BUG/MAJOR: connection: Never remove connection from idle lists outside the lock

Since the idle connections management changed to use eb-trees instead of MT lists, a lock must be acquired to manipulate servers idle/safe/available connection lists. However, it remains an unprotected use in connect_server(), when a connection is removed from an idle list if the mux has no more streams available. Thus it is possible to remove a connection from an idle list on a thread, while another one is looking for a idle connection. Of couse, this may lead to a crash. To fix the bug, we must take care to acquire the idle connections lock first. The bug was introduced by the commit f232cb3e9 ("MEDIUM: connection: replace idle conn lists by eb trees"). The patch must be backported as far as 2.4.
2025-09-22 14:21:25 +02:00 · 2022-04-22 17:56:24 +02:00 · 2022-04-22 17:56:24 +02:00 · 7ae48a70d6
commit 7ae48a70d6
parent eaa703ef06
1 changed files with 2 additions and 0 deletions
--- a/src/backend.c
+++ b/src/backend.c
@ -1529,7 +1529,9 @@ static int connect_server(struct stream *s)

 			if (avail <= 1) {
 				/* No more streams available, remove it from the list */
+				HA_SPIN_LOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
 				conn_delete_from_tree(&srv_conn->hash_node->node);
+				HA_SPIN_UNLOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
 			}

 			if (avail >= 1) {