From: Christopher Faulet Date: Fri, 10 Nov 2023 16:04:23 +0000 (+0100) Subject: BUG/MEDIUM: applet: Remove appctx from buffer wait list on release X-Git-Tag: v2.9-dev10~100 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ebf90ca550a711b8b5f2620c83f51b4461839cd2;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: applet: Remove appctx from buffer wait list on release For now, the appctx is removed from the buffer wait list when it is freed. However, when it is released, it is not necessarily freed immediately. But it is detached from the SC. If it is still registered in the buffer wait list, it could then be woken up to get a buffer. At this stage it is totally unexpected, especially because we must access the SC. The fix is obvious, the appctx must be removed from the buffer wait list on release. Note this bug exists because the appctx was moved at the mux level. This patch must be backported as far as 2.6. --- diff --git a/src/applet.c b/src/applet.c index 674cf8349b..93178ec14a 100644 --- a/src/applet.c +++ b/src/applet.c @@ -360,6 +360,9 @@ void appctx_shut(struct appctx *appctx) if (appctx->applet->release) appctx->applet->release(appctx); + if (LIST_INLIST(&appctx->buffer_wait.list)) + LIST_DEL_INIT(&appctx->buffer_wait.list); + se_fl_set(appctx->sedesc, SE_FL_SHRR | SE_FL_SHWN); TRACE_LEAVE(APPLET_EV_RELEASE, appctx); }
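Review bot: The added `LIST_INLIST()` / `LIST_DEL_INIT()` pair in appctx_shut() carries no comment, and the reason for it is not evident from the code alone. The commit message explains that a released appctx is already detached from the SC but may not be freed yet, so a buffer wakeup in that window would touch an SC that is gone. A one-line comment above the check saying this would keep the dequeue from being dropped later as redundant with the one done at free time. Using `LIST_DEL_INIT()` rather than a plain delete is the right choice here, because it leaves the element re-initialised and the existing removal on the free path stays safe. The dequeue sits after the `appctx->applet->release(appctx)` call; it is worth confirming that no release callback can put the appctx back on the buffer wait list, or stating in the comment that this ordering is intentional.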