed to be set, and free sessions when done
c5ce17b
to
559d7e1
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks reasonable.
@duke8253 do we need to backport this to the 9.2.0 branch? |
remove and free sessions that are timed out free sessions that failed to be set, and free sessions when done (cherry picked from commit f4274a8)
Cherry-picked to v9.2.x |
* asf/master: (47 commits) Doc: cleanup build errors. (apache#8377) Doc: Add proxy.config.cacvhe.mutex_retry_delay (apache#8376) Adds support for TCP_NOTSENT_LOWAT sockopt (apache#8354) Added support for promoting internal (plugin-initiated) requests. (apache#8363) Removed references to the throttle option from the slice plugin. (apache#8373) Pre-warming TLS Tunnel (apache#7661) Traffic Dump: update json-schema for new tuple requirements (apache#8370) TSSslSecretSet: Update SSL_CTX TLS Secrets (apache#8368) Added support for verifying cacheability before attempting to force an object into cache (apache#8364) [doc] Add a note for TSLifecycleHookAdd. Warn users that a contp could eventually be executed in a ET_NET when it was originally scheduled in the ET_TASK. (apache#8344) check size of session, and free sessions the ATS way (apache#8330) Locking around SSLSecret::secret_map access (apache#8358) Stabilize regex_revalidate Au test. (apache#559) (apache#8360) change MemArena::make test to remove memory leak (apache#8352) free sessions when timeout (apache#8356) test_MMH: fix memory leak in unit test (apache#8357) crash fix (apache#8268) remove unused RecConfigFileEntry struct (apache#8353) Rename outbound_conntrack to global_outbound_conntrack to reduce confusion. (apache#8343) remove unused RecConfigFileEntry from RecConfigParse (apache#8348) ...
* asf/9.2.x: Updated ChangeLog Add SSLSessionDup for older OpenSSL and BoringSSL (apache#8578) use shared pointer to help with high memory utilization (apache#8498) Commenting TSHttpTxnCacheLookupStatusGet need_to_revalidate (apache#8621) check size of session, and free sessions the ATS way (apache#8330) free sessions when timeout (apache#8356) Fix 32bit build failure on Odroid Xu-4 (apache#8626) TSHttpTxnCacheLookupStatusGet: call need_to_revalidate (apache#8617) SNIConfig (tunnel_route): Change the way we extract matched subgroups from the server name. (apache#8589) fix for collapsed forwarding ink_abort for CacheHitFresh fail (apache#8613) Do not turn off cache for internal requests (apache#8266) Rate Limit Plugin: Re-enable VConnection when SNI is empty (apache#8625) Removes hard dependency on having perl installed (apache#8611)
We started seeing some weird crashes after turning on origin session cache in production, and it seems like it was caused by SSL session being freed more than once. My guess is that since the current origin sessions stores the OpenSSL's session object directly, and let OpenSSL handle the freeing, when multiple threads uses the same session and terminates the session, the object gets freed while others are still using it. This commit reverts back to using
d2i_SSL_SESSION
andi2d_SSL_SESSION
to convert sessions, since I don't like the idea of manually keeping track OpenSSL's internal ref counter. Also callsSSL_SESSION_free
manually on the generated sessions as per OpenSSL's documentation.