[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 62658] New: Child process crashes with segfault signal during graceful


https://bz.apache.org/bugzilla/show_bug.cgi?id=62658

            Bug ID: 62658
           Summary: Child process crashes with segfault signal during
                    graceful
           Product: Apache httpd-2
           Version: 2.4.34
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mpm_event
          Assignee: bugs@xxxxxxxxxxxxxxxx
          Reporter: jurcpdo@xxxxxxxxx
  Target Milestone: ---

Created attachment 36113
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36113&action=edit
Fix httpd child process crash with segfault signal

When two or more graceful reloads are requested in a small period of time, the
child process that was under initialization crashes with segmentation fault.

    # httpd -k graceful && httpd -k graceful
gdb backtrace:

    #0  impl_pollset_remove (pollset=0xb8e0ba78, descriptor=0x0) at
poll/unix/epoll.c:214
    #1  0xb742e479 in apr_pollset_remove (pollset=0xb8e0ba78, descriptor=0x0)
        at poll/unix/pollset.c:343
    #2  0xb6ebf7f0 in disable_listensocks () at event.c:470
    #3  0xb6ebf841 in wakeup_listener () at event.c:578
    #4  0xb6ebfc32 in signal_threads (mode=1) at event.c:627
    #5  0xb6ec2e4f in child_main (child_num_arg=2, child_bucket=<optimized
out>) at event.c:2581
    #6  0xb6ec378f in make_child (s=0xb8dcbe28, slot=2, bucket=0) at
event.c:2665
    #7  0xb6ec428c in perform_idle_server_maintenance (num_buckets=<optimized
out>, 
        child_bucket=<optimized out>) at event.c:2848
    #8  server_main_loop (num_buckets=1, remaining_children_to_start=0) at
event.c:2976
    #9  event_run (_pconf=0xb8da70a8, plog=0xb8dcd9a0, s=0xb8dcbe28) at
event.c:3053
    #10 0xb76dbb47 in ap_run_mpm (pconf=0xb8da70a8, plog=0xb8dcd9a0,
s=0xb8dcbe28)
        at mpm_common.c:96
    #11 0xb76d4607 in main (argc=1, argv=0xbf9e5824) at main.c:819


Error log:

[Fri Aug 24 13:22:50.695032 2018] [mpm_event:notice] [pid 5852:tid 3071530752]
AH00489: Apache/2.4.34 (Unix) OpenSSL/1.0.2p configured -- resuming normal
operations
[Fri Aug 24 13:22:50.695045 2018] [core:notice] [pid 5852:tid 3071530752]
AH00094: Command line: '/usr/sbin/httpd'
[Fri Aug 24 13:22:50.695752 2018] [core:notice] [pid 5852:tid 3071530752]
AH00051: child pid 6502 exit signal Segmentation fault (11), possible coredump
in /CORE
[Fri Aug 24 13:22:50.695767 2018] [core:error] [pid 5852:tid 3071530752]
AH00546: no record of generation 2 of exiting child 6502


Apparently, the method disable_listensocks() runs before init_pollset(), so
listener_pollfd will still be unallocated, hence the segfault. It happens only
for the child that was being created when the second graceful reload was
issued.

It might not be so easily reproducible. From several almost identical systems,
only some showed this behaviour.

My suggestion, as the patch attached shows, is to check if the file descriptor
is valid before running apr_pollset_remove(). This does not seem to disrupt the
rest of the flow.

In my tests with the patch, the affected process then continues and eventually
runs init_pollset() then disable_listensocks() and finishes.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: bugs-help@xxxxxxxxxxxxxxxx