From: Aurelien DARRAGON
Date: Sat, 26 Jul 2025 09:28:19 +0000 (+0200)
Subject: BUG/MEDIUM: queue/stats: also use stream_set_srv_target() for pendconns
X-Git-Tag: v3.3-dev5~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=021a0681bea3c9c75e4c015eeda7e8c852fe7aef;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: queue/stats: also use stream_set_srv_target() for pendconns

Following c24de07 ("OPTIM: stats: store fast sharded counters pointers
at session and stream level") some crashes were observed in
connect_server():

  #0 0x00000000007ba39c in connect_server (s=0x65117b0) at src/backend.c:2101
  2101 _HA_ATOMIC_INC(&s->sv_tgcounters->connect);
  Missing separate debuginfos, use: debuginfo-install glibc-2.17-325.el7_9.x86_64 libgcc-4.8.5-44.el7.x86_64 nss-softokn-freebl-3.67.0-3.el7_9.x86_64 pcre-8.32-17.el7.x86_64
  (gdb) bt
  #0 0x00000000007ba39c in connect_server (s=0x65117b0) at src/backend.c:2101
  #1 0x00000000007baff8 in back_try_conn_req (s=0x65117b0) at src/backend.c:2378
  #2 0x00000000006c0e9f in process_stream (t=0x650f180, context=0x65117b0, state=8196) at src/stream.c:2366
  #3 0x0000000000bd3e51 in run_tasks_from_lists (budgets=0x7ffd592752e0) at src/task.c:655
  #4 0x0000000000bd49ef in process_runnable_tasks () at src/task.c:889
  #5 0x0000000000851169 in run_poll_loop () at src/haproxy.c:2834
  #6 0x0000000000851865 in run_thread_poll_loop (data=0x1a03580 ) at src/haproxy.c:3050
  #7 0x0000000000852a53 in main (argc=7, argv=0x7ffd592755f8) at src/haproxy.c:3637

Here the crash occurs during the atomic inc of a sv_tgcounters metric from
the stream pointer, which tells us the pointer is likely garbage.

In fact, we assign s->sv_tgcounters each time the stream target is set to
a valid server. For that we use the stream_set_srv_target() helper, which
does the assignment for us.

By reviewing the code, it turns out we forgot to call
stream_set_srv_target() in pendconn_dequeue(), where the stream target
is set to the server who picked the pendconn.

Let's fix the bug by using stream_set_srv_target() there. No backport needed unless c24de07 is. --- diff --git a/src/queue.c b/src/queue.c index 7f06ac905..28a2e2dfe 100644 --- a/src/queue.c +++ b/src/queue.c @@ -747,7 +747,7 @@ int pendconn_dequeue(struct stream *strm) if (p->target) { /* a server picked this pendconn, it must skip LB */ - strm->target = &p->target->obj_type; + stream_set_srv_target(strm, p->target); strm->flags |= SF_ASSIGNED; }
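
Review bot: In pendconn_dequeue(), the "if (p->target)" branch now calls stream_set_srv_target(), but the change fixes only this one site, and nothing visible here prevents a later direct write such as "strm->target = &p->target->obj_type;" from leaving s->sv_tgcounters unset again. Consider extending the "it must skip LB" comment to say that the helper is required because it also assigns sv_tgcounters, and adding a debug check ahead of "_HA_ATOMIC_INC(&s->sv_tgcounters->connect);" in connect_server() so that a missed call site fails at a known point rather than on a garbage pointer. The commit message would also be more useful if it said whether the other places that point strm->target at a server were checked.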