[master] 6287cadcc h2: Consistently release the session workspace in h2_rxframe

[Walid Boudebouda]

commit 6287cadccf89fed3c5af1141343a7c419287eda1
Author: Walid Boudebouda <walid.boudebouda at gmail.com>
Date:   Fri Sep 19 18:44:23 2025 +0200

    h2: Consistently release the session workspace in h2_rxframe
    
    All other code paths returning from h2_rxframe guarantee that the
    h2 session workspace is released as they all go through HTC_RxStuff.
    The only exception was this code path that is particularly hard to
    hit, as it requires h2->goaway to be set without having h2->error
    at the same time.
    
    Fixes: #4396

diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c
index 2956516d6..6d9ddae7d 100644
--- a/bin/varnishd/http2/cache_http2_proto.c
+++ b/bin/varnishd/http2/cache_http2_proto.c
@@ -1517,8 +1517,11 @@ h2_rxframe(struct worker *wrk, struct h2_sess *h2)
 
 	ASSERT_RXTHR(h2);
 
-	if (h2->goaway && h2->open_streams == 0)
+	if (h2->goaway && h2->open_streams == 0) {
+		// h2 WS must always be released before returning
+		WS_ReleaseP(h2->ws, h2->htc->rxbuf_b);
 		return (0);
+	}
 
 	h2->t1 = NAN;
 	VTCP_blocking(*h2->htc->rfd);
diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c
index 46b02dc09..5e4bdbed9 100644
--- a/bin/varnishd/http2/cache_http2_session.c
+++ b/bin/varnishd/http2/cache_http2_session.c
@@ -436,6 +436,7 @@ h2_new_session(struct worker *wrk, void *arg)
 		AN(WS_Reservation(h2->ws));
 	}
 
+	assert(!WS_IsReserved(h2->ws));
 	AN(h2->error);
 
 	/* Delete all idle streams */