From: Willy Tarreau <w@1wt.eu>
Date: Sat, 17 Sep 2022 09:07:19 +0000 (+0200)
Subject: BUG/MEDIUM: captures: free() an error capture out of the proxy lock
X-Git-Tag: v2.7-dev6~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=da9f25875958757fd1f16b74bd887977e78c8b09;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: captures: free() an error capture out of the proxy lock

Ed Hein reported in github issue #1856 some occasional watchdog panics
in 2.4.18 showing extreme contention on the proxy's lock while the libc
was in malloc()/free(). One cause of this problem is that we call free()
under the proxy's lock in proxy_capture_error(), which makes no sense
since if we can free the object under the lock after it's been detached,
we can also free it after releasing the lock (since it's not referenced
anymore).

This should be backported to all relevant versions, likely all
supported ones.
---

diff --git a/src/proxy.c b/src/proxy.c
index 04431de282..7a4857b37a 100644
--- a/src/proxy.c
+++ b/src/proxy.c
@@ -2546,8 +2546,8 @@ void proxy_capture_error(struct proxy *proxy, int is_back,
 	} else {
 		es = HA_ATOMIC_XCHG(&proxy->invalid_req, es);
 	}
-	free(es);
 	HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &proxy->lock);
+	ha_free(&es);
 }
 
 /* Configure all proxies which lack a maxconn setting to use the global one by