diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile index 0a37b8f38..b975fe708 100644 --- a/net/haproxy/Makefile +++ b/net/haproxy/Makefile @@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=haproxy -PKG_VERSION:=1.8.4 -PKG_RELEASE:=02 +PKG_VERSION:=1.8.5 +PKG_RELEASE:=01 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.haproxy.org/download/1.8/src/ -PKG_HASH:=e305b0a4e7dec08072841eef6ac6dcd1b5586b1eff09c2d51e152a912e8884a6 +PKG_HASH:=1c22083fa85332d5ab1c9aa8a7ec47a28d87ad9d802558808f9921d938ba20c9 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) PKG_LICENSE:=GPL-2.0 diff --git a/net/haproxy/patches/0001-BUG-MEDIUM-ssl-Dont-always-treat-SSL_ERROR_SYSCALL-as-unrecovarable.patch b/net/haproxy/patches/0001-BUG-MEDIUM-ssl-Dont-always-treat-SSL_ERROR_SYSCALL-as-unrecovarable.patch deleted file mode 100644 index 93b51dc40..000000000 --- a/net/haproxy/patches/0001-BUG-MEDIUM-ssl-Dont-always-treat-SSL_ERROR_SYSCALL-as-unrecovarable.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 2fcd544272a5498ffa49544e9f06b51bc93e55d1 Mon Sep 17 00:00:00 2001 -From: Olivier Houchard -Date: Tue, 13 Feb 2018 15:17:23 +0100 -Subject: [PATCH] BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as - unrecovarable. - -Bart Geesink reported some random errors appearing under the form of -termination flags SD in the logs for connections involving SSL traffic -to reach the servers. - -Tomek Gacek and Mateusz Malek finally narrowed down the problem to commit -c2aae74 ("MEDIUM: ssl: Handle early data with OpenSSL 1.1.1"). It happens -that the special case of SSL_ERROR_SYSCALL isn't handled anymore since -this commit. - -SSL_read() might return <= 0, and SSL_get_erro() return SSL_ERROR_SYSCALL, -without meaning the connection is gone. Before flagging the connection -as in error, check the errno value. - -This should be backported to 1.8. - -(cherry picked from commit 7e2e505006feb8f3b4a7f9e0ac5e89b5a8c4895e) -Signed-off-by: Willy Tarreau ---- - src/ssl_sock.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index aecf3dd..f118724 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -5437,6 +5437,12 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun - break; - } else if (ret == SSL_ERROR_ZERO_RETURN) - goto read0; -+ /* For SSL_ERROR_SYSCALL, make sure the error is -+ * unrecoverable before flagging the connection as -+ * in error. -+ */ -+ if (ret == SSL_ERROR_SYSCALL && (!errno || errno == EAGAIN)) -+ goto clear_ssl_error; - /* otherwise it's a real error */ - goto out_error; - } -@@ -5451,11 +5457,12 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun - conn_sock_read0(conn); - goto leave; - out_error: -+ conn->flags |= CO_FL_ERROR; -+clear_ssl_error: - /* Clear openssl global errors stack */ - ssl_sock_dump_errors(conn); - ERR_clear_error(); - -- conn->flags |= CO_FL_ERROR; - goto leave; - } - --- -1.7.10.4 - diff --git a/net/haproxy/patches/0002-BUG-MEDIUM-ssl-Shutdown-the-connection-for-reading-on-SSL_ERROR_SYSCALL.patch b/net/haproxy/patches/0002-BUG-MEDIUM-ssl-Shutdown-the-connection-for-reading-on-SSL_ERROR_SYSCALL.patch deleted file mode 100644 index 22274d366..000000000 --- a/net/haproxy/patches/0002-BUG-MEDIUM-ssl-Shutdown-the-connection-for-reading-on-SSL_ERROR_SYSCALL.patch +++ /dev/null @@ -1,63 +0,0 @@ -From f7fa1d461aa71bbc8a6c23fdcfc305f2e52ce5dd Mon Sep 17 00:00:00 2001 -From: Christopher Faulet -Date: Mon, 19 Feb 2018 14:25:15 +0100 -Subject: [PATCH] BUG/MEDIUM: ssl: Shutdown the connection for reading on - SSL_ERROR_SYSCALL - -When SSL_read returns SSL_ERROR_SYSCALL and errno is unset or set to EAGAIN, the -connection must be shut down for reading. Else, the connection loops infinitly, -consuming all the CPU. - -The bug was introduced in the commit 7e2e50500 ("BUG/MEDIUM: ssl: Don't always -treat SSL_ERROR_SYSCALL as unrecovarable."). This patch must be backported in -1.8 too. - -(cherry picked from commit 4ac77a98cda3d0f9b1d9de7bbbda2c91357f0767) -Signed-off-by: Willy Tarreau ---- - src/ssl_sock.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index f118724..a065bbb 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -5437,10 +5437,9 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun - break; - } else if (ret == SSL_ERROR_ZERO_RETURN) - goto read0; -- /* For SSL_ERROR_SYSCALL, make sure the error is -- * unrecoverable before flagging the connection as -- * in error. -- */ -+ /* For SSL_ERROR_SYSCALL, make sure to clear the error -+ * stack before shutting down the connection for -+ * reading. */ - if (ret == SSL_ERROR_SYSCALL && (!errno || errno == EAGAIN)) - goto clear_ssl_error; - /* otherwise it's a real error */ -@@ -5453,16 +5452,19 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun - conn_cond_update_sock_polling(conn); - return done; - -+ clear_ssl_error: -+ /* Clear openssl global errors stack */ -+ ssl_sock_dump_errors(conn); -+ ERR_clear_error(); - read0: - conn_sock_read0(conn); - goto leave; -+ - out_error: - conn->flags |= CO_FL_ERROR; --clear_ssl_error: - /* Clear openssl global errors stack */ - ssl_sock_dump_errors(conn); - ERR_clear_error(); -- - goto leave; - } - --- -1.7.10.4 - diff --git a/net/haproxy/patches/0003-BUG-MEDIUM-http-Switch-the-HTTP-response-in-tunnel-mode-as-earlier-as-possible.patch b/net/haproxy/patches/0003-BUG-MEDIUM-http-Switch-the-HTTP-response-in-tunnel-mode-as-earlier-as-possible.patch deleted file mode 100644 index 446a6107d..000000000 --- a/net/haproxy/patches/0003-BUG-MEDIUM-http-Switch-the-HTTP-response-in-tunnel-mode-as-earlier-as-possible.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 8a5949f2d74c3a3a6c6da25449992c312b183ef3 Mon Sep 17 00:00:00 2001 -From: Christopher Faulet -Date: Fri, 2 Feb 2018 15:54:15 +0100 -Subject: [PATCH] BUG/MEDIUM: http: Switch the HTTP response in tunnel mode as - earlier as possible - -When the body length is undefined (no Content-Length or Transfer-Encoding -headers), The reponse remains in ending mode, waiting the request is done. So, -most of time this is not a problem because the resquest is done before the -response. But when a client sends data to a server that replies without waiting -all the data, it is really not desirable to wait the end of the request to -finish the response. - -This bug was introduced when the tunneling of the request and the reponse was -refactored, in commit 4be980391 ("MINOR: http: Switch requests/responses in -TUNNEL mode only by checking txn flag"). - -This patch should be backported in 1.8 and 1.7. - -(cherry picked from commit fd04fcf5edb0a24cd29ce8f4d4dc2aa3a0e2e82c) -Signed-off-by: Willy Tarreau ---- - src/proto_http.c | 15 +++++---------- - 1 file changed, 5 insertions(+), 10 deletions(-) - -diff --git a/src/proto_http.c b/src/proto_http.c -index 64bd410..29880ea 100644 ---- a/src/proto_http.c -+++ b/src/proto_http.c -@@ -4634,16 +4634,8 @@ int http_sync_res_state(struct stream *s) - * let's enforce it now that we're not expecting any new - * data to come. The caller knows the stream is complete - * once both states are CLOSED. -- * -- * However, there is an exception if the response length -- * is undefined. In this case, we switch in TUNNEL mode. - */ -- if (!(txn->rsp.flags & HTTP_MSGF_XFER_LEN)) { -- channel_auto_read(chn); -- txn->rsp.msg_state = HTTP_MSG_TUNNEL; -- chn->flags |= CF_NEVER_WAIT; -- } -- else if (!(chn->flags & (CF_SHUTW|CF_SHUTW_NOW))) { -+ if (!(chn->flags & (CF_SHUTW|CF_SHUTW_NOW))) { - channel_shutr_now(chn); - channel_shutw_now(chn); - } -@@ -6241,6 +6233,8 @@ http_msg_forward_body(struct stream *s, struct http_msg *msg) - /* The server still sending data that should be filtered */ - if (!(chn->flags & CF_SHUTR) && HAS_DATA_FILTERS(s, chn)) - goto missing_data_or_waiting; -+ msg->msg_state = HTTP_MSG_TUNNEL; -+ goto ending; - } - - msg->msg_state = HTTP_MSG_ENDING; -@@ -6262,7 +6256,8 @@ http_msg_forward_body(struct stream *s, struct http_msg *msg) - /* default_ret */ 1, - /* on_error */ goto error, - /* on_wait */ goto waiting); -- msg->msg_state = HTTP_MSG_DONE; -+ if (msg->msg_state == HTTP_MSG_ENDING) -+ msg->msg_state = HTTP_MSG_DONE; - return 1; - - missing_data_or_waiting: --- -1.7.10.4 - diff --git a/net/haproxy/patches/0004-BUG-MEDIUM-ssl-sample-ssl_bc_-fetch-keywords-are-broken.patch b/net/haproxy/patches/0004-BUG-MEDIUM-ssl-sample-ssl_bc_-fetch-keywords-are-broken.patch deleted file mode 100644 index 11d2ef9c0..000000000 --- a/net/haproxy/patches/0004-BUG-MEDIUM-ssl-sample-ssl_bc_-fetch-keywords-are-broken.patch +++ /dev/null @@ -1,103 +0,0 @@ -From 7ccf7c9791f2b2329f3940d1347618af3a77bebc Mon Sep 17 00:00:00 2001 -From: Emeric Brun -Date: Mon, 19 Feb 2018 15:59:48 +0100 -Subject: [PATCH] BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken. - -Since the split between connections and conn-stream objects, this -keywords are broken. - -This patch must be backported in 1.8 - -(cherry picked from commit eb8def9f34c37537d56a69fcd211d4c4c8006bea) -Signed-off-by: Willy Tarreau ---- - src/ssl_sock.c | 31 ++++++++++++++----------------- - 1 file changed, 14 insertions(+), 17 deletions(-) - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 4d0d5db..d832d76 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -6580,8 +6580,8 @@ smp_fetch_ssl_x_key_alg(const struct arg *args, struct sample *smp, const char * - static int - smp_fetch_ssl_fc(const struct arg *args, struct sample *smp, const char *kw, void *private) - { -- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin : -- smp->strm ? smp->strm->si[1].end : NULL); -+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : -+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; - - smp->data.type = SMP_T_BOOL; - smp->data.u.sint = (conn && conn->xprt == &ssl_sock); -@@ -6625,8 +6625,8 @@ smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const ch - static int - smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *kw, void *private) - { -- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin : -- smp->strm ? smp->strm->si[1].end : NULL); -+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : -+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; - - smp->flags = 0; - if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) -@@ -6651,9 +6651,8 @@ smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char * - static int - smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private) - { -- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin : -- smp->strm ? smp->strm->si[1].end : NULL); -- -+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : -+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; - int sint; - - smp->flags = 0; -@@ -6676,8 +6675,8 @@ smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const c - static int - smp_fetch_ssl_fc_use_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private) - { -- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin : -- smp->strm ? smp->strm->si[1].end : NULL); -+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : -+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; - - smp->flags = 0; - if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) -@@ -6747,8 +6746,8 @@ smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw - static int - smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char *kw, void *private) - { -- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin : -- smp->strm ? smp->strm->si[1].end : NULL); -+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : -+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; - - smp->flags = 0; - if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) -@@ -6773,9 +6772,8 @@ static int - smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const char *kw, void *private) - { - #if OPENSSL_VERSION_NUMBER > 0x0090800fL -- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin : -- smp->strm ? smp->strm->si[1].end : NULL); -- -+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : -+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; - SSL_SESSION *ssl_sess; - - smp->flags = SMP_F_CONST; -@@ -6917,9 +6915,8 @@ static int - smp_fetch_ssl_fc_unique_id(const struct arg *args, struct sample *smp, const char *kw, void *private) - { - #if OPENSSL_VERSION_NUMBER > 0x0090800fL -- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin : -- smp->strm ? smp->strm->si[1].end : NULL); -- -+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : -+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; - int finished_len; - struct chunk *finished_trash; - --- -1.7.10.4 - diff --git a/net/haproxy/patches/0005-BUG-MEDIUM-h2-always-consume-any-trailing-data-after-end-of-output-buffers.patch b/net/haproxy/patches/0005-BUG-MEDIUM-h2-always-consume-any-trailing-data-after-end-of-output-buffers.patch deleted file mode 100644 index 2ed041f39..000000000 --- a/net/haproxy/patches/0005-BUG-MEDIUM-h2-always-consume-any-trailing-data-after-end-of-output-buffers.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 6fc36785addd45cc76a029a023296def53cff135 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Tue, 27 Feb 2018 15:37:25 +0100 -Subject: [PATCH] BUG/MEDIUM: h2: always consume any trailing data after end - of output buffers - -In case a stream tries to emit more data than advertised by the chunks -or content-length headers, the extra data remains in the channel's output -buffer until the channel's timeout expires. It can easily happen when -sending malformed error files making use of a wrong content-length or -having extra CRLFs after the empty chunk. It may also be possible to -forge such a bad response using Lua. - -The H1 to H2 encoder must protect itself against this by marking the data -presented to it as consumed if it decides to discard them, so that the -sending stream doesn't wait for the timeout to trigger. - -The visible effect of this problem is a huge memory usage and a high -concurrent connection count during benchmarks when using such bad data -(a typical place where this easily happens). - -This fix must be backported to 1.8. - -(cherry picked from commit 35a62705df65632e2717ae0d20a93e0cb3f8f163) -Signed-off-by: Willy Tarreau ---- - src/mux_h2.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/src/mux_h2.c b/src/mux_h2.c -index caae041..4303a06 100644 ---- a/src/mux_h2.c -+++ b/src/mux_h2.c -@@ -3020,6 +3020,9 @@ static int h2s_frt_make_resp_headers(struct h2s *h2s, struct buffer *buf) - * body or directly end in TRL2. - */ - if (es_now) { -+ // trim any possibly pending data (eg: inconsistent content-length) -+ bo_del(buf, buf->o); -+ - h1m->state = HTTP_MSG_DONE; - h2s->flags |= H2_SF_ES_SENT; - if (h2s->st == H2_SS_OPEN) -@@ -3269,8 +3272,12 @@ static int h2s_frt_make_resp_data(struct h2s *h2s, struct buffer *buf) - else - h2c_stream_close(h2c, h2s); - -- if (!(h1m->flags & H1_MF_CHNK)) -+ if (!(h1m->flags & H1_MF_CHNK)) { -+ // trim any possibly pending data (eg: inconsistent content-length) -+ bo_del(buf, buf->o); -+ - h1m->state = HTTP_MSG_DONE; -+ } - - h2s->flags |= H2_SF_ES_SENT; - } -@@ -3319,6 +3326,10 @@ static int h2_snd_buf(struct conn_stream *cs, struct buffer *buf, int flags) - } - total += count; - bo_del(buf, count); -+ -+ // trim any possibly pending data (eg: extra CR-LF, ...) -+ bo_del(buf, buf->o); -+ - h2s->res.state = HTTP_MSG_DONE; - break; - } --- -1.7.10.4 - diff --git a/net/haproxy/patches/0006-BUG-MEDIUM-buffer-Fix-the-wrapping-case-in-bo_putblk.patch b/net/haproxy/patches/0006-BUG-MEDIUM-buffer-Fix-the-wrapping-case-in-bo_putblk.patch deleted file mode 100644 index 94eec1f6b..000000000 --- a/net/haproxy/patches/0006-BUG-MEDIUM-buffer-Fix-the-wrapping-case-in-bo_putblk.patch +++ /dev/null @@ -1,33 +0,0 @@ -From fefb8592821ff0fa56f435c581d6e92e563e7ad7 Mon Sep 17 00:00:00 2001 -From: Christopher Faulet -Date: Mon, 26 Feb 2018 10:47:03 +0100 -Subject: [PATCH] BUG/MEDIUM: buffer: Fix the wrapping case in bo_putblk - -When the block of data need to be split to support the wrapping, the start of -the second block of data was wrong. We must be sure to skip data copied during -the first memcpy. - -This patch must be backported to 1.8, 1.7, 1.6 and 1.5. - -(cherry picked from commit b2b279464c5c0f3dfadf02333e06eb0ae8ae8793) -Signed-off-by: Willy Tarreau ---- - include/common/buffer.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/common/buffer.h b/include/common/buffer.h -index 976085e..ae9aafd 100644 ---- a/include/common/buffer.h -+++ b/include/common/buffer.h -@@ -468,7 +468,7 @@ static inline int bo_putblk(struct buffer *b, const char *blk, int len) - memcpy(b->p, blk, half); - b->p = b_ptr(b, half); - if (len > half) { -- memcpy(b->p, blk, len - half); -+ memcpy(b->p, blk + half, len - half); - b->p = b_ptr(b, half); - } - b->o += len; --- -1.7.10.4 - diff --git a/net/haproxy/patches/0007-BUG-MEDIUM-buffer-Fix-the-wrapping-case-in-bi_putblk.patch b/net/haproxy/patches/0007-BUG-MEDIUM-buffer-Fix-the-wrapping-case-in-bi_putblk.patch deleted file mode 100644 index 93ca220a9..000000000 --- a/net/haproxy/patches/0007-BUG-MEDIUM-buffer-Fix-the-wrapping-case-in-bi_putblk.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 14f325000b91649b9d117c4d53d6b194ed3c7b11 Mon Sep 17 00:00:00 2001 -From: Christopher Faulet -Date: Mon, 26 Feb 2018 10:51:28 +0100 -Subject: [PATCH] BUG/MEDIUM: buffer: Fix the wrapping case in bi_putblk - -When the block of data need to be split to support the wrapping, the start of -the second block of data was wrong. We must be sure to skup data copied during -the first memcpy. - -This patch must be backported to 1.8. - -(cherry picked from commit ca6ef506610e9d78f99b7ab2095ce0f8a47e18df) -Signed-off-by: Willy Tarreau ---- - include/common/buffer.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/common/buffer.h b/include/common/buffer.h -index ae9aafd..0e63913 100644 ---- a/include/common/buffer.h -+++ b/include/common/buffer.h -@@ -577,7 +577,7 @@ static inline int bi_putblk(struct buffer *b, const char *blk, int len) - - memcpy(bi_end(b), blk, half); - if (len > half) -- memcpy(b_ptr(b, b->i + half), blk, len - half); -+ memcpy(b_ptr(b, b->i + half), blk + half, len - half); - b->i += len; - return len; - } --- -1.7.10.4 - diff --git a/net/haproxy/patches/0008-BUG-MEDIUM-h2-also-arm-the-h2-timeout-when-sending.patch b/net/haproxy/patches/0008-BUG-MEDIUM-h2-also-arm-the-h2-timeout-when-sending.patch deleted file mode 100644 index 9096eb15a..000000000 --- a/net/haproxy/patches/0008-BUG-MEDIUM-h2-also-arm-the-h2-timeout-when-sending.patch +++ /dev/null @@ -1,46 +0,0 @@ -From ccfb5d755f1708f890b197375d962d8c938e78bd Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Mon, 5 Mar 2018 16:10:54 +0100 -Subject: [PATCH] BUG/MEDIUM: h2: also arm the h2 timeout when sending - -Right now the h2 idle timeout is only set when there is no stream. If we -fail to send because the socket buffers are full (generally indicating -the client has left), we also need to arm it so that we can properly -expire such connections, otherwise some failed transfers might leave -H2 connections pending forever. - -Thanks to Thierry Fournier for the diag and the traces. - -This patch needs to be backported to 1.8. - -(cherry picked from commit 84b118f3120b3c61156f0ada12ae6456bd1a0b5a) -Signed-off-by: Willy Tarreau ---- - src/mux_h2.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/mux_h2.c b/src/mux_h2.c -index 4303a06..5446fd4 100644 ---- a/src/mux_h2.c -+++ b/src/mux_h2.c -@@ -2329,7 +2329,7 @@ static int h2_wake(struct connection *conn) - } - - if (h2c->task) { -- if (eb_is_empty(&h2c->streams_by_id)) { -+ if (eb_is_empty(&h2c->streams_by_id) || h2c->mbuf->o) { - h2c->task->expire = tick_add(now_ms, h2c->last_sid < 0 ? h2c->timeout : h2c->shut_timeout); - task_queue(h2c->task); - } -@@ -2501,7 +2501,7 @@ static void h2_detach(struct conn_stream *cs) - h2_release(h2c->conn); - } - else if (h2c->task) { -- if (eb_is_empty(&h2c->streams_by_id)) { -+ if (eb_is_empty(&h2c->streams_by_id) || h2c->mbuf->o) { - h2c->task->expire = tick_add(now_ms, h2c->last_sid < 0 ? h2c->timeout : h2c->shut_timeout); - task_queue(h2c->task); - } --- -1.7.10.4 - diff --git a/net/haproxy/patches/0009-BUG-MEDIUM-fix-a-100-cpu-usage-with-cpu-map-and-nbthread-nbproc.patch b/net/haproxy/patches/0009-BUG-MEDIUM-fix-a-100-cpu-usage-with-cpu-map-and-nbthread-nbproc.patch deleted file mode 100644 index 23a4028ca..000000000 --- a/net/haproxy/patches/0009-BUG-MEDIUM-fix-a-100-cpu-usage-with-cpu-map-and-nbthread-nbproc.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 5149cd3c7abad68ddb19a0a5b3b604786d5f1b95 Mon Sep 17 00:00:00 2001 -From: =?utf8?q?Cyril=20Bont=C3=A9?= -Date: Mon, 12 Mar 2018 21:47:39 +0100 -Subject: [PATCH] BUG/MEDIUM: fix a 100% cpu usage with cpu-map and - nbthread/nbproc - -Krishna Kumar reported a 100% cpu usage with a configuration using -cpu-map and a high number of threads, - -Indeed, this minimal configuration to reproduce the issue : - global - nbthread 40 - cpu-map auto:1/1-40 0-39 - - frontend test - bind :8000 - -This is due to a wrong type in a shift operator (int vs unsigned long int), -causing an endless loop while applying the cpu affinity on threads. The same -issue may also occur with nbproc under FreeBSD. This commit addresses both -cases. - -This patch must be backported to 1.8. - -(cherry picked from commit d400ab3a369523538c426cb70e059954c76b69c3) -Signed-off-by: Willy Tarreau ---- - src/haproxy.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/haproxy.c b/src/haproxy.c -index 09f7b5e..7d6e019 100644 ---- a/src/haproxy.c -+++ b/src/haproxy.c -@@ -2838,7 +2838,7 @@ int main(int argc, char **argv) - CPU_ZERO(&cpuset); - while ((i = ffsl(cpu_map)) > 0) { - CPU_SET(i - 1, &cpuset); -- cpu_map &= ~(1 << (i - 1)); -+ cpu_map &= ~(1UL << (i - 1)); - } - ret = cpuset_setaffinity(CPU_LEVEL_WHICH, CPU_WHICH_PID, -1, sizeof(cpuset), &cpuset); - } -@@ -3038,7 +3038,7 @@ int main(int argc, char **argv) - - while ((j = ffsl(cpu_map)) > 0) { - CPU_SET(j - 1, &cpuset); -- cpu_map &= ~(1 << (j - 1)); -+ cpu_map &= ~(1UL << (j - 1)); - } - pthread_setaffinity_np(threads[i], - sizeof(cpuset), &cpuset); --- -1.7.10.4 - diff --git a/net/haproxy/patches/0010-BUG-MEDIUM-spoe-Remove-idle-applets-from-idle-list-when-HAProxy-is-stopping.patch b/net/haproxy/patches/0010-BUG-MEDIUM-spoe-Remove-idle-applets-from-idle-list-when-HAProxy-is-stopping.patch deleted file mode 100644 index ca714224b..000000000 --- a/net/haproxy/patches/0010-BUG-MEDIUM-spoe-Remove-idle-applets-from-idle-list-when-HAProxy-is-stopping.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 7034083b5063d28276b986d645d18071aba5f4d5 Mon Sep 17 00:00:00 2001 -From: Christopher Faulet -Date: Wed, 28 Feb 2018 13:33:26 +0100 -Subject: [PATCH] BUG/MEDIUM: spoe: Remove idle applets from idle list when - HAProxy is stopping - -In the SPOE applet's handler, when an applet is switched from the state IDLE to -PROCESSING, it is removed for the list of idle applets. But when HAProxy is -stopping, this applet can be switched to DISCONNECT. In this case, we also need -to remove it from the list of idle applets. Else the applet is removed but still -present in the list. It could lead to a segmentation fault or an infinite loop, -depending the code path. - -(cherry picked from commit 7d9f1ba246055046eed547fa35aa546683021dce) -[wt: adapted context for 1.8] -Signed-off-by: Willy Tarreau ---- - src/flt_spoe.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/flt_spoe.c b/src/flt_spoe.c -index 8fb6e0b..e76a352 100644 ---- a/src/flt_spoe.c -+++ b/src/flt_spoe.c -@@ -1866,6 +1866,7 @@ spoe_handle_appctx(struct appctx *appctx) - goto switchstate; - - case SPOE_APPCTX_ST_IDLE: -+ agent->rt[tid].applets_idle--; - if (stopping && - LIST_ISEMPTY(&agent->rt[tid].sending_queue) && - LIST_ISEMPTY(&SPOE_APPCTX(appctx)->waiting_queue)) { -@@ -1874,7 +1875,6 @@ spoe_handle_appctx(struct appctx *appctx) - appctx->st0 = SPOE_APPCTX_ST_DISCONNECT; - goto switchstate; - } -- agent->rt[tid].applets_idle--; - appctx->st0 = SPOE_APPCTX_ST_PROCESSING; - /* fall through */ - --- -1.7.10.4 -