From: Willy Tarreau Date: Thu, 19 Jan 2023 10:34:21 +0000 (+0100) Subject: BUG/MINOR: listener: close tiny race between resume_listener() and stopping X-Git-Tag: v2.8-dev2~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d1ebee177;p=thirdparty%2Fhaproxy.git BUG/MINOR: listener: close tiny race between resume_listener() and stopping Pierre Cheynier reported a very rare race condition on soft-stop in the listeners. What happens is that if a previously limited listener is being resumed by another thread finishing an accept loop, and at the same time a soft-stop is performed, the soft-stop will turn the listener's state to LI_INIT, and once the listener's lock is released, resume_listener() in the second thread will try to resume this listener which has an fd==-1, yielding a crash in listener_set_state(): FATAL: bug condition "l->rx.fd == -1" matched at src/listener.c:288 The reason is that resume_listener() only checks for LI_READY, but doesn't consider being called with a non-initialized or a stopped listener. Let's also make sure we don't try to ressuscitate such a listener there. This will have to be backported to all versions. --- diff --git a/src/listener.c b/src/listener.c index c94702a04a..aa466d05ed 100644 --- a/src/listener.c +++ b/src/listener.c @@ -530,6 +530,10 @@ int resume_listener(struct listener *l, int lpx) if (l->state == LI_READY) goto end; + /* the listener might have been stopped in parallel */ + if (l->state < LI_PAUSED) + goto end; + if (l->rx.proto->resume) ret = l->rx.proto->resume(l);