From 16b2be93ad9e7db2d57ca5aaa4ca629efecd6530 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Thu, 4 Jul 2019 11:59:42 +0200
Subject: [PATCH] BUG/MEDIUM: lb_fas: Don't test the server's lb_tree from outside the lock

In the function fas_srv_reposition(), the server's lb_tree is tested from outside the lock. So it is possible to remove it after the test and then call eb32_insert() in fas_queue_srv() with a NULL root pointer, which is invalid. Moving the test in the scope of the lock fixes the bug. This issue was reported on Github, issue #126. This patch must be backported to 2.0, 1.9 and 1.8.
---
 src/lb_fas.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/lb_fas.c b/src/lb_fas.c
index 69b85d72d..6b72099f3 100644
--- a/src/lb_fas.c
+++ b/src/lb_fas.c
@@ -70,12 +70,11 @@ static inline void fas_queue_srv(struct server *s)
 */
 static void fas_srv_reposition(struct server *s)
 {
- if (!s->lb_tree)
- return;
-
 HA_SPIN_LOCK(LBPRM_LOCK, &s->proxy->lbprm.lock);
- fas_dequeue_srv(s);
- fas_queue_srv(s);
+ if (s->lb_tree) {
+ fas_dequeue_srv(s);
+ fas_queue_srv(s);
+ }
 HA_SPIN_UNLOCK(LBPRM_LOCK, &s->proxy->lbprm.lock);
 }
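Review bot: The `if (s->lb_tree)` test in fas_srv_reposition() now sits inside the LBPRM_LOCK section, but nothing in the new code says why. A later cleanup could hoist it back out as a lock-free fast path and reintroduce the race that ends with eb32_insert() being called on a NULL root. I would add a comment directly above the test, e.g. `/* lb_tree may be removed concurrently: only test it while holding lbprm.lock */`. The function's header comment starts outside the hunk, so I cannot tell whether the locking rule is already stated there. The same test-then-lock pattern may exist in the reposition helpers of other load-balancing algorithms; that is an inference from this fix rather than something visible here, and is worth checking before the backports.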