@@ -3,7 +3,7 @@

 # LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When

 # updating the binary version, consider updating github.com/docker/libnetwork

 # in vendor.conf accordingly

-LIBNETWORK_COMMIT=3931ba4d815e385ab97093c64477b82f14dadefb

+LIBNETWORK_COMMIT=19279f0492417475b6bfbd0aa529f73e8f178fb5

 install_proxy() {

 	case "$1" in

@@ -35,7 +35,7 @@ github.com/opentracing/opentracing-go 1361b9cd60be79c4c3a7fa9841b3c132e40066a7

 #get libnetwork packages

 # When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy accordingly

-github.com/docker/libnetwork 3931ba4d815e385ab97093c64477b82f14dadefb

+github.com/docker/libnetwork 19279f0492417475b6bfbd0aa529f73e8f178fb5

 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9

 github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80

 github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec

@@ -244,7 +244,15 @@ func (d *driver) DeleteNetwork(nid string) error {

 	}

 	d.Lock()

-	defer d.Unlock()

+	// Only perform a peer flush operation (if required) AFTER unlocking

+	// the driver lock to avoid deadlocking w/ the peerDB.

+	var doPeerFlush bool

+	defer func() {

+		d.Unlock()

+		if doPeerFlush {

+			d.peerFlush(nid)

+		}

+	}()

 	// This is similar to d.network(), but we need to keep holding the lock

 	// until we are done removing this network.

@@ -270,7 +278,7 @@ func (d *driver) DeleteNetwork(nid string) error {

 		}

 	}

 	// flush the peerDB entries

-	d.peerFlush(nid)

+	doPeerFlush = true

 	delete(d.networks, nid)

 	vnis, err := n.releaseVxlanID()

@@ -279,7 +279,7 @@ const ingressChain = "DOCKER-INGRESS"

 var (

 	ingressOnce     sync.Once

-	ingressProxyMu  sync.Mutex

+	ingressMu       sync.Mutex // lock for operations on ingress

 	ingressProxyTbl = make(map[string]io.Closer)

 	portConfigMu    sync.Mutex

 	portConfigTbl   = make(map[PortConfig]int)

@@ -328,6 +328,9 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro

 		addDelOpt = "-D"

 	}

+	ingressMu.Lock()

+	defer ingressMu.Unlock()

+

 	chainExists := iptables.ExistChain(ingressChain, iptables.Nat)

 	filterChainExists := iptables.ExistChain(ingressChain, iptables.Filter)

@@ -497,13 +500,11 @@ func plumbProxy(iPort *PortConfig, isDelete bool) error {

 	portSpec := fmt.Sprintf("%d/%s", iPort.PublishedPort, strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]))

 	if isDelete {

-		ingressProxyMu.Lock()

 		if listener, ok := ingressProxyTbl[portSpec]; ok {

 			if listener != nil {

 				listener.Close()

 			}

 		}

-		ingressProxyMu.Unlock()

 		return nil

 	}

@@ -523,9 +524,7 @@ func plumbProxy(iPort *PortConfig, isDelete bool) error {

 		return err

 	}

-	ingressProxyMu.Lock()

 	ingressProxyTbl[portSpec] = l

-	ingressProxyMu.Unlock()

 	return nil

 }