From 54bc78693d8153f10ec4268bfad8779b08740bc2 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Wed, 10 Aug 2022 07:26:27 +0200
Subject: [PATCH] BUG/MEDIUM: quic: always remove the connection from the accept list on close

Fred managed to reproduce a crash showing a corrupted accept_list when firing thousands of concurrent picoquicdemo clients to a same instance. It may happen if the connection was placed into the accept_list and immediately closed before being processed (e.g. on error or t/o ?). In any case the quic_conn_release() function should always detach a connection to be deleted from any list, like it does for other lists, so let's add an MT_LIST_DELETE() here. This should be backported to 2.6.
---
 src/xprt_quic.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 87396ea15..a97169837 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -4084,6 +4084,11 @@ static void quic_conn_release(struct quic_conn *qc)
 /* We must not free the quic-conn if the MUX is still allocated. */
 BUG_ON(qc->mux_state == QC_MUX_READY);
 
+ /* in the unlikely (but possible) case the connection was just added to
+ * the accept_list we must delete it from there.
+ */
+ MT_LIST_DELETE(&qc->accept_list);
+
 /* free remaining stream descriptors */
 node = eb64_first(&qc->streams_by_id);
 while (node) {
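Review bot: The unconditional `MT_LIST_DELETE(&qc->accept_list);` added ahead of the stream-descriptor cleanup is only safe if `qc->accept_list` is initialised on every path that allocates a quic_conn, including connections that fail before they are ever queued for accept. That initialisation is not visible in this hunk, so it should be confirmed before the backport to 2.6. The delete also covers only a connection that is still queued. If the accept side has already dequeued the qc, releasing it here would presumably still leave that side holding a stale pointer, and nothing in the hunk shows what rules this out. The new comment could record the ordering requirement, for example `/* must be done before anything in qc is freed: a queued qc is still reachable from the accept side */`. quic_conn_release() starts and ends outside the hunk.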