This is an automated email from the ASF dual-hosted git repository. bneradt pushed a commit to branch revert-12803-fix_unix_socket_use_after_free in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 571a22069f4f2e8af982dc9dcf7c49f4356d5ae7 Author: Brian Neradt <[email protected]> AuthorDate: Thu Jan 29 16:12:29 2026 -0600 Revert "Fix NetAcceptAction::cancel() use-after-free race condition (#12803)" This reverts commit 89a5deffa0736302040754a4e2e5cfb73c6bd304. --- src/iocore/net/P_NetAccept.h | 27 +++++++++------------------ src/iocore/net/QUICNetProcessor.cc | 4 +++- src/iocore/net/UnixNetAccept.cc | 5 +---- src/iocore/net/UnixNetProcessor.cc | 4 +++- 4 files changed, 16 insertions(+), 24 deletions(-) diff --git a/src/iocore/net/P_NetAccept.h b/src/iocore/net/P_NetAccept.h index 22a2dd5bca..163d5578d5 100644 --- a/src/iocore/net/P_NetAccept.h +++ b/src/iocore/net/P_NetAccept.h @@ -43,7 +43,6 @@ #include "iocore/net/NetAcceptEventIO.h" #include "Server.h" -#include <atomic> #include <vector> struct NetAccept; @@ -61,29 +60,21 @@ AcceptFunction net_accept; class UnixNetVConnection; +// TODO fix race between cancel accept and call back struct NetAcceptAction : public Action, public RefCountObjInHeap { - std::atomic<Server *> server{nullptr}; - - NetAcceptAction(Continuation *cont, Server *s) - { - continuation = cont; - if (cont != nullptr) { - mutex = cont->mutex; - } - server.store(s, std::memory_order_release); - } + Server *server; void cancel(Continuation *cont = nullptr) override { - // Close the server before setting the cancelled flag. This ensures that - // when acceptEvent() sees cancelled == true, the server close is already - // complete, preventing use-after-free races. - Server *s = server.exchange(nullptr, std::memory_order_acq_rel); - if (s != nullptr) { - s->close(); - } Action::cancel(cont); + server->close(); + } + + Continuation * + operator=(Continuation *acont) + { + return Action::operator=(acont); } ~NetAcceptAction() override diff --git a/src/iocore/net/QUICNetProcessor.cc b/src/iocore/net/QUICNetProcessor.cc index d7f7012606..55592ef6f3 100644 --- a/src/iocore/net/QUICNetProcessor.cc +++ b/src/iocore/net/QUICNetProcessor.cc 
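Review bot: The restored `cancel()` in the `@@ -61,29 +60,21 @@` hunk runs `Action::cancel(cont)` before `server->close()`, so the cancelled flag is already visible when `server` is dereferenced. `acceptEvent()` in UnixNetAccept.cc does `delete this` when it sees `action_->cancelled`, and both processors set `server = &na->server`, a member of that NetAccept; the removed comment described this window as a use-after-free. The new `// TODO fix race between cancel accept and call back` does not say what can go wrong. Since this is a revert the ordering is presumably accepted for now, so I would spell the hazard out, e.g. `// TODO(#12803): cancel() sets cancelled before server->close(); acceptEvent() may delete the NetAccept owning *server in between`. The struct continues past the end of the hunk.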
@@ -251,7 +251,9 @@ QUICNetProcessor::main_accept(Continuation *cont, SOCKET fd, AcceptOptions const na->server.sock = UnixSocket{fd}; ats_ip_copy(&na->server.accept_addr, &accept_ip); - na->action_ = new NetAcceptAction(cont, &na->server); + na->action_ = new NetAcceptAction(); + *na->action_ = cont; + na->action_->server = &na->server; na->init_accept(); return na->action_.get(); diff --git a/src/iocore/net/UnixNetAccept.cc b/src/iocore/net/UnixNetAccept.cc index 4b69b8641f..cea9df7879 100644 --- a/src/iocore/net/UnixNetAccept.cc +++ b/src/iocore/net/UnixNetAccept.cc @@ -479,7 +479,6 @@ NetAccept::acceptEvent(int event, void *ep) MUTEX_TRY_LOCK(lock, m, e->ethread); if (lock.is_locked()) { if (action_->cancelled) { - // Server was already closed by whoever called cancel(). e->cancel(); Metrics::Gauge::decrement(net_rsb.accepts_currently_open); delete this; @@ -488,7 +487,6 @@ NetAccept::acceptEvent(int event, void *ep) int res; if ((res = net_accept(this, e, false)) < 0) { - action_->cancel(); Metrics::Gauge::decrement(net_rsb.accepts_currently_open); /* INKqa11179 */ Warning("Accept on port %d failed with error no %d", ats_ip_port_host_order(&server.addr), res); @@ -639,7 +637,7 @@ Ldone: return EVENT_CONT; Lerror: - action_->cancel(); + server.close(); e->cancel(); Metrics::Gauge::decrement(net_rsb.accepts_currently_open); delete this; @@ -658,7 +656,6 @@ NetAccept::acceptLoopEvent(int event, Event *e) } // Don't think this ever happens ... - action_->cancel(); Metrics::Gauge::decrement(net_rsb.accepts_currently_open); delete this; return EVENT_DONE; diff --git a/src/iocore/net/UnixNetProcessor.cc b/src/iocore/net/UnixNetProcessor.cc index 5c8d5111e1..15630281c5 100644 --- a/src/iocore/net/UnixNetProcessor.cc +++ b/src/iocore/net/UnixNetProcessor.cc 
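Review bot: In the `QUICNetProcessor::main_accept` hunk, `na->action_` is assigned before the action has a continuation or a `server`, so the object is reachable through `na` half-initialised for two statements, and `*na->action_ = cont;` is hard to read as "bind the continuation". Nothing visible here shows another thread reading `na->action_` before `init_accept()`, so this is a readability and robustness point, not a demonstrated bug. Filling in a local pointer first and assigning it to `na->action_` last, with a short comment such as `// Action::operator= binds cont to the action`, would make the intent clear. The same three-line pattern appears in the `UnixNetProcessor::accept_internal` hunk; `main_accept` continues outside this hunk.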
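Review bot: In UnixNetAccept.cc the teardown paths now differ in whether the listening socket is closed: `Lerror` calls `server.close()` before `delete this`, while the `net_accept(this, e, false) < 0` branch of `acceptEvent()` and the fall-through at the end of `acceptLoopEvent()` lose `action_->cancel()` and get nothing in its place. Unless the NetAccept destructor closes the socket (not visible here), those two paths would leave the descriptor open; adding `server.close();` ahead of the gauge decrement would make them match `Lerror`. None of these paths marks the action cancelled, so a caller that still holds the action and later calls `cancel()` would reach `server->close()` on a `Server` inside the deleted NetAccept. That inference assumes the action outlives the NetAccept, which its ref-counting suggests but these hunks do not show. All of the affected functions continue outside the hunks.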
@@ -133,7 +133,9 @@ UnixNetProcessor::accept_internal(Continuation *cont, int fd, AcceptOptions cons na->proxyPort = sa ? sa->proxyPort : nullptr; na->snpa = dynamic_cast<SSLNextProtocolAccept *>(cont); - na->action_ = new NetAcceptAction(cont, &na->server); + na->action_ = new NetAcceptAction(); + *na->action_ = cont; + na->action_->server = &na->server; if (opt.frequent_accept) { // true if (accept_threads > 0 && listen_per_thread == 0) {
