[PR] Fix NetAcceptAction::cancel() use-after-free race condition [trafficserver]

Mon, 12 Jan 2026 14:20:30 -0800 


bneradt opened a new pull request, #12803:
URL: https://github.com/apache/trafficserver/pull/12803

   Fix a race condition between NetAcceptAction::cancel() and 
NetAccept::acceptEvent() where the server pointer could be dereferenced after 
the NetAccept object was deleted.
   
   The race occurred as follows:
   1. Thread T4 calls NetAcceptAction::cancel(), sets cancelled=true
   2. Thread T3 running acceptEvent() sees cancelled==true
   3. Thread T3 deletes the NetAccept (including embedded Server)
   4. Thread T4 tries to call server->close() on freed memory
   
   The fix uses std::atomic<Server*> with atomic exchange to ensure only one 
thread can successfully obtain and use the server pointer. Both cancel() and 
the cleanup paths before delete this atomically exchange the pointer with 
nullptr - whichever succeeds first closes the server, the other becomes a no-op.
   
   This addresses the TODO comment that was in the code: "// TODO fix race 
between cancel accept and call back"
   
   ASAN report this fixes (seen intermittently on rocky CI builds):
   
   ```
   ==8850==ERROR: AddressSanitizer: heap-use-after-free on address 
0x616000028cb4 at pc 0x000001346739 bp 0x7fa40fd2f580 sp 0x7fa40fd2f570 WRITE 
of size 4 at 0x616000028cb4 thread T4 ([ET_NET 2])
       #0 0x1346738 in UnixSocket::close() 
../src/iocore/eventsystem/UnixSocket.cc:138
       #1 0x12b44ed in Server::close() ../src/iocore/net/Server.cc:88
       #2 0x121fb95 in NetAcceptAction::cancel(Continuation*) 
../src/iocore/net/P_NetAccept.h:71
       #3 0x7fa41686d082 in TSActionCancel(tsapi_action*) 
../src/api/InkAPI.cc:5828
       ...
   
   0x616000028cb4 is located 308 bytes inside of 576-byte region 
[0x616000028b80,0x616000028dc0) freed by thread T3 ([ET_NET 1]) here:
       #0 0x7fa416d2036f in operator delete(void*, unsigned long)
       #1 0x12593c4 in NetAccept::~NetAccept() 
../src/iocore/net/P_NetAccept.h:128
       #2 0x12bebf0 in NetAccept::acceptEvent(int, void*) 
../src/iocore/net/UnixNetAccept.cc:484
       ...
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to