From e8826ded5fea3593d89da2be5c2d81c522070995 Mon Sep 17 00:00:00 2001
From: Olivier Houchard <ohouchard@haproxy.com>
Date: Thu, 17 Oct 2019 18:02:53 +0200
Subject: [PATCH] BUG/MEDIUM: mux_pt: Make sure we don't have a conn_stream
 before freeing.

On error, make sure we don't have a conn_stream before freeing the connection
and the associated mux context. Otherwise a stream will still reference
the connection, and attempt to use it.
If we still have a conn_stream, it will properly be free'd when the detach
method is called, anyway.

This should be backported to 2.0 and 1.9.
---
 src/mux_pt.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/mux_pt.c b/src/mux_pt.c
index a86cbefd9..b957ed632 100644
--- a/src/mux_pt.c
+++ b/src/mux_pt.c
@@ -51,9 +51,10 @@ static struct task *mux_pt_io_cb(struct task *t, void *tctx, unsigned short stat
 	struct mux_pt_ctx *ctx = tctx;
 
 	conn_sock_drain(ctx->conn);
-	if (ctx->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH))
-		mux_pt_destroy(ctx);
-	else
+	if (ctx->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH)) {
+		if (!ctx->cs)
+			mux_pt_destroy(ctx);
+	} else
 		ctx->conn->xprt->subscribe(ctx->conn, ctx->conn->xprt_ctx, SUB_RETRY_RECV,
 		    &ctx->wait_event);
 
@@ -193,7 +194,7 @@ static void mux_pt_detach(struct conn_stream *cs)
 	    !(conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH))) {
 		ctx->cs = NULL;
 		conn->xprt->subscribe(conn, conn->xprt_ctx, SUB_RETRY_RECV, &ctx->wait_event);
-	} else
+	} else if (!ctx->cs)
 		/* There's no session attached to that connection, destroy it */
 		mux_pt_destroy(ctx);
 }