From 964caaff0e56ef0b243c77d37da9907c77d90e3e Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Tue, 15 Dec 2020 14:30:12 +0100
Subject: [PATCH] BUG/MAJOR: cache: Crash because of disabled entry not removed from the tree

The cache entries are now added into the tree even when they are not complete yet. If we realized while trying to add a response's payload that the shctx was full, the entry was disabled through the disable_cache_entry function, which cleared the key field of the entry's node, but without actually removing it from the tree. So the shctx row could be stolen from the entry and the row's content be rewritten while a lookup in the tree would still find a reference to the old entry. This caused a random crash in case of cache saturation and row reuse. This patch adds the missing removal of the node from the tree next to the reset of the key in disable_cache_entry. This bug was introduced by commit 3243447 ("MINOR: cache: Add entry to the tree as soon as possible") It does not need to be backported.
---
 src/cache.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/cache.c b/src/cache.c
index bc9bb9873..9ed7b9762 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -365,6 +365,7 @@ static inline void disable_cache_entry(struct cache_st *st,
 	filter->ctx = NULL; /* disable cache */
 	shctx_lock(shctx);
 	shctx_row_dec_hot(shctx, st->first_block);
+	eb32_delete(&object->eb);
 	object->eb.key = 0;
 	shctx_unlock(shctx);
 	pool_free(pool_head_cache_st, st);
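Review bot: The `object->eb.key = 0;` kept right after the new `eb32_delete(&object->eb);` now reads as if it were the step that detaches the entry, while the delete is what actually closes the stale-lookup window; a comment would stop the next reader from "simplifying" it back, e.g. `/* detach from the tree before the row can be reused; clearing the key alone left a dangling lookup target */` above the two lines. disable_cache_entry starts outside the hunk (its parameter list continues in the @@ context), so I cannot see whether it can be reached for an object whose node was never inserted; as far as I recall the ebtree delete path tolerates an already-detached node, but that is worth confirming rather than assumed. Since the root cause was a "disable marker" standing in for real removal, it is also worth checking whether any other site resets `eb.key` to mark an entry unusable without a matching delete. The ordering itself, delete and key reset inside the same shctx_lock/shctx_unlock pair, looks right provided lookups take that same lock.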