From: Eric Covener Date: Wed, 25 Jun 2014 22:01:31 +0000 (+0000) Subject: Backport r1604350 and r1605067 from trunk: X-Git-Tag: 2.4.10~84 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f4086813f55bc002228fede323c1c75ae5d19fa2;p=apache Backport r1604350 and r1605067 from trunk: * event MPM: fix a race where a worker looks at a conn_rec after it might be in use by another thread or may have been freed and re-allocated. Submitted By: Edward Lu git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1605619 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index b00118a08d..a1e7e6a5a8 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.4.10 + *) event MPM: Fix possible crashes (third party modules accessing c->sbh) + or occasional missed mod_status updates under load. + [Edward Lu ] + *) mod_authnz_ldap: Support primitive LDAP servers do not accept filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special filter "none" to be specified in AuthLDAPURL. [Eric Covener] diff --git a/STATUS b/STATUS index 5769a10624..0aa63f220c 100644 --- a/STATUS +++ b/STATUS @@ -100,16 +100,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * event MPM: fix a race where a worker looks at a conn_rec after it might be - in use by another thread or may have been freed and - re-allocated. - trunk patch: http://svn.apache.org/r1604350 - http://svn.apache.org/r1605067 - 2.4.x patch: http://people.apache.org/~covener/patches/httpd-2.4.x-event_sbh-race-2.diff - +1: covener, ylavic, trawick - trawick: seems to also fix another glitch specific to 2.4.x branch (sbh not cleared - in one of the lingering_close_* paths) - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/server/mpm/event/event.c b/server/mpm/event/event.c index 622b0187bb..ee92237e5a 100644 --- a/server/mpm/event/event.c +++ b/server/mpm/event/event.c @@ -799,6 +799,7 @@ static int start_lingering_close_common(event_conn_state_t *cs) } apr_atomic_inc32(&lingering_count); apr_thread_mutex_lock(timeout_mutex); + cs->c->sbh = NULL; TO_QUEUE_APPEND(*q, cs); cs->pfd.reqevents = ( cs->pub.sense == CONN_SENSE_WANT_WRITE ? APR_POLLOUT : @@ -1087,9 +1088,8 @@ read_request: } if (cs->pub.state == CONN_STATE_LINGER) { - if (!start_lingering_close_blocking(cs)) - notify_suspend(cs); - return; + start_lingering_close_blocking(cs); + notify_suspend(cs); } else if (cs->pub.state == CONN_STATE_CHECK_REQUEST_LINE_READABLE) { /* It greatly simplifies the logic to use a single timeout value here @@ -1117,20 +1117,12 @@ read_request: "process_socket: apr_pollset_add failure"); AP_DEBUG_ASSERT(rc == APR_SUCCESS); } - return; } else if (cs->pub.state == CONN_STATE_SUSPENDED) { apr_atomic_inc32(&suspended_count); + c->sbh = NULL; + notify_suspend(cs); } - /* - * Prevent this connection from writing to our connection state after it - * is no longer associated with this thread. This would happen if the EOR - * bucket is destroyed from the listener thread due to a connection abort - * or timeout. - */ - c->sbh = NULL; - notify_suspend(cs); - return; } /* conns_this_child has gone to zero or below. See if the admin coded