[core/collect] fix use after free during shutdown

Pass worker a collect cleanup (complete == FALSE) callback is called in;
other workers might be gone already.

Change-Id: Idbec63d1f0081ed2b588706b130c72ff1bd08c24

Author: stbuehler

include/lighttpd/collect.h

@@ -15,14 +15,16 @@
 typedef gpointer (*liCollectFuncCB)(liWorker *wrk, gpointer fdata);
 
 /** CollectCallback: the type of functions to call after a function was called in each workers context
+  *   - wrk: worker this callback is run in; if complete == TRUE this should be worker the job was started in.
   *   - cbdata: optional callback data
   *     depending on the data you should only use it when complete == TRUE
   *   - fdata : the data the CollectFunc got (this data must be valid until cb is called)
   *   - result: the return values
   *   - complete: determines if cbdata is still valid
   *     if this is FALSE, it may be called from another context than li_collect_start was called
+  *     (and the original worker may be already gone)
   */
-typedef void (*liCollectCB)(gpointer cbdata, gpointer fdata, GPtrArray *result, gboolean complete);
+typedef void (*liCollectCB)(liWorker *wrk, gpointer cbdata, gpointer fdata, GPtrArray *result, gboolean complete);
 
 typedef struct liCollectInfo liCollectInfo;
 

src/main/backends.c

@@ -787,8 +787,9 @@ static gpointer backend_pool_worker_init(liWorker *wrk, gpointer fdata) {
 	return NULL;
 }
 
-static void backend_pool_worker_init_done(gpointer cbdata, gpointer fdata, GPtrArray *result, gboolean complete) {
+static void backend_pool_worker_init_done(liWorker *wrk, gpointer cbdata, gpointer fdata, GPtrArray *result, gboolean complete) {
 	liBackendPool_p *pool = fdata;
+	UNUSED(wrk);
 	UNUSED(cbdata);
 	UNUSED(result);
 	UNUSED(complete);
@@ -861,7 +862,7 @@ static gpointer backend_pool_worker_shutdown(liWorker *wrk, gpointer fdata) {
 	return NULL;
 }
 
-static void backend_pool_worker_shutdown_done(gpointer cbdata, gpointer fdata, GPtrArray *result, gboolean complete) {
+static void backend_pool_worker_shutdown_done(liWorker *wrk, gpointer cbdata, gpointer fdata, GPtrArray *result, gboolean complete) {
 	liBackendPool_p *pool = fdata;
 	UNUSED(cbdata);
 	UNUSED(result);
@@ -870,8 +871,7 @@ static void backend_pool_worker_shutdown_done(gpointer cbdata, gpointer fdata, G
 	pool->public.config->callbacks->free_cb(&pool->public);
 
 	if (pool->worker_pools != NULL) {
-		liServer *srv = pool->worker_pools[0].wrk->srv;
-		g_slice_free1(sizeof(liBackendPool_p) * srv->worker_count, pool->worker_pools);
+		g_slice_free1(sizeof(liBackendPool_p) * wrk->srv->worker_count, pool->worker_pools);
 	}
 
 	g_mutex_free(pool->lock);
@@ -902,7 +902,7 @@ void li_backend_pool_free(liBackendPool *bpool) {
 	g_mutex_unlock(pool->lock);
 
 	if (pool->worker_pools == NULL) {
-		backend_pool_worker_shutdown_done(NULL, pool, NULL, TRUE);
+		backend_pool_worker_shutdown_done(NULL, NULL, pool, NULL, TRUE);
 	} else {
 		liServer *srv = pool->worker_pools[0].wrk->srv;
 

src/main/collect.c

@@ -45,7 +45,7 @@ static void collect_info_free(liCollectInfo *ci) {
 static gboolean collect_insert_callback(liWorker *ctx, liCollectInfo *ci) {
 	if (ctx == ci->wrk) {
 		/* we are in the destination context */
-		ci->cb(ci->cbdata, ci->fdata, ci->results, !ci->stopped);
+		ci->cb(ctx, ci->cbdata, ci->fdata, ci->results, !ci->stopped);
 		collect_info_free(ci);
 		return TRUE;
 	} else {
@@ -64,7 +64,7 @@ static gboolean collect_send_result(liWorker *ctx, liCollectInfo *ci) {
 	if (!g_atomic_int_dec_and_test(&ci->counter)) return FALSE; /* not all workers done yet */
 	if (g_atomic_int_get(&ctx->srv->exiting)) {
 		/* cleanup state, just call the callback with complete = FALSE */
-		ci->cb(ci->cbdata, ci->fdata, ci->results, FALSE);
+		ci->cb(ctx, ci->cbdata, ci->fdata, ci->results, FALSE);
 		collect_info_free(ci);
 		return TRUE;
 	} else {
@@ -124,7 +124,7 @@ void li_collect_watcher_cb(liEventBase *watcher, int events) {
 			collect_send_result(wrk, ci);
 			break;
 		case COLLECT_CB:
-			ci->cb(ci->cbdata, ci->fdata, ci->results, !ci->stopped);
+			ci->cb(wrk, ci->cbdata, ci->fdata, ci->results, !ci->stopped);
 			collect_info_free(ci);
 			break;
 		}

src/modules/mod_debug.c

@@ -170,11 +170,12 @@ static gpointer debug_collect_func(liWorker *wrk, gpointer fdata) {
 }
 
 /* the CollectCallback */
-static void debug_collect_cb(gpointer cbdata, gpointer fdata, GPtrArray *result, gboolean complete) {
+static void debug_collect_cb(liWorker *wrk, gpointer cbdata, gpointer fdata, GPtrArray *result, gboolean complete) {
 	mod_debug_job_t *job = cbdata;
 	liVRequest *vr;
 	GString *html;
 
+	UNUSED(wrk);
 	UNUSED(fdata);
 
 	if (!complete) {
@@ -486,9 +487,11 @@ static gpointer debug_show_events_func(liWorker *wrk, gpointer fdata) {
 }
 
 /* the CollectCallback */
-static void debug_show_events_cb(gpointer cbdata, gpointer fdata, GPtrArray *result, gboolean complete) {
+static void debug_show_events_cb(liWorker *wrk, gpointer cbdata, gpointer fdata, GPtrArray *result, gboolean complete) {
 	collect_events_job *job = fdata;
 	liVRequest *vr;
+
+	UNUSED(wrk);
 	UNUSED(cbdata);
 
 	if (complete) {

src/modules/mod_progress.c

@@ -192,7 +192,7 @@ static gpointer progress_collect_func(liWorker *wrk, gpointer fdata) {
 }
 
 /* the CollectCallback */
-static void progress_collect_cb(gpointer cbdata, gpointer fdata, GPtrArray *result, gboolean complete) {
+static void progress_collect_cb(liWorker *wrk, gpointer cbdata, gpointer fdata, GPtrArray *result, gboolean complete) {
 	guint i;
 	GString *output;
 	mod_progress_node *node = NULL;
@@ -201,6 +201,7 @@ static void progress_collect_cb(gpointer cbdata, gpointer fdata, GPtrArray *resu
 	gboolean debug = job->debug;
 	mod_progress_format format = job->format;
 
+	UNUSED(wrk);
 	UNUSED(cbdata);
 
 	if (complete) {

src/modules/mod_status.c

@@ -414,13 +414,14 @@ static gpointer status_collect_func(liWorker *wrk, gpointer fdata) {
 }
 
 /* the CollectCallback */
-static void status_collect_cb(gpointer cbdata, gpointer fdata, GPtrArray *result, gboolean complete) {
+static void status_collect_cb(liWorker *wrk, gpointer cbdata, gpointer fdata, GPtrArray *result, gboolean complete) {
 	guint i, j;
 	mod_status_job *job = fdata;
 	liVRequest *vr = job->vr;
 	liPlugin *p = job->p;
 	gboolean short_info = job->short_info;
 
+	UNUSED(wrk);
 	UNUSED(cbdata);
 
 	if (!complete) {