Re: Thread Pool memory ownership

Maxim Dounin
May 30, 2023 10:16PM
Hello!

On Wed, May 31, 2023 at 01:26:35AM +1000, Mathew Heard wrote:

> I've been going through the threadpool code for native modules in an
> attempt to fix a third party module with what appears to be a
> use-after-free error looking for inspiration.
>
> I thought I would see a strategy to prevent thread pool tasks that are
> in the queue for processing being freed when the request / connection
> their memory is allocated from is cleared but I'm not.
>
> For example, there does not appear to be any protection
> against linux sendfile tasks from reading memory allocated from the
> ngx_connection_t if the connection is closed while the task is in the
> task queue.
>
> Is this correct? Is this a bug?

As long as there is a thread task or an AIO request scheduled, the
request is expected to be blocked with r->blocked, so it won't be
freed.

For sendfile in threads, this is done by
ngx_http_copy_thread_handler() (in
src/http/ngx_http_copy_filter_module.c), which is called by
ngx_linux_sendfile_thread() as file->file->thread_handler() when a
sendfile task is queued.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
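
The blocking rule described in the reply above, as a simplified single-threaded C model. This is an added example, not nginx source and not code from either poster; `req_t`, `task_t`, `req_close`, `task_post`, `task_run`, `task_done` and `scenario` are hypothetical names, and the retry of the deferred close on completion is a simplification.

```c
/* Simplified single-threaded model of the r->blocked rule; not nginx source.
 * req_t, task_t, req_close, task_post, task_run, task_done are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned  count;    /* references held, in the role of r->count */
    unsigned  blocked;  /* queued thread tasks / AIO, in the role of r->blocked */
    int       freed;    /* model only: set once the memory is released */
    char     *buf;      /* request-owned memory the queued task will read */
} req_t;

typedef struct { req_t *r; size_t seen; } task_t;

/* Close path: release memory only when unreferenced AND not blocked. */
static int req_close(req_t *r) {
    if (r->count) r->count--;
    if (r->count || r->blocked) return 0;      /* deferred, nothing freed */
    free(r->buf);
    r->buf = NULL;
    r->freed = 1;
    return 1;
}

/* Queue side: block the request before a worker can pick the task up. */
static void task_post(task_t *t, req_t *r) { r->blocked++; t->r = r; t->seen = 0; }

/* Worker side: touches request memory, so it must still be alive here. */
static void task_run(task_t *t) { t->seen = strlen(t->r->buf); }

/* Completion on the event loop: unblock, then retry the deferred close. */
static int task_done(task_t *t) { t->r->blocked--; return req_close(t->r); }

/* Constructed scenario: the connection closes while the task is queued. */
static int scenario(void) {
    req_t r = { 1, 0, 0, NULL };
    task_t t;
    r.buf = malloc(6);
    if (r.buf == NULL) return -1;
    memcpy(r.buf, "hello", 6);
    task_post(&t, &r);
    int early = req_close(&r);   /* close arrives first: deferred */
    task_run(&t);                /* buf is still valid */
    int late = task_done(&t);    /* last unblock releases the memory */
    return early == 0 && t.seen == 5 && late == 1 && r.freed == 1;
}

int main(void) { printf("safe=%d\n", scenario()); return 0; }
```

A module that queues a task without the increment in `task_post` would let `req_close` free `buf` before `task_run` reads it, which is the use-after-free pattern the question describes.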