[nginx] Changed ngx_chain_update_chains() to test tag first (ticket #2248).

Maxim Dounin mdounin at mdounin.ru
Tue Nov 16 14:51:25 UTC 2021


details:   https://hg.nginx.org/nginx/rev/84c60a3cd12a
branches:  stable-1.20
changeset: 7969:84c60a3cd12a
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Sat Oct 30 02:39:19 2021 +0300
description:
Changed ngx_chain_update_chains() to test tag first (ticket #2248).

Without this change, aio used with HTTP/2 can result in connection hang,
as observed with "aio threads; aio_write on;" and proxying (ticket #2248).

The problem is that HTTP/2 updates buffers outside of the output filters
(notably, marks them as sent), and then posts a write event to call
output filters.  If a filter does not call the next one for some reason
(for example, because of an AIO operation in progress), this might
result in a state when the owner of a buffer already called
ngx_chain_update_chains() and can reuse the buffer, while the same buffer
is still sitting in the busy chain of some other filter.

In the particular case a buffer was sitting in output chain's ctx->busy,
and was reused by event pipe.  Output chain's ctx->busy was permanently
blocked by it, and this resulted in connection hang.

Fix is to change ngx_chain_update_chains() to skip buffers from other
modules unconditionally, without trying to wait for these buffers to
become empty.

diffstat:

 src/core/ngx_buf.c |  8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diffs (24 lines):

diff -r 5354bf552520 -r 84c60a3cd12a src/core/ngx_buf.c
--- a/src/core/ngx_buf.c	Wed Oct 06 18:01:42 2021 +0300
+++ b/src/core/ngx_buf.c	Sat Oct 30 02:39:19 2021 +0300
@@ -203,16 +203,16 @@ ngx_chain_update_chains(ngx_pool_t *p, n
     while (*busy) {
         cl = *busy;
 
-        if (ngx_buf_size(cl->buf) != 0) {
-            break;
-        }
-
         if (cl->buf->tag != tag) {
             *busy = cl->next;
             ngx_free_chain(p, cl);
             continue;
         }
 
+        if (ngx_buf_size(cl->buf) != 0) {
+            break;
+        }
+
         cl->buf->pos = cl->buf->start;
         cl->buf->last = cl->buf->start;
 


More information about the nginx-devel mailing list