From: Ruediger Pluem <rpluem@apache.org>
Date: Fri, 22 Feb 2008 22:58:42 +0000 (+0000)
Subject: * Second part of fix for PR 44402:
X-Git-Tag: 2.3.0~942
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=38e1b393564c8588d846bbad779fd93262fc3d2d;p=apache

* Second part of fix for PR 44402:

  - Fix the same race condition in event MPM.
  - Slightly optimize code in worker MPM by removing the need for an additional
    dereference operation.
  - Do some word smithing on the CHANGES entry.

PR: 44402
Submitted by: Basant Kumar Kukreja <basant.kukreja sun.com>
Reviewed by: rpluem


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@630348 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index c7fc3ab587..b1b35805e2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,8 +2,9 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
 
-  *) Worker MPM: fix race condition in recycling a pool
-     PR 44402 [Basant Kumar Kukreja <basant.kukreja sun.com>]
+  *) Worker / Event MPM: Fix race condition in pool recycling that leads to
+     segmentation faults under load.  PR 44402
+     [Basant Kumar Kukreja <basant.kukreja sun.com>]
 
   *) mod_include: Correctly handle SSI directives split over multiple filter
      passes.  PR 44447 [Harald Niesche <harald brokenerror.de>]
diff --git a/server/mpm/experimental/event/fdqueue.c b/server/mpm/experimental/event/fdqueue.c
index 8534a3e8de..925241909a 100644
--- a/server/mpm/experimental/event/fdqueue.c
+++ b/server/mpm/experimental/event/fdqueue.c
@@ -201,10 +201,16 @@ void ap_push_pool(fd_queue_info_t * queue_info,
                                                           (*new_recycle));
         new_recycle->pool = pool_to_recycle;
         for (;;) {
-            new_recycle->next = queue_info->recycled_pools;
+            /*
+             * Save queue_info->recycled_pool in local variable next because
+             * new_recycle->next can be changed after apr_atomic_casptr
+             * function call.
+             */
+            struct recycled_pool *next = queue_info->recycled_pools;
+            new_recycle->next = next;
             if (apr_atomic_casptr
                 ((volatile void **) &(queue_info->recycled_pools),
-                 new_recycle, new_recycle->next) == new_recycle->next) {
+                 new_recycle, next) == next) {
                 break;
             }
         }
diff --git a/server/mpm/worker/fdqueue.c b/server/mpm/worker/fdqueue.c
index b88b8dacd8..951fafacab 100644
--- a/server/mpm/worker/fdqueue.c
+++ b/server/mpm/worker/fdqueue.c
@@ -101,7 +101,7 @@ apr_status_t ap_queue_info_set_idle(fd_queue_info_t *queue_info,
             struct recycled_pool *next = queue_info->recycled_pools;
             new_recycle->next = next;
             if (apr_atomic_casptr((volatile void**)&(queue_info->recycled_pools),
-                                  new_recycle, new_recycle->next) == next) {
+                                  new_recycle, next) == next) {
                 break;
             }
         }