Over their lifetime, connections are attached to different list. These
lists depends on whether connection is on frontend or backend side.
Attach point members are stored via a union in struct connection. The
next commit reorganizes them so that a proper frontend/backend
separation is performed :
commit
a96f1286a75246fef6db3e615fabdef1de927d83
BUG/MINOR: connection: rearrange union list members
On conn_free(), connection instance must be removed from these lists to
ensure there is no use-after-free case. However code was still shaky
there, despite no real issue. Indeed, <toremove_list> was detached for
all connections, despite being only used on backend side only.
This patch streamlines the freeing of connection. Now, <toremove_list>
detach is performed in conn_backend_deinit(). Moreover, a new helper
conn_frontend_deinit() is defined. It ensures that <stopping_list>
detach is done. Prior it was performed individually by muxes.
Note that a similar procedure is performed when the connection is
reversed. Hence, conn_frontend_deinit() is now used here as well,
rendering reversal from FE to BE or vice versa symmetrical.
As mentionned above, no crash occured prior to this patch, but the code
was fragile, in particular access to <toremove_list> for frontend
connections. Thus this patch is considered as a bug fix worthy of a
backport along with above mentionned patch, currently up to 3.0.
(cherry picked from commit
687df405fe6c1bd95fdebba03f3491c26f82692d)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit
1636d094b23fe56b5dd672d46e6de32aeb7efe6f)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit
55c056cdd8d4d3ef9b0e400a3f0b6c4a823c815b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
pool_free(pool_head_conn_hash_node, conn->hash_node);
conn->hash_node = NULL;
+ /* Remove from BE purge list. Necessary if conn already scheduled for
+ * purge but finally freed before by another code path.
+ */
+ MT_LIST_DELETE(&conn->toremove_list);
+}
+
+/* Ensure <conn> frontend connection is removed from its lists. This must be
+ * performed before freeing or reversing a connection.
+ */
+static void conn_frontend_deinit(struct connection *conn)
+{
+ LIST_DEL_INIT(&conn->stopping_list);
}
/* Tries to allocate a new connection and initialized its main fields. The
if (conn_is_back(conn))
conn_backend_deinit(conn);
-
- /* Remove the conn from toremove_list.
- *
- * This is needed to prevent a double-free in case the connection was
- * already scheduled from cleaning but is freed before via another
- * call.
- */
- MT_LIST_DELETE(&conn->toremove_list);
+ else
+ conn_frontend_deinit(conn);
sockaddr_free(&conn->src);
sockaddr_free(&conn->dst);
struct server *srv = objt_server(conn->reverse.target);
BUG_ON(!srv);
- LIST_DEL_INIT(&conn->stopping_list);
+ conn_frontend_deinit(conn);
if (conn_backend_init(conn))
return 1;
pool_free(pool_head_h1c, h1c);
if (conn) {
- if (!conn_is_back(conn))
- LIST_DEL_INIT(&conn->stopping_list);
-
conn->mux = NULL;
conn->ctx = NULL;
TRACE_DEVEL("freeing conn", H1_EV_H1C_END, conn);
pool_free(pool_head_h2c, h2c);
if (conn) {
- if (!conn_is_back(conn))
- LIST_DEL_INIT(&conn->stopping_list);
-
conn->mux = NULL;
conn->ctx = NULL;
TRACE_DEVEL("freeing conn", H2_EV_H2C_END, conn);
pool_free(pool_head_qcc, qcc);
if (conn) {
- LIST_DEL_INIT(&conn->stopping_list);
-
conn->mux = NULL;
conn->ctx = NULL;
projects / haproxy-3.0.git / commitdiff