BUG/MEDIUM: quic: always remove the connection from the accept list on close

Fred managed to reproduce a crash showing a corrupted accept_list when
firing thousands of concurrent picoquicdemo clients to a same instance.
It may happen if the connection was placed into the accept_list and
immediately closed before being processed (e.g. on error or t/o ?).

In any case the quic_conn_release() function should always detach a
connection to be deleted from any list, like it does for other lists,
so let's add an MT_LIST_DELETE() here.

This should be backported to 2.6.

diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 87396ea15b68b943e8992b74dc248136de836fbf..a971698378560f93fb4e3efefa45b67065657732 100644 (file)
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -4084,6 +4084,11 @@ static void quic_conn_release(struct quic_conn *qc)
        /* We must not free the quic-conn if the MUX is still allocated. */
        BUG_ON(qc->mux_state == QC_MUX_READY);
 
+       /* in the unlikely (but possible) case the connection was just added to
+        * the accept_list we must delete it from there.
+        */
+       MT_LIST_DELETE(&qc->accept_list);
+
        /* free remaining stream descriptors */
        node = eb64_first(&qc->streams_by_id);
        while (node) {