BUG/MINOR: connection: streamline conn detach from lists

Over their lifetime, connections are attached to different list. These
lists depends on whether connection is on frontend or backend side.
Attach point members are stored via a union in struct connection. The
next commit reorganizes them so that a proper frontend/backend
separation is performed :

  commit a96f1286a75246fef6db3e615fabdef1de927d83
  BUG/MINOR: connection: rearrange union list members

On conn_free(), connection instance must be removed from these lists to
ensure there is no use-after-free case. However code was still shaky
there, despite no real issue. Indeed, <toremove_list> was detached for
all connections, despite being only used on backend side only.

This patch streamlines the freeing of connection. Now, <toremove_list>
detach is performed in conn_backend_deinit(). Moreover, a new helper
conn_frontend_deinit() is defined. It ensures that <stopping_list>
detach is done. Prior it was performed individually by muxes.

Note that a similar procedure is performed when the connection is
reversed. Hence, conn_frontend_deinit() is now used here as well,
rendering reversal from FE to BE or vice versa symmetrical.

As mentionned above, no crash occured prior to this patch, but the code
was fragile, in particular access to <toremove_list> for frontend
connections. Thus this patch is considered as a bug fix worthy of a
backport along with above mentionned patch, currently up to 3.0.

diff --git a/src/connection.c b/src/connection.c
index 15fac3126a18addcda3d4ee6d1cf1801b81abaf1..8acf04c9dd4a089dc1514eafd1bc1fb2c162edf9 100644 (file)
--- a/src/connection.c
+++ b/src/connection.c
@@ -555,6 +555,18 @@ static void conn_backend_deinit(struct connection *conn)
        pool_free(pool_head_conn_hash_node, conn->hash_node);
        conn->hash_node = NULL;
 
+       /* Remove from BE purge list. Necessary if conn already scheduled for
+        * purge but finally freed before by another code path.
+        */
+       MT_LIST_DELETE(&conn->toremove_list);
+}
+
+/* Ensure <conn> frontend connection is removed from its lists. This must be
+ * performed before freeing or reversing a connection.
+ */
+static void conn_frontend_deinit(struct connection *conn)
+{
+       LIST_DEL_INIT(&conn->stopping_list);
 }
 
 /* Tries to allocate a new connection and initialized its main fields. The
@@ -594,14 +606,8 @@ void conn_free(struct connection *conn)
 
        if (conn_is_back(conn))
                conn_backend_deinit(conn);
-
-       /* Remove the conn from toremove_list.
-        *
-        * This is needed to prevent a double-free in case the connection was
-        * already scheduled from cleaning but is freed before via another
-        * call.
-        */
-       MT_LIST_DELETE(&conn->toremove_list);
+       else
+               conn_frontend_deinit(conn);
 
        sockaddr_free(&conn->src);
        sockaddr_free(&conn->dst);
@@ -2961,7 +2967,7 @@ int conn_reverse(struct connection *conn)
                struct server *srv = objt_server(conn->reverse.target);
                BUG_ON(!srv);
 
-               LIST_DEL_INIT(&conn->stopping_list);
+               conn_frontend_deinit(conn);
 
                if (conn_backend_init(conn))
                        return 1;

diff --git a/src/mux_h1.c b/src/mux_h1.c
index 86de1149c91ca7d3dfbed8c827e1529dcebbf530..defcada213764958bec3c9e26bf269caae2e39f6 100644 (file)
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -1412,9 +1412,6 @@ static void h1_release(struct h1c *h1c)
        pool_free(pool_head_h1c, h1c);
 
        if (conn) {
-               if (!conn_is_back(conn))
-                       LIST_DEL_INIT(&conn->stopping_list);
-
                conn->mux = NULL;
                conn->ctx = NULL;
                TRACE_DEVEL("freeing conn", H1_EV_H1C_END, conn);

diff --git a/src/mux_h2.c b/src/mux_h2.c
index fe68a4cdfe0588c65f6a734d2c91268f44eca57e..d656e43bc0b2a707bd96d94d39fbb3d659c0db90 100644 (file)
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -1516,9 +1516,6 @@ static void h2_release(struct h2c *h2c)
        pool_free(pool_head_h2c, h2c);
 
        if (conn) {
-               if (!conn_is_back(conn))
-                       LIST_DEL_INIT(&conn->stopping_list);
-
                conn->mux = NULL;
                conn->ctx = NULL;
                TRACE_DEVEL("freeing conn", H2_EV_H2C_END, conn);

diff --git a/src/mux_quic.c b/src/mux_quic.c
index 21f082770aecf27e679773007b807a2b575e3ed4..1dd01534b6f7047e1d5db65dee63c1cb3a1bace4 100644 (file)
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -3360,8 +3360,6 @@ static void qcc_release(struct qcc *qcc)
        pool_free(pool_head_qcc, qcc);
 
        if (conn) {
-               LIST_DEL_INIT(&conn->stopping_list);
-
                conn->mux = NULL;
                conn->ctx = NULL;