From 28ac8d210426f374f69650958bbb20ff800e0aea Mon Sep 17 00:00:00 2001 From: Damien Neil Date: Mon, 15 Sep 2025 15:18:57 -0700 Subject: [PATCH] [release-branch.go1.25] net/http: avoid connCount underflow race Remove a race condition in counting the number of connections per host, which can cause a connCount underflow and a panic. The race occurs when: - A RoundTrip call attempts to use a HTTP/2 roundtripper (pconn.alt != nil) and receives an isNoCachedConn error. The call removes the pconn from the idle conn pool and decrements the connCount for its host. - A second RoundTrip call on the same pconn succeeds, and delivers the pconn to a third RoundTrip waiting for a conn. - The third RoundTrip receives the pconn at the same moment its request context is canceled. It places the pconn back into the idle conn pool. At this time, the connCount is incorrect, because the conn returned to the idle pool is not matched by an increment in the connCount. Fix this by not adding HTTP/2 pconns back to the idle pool in wantConn.cancel. For #61474 Fixes #75539 Change-Id: I104d6cf85a54d0382eebf3fcf5dda99c69a7c3f6 Reviewed-on: https://go-review.googlesource.com/c/go/+/703936 Auto-Submit: Damien Neil Reviewed-by: Nicholas Husin Reviewed-by: Nicholas Husin LUCI-TryBot-Result: Go LUCI (cherry picked from commit 3203a5da290753e5c7aceb12f41f06b272356bd0) Reviewed-on: https://go-review.googlesource.com/c/go/+/705376 Reviewed-by: Cherry Mui --- src/net/http/transport.go | 5 ++++- src/net/http/transport_test.go | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/src/net/http/transport.go b/src/net/http/transport.go index 07b3a9e1e7..2778db332e 100644 --- a/src/net/http/transport.go +++ b/src/net/http/transport.go @@ -1372,7 +1372,10 @@ func (w *wantConn) cancel(t *Transport) { w.done = true w.mu.Unlock() - if pc != nil { + // HTTP/2 connections (pc.alt != nil) aren't removed from the idle pool on use, + // and should not be added back here. If the pconn isn't in the idle pool, + // it's because we removed it due to an error. + if pc != nil && pc.alt == nil { t.putOrCloseIdleConn(pc) } } diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go index 9762f05886..28ad3eb6fe 100644 --- a/src/net/http/transport_test.go +++ b/src/net/http/transport_test.go @@ -7559,3 +7559,35 @@ func TestTransportServerProtocols(t *testing.T) { }) } } + +func TestIssue61474(t *testing.T) { + run(t, testIssue61474, []testMode{http2Mode}) +} +func testIssue61474(t *testing.T, mode testMode) { + if testing.Short() { + return + } + + // This test reliably exercises the condition causing #61474, + // but requires many iterations to do so. + // Keep the test around for now, but don't run it by default. + t.Skip("test is too large") + + cst := newClientServerTest(t, mode, HandlerFunc(func(rw ResponseWriter, req *Request) { + }), func(tr *Transport) { + tr.MaxConnsPerHost = 1 + }) + var wg sync.WaitGroup + defer wg.Wait() + for range 100000 { + wg.Go(func() { + ctx, cancel := context.WithTimeout(t.Context(), 1*time.Millisecond) + defer cancel() + req, _ := NewRequestWithContext(ctx, "GET", cst.ts.URL, nil) + resp, err := cst.c.Do(req) + if err == nil { + resp.Body.Close() + } + }) + } +} -- 2.52.0