Re: [PATCH] BUG/MEDIUM: init: Initialize idle_orphan_conns for first server in server-template

[Willy Tarreau]

On Wed, Jan 09, 2019 at 08:20:47AM -0500, Daniel Corbett wrote:
> Sure -- attached you will find the new patch with the updated details.

Now merged, thank you!

Willy

Re: [PATCH] BUG/MEDIUM: init: Initialize idle_orphan_conns for first server in server-template

[Daniel Corbett]

Hello,

On 1/9/19 6:06 AM, Willy Tarreau wrote:

On Wed, Jan 09, 2019 at 11:54:36AM +0100, Olivier Houchard wrote:

Oops, that seems right, and the patch looks fine, Willy can you push it ?

Sure. Daniel, may I put your real name or do you want to resubmit the
patch ? We usually don't take patches using aliases only for the author.

Thanks!
Willy



Sure -- attached you will find the new patch with the updated details.

Thanks,
-- Daniel
>From 13b37d5366be36535b3c67242ae0ac328e3aaaf8 Mon Sep 17 00:00:00 2001
From: Daniel Corbett 
Date: Wed, 9 Jan 2019 08:13:29 -0500
Subject: [PATCH] BUG/MEDIUM: init: Initialize idle_orphan_conns for first
 server in server-template

When initializing server-template all of the servers after the first
have srv->idle_orphan_conns initialized within server_template_init()
The first server does not have this initialized and when http-reuse
is active this causes a segmentation fault when accessed from
srv_add_to_idle_list().  This patch removes the check for
srv->tmpl_info.prefix within server_finalize_init() and allows
the first server within a server-template to have srv->idle_orphan_conns
properly initialized.

This should be backported to 1.9.
---
 src/server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/server.c b/src/server.c
index 4cd8784..bc9e805 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1936,7 +1936,7 @@ static int server_finalize_init(const char *file, int linenum, char **args, int
 		px->srv_act++;
 	srv_lb_commit_status(srv);
 
-	if (!srv->tmpl_info.prefix && srv->max_idle_conns != 0) {
+	if (srv->max_idle_conns != 0) {
 			int i;
 
 			srv->idle_orphan_conns = calloc(global.nbthread, sizeof(*srv->idle_orphan_conns));
-- 
2.7.4

Re: [PATCH] BUG/MEDIUM: init: Initialize idle_orphan_conns for first server in server-template

[Willy Tarreau]

On Wed, Jan 09, 2019 at 11:54:36AM +0100, Olivier Houchard wrote:
> Oops, that seems right, and the patch looks fine, Willy can you push it ?

Sure. Daniel, may I put your real name or do you want to resubmit the
patch ? We usually don't take patches using aliases only for the author.

Thanks!
Willy

Re: [PATCH] BUG/MEDIUM: init: Initialize idle_orphan_conns for first server in server-template

[Olivier Houchard]

Hi,

On Wed, Jan 09, 2019 at 01:44:08AM -0500, cripy wrote:
> Hi,
> 
> I found a segfault when using server-template within 1.9.x and 2.0-dev.
> This seems to be related to  "http-reuse" as when I set to "never" it does
> not crash anymore.
> 
> It appears that idle_orphan_conns is not being properly initialized for the
> first server within the server-template.  I was able to confirm this by
> creating a small server-template with 4 servers and setting all of the
> addresses except for the first 1.  This did not result in a crash.  As soon
> as I set and was sent to the first address it resulted in a crash.
> 
> I found that server_template_init() establishes everything fine for all
> servers (setting id from prefix with srv_set_id_from_prefix() , etc... )
> and then at the bottom of the function you can see it calls
> srv_set_id_from_prefix() to then establish the id for the first server --
> however, the first server doesn't get any of the logic to initialize the
> idle_orphan_conns.
> 
> My initial fix added the idle_orphan_conns initialization code to the
> bottom of server_template_init() (right below the srv_set_id_from_prefix()
> which sets the prefix specifically for the first server slot) -- however
> this seemed like it might be too messy.
> 
> I believe a better option is to remove the check for !srv->tmpl_info.prefix
> within server_finalize_init().  Patch attached.
> 
> Feel free to correct me if I am wrong on this assumption.
> 
> Here is the config which results in a crash:
> 
> listen fe_main
> mode http
> bind *:80
> timeout server 5ms
> timeout client 5ms
> timeout connect 5ms
> server-template srv 2 10.1.0.1:80
> 
> (Should segfault after the first request)
> 
> HA-Proxy version 2.0-dev0-251a6b-97 2019/01/08 - https://haproxy.org/
> Build options :
>   TARGET  = linux2628
>   CPU = generic
>   CC  = gcc
>   CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
> -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter
> -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered
> -Wno-missing-field-initializers -Wtype-limits
>   OPTIONS = USE_OPENSSL=1
> 
> Backtrace:
> [New LWP 14046]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Core was generated by `./haproxy -f crash.cfg -d'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x004f82fe in srv_add_to_idle_list (conn=0x2331320,
> srv=0x22aeb60) at include/proto/server.h:244
> 244LIST_ADDQ(>idle_orphan_conns[tid], >list);
> (gdb) bt
> #0  0x004f82fe in srv_add_to_idle_list (conn=0x2331320,
> srv=0x22aeb60) at include/proto/server.h:244
> #1  session_free (sess=0x2330970) at src/session.c:90
> #2  0x0050dca3 in mux_pt_destroy (ctx=0x2330920) at src/mux_pt.c:38
> #3  0x00446bdb in cs_destroy (cs=0x2331230) at
> include/proto/connection.h:708
> #4  si_release_endpoint (si=si@entry=0x2330cd8) at
> include/proto/stream_interface.h:170
> #5  0x0044c9ec in stream_free (s=0x2330a40) at src/stream.c:446
> #6  process_stream (t=t@entry=0x2330e30, context=0x2330a40,
> state=) at src/stream.c:2610
> #7  0x00509955 in process_runnable_tasks () at src/task.c:432
> #8  0x0048b485 in run_poll_loop () at src/haproxy.c:2619
> #9  run_thread_poll_loop (data=data@entry=0x23267d0) at src/haproxy.c:2684
> #10 0x0040aa0c in main (argc=, argv=0x7fffd8018e48)
> at src/haproxy.c:3313
> 
> (gdb) frame 0
> #0  0x004f82fe in srv_add_to_idle_list (conn=0x2331320,
> srv=0x22aeb60) at include/proto/server.h:244
> 244LIST_ADDQ(>idle_orphan_conns[tid], >list);
> 
> (gdb) print >idle_orphan_conns[tid]
> $1 = (struct list *) 0x0
> 
> (gdb) print >list
> $2 = (struct list *) 0x2331370


Oops, that seems right, and the patch looks fine, Willy can you push it ?

Thanks a lot !

Olivier

[PATCH] BUG/MEDIUM: init: Initialize idle_orphan_conns for first server in server-template

[cripy]

Hi,

I found a segfault when using server-template within 1.9.x and 2.0-dev.
This seems to be related to  "http-reuse" as when I set to "never" it does
not crash anymore.

It appears that idle_orphan_conns is not being properly initialized for the
first server within the server-template.  I was able to confirm this by
creating a small server-template with 4 servers and setting all of the
addresses except for the first 1.  This did not result in a crash.  As soon
as I set and was sent to the first address it resulted in a crash.

I found that server_template_init() establishes everything fine for all
servers (setting id from prefix with srv_set_id_from_prefix() , etc... )
and then at the bottom of the function you can see it calls
srv_set_id_from_prefix() to then establish the id for the first server --
however, the first server doesn't get any of the logic to initialize the
idle_orphan_conns.

My initial fix added the idle_orphan_conns initialization code to the
bottom of server_template_init() (right below the srv_set_id_from_prefix()
which sets the prefix specifically for the first server slot) -- however
this seemed like it might be too messy.

I believe a better option is to remove the check for !srv->tmpl_info.prefix
within server_finalize_init().  Patch attached.

Feel free to correct me if I am wrong on this assumption.

Here is the config which results in a crash:

listen fe_main
mode http
bind *:80
timeout server 5ms
timeout client 5ms
timeout connect 5ms
server-template srv 2 10.1.0.1:80

(Should segfault after the first request)

HA-Proxy version 2.0-dev0-251a6b-97 2019/01/08 - https://haproxy.org/
Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
-fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter
-Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered
-Wno-missing-field-initializers -Wtype-limits
  OPTIONS = USE_OPENSSL=1

Backtrace:
[New LWP 14046]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./haproxy -f crash.cfg -d'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x004f82fe in srv_add_to_idle_list (conn=0x2331320,
srv=0x22aeb60) at include/proto/server.h:244
244LIST_ADDQ(>idle_orphan_conns[tid], >list);
(gdb) bt
#0  0x004f82fe in srv_add_to_idle_list (conn=0x2331320,
srv=0x22aeb60) at include/proto/server.h:244
#1  session_free (sess=0x2330970) at src/session.c:90
#2  0x0050dca3 in mux_pt_destroy (ctx=0x2330920) at src/mux_pt.c:38
#3  0x00446bdb in cs_destroy (cs=0x2331230) at
include/proto/connection.h:708
#4  si_release_endpoint (si=si@entry=0x2330cd8) at
include/proto/stream_interface.h:170
#5  0x0044c9ec in stream_free (s=0x2330a40) at src/stream.c:446
#6  process_stream (t=t@entry=0x2330e30, context=0x2330a40,
state=) at src/stream.c:2610
#7  0x00509955 in process_runnable_tasks () at src/task.c:432
#8  0x0048b485 in run_poll_loop () at src/haproxy.c:2619
#9  run_thread_poll_loop (data=data@entry=0x23267d0) at src/haproxy.c:2684
#10 0x0040aa0c in main (argc=, argv=0x7fffd8018e48)
at src/haproxy.c:3313

(gdb) frame 0
#0  0x004f82fe in srv_add_to_idle_list (conn=0x2331320,
srv=0x22aeb60) at include/proto/server.h:244
244LIST_ADDQ(>idle_orphan_conns[tid], >list);

(gdb) print >idle_orphan_conns[tid]
$1 = (struct list *) 0x0

(gdb) print >list
$2 = (struct list *) 0x2331370


0001-BUG-MEDIUM-init-Initialize-idle_orphan_conns-for-fir.patch
Description: Binary data