From d9986ed51eb519c167488d06886e6aab2c5d363d Mon Sep 17 00:00:00 2001
From: Olivier Houchard
Date: Thu, 9 May 2019 13:24:08 +0200
Subject: [PATCH] BUG/MEDIUM: h2: Make sure we set send_list to NULL in h2_detach().

In h2_detach(), if we still have a send_wait pointer, because we woke the tasklet up, but it hasn't ran yet, explicitely set send_wait to NULL after we removed the tasklet from the task list. Failure to do so may lead to crashes if the h2s isn't immediately destroyed, because we considered there were still something to send. This should be backported to 1.9.
---
 src/mux_h2.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/mux_h2.c b/src/mux_h2.c
index 6105f1bce..6a8a762a2 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -3052,6 +3052,19 @@ static void h2_detach(struct conn_stream *cs)
 h2s->send_wait != &h2s->wait_event) {
 task_remove_from_tasklet_list((struct task *)h2s->send_wait->task);
 LIST_DEL_INIT(&h2s->sending_list);
+ /*
+ * At this point, the stream_interface is supposed to have called
+ * h2_unsubscribe(), so the only way there's still a
+ * subscription that came from the stream_interface (as we
+ * can subscribe ourself, in h2_do_shutw() and h2_do_shutr(),
+ * without the stream_interface involved) is that we subscribed
+ * for sending, we woke the tasklet up and removed the
+ * SUB_RETRY_SEND flag, so the stream_interface would not
+ * know it has to unsubscribe for send, but the tasklet hasn't
+ * run yet. Make sure to handle that by explicitely setting
+ * send_wait to NULL, as nothing else will do it for us.
+ */
+ h2s->send_wait = NULL;
 }
 
 sess = h2s->sess;
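Review bot: The new block comment spells "explicitely" where "explicitly" is meant (`run yet. Make sure to handle that by explicitly setting`); the commit description carries the same misspelling. The comment is also considerably longer than the invariant it protects, and a shorter form such as `/* The tasklet was woken but has not run yet, so nothing else will clear send_wait; clear it here or a later send attempt would act on a stale subscription. */` keeps the reasoning the commit message gives (a crash when the h2s is not destroyed immediately) while being easier to check against the code. The enclosing `if` and h2_detach() itself start outside the hunk, so the non-NULL check on `h2s->send_wait` that the `->task` dereference on the first context line depends on is presumably in the unseen half of the condition; worth confirming it is there rather than only the `!= &h2s->wait_event` test shown.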