From: Willy Tarreau <w@1wt.eu>
Date: Wed, 20 Oct 2021 12:38:43 +0000 (+0200)
Subject: CLEANUP: dns: always detach the appctx from the dns session on release
X-Git-Tag: v2.5-dev11~32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b56a878950c602886d018a14a974103024c8ded4;p=thirdparty%2Fhaproxy.git

CLEANUP: dns: always detach the appctx from the dns session on release

When dns_session_release() calls dns_session_free(), it was shown that
it might still be attached there:

  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  0x00000000006437d7 in dns_session_free (ds=0x7f895439e810) at src/dns.c:768
  768             BUG_ON(!LIST_ISEMPTY(&ds->ring.waiters));
  [Current thread is 1 (Thread 0x7f895bbe2700 (LWP 31792))]
  (gdb) bt
  #0  0x00000000006437d7 in dns_session_free (ds=0x7f895439e810) at src/dns.c:768
  #1  0x0000000000643ab8 in dns_session_release (appctx=0x7f89545a4ff0) at src/dns.c:805
  #2  0x000000000062e35a in si_applet_release (si=0x7f89545a5550) at include/haproxy/stream_interface.h:236
  #3  0x000000000063150f in stream_int_shutw_applet (si=0x7f89545a5550) at src/stream_interface.c:1697
  #4  0x0000000000640ab8 in si_shutw (si=0x7f89545a5550) at include/haproxy/stream_interface.h:437
  #5  0x0000000000643103 in dns_session_io_handler (appctx=0x7f89545a4ff0) at src/dns.c:725
  #6  0x00000000006d776f in task_run_applet (t=0x7f89545a5100, context=0x7f89545a4ff0, state=81924) at src/applet.c:90
  #7  0x000000000068b82b in run_tasks_from_lists (budgets=0x7f895bbbf5c0) at src/task.c:611
  #8  0x000000000068c258 in process_runnable_tasks () at src/task.c:850
  #9  0x0000000000621e61 in run_poll_loop () at src/haproxy.c:2636
  #10 0x0000000000622328 in run_thread_poll_loop (data=0x8d7440 <ha_thread_info+64>) at src/haproxy.c:2807
  #11 0x00007f895c54a06b in start_thread () from /lib64/libpthread.so.0
  #12 0x00007f895bf3772f in clone () from /lib64/libc.so.6
  (gdb) p &ds->ring.waiters
  $1 = (struct list *) 0x7f895439e8a8
  (gdb) p ds->ring.waiters
  $2 = {
    n = 0x7f89545a5078,
    p = 0x7f89545a5078
  }
  (gdb) p ds->ring.waiters->n
  $3 = (struct list *) 0x7f89545a5078
  (gdb) p *ds->ring.waiters->n
  $4 = {
    n = 0x7f895439e8a8,
    p = 0x7f895439e8a8
  }

Let's always detach it before freeing so that it remains possible to
check the dns_session's ring before releasing it, and possibly catch
bugs.
---

diff --git a/src/dns.c b/src/dns.c
index 63bb52f25f..baafe844f4 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -775,6 +775,14 @@ static void dns_session_release(struct appctx *appctx)
 	if (!ds)
 		return;
 
+	/* We do not call ring_appctx_detach here
+	 * because we want to keep readers counters
+	 * to retry a conn with a different appctx.
+	 */
+	HA_RWLOCK_WRLOCK(DNS_LOCK, &ds->ring.lock);
+	LIST_DEL_INIT(&appctx->wait_entry);
+	HA_RWLOCK_WRUNLOCK(DNS_LOCK, &ds->ring.lock);
+
 	dss = ds->dss;
 
 	HA_SPIN_LOCK(DNS_LOCK, &dss->lock);
@@ -808,13 +816,6 @@ static void dns_session_release(struct appctx *appctx)
 		return;
 	}
 
-	/* We do not call ring_appctx_detach here
-	 * because we want to keep readers counters
-	 * to retry a con with a different appctx*/
-	HA_RWLOCK_WRLOCK(DNS_LOCK, &ds->ring.lock);
-	LIST_DEL_INIT(&appctx->wait_entry);
-	HA_RWLOCK_WRUNLOCK(DNS_LOCK, &ds->ring.lock);
-
 	/* if there is no pending complete response
 	 * message, ensure to reset
 	 * message offsets if the session