haproxy: Update HAProxy to v1.8.5

- Update haproxy download URL and hash
- Remove all already included patches

Signed-off-by: Christian Lachner <gladiac@gmail.com>

net/haproxy/Makefile

@@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=haproxy
-PKG_VERSION:=1.8.4
-PKG_RELEASE:=02
+PKG_VERSION:=1.8.5
+PKG_RELEASE:=01
 
 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.haproxy.org/download/1.8/src/
-PKG_HASH:=e305b0a4e7dec08072841eef6ac6dcd1b5586b1eff09c2d51e152a912e8884a6
+PKG_HASH:=1c22083fa85332d5ab1c9aa8a7ec47a28d87ad9d802558808f9921d938ba20c9
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_LICENSE:=GPL-2.0

net/haproxy/patches/0001-BUG-MEDIUM-ssl-Dont-always-treat-SSL_ERROR_SYSCALL-as-unrecovarable.patch

@@ -1,61 +0,0 @@
-From 2fcd544272a5498ffa49544e9f06b51bc93e55d1 Mon Sep 17 00:00:00 2001
-From: Olivier Houchard <ohouchard@haproxy.com>
-Date: Tue, 13 Feb 2018 15:17:23 +0100
-Subject: [PATCH] BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as
- unrecovarable.
-
-Bart Geesink reported some random errors appearing under the form of
-termination flags SD in the logs for connections involving SSL traffic
-to reach the servers.
-
-Tomek Gacek and Mateusz Malek finally narrowed down the problem to commit
-c2aae74 ("MEDIUM: ssl: Handle early data with OpenSSL 1.1.1"). It happens
-that the special case of SSL_ERROR_SYSCALL isn't handled anymore since
-this commit.
-
-SSL_read() might return <= 0, and SSL_get_erro() return SSL_ERROR_SYSCALL,
-without meaning the connection is gone. Before flagging the connection
-as in error, check the errno value.
-
-This should be backported to 1.8.
-
-(cherry picked from commit 7e2e505006feb8f3b4a7f9e0ac5e89b5a8c4895e)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/ssl_sock.c |    9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index aecf3dd..f118724 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -5437,6 +5437,12 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- 				break;
- 			} else if (ret == SSL_ERROR_ZERO_RETURN)
- 				goto read0;
-+			/* For SSL_ERROR_SYSCALL, make sure the error is
-+			 * unrecoverable before flagging the connection as
-+			 * in error.
-+			 */
-+			if (ret == SSL_ERROR_SYSCALL && (!errno || errno == EAGAIN))
-+				goto clear_ssl_error;
- 			/* otherwise it's a real error */
- 			goto out_error;
- 		}
-@@ -5451,11 +5457,12 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- 	conn_sock_read0(conn);
- 	goto leave;
-  out_error:
-+	conn->flags |= CO_FL_ERROR;
-+clear_ssl_error:
- 	/* Clear openssl global errors stack */
- 	ssl_sock_dump_errors(conn);
- 	ERR_clear_error();
- 
--	conn->flags |= CO_FL_ERROR;
- 	goto leave;
- }
- 
--- 
-1.7.10.4
-

net/haproxy/patches/0002-BUG-MEDIUM-ssl-Shutdown-the-connection-for-reading-on-SSL_ERROR_SYSCALL.patch

@@ -1,63 +0,0 @@
-From f7fa1d461aa71bbc8a6c23fdcfc305f2e52ce5dd Mon Sep 17 00:00:00 2001
-From: Christopher Faulet <cfaulet@haproxy.com>
-Date: Mon, 19 Feb 2018 14:25:15 +0100
-Subject: [PATCH] BUG/MEDIUM: ssl: Shutdown the connection for reading on
- SSL_ERROR_SYSCALL
-
-When SSL_read returns SSL_ERROR_SYSCALL and errno is unset or set to EAGAIN, the
-connection must be shut down for reading. Else, the connection loops infinitly,
-consuming all the CPU.
-
-The bug was introduced in the commit 7e2e50500 ("BUG/MEDIUM: ssl: Don't always
-treat SSL_ERROR_SYSCALL as unrecovarable."). This patch must be backported in
-1.8 too.
-
-(cherry picked from commit 4ac77a98cda3d0f9b1d9de7bbbda2c91357f0767)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/ssl_sock.c |   14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index f118724..a065bbb 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -5437,10 +5437,9 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- 				break;
- 			} else if (ret == SSL_ERROR_ZERO_RETURN)
- 				goto read0;
--			/* For SSL_ERROR_SYSCALL, make sure the error is
--			 * unrecoverable before flagging the connection as
--			 * in error.
--			 */
-+			/* For SSL_ERROR_SYSCALL, make sure to clear the error
-+			 * stack before shutting down the connection for
-+			 * reading. */
- 			if (ret == SSL_ERROR_SYSCALL && (!errno || errno == EAGAIN))
- 				goto clear_ssl_error;
- 			/* otherwise it's a real error */
-@@ -5453,16 +5452,19 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- 	conn_cond_update_sock_polling(conn);
- 	return done;
- 
-+ clear_ssl_error:
-+	/* Clear openssl global errors stack */
-+	ssl_sock_dump_errors(conn);
-+	ERR_clear_error();
-  read0:
- 	conn_sock_read0(conn);
- 	goto leave;
-+
-  out_error:
- 	conn->flags |= CO_FL_ERROR;
--clear_ssl_error:
- 	/* Clear openssl global errors stack */
- 	ssl_sock_dump_errors(conn);
- 	ERR_clear_error();
--
- 	goto leave;
- }
- 
--- 
-1.7.10.4
-

net/haproxy/patches/0003-BUG-MEDIUM-http-Switch-the-HTTP-response-in-tunnel-mode-as-earlier-as-possible.patch

@@ -1,69 +0,0 @@
-From 8a5949f2d74c3a3a6c6da25449992c312b183ef3 Mon Sep 17 00:00:00 2001
-From: Christopher Faulet <cfaulet@haproxy.com>
-Date: Fri, 2 Feb 2018 15:54:15 +0100
-Subject: [PATCH] BUG/MEDIUM: http: Switch the HTTP response in tunnel mode as
- earlier as possible
-
-When the body length is undefined (no Content-Length or Transfer-Encoding
-headers), The reponse remains in ending mode, waiting the request is done. So,
-most of time this is not a problem because the resquest is done before the
-response. But when a client sends data to a server that replies without waiting
-all the data, it is really not desirable to wait the end of the request to
-finish the response.
-
-This bug was introduced when the tunneling of the request and the reponse was
-refactored, in commit 4be980391 ("MINOR: http: Switch requests/responses in
-TUNNEL mode only by checking txn flag").
-
-This patch should be backported in 1.8 and 1.7.
-
-(cherry picked from commit fd04fcf5edb0a24cd29ce8f4d4dc2aa3a0e2e82c)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/proto_http.c |   15 +++++----------
- 1 file changed, 5 insertions(+), 10 deletions(-)
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 64bd410..29880ea 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -4634,16 +4634,8 @@ int http_sync_res_state(struct stream *s)
- 			 * let's enforce it now that we're not expecting any new
- 			 * data to come. The caller knows the stream is complete
- 			 * once both states are CLOSED.
--			 *
--			 * However, there is an exception if the response length
--			 * is undefined. In this case, we switch in TUNNEL mode.
- 			 */
--			if (!(txn->rsp.flags & HTTP_MSGF_XFER_LEN)) {
--				channel_auto_read(chn);
--				txn->rsp.msg_state = HTTP_MSG_TUNNEL;
--				chn->flags |= CF_NEVER_WAIT;
--			}
--			else if (!(chn->flags & (CF_SHUTW|CF_SHUTW_NOW))) {
-+			if (!(chn->flags & (CF_SHUTW|CF_SHUTW_NOW))) {
- 				channel_shutr_now(chn);
- 				channel_shutw_now(chn);
- 			}
-@@ -6241,6 +6233,8 @@ http_msg_forward_body(struct stream *s, struct http_msg *msg)
- 		/* The server still sending data that should be filtered */
- 		if (!(chn->flags & CF_SHUTR) && HAS_DATA_FILTERS(s, chn))
- 			goto missing_data_or_waiting;
-+		msg->msg_state = HTTP_MSG_TUNNEL;
-+		goto ending;
- 	}
- 
- 	msg->msg_state = HTTP_MSG_ENDING;
-@@ -6262,7 +6256,8 @@ http_msg_forward_body(struct stream *s, struct http_msg *msg)
- 			 /* default_ret */ 1,
- 			 /* on_error    */ goto error,
- 			 /* on_wait     */ goto waiting);
--	msg->msg_state = HTTP_MSG_DONE;
-+	if (msg->msg_state == HTTP_MSG_ENDING)
-+		msg->msg_state = HTTP_MSG_DONE;
- 	return 1;
- 
-   missing_data_or_waiting:
--- 
-1.7.10.4
-

net/haproxy/patches/0004-BUG-MEDIUM-ssl-sample-ssl_bc_-fetch-keywords-are-broken.patch

@@ -1,103 +0,0 @@
-From 7ccf7c9791f2b2329f3940d1347618af3a77bebc Mon Sep 17 00:00:00 2001
-From: Emeric Brun <ebrun@haproxy.com>
-Date: Mon, 19 Feb 2018 15:59:48 +0100
-Subject: [PATCH] BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken.
-
-Since the split between connections and conn-stream objects, this
-keywords are broken.
-
-This patch must be backported in 1.8
-
-(cherry picked from commit eb8def9f34c37537d56a69fcd211d4c4c8006bea)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/ssl_sock.c |   31 ++++++++++++++-----------------
- 1 file changed, 14 insertions(+), 17 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 4d0d5db..d832d76 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -6580,8 +6580,8 @@ smp_fetch_ssl_x_key_alg(const struct arg *args, struct sample *smp, const char *
- static int
- smp_fetch_ssl_fc(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
--	struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
--	                                    smp->strm ? smp->strm->si[1].end : NULL);
-+	struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+	                                    smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- 
- 	smp->data.type = SMP_T_BOOL;
- 	smp->data.u.sint = (conn && conn->xprt == &ssl_sock);
-@@ -6625,8 +6625,8 @@ smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const ch
- static int
- smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
--	struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
--	                                    smp->strm ? smp->strm->si[1].end : NULL);
-+	struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+	                                    smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- 
- 	smp->flags = 0;
- 	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
-@@ -6651,9 +6651,8 @@ smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *
- static int
- smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
--	struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
--	                                    smp->strm ? smp->strm->si[1].end : NULL);
--
-+	struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+	                                    smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- 	int sint;
- 
- 	smp->flags = 0;
-@@ -6676,8 +6675,8 @@ smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const c
- static int
- smp_fetch_ssl_fc_use_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
--	struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
--	                                    smp->strm ? smp->strm->si[1].end : NULL);
-+	struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+	                                    smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- 
- 	smp->flags = 0;
- 	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
-@@ -6747,8 +6746,8 @@ smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw
- static int
- smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
--	struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
--	                                    smp->strm ? smp->strm->si[1].end : NULL);
-+	struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+	                                    smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- 
- 	smp->flags = 0;
- 	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
-@@ -6773,9 +6772,8 @@ static int
- smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
- #if OPENSSL_VERSION_NUMBER > 0x0090800fL
--	struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
--	                                    smp->strm ? smp->strm->si[1].end : NULL);
--
-+	struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+	                                    smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- 	SSL_SESSION *ssl_sess;
- 
- 	smp->flags = SMP_F_CONST;
-@@ -6917,9 +6915,8 @@ static int
- smp_fetch_ssl_fc_unique_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
- #if OPENSSL_VERSION_NUMBER > 0x0090800fL
--	struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
--	                                    smp->strm ? smp->strm->si[1].end : NULL);
--
-+	struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+	                                    smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- 	int finished_len;
- 	struct chunk *finished_trash;
- 
--- 
-1.7.10.4
-

net/haproxy/patches/0005-BUG-MEDIUM-h2-always-consume-any-trailing-data-after-end-of-output-buffers.patch

@@ -1,71 +0,0 @@
-From 6fc36785addd45cc76a029a023296def53cff135 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Tue, 27 Feb 2018 15:37:25 +0100
-Subject: [PATCH] BUG/MEDIUM: h2: always consume any trailing data after end
- of output buffers
-
-In case a stream tries to emit more data than advertised by the chunks
-or content-length headers, the extra data remains in the channel's output
-buffer until the channel's timeout expires. It can easily happen when
-sending malformed error files making use of a wrong content-length or
-having extra CRLFs after the empty chunk. It may also be possible to
-forge such a bad response using Lua.
-
-The H1 to H2 encoder must protect itself against this by marking the data
-presented to it as consumed if it decides to discard them, so that the
-sending stream doesn't wait for the timeout to trigger.
-
-The visible effect of this problem is a huge memory usage and a high
-concurrent connection count during benchmarks when using such bad data
-(a typical place where this easily happens).
-
-This fix must be backported to 1.8.
-
-(cherry picked from commit 35a62705df65632e2717ae0d20a93e0cb3f8f163)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/mux_h2.c |   13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/src/mux_h2.c b/src/mux_h2.c
-index caae041..4303a06 100644
---- a/src/mux_h2.c
-+++ b/src/mux_h2.c
-@@ -3020,6 +3020,9 @@ static int h2s_frt_make_resp_headers(struct h2s *h2s, struct buffer *buf)
- 	 * body or directly end in TRL2.
- 	 */
- 	if (es_now) {
-+		// trim any possibly pending data (eg: inconsistent content-length)
-+		bo_del(buf, buf->o);
-+
- 		h1m->state = HTTP_MSG_DONE;
- 		h2s->flags |= H2_SF_ES_SENT;
- 		if (h2s->st == H2_SS_OPEN)
-@@ -3269,8 +3272,12 @@ static int h2s_frt_make_resp_data(struct h2s *h2s, struct buffer *buf)
- 		else
- 			h2c_stream_close(h2c, h2s);
- 
--		if (!(h1m->flags & H1_MF_CHNK))
-+		if (!(h1m->flags & H1_MF_CHNK)) {
-+			// trim any possibly pending data (eg: inconsistent content-length)
-+			bo_del(buf, buf->o);
-+
- 			h1m->state = HTTP_MSG_DONE;
-+		}
- 
- 		h2s->flags |= H2_SF_ES_SENT;
- 	}
-@@ -3319,6 +3326,10 @@ static int h2_snd_buf(struct conn_stream *cs, struct buffer *buf, int flags)
- 			}
- 			total += count;
- 			bo_del(buf, count);
-+
-+			// trim any possibly pending data (eg: extra CR-LF, ...)
-+			bo_del(buf, buf->o);
-+
- 			h2s->res.state = HTTP_MSG_DONE;
- 			break;
- 		}
--- 
-1.7.10.4
-

net/haproxy/patches/0006-BUG-MEDIUM-buffer-Fix-the-wrapping-case-in-bo_putblk.patch

@@ -1,33 +0,0 @@
-From fefb8592821ff0fa56f435c581d6e92e563e7ad7 Mon Sep 17 00:00:00 2001
-From: Christopher Faulet <cfaulet@haproxy.com>
-Date: Mon, 26 Feb 2018 10:47:03 +0100
-Subject: [PATCH] BUG/MEDIUM: buffer: Fix the wrapping case in bo_putblk
-
-When the block of data need to be split to support the wrapping, the start of
-the second block of data was wrong. We must be sure to skip data copied during
-the first memcpy.
-
-This patch must be backported to 1.8, 1.7, 1.6 and 1.5.
-
-(cherry picked from commit b2b279464c5c0f3dfadf02333e06eb0ae8ae8793)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- include/common/buffer.h |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/common/buffer.h b/include/common/buffer.h
-index 976085e..ae9aafd 100644
---- a/include/common/buffer.h
-+++ b/include/common/buffer.h
-@@ -468,7 +468,7 @@ static inline int bo_putblk(struct buffer *b, const char *blk, int len)
- 	memcpy(b->p, blk, half);
- 	b->p = b_ptr(b, half);
- 	if (len > half) {
--		memcpy(b->p, blk, len - half);
-+		memcpy(b->p, blk + half, len - half);
- 		b->p = b_ptr(b, half);
- 	}
- 	b->o += len;
--- 
-1.7.10.4
-

net/haproxy/patches/0007-BUG-MEDIUM-buffer-Fix-the-wrapping-case-in-bi_putblk.patch

@@ -1,33 +0,0 @@
-From 14f325000b91649b9d117c4d53d6b194ed3c7b11 Mon Sep 17 00:00:00 2001
-From: Christopher Faulet <cfaulet@haproxy.com>
-Date: Mon, 26 Feb 2018 10:51:28 +0100
-Subject: [PATCH] BUG/MEDIUM: buffer: Fix the wrapping case in bi_putblk
-
-When the block of data need to be split to support the wrapping, the start of
-the second block of data was wrong. We must be sure to skup data copied during
-the first memcpy.
-
-This patch must be backported to 1.8.
-
-(cherry picked from commit ca6ef506610e9d78f99b7ab2095ce0f8a47e18df)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- include/common/buffer.h |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/common/buffer.h b/include/common/buffer.h
-index ae9aafd..0e63913 100644
---- a/include/common/buffer.h
-+++ b/include/common/buffer.h
-@@ -577,7 +577,7 @@ static inline int bi_putblk(struct buffer *b, const char *blk, int len)
- 
- 	memcpy(bi_end(b), blk, half);
- 	if (len > half)
--		memcpy(b_ptr(b, b->i + half), blk, len - half);
-+		memcpy(b_ptr(b, b->i + half), blk + half, len - half);
- 	b->i += len;
- 	return len;
- }
--- 
-1.7.10.4
-

net/haproxy/patches/0008-BUG-MEDIUM-h2-also-arm-the-h2-timeout-when-sending.patch

@@ -1,46 +0,0 @@
-From ccfb5d755f1708f890b197375d962d8c938e78bd Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Mon, 5 Mar 2018 16:10:54 +0100
-Subject: [PATCH] BUG/MEDIUM: h2: also arm the h2 timeout when sending
-
-Right now the h2 idle timeout is only set when there is no stream. If we
-fail to send because the socket buffers are full (generally indicating
-the client has left), we also need to arm it so that we can properly
-expire such connections, otherwise some failed transfers might leave
-H2 connections pending forever.
-
-Thanks to Thierry Fournier for the diag and the traces.
-
-This patch needs to be backported to 1.8.
-
-(cherry picked from commit 84b118f3120b3c61156f0ada12ae6456bd1a0b5a)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/mux_h2.c |    4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/mux_h2.c b/src/mux_h2.c
-index 4303a06..5446fd4 100644
---- a/src/mux_h2.c
-+++ b/src/mux_h2.c
-@@ -2329,7 +2329,7 @@ static int h2_wake(struct connection *conn)
- 	}
- 
- 	if (h2c->task) {
--		if (eb_is_empty(&h2c->streams_by_id)) {
-+		if (eb_is_empty(&h2c->streams_by_id) || h2c->mbuf->o) {
- 			h2c->task->expire = tick_add(now_ms, h2c->last_sid < 0 ? h2c->timeout : h2c->shut_timeout);
- 			task_queue(h2c->task);
- 		}
-@@ -2501,7 +2501,7 @@ static void h2_detach(struct conn_stream *cs)
- 			h2_release(h2c->conn);
- 		}
- 		else if (h2c->task) {
--			if (eb_is_empty(&h2c->streams_by_id)) {
-+			if (eb_is_empty(&h2c->streams_by_id) || h2c->mbuf->o) {
- 				h2c->task->expire = tick_add(now_ms, h2c->last_sid < 0 ? h2c->timeout : h2c->shut_timeout);
- 				task_queue(h2c->task);
- 			}
--- 
-1.7.10.4
-

net/haproxy/patches/0009-BUG-MEDIUM-fix-a-100-cpu-usage-with-cpu-map-and-nbthread-nbproc.patch

@@ -1,55 +0,0 @@
-From 5149cd3c7abad68ddb19a0a5b3b604786d5f1b95 Mon Sep 17 00:00:00 2001
-From: =?utf8?q?Cyril=20Bont=C3=A9?= <cyril.bonte@free.fr>
-Date: Mon, 12 Mar 2018 21:47:39 +0100
-Subject: [PATCH] BUG/MEDIUM: fix a 100% cpu usage with cpu-map and
- nbthread/nbproc
-
-Krishna Kumar reported a 100% cpu usage with a configuration using
-cpu-map and a high number of threads,
-
-Indeed, this minimal configuration to reproduce the issue :
-  global
-    nbthread 40
-    cpu-map auto:1/1-40 0-39
-
-  frontend test
-    bind :8000
-
-This is due to a wrong type in a shift operator (int vs unsigned long int),
-causing an endless loop while applying the cpu affinity on threads. The same
-issue may also occur with nbproc under FreeBSD. This commit addresses both
-cases.
-
-This patch must be backported to 1.8.
-
-(cherry picked from commit d400ab3a369523538c426cb70e059954c76b69c3)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/haproxy.c |    4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/haproxy.c b/src/haproxy.c
-index 09f7b5e..7d6e019 100644
---- a/src/haproxy.c
-+++ b/src/haproxy.c
-@@ -2838,7 +2838,7 @@ int main(int argc, char **argv)
- 			CPU_ZERO(&cpuset);
- 			while ((i = ffsl(cpu_map)) > 0) {
- 				CPU_SET(i - 1, &cpuset);
--				cpu_map &= ~(1 << (i - 1));
-+				cpu_map &= ~(1UL << (i - 1));
- 			}
- 			ret = cpuset_setaffinity(CPU_LEVEL_WHICH, CPU_WHICH_PID, -1, sizeof(cpuset), &cpuset);
- 		}
-@@ -3038,7 +3038,7 @@ int main(int argc, char **argv)
- 
- 				while ((j = ffsl(cpu_map)) > 0) {
- 					CPU_SET(j - 1, &cpuset);
--					cpu_map &= ~(1 << (j - 1));
-+					cpu_map &= ~(1UL << (j - 1));
- 				}
- 				pthread_setaffinity_np(threads[i],
- 						       sizeof(cpuset), &cpuset);
--- 
-1.7.10.4
-

net/haproxy/patches/0010-BUG-MEDIUM-spoe-Remove-idle-applets-from-idle-list-when-HAProxy-is-stopping.patch

@@ -1,43 +0,0 @@
-From 7034083b5063d28276b986d645d18071aba5f4d5 Mon Sep 17 00:00:00 2001
-From: Christopher Faulet <cfaulet@haproxy.com>
-Date: Wed, 28 Feb 2018 13:33:26 +0100
-Subject: [PATCH] BUG/MEDIUM: spoe: Remove idle applets from idle list when
- HAProxy is stopping
-
-In the SPOE applet's handler, when an applet is switched from the state IDLE to
-PROCESSING, it is removed for the list of idle applets. But when HAProxy is
-stopping, this applet can be switched to DISCONNECT. In this case, we also need
-to remove it from the list of idle applets. Else the applet is removed but still
-present in the list. It could lead to a segmentation fault or an infinite loop,
-depending the code path.
-
-(cherry picked from commit 7d9f1ba246055046eed547fa35aa546683021dce)
-[wt: adapted context for 1.8]
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/flt_spoe.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/flt_spoe.c b/src/flt_spoe.c
-index 8fb6e0b..e76a352 100644
---- a/src/flt_spoe.c
-+++ b/src/flt_spoe.c
-@@ -1866,6 +1866,7 @@ spoe_handle_appctx(struct appctx *appctx)
- 			goto switchstate;
- 
- 		case SPOE_APPCTX_ST_IDLE:
-+			agent->rt[tid].applets_idle--;
- 			if (stopping &&
- 			    LIST_ISEMPTY(&agent->rt[tid].sending_queue) &&
- 			    LIST_ISEMPTY(&SPOE_APPCTX(appctx)->waiting_queue)) {
-@@ -1874,7 +1875,6 @@ spoe_handle_appctx(struct appctx *appctx)
- 				appctx->st0 = SPOE_APPCTX_ST_DISCONNECT;
- 				goto switchstate;
- 			}
--			agent->rt[tid].applets_idle--;
- 			appctx->st0 = SPOE_APPCTX_ST_PROCESSING;
- 			/* fall through */
- 
--- 
-1.7.10.4
-