From c6eedcceef97f6a5a03e2b8b35e32ec31470483c Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Fri, 26 Mar 2021 09:09:42 +0100
Subject: [PATCH] BUG/MEDIUM: mux-h1: make h1_shutw_conn() idempotent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In issue #1197, Stéphane Graber reported a rare case of crash that results from an attempt to close an already closed H1 connection. It indeed looks like under some circumstances it should be possible to call the h1_shutw_conn() function more than once, though these conditions are not very clear.

Without going through a deep analysis of all possibilities, one potential case seems to be a detach() called with pending output data, causing H1C_F_ST_SHUTDOWN to be set on the connection, then h1_process() being immediately called on I/O, causing h1_send() to flush these data and call h1_shutw_conn(), and finally the upper stream calling cs_shutw() hence h1_shutw(), which itself will call h1_shutw_conn() again while the transport and control layers have already been released. But the whole sequence is not certain as it's not very clear in which case it's possible to leave h1_send() without the connection anymore (at least the obuf is empty).

However what is certain is that a shutdown function must be idempotent, so let's fix h1_shutw_conn() regarding this point. Stéphane reported the issue as far back as 2.0, so this patch should be backported this far.

(cherry picked from commit 62592ad967d6d24be2aabb664a5e1d594ab35415)
Signed-off-by: Willy Tarreau
---
 src/mux_h1.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/mux_h1.c b/src/mux_h1.c index d1b7684139..d4ea17d615 100644 --- a/src/mux_h1.c +++ b/src/mux_h1.c 
@@ -2663,6 +2663,9 @@ static void h1_shutw_conn(struct connection *conn, enum cs_shw_mode mode) { struct h1c *h1c = conn->ctx; + if (conn->flags & CO_FL_SOCK_WR_SH) + return; + TRACE_ENTER(H1_EV_STRM_SHUT, conn, h1c->h1s); conn_xprt_shutw(conn); conn_sock_shutw(conn, (mode == CS_SHW_NORMAL));
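Review bot: the new early return at the top of h1_shutw_conn() sits before TRACE_ENTER(H1_EV_STRM_SHUT, ...), so a second call exits silently and leaves no trace of the double-shutdown path that the commit message says is not yet understood. Consider moving the `if (conn->flags & CO_FL_SOCK_WR_SH)` test after TRACE_ENTER and emitting a matching leave trace before the return, so the repeated call stays visible while the root cause from issue #1197 is still being investigated. A short comment above the test would also help, stating that the function must be idempotent because it can be reached more than once and that CO_FL_SOCK_WR_SH is what records the earlier shutdown, since the hunk does not show where that flag gets set.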