From: Amaury Denoyelle
Date: Tue, 25 Oct 2022 09:38:21 +0000 (+0200)
Subject: BUG/MINOR: quic: fix race condition on datagram purging
X-Git-Tag: v2.7-dev9~125
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0b13e9407173c340d0b8d63c73ff07fdde5e889c;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: fix race condition on datagram purging

Each datagram is received by a random thread and dispatched to its
destination thread linked to the connection. Then, the datagram is
handled by the connection thread. Once this is done, datagram buffer
pointer is atomically set to NULL to mark it as consumed.

Consumed datagrams are purged before recvfrom() invocation on random
receiver threads. The check for NULL buffer must thus be done
atomically. This was not the case before this patch, which may have
triggered race conditions.

This bug has been introduced by commit
  91b2305ad79bb7086840797b6e98bd791992444f
  MINOR: quic: implement datagram cleanup for quic_receiver_buf

This should be backported up to 2.6 after the previously mentioned commit.
---
diff --git a/src/quic_sock.c b/src/quic_sock.c index 03cb963772..52632fee07 100644 --- a/src/quic_sock.c +++ b/src/quic_sock.c @@ -223,7 +223,7 @@ static struct quic_dgram *quic_rxbuf_purge_dgrams(struct quic_receiver_buf *buf) cur = LIST_ELEM(buf->dgram_list.n, struct quic_dgram *, recv_list); /* Loop until a not yet consumed datagram is found. */ - if (cur->buf) + if (HA_ATOMIC_LOAD(&cur->buf)) break; /* Clear buffer of current unused datagram. */
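
Review bot: The comment above the changed test in quic_rxbuf_purge_dgrams() still reads "Loop until a not yet consumed datagram is found." and gives no hint of why the read of cur->buf has to be atomic. Suggest extending it to say that the connection thread sets cur->buf to NULL atomically once the datagram is consumed, so that this load pairs with that store and is not turned back into a plain read later. The hunk shows only this one site; it is worth confirming that the code after "Clear buffer of current unused datagram." contains no other plain read of cur->buf.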