From 687df405fe6c1bd95fdebba03f3491c26f82692d Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Thu, 4 Sep 2025 16:26:19 +0200
Subject: [PATCH] BUG/MINOR: connection: streamline conn detach from lists

Over their lifetime, connections are attached to different list. These lists depends on whether connection is on frontend or backend side. Attach point members are stored via a union in struct connection. The next commit reorganizes them so that a proper frontend/backend separation is performed : commit a96f1286a75246fef6db3e615fabdef1de927d83 BUG/MINOR: connection: rearrange union list members On conn_free(), connection instance must be removed from these lists to ensure there is no use-after-free case. However code was still shaky there, despite no real issue. Indeed, was detached for all connections, despite being only used on backend side only. This patch streamlines the freeing of connection. Now, detach is performed in conn_backend_deinit(). Moreover, a new helper conn_frontend_deinit() is defined. It ensures that detach is done. Prior it was performed individually by muxes. Note that a similar procedure is performed when the connection is reversed. Hence, conn_frontend_deinit() is now used here as well, rendering reversal from FE to BE or vice versa symmetrical. As mentionned above, no crash occured prior to this patch, but the code was fragile, in particular access to for frontend connections. Thus this patch is considered as a bug fix worthy of a backport along with above mentionned patch, currently up to 3.0.
---
 src/connection.c | 24 +++++++++++++++---------
 src/mux_h1.c | 3 ---
 src/mux_h2.c | 3 ---
 src/mux_quic.c | 2 --
 4 files changed, 15 insertions(+), 17 deletions(-)
diff --git a/src/connection.c b/src/connection.c
index 15fac3126..8acf04c9d 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -555,6 +555,18 @@ static void conn_backend_deinit(struct connection *conn)
 pool_free(pool_head_conn_hash_node, conn->hash_node);
 conn->hash_node = NULL;
+ /* Remove from BE purge list. Necessary if conn already scheduled for
+ * purge but finally freed before by another code path.
+ */
+ MT_LIST_DELETE(&conn->toremove_list);
+}
+
+/* Ensure frontend connection is removed from its lists. This must be
+ * performed before freeing or reversing a connection.
+ */
+static void conn_frontend_deinit(struct connection *conn)
+{
+ LIST_DEL_INIT(&conn->stopping_list);
 }
 /* Tries to allocate a new connection and initialized its main fields. The
@@ -594,14 +606,8 @@ void conn_free(struct connection *conn)
 if (conn_is_back(conn))
 conn_backend_deinit(conn);
-
- /* Remove the conn from toremove_list.
- *
- * This is needed to prevent a double-free in case the connection was
- * already scheduled from cleaning but is freed before via another
- * call.
- */
- MT_LIST_DELETE(&conn->toremove_list);
+ else
+ conn_frontend_deinit(conn);
 sockaddr_free(&conn->src);
 sockaddr_free(&conn->dst);
@@ -2961,7 +2967,7 @@ int conn_reverse(struct connection *conn)
 struct server *srv = objt_server(conn->reverse.target);
 BUG_ON(!srv);
- LIST_DEL_INIT(&conn->stopping_list);
+ conn_frontend_deinit(conn);
 if (conn_backend_init(conn))
 return 1;
diff --git a/src/mux_h1.c b/src/mux_h1.c
index 86de1149c..defcada21 100644
--- a/src/mux_h1.c
+++ b/src/mux_h1.c
@@ -1412,9 +1412,6 @@ static void h1_release(struct h1c *h1c)
 pool_free(pool_head_h1c, h1c);
 if (conn) {
- if (!conn_is_back(conn))
- LIST_DEL_INIT(&conn->stopping_list);
-
 conn->mux = NULL;
 conn->ctx = NULL;
 TRACE_DEVEL("freeing conn", H1_EV_H1C_END, conn);
diff --git a/src/mux_h2.c b/src/mux_h2.c
index fe68a4cdf..d656e43bc 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
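Review bot: The new conn_frontend_deinit() unlinks `stopping_list` without checking which side the connection is on. The commit description says the attach-point members are stored in a union, so a call on a backend connection would run a plain list delete over storage that currently holds another member. Both call sites in this patch appear to run on a frontend connection (the `else` branch in conn_free() does by construction; the conn_reverse() caller is only partly visible), so the invariant can be pinned with `BUG_ON(conn_is_back(conn));` as the helper's first statement. The helper's comment could also state that a repeated call is harmless because `LIST_DEL_INIT` re-initialises the element. conn_backend_deinit() starts above this hunk, so only its visible tail is covered here.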
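Review bot: With the frontend detach now done only in the `else` branch of conn_free(), the mux release paths changed later in this patch (h1_release, h2_release, qcc_release) set `conn->mux = NULL` while the connection is still linked on `stopping_list`. Whether anything can walk that list between the mux release and conn_free() cannot be told from these hunks; the `"freeing conn"` trace in h1_release and h2_release suggests the free follows directly, but the call itself is outside them. If only call order keeps that window closed, conn_free() should say so next to the new branch, for example `/* FE conns stay linked on stopping_list until here, after the mux has already cleared conn->mux */`. conn_free() begins and ends outside the hunk.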
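Review bot: In conn_reverse(), the early `return 1` when `conn_backend_init(conn)` fails leaves a connection that is already detached from its frontend list and possibly half set up as a backend one, while conn_free() now chooses its detach helper from `conn_is_back(conn)`. Which helper then runs depends on where the target is switched, and that code is outside this hunk. The ordering constraint itself deserves a comment at the call, such as `/* must run before conn_backend_init(): FE and BE list members share storage */`, with a second line on what state the failure path leaves behind once that is confirmed. conn_reverse() starts and ends outside the hunk.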
@@ -1516,9 +1516,6 @@ static void h2_release(struct h2c *h2c)
 pool_free(pool_head_h2c, h2c);
 if (conn) {
- if (!conn_is_back(conn))
- LIST_DEL_INIT(&conn->stopping_list);
-
 conn->mux = NULL;
 conn->ctx = NULL;
 TRACE_DEVEL("freeing conn", H2_EV_H2C_END, conn);
diff --git a/src/mux_quic.c b/src/mux_quic.c
index 21f082770..1dd01534b 100644
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -3360,8 +3360,6 @@ static void qcc_release(struct qcc *qcc)
 pool_free(pool_head_qcc, qcc);
 if (conn) {
- LIST_DEL_INIT(&conn->stopping_list);
-
 conn->mux = NULL;
 conn->ctx = NULL;