Hello!

On Wed, May 31, 2023 at 01:26:35AM +1000, Mathew Heard wrote:

> I've been going through the threadpool code for native modules in an
> attempt to fix a third party module with what appears to be a
> use-after-free error, looking for inspiration.
>
> I thought I would see a strategy to prevent thread pool tasks that are
> in the queue for processing being freed when the request / connection
> their memory is allocated from is cleared, but I'm not.
>
> For example, there does not appear to be any protection against linux
> sendfile tasks from reading memory allocated from the ngx_connection_t
> if the connection is closed while the task is in the task queue.
>
> Is this correct? Is this a bug?

As long as there is a thread task or an AIO request scheduled, the
request is expected to be blocked with r->blocked, so it won't be
freed.

For sendfile in threads, this is done by ngx_http_copy_thread_handler()
(in src/http/ngx_http_copy_filter_module.c), which is called by
ngx_linux_sendfile_thread() as file->file->thread_handler() when a
sendfile task is queued.

-- 
Maxim Dounin
http://mdounin.ru/
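The "blocked" accounting Maxim describes is easier to reason about in a stripped-down model. The following is an added example, not nginx code: it is a hypothetical request/task-queue pair in which every queued task takes a blocked reference on the request, a close that arrives while tasks are outstanding is deferred, and the last task completion performs the deferred free. The struct names, `queue_task`, `close_request`, `run_one_task` and the sample path are all assumptions made for the illustration; in nginx the equivalent work is done by r->blocked, the thread handler and the request finalization path.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of r->blocked style accounting (added example, not nginx code).
 * A request stays alive while any thread-pool task references it; a close that
 * arrives while blocked is deferred until the last task completes. */

typedef struct request_s {
    int  blocked;   /* tasks queued or running that still reference this request */
    int  closing;   /* a close was requested while tasks were outstanding */
    int  freed;     /* memory would be released here; a flag only, for the demo */
    char path[64];  /* memory a task reads, e.g. the file being sent */
} request_t;

typedef struct task_s {
    request_t     *r;
    struct task_s *next;
} task_t;

typedef struct {
    task_t *head;
    task_t *tail;
} queue_t;

/* Queue a task and take a "blocked" reference, as the thread handler would. */
int queue_task(queue_t *q, request_t *r)
{
    task_t *t = calloc(1, sizeof(*t));
    if (t == NULL) return -1;
    t->r = r;
    r->blocked++;
    if (q->tail) q->tail->next = t; else q->head = t;
    q->tail = t;
    return 0;
}

/* Close path: free only when nothing references the request.
 * Returns 1 if freed now, 0 if the free was deferred. */
int close_request(request_t *r)
{
    r->closing = 1;
    if (r->blocked > 0) return 0;
    r->freed = 1;
    return 1;
}

/* Worker: run one task. Returns -1 if the queue is empty, 0 if the request
 * is still alive afterwards, 1 if this completion freed a closing request. */
int run_one_task(queue_t *q)
{
    task_t    *t = q->head;
    request_t *r;

    if (t == NULL) return -1;
    q->head = t->next;
    if (q->head == NULL) q->tail = NULL;
    r = t->r;
    free(t);

    /* Safe to touch request memory: blocked > 0 kept it alive until now. */
    (void) strlen(r->path);

    r->blocked--;
    if (r->closing && r->blocked == 0) {
        r->freed = 1;               /* the deferred close happens here */
        return 1;
    }
    return 0;
}

/* Scenario: two tasks queued, then the connection is closed while both are
 * pending. Returns how many tasks ran before the request was actually freed
 * (expected 2), or a negative code if the invariant was violated. */
int scenario_close_while_queued(void)
{
    request_t r;
    queue_t   q = { NULL, NULL };
    int       completed = 0;

    memset(&r, 0, sizeof(r));
    strcpy(r.path, "/srv/www/index.html");  /* constructed sample value */

    if (queue_task(&q, &r) != 0 || queue_task(&q, &r) != 0) return -1;
    if (close_request(&r) != 0) return -2;   /* must be deferred, not freed */
    while (!r.freed) {
        if (run_one_task(&q) < 0) return -3; /* queue drained but never freed */
        completed++;
    }
    return completed;
}

/* Scenario: nothing outstanding, so close frees immediately (returns 1). */
int scenario_close_idle(void)
{
    request_t r;
    memset(&r, 0, sizeof(r));
    return close_request(&r);
}

int main(void)
{
    printf("close while queued: %d tasks ran before free\n", scenario_close_while_queued());
    printf("close idle: freed immediately = %d\n", scenario_close_idle());
    return 0;
}
```

The point of the model is the pairing: whoever queues the task increments the count before the task can run, and the decrement on completion is the only place a deferred close may finish. A module that queues a thread task without taking that reference, or that frees request memory on the close path without checking it, is exactly the shape of bug the original question is hunting.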