From: Olivier Houchard <cognet@ci0.org>
Date: Mon, 30 Dec 2019 17:15:40 +0000 (+0100)
Subject: BUG/MEDIUM: connections: Hold the lock when wanting to kill a connection.
X-Git-Tag: v2.2-dev1~140
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=140237471e408736bb7162e68c572c710a66a526;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: connections: Hold the lock when wanting to kill a connection.

In connect_server(), when we decide we want to kill the connection of
another thread because there are too many idle connections, hold the
toremove_lock of the corresponding thread, othervise, there's a small race
condition where we could try to add the connection to the toremove_connections
list while it has already been free'd.

This should be backported to 2.0 and 2.1.
---

diff --git a/src/backend.c b/src/backend.c
index ebc5050cb4..be081a5e18 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -1295,6 +1295,7 @@ int connect_server(struct stream *s)
 				// see it possibly larger.
 				ALREADY_CHECKED(i);
 
+				HA_SPIN_LOCK(OTHER_LOCK, &toremove_lock[tid]);
 				tokill_conn = MT_LIST_POP(&srv->idle_orphan_conns[i],
 				    struct connection *, list);
 				if (tokill_conn) {
@@ -1305,6 +1306,7 @@ int connect_server(struct stream *s)
 					task_wakeup(idle_conn_cleanup[i], TASK_WOKEN_OTHER);
 					break;
 				}
+				HA_SPIN_UNLOCK(OTHER_LOCK, &toremove_lock[tid]);
 			}
 		}