From: Jim Jagielski Date: Tue, 2 Dec 2014 12:49:42 +0000 (+0000) Subject: Merge r1638879, r1640031 from trunk: X-Git-Tag: 2.4.11~119 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4463b8123eb08fa48ccd8739882750853376a66e;p=apache Merge r1638879, r1640031 from trunk: avoid dereferencing a recently apr_pool_clear()'ed event_conn_state_t *cs in several paths where ptrans is being recycled at the end of a request. event, eventopt: follow up to r1638879 and r1639960. Clear the pool in ap_push_pool() before recycling. Submitted by: covener, ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1642859 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/STATUS b/STATUS
index 9a6a882dee..211dd42c02 100644
--- a/STATUS
+++ b/STATUS
@@ -112,13 +112,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 2.4.x patch: trunk works: +1 covener, ylavic, jim
- * event: avoid dereferencing a recently apr_pool_clear()'ed
- event_conn_state_t *cs when ptrans is being recycled at EOR.
- trunk patch: http://svn.apache.org/r1638879
- http://svn.apache.org/r1640031
- 2.4.x patch: trunk works
- +1 covener, ylavic, jim
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ]
diff --git a/server/mpm/event/event.c b/server/mpm/event/event.c
index 9db1821a89..d10f0e9dbf 100644
--- a/server/mpm/event/event.c
+++ b/server/mpm/event/event.c
@@ -829,7 +829,6 @@ static int start_lingering_close_common(event_conn_state_t *cs, int in_worker)
 TO_QUEUE_REMOVE(*q, cs);
 apr_thread_mutex_unlock(timeout_mutex);
 apr_socket_close(cs->pfd.desc.s);
- apr_pool_clear(cs->p);
 ap_push_pool(worker_queue_info, cs->p);
 return 0;
 }
@@ -847,7 +846,6 @@ static int start_lingering_close_common(event_conn_state_t *cs, int in_worker)
 static int start_lingering_close_blocking(event_conn_state_t *cs)
 {
 if (ap_start_lingering_close(cs->c)) {
- apr_pool_clear(cs->p);
 ap_push_pool(worker_queue_info, cs->p);
 return 0;
 }
@@ -872,7 +870,6 @@ static int start_lingering_close_nonblocking(event_conn_state_t *cs)
 if (c->aborted || apr_socket_shutdown(csd, APR_SHUTDOWN_WRITE) != APR_SUCCESS) {
 apr_socket_close(csd);
- apr_pool_clear(cs->p);
 ap_push_pool(worker_queue_info, cs->p);
 return 0;
 }
@@ -896,7 +893,6 @@ static int stop_lingering_close(event_conn_state_t *cs)
 ap_log_error(APLOG_MARK, APLOG_ERR, rv, ap_server_conf, APLOGNO(00468) "error closing socket");
 AP_DEBUG_ASSERT(0);
 }
- apr_pool_clear(cs->p);
 ap_push_pool(worker_queue_info, cs->p);
 return 0;
 }
@@ -962,8 +958,6 @@ static void process_socket(apr_thread_t *thd, apr_pool_t * p, apr_socket_t * soc
 c = ap_run_create_connection(p, ap_server_conf, sock, conn_id, sbh, cs->bucket_alloc);
 if (!c) {
- apr_bucket_alloc_destroy(cs->bucket_alloc);
- apr_pool_clear(p);
 ap_push_pool(worker_queue_info, p);
 return;
 }
@@ -1241,7 +1235,6 @@ static apr_status_t push2worker(const apr_pollfd_t * pfd,
 apr_socket_close(cs->pfd.desc.s);
 ap_log_error(APLOG_MARK, APLOG_CRIT, rc, ap_server_conf, APLOGNO(00471) "push2worker: ap_queue_push failed");
- apr_pool_clear(cs->p);
 ap_push_pool(worker_queue_info, cs->p);
 }
@@ -1378,7 +1371,6 @@ static void process_lingering_close(event_conn_state_t *cs, const apr_pollfd_t *
 apr_thread_mutex_unlock(timeout_mutex);
 TO_QUEUE_ELEM_INIT(cs);
- apr_pool_clear(cs->p);
 ap_push_pool(worker_queue_info, cs->p);
 }
@@ -1699,7 +1691,6 @@ static void * APR_THREAD_FUNC listener_thread(apr_thread_t * thd, void *dummy)
 ap_log_error(APLOG_MARK, APLOG_CRIT, rc, ap_server_conf, "ap_queue_push failed");
- apr_pool_clear(ptrans);
 ap_push_pool(worker_queue_info, ptrans);
 }
 else {
@@ -1707,7 +1698,6 @@ static void * APR_THREAD_FUNC listener_thread(apr_thread_t * thd, void *dummy)
 }
 }
 else {
- apr_pool_clear(ptrans);
 ap_push_pool(worker_queue_info, ptrans);
 }
 }
diff --git a/server/mpm/event/fdqueue.c b/server/mpm/event/fdqueue.c
index 2fa7e1e52c..485a98dc10 100644
--- a/server/mpm/event/fdqueue.c
+++ b/server/mpm/event/fdqueue.c
@@ -231,6 +231,7 @@ void ap_push_pool(fd_queue_info_t * queue_info,
 apr_atomic_inc32(&queue_info->recycled_pools_count);
 }
+ apr_pool_clear(pool_to_recycle);
 new_recycle = (struct recycled_pool *) apr_palloc(pool_to_recycle, sizeof (*new_recycle));
 new_recycle->pool = pool_to_recycle;
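Review bot: The added `apr_pool_clear(pool_to_recycle);` changes ap_push_pool()'s contract without documenting it: the pool is now wiped inside the call, so anything a caller allocated from it is invalid as soon as the call returns. The commit message says the `event_conn_state_t` reached through `cs->p` was being read after such a clear, so the rule is worth pinning at this line with a comment such as `/* Clear here, not in callers: the caller's state may live in this pool, so it must not be touched after ap_push_pool() returns. */`. Callers outside this diff that still clear the pool first would presumably only do redundant work, but any that read their connection state after the push would be reading cleared pool memory, so they are worth auditing. ap_push_pool()'s body starts and ends outside the hunk, so the paths that run before this line are not visible here.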