BUG/MINOR: pools: make DEBUG_UAF always write to the to-be-freed location

Since the code was reorganized, DEBUG_UAF was still tested in the locked
pool code despite pools being disabled when DEBUG_UAF is used. Let's move
the test to pool_put_to_os() which is the one that is always called in
this condition.

The impact is only a possible misleading analysis during a troubleshooting
session due to a missing double-frees or free of const area test that is
normally already dealt with by the underlying code anyway. In practice it's
unlikely anyone will ever notice.

This should only be backported to 2.4.

include/haproxy/pool.h

@@ -194,8 +194,6 @@ static inline void pool_put_to_shared_cache(struct pool_head *pool, void *ptr)
 {
 	_HA_ATOMIC_DEC(&pool->used);
 
-#ifndef DEBUG_UAF /* normal pool behaviour */
-
 	HA_SPIN_LOCK(POOL_LOCK, &pool->lock);
 	if (!pool_is_crowded(pool)) {
 		*POOL_LINK(pool, ptr) = (void *)pool->free_list;
@@ -204,13 +202,6 @@ static inline void pool_put_to_shared_cache(struct pool_head *pool, void *ptr)
 	}
 	HA_SPIN_UNLOCK(POOL_LOCK, &pool->lock);
 
-#else
-	/* release the entry for real to detect use after free */
-	/* ensure we crash on double free or free of a const area */
-	*(uint32_t *)ptr = 0xDEADADD4;
-
-#endif /* DEBUG_UAF */
-
 	if (ptr) {
 		/* still not freed */
 		pool_put_to_os(pool, ptr);

src/pool.c

@@ -147,6 +147,14 @@ void *pool_get_from_os(struct pool_head *pool)
  */
 void pool_put_to_os(struct pool_head *pool, void *ptr)
 {
+#ifdef DEBUG_UAF
+	/* This object will be released for real in order to detect a use after
+	 * free. We also force a write to the area to ensure we crash on double
+	 * free or free of a const area.
+	 */
+	*(uint32_t *)ptr = 0xDEADADD4;
+#endif /* DEBUG_UAF */
+
 	pool_free_area(ptr, pool->size + POOL_EXTRA);
 	_HA_ATOMIC_DEC(&pool->allocated);
 }