I saw the crash after patching mux_h1.c only but it was perhaps because I 
reloaded the service.

On 29/06/2026 16:34, Yaacov Akiba Slama wrote:
> On 29/06/2026 16:23, Christopher Faulet wrote:
>> Le 28/06/2026 à 5:28 PM, Yaacov Akiba Slama a écrit :
>>> Hi,
>>>
>>> Sending again because the patch was scrambled.
>>>
>>>
>>> After upgrading to 3.4.1 we hit repeated BUG_ON crashes in __b_putblk()
>>> triggered by the FCGI drain fix (84b952515).  The drain fix is correct,
>>> but it exposed missing b_room() checks in four b_xfer() zero-copy call
>>> sites.  Patch in attachment fixes all four.
>>
>> Could you share your backtrace please ?
> Here is the backtrace. I think that hlua_process_task` and `cli_io_handler` 
> are misresolved (huge offsets), so the only reliable symbol in the chain is 
> `sc_conn_io_cb`.
> 
> Jun 28 05:33:56 server1 haproxy[3703705]: FATAL: bug condition "b_data(b) + 
> len > b_size(b)" matched at src/buf.c:318
> Jun 28 05:33:56 server1 haproxy[3703705]: 65.52.160.255:26171 
> [28/Jun/2026:05:33:56.755] http-in http-in/<NOSRV> 0/-1/-1/-1/+0 302 +0 - - 
> LR-- 219/79/0/0/0 0/0 "GET /edit-tags.php HTTP/1.1"
> Jun 28 05:33:56 server1 haproxy[3703705]:   call trace(13):
> Jun 28 05:33:56 server1 haproxy[3703705]:   | 0x55dfc396e630 <b5 ee ff e8 50 
> 8c ee ff]: __b_putblk+0xd0/0xe8 > ha_backtrace_to_stderr
> Jun 28 05:33:56 server1 haproxy[3703705]:   | 0x55dfc396e7a8 <89 4d f8 e8 b8 
> fd ff ff]: b_xfer+0x158/0x194 > __b_putblk
> Jun 28 05:33:56 server1 haproxy[3703705]:   | 0x55dfc36f5914 <89 4d c8 e8 3c 
> 8d 27 00]: hlua_process_task+0x291c4 > b_xfer
> Jun 28 05:33:56 server1 haproxy[3703705]:   | 0x55dfc3846908 <08 0f 29 45 90 
> ff 50 10]: cli_io_handler+0x3a318
> Jun 28 05:33:56 server1 haproxy[3703705]:   | 0x55dfc384a917 <89 75 e8 e8 29 
> bb ff ff]: sc_conn_io_cb+0x97/0xf2 > cli_io_handler+0x39e50
> Jun 28 05:33:56 server1 haproxy[3703705]:   | 0x55dfc39319a7 <c2 0f 29 45 a0 
> 41 ff d2]: run_tasks_from_lists+0x2c7/0xaa7
> Jun 28 05:33:56 server1 haproxy[3703705]:   | 0x55dfc39325bd <89 75 ac e8 23 
> f1 ff ff]: process_runnable_tasks+0x42d/0xad9 > run_tasks_from_lists
> Jun 28 05:33:56 server1 haproxy[3703705]:   | 0x55dfc386fa08 <01 00 00 e8 88 
> 27 0c 00]: run_poll_loop+0xb8/0x55f > process_runnable_tasks
> Jun 28 05:33:56 server1 haproxy[3703705]:   | 0x55dfc387012d <00 00 00 e8 23 
> f8 ff ff]: run_thread_poll_loop+0x27d/0x523 > run_poll_loop
> Jun 28 05:33:56 server1 haproxy[3703705]:   | 0x7f5e79c9dda9 <10 e9 9b fd ff 
> ff ff d0]: libc:+0x95da9
> Jun 28 05:33:56 server1 haproxy[3703705]:   | 0x7f5e79d1ce08 <c3 31 ed 4c 89 
> c7 ff d2]: libc:+0x114e08
> Jun 28 05:33:56 server1 haproxy[3703705]: Hint: when reporting this bug to 
> developers, please check if a core file was
> Jun 28 05:33:56 server1 haproxy[3703705]:       produced, open it with 'gdb', 
> issue 'bt' to produce a backtrace for the
> Jun 28 05:33:56 server1 haproxy[3703705]:       current thread only, then 
> join it with the bug report.
> Jun 28 05:33:56 server1 haproxy[3703703]: [ALERT]    (3703703) : Current 
> worker (3703705) exited with code 132 (Illegal instruction)
> Jun 28 05:33:56 server1 haproxy[3703703]: [WARNING]  (3703703) : A worker 
> process unexpectedly died and this can only be explained by a bug in haproxy 
> or its dependencies.
> Jun 28 05:33:56 server1 haproxy[3703703]: Please check that you are running 
> an up to date and maintained version of haproxy and open a bug report.
> Jun 28 05:33:56 server1 haproxy[3703703]: HAProxy version 3.4.1-1+0awslc 
> 2026/06/27 - https://haproxy.org/
> Jun 28 05:33:56 server1 haproxy[3703703]: Status: long-term supported branch 
> - will stop receiving fixes around Q2 2031.
> Jun 28 05:33:56 server1 haproxy[3703703]: Known bugs: 
> http://www.haproxy.org/bugs/bugs-3.4.1.html
> Jun 28 05:33:56 server1 haproxy[3703703]: Running on: Linux 
> 7.0.10+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 7.0.10-1 (2026-05-27) x86_64
> Jun 28 05:33:56 server1 haproxy[3703703]: [ALERT]    (3703703) : 
> exit-on-failure: killing every processes with SIGTERM
> Jun 28 05:33:56 server1 haproxy[3703703]: [WARNING]  (3703703) : All workers 
> exited. Exiting... (132)
> Jun 28 05:33:56 server1 systemd[1]: haproxy.service: Main process exited, 
> code=exited, status=132/n/a
> Jun 28 05:33:56 server1 systemd[1]: haproxy.service: Failed with result 
> 'exit-code'.
> Jun 28 05:33:56 server1 systemd[1]: haproxy.service: Consumed 6min 18.613s 
> CPU time over 1h 8min 43.559s wall clock time, 295.7M memory peak.
> Jun 28 05:33:57 server1 systemd[1]: haproxy.service: Scheduled restart job, 
> restart counter is at 61.
> Jun 28 05:33:57 server1 systemd[1]: Starting haproxy.service - HAProxy Load 
> Balancer...
>>
>> Your patch should not fix anything. In appctx_htx_rcv_buf(), h2_rcv_buf() 
>> and qcs_http_rcv_buf(), b_xfer() is called when the destination buffer is 
>> empty. So there is always enough space, the buffers are swapped.__b_putblk() 
>> is never called.
>>
>> Remains the fix for h1_nego_ff(). In that case, relying on b_contig_space() 
>> is safe, especially because the buffer is realigned if the free space wraps. 
>> In fact b_room() and b_contig_space() should be equivalent.
>>
>> Your backtrace should help me to better understand your issue.
>>
>> Regards,
> 



Reply via email to