public/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-03-17 03:33:36 +09:00
Code Issues Packages Projects Releases Wiki Activity

mapper/batcher: fix race conditions in cleanup and lookups

Browse Source 
Replace the two-phase Load-check-Delete in cleanupOfflineNodes with
xsync.Map.Compute() for atomic check-and-delete. This prevents the
TOCTOU race where a node reconnects between the hasActiveConnections
check and the Delete call.

Add nil guards on all b.nodes.Load() and b.nodes.Range() call sites
to prevent nil pointer panics from concurrent cleanup races.
This commit is contained in:
Kristoffer Dalby
2026-03-13 13:33:12 +00:00
parent 57070680a5
commit da33795e79
2 changed files with 177 additions and 124 deletions
Download Patch File Download Diff File Expand all files Collapse all files

223
hscontrol/mapper/batcher_concurrency_test.go
View File

@@ -653,18 +653,22 @@ func TestBatcher_ConnectedMapConsistency(t *testing.T) {
// ============================================================================
// TestBug3_CleanupOfflineNodes_TOCTOU exercises Bug #3:
// cleanupOfflineNodes has a TOCTOU (time-of-check-time-of-use) race.
// Between checking hasActiveConnections()==false and calling nodes.Delete(),
// AddNode can reconnect the node, and the cleanup deletes the fresh connection.
// TestBug3_CleanupOfflineNodes_TOCTOU exercises the TOCTOU race in
// cleanupOfflineNodes. Without the Compute() fix, the old code did:
//
// BUG: batcher_lockfree.go:407-414 checks hasActiveConnections,
// 1. Range connected map → collect candidates
// 2. Load node → check hasActiveConnections() == false
// 3. Delete node
//
// then :426 deletes the node. A reconnect between these two lines
// causes a live node to be deleted.
// Between steps 2 and 3, AddNode could reconnect the node via
// LoadOrStore, adding a connection to the existing entry. The
// subsequent Delete would then remove the live reconnected node.
//
// FIX: Use Compute() on nodes map to atomically check-and-delete, or
//
// add a generation counter to detect stale cleanup.
// FIX: Use Compute() on b.nodes for atomic check-and-delete. Inside
// the Compute closure, hasActiveConnections() is checked and the
// entry is only deleted if still inactive. A concurrent AddNode that
// calls addConnection() on the same entry makes hasActiveConnections()
// return true, causing Compute to cancel the delete.
func TestBug3_CleanupOfflineNodes_TOCTOU(t *testing.T) {
lb := setupLightweightBatcher(t, 5, 10)
defer lb.cleanup()
@@ -680,65 +684,89 @@ func TestBug3_CleanupOfflineNodes_TOCTOU(t *testing.T) {
mc.removeConnectionByChannel(ch)
}
// Now simulate a reconnection happening concurrently with cleanup.
// We'll add a new connection to the node DURING cleanup.
// Verify node 3 has no active connections before we start.
if mc, ok := lb.b.nodes.Load(targetNode); ok {
require.False(t, mc.hasActiveConnections(),
"precondition: node 3 should have no active connections")
}
// Simulate a reconnection that happens BEFORE cleanup's Compute() runs.
// With the Compute() fix, the atomic check inside Compute sees
// hasActiveConnections()==true and cancels the delete.
mc, exists := lb.b.nodes.Load(targetNode)
require.True(t, exists, "node 3 should exist before reconnection")
newCh := make(chan *tailcfg.MapResponse, 10)
entry := &connectionEntry{
id: "reconnected",
c: newCh,
version: tailcfg.CapabilityVersion(100),
created: time.Now(),
}
entry.lastUsed.Store(time.Now().Unix())
mc.addConnection(entry)
lb.b.connected.Store(targetNode, nil) // nil = connected
lb.channels[targetNode] = newCh
// Now run cleanup. Node 3 is in the candidates list (old disconnect
// time) but has been reconnected. The Compute() fix should see the
// active connection and cancel the delete.
lb.b.cleanupOfflineNodes()
// Node 3 MUST still exist because it has an active connection.
_, stillExists := lb.b.nodes.Load(targetNode)
assert.True(t, stillExists,
"BUG #3: cleanupOfflineNodes deleted node %d despite it having an active "+
"connection. The Compute() fix should atomically check "+
"hasActiveConnections() and cancel the delete.",
targetNode)
// Also verify the concurrent case: cleanup and reconnection racing.
// Set up node 3 as offline again.
mc.removeConnectionByChannel(newCh)
oldTime2 := time.Now().Add(-20 * time.Minute)
lb.b.connected.Store(targetNode, &oldTime2)
var wg sync.WaitGroup
reconnected := make(chan struct{})
// Run 100 iterations of concurrent cleanup + reconnection.
// With Compute(), either cleanup wins (node deleted, LoadOrStore
// recreates) or reconnection wins (Compute sees active conn, cancels).
// Either way the node must exist after both complete.
for range 100 {
wg.Go(func() {
// Simulate reconnection via addConnection (like AddNode does)
if mc, ok := lb.b.nodes.Load(targetNode); ok {
reconnCh := make(chan *tailcfg.MapResponse, 10)
reconnEntry := &connectionEntry{
id: "race-reconn",
c: reconnCh,
version: tailcfg.CapabilityVersion(100),
created: time.Now(),
}
reconnEntry.lastUsed.Store(time.Now().Unix())
mc.addConnection(reconnEntry)
lb.b.connected.Store(targetNode, nil)
}
})
// Goroutine 1: wait a tiny bit, then reconnect node 3
wg.Go(func() {
// Wait for cleanup to start the Range phase
time.Sleep(50 * time.Microsecond) //nolint:forbidigo // concurrency test coordination
mc, exists := lb.b.nodes.Load(targetNode)
if !exists {
// Node already deleted by cleanup - that's the bug!
return
}
newCh := make(chan *tailcfg.MapResponse, 10)
entry := &connectionEntry{
id: "reconnected",
c: newCh,
version: tailcfg.CapabilityVersion(100),
created: time.Now(),
}
entry.lastUsed.Store(time.Now().Unix())
mc.addConnection(entry)
lb.b.connected.Store(targetNode, nil) // nil = connected
lb.channels[targetNode] = newCh
close(reconnected)
})
// Goroutine 2: run cleanup
wg.Go(func() {
lb.b.cleanupOfflineNodes()
})
wg.Go(func() {
lb.b.cleanupOfflineNodes()
})
}
wg.Wait()
// After cleanup + reconnection, node 3 MUST still exist.
// The TOCTOU bug: cleanup checks hasActiveConnections=false, then a
// reconnection adds a connection, then cleanup deletes the node anyway.
_, exists := lb.b.nodes.Load(targetNode)
assert.True(t, exists,
"BUG #3: cleanupOfflineNodes deleted node %d despite it being reconnected. "+
"TOCTOU race: check hasActiveConnections→reconnect→Delete loses the live node. "+
"Fix: use Compute() for atomic check-and-delete, or generation counter",
targetNode)
}
// TestBug5_WorkerPanicKillsWorkerPermanently exercises Bug #5:
// Workers have no recover() wrapper. A panic in generateMapResponse or
// handleNodeChange permanently kills the worker goroutine, reducing
// If b.nodes.Load() returns exists=true but a nil *multiChannelNodeConn,
// the worker would panic on a nil pointer dereference. Without nil guards,
// this kills the worker goroutine permanently (no recover), reducing
// throughput and eventually deadlocking when all workers are dead.
//
// BUG: batcher_lockfree.go:212-287 - worker() has no defer recover()
// FIX: Add defer recover() that logs the panic and continues the loop.
// BUG: batcher_lockfree.go worker() - no nil check after b.nodes.Load()
// FIX: Add nil guard: `exists && nc != nil` in both sync and async paths.
func TestBug5_WorkerPanicKillsWorkerPermanently(t *testing.T) {
zerolog.SetGlobalLevel(zerolog.Disabled)
defer zerolog.SetGlobalLevel(zerolog.DebugLevel)
@@ -746,47 +774,52 @@ func TestBug5_WorkerPanicKillsWorkerPermanently(t *testing.T) {
lb := setupLightweightBatcher(t, 3, 10)
defer lb.cleanup()
// We need workers running. Use a small worker count.
lb.b.workers = 2
lb.b.Start()
// Give workers time to start
time.Sleep(50 * time.Millisecond) //nolint:forbidigo // concurrency test coordination
// Record initial work processed count
initialProcessed := lb.b.workProcessed.Load()
// Store a nil value in b.nodes for a specific node ID.
// This simulates a race where a node entry exists but the value is nil
// (e.g., concurrent cleanup setting nil before deletion).
nilNodeID := types.NodeID(55555)
lb.b.nodes.Store(nilNodeID, nil)
// Queue work that will cause the worker to encounter an error
// (node exists but mapper is nil, which goes through the nc.change path
// that calls handleNodeChange → generateMapResponse with nil mapper).
// This produces an error but doesn't panic by itself.
//
// To actually trigger a panic, we need to make the node connection's
// change() method panic. We can do this by corrupting internal state.
// However, that's fragile. Instead, we verify the architectural issue:
// if a worker DID panic, does the batcher recover?
//
// We simulate this by checking: after queuing invalid work that produces
// errors, can we still process valid work? With no panic recovery,
// a real panic would make subsequent work permanently stuck.
// Queue several work items for non-existent nodes (produces errors)
// Queue async work (resultCh=nil) targeting the nil node.
// Without the nil guard, this would panic: nc.change(w.c) on nil nc.
for range 10 {
lb.b.queueWork(work{
c: change.DERPMap(),
nodeID: types.NodeID(99999), // doesn't exist
nodeID: nilNodeID,
})
}
// Wait for workers to process the error-producing work
// Queue sync work (with resultCh) targeting the nil node.
// Without the nil guard, this would panic: generateMapResponse(nc, ...)
// on nil nc.
for range 5 {
resultCh := make(chan workResult, 1)
lb.b.queueWork(work{
c: change.DERPMap(),
nodeID: nilNodeID,
resultCh: resultCh,
})
// Read the result so workers don't block.
select {
case res := <-resultCh:
// With nil guard, result should have nil mapResponse (no work done).
assert.Nil(t, res.mapResponse,
"sync work for nil node should return nil mapResponse")
case <-time.After(2 * time.Second):
t.Fatal("timed out waiting for sync work result — worker may have panicked")
}
}
// Wait for async work to drain
time.Sleep(100 * time.Millisecond) //nolint:forbidigo // concurrency test coordination
errorsAfterBad := lb.b.workErrors.Load()
processedAfterBad := lb.b.workProcessed.Load()
t.Logf("after bad work: processed=%d, errors=%d",
processedAfterBad-initialProcessed, errorsAfterBad)
// Now queue valid work items (node 1 exists)
// Now queue valid work for a real node to prove workers are still alive.
beforeValid := lb.b.workProcessed.Load()
for range 5 {
lb.b.queueWork(work{
@@ -795,32 +828,14 @@ func TestBug5_WorkerPanicKillsWorkerPermanently(t *testing.T) {
})
}
// Wait for processing
time.Sleep(200 * time.Millisecond) //nolint:forbidigo // concurrency test coordination
afterValid := lb.b.workProcessed.Load()
validProcessed := afterValid - beforeValid
t.Logf("valid work processed after nil-node work: %d/5", validProcessed)
t.Logf("valid work processed: %d/5", validProcessed)
// This passes currently because nil-mapper errors don't panic.
// But the architectural bug remains: if ANY code path in the worker
// panics (e.g., nil pointer in mapper, index out of range in builder),
// the worker dies permanently with no recovery.
//
// We assert that workers SHOULD have a recovery mechanism:
assert.Equal(t, int64(5), validProcessed,
"workers should process all valid work even after encountering errors")
// The real test: verify worker() has defer recover().
// Since we can't easily cause a real panic in the worker without
// modifying production code, we document this as a structural bug.
// A proper fix adds: defer func() { if r := recover(); r != nil { log... } }()
// at the top of worker().
//
// For now, we verify at minimum that error-producing work doesn't kill workers.
assert.GreaterOrEqual(t, errorsAfterBad, int64(10),
"worker should have recorded errors for non-existent node work")
"workers must remain functional after encountering nil node entries")
}
// TestBug6_StartCalledMultipleTimes_GoroutineLeak exercises Bug #6:

78
hscontrol/mapper/batcher_lockfree.go
View File

@@ -132,7 +132,7 @@ func (b *LockFreeBatcher) RemoveNode(id types.NodeID, c chan<- *tailcfg.MapRespo
nlog := log.With().Uint64(zf.NodeID, id.Uint64()).Logger()
nodeConn, exists := b.nodes.Load(id)
if !exists {
if !exists || nodeConn == nil {
nlog.Debug().Caller().Msg("removeNode called for non-existent node")
return false
}
@@ -190,6 +190,9 @@ func (b *LockFreeBatcher) Close() {
// Close the underlying channels supplying the data to the clients.
b.nodes.Range(func(nodeID types.NodeID, conn *multiChannelNodeConn) bool {
if conn == nil {
return true
}
conn.close()
return true
})
@@ -239,7 +242,7 @@ func (b *LockFreeBatcher) worker(workerID int) {
if w.resultCh != nil {
var result workResult
if nc, exists := b.nodes.Load(w.nodeID); exists {
if nc, exists := b.nodes.Load(w.nodeID); exists && nc != nil {
var err error
result.mapResponse, err = generateMapResponse(nc, b.mapper, w.c)
@@ -277,7 +280,7 @@ func (b *LockFreeBatcher) worker(workerID int) {
// If resultCh is nil, this is an asynchronous work request
// that should be processed and sent to the node instead of
// returned to the caller.
if nc, exists := b.nodes.Load(w.nodeID); exists {
if nc, exists := b.nodes.Load(w.nodeID); exists && nc != nil {
// Apply change to node - this will handle offline nodes gracefully
// and queue work for when they reconnect
err := nc.change(w.c)
@@ -347,6 +350,10 @@ func (b *LockFreeBatcher) addToBatch(changes ...change.Change) {
// means we can skip sending individual changes.
if change.HasFull(changes) {
b.nodes.Range(func(_ types.NodeID, nc *multiChannelNodeConn) bool {
if nc == nil {
return true
}
nc.pendingMu.Lock()
nc.pending = []change.Change{change.FullUpdate()}
nc.pendingMu.Unlock()
@@ -361,7 +368,7 @@ func (b *LockFreeBatcher) addToBatch(changes ...change.Change) {
// Handle targeted changes - send only to the specific node
for _, ch := range targeted {
if nc, ok := b.nodes.Load(ch.TargetNode); ok {
if nc, ok := b.nodes.Load(ch.TargetNode); ok && nc != nil {
nc.appendPending(ch)
}
}
@@ -369,6 +376,9 @@ func (b *LockFreeBatcher) addToBatch(changes ...change.Change) {
// Handle broadcast changes - send to all nodes, filtering as needed
if len(broadcast) > 0 {
b.nodes.Range(func(nodeID types.NodeID, nc *multiChannelNodeConn) bool {
if nc == nil {
return true
}
filtered := change.FilterForNode(nodeID, broadcast)
if len(filtered) > 0 {
@@ -383,6 +393,10 @@ func (b *LockFreeBatcher) addToBatch(changes ...change.Change) {
// processBatchedChanges processes all pending batched changes.
func (b *LockFreeBatcher) processBatchedChanges() {
b.nodes.Range(func(nodeID types.NodeID, nc *multiChannelNodeConn) bool {
if nc == nil {
return true
}
pending := nc.drainPending()
if len(pending) == 0 {
return true
@@ -398,6 +412,8 @@ func (b *LockFreeBatcher) processBatchedChanges() {
}
// cleanupOfflineNodes removes nodes that have been offline for too long to prevent memory leaks.
// Uses Compute() for atomic check-and-delete to prevent TOCTOU races where a node
// reconnects between the hasActiveConnections() check and the Delete() call.
// TODO(kradalby): reevaluate if we want to keep this.
func (b *LockFreeBatcher) cleanupOfflineNodes() {
cleanupThreshold := 15 * time.Minute
@@ -408,30 +424,46 @@ func (b *LockFreeBatcher) cleanupOfflineNodes() {
// Find nodes that have been offline for too long
b.connected.Range(func(nodeID types.NodeID, disconnectTime *time.Time) bool {
if disconnectTime != nil && now.Sub(*disconnectTime) > cleanupThreshold {
// Double-check the node doesn't have active connections
if nodeConn, exists := b.nodes.Load(nodeID); exists {
if !nodeConn.hasActiveConnections() {
nodesToCleanup = append(nodesToCleanup, nodeID)
}
}
nodesToCleanup = append(nodesToCleanup, nodeID)
}
return true
})
// Clean up the identified nodes
// Clean up the identified nodes using Compute() for atomic check-and-delete.
// This prevents a TOCTOU race where a node reconnects (adding an active
// connection) between the hasActiveConnections() check and the Delete() call.
cleaned := 0
for _, nodeID := range nodesToCleanup {
log.Info().Uint64(zf.NodeID, nodeID.Uint64()).
Dur("offline_duration", cleanupThreshold).
Msg("cleaning up node that has been offline for too long")
deleted := false
b.nodes.Delete(nodeID)
b.connected.Delete(nodeID)
b.totalNodes.Add(-1)
b.nodes.Compute(
nodeID,
func(conn *multiChannelNodeConn, loaded bool) (*multiChannelNodeConn, xsync.ComputeOp) {
if !loaded || conn == nil || conn.hasActiveConnections() {
return conn, xsync.CancelOp
}
deleted = true
return conn, xsync.DeleteOp
},
)
if deleted {
log.Info().Uint64(zf.NodeID, nodeID.Uint64()).
Dur("offline_duration", cleanupThreshold).
Msg("cleaning up node that has been offline for too long")
b.connected.Delete(nodeID)
b.totalNodes.Add(-1)
cleaned++
}
}
if len(nodesToCleanup) > 0 {
log.Info().Int(zf.CleanedNodes, len(nodesToCleanup)).
if cleaned > 0 {
log.Info().Int(zf.CleanedNodes, cleaned).
Msg("completed cleanup of long-offline nodes")
}
}
@@ -439,7 +471,7 @@ func (b *LockFreeBatcher) cleanupOfflineNodes() {
// IsConnected is lock-free read that checks if a node has any active connections.
func (b *LockFreeBatcher) IsConnected(id types.NodeID) bool {
// First check if we have active connections for this node
if nodeConn, exists := b.nodes.Load(id); exists {
if nodeConn, exists := b.nodes.Load(id); exists && nodeConn != nil {
if nodeConn.hasActiveConnections() {
return true
}
@@ -465,6 +497,9 @@ func (b *LockFreeBatcher) ConnectedMap() *xsync.Map[types.NodeID, bool] {
// First, add all nodes with active connections
b.nodes.Range(func(id types.NodeID, nodeConn *multiChannelNodeConn) bool {
if nodeConn == nil {
return true
}
if nodeConn.hasActiveConnections() {
ret.Store(id, true)
}
@@ -860,6 +895,9 @@ func (b *LockFreeBatcher) Debug() map[types.NodeID]DebugNodeInfo {
// Get all nodes with their connection status using immediate connection logic
// (no grace period) for debug purposes
b.nodes.Range(func(id types.NodeID, nodeConn *multiChannelNodeConn) bool {
if nodeConn == nil {
return true
}
nodeConn.mutex.RLock()
activeConnCount := len(nodeConn.connections)
nodeConn.mutex.RUnlock()