Thread Pool memory ownership

Maxim Dounin mdounin at mdounin.ru
Wed May 31 02:15:24 UTC 2023


Hello!

On Wed, May 31, 2023 at 01:26:35AM +1000, Mathew Heard wrote:

> I've been going through the threadpool code for native modules in an
> attempt to fix a third party module with what appears to be a
> use-after-free error, looking for inspiration.
> 
> I thought I would see a strategy to prevent thread pool tasks that are
> in the queue for processing being freed when the request / connection
> their memory is allocated from is cleared but I'm not.
> 
> For example, there does not appear to be any protection against
> linux sendfile tasks reading memory allocated from the
> ngx_connection_t if the connection is closed while the task is in the
> task queue.
> 
> Is this correct? Is this a bug?

As long as there is a thread task or an AIO request scheduled, the 
request is expected to be blocked with r->blocked, so it won't be 
freed.

For sendfile in threads, this is done by 
ngx_http_copy_thread_handler() (in 
src/http/ngx_http_copy_filter_module.c), which is called by 
ngx_linux_sendfile_thread() as file->file->thread_handler() when a 
sendfile task is queued.

-- 
Maxim Dounin
http://mdounin.ru/
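The ownership rule in the reply above (a request with a queued thread task is kept alive through r->blocked, and the thread handler that queues the task is what sets it) can be shown with a small model. The following is an added example written for this thread, not nginx code: the types `model_request_t`, `model_task_t`, the queue and the `model_*` functions are all hypothetical, and the worker thread is simulated by draining the queue synchronously. It contrasts the protected path, where finalization is deferred while a task is outstanding, with the unprotected path that the original question worries about, where the task runs after the request memory has been released.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the r->blocked ownership rule (not nginx's own code). */

typedef struct model_request_s model_request_t;
typedef struct model_task_s model_task_t;

struct model_task_s {
    model_request_t *request;
    void (*work)(model_task_t *t);   /* body that runs on the worker thread */
    model_task_t *next;
};

struct model_request_s {
    int blocked;            /* outstanding thread tasks, like r->blocked */
    int freed;              /* set once the request memory is released */
    int finalize_pending;   /* finalize was requested while still blocked */
    char buf[32];           /* request-owned memory a task reads */
};

static model_task_t *queue_head, *queue_tail;
static int task_saw_live_request;   /* what the task observed when it ran */

/* Raw enqueue with no ownership bookkeeping: the unprotected path. */
static void model_enqueue(model_request_t *r, model_task_t *t) {
    t->request = r;
    t->next = NULL;
    if (queue_tail) queue_tail->next = t; else queue_head = t;
    queue_tail = t;
}

/* The thread handler's job: block the request before the task is queued. */
static void model_thread_handler(model_request_t *r, model_task_t *t) {
    r->blocked++;
    model_enqueue(r, t);
}

/* Connection/request teardown: must not free while a task may still read r. */
static void model_request_finalize(model_request_t *r) {
    if (r->blocked > 0) {
        r->finalize_pending = 1;    /* defer until the last task completes */
        return;
    }
    r->freed = 1;
    memset(r->buf, 0, sizeof r->buf);   /* simulate the memory going away */
}

/* Task body: reads request-owned memory, records whether it was still valid. */
static void model_copy_work(model_task_t *t) {
    task_saw_live_request = !t->request->freed &&
                            strcmp(t->request->buf, "payload") == 0;
}

/* Simulated worker plus the event-loop completion that follows each task. */
static int model_run_worker(void) {
    int n = 0;
    model_task_t *t;
    while ((t = queue_head) != NULL) {
        queue_head = t->next;
        if (!queue_head) queue_tail = NULL;
        t->work(t);
        model_request_t *r = t->request;
        if (r->blocked > 0) r->blocked--;     /* completion unblocks the request */
        if (r->blocked == 0 && r->finalize_pending) {
            r->finalize_pending = 0;
            model_request_finalize(r);        /* deferred free happens now */
        }
        n++;
    }
    return n;
}

/* Connection closed while the task is queued, blocked honoured: returns 1. */
int model_scenario_protected(void) {
    model_request_t r = {0};
    model_task_t t = {0};
    task_saw_live_request = 0;
    strcpy(r.buf, "payload");
    t.work = model_copy_work;
    model_thread_handler(&r, &t);
    model_request_finalize(&r);            /* deferred: r.freed stays 0 */
    int freed_early = r.freed;
    model_run_worker();
    return !freed_early && task_saw_live_request && r.freed;
}

/* Same sequence but queued without blocking: the task reads freed memory. */
int model_scenario_unprotected(void) {
    model_request_t r = {0};
    model_task_t t = {0};
    task_saw_live_request = 0;
    strcpy(r.buf, "payload");
    t.work = model_copy_work;
    model_enqueue(&r, &t);                 /* bypasses the thread handler */
    model_request_finalize(&r);            /* frees immediately */
    model_run_worker();
    return task_saw_live_request;          /* 0: the task saw a dead request */
}
```

When checking a third-party module for this class of bug, the property to look for is the one the protected path enforces: every queuing site increments the block count before the task becomes visible to a worker, and every completion path decrements it before the request can be finalized.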


More information about the nginx-devel mailing list