diff options
| author | Thomas Heil <heil@terminal-consulting.de> | 2018-09-23 23:28:26 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-09-23 23:28:26 +0200 |
| commit | 27df687034ca073622d8bb85d51819c7e215974e (patch) | |
| tree | 574aa726ea73445e583f110ff268fa819f20f34f /net | |
| parent | c69af6717cc28f946284a729c4c2b8954eede673 (diff) | |
| parent | 60138d90b8a79e1a8a542590c1eac114ad2fead9 (diff) | |
Merge pull request #7086 from gladiac1337/feature-haproxy-v1.8.14
haproxy: Update HAProxy to v1.8.14
Diffstat (limited to 'net')
26 files changed, 4 insertions, 2031 deletions
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile index 2c1866504..268501d72 100644 --- a/net/haproxy/Makefile +++ b/net/haproxy/Makefile @@ -10,12 +10,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=haproxy -PKG_VERSION:=1.8.13 -PKG_RELEASE:=2 +PKG_VERSION:=1.8.14 +PKG_RELEASE:=1 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.haproxy.org/download/1.8/src/ -PKG_HASH:=2bf5dafbb5f1530c0e67ab63666565de948591f8e0ee2a1d3c84c45e738220f1 +PKG_HASH:=b17e402578be85e58af7a3eac99b1f675953bea9f67af2e964cf8bdbd1bd3fdf PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) PKG_LICENSE:=GPL-2.0 diff --git a/net/haproxy/get-latest-patches.sh b/net/haproxy/get-latest-patches.sh index 77ed6415a..4612ccdae 100755 --- a/net/haproxy/get-latest-patches.sh +++ b/net/haproxy/get-latest-patches.sh @@ -1,7 +1,7 @@ #!/bin/bash CLONEURL=http://git.haproxy.org/git/haproxy-1.8.git -BASE_TAG=v1.8.13 +BASE_TAG=v1.8.14 TMP_REPODIR=tmprepo PATCHESDIR=patches diff --git a/net/haproxy/patches/0000-BUG-MEDIUM-servers-check-the-queues-once-enabling-a-server.patch b/net/haproxy/patches/0000-BUG-MEDIUM-servers-check-the-queues-once-enabling-a-server.patch deleted file mode 100644 index ba5c02292..000000000 --- a/net/haproxy/patches/0000-BUG-MEDIUM-servers-check-the-queues-once-enabling-a-server.patch +++ /dev/null @@ -1,46 +0,0 @@ -commit ef9b56022c656df34044103a317b7b890ced6628 -Author: Willy Tarreau <w@1wt.eu> -Date: Tue Aug 7 10:14:53 2018 +0200 - - BUG/MEDIUM: servers: check the queues once enabling a server - - Commit 64cc49c ("MAJOR: servers: propagate server status changes - asynchronously.") heavily changed the way the server states are - updated since they became asynchronous. During this change, some - code was lost, which is used to shut down some sessions from a - backup server and to pick pending connections from a proxy once - a server is turned back from maintenance to ready state. The - effect is that when temporarily disabling a server, connections - stay in the backend's queue, and when re-enabling it, they are - not picked and they expire in the backend's queue. Now they're - properly picked again. - - This fix must be backported to 1.8. - - (cherry picked from commit 6a78e61694d69beb49c0e8486be9550f5e8b7d08) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/server.c b/src/server.c -index 3d6a4093..fbed6cd4 100644 ---- a/src/server.c -+++ b/src/server.c -@@ -4774,6 +4774,19 @@ void srv_update_status(struct server *s) - if (prev_srv_count && s->proxy->srv_bck == 0 && s->proxy->srv_act == 0) - set_backend_down(s->proxy); - -+ /* If the server is set with "on-marked-up shutdown-backup-sessions", -+ * and it's not a backup server and its effective weight is > 0, -+ * then it can accept new connections, so we shut down all streams -+ * on all backup servers. -+ */ -+ if ((s->onmarkedup & HANA_ONMARKEDUP_SHUTDOWNBACKUPSESSIONS) && -+ !(s->flags & SRV_F_BACKUP) && s->next_eweight) -+ srv_shutdown_backup_streams(s->proxy, SF_ERR_UP); -+ -+ /* check if we can handle some connections queued at the proxy. We -+ * will take as many as we can handle. -+ */ -+ xferred = pendconn_grab_from_px(s); - } - else if (s->next_admin & SRV_ADMF_MAINT) { - /* remaining in maintenance mode, let's inform precisely about the diff --git a/net/haproxy/patches/0001-BUG-MEDIUM-queue-prevent-a-backup-server-from-draining-the-proxys-connections.patch b/net/haproxy/patches/0001-BUG-MEDIUM-queue-prevent-a-backup-server-from-draining-the-proxys-connections.patch deleted file mode 100644 index 54d3b8c30..000000000 --- a/net/haproxy/patches/0001-BUG-MEDIUM-queue-prevent-a-backup-server-from-draining-the-proxys-connections.patch +++ /dev/null @@ -1,52 +0,0 @@ -commit 5550143cd6de58c6e733e389c6946e3dd26e89c0 -Author: Willy Tarreau <w@1wt.eu> -Date: Tue Aug 7 10:44:58 2018 +0200 - - BUG/MEDIUM: queue: prevent a backup server from draining the proxy's connections - - When switching back from a backup to an active server, the backup server - currently continues to drain the proxy's connections, which is a problem - because it's not expected to be able to pick them. - - This patch ensures that a backup server will only pick backend connections - if there is no active server and it is the selected backup server or all - backup servers are supposed to be used. - - This issue seems to have existed forever, so this fix should be backported - to all stable versions. - - (cherry picked from commit a8694654ba021bf1e0e560a98ab5e70dc44d212e) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/queue.c b/src/queue.c -index 1c730c75..b0b89426 100644 ---- a/src/queue.c -+++ b/src/queue.c -@@ -117,7 +117,10 @@ static int pendconn_process_next_strm(struct server *srv, struct proxy *px) - } - - ps_found: -- if (srv_currently_usable(rsrv) && px->nbpend) { -+ if (srv_currently_usable(rsrv) && px->nbpend && -+ (!(srv->flags & SRV_F_BACKUP) || -+ (!px->srv_act && -+ (srv == px->lbprm.fbck || (px->options & PR_O_USE_ALL_BK))))) { - struct pendconn *pp; - - list_for_each_entry(pp, &px->pendconns, list) { -@@ -287,6 +290,15 @@ int pendconn_grab_from_px(struct server *s) - if (!srv_currently_usable(s)) - return 0; - -+ /* if this is a backup server and there are active servers or at -+ * least another backup server was elected, then this one must -+ * not dequeue requests from the proxy. -+ */ -+ if ((s->flags & SRV_F_BACKUP) && -+ (s->proxy->srv_act || -+ ((s != s->proxy->lbprm.fbck) && !(s->proxy->options & PR_O_USE_ALL_BK)))) -+ return 0; -+ - HA_SPIN_LOCK(PROXY_LOCK, &s->proxy->lock); - maxconn = srv_dynamic_maxconn(s); - list_for_each_entry_safe(p, pback, &s->proxy->pendconns, list) { diff --git a/net/haproxy/patches/0002-MINOR-dns-fix-wrong-score-computation-in-dns_get_ip_from_response.patch b/net/haproxy/patches/0002-MINOR-dns-fix-wrong-score-computation-in-dns_get_ip_from_response.patch deleted file mode 100644 index aacb7f035..000000000 --- a/net/haproxy/patches/0002-MINOR-dns-fix-wrong-score-computation-in-dns_get_ip_from_response.patch +++ /dev/null @@ -1,43 +0,0 @@ -commit 7d395954136c45e1533f355068399fec5e606db1 -Author: Baptiste Assmann <bedis9@gmail.com> -Date: Fri Jun 22 13:03:50 2018 +0200 - - MINOR: dns: fix wrong score computation in dns_get_ip_from_response - - dns_get_ip_from_response() is used to compare the caller current IP to - the IP available in the records returned by the DNS server. - A scoring system is in place to get the best IP address available. - That said, in the current implementation, there are a couple of issues: - 1. a comment does not match what the code does - 2. the code does not match what the commet says (score value is not - incremented with '2') - - This patch fixes both issues. - - Backport status: 1.8 - - (cherry picked from commit 84221b4e9010810cf93b7ad7a31d825fa9fc26bf) - [wt: Baptiste explicitly asked for this one to be backported to stable] - Cc: Baptiste <bedis9@gmail.com> - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/dns.c b/src/dns.c -index 153a46b2..d8388ef1 100644 ---- a/src/dns.c -+++ b/src/dns.c -@@ -1027,10 +1027,13 @@ int dns_get_ip_from_response(struct dns_response_packet *dns_p, - } - - /* Check if the IP found in the record is already affected to a -- * member of a group. If yes, the score should be incremented -+ * member of a group. If not, the score should be incremented - * by 2. */ -- if (owner && snr_check_ip_callback(owner, ip, &ip_type)) -+ if (owner && snr_check_ip_callback(owner, ip, &ip_type)) { - continue; -+ } else { -+ score += 2; -+ } - - /* Check for current ip matching. */ - if (ip_type == currentip_sin_family && diff --git a/net/haproxy/patches/0003-MINOR-dns-new-DNS-options-to-allow-prevent-IP-address-duplication.patch b/net/haproxy/patches/0003-MINOR-dns-new-DNS-options-to-allow-prevent-IP-address-duplication.patch deleted file mode 100644 index e824bb082..000000000 --- a/net/haproxy/patches/0003-MINOR-dns-new-DNS-options-to-allow-prevent-IP-address-duplication.patch +++ /dev/null @@ -1,158 +0,0 @@ -commit c1bfcd002f54d1d84a99282d13f875c2649f3d70 -Author: Baptiste Assmann <bedis9@gmail.com> -Date: Fri Jun 22 15:04:43 2018 +0200 - - MINOR: dns: new DNS options to allow/prevent IP address duplication - - By default, HAProxy's DNS resolution at runtime ensure that there is no - IP address duplication in a backend (for servers being resolved by the - same hostname). - There are a few cases where people want, on purpose, to disable this - feature. - - This patch introduces a couple of new server side options for this purpose: - "resolve-opts allow-dup-ip" or "resolve-opts prevent-dup-ip". - - (cherry picked from commit 8e2d9430c0562ed74276d7f58e92706c384c0a36) - - [wt: this is backported to 1.8 upon request from Baptiste because it offers - the option to revert to 1.7 behaviour, which some people depend on. The - address deduplication used on 1.8 apparently is not suited to everyone] - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/doc/configuration.txt b/doc/configuration.txt -index 011533a0..1973bbf2 100644 ---- a/doc/configuration.txt -+++ b/doc/configuration.txt -@@ -11623,6 +11623,40 @@ rise <count> - after <count> consecutive successful health checks. This value defaults to 2 - if unspecified. See also the "check", "inter" and "fall" parameters. - -+resolve-opts <option>,<option>,... -+ Comma separated list of options to apply to DNS resolution linked to this -+ server. -+ -+ Available options: -+ -+ * allow-dup-ip -+ By default, HAProxy prevents IP address duplication in a backend when DNS -+ resolution at runtime is in operation. -+ That said, for some cases, it makes sense that two servers (in the same -+ backend, being resolved by the same FQDN) have the same IP address. -+ For such case, simply enable this option. -+ This is the opposite of prevent-dup-ip. -+ -+ * prevent-dup-ip -+ Ensure HAProxy's default behavior is enforced on a server: prevent re-using -+ an IP address already set to a server in the same backend and sharing the -+ same fqdn. -+ This is the opposite of allow-dup-ip. -+ -+ Example: -+ backend b_myapp -+ default-server init-addr none resolvers dns -+ server s1 myapp.example.com:80 check resolve-opts allow-dup-ip -+ server s2 myapp.example.com:81 check resolve-opts allow-dup-ip -+ -+ With the option allow-dup-ip set: -+ * if the nameserver returns a single IP address, then both servers will use -+ it -+ * If the nameserver returns 2 IP addresses, then each server will pick up a -+ different address -+ -+ Default value: not set -+ - resolve-prefer <family> - When DNS resolution is enabled for a server and multiple IP addresses from - different families are returned, HAProxy will prefer using an IP address -diff --git a/include/types/dns.h b/include/types/dns.h -index 9b1d08df..488d3996 100644 ---- a/include/types/dns.h -+++ b/include/types/dns.h -@@ -245,6 +245,8 @@ struct dns_options { - } mask; - } pref_net[SRV_MAX_PREF_NET]; - int pref_net_nb; /* The number of registered prefered networks. */ -+ int accept_duplicate_ip; /* flag to indicate whether the associated object can use an IP address -+ already set to an other object of the same group */ - }; - - /* Resolution structure associated to single server and used to manage name -diff --git a/src/dns.c b/src/dns.c -index d8388ef1..b31000a2 100644 ---- a/src/dns.c -+++ b/src/dns.c -@@ -965,8 +965,10 @@ int dns_get_ip_from_response(struct dns_response_packet *dns_p, - int currentip_sel; - int j; - int score, max_score; -+ int allowed_duplicated_ip; - - family_priority = dns_opts->family_prio; -+ allowed_duplicated_ip = dns_opts->accept_duplicate_ip; - *newip = newip4 = newip6 = NULL; - currentip_found = 0; - *newip_sin_family = AF_UNSPEC; -@@ -1030,7 +1032,9 @@ int dns_get_ip_from_response(struct dns_response_packet *dns_p, - * member of a group. If not, the score should be incremented - * by 2. */ - if (owner && snr_check_ip_callback(owner, ip, &ip_type)) { -- continue; -+ if (!allowed_duplicated_ip) { -+ continue; -+ } - } else { - score += 2; - } -diff --git a/src/server.c b/src/server.c -index fbed6cd4..36a05e27 100644 ---- a/src/server.c -+++ b/src/server.c -@@ -1506,6 +1506,7 @@ static void srv_settings_cpy(struct server *srv, struct server *src, int srv_tmp - if (src->resolvers_id != NULL) - srv->resolvers_id = strdup(src->resolvers_id); - srv->dns_opts.family_prio = src->dns_opts.family_prio; -+ srv->dns_opts.accept_duplicate_ip = src->dns_opts.accept_duplicate_ip; - if (srv->dns_opts.family_prio == AF_UNSPEC) - srv->dns_opts.family_prio = AF_INET6; - memcpy(srv->dns_opts.pref_net, -@@ -2044,6 +2045,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr - newsrv = &curproxy->defsrv; - cur_arg = 1; - newsrv->dns_opts.family_prio = AF_INET6; -+ newsrv->dns_opts.accept_duplicate_ip = 0; - } - - while (*args[cur_arg]) { -@@ -2139,6 +2141,31 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr - newsrv->resolvers_id = strdup(args[cur_arg + 1]); - cur_arg += 2; - } -+ else if (!strcmp(args[cur_arg], "resolve-opts")) { -+ char *p, *end; -+ -+ for (p = args[cur_arg + 1]; *p; p = end) { -+ /* cut on next comma */ -+ for (end = p; *end && *end != ','; end++); -+ if (*end) -+ *(end++) = 0; -+ -+ if (!strcmp(p, "allow-dup-ip")) { -+ newsrv->dns_opts.accept_duplicate_ip = 1; -+ } -+ else if (!strcmp(p, "prevent-dup-ip")) { -+ newsrv->dns_opts.accept_duplicate_ip = 0; -+ } -+ else { -+ ha_alert("parsing [%s:%d]: '%s' : unknown resolve-opts option '%s', supported methods are 'allow-dup-ip' and 'prevent-dup-ip'.\n", -+ file, linenum, args[cur_arg], p); -+ err_code |= ERR_ALERT | ERR_FATAL; -+ goto out; -+ } -+ } -+ -+ cur_arg += 2; -+ } - else if (!strcmp(args[cur_arg], "resolve-prefer")) { - if (!strcmp(args[cur_arg + 1], "ipv4")) - newsrv->dns_opts.family_prio = AF_INET; diff --git a/net/haproxy/patches/0004-BUG-MEDIUM-lua-possible-CLOSE-WAIT-state-with-n-headers.patch b/net/haproxy/patches/0004-BUG-MEDIUM-lua-possible-CLOSE-WAIT-state-with-n-headers.patch deleted file mode 100644 index 09c765ecc..000000000 --- a/net/haproxy/patches/0004-BUG-MEDIUM-lua-possible-CLOSE-WAIT-state-with-n-headers.patch +++ /dev/null @@ -1,72 +0,0 @@ -commit d804e5e6b76bfd34576305ff33fe32aacb1fa5b7 -Author: Thierry FOURNIER <thierry.fournier@ozon.io> -Date: Sat Jun 30 10:37:33 2018 +0200 - - BUG/MEDIUM: lua: possible CLOSE-WAIT state with '\n' headers - - The Lua parser doesn't takes in account end-of-headers containing - only '\n'. It expects always '\r\n'. If a '\n' is processes the Lua - parser considers it miss 1 byte, and wait indefinitely for new data. - - When the client reaches their timeout, it closes the connection. - This close is not detected and the connection keep in CLOSE-WAIT - state. - - I guess that this patch fix only a visible part of the problem. - If the Lua HTTP parser wait for data, the timeout server or the - connectio closed by the client may stop the applet. - - How reproduce the problem: - - HAProxy conf: - - global - lua-load bug38.lua - frontend frt - timeout client 2s - timeout server 2s - mode http - bind *:8080 - http-request use-service lua.donothing - - Lua conf - - core.register_service("donothing", "http", function(applet) end) - - Client request: - - echo -ne 'GET / HTTP/1.1\n\n' | nc 127.0.0.1 8080 - - Look for CLOSE-WAIT in the connection with "netstat" or "ss". I - use this script: - - while sleep 1; do ss | grep CLOSE-WAIT; done - - This patch must be backported in 1.6, 1.7 and 1.8 - - Workaround: enable the "hard-stop-after" directive, and perform - periodic reload. - - (cherry picked from commit 70d318ccb760ee25f166a75d163f38545f074ff1) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/hlua.c b/src/hlua.c -index 54064860..4e50fa64 100644 ---- a/src/hlua.c -+++ b/src/hlua.c -@@ -6594,13 +6594,13 @@ static void hlua_applet_http_fct(struct appctx *ctx) - len2 = 0; - if (ret == 0) - len1 = 0; -- if (len1 + len2 < strm->txn->req.eoh + 2) { -+ if (len1 + len2 < strm->txn->req.eoh + strm->txn->req.eol) { - si_applet_cant_get(si); - return; - } - - /* skip the requests bytes. */ -- co_skip(si_oc(si), strm->txn->req.eoh + 2); -+ co_skip(si_oc(si), strm->txn->req.eoh + strm->txn->req.eol); - } - - /* Executes The applet if it is not done. */ diff --git a/net/haproxy/patches/0005-MINOR-threads-Introduce-double-width-CAS-on-x86_64-and-arm.patch b/net/haproxy/patches/0005-MINOR-threads-Introduce-double-width-CAS-on-x86_64-and-arm.patch deleted file mode 100644 index ee18b212c..000000000 --- a/net/haproxy/patches/0005-MINOR-threads-Introduce-double-width-CAS-on-x86_64-and-arm.patch +++ /dev/null @@ -1,186 +0,0 @@ -commit cd753064396f9563640fef940ce2a89e192042b1 -Author: Olivier Houchard <ohouchard@haproxy.com> -Date: Thu Dec 21 17:13:05 2017 +0100 - - MINOR: threads: Introduce double-width CAS on x86_64 and arm. - - Introduce double-width compare-and-swap on arches that support it, right now - x86_64, arm, and aarch64. - Also introduce functions to do memory barriers. - - (cherry picked from commit f61f0cb95ffbfe403219226d427cd292ca79965a) - [wt: this is backported only to have the barriers for the new rdv point] - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/include/common/hathreads.h b/include/common/hathreads.h -index 25cadf10..543ab95c 100644 ---- a/include/common/hathreads.h -+++ b/include/common/hathreads.h -@@ -98,6 +98,19 @@ extern THREAD_LOCAL unsigned long tid_bit; /* The bit corresponding to the threa - - #define ha_sigmask(how, set, oldset) sigprocmask(how, set, oldset) - -+ -+static inline void __ha_barrier_load(void) -+{ -+} -+ -+static inline void __ha_barrier_store(void) -+{ -+} -+ -+static inline void __ha_barrier_full(void) -+{ -+} -+ - #else /* USE_THREAD */ - - #include <stdio.h> -@@ -694,8 +707,147 @@ static inline void __spin_unlock(enum lock_label lbl, struct ha_spinlock *l, - - #endif /* DEBUG_THREAD */ - -+#ifdef __x86_64__ -+#define HA_HAVE_CAS_DW 1 -+#define HA_CAS_IS_8B -+static __inline int -+__ha_cas_dw(void *target, void *compare, const void *set) -+{ -+ char ret; -+ -+ __asm __volatile("lock cmpxchg16b %0; setz %3" -+ : "+m" (*(void **)target), -+ "=a" (((void **)compare)[0]), -+ "=d" (((void **)compare)[1]), -+ "=q" (ret) -+ : "a" (((void **)compare)[0]), -+ "d" (((void **)compare)[1]), -+ "b" (((const void **)set)[0]), -+ "c" (((const void **)set)[1]) -+ : "memory", "cc"); -+ return (ret); -+} -+ -+static __inline void -+__ha_barrier_load(void) -+{ -+ __asm __volatile("lfence" ::: "memory"); -+} -+ -+static __inline void -+__ha_barrier_store(void) -+{ -+ __asm __volatile("sfence" ::: "memory"); -+} -+ -+static __inline void -+__ha_barrier_full(void) -+{ -+ __asm __volatile("mfence" ::: "memory"); -+} -+ -+#elif defined(__arm__) && (defined(__ARM_ARCH_7__) || defined(__ARM_ARCH_7A__)) -+#define HA_HAVE_CAS_DW 1 -+static __inline void -+__ha_barrier_load(void) -+{ -+ __asm __volatile("dmb" ::: "memory"); -+} -+ -+static __inline void -+__ha_barrier_store(void) -+{ -+ __asm __volatile("dsb" ::: "memory"); -+} -+ -+static __inline void -+__ha_barrier_full(void) -+{ -+ __asm __volatile("dmb" ::: "memory"); -+} -+ -+static __inline int __ha_cas_dw(void *target, void *compare, void *set) -+{ -+ uint64_t previous; -+ int tmp; -+ -+ __asm __volatile("1:" -+ "ldrexd %0, [%4];" -+ "cmp %Q0, %Q2;" -+ "ittt eq;" -+ "cmpeq %R0, %R2;" -+ "strexdeq %1, %3, [%4];" -+ "cmpeq %1, #1;" -+ "beq 1b;" -+ : "=&r" (previous), "=&r" (tmp) -+ : "r" (compare), "r" (set), "r" (target) -+ : "memory", "cc"); -+ tmp = (previous == *(uint64_t *)compare); -+ *(uint64_t *)compare = previous; -+ return (tmp); -+} -+ -+#elif defined (__aarch64__) -+#define HA_HAVE_CAS_DW 1 -+#define HA_CAS_IS_8B -+ -+static __inline void -+__ha_barrier_load(void) -+{ -+ __asm __volatile("dmb ishld" ::: "memory"); -+} -+ -+static __inline void -+__ha_barrier_store(void) -+{ -+ __asm __volatile("dmb ishst" ::: "memory"); -+} -+ -+static __inline void -+__ha_barrier_full(void) -+{ -+ __asm __volatile("dmb ish" ::: "memory"); -+} -+ -+static __inline int __ha_cas_dw(void *target, void *compare, void *set) -+{ -+ void *value[2]; -+ uint64_t tmp1, tmp2; -+ -+ __asm__ __volatile__("1:" -+ "ldxp %0, %1, [%4];" -+ "mov %2, %0;" -+ "mov %3, %1;" -+ "eor %0, %0, %5;" -+ "eor %1, %1, %6;" -+ "orr %1, %0, %1;" -+ "mov %w0, #0;" -+ "cbnz %1, 2f;" -+ "stxp %w0, %7, %8, [%4];" -+ "cbnz %w0, 1b;" -+ "mov %w0, #1;" -+ "2:" -+ : "=&r" (tmp1), "=&r" (tmp2), "=&r" (value[0]), "=&r" (value[1]) -+ : "r" (target), "r" (((void **)(compare))[0]), "r" (((void **)(compare))[1]), "r" (((void **)(set))[0]), "r" (((void **)(set))[1]) -+ : "cc", "memory"); -+ -+ memcpy(compare, &value, sizeof(value)); -+ return (tmp1); -+} -+ -+#else -+#define __ha_barrier_load __sync_synchronize -+#define __ha_barrier_store __sync_synchronize -+#define __ha_barrier_full __sync_synchronize -+#endif -+ - #endif /* USE_THREAD */ - -+static inline void __ha_compiler_barrier(void) -+{ -+ __asm __volatile("" ::: "memory"); -+} -+ - /* Dummy I/O handler used by the sync pipe.*/ - void thread_sync_io_handler(int fd); - int parse_nbthread(const char *arg, char **err); diff --git a/net/haproxy/patches/0006-BUG-MEDIUM-threads-fix-the-double-CAS-implementation-for-ARMv7.patch b/net/haproxy/patches/0006-BUG-MEDIUM-threads-fix-the-double-CAS-implementation-for-ARMv7.patch deleted file mode 100644 index 8c875b7a0..000000000 --- a/net/haproxy/patches/0006-BUG-MEDIUM-threads-fix-the-double-CAS-implementation-for-ARMv7.patch +++ /dev/null @@ -1,41 +0,0 @@ -commit ad84851746243d85f9be59703e9bee0f5c5f8eba -Author: Willy Tarreau <w@1wt.eu> -Date: Wed Feb 14 14:16:28 2018 +0100 - - BUG/MEDIUM: threads: fix the double CAS implementation for ARMv7 - - Commit f61f0cb ("MINOR: threads: Introduce double-width CAS on x86_64 - and arm.") introduced the double CAS. But the ARMv7 version is bogus, - it uses the value of the pointers instead of dereferencing them. When - lucky, it simply doesn't build due to impossible registers combinations. - Otherwise it will immediately crash at run time when facing traffic. - - No backport is needed, this bug was introduced in 1.9-dev. - - (cherry picked from commit 41ccb194d1d14669e0592e5373ef5776f099e82a) - [wt: backported only to keep safe code eventhough we don't use - this function in 1.8] - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/include/common/hathreads.h b/include/common/hathreads.h -index 543ab95c..4e72848e 100644 ---- a/include/common/hathreads.h -+++ b/include/common/hathreads.h -@@ -766,7 +766,7 @@ __ha_barrier_full(void) - __asm __volatile("dmb" ::: "memory"); - } - --static __inline int __ha_cas_dw(void *target, void *compare, void *set) -+static __inline int __ha_cas_dw(void *target, void *compare, const void *set) - { - uint64_t previous; - int tmp; -@@ -780,7 +780,7 @@ static __inline int __ha_cas_dw(void *target, void *compare, void *set) - "cmpeq %1, #1;" - "beq 1b;" - : "=&r" (previous), "=&r" (tmp) -- : "r" (compare), "r" (set), "r" (target) -+ : "r" (*(uint64_t *)compare), "r" (*(uint64_t *)set), "r" (target) - : "memory", "cc"); - tmp = (previous == *(uint64_t *)compare); - *(uint64_t *)compare = previous; diff --git a/net/haproxy/patches/0007-MINOR-threads-add-more-consistency-between-certain-variables-in-no-thread-case.patch b/net/haproxy/patches/0007-MINOR-threads-add-more-consistency-between-certain-variables-in-no-thread-case.patch deleted file mode 100644 index 0713dd45f..000000000 --- a/net/haproxy/patches/0007-MINOR-threads-add-more-consistency-between-certain-variables-in-no-thread-case.patch +++ /dev/null @@ -1,172 +0,0 @@ -commit ece550d98e1c10017fb91ecfa0d19ae9d2dc45da -Author: Willy Tarreau <w@1wt.eu> -Date: Wed Aug 1 19:12:20 2018 +0200 - - MINOR: threads: add more consistency between certain variables in no-thread case - - When threads are disabled, some variables such as tid and tid_bit are - still checked everywhere, the MAX_THREADS_MASK macro is ~0UL while - MAX_THREADS is 1, and the all_threads_mask variable is replaced with a - macro forced to zero. The compiler cannot optimize away all this code - involving checks on tid and tid_bit, and we end up in special cases - where all_threads_mask has to be specifically tested for being zero or - not. It is not even certain the code paths are always equivalent when - testing without threads and with nbthread 1. - - Let's change this to make sure we always present a single thread when - threads are disabled, and have the relevant values declared as constants - so that the compiler can optimize all the tests away. Now we have - MAX_THREADS_MASK set to 1, all_threads_mask set to 1, tid set to zero - and tid_bit set to 1. Doing just this has removed 4 kB of code in the - no-thread case. - - A few checks for all_threads_mask==0 have been removed since it never - happens anymore. - - (cherry picked from commit 0c026f49e7348bce5b3c74be896ae208ae6e26a4) - [wt: the thread code feels safer with this, especially with the small updates - needed for the rdv point; missed one occurrence fixed by next patch] - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/include/common/hathreads.h b/include/common/hathreads.h -index 4e72848e..7eb5d127 100644 ---- a/include/common/hathreads.h -+++ b/include/common/hathreads.h -@@ -24,10 +24,6 @@ - - #include <common/config.h> - --#define MAX_THREADS_MASK ((unsigned long)-1) --extern THREAD_LOCAL unsigned int tid; /* The thread id */ --extern THREAD_LOCAL unsigned long tid_bit; /* The bit corresponding to the thread id */ -- - /* Note about all_threads_mask : - * - with threads support disabled, this symbol is defined as zero (0UL). - * - with threads enabled, this variable is never zero, it contains the mask -@@ -37,7 +33,14 @@ extern THREAD_LOCAL unsigned long tid_bit; /* The bit corresponding to the threa - #ifndef USE_THREAD - - #define MAX_THREADS 1 --#define all_threads_mask 0UL -+#define MAX_THREADS_MASK 1 -+ -+/* Only way found to replace variables with constants that are optimized away -+ * at build time. -+ */ -+enum { all_threads_mask = 1UL }; -+enum { tid_bit = 1UL }; -+enum { tid = 0 }; - - #define __decl_hathreads(decl) - -@@ -98,6 +101,9 @@ extern THREAD_LOCAL unsigned long tid_bit; /* The bit corresponding to the threa - - #define ha_sigmask(how, set, oldset) sigprocmask(how, set, oldset) - -+static inline void ha_set_tid(unsigned int tid) -+{ -+} - - static inline void __ha_barrier_load(void) - { -@@ -120,6 +126,7 @@ static inline void __ha_barrier_full(void) - #include <import/plock.h> - - #define MAX_THREADS LONGBITS -+#define MAX_THREADS_MASK ((unsigned long)-1) - - #define __decl_hathreads(decl) decl - -@@ -223,10 +230,19 @@ void thread_exit_sync(void); - int thread_no_sync(void); - int thread_need_sync(void); - -+extern THREAD_LOCAL unsigned int tid; /* The thread id */ -+extern THREAD_LOCAL unsigned long tid_bit; /* The bit corresponding to the thread id */ - extern volatile unsigned long all_threads_mask; - - #define ha_sigmask(how, set, oldset) pthread_sigmask(how, set, oldset) - -+/* sets the thread ID and the TID bit for the current thread */ -+static inline void ha_set_tid(unsigned int data) -+{ -+ tid = data; -+ tid_bit = (1UL << tid); -+} -+ - - #if defined(DEBUG_THREAD) || defined(DEBUG_FULL) - -diff --git a/src/cfgparse.c b/src/cfgparse.c -index 24349a59..d1474d4b 100644 ---- a/src/cfgparse.c -+++ b/src/cfgparse.c -@@ -7652,11 +7652,11 @@ int check_config_validity() - nbproc = my_ffsl(bind_conf->bind_proc); - - mask = bind_conf->bind_thread[nbproc - 1]; -- if (mask && !(mask & (all_threads_mask ? all_threads_mask : 1UL))) { -+ if (mask && !(mask & all_threads_mask)) { - unsigned long new_mask = 0; - - while (mask) { -- new_mask |= mask & (all_threads_mask ? all_threads_mask : 1UL); -+ new_mask |= mask & all_threads_mask; - mask >>= global.nbthread; - } - -diff --git a/src/haproxy.c b/src/haproxy.c -index 9ba56623..e0186ff9 100644 ---- a/src/haproxy.c -+++ b/src/haproxy.c -@@ -2448,8 +2448,7 @@ static void *run_thread_poll_loop(void *data) - struct per_thread_deinit_fct *ptdf; - __decl_hathreads(static HA_SPINLOCK_T start_lock); - -- tid = *((unsigned int *)data); -- tid_bit = (1UL << tid); -+ ha_set_tid(*((unsigned int *)data)); - tv_update_date(-1,-1); - - list_for_each_entry(ptif, &per_thread_init_list, list) { -diff --git a/src/hathreads.c b/src/hathreads.c -index 0d0a0509..238cbb80 100644 ---- a/src/hathreads.c -+++ b/src/hathreads.c -@@ -19,8 +19,6 @@ - #include <common/standard.h> - #include <proto/fd.h> - --THREAD_LOCAL unsigned int tid = 0; --THREAD_LOCAL unsigned long tid_bit = (1UL << 0); - - /* Dummy I/O handler used by the sync pipe.*/ - void thread_sync_io_handler(int fd) -@@ -33,6 +31,9 @@ static HA_SPINLOCK_T sync_lock; - static int threads_sync_pipe[2]; - static unsigned long threads_want_sync = 0; - volatile unsigned long all_threads_mask = 1; // nbthread 1 assumed by default -+THREAD_LOCAL unsigned int tid = 0; -+THREAD_LOCAL unsigned long tid_bit = (1UL << 0); -+ - - #if defined(DEBUG_THREAD) || defined(DEBUG_FULL) - struct lock_stat lock_stats[LOCK_LABELS]; -@@ -130,7 +131,7 @@ void thread_enter_sync() - { - static volatile unsigned long barrier = 0; - -- if (!all_threads_mask) -+ if (!(all_threads_mask & (all_threads_mask - 1))) - return; - - thread_sync_barrier(&barrier); -@@ -146,7 +147,7 @@ void thread_exit_sync() - { - static volatile unsigned long barrier = 0; - -- if (!all_threads_mask) -+ if (!(all_threads_mask & (all_threads_mask - 1))) - return; - - if (threads_want_sync & tid_bit) diff --git a/net/haproxy/patches/0008-BUG-MEDIUM-threads-fix-the-no-thread-case-after-the-change-to-the-sync-point.patch b/net/haproxy/patches/0008-BUG-MEDIUM-threads-fix-the-no-thread-case-after-the-change-to-the-sync-point.patch deleted file mode 100644 index 9231e466c..000000000 --- a/net/haproxy/patches/0008-BUG-MEDIUM-threads-fix-the-no-thread-case-after-the-change-to-the-sync-point.patch +++ /dev/null @@ -1,31 +0,0 @@ -commit 7607ec0917c33ce511d46b791dfa5550451dd538 -Author: Willy Tarreau <w@1wt.eu> -Date: Tue Aug 7 10:07:15 2018 +0200 - - BUG/MEDIUM: threads: fix the no-thread case after the change to the sync point - - In commit 0c026f4 ("MINOR: threads: add more consistency between certain - variables in no-thread case"), we ensured that we don't have all_threads_mask - zeroed anymore. But one test was missed for the write() to the sync pipe. - This results in a situation where when running single-threaded, once a - server status changes, a wake-up message is written to the pipe and never - consumed, showing a 100% CPU usage. - - No backport is needed. - (cherry picked from commit ab657ce2511c4e19b0191fbe1c98cfd823a3c5d6) - [wt: the offending patch was just backported as the previous one] - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/hathreads.c b/src/hathreads.c -index 238cbb80..ba05fe27 100644 ---- a/src/hathreads.c -+++ b/src/hathreads.c -@@ -71,7 +71,7 @@ void thread_sync_enable(void) - */ - void thread_want_sync() - { -- if (all_threads_mask) { -+ if (all_threads_mask & (all_threads_mask - 1)) { - if (threads_want_sync & tid_bit) - return; - if (HA_ATOMIC_OR(&threads_want_sync, tid_bit) == tid_bit) diff --git a/net/haproxy/patches/0009-MEDIUM-hathreads-implement-a-more-flexible-rendez-vous-point.patch b/net/haproxy/patches/0009-MEDIUM-hathreads-implement-a-more-flexible-rendez-vous-point.patch deleted file mode 100644 index a12d3616d..000000000 --- a/net/haproxy/patches/0009-MEDIUM-hathreads-implement-a-more-flexible-rendez-vous-point.patch +++ /dev/null @@ -1,340 +0,0 @@ -commit b505a8d719c208073959eff07f4af202ef49a8a1 -Author: Willy Tarreau <w@1wt.eu> -Date: Thu Aug 2 10:16:17 2018 +0200 - - MEDIUM: hathreads: implement a more flexible rendez-vous point - - The current synchronization point enforces certain restrictions which - are hard to workaround in certain areas of the code. The fact that the - critical code can only be called from the sync point itself is a problem - for some callback-driven parts. The "show fd" command for example is - fragile regarding this. - - Also it is expensive in terms of CPU usage because it wakes every other - thread just to be sure all of them join to the rendez-vous point. It's a - problem because the sleeping threads would not need to be woken up just - to know they're doing nothing. - - Here we implement a different approach. We keep track of harmless threads, - which are defined as those either doing nothing, or doing harmless things. - The rendez-vous is used "for others" as a way for a thread to isolate itself. - A thread then requests to be alone using thread_isolate() when approaching - the dangerous area, and then waits until all other threads are either doing - the same or are doing something harmless (typically polling). The function - only returns once the thread is guaranteed to be alone, and the critical - section is terminated using thread_release(). - - (cherry picked from commit 60b639ccbe919b86790267d7e45a39b75434acbe) - [wt: this will be needed to fix the "show fd" command with threads] - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/include/common/hathreads.h b/include/common/hathreads.h -index 7eb5d127..f8fda87a 100644 ---- a/include/common/hathreads.h -+++ b/include/common/hathreads.h -@@ -117,6 +117,27 @@ static inline void __ha_barrier_full(void) - { - } - -+static inline void thread_harmless_now() -+{ -+} -+ -+static inline void thread_harmless_end() -+{ -+} -+ -+static inline void thread_isolate() -+{ -+} -+ -+static inline void thread_release() -+{ -+} -+ -+static inline unsigned long thread_isolated() -+{ -+ return 1; -+} -+ - #else /* USE_THREAD */ - - #include <stdio.h> -@@ -229,10 +250,34 @@ void thread_enter_sync(void); - void thread_exit_sync(void); - int thread_no_sync(void); - int thread_need_sync(void); -+void thread_harmless_till_end(); -+void thread_isolate(); -+void thread_release(); - - extern THREAD_LOCAL unsigned int tid; /* The thread id */ - extern THREAD_LOCAL unsigned long tid_bit; /* The bit corresponding to the thread id */ - extern volatile unsigned long all_threads_mask; -+extern volatile unsigned long threads_want_rdv_mask; -+extern volatile unsigned long threads_harmless_mask; -+ -+/* explanation for threads_want_rdv_mask and threads_harmless_mask : -+ * - threads_want_rdv_mask is a bit field indicating all threads that have -+ * requested a rendez-vous of other threads using thread_isolate(). -+ * - threads_harmless_mask is a bit field indicating all threads that are -+ * currently harmless in that they promise not to access a shared resource. -+ * -+ * For a given thread, its bits in want_rdv and harmless can be translated like -+ * this : -+ * -+ * ----------+----------+---------------------------------------------------- -+ * want_rdv | harmless | description -+ * ----------+----------+---------------------------------------------------- -+ * 0 | 0 | thread not interested in RDV, possibly harmful -+ * 0 | 1 | thread not interested in RDV but harmless -+ * 1 | 1 | thread interested in RDV and waiting for its turn -+ * 1 | 0 | thread currently working isolated from others -+ * ----------+----------+---------------------------------------------------- -+ */ - - #define ha_sigmask(how, set, oldset) pthread_sigmask(how, set, oldset) - -@@ -243,6 +288,38 @@ static inline void ha_set_tid(unsigned int data) - tid_bit = (1UL << tid); - } - -+/* Marks the thread as harmless. Note: this must be true, i.e. the thread must -+ * not be touching any unprotected shared resource during this period. Usually -+ * this is called before poll(), but it may also be placed around very slow -+ * calls (eg: some crypto operations). Needs to be terminated using -+ * thread_harmless_end(). -+ */ -+static inline void thread_harmless_now() -+{ -+ HA_ATOMIC_OR(&threads_harmless_mask, tid_bit); -+} -+ -+/* Ends the harmless period started by thread_harmless_now(). Usually this is -+ * placed after the poll() call. If it is discovered that a job was running and -+ * is relying on the thread still being harmless, the thread waits for the -+ * other one to finish. -+ */ -+static inline void thread_harmless_end() -+{ -+ while (1) { -+ HA_ATOMIC_AND(&threads_harmless_mask, ~tid_bit); -+ if (likely((threads_want_rdv_mask & all_threads_mask) == 0)) -+ break; -+ thread_harmless_till_end(); -+ } -+} -+ -+/* an isolated thread has harmless cleared and want_rdv set */ -+static inline unsigned long thread_isolated() -+{ -+ return threads_want_rdv_mask & ~threads_harmless_mask & tid_bit; -+} -+ - - #if defined(DEBUG_THREAD) || defined(DEBUG_FULL) - -diff --git a/src/ev_epoll.c b/src/ev_epoll.c -index adc15acd..09d1abb6 100644 ---- a/src/ev_epoll.c -+++ b/src/ev_epoll.c -@@ -17,6 +17,7 @@ - #include <common/config.h> - #include <common/debug.h> - #include <common/epoll.h> -+#include <common/hathreads.h> - #include <common/standard.h> - #include <common/ticks.h> - #include <common/time.h> -@@ -153,6 +154,8 @@ REGPRM2 static void _do_poll(struct poller *p, int exp) - } - HA_SPIN_UNLOCK(FD_UPDATE_LOCK, &fd_updt_lock); - -+ thread_harmless_now(); -+ - /* compute the epoll_wait() timeout */ - if (!exp) - wait_time = MAX_DELAY_MS; -@@ -173,6 +176,8 @@ REGPRM2 static void _do_poll(struct poller *p, int exp) - tv_update_date(wait_time, status); - measure_idle(); - -+ thread_harmless_end(); -+ - /* process polled events */ - - for (count = 0; count < status; count++) { -diff --git a/src/ev_kqueue.c b/src/ev_kqueue.c -index 642de8b3..1f4762e6 100644 ---- a/src/ev_kqueue.c -+++ b/src/ev_kqueue.c -@@ -19,6 +19,7 @@ - - #include <common/compat.h> - #include <common/config.h> -+#include <common/hathreads.h> - #include <common/ticks.h> - #include <common/time.h> - #include <common/tools.h> -@@ -127,6 +128,8 @@ REGPRM2 static void _do_poll(struct poller *p, int exp) - } - HA_SPIN_UNLOCK(FD_UPDATE_LOCK, &fd_updt_lock); - -+ thread_harmless_now(); -+ - if (changes) { - #ifdef EV_RECEIPT - kev[0].flags |= EV_RECEIPT; -@@ -169,6 +172,8 @@ REGPRM2 static void _do_poll(struct poller *p, int exp) - tv_update_date(delta_ms, status); - measure_idle(); - -+ thread_harmless_end(); -+ - for (count = 0; count < status; count++) { - unsigned int n = 0; - fd = kev[count].ident; -diff --git a/src/ev_poll.c b/src/ev_poll.c -index c913ced2..7da992d6 100644 ---- a/src/ev_poll.c -+++ b/src/ev_poll.c -@@ -19,6 +19,7 @@ - - #include <common/compat.h> - #include <common/config.h> -+#include <common/hathreads.h> - #include <common/ticks.h> - #include <common/time.h> - -@@ -149,6 +150,9 @@ REGPRM2 static void _do_poll(struct poller *p, int exp) - - } - HA_SPIN_UNLOCK(FD_UPDATE_LOCK, &fd_updt_lock); -+ -+ thread_harmless_now(); -+ - fd_nbupdt = 0; - - nbfd = 0; -@@ -200,6 +204,8 @@ REGPRM2 static void _do_poll(struct poller *p, int exp) - tv_update_date(wait_time, status); - measure_idle(); - -+ thread_harmless_end(); -+ - for (count = 0; status > 0 && count < nbfd; count++) { - unsigned int n; - int e = poll_events[count].revents; -diff --git a/src/ev_select.c b/src/ev_select.c -index bde923ea..9daf74d9 100644 ---- a/src/ev_select.c -+++ b/src/ev_select.c -@@ -16,6 +16,7 @@ - - #include <common/compat.h> - #include <common/config.h> -+#include <common/hathreads.h> - #include <common/ticks.h> - #include <common/time.h> - -@@ -123,6 +124,9 @@ REGPRM2 static void _do_poll(struct poller *p, int exp) - - } - HA_SPIN_UNLOCK(FD_UPDATE_LOCK, &fd_updt_lock); -+ -+ thread_harmless_now(); -+ - fd_nbupdt = 0; - - /* let's restore fdset state */ -@@ -171,6 +175,8 @@ REGPRM2 static void _do_poll(struct poller *p, int exp) - tv_update_date(delta_ms, status); - measure_idle(); - -+ thread_harmless_end(); -+ - if (status <= 0) - return; - -diff --git a/src/hathreads.c b/src/hathreads.c -index ba05fe27..97ed31c5 100644 ---- a/src/hathreads.c -+++ b/src/hathreads.c -@@ -30,6 +30,8 @@ void thread_sync_io_handler(int fd) - static HA_SPINLOCK_T sync_lock; - static int threads_sync_pipe[2]; - static unsigned long threads_want_sync = 0; -+volatile unsigned long threads_want_rdv_mask = 0; -+volatile unsigned long threads_harmless_mask = 0; - volatile unsigned long all_threads_mask = 1; // nbthread 1 assumed by default - THREAD_LOCAL unsigned int tid = 0; - THREAD_LOCAL unsigned long tid_bit = (1UL << 0); -@@ -163,6 +165,68 @@ void thread_exit_sync() - thread_sync_barrier(&barrier); - } - -+/* Marks the thread as harmless until the last thread using the rendez-vous -+ * point quits. Given that we can wait for a long time, sched_yield() is used -+ * when available to offer the CPU resources to competing threads if needed. -+ */ -+void thread_harmless_till_end() -+{ -+ HA_ATOMIC_OR(&threads_harmless_mask, tid_bit); -+ while (threads_want_rdv_mask & all_threads_mask) { -+#if _POSIX_PRIORITY_SCHEDULING -+ sched_yield(); -+#else -+ pl_cpu_relax(); -+#endif -+ } -+} -+ -+/* Isolates the current thread : request the ability to work while all other -+ * threads are harmless. Only returns once all of them are harmless, with the -+ * current thread's bit in threads_harmless_mask cleared. Needs to be completed -+ * using thread_release(). -+ */ -+void thread_isolate() -+{ -+ unsigned long old; -+ -+ HA_ATOMIC_OR(&threads_harmless_mask, tid_bit); -+ __ha_barrier_store(); -+ HA_ATOMIC_OR(&threads_want_rdv_mask, tid_bit); -+ -+ /* wait for all threads to become harmless */ -+ old = threads_harmless_mask; -+ while (1) { -+ if (unlikely((old & all_threads_mask) != all_threads_mask)) -+ old = threads_harmless_mask; -+ else if (HA_ATOMIC_CAS(&threads_harmless_mask, &old, old & ~tid_bit)) -+ break; -+ -+#if _POSIX_PRIORITY_SCHEDULING -+ sched_yield(); -+#else -+ pl_cpu_relax(); -+#endif -+ } -+ /* one thread gets released at a time here, with its harmess bit off. -+ * The loss of this bit makes the other one continue to spin while the -+ * thread is working alone. -+ */ -+} -+ -+/* Cancels the effect of thread_isolate() by releasing the current thread's bit -+ * in threads_want_rdv_mask and by marking this thread as harmless until the -+ * last worker finishes. -+ */ -+void thread_release() -+{ -+ while (1) { -+ HA_ATOMIC_AND(&threads_want_rdv_mask, ~tid_bit); -+ if (!(threads_want_rdv_mask & all_threads_mask)) -+ break; -+ thread_harmless_till_end(); -+ } -+} - - __attribute__((constructor)) - static void __hathreads_init(void) diff --git a/net/haproxy/patches/0010-BUG-MEDIUM-cli-make-show-fd-thread-safe.patch b/net/haproxy/patches/0010-BUG-MEDIUM-cli-make-show-fd-thread-safe.patch deleted file mode 100644 index efefdd6b6..000000000 --- a/net/haproxy/patches/0010-BUG-MEDIUM-cli-make-show-fd-thread-safe.patch +++ /dev/null @@ -1,50 +0,0 @@ -commit f41ca2546e3c35cc389f45428341ec03dade314d -Author: Willy Tarreau <w@1wt.eu> -Date: Thu Aug 2 11:05:48 2018 +0200 - - BUG/MEDIUM: cli: make "show fd" thread-safe - - The "show fd" command was implemented as a debugging aid but it's not - thread safe. Its features have grown, it can now dump some mux-specific - parts and is being used in production to capture some useful debugging - traces. But it will quickly crash the process when used during an H2 load - test for example, especially when haproxy is built with the DEBUG_UAF - option. It cannot afford not to be thread safe anymore. Let's make use - of the new rendez-vous point using thread_isolate() / thread_release() - to ensure that the data being dumped are not changing under us. The dump - becomes slightly slower under load but now it's safe. - - This should be backported to 1.8 along with the rendez-vous point code - once considered stable enough. - (cherry picked from commit bf9fd650883b23604b7cd4aabf04fc0c4c8fe7c7) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/cli.c b/src/cli.c -index 233c2323..8344fe10 100644 ---- a/src/cli.c -+++ b/src/cli.c -@@ -787,10 +787,14 @@ static int cli_io_handler_show_fd(struct appctx *appctx) - void *ctx = NULL; - uint32_t conn_flags = 0; - -+ thread_isolate(); -+ - fdt = fdtab[fd]; - -- if (!fdt.owner) -+ if (!fdt.owner) { -+ thread_release(); - goto skip; // closed -+ } - - if (fdt.iocb == conn_fd_handler) { - conn_flags = ((struct connection *)fdt.owner)->flags; -@@ -855,6 +859,8 @@ static int cli_io_handler_show_fd(struct appctx *appctx) - li->bind_conf->frontend->id); - } - -+ thread_release(); -+ - chunk_appendf(&trash, "\n"); - - if (ci_putchk(si_ic(si), &trash) == -1) { diff --git a/net/haproxy/patches/0011-BUG-MINOR-ssl-empty-connections-reported-as-errors.patch b/net/haproxy/patches/0011-BUG-MINOR-ssl-empty-connections-reported-as-errors.patch deleted file mode 100644 index 99e508ae5..000000000 --- a/net/haproxy/patches/0011-BUG-MINOR-ssl-empty-connections-reported-as-errors.patch +++ /dev/null @@ -1,43 +0,0 @@ -commit 8c2e3b35a951c41b80efe4c3368d1244bab2bea4 -Author: Emeric Brun <ebrun@haproxy.com> -Date: Thu Aug 16 11:36:40 2018 +0200 - - BUG/MINOR: ssl: empty connections reported as errors. - - Empty connection is reported as handshake error - even if dont-log-null is specified. - - This bug affect is a regression du to: - - BUILD: ssl: fix to build (again) with boringssl - - New openssl 1.1.1 defines OPENSSL_NO_HEARTBEATS as boring ssl - so the test was replaced by OPENSSL_IS_BORINGSSL - - This fix should be backported on 1.8 - - (cherry picked from commit 77e8919fc6f382f3a7facdc814b8618b8987200f) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 7edfb799..49389f01 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -5121,7 +5121,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) - if (!errno && conn->flags & CO_FL_WAIT_L4_CONN) - conn->flags &= ~CO_FL_WAIT_L4_CONN; - if (!conn->err_code) { --#ifdef OPENSSL_NO_HEARTBEATS /* BoringSSL */ -+#ifdef OPENSSL_IS_BORINGSSL /* BoringSSL */ - conn->err_code = CO_ER_SSL_HANDSHAKE; - #else - int empty_handshake; -@@ -5205,7 +5205,7 @@ check_error: - if (!errno && conn->flags & CO_FL_WAIT_L4_CONN) - conn->flags &= ~CO_FL_WAIT_L4_CONN; - if (!conn->err_code) { --#ifdef OPENSSL_NO_HEARTBEATS /* BoringSSL */ -+#ifdef OPENSSL_IS_BORINGSSL /* BoringSSL */ - conn->err_code = CO_ER_SSL_HANDSHAKE; - #else - int empty_handshake; diff --git a/net/haproxy/patches/0012-BUG-MEDIUM-ssl-fix-missing-error-loading-a-keytype-cert-from-a-bundle.patch b/net/haproxy/patches/0012-BUG-MEDIUM-ssl-fix-missing-error-loading-a-keytype-cert-from-a-bundle.patch deleted file mode 100644 index 57d1f19c8..000000000 --- a/net/haproxy/patches/0012-BUG-MEDIUM-ssl-fix-missing-error-loading-a-keytype-cert-from-a-bundle.patch +++ /dev/null @@ -1,27 +0,0 @@ -commit 9923082f94e0af83d03e030f4274d3db374b248c -Author: Emeric Brun <ebrun@haproxy.com> -Date: Thu Aug 16 15:11:12 2018 +0200 - - BUG/MEDIUM: ssl: fix missing error loading a keytype cert from a bundle. - - If there was an issue loading a keytype's part of a bundle, the bundle - was implicitly ignored without errors. - - This patch should be backported in 1.8 (and perhaps 1.7) - - (cherry picked from commit eb155b6ca6c1a8aaffa30285d453909b97979f5f) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 49389f01..9f0ff1f0 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -3475,7 +3475,7 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err) - } - - snprintf(fp, sizeof(fp), "%s/%s", path, dp); -- ssl_sock_load_multi_cert(fp, bind_conf, NULL, NULL, 0, err); -+ cfgerr += ssl_sock_load_multi_cert(fp, bind_conf, NULL, NULL, 0, err); - - /* Successfully processed the bundle */ - goto ignore_entry; diff --git a/net/haproxy/patches/0013-BUG-MEDIUM-ssl-loading-dh-param-from-certifile-causes-unpredictable-error.patch b/net/haproxy/patches/0013-BUG-MEDIUM-ssl-loading-dh-param-from-certifile-causes-unpredictable-error.patch deleted file mode 100644 index 9591c2763..000000000 --- a/net/haproxy/patches/0013-BUG-MEDIUM-ssl-loading-dh-param-from-certifile-causes-unpredictable-error.patch +++ /dev/null @@ -1,28 +0,0 @@ -commit 399714287a04d6b453ba95e4a3904a7644827d0b -Author: Emeric Brun <ebrun@haproxy.com> -Date: Thu Aug 16 15:14:12 2018 +0200 - - BUG/MEDIUM: ssl: loading dh param from certifile causes unpredictable error. - - If the dh parameter is not found, the openssl's error global - stack was not correctly cleared causing unpredictable error - during the following parsing (chain cert parsing for instance). - - This patch should be backported in 1.8 (and perhaps 1.7) - - (cherry picked from commit e1b4ed4352619f985d7d65f5d95a830ef5775c46) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 9f0ff1f0..9be2fc4c 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -2597,6 +2597,8 @@ end: - if (in) - BIO_free(in); - -+ ERR_clear_error(); -+ - return dh; - } - diff --git a/net/haproxy/patches/0014-BUG-MINOR-map-fix-map_regm-with-backref.patch b/net/haproxy/patches/0014-BUG-MINOR-map-fix-map_regm-with-backref.patch deleted file mode 100644 index 2f9d79b89..000000000 --- a/net/haproxy/patches/0014-BUG-MINOR-map-fix-map_regm-with-backref.patch +++ /dev/null @@ -1,48 +0,0 @@ -commit a1110e24e5be53ba5fe9ab82372c02a60da06cf9 -Author: Emeric Brun <ebrun@haproxy.com> -Date: Tue Jul 17 09:47:07 2018 -0400 - - BUG/MINOR: map: fix map_regm with backref - - Due to a cascade of get_trash_chunk calls the sample is - corrupted when we want to read it. - - The fix consist to use a temporary chunk to copy the sample - value and use it. - - (cherry picked from commit 271022150d7961b9aa39dbfd88e0c6a4bc48c3ee) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/map.c b/src/map.c -index a9a1e53c..da399088 100644 ---- a/src/map.c -+++ b/src/map.c -@@ -184,10 +184,27 @@ static int sample_conv_map(const struct arg *arg_p, struct sample *smp, void *pr - if (pat->data) { - /* In the regm case, merge the sample with the input. */ - if ((long)private == PAT_MATCH_REGM) { -+ struct chunk *tmptrash; -+ -+ /* Copy the content of the sample because it could -+ be scratched by incoming get_trash_chunk */ -+ tmptrash = alloc_trash_chunk(); -+ if (!tmptrash) -+ return 0; -+ -+ tmptrash->len = smp->data.u.str.len; -+ if (tmptrash->len > (tmptrash->size-1)) -+ tmptrash->len = tmptrash->size-1; -+ -+ memcpy(tmptrash->str, smp->data.u.str.str, tmptrash->len); -+ tmptrash->str[tmptrash->len] = 0; -+ - str = get_trash_chunk(); -- str->len = exp_replace(str->str, str->size, smp->data.u.str.str, -+ str->len = exp_replace(str->str, str->size, tmptrash->str, - pat->data->u.str.str, - (regmatch_t *)smp->ctx.a[0]); -+ -+ free_trash_chunk(tmptrash); - if (str->len == -1) - return 0; - smp->data.u.str = *str; diff --git a/net/haproxy/patches/0015-DOC-dns-explain-set-server-fqdn-requires-resolver.patch b/net/haproxy/patches/0015-DOC-dns-explain-set-server-fqdn-requires-resolver.patch deleted file mode 100644 index e8455e3d0..000000000 --- a/net/haproxy/patches/0015-DOC-dns-explain-set-server-fqdn-requires-resolver.patch +++ /dev/null @@ -1,29 +0,0 @@ -commit 29a43c20faa06100ade61fc24a5ee3bddfa3021a -Author: Lukas Tribus <lukas@ltri.eu> -Date: Tue Aug 14 11:39:35 2018 +0200 - - DOC: dns: explain set server ... fqdn requires resolver - - Abhishek Gupta reported on discourse that set server [...] fqdn always - fails. Further investigation showed that this requires the internal - DNS resolver to be configured. Add this requirement to the docs. - - Must be backported to 1.8. - - (cherry picked from commit c5dd5a500a237780eb9ab6e7069949cb19b6ff7d) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/doc/management.txt b/doc/management.txt -index 68a17c25..46e7fd07 100644 ---- a/doc/management.txt -+++ b/doc/management.txt -@@ -1675,7 +1675,8 @@ set server <backend>/<server> weight <weight>[%] - equivalent of the "set weight" command below. - - set server <backend>/<server> fqdn <FQDN> -- Change a server's FQDN to the value passed in argument. -+ Change a server's FQDN to the value passed in argument. This requires the -+ internal run-time DNS resolver to be configured and enabled for this server. - - set severity-output [ none | number | string ] - Change the severity output format of the stats socket connected to for the diff --git a/net/haproxy/patches/0016-DOC-ssl-Use-consistent-naming-for-TLS-protocols.patch b/net/haproxy/patches/0016-DOC-ssl-Use-consistent-naming-for-TLS-protocols.patch deleted file mode 100644 index f0f0f43a8..000000000 --- a/net/haproxy/patches/0016-DOC-ssl-Use-consistent-naming-for-TLS-protocols.patch +++ /dev/null @@ -1,49 +0,0 @@ -commit 54aecf18aeabe09bccf8db5e34b99bc36d468088 -Author: Bertrand Jacquin <bertrand@jacquin.bzh> -Date: Tue Aug 14 00:56:13 2018 +0100 - - DOC: ssl: Use consistent naming for TLS protocols - - In most cases, "TLSv1.x" naming is used across and documentation, lazy - people tend to grep too much and may not find what they are looking for. - - Fixing people is hard. - - (cherry picked from commit a25282bb399bfad8ed04b494b567fe97f0a58d65) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/doc/configuration.txt b/doc/configuration.txt -index 1973bbf2..43e28785 100644 ---- a/doc/configuration.txt -+++ b/doc/configuration.txt -@@ -10447,7 +10447,7 @@ accept-proxy - setting of which client is allowed to use the protocol. - - allow-0rtt -- Allow receiving early data when using TLS 1.3. This is disabled by default, -+ Allow receiving early data when using TLSv1.3. This is disabled by default, - due to security considerations. - - alpn <protocols> -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 9be2fc4c..0b49e0b4 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -1986,7 +1986,7 @@ static void ctx_set_TLSv12_func(SSL_CTX *ctx, set_context_func c) { - : SSL_CTX_set_ssl_version(ctx, TLSv1_2_client_method()); - #endif - } --/* TLS 1.2 is the last supported version in this context. */ -+/* TLSv1.2 is the last supported version in this context. */ - static void ctx_set_TLSv13_func(SSL_CTX *ctx, set_context_func c) {} - /* Unusable in this context. */ - static void ssl_set_SSLv3_func(SSL *ssl, set_context_func c) {} -@@ -2187,7 +2187,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg) - break; - } - } else { -- /* without TLSEXT_TYPE_signature_algorithms extension (< TLS 1.2) */ -+ /* without TLSEXT_TYPE_signature_algorithms extension (< TLSv1.2) */ - has_rsa = 1; - } - if (has_ecdsa_sig) { /* in very rare case: has ecdsa sign but not a ECDSA cipher */ diff --git a/net/haproxy/patches/0017-BUG-MEDIUM-lua-socket-timeouts-are-not-applied.patch b/net/haproxy/patches/0017-BUG-MEDIUM-lua-socket-timeouts-are-not-applied.patch deleted file mode 100644 index 3df6b31ef..000000000 --- a/net/haproxy/patches/0017-BUG-MEDIUM-lua-socket-timeouts-are-not-applied.patch +++ /dev/null @@ -1,42 +0,0 @@ -commit 947a3f71ad9733dde6645edb91b6becb3ee51e7c -Author: Cyril Bonté <cyril.bonte@free.fr> -Date: Fri Aug 17 23:51:02 2018 +0200 - - BUG/MEDIUM: lua: socket timeouts are not applied - - Sachin Shetty reported that socket timeouts set in LUA code have no effect. - Indeed, connect timeout is never modified and is always set to its default, - set to 5 seconds. Currently, this patch will apply the specified timeout - value to the connect timeout. - For the read and write timeouts, the issue is that the timeout is updated but - the expiration dates were not updated. - - This patch should be backported up to the 1.6 branch. - - (cherry picked from commit 7bb634549794298fc701d33efd93c7289dcf9cb7) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/hlua.c b/src/hlua.c -index 4e50fa64..daf775fc 100644 ---- a/src/hlua.c -+++ b/src/hlua.c -@@ -2566,10 +2566,19 @@ __LJMP static int hlua_socket_settimeout(struct lua_State *L) - si = appctx->owner; - s = si_strm(si); - -+ s->sess->fe->timeout.connect = tmout; - s->req.rto = tmout; - s->req.wto = tmout; - s->res.rto = tmout; - s->res.wto = tmout; -+ s->req.rex = tick_add_ifset(now_ms, tmout); -+ s->req.wex = tick_add_ifset(now_ms, tmout); -+ s->res.rex = tick_add_ifset(now_ms, tmout); -+ s->res.wex = tick_add_ifset(now_ms, tmout); -+ -+ s->task->expire = tick_add_ifset(now_ms, tmout); -+ task_queue(s->task); -+ - xref_unlock(&socket->xref, peer); - - lua_pushinteger(L, 1); diff --git a/net/haproxy/patches/0018-BUG-MEDIUM-cli-threads-protect-all-proxy-commands-against-concurrent-updates.patch b/net/haproxy/patches/0018-BUG-MEDIUM-cli-threads-protect-all-proxy-commands-against-concurrent-updates.patch deleted file mode 100644 index 385db51c5..000000000 --- a/net/haproxy/patches/0018-BUG-MEDIUM-cli-threads-protect-all-proxy-commands-against-concurrent-updates.patch +++ /dev/null @@ -1,212 +0,0 @@ -commit 3c42f13badd149c9c3152d7b2e653bde5da7c17a -Author: Willy Tarreau <w@1wt.eu> -Date: Tue Aug 21 14:50:44 2018 +0200 - - BUG/MEDIUM: cli/threads: protect all "proxy" commands against concurrent updates - - The proxy-related commands like "{enable|disable|shutdown} frontend", - "{enable|disable} dynamic-cookie", "set dynamic-cookie-key" were not - protected against concurrent accesses making their use dangerous with - threads. - - This patch must be backported to 1.8. - - (cherry picked from commit a275a3710eaa365150fe89e2e7a8fbdce87bb30e) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/proxy.c b/src/proxy.c -index 4437b703..8926ba8b 100644 ---- a/src/proxy.c -+++ b/src/proxy.c -@@ -1560,7 +1560,10 @@ static int cli_io_handler_show_backend(struct appctx *appctx) - return 1; - } - --/* Parses the "enable dynamic-cookies backend" directive, it always returns 1 */ -+/* Parses the "enable dynamic-cookies backend" directive, it always returns 1. -+ * -+ * Grabs the proxy lock and each server's lock. -+ */ - static int cli_parse_enable_dyncookie_backend(char **args, struct appctx *appctx, void *private) - { - struct proxy *px; -@@ -1573,15 +1576,25 @@ static int cli_parse_enable_dyncookie_backend(char **args, struct appctx *appctx - if (!px) - return 1; - -+ HA_SPIN_LOCK(PROXY_LOCK, &px->lock); -+ - px->ck_opts |= PR_CK_DYNAMIC; - -- for (s = px->srv; s != NULL; s = s->next) -+ for (s = px->srv; s != NULL; s = s->next) { -+ HA_SPIN_LOCK(SERVER_LOCK, &s->lock); - srv_set_dyncookie(s); -+ HA_SPIN_UNLOCK(SERVER_LOCK, &s->lock); -+ } -+ -+ HA_SPIN_UNLOCK(PROXY_LOCK, &px->lock); - - return 1; - } - --/* Parses the "disable dynamic-cookies backend" directive, it always returns 1 */ -+/* Parses the "disable dynamic-cookies backend" directive, it always returns 1. -+ * -+ * Grabs the proxy lock and each server's lock. -+ */ - static int cli_parse_disable_dyncookie_backend(char **args, struct appctx *appctx, void *private) - { - struct proxy *px; -@@ -1594,19 +1607,28 @@ static int cli_parse_disable_dyncookie_backend(char **args, struct appctx *appct - if (!px) - return 1; - -+ HA_SPIN_LOCK(PROXY_LOCK, &px->lock); -+ - px->ck_opts &= ~PR_CK_DYNAMIC; - - for (s = px->srv; s != NULL; s = s->next) { -+ HA_SPIN_LOCK(SERVER_LOCK, &s->lock); - if (!(s->flags & SRV_F_COOKIESET)) { - free(s->cookie); - s->cookie = NULL; - } -+ HA_SPIN_UNLOCK(SERVER_LOCK, &s->lock); - } - -+ HA_SPIN_UNLOCK(PROXY_LOCK, &px->lock); -+ - return 1; - } - --/* Parses the "set dynamic-cookie-key backend" directive, it always returns 1 */ -+/* Parses the "set dynamic-cookie-key backend" directive, it always returns 1. -+ * -+ * Grabs the proxy lock and each server's lock. -+ */ - static int cli_parse_set_dyncookie_key_backend(char **args, struct appctx *appctx, void *private) - { - struct proxy *px; -@@ -1634,16 +1656,27 @@ static int cli_parse_set_dyncookie_key_backend(char **args, struct appctx *appct - appctx->st0 = CLI_ST_PRINT; - return 1; - } -+ -+ HA_SPIN_LOCK(PROXY_LOCK, &px->lock); -+ - free(px->dyncookie_key); - px->dyncookie_key = newkey; - -- for (s = px->srv; s != NULL; s = s->next) -+ for (s = px->srv; s != NULL; s = s->next) { -+ HA_SPIN_LOCK(SERVER_LOCK, &s->lock); - srv_set_dyncookie(s); -+ HA_SPIN_UNLOCK(SERVER_LOCK, &s->lock); -+ } -+ -+ HA_SPIN_UNLOCK(PROXY_LOCK, &px->lock); - - return 1; - } - --/* Parses the "set maxconn frontend" directive, it always returns 1 */ -+/* Parses the "set maxconn frontend" directive, it always returns 1. -+ * -+ * Grabs the proxy lock. -+ */ - static int cli_parse_set_maxconn_frontend(char **args, struct appctx *appctx, void *private) - { - struct proxy *px; -@@ -1675,6 +1708,8 @@ static int cli_parse_set_maxconn_frontend(char **args, struct appctx *appctx, vo - /* OK, the value is fine, so we assign it to the proxy and to all of - * its listeners. The blocked ones will be dequeued. - */ -+ HA_SPIN_LOCK(PROXY_LOCK, &px->lock); -+ - px->maxconn = v; - list_for_each_entry(l, &px->conf.listeners, by_fe) { - l->maxconn = v; -@@ -1685,10 +1720,15 @@ static int cli_parse_set_maxconn_frontend(char **args, struct appctx *appctx, vo - if (px->maxconn > px->feconn && !LIST_ISEMPTY(&px->listener_queue)) - dequeue_all_listeners(&px->listener_queue); - -+ HA_SPIN_UNLOCK(PROXY_LOCK, &px->lock); -+ - return 1; - } - --/* Parses the "shutdown frontend" directive, it always returns 1 */ -+/* Parses the "shutdown frontend" directive, it always returns 1. -+ * -+ * Grabs the proxy lock. -+ */ - static int cli_parse_shutdown_frontend(char **args, struct appctx *appctx, void *private) - { - struct proxy *px; -@@ -1711,14 +1751,22 @@ static int cli_parse_shutdown_frontend(char **args, struct appctx *appctx, void - px->id, px->fe_counters.cum_conn, px->be_counters.cum_conn); - send_log(px, LOG_WARNING, "Proxy %s stopped (FE: %lld conns, BE: %lld conns).\n", - px->id, px->fe_counters.cum_conn, px->be_counters.cum_conn); -+ -+ HA_SPIN_LOCK(PROXY_LOCK, &px->lock); - stop_proxy(px); -+ HA_SPIN_UNLOCK(PROXY_LOCK, &px->lock); -+ - return 1; - } - --/* Parses the "disable frontend" directive, it always returns 1 */ -+/* Parses the "disable frontend" directive, it always returns 1. -+ * -+ * Grabs the proxy lock. -+ */ - static int cli_parse_disable_frontend(char **args, struct appctx *appctx, void *private) - { - struct proxy *px; -+ int ret; - - if (!cli_has_level(appctx, ACCESS_LVL_ADMIN)) - return 1; -@@ -1741,7 +1789,11 @@ static int cli_parse_disable_frontend(char **args, struct appctx *appctx, void * - return 1; - } - -- if (!pause_proxy(px)) { -+ HA_SPIN_LOCK(PROXY_LOCK, &px->lock); -+ ret = pause_proxy(px); -+ HA_SPIN_UNLOCK(PROXY_LOCK, &px->lock); -+ -+ if (!ret) { - appctx->ctx.cli.severity = LOG_ERR; - appctx->ctx.cli.msg = "Failed to pause frontend, check logs for precise cause.\n"; - appctx->st0 = CLI_ST_PRINT; -@@ -1750,10 +1802,14 @@ static int cli_parse_disable_frontend(char **args, struct appctx *appctx, void * - return 1; - } - --/* Parses the "enable frontend" directive, it always returns 1 */ -+/* Parses the "enable frontend" directive, it always returns 1. -+ * -+ * Grabs the proxy lock. -+ */ - static int cli_parse_enable_frontend(char **args, struct appctx *appctx, void *private) - { - struct proxy *px; -+ int ret; - - if (!cli_has_level(appctx, ACCESS_LVL_ADMIN)) - return 1; -@@ -1776,7 +1832,11 @@ static int cli_parse_enable_frontend(char **args, struct appctx *appctx, void *p - return 1; - } - -- if (!resume_proxy(px)) { -+ HA_SPIN_LOCK(PROXY_LOCK, &px->lock); -+ ret = resume_proxy(px); -+ HA_SPIN_UNLOCK(PROXY_LOCK, &px->lock); -+ -+ if (!ret) { - appctx->ctx.cli.severity = LOG_ERR; - appctx->ctx.cli.msg = "Failed to resume frontend, check logs for precise cause (port conflict?).\n"; - appctx->st0 = CLI_ST_PRINT; diff --git a/net/haproxy/patches/0019-BUG-MEDIUM-cli-threads-protect-some-server-commands-against-concurrent-operations.patch b/net/haproxy/patches/0019-BUG-MEDIUM-cli-threads-protect-some-server-commands-against-concurrent-operations.patch deleted file mode 100644 index c69f874d3..000000000 --- a/net/haproxy/patches/0019-BUG-MEDIUM-cli-threads-protect-some-server-commands-against-concurrent-operations.patch +++ /dev/null @@ -1,188 +0,0 @@ -commit 0dbaa252df906cc9c1d0dc7a075c16e039ab1c5b -Author: Willy Tarreau <w@1wt.eu> -Date: Tue Aug 21 15:35:31 2018 +0200 - - BUG/MEDIUM: cli/threads: protect some server commands against concurrent operations - - The server-specific CLI commands "set weight", "set maxconn", - "disable agent", "enable agent", "disable health", "enable health", - "disable server" and "enable server" were not protected against - concurrent accesses. Now they take the server lock around the - sensitive part. - - This patch must be backported to 1.8. - - (cherry picked from commit 3bcc2699ba08dd3971ae7a56631994b2524d2acb) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/server.c b/src/server.c -index 36a05e27..98dae535 100644 ---- a/src/server.c -+++ b/src/server.c -@@ -4299,6 +4299,10 @@ static int cli_parse_get_weight(char **args, struct appctx *appctx, void *privat - return 1; - } - -+/* Parse a "set weight" command. -+ * -+ * Grabs the server lock. -+ */ - static int cli_parse_set_weight(char **args, struct appctx *appctx, void *private) - { - struct server *sv; -@@ -4311,16 +4315,24 @@ static int cli_parse_set_weight(char **args, struct appctx *appctx, void *privat - if (!sv) - return 1; - -+ HA_SPIN_LOCK(SERVER_LOCK, &sv->lock); -+ - warning = server_parse_weight_change_request(sv, args[3]); - if (warning) { - appctx->ctx.cli.severity = LOG_ERR; - appctx->ctx.cli.msg = warning; - appctx->st0 = CLI_ST_PRINT; - } -+ -+ HA_SPIN_UNLOCK(SERVER_LOCK, &sv->lock); -+ - return 1; - } - --/* parse a "set maxconn server" command. It always returns 1. */ -+/* parse a "set maxconn server" command. It always returns 1. -+ * -+ * Grabs the server lock. -+ */ - static int cli_parse_set_maxconn_server(char **args, struct appctx *appctx, void *private) - { - struct server *sv; -@@ -4333,16 +4345,24 @@ static int cli_parse_set_maxconn_server(char **args, struct appctx *appctx, void - if (!sv) - return 1; - -+ HA_SPIN_LOCK(SERVER_LOCK, &sv->lock); -+ - warning = server_parse_maxconn_change_request(sv, args[4]); - if (warning) { - appctx->ctx.cli.severity = LOG_ERR; - appctx->ctx.cli.msg = warning; - appctx->st0 = CLI_ST_PRINT; - } -+ -+ HA_SPIN_UNLOCK(SERVER_LOCK, &sv->lock); -+ - return 1; - } - --/* parse a "disable agent" command. It always returns 1. */ -+/* parse a "disable agent" command. It always returns 1. -+ * -+ * Grabs the server lock. -+ */ - static int cli_parse_disable_agent(char **args, struct appctx *appctx, void *private) - { - struct server *sv; -@@ -4354,11 +4374,16 @@ static int cli_parse_disable_agent(char **args, struct appctx *appctx, void *pri - if (!sv) - return 1; - -+ HA_SPIN_LOCK(SERVER_LOCK, &sv->lock); - sv->agent.state &= ~CHK_ST_ENABLED; -+ HA_SPIN_UNLOCK(SERVER_LOCK, &sv->lock); - return 1; - } - --/* parse a "disable health" command. It always returns 1. */ -+/* parse a "disable health" command. It always returns 1. -+ * -+ * Grabs the server lock. -+ */ - static int cli_parse_disable_health(char **args, struct appctx *appctx, void *private) - { - struct server *sv; -@@ -4370,11 +4395,16 @@ static int cli_parse_disable_health(char **args, struct appctx *appctx, void *pr - if (!sv) - return 1; - -+ HA_SPIN_LOCK(SERVER_LOCK, &sv->lock); - sv->check.state &= ~CHK_ST_ENABLED; -+ HA_SPIN_UNLOCK(SERVER_LOCK, &sv->lock); - return 1; - } - --/* parse a "disable server" command. It always returns 1. */ -+/* parse a "disable server" command. It always returns 1. -+ * -+ * Grabs the server lock. -+ */ - static int cli_parse_disable_server(char **args, struct appctx *appctx, void *private) - { - struct server *sv; -@@ -4386,11 +4416,16 @@ static int cli_parse_disable_server(char **args, struct appctx *appctx, void *pr - if (!sv) - return 1; - -+ HA_SPIN_LOCK(SERVER_LOCK, &sv->lock); - srv_adm_set_maint(sv); -+ HA_SPIN_UNLOCK(SERVER_LOCK, &sv->lock); - return 1; - } - --/* parse a "enable agent" command. It always returns 1. */ -+/* parse a "enable agent" command. It always returns 1. -+ * -+ * Grabs the server lock. -+ */ - static int cli_parse_enable_agent(char **args, struct appctx *appctx, void *private) - { - struct server *sv; -@@ -4409,11 +4444,16 @@ static int cli_parse_enable_agent(char **args, struct appctx *appctx, void *priv - return 1; - } - -+ HA_SPIN_LOCK(SERVER_LOCK, &sv->lock); - sv->agent.state |= CHK_ST_ENABLED; -+ HA_SPIN_UNLOCK(SERVER_LOCK, &sv->lock); - return 1; - } - --/* parse a "enable health" command. It always returns 1. */ -+/* parse a "enable health" command. It always returns 1. -+ * -+ * Grabs the server lock. -+ */ - static int cli_parse_enable_health(char **args, struct appctx *appctx, void *private) - { - struct server *sv; -@@ -4425,11 +4465,16 @@ static int cli_parse_enable_health(char **args, struct appctx *appctx, void *pri - if (!sv) - return 1; - -+ HA_SPIN_LOCK(SERVER_LOCK, &sv->lock); - sv->check.state |= CHK_ST_ENABLED; -+ HA_SPIN_UNLOCK(SERVER_LOCK, &sv->lock); - return 1; - } - --/* parse a "enable server" command. It always returns 1. */ -+/* parse a "enable server" command. It always returns 1. -+ * -+ * Grabs the server lock. -+ */ - static int cli_parse_enable_server(char **args, struct appctx *appctx, void *private) - { - struct server *sv; -@@ -4441,11 +4486,13 @@ static int cli_parse_enable_server(char **args, struct appctx *appctx, void *pri - if (!sv) - return 1; - -+ HA_SPIN_LOCK(SERVER_LOCK, &sv->lock); - srv_adm_set_ready(sv); - if (!(sv->flags & SRV_F_COOKIESET) - && (sv->proxy->ck_opts & PR_CK_DYNAMIC) && - sv->cookie) - srv_check_for_dup_dyncookie(sv); -+ HA_SPIN_UNLOCK(SERVER_LOCK, &sv->lock); - return 1; - } - diff --git a/net/haproxy/patches/0020-DOC-Fix-spelling-error-in-configuration-doc.patch b/net/haproxy/patches/0020-DOC-Fix-spelling-error-in-configuration-doc.patch deleted file mode 100644 index 7871b9304..000000000 --- a/net/haproxy/patches/0020-DOC-Fix-spelling-error-in-configuration-doc.patch +++ /dev/null @@ -1,24 +0,0 @@ -commit d13cb1516cb5ae4cb8322ed630e1d4e1f584fd77 -Author: Jens Bissinger <whiterabbit.init@googlemail.com> -Date: Thu Aug 23 14:11:27 2018 +0200 - - DOC: Fix spelling error in configuration doc - - Fix spelling error in logging section of configuration doc. - - (cherry picked from commit 15c64ff4fb9f1f64b31306ac53b38fc4d5fb1538) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/doc/configuration.txt b/doc/configuration.txt -index 43e28785..0dd212ad 100644 ---- a/doc/configuration.txt -+++ b/doc/configuration.txt -@@ -16089,7 +16089,7 @@ Please refer to the table below for currently defined variables : - | | %t | date_time (with millisecond resolution) | date | - | H | %tr | date_time of HTTP request | date | - | H | %trg | gmt_date_time of start of HTTP request | date | -- | H | %trl | locla_date_time of start of HTTP request | date | -+ | H | %trl | local_date_time of start of HTTP request | date | - | | %ts | termination_state | string | - | H | %tsc | termination_state with cookie status | string | - +---+------+-----------------------------------------------+-------------+ diff --git a/net/haproxy/patches/0021-BUG-MEDIUM-unix-provide-a---drain-function.patch b/net/haproxy/patches/0021-BUG-MEDIUM-unix-provide-a---drain-function.patch deleted file mode 100644 index 95613f849..000000000 --- a/net/haproxy/patches/0021-BUG-MEDIUM-unix-provide-a---drain-function.patch +++ /dev/null @@ -1,57 +0,0 @@ -commit f87ea7d2fdcfa3ccd5d605b3ce96642d28f20f6b -Author: Willy Tarreau <w@1wt.eu> -Date: Fri Aug 24 14:31:53 2018 +0200 - - BUG/MEDIUM: unix: provide a ->drain() function - - Right now conn_sock_drain() calls the protocol's ->drain() function if - it exists, otherwise it simply tries to disable polling for receiving - on the connection. This doesn't work well anymore since we've implemented - the muxes in 1.8, and it has a side effect with keep-alive backend - connections established over unix sockets. What happens is that if - during the idle time after a request, a connection reports some data, - si_idle_conn_null_cb() is called, which will call conn_sock_drain(). - This one sees there's no drain() on unix sockets and will simply disable - polling for data on the connection. But it doesn't do anything on the - conn_stream. Thus while leaving the conn_fd_handler, the mux's polling - is updated and recomputed based on the conn_stream's polling state, - which is still enabled, and nothing changes, so we see the process - use 100% CPU in this case because the FD remains active in the cache. - - There are several issues that need to be addressed here. The first and - most important is that we cannot expect some protocols to simply stop - reading data when asked to drain pending data. So this patch make the - unix sockets rely on tcp_drain() since the functions are the same. This - solution is appropriate for backporting, but a better one is desired for - the long term. The second issue is that si_idle_conn_null_cb() shouldn't - drain the connection but the conn_stream. - - At the moment we don't have any way to drain a conn_stream, though a flag - on rcv_buf() will do it well. Until we support muxes on the server side - it is not a problem so this part can be addressed later. - - This fix must be backported to 1.8. - - (cherry picked from commit fe5d2ac65fd58a8320e8dc725219c1bce5839592) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/proto_uxst.c b/src/proto_uxst.c -index f2374be6..0b3a57b8 100644 ---- a/src/proto_uxst.c -+++ b/src/proto_uxst.c -@@ -42,6 +42,7 @@ - #include <proto/listener.h> - #include <proto/log.h> - #include <proto/protocol.h> -+#include <proto/proto_tcp.h> - #include <proto/task.h> - - static int uxst_bind_listener(struct listener *listener, char *errmsg, int errlen); -@@ -71,6 +72,7 @@ static struct protocol proto_unix = { - .disable_all = disable_all_listeners, - .get_src = uxst_get_src, - .get_dst = uxst_get_dst, -+ .drain = tcp_drain, - .pause = uxst_pause_listener, - .add = uxst_add_listener, - .listeners = LIST_HEAD_INIT(proto_unix.listeners), diff --git a/net/haproxy/patches/0022-BUG-MINOR-lua-Bad-HTTP-client-request-duration.patch b/net/haproxy/patches/0022-BUG-MINOR-lua-Bad-HTTP-client-request-duration.patch deleted file mode 100644 index 4985ac991..000000000 --- a/net/haproxy/patches/0022-BUG-MINOR-lua-Bad-HTTP-client-request-duration.patch +++ /dev/null @@ -1,56 +0,0 @@ -commit 5b58c92dc9357a87aa3fe94c8121f683feb9c80e -Author: Frédéric Lécaille <flecaille@haproxy.com> -Date: Wed Jul 18 14:25:26 2018 +0200 - - BUG/MINOR: lua: Bad HTTP client request duration. - - HTTP LUA applet callback should not update the date on which the HTTP client requests - arrive. This was done just after the LUA applet has completed its job. - - This patch simply removes the affected statement. The same fixe has been applied - to TCP LUA applet callback. - - To reproduce this issue, as reported by Patrick Hemmer, implement an HTTP LUA applet - which sleeps a bit before replying: - - core.register_service("foo", "http", function(applet) - core.msleep(100) - applet:set_status(200) - applet:start_response() - end) - - This had as a consequence to log %TR field with approximatively the same value as - the LUA sleep time. - - Thank you to Patrick Hemmer for having reported this issue. - - Must be backported to 1.8, 1.7 and 1.6. - - (cherry picked from commit 83ed5d58d2c767d03ce97aef484863a6e1c37a94) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/hlua.c b/src/hlua.c -index daf775fc..8147ed15 100644 ---- a/src/hlua.c -+++ b/src/hlua.c -@@ -6374,9 +6374,6 @@ static void hlua_applet_tcp_fct(struct appctx *ctx) - case HLUA_E_OK: - ctx->ctx.hlua_apptcp.flags |= APPLET_DONE; - -- /* log time */ -- strm->logs.tv_request = now; -- - /* eat the whole request */ - co_skip(si_oc(si), si_ob(si)->o); - res->flags |= CF_READ_NULL; -@@ -6675,9 +6672,8 @@ static void hlua_applet_http_fct(struct appctx *ctx) - - /* close the connection. */ - -- /* status / log */ -+ /* status */ - strm->txn->status = ctx->ctx.hlua_apphttp.status; -- strm->logs.tv_request = now; - - /* eat the whole request */ - co_skip(si_oc(si), si_ob(si)->o); diff --git a/net/haproxy/patches/0023-BUG-MEDIUM-mux_pt-dereference-the-connection-with-care-in-mux_pt_wake.patch b/net/haproxy/patches/0023-BUG-MEDIUM-mux_pt-dereference-the-connection-with-care-in-mux_pt_wake.patch deleted file mode 100644 index 6552f7e33..000000000 --- a/net/haproxy/patches/0023-BUG-MEDIUM-mux_pt-dereference-the-connection-with-care-in-mux_pt_wake.patch +++ /dev/null @@ -1,33 +0,0 @@ -commit d9a130e1962c2a5352f33088c563f4248a102c48 -Author: Willy Tarreau <w@1wt.eu> -Date: Fri Aug 24 15:48:59 2018 +0200 - - BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake() - - mux_pt_wake() calls data->wake() which can return -1 indicating that the - connection was just destroyed. We need to check for this condition and - immediately exit in this case otherwise we dereference a just freed - connection. Note that this mainly happens on idle connections between - two HTTP requests. It can have random implications between requests as - it may lead a wrong connection's polling to be re-enabled or disabled - for example, especially with threads. - - This patch must be backported to 1.8. - - (cherry picked from commit ad7f0ad1c3c9c541a4c315b24d4500405d1383ee) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/mux_pt.c b/src/mux_pt.c -index a68b9621..c43e30f2 100644 ---- a/src/mux_pt.c -+++ b/src/mux_pt.c -@@ -51,6 +51,9 @@ static int mux_pt_wake(struct connection *conn) - - ret = cs->data_cb->wake ? cs->data_cb->wake(cs) : 0; - -+ if (ret < 0) -+ return ret; -+ - /* If we had early data, and we're done with the handshake - * then whe know the data are safe, and we can remove the flag. - */ |