Commit
477902bd2e ("MEDIUM: connections: Get ride of the xprt_done
callback.") broke the master CLI for a very obscure reason. It happens
that short requests immediately terminated by a shutdown are properly
received, CS_FL_EOS is correctly set, but in si_cs_recv(), we refrain
from setting CF_SHUTR on the channel because CO_FL_CONNECTED was not
yet set on the connection since we've not passed again through
conn_fd_handler() and it was not done in conn_complete_session(). While
commit
a8a415d31a ("BUG/MEDIUM: connections: Set CO_FL_CONNECTED in
conn_complete_session()") fixed the issue, such accident may happen
again as the root cause is deeper and actually comes down to the fact
that CO_FL_CONNECTED is lazily set at various check points in the code
but not every time we drop one wait bit. It is not the first time we
face this situation.
Originally this flag was used to detect the transition between WAIT_*
and CONNECTED in order to call ->wake() from the FD handler. But since
at least 1.8-dev1 with commit
7bf3fa3c23 ("BUG/MAJOR: connection: update
CO_FL_CONNECTED before calling the data layer"), CO_FL_CONNECTED is
always synchronized against the two others before being checked. Moreover,
with the I/Os moved to tasklets, the decision to call the ->wake() function
is performed after the I/Os in si_cs_process() and equivalent, which don't
care about this transition either.
So in essence, checking for CO_FL_CONNECTED has become a lazy wait to
check for (CO_FL_WAIT_L4_CONN | CO_FL_WAIT_L6_CONN), but that always
relies on someone else having synchronized it.
This patch addresses it once for all by killing this flag and only checking
the two others (for which a composite mask CO_FL_WAIT_L4L6 was added). This
revealed a number of inconsistencies that were purposely not addressed here
for the sake of bisectability:
- while most places do check both L4+L6 and HANDSHAKE at the same time,
some places like assign_server() or back_handle_st_con() and a few
sample fetches looking for proxy protocol do check for L4+L6 but
don't care about HANDSHAKE ; these ones will probably fail on TCP
request session rules if the handshake is not complete.
- some handshake handlers do validate that a connection is established
at L4 but didn't clear CO_FL_WAIT_L4_CONN
- the ->ctl method of mux_fcgi, mux_pt and mux_h1 only checks for L4+L6
before declaring the mux ready while the snd_buf function also checks
for the handshake's completion. Likely the former should validate the
handshake as well and we should get rid of these extra tests in snd_buf.
- raw_sock_from_buf() would directly set CO_FL_CONNECTED and would only
later clear CO_FL_WAIT_L4_CONN.
- xprt_handshake would set CO_FL_CONNECTED itself without actually
clearing CO_FL_WAIT_L4_CONN, which could apparently happen only if
waiting for a pure Rx handshake.
- most places in ssl_sock that were checking CO_FL_CONNECTED don't need
to include the L4 check as an L6 check is enough to decide whether to
wait for more info or not.
It also becomes obvious when reading the test in si_cs_recv() that caused
the failure mentioned above that once converted it doesn't make any sense
anymore: having CS_FL_EOS set while still waiting for L4 and L6 to complete
cannot happen since for CS_FL_EOS to be set, the other ones must have been
validated.
Some of these parts will still deserve further cleanup, and some of the
observations above may induce some backports of potential bug fixes once
totally analyzed in their context. The risk of breaking existing stuff
is too high to blindly backport everything.
SHOW_FLAG(f, CO_FL_SEND_PROXY);
SHOW_FLAG(f, CO_FL_WAIT_L6_CONN);
SHOW_FLAG(f, CO_FL_WAIT_L4_CONN);
- SHOW_FLAG(f, CO_FL_CONNECTED);
SHOW_FLAG(f, CO_FL_ERROR);
SHOW_FLAG(f, CO_FL_SOCK_WR_SH);
SHOW_FLAG(f, CO_FL_SOCK_RD_SH);
CO_FL_NOTIFY_DONE = 0x001C0000, /* any xprt shut/error flags above needs to be reported */
/* flags used to report connection status updates */
- CO_FL_CONNECTED = 0x00200000, /* L4+L6 now ready ; extra handshakes may or may not exist */
CO_FL_WAIT_L4_CONN = 0x00400000, /* waiting for L4 to be connected */
CO_FL_WAIT_L6_CONN = 0x00800000, /* waiting for L6 to be connected (eg: SSL) */
+ CO_FL_WAIT_L4L6 = 0x00C00000, /* waiting for L4 and/or L6 to be connected */
/*** All the flags below are used for connection handshakes. Any new
* handshake should be added after this point, and CO_FL_HANDSHAKE
tmpsrv->nbpend + 1 < s->be->max_ka_queue))) &&
srv_currently_usable(tmpsrv)) {
list_for_each_entry(conn, &srv_list->conn_list, session_list) {
- if (conn->flags & CO_FL_CONNECTED) {
-
+ if (!(conn->flags & CO_FL_WAIT_L4L6)) {
srv = tmpsrv;
s->target = &srv->obj_type;
goto out_ok;
}
}
- if (((!reuse || (srv_conn && !(srv_conn->flags & CO_FL_CONNECTED)))
+ if (((!reuse || (srv_conn && (srv_conn->flags & CO_FL_WAIT_L4L6)))
&& ha_used_fds > global.tune.pool_high_count) && srv && srv->idle_orphan_conns) {
struct connection *tokill_conn;
}
/* first, let's see if we've made any progress on this connection */
- if (!conn->mux && (conn->flags & CO_FL_CONNECTED)) {
+ if (!conn->mux && !(conn->flags & CO_FL_WAIT_L4L6)) {
/* connection finished to set up */
struct server *srv;
/* connection allocation error before the connection was established */
set_server_check_status(check, HCHK_STATUS_SOCKERR, err_msg);
}
- else if ((conn->flags & (CO_FL_CONNECTED|CO_FL_WAIT_L4_CONN)) == CO_FL_WAIT_L4_CONN) {
+ else if (conn->flags & CO_FL_WAIT_L4_CONN) {
/* L4 not established (yet) */
if (conn->flags & CO_FL_ERROR || cs->flags & CS_FL_ERROR)
set_server_check_status(check, HCHK_STATUS_L4CON, err_msg);
dns_trigger_resolution(check->server->dns_requester);
}
- else if ((conn->flags & (CO_FL_CONNECTED|CO_FL_WAIT_L6_CONN)) == CO_FL_WAIT_L6_CONN) {
+ else if (conn->flags & CO_FL_WAIT_L6_CONN) {
/* L6 not established (yet) */
if (conn->flags & CO_FL_ERROR || cs->flags & CS_FL_ERROR)
set_server_check_status(check, HCHK_STATUS_L6RSP, err_msg);
}
/* the rest of the code below expects the connection to be ready! */
- if (!(conn->flags & CO_FL_CONNECTED) && !done)
+ if (conn->flags & CO_FL_WAIT_L4L6 && !done)
goto wait_more_data;
/* Intermediate or complete response received.
default:
/* good connection is enough for pure TCP check */
- if ((conn->flags & CO_FL_CONNECTED) && !check->type) {
+ if (!(conn->flags & CO_FL_WAIT_L4L6) && !check->type) {
if (check->use_ssl)
set_server_check_status(check, HCHK_STATUS_L6OK, NULL);
else
*/
if (check->result == CHK_RES_UNKNOWN) {
/* good connection is enough for pure TCP check */
- if ((conn->flags & CO_FL_CONNECTED) && !check->type) {
+ if (!(conn->flags & CO_FL_WAIT_L4L6) && !check->type) {
if (check->use_ssl)
set_server_check_status(check, HCHK_STATUS_L6OK, NULL);
else
next = LIST_NEXT(&next->list, struct tcpcheck_rule *, list);
if ((check->current_step || &next->list == head) &&
- (!(conn->flags & CO_FL_CONNECTED) || (conn->flags & CO_FL_HANDSHAKE))) {
+ (conn->flags & (CO_FL_WAIT_L4L6 | CO_FL_HANDSHAKE))) {
/* we allow up to min(inter, timeout.connect) for a connection
* to establish but only when timeout.check is set
* as it may be to short for a full check otherwise
break;
/* don't do anything until the connection is established */
- if (!(conn->flags & CO_FL_CONNECTED))
+ if (conn->flags & CO_FL_WAIT_L4L6)
break;
} /* end 'connect' */
} /* end loop over double chained step list */
/* don't do anything until the connection is established */
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L4L6) {
/* update expire time, should be done by process_chk */
/* we allow up to min(inter, timeout.connect) for a connection
* to establish but only when timeout.check is set
if (conn->flags & CO_FL_ERROR)
goto fail;
- /* Verify if the connection just established. */
- if (unlikely(!(conn->flags & (CO_FL_WAIT_L4_CONN | CO_FL_WAIT_L6_CONN | CO_FL_CONNECTED))))
- conn->flags |= CO_FL_CONNECTED;
if (conn_install_mux_be(conn, conn->ctx, conn->owner) < 0)
goto fail;
}
leave:
- /* Verify if the connection just established. */
- if (unlikely(!(conn->flags & (CO_FL_WAIT_L4_CONN | CO_FL_WAIT_L6_CONN | CO_FL_CONNECTED))))
- conn->flags |= CO_FL_CONNECTED;
-
/* If we don't yet have a mux, that means we were waiting for
* informations to create one, typically from the ALPN. If we're
* done with the handshake, attempt to create one.
* the fd (and return < 0 in this case).
*/
if ((io_available || (((conn->flags ^ flags) & CO_FL_NOTIFY_DONE) ||
- ((flags & (CO_FL_CONNECTED|CO_FL_HANDSHAKE)) != CO_FL_CONNECTED &&
- (conn->flags & (CO_FL_CONNECTED|CO_FL_HANDSHAKE)) == CO_FL_CONNECTED))) &&
+ ((flags & (CO_FL_WAIT_L4L6|CO_FL_HANDSHAKE)) &&
+ (conn->flags & (CO_FL_WAIT_L4L6|CO_FL_HANDSHAKE)) == 0))) &&
conn->mux && conn->mux->wake && conn->mux->wake(conn) < 0)
return;
goto fail;
}
+ conn->flags &= ~CO_FL_WAIT_L4_CONN;
+
if (trash.data < 6)
goto missing;
trash.data = ret;
} while (0);
+ conn->flags &= ~CO_FL_WAIT_L4_CONN;
+
if (!trash.data) {
/* client shutdown */
conn->err_code = CO_ER_CIP_EMPTY;
/* The connection is ready now, simply return and let the connection
* handler notify upper layers if needed.
*/
- if (conn->flags & CO_FL_WAIT_L4_CONN)
- conn->flags &= ~CO_FL_WAIT_L4_CONN;
+ conn->flags &= ~CO_FL_WAIT_L4_CONN;
if (conn->flags & CO_FL_SEND_PROXY) {
/*
}
} while (0);
+ conn->flags &= ~CO_FL_WAIT_L4_CONN;
+
if (ret < SOCKS4_HS_RSP_LEN) {
/* Missing data. Since we're using MSG_PEEK, we can only poll again if
* we are not able to read enough data.
if (!conn)
return 0;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L4L6) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
if (!conn)
return 0;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L4L6) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
int ret = 0;
switch (mux_ctl) {
case MUX_STATUS:
- if (conn->flags & CO_FL_CONNECTED)
+ if (!(conn->flags & CO_FL_WAIT_L4L6))
ret |= MUX_STATUS_READY;
return ret;
default:
* now, as we don't want to remove everything from the channel buffer
* before we're sure we can send it.
*/
- if (!(h1c->conn->flags & CO_FL_CONNECTED) ||
- (h1c->conn->flags & CO_FL_HANDSHAKE)) {
+ if (h1c->conn->flags & (CO_FL_WAIT_L4L6|CO_FL_HANDSHAKE)) {
TRACE_LEAVE(H1_EV_STRM_SEND, h1c->conn, h1s);
return 0;
}
int ret = 0;
switch (mux_ctl) {
case MUX_STATUS:
- if (conn->flags & CO_FL_CONNECTED)
+ if (!(conn->flags & CO_FL_WAIT_L4L6))
ret |= MUX_STATUS_READY;
return ret;
default:
int ret = 0;
switch (mux_ctl) {
case MUX_STATUS:
- if (conn->flags & CO_FL_CONNECTED)
+ if (!(conn->flags & CO_FL_WAIT_L4L6))
ret |= MUX_STATUS_READY;
return ret;
default:
count -= ret;
done += ret;
- /* A send succeeded, so we can consier ourself connected */
- conn->flags |= CO_FL_CONNECTED;
/* if the system buffer is full, don't insist */
if (ret < try)
break;
if (conn->flags & CO_FL_ERROR)
goto fail;
- /* Verify if the connection just established. */
- if (unlikely(!(conn->flags & (CO_FL_WAIT_L4_CONN | CO_FL_WAIT_L6_CONN | CO_FL_CONNECTED))))
- conn->flags |= CO_FL_CONNECTED;
-
/* if logs require transport layer information, note it on the connection */
if (sess->fe->to_log & LW_XPRT)
conn->flags |= CO_FL_XPRT_TRACKED;
*/
if (where & SSL_CB_HANDSHAKE_START) {
/* Disable renegotiation (CVE-2009-3555) */
- if ((conn->flags & (CO_FL_CONNECTED | CO_FL_EARLY_SSL_HS | CO_FL_EARLY_DATA)) == CO_FL_CONNECTED) {
+ if ((conn->flags & (CO_FL_WAIT_L6_CONN | CO_FL_EARLY_SSL_HS | CO_FL_EARLY_DATA)) == 0) {
conn->flags |= CO_FL_ERROR;
conn->err_code = CO_ER_SSL_RENEG;
}
* the reneg handshake.
* Here we use SSL_peek as a workaround for reneg.
*/
- if ((conn->flags & CO_FL_CONNECTED) && SSL_renegotiate_pending(ctx->ssl)) {
+ if (!(conn->flags & CO_FL_WAIT_L6_CONN) && SSL_renegotiate_pending(ctx->ssl)) {
char c;
ret = SSL_peek(ctx->ssl, &c, 1);
goto out_error;
}
if (ret > 0) {
- /* A send succeeded, so we can consier ourself connected */
- conn->flags |= CO_FL_CONNECTED;
+ /* A send succeeded, so we can consider ourself connected */
+ conn->flags &= ~CO_FL_WAIT_L4L6;
ctx->xprt_st &= ~SSL_SOCK_SEND_UNLIMITED;
count -= ret;
done += ret;
ctx = conn->xprt_ctx;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
return 0;
ctx = conn->xprt_ctx;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
ctx = conn->xprt_ctx;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
return 0;
ctx = conn->xprt_ctx;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
return 0;
ctx = conn->xprt_ctx;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
return 0;
ctx = conn->xprt_ctx;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
return 0;
ctx = conn->xprt_ctx;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
return 0;
ctx = conn->xprt_ctx;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
return 0;
ctx = conn->xprt_ctx;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
return 0;
ctx = conn->xprt_ctx;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
return 0;
ctx = conn->xprt_ctx;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
return 0;
ctx = conn->xprt_ctx;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
return 0;
ctx = conn->xprt_ctx;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
return 0;
ctx = conn->xprt_ctx;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags = SMP_F_MAY_CHANGE;
return 0;
}
if (!conn || conn->xprt != &ssl_sock)
return 0;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags = SMP_F_MAY_CHANGE;
return 0;
}
if (!conn || conn->xprt != &ssl_sock)
return 0;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags = SMP_F_MAY_CHANGE;
return 0;
}
if (!conn || conn->xprt != &ssl_sock)
return 0;
- if (!(conn->flags & CO_FL_CONNECTED)) {
+ if (conn->flags & CO_FL_WAIT_L6_CONN) {
smp->flags = SMP_F_MAY_CHANGE;
return 0;
}
/* The connection is ready now, simply return and let the connection
* handler notify upper layers if needed.
*/
- if (conn->flags & CO_FL_WAIT_L4_CONN)
- conn->flags &= ~CO_FL_WAIT_L4_CONN;
+ conn->flags &= ~CO_FL_WAIT_L4_CONN;
conn->flags &= ~flag;
return 1;
}
if (!si_state_in(si->state, SI_SB_EST|SI_SB_DIS|SI_SB_CLO) &&
- (conn->flags & (CO_FL_CONNECTED | CO_FL_HANDSHAKE)) == CO_FL_CONNECTED) {
+ (conn->flags & (CO_FL_WAIT_L4L6 | CO_FL_HANDSHAKE)) == 0) {
si->exp = TICK_ETERNITY;
oc->flags |= CF_WRITE_NULL;
if (si->state == SI_ST_CON)
}
else if (cs->flags & CS_FL_EOS) {
/* connection closed */
- if (conn->flags & CO_FL_CONNECTED) {
+ if (!(conn->flags & CO_FL_WAIT_L4L6)) {
/* we received a shutdown */
ic->flags |= CF_READ_NULL;
if (ic->flags & CF_AUTO_CLOSE)
ctx->subs = NULL;
}
- if (!(conn->flags & CO_FL_ERROR))
- conn->flags |= CO_FL_CONNECTED;
-
/* Remove ourself from the xprt chain */
if (ctx->wait_event.events != 0)
ctx->xprt->unsubscribe(ctx->conn,
projects / thirdparty / haproxy.git / commitdiff
