[master] 2065315af Fix a potential race between boc state and the storage list

[Dridi Boukelmoune]

commit 2065315afcf7b92dd2e113636c853f52ca12b4f5
Author: Nils Goroll <nils.goroll at uplex.de>
Date:   Sun May 24 22:00:24 2020 +0200

    Fix a potential race between boc state and the storage list
    
    We check for the next storage element under the boc mutex, but reference
    the boc state in relation to it after releasing the lock.
    
    Take a copy of the boc state to close this (potential) race.
    
    Fixes #3335, hopefully

diff --git a/bin/varnishd/storage/storage_simple.c b/bin/varnishd/storage/storage_simple.c
index 6bfb1f8f6..bc13f443c 100644
--- a/bin/varnishd/storage/storage_simple.c
+++ b/bin/varnishd/storage/storage_simple.c
@@ -236,6 +236,7 @@ sml_iterator(struct worker *wrk, struct objcore *oc,
     void *priv, objiterate_f *func, int final)
 {
 	struct boc *boc;
+	enum boc_state_e state;
 	struct object *obj;
 	struct storage *st;
 	struct storage *checkpoint = NULL;
@@ -329,12 +330,13 @@ sml_iterator(struct worker *wrk, struct objcore *oc,
 		st = VTAILQ_NEXT(st, list);
 		if (st != NULL && st->len == 0)
 			st = NULL;
+		state = boc->state;
 		Lck_Unlock(&boc->mtx);
-		assert(l > 0 || boc->state == BOS_FINISHED);
+		assert(l > 0 || state == BOS_FINISHED);
 		u = 0;
 		if (st == NULL || final)
 			u |= OBJ_ITER_FLUSH;
-		if (st == NULL && boc->state == BOS_FINISHED)
+		if (st == NULL && state == BOS_FINISHED)
 			u |= OBJ_ITER_END;
 		ret = func(priv, u, p, l);
 		if (ret)