From f7ae84e7d1b20201b38348d9dcbaefa47eb29814 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Tue, 4 Jun 2024 11:56:09 +0200
Subject: [PATCH] BUG/MINOR: quic: prevent crash on qc_kill_conn()

Ensure idle_timer task is allocated in qc_kill_conn() before waking it up. It can be NULL if idle timer has already fired but MUX layer is still present, which prevents immediate quic_conn release.

qc_kill_conn() is only used on send() syscall fatal error to notify upper layer of an error and close the whole connection asap.

This crash occurence is pretty rare as it relies on timing issues. It happens only if idle timer occurs before the MUX release (a bigger client timeout is thus required) and any send() syscall detected error. For now, it was only reproduced using GDB to interrupt haproxy longer than the idle timeout.

This should be backported up to 2.6.
---
 src/quic_conn.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/quic_conn.c b/src/quic_conn.c
index 6cc1d38f8..842456114 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -161,7 +161,9 @@ void qc_kill_conn(struct quic_conn *qc)
 	TRACE_PROTO("killing the connection", QUIC_EV_CONN_KILL, qc);
 	qc->flags |= QUIC_FL_CONN_TO_KILL;
 	qc->flags &= ~QUIC_FL_CONN_RETRANS_NEEDED;
-	task_wakeup(qc->idle_timer_task, TASK_WOKEN_OTHER);
+
+	if (!(qc->flags & QUIC_FL_CONN_EXP_TIMER))
+		task_wakeup(qc->idle_timer_task, TASK_WOKEN_OTHER);
 	qc_notify_err(qc);