From 0e0793715cafe07dab722b2d28c4825eab84f5fc Mon Sep 17 00:00:00 2001 From: Olivier Houchard Date: Mon, 15 Apr 2019 17:51:16 +0200 Subject: [PATCH] BUG/MEDIUM: muxes: Make sure we unsubcribed when destroying mux ctx. In the h1 and h2 muxes, make sure we unsubscribed before destroying the mux context. Failing to do so will lead in a segfault later, as the connection will attempt to dereference its conn->send_wait or conn->recv_wait, which pointed to the now-free'd mux context. This was introduced by commit 39a96ee16eeec51774f9f52a783cf624a0de4ccb, so should only be backported if that commit gets backported. --- src/mux_h1.c | 4 +++- src/mux_h2.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/src/mux_h1.c b/src/mux_h1.c index 3a031e04f..368dcc6c9 100644 --- a/src/mux_h1.c +++ b/src/mux_h1.c @@ -483,6 +483,9 @@ static void h1_release(struct h1c *h1c) tasklet_free(h1c->wait_event.task); h1s_destroy(h1c->h1s); + if (conn && h1c->wait_event.events != 0) + conn->xprt->unsubscribe(conn, h1c->wait_event.events, + &h1c->wait_event); pool_free(pool_head_h1c, h1c); } @@ -490,7 +493,6 @@ static void h1_release(struct h1c *h1c) conn->mux = NULL; conn->ctx = NULL; - conn_force_unsubscribe(conn); conn_stop_tracking(conn); conn_full_close(conn); if (conn->destroy_cb) diff --git a/src/mux_h2.c b/src/mux_h2.c index 894c4bdbb..adcd0b4df 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -642,6 +642,9 @@ static void h2_release(struct h2c *h2c) } if (h2c->wait_event.task) tasklet_free(h2c->wait_event.task); + if (h2c->wait_event.events != 0) + conn->xprt->unsubscribe(conn, h2c->wait_event.events, + &h2c->wait_event); pool_free(pool_head_h2c, h2c); } @@ -650,7 +653,6 @@ static void h2_release(struct h2c *h2c) conn->mux = NULL; conn->ctx = NULL; - conn_force_unsubscribe(conn); conn_stop_tracking(conn); conn_full_close(conn); if (conn->destroy_cb)