BUG/MEDIUM: h2: Make sure we set send_list to NULL in h2_detach().

In h2_detach(), if we still have a send_wait pointer, because we woke the
tasklet up, but it hasn't run yet, explicitly set send_wait to NULL after
we removed the tasklet from the task list.
Failure to do so may lead to crashes if the h2s isn't immediately destroyed,
because we considered there was still something to send.

This should be backported to 1.9.
diff --git a/src/mux_h2.c b/src/mux_h2.c
index 6105f1b..6a8a762 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -3052,6 +3052,19 @@
h2s->send_wait != &h2s->wait_event) {
task_remove_from_tasklet_list((struct task *)h2s->send_wait->task);
LIST_DEL_INIT(&h2s->sending_list);
+ /*
+ * At this point, the stream_interface is supposed to have called
+ * h2_unsubscribe(), so the only way there's still a
+ * subscription that came from the stream_interface (as we
+ * can subscribe ourself, in h2_do_shutw() and h2_do_shutr(),
+ * without the stream_interface involved) is that we subscribed
+ * for sending, we woke the tasklet up and removed the
+ * SUB_RETRY_SEND flag, so the stream_interface would not
+ * know it has to unsubscribe for send, but the tasklet hasn't
+ * run yet. Make sure to handle that by explicitely setting
+ * send_wait to NULL, as nothing else will do it for us.
+ */
+ h2s->send_wait = NULL;
}
sess = h2s->sess;
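Review bot: the commit subject says send_list is set to NULL, but the statement added at the end of this branch is h2s->send_wait = NULL, and the list itself is already handled by the existing LIST_DEL_INIT(&h2s->sending_list). The subject should name send_wait so that anyone scanning the log for the 1.9 backport finds the right field. The reset also runs only inside the branch whose condition includes h2s->send_wait != &h2s->wait_event, so the new comment would be clearer if it stated that the self-subscription case it mentions (h2_do_shutw() and h2_do_shutr(), where send_wait points at wait_event) is deliberately left untouched. Minor: "explicitely" in the comment should read "explicitly".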