This is an automated email from the ASF dual-hosted git repository.
bneradt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 074671f211 Revert "Fix NetAcceptAction::cancel() use-after-free race
condition (#12803)" (#12841)
074671f211 is described below
commit 074671f211cf1de829edd678cb637b96e03e26ac
Author: Brian Neradt <[email protected]>
AuthorDate: Thu Jan 29 17:53:46 2026 -0600
Revert "Fix NetAcceptAction::cancel() use-after-free race condition
(#12803)" (#12841)
This reverts commit 89a5deffa0736302040754a4e2e5cfb73c6bd304.
I suspect this is introducing different crashes in NetAccept::cancel in CI
regression tests.
---
src/iocore/net/P_NetAccept.h | 27 +++++++++------------------
src/iocore/net/QUICNetProcessor.cc | 4 +++-
src/iocore/net/UnixNetAccept.cc | 5 +----
src/iocore/net/UnixNetProcessor.cc | 4 +++-
4 files changed, 16 insertions(+), 24 deletions(-)
diff --git a/src/iocore/net/P_NetAccept.h b/src/iocore/net/P_NetAccept.h
index 22a2dd5bca..163d5578d5 100644
--- a/src/iocore/net/P_NetAccept.h
+++ b/src/iocore/net/P_NetAccept.h
@@ -43,7 +43,6 @@
#include "iocore/net/NetAcceptEventIO.h"
#include "Server.h"
-#include <atomic>
#include <vector>
struct NetAccept;
@@ -61,29 +60,21 @@ AcceptFunction net_accept;
class UnixNetVConnection;
+// TODO fix race between cancel accept and call back
struct NetAcceptAction : public Action, public RefCountObjInHeap {
- std::atomic<Server *> server{nullptr};
-
- NetAcceptAction(Continuation *cont, Server *s)
- {
- continuation = cont;
- if (cont != nullptr) {
- mutex = cont->mutex;
- }
- server.store(s, std::memory_order_release);
- }
+ Server *server;
void
cancel(Continuation *cont = nullptr) override
{
- // Close the server before setting the cancelled flag. This ensures that
- // when acceptEvent() sees cancelled == true, the server close is already
- // complete, preventing use-after-free races.
- Server *s = server.exchange(nullptr, std::memory_order_acq_rel);
- if (s != nullptr) {
- s->close();
- }
Action::cancel(cont);
+ server->close();
+ }
+
+ Continuation *
+ operator=(Continuation *acont)
+ {
+ return Action::operator=(acont);
}
~NetAcceptAction() override
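Review bot: `Server *server;` is restored without an initializer and `cancel()` dereferences it unconditionally, so an action cancelled before a call site assigns `server` reads an indeterminate pointer. Both call sites now use `new NetAcceptAction()` followed by separate assignments, so `Server *server = nullptr;` plus `if (server != nullptr) { server->close(); }` would make that state well defined. The restored order also sets `cancelled` through `Action::cancel(cont)` before `server->close()`, and `server` points into the `NetAccept` that `acceptEvent()` deletes once it sees `cancelled`, so the close can presumably touch freed memory unless a lock outside this hunk serialises the two. Since the revert is deliberate, the TODO should at least name that window, e.g. `// TODO: cancelled is set before server->close(); acceptEvent() may delete the owning NetAccept in between`. The struct continues past the end of the hunk.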
diff --git a/src/iocore/net/QUICNetProcessor.cc
b/src/iocore/net/QUICNetProcessor.cc
index d7f7012606..55592ef6f3 100644
--- a/src/iocore/net/QUICNetProcessor.cc
+++ b/src/iocore/net/QUICNetProcessor.cc
@@ -251,7 +251,9 @@ QUICNetProcessor::main_accept(Continuation *cont, SOCKET
fd, AcceptOptions const
na->server.sock = UnixSocket{fd};
ats_ip_copy(&na->server.accept_addr, &accept_ip);
- na->action_ = new NetAcceptAction(cont, &na->server);
+ na->action_ = new NetAcceptAction();
+ *na->action_ = cont;
+ na->action_->server = &na->server;
na->init_accept();
return na->action_.get();
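Review bot: `*na->action_ = cont;` hides the continuation hand-off behind `NetAcceptAction::operator=`, and the action exists for two statements with `server` unset. A short comment such as `// operator= forwards to Action::operator=(cont); server must be set before init_accept()` would make the required ordering explicit and discourage anyone from inserting code between the three statements. The same sequence appears in the `UnixNetProcessor::accept_internal` hunk. `main_accept` starts and ends outside this hunk.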
diff --git a/src/iocore/net/UnixNetAccept.cc b/src/iocore/net/UnixNetAccept.cc
index 4b69b8641f..cea9df7879 100644
--- a/src/iocore/net/UnixNetAccept.cc
+++ b/src/iocore/net/UnixNetAccept.cc
@@ -479,7 +479,6 @@ NetAccept::acceptEvent(int event, void *ep)
MUTEX_TRY_LOCK(lock, m, e->ethread);
if (lock.is_locked()) {
if (action_->cancelled) {
- // Server was already closed by whoever called cancel().
e->cancel();
Metrics::Gauge::decrement(net_rsb.accepts_currently_open);
delete this;
@@ -488,7 +487,6 @@ NetAccept::acceptEvent(int event, void *ep)
int res;
if ((res = net_accept(this, e, false)) < 0) {
- action_->cancel();
Metrics::Gauge::decrement(net_rsb.accepts_currently_open);
/* INKqa11179 */
Warning("Accept on port %d failed with error no %d",
ats_ip_port_host_order(&server.addr), res);
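Review bot: With `action_->cancel()` removed from the `net_accept(...) < 0` branch, no visible line on this path closes the listening socket, whereas the `Lerror:` hunk replaces the same call with an explicit `server.close()`. If the close is expected to happen when the object is destroyed, a comment saying so would help, e.g. `// listening socket is closed when this NetAccept is destroyed` (to be confirmed against the Server definition, which is not shown). Otherwise `server.close();` belongs here as well, so the descriptor is not left open after a failed accept. The same applies to the `acceptLoopEvent` hunk, and the rest of this branch lies outside the hunk.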
@@ -639,7 +637,7 @@ Ldone:
return EVENT_CONT;
Lerror:
- action_->cancel();
+ server.close();
e->cancel();
Metrics::Gauge::decrement(net_rsb.accepts_currently_open);
delete this;
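Review bot: The `Lerror:` path now closes the socket and deletes the `NetAccept` without marking `action_` cancelled or clearing `action_->server`, which both call sites set to `&na->server`. If the caller still holds the `Action *` returned from the accept call and later invokes `cancel()`, `server->close()` would dereference memory freed by `delete this`, unless the destructor (not shown) detaches the action. Clearing the pointer before deletion, `action_->server = nullptr;`, together with a null check in `cancel()`, would close that gap. The `acceptLoopEvent` hunk has the same `delete this` without detaching, and the enclosing function extends beyond this hunk.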
@@ -658,7 +656,6 @@ NetAccept::acceptLoopEvent(int event, Event *e)
}
// Don't think this ever happens ...
- action_->cancel();
Metrics::Gauge::decrement(net_rsb.accepts_currently_open);
delete this;
return EVENT_DONE;
diff --git a/src/iocore/net/UnixNetProcessor.cc
b/src/iocore/net/UnixNetProcessor.cc
index 5c8d5111e1..15630281c5 100644
--- a/src/iocore/net/UnixNetProcessor.cc
+++ b/src/iocore/net/UnixNetProcessor.cc
@@ -133,7 +133,9 @@ UnixNetProcessor::accept_internal(Continuation *cont, int
fd, AcceptOptions cons
na->proxyPort = sa ? sa->proxyPort : nullptr;
na->snpa = dynamic_cast<SSLNextProtocolAccept *>(cont);
- na->action_ = new NetAcceptAction(cont, &na->server);
+ na->action_ = new NetAcceptAction();
+ *na->action_ = cont;
+ na->action_->server = &na->server;
if (opt.frequent_accept) { // true
if (accept_threads > 0 && listen_per_thread == 0) {