import UBI nginx-1.22.1-8.module+el9.5.0+22073+31039499

This commit is contained in:
eabdullin 2024-11-12 10:25:40 +00:00
parent ee5be62a0b
commit 5013421fd1
3 changed files with 324 additions and 3 deletions

View File

@ -0,0 +1,126 @@
From e0e6437b1f1c723a52ac26a7e700113753331ecd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Thu, 13 Jun 2024 17:44:28 +0200
Subject: [PATCH] defer ENGINE_finish() calls to a cleanup
---
src/event/ngx_event_openssl.c | 51 +++++++++++++++++++++++++++--------
1 file changed, 40 insertions(+), 11 deletions(-)
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index fb05ab9..3e06791 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -16,7 +16,7 @@ typedef struct {
ngx_uint_t engine; /* unsigned engine:1; */
} ngx_openssl_conf_t;
-
+static ngx_int_t ngx_ssl_engine_cleanup(void *data);
static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err,
ngx_str_t *cert, STACK_OF(X509) **chain);
static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool,
@@ -144,6 +144,15 @@ int ngx_ssl_certificate_name_index;
int ngx_ssl_stapling_index;
+static ngx_int_t
+ngx_ssl_engine_cleanup(void *data){
+ ENGINE *e = data;
+
+ ENGINE_finish(e);
+
+ return NGX_OK;
+}
+
ngx_int_t
ngx_ssl_init(ngx_log_t *log)
{
@@ -650,8 +659,9 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
#ifndef OPENSSL_NO_ENGINE
- u_char *p, *last;
- ENGINE *engine;
+ u_char *p, *last;
+ ENGINE *engine;
+ ngx_pool_cleanup_t *cln;
p = cert->data + sizeof("engine:") - 1;
last = (u_char *) ngx_strchr(p, ':');
@@ -676,6 +686,16 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
return NULL;
}
+ cln = ngx_pool_cleanup_add(pool, 0);
+ if (cln == NULL) {
+ *err = "failed to add ENGINE cleanup";
+ ENGINE_free(engine);
+ return NULL;
+ }
+
+ cln->handler = ngx_ssl_engine_cleanup;
+ cln->data = engine;
+
*last++ = ':';
struct {
@@ -689,7 +709,6 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
return NULL;
}
- ENGINE_finish(engine);
ENGINE_free(engine);
/* set chain to null */
@@ -868,11 +887,13 @@ ngx_ssl_pass_phrase_callback(char *buf, int bufsize, int rwflag, void *u)
static EVP_PKEY *
ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_array_t *passwords, ngx_ssl_ppdialog_conf_t *dlg)
{
- BIO *bio;
- EVP_PKEY *pkey;
- ngx_str_t *pwd;
- ngx_uint_t tries;
- pem_password_cb *cb;
+ BIO *bio;
+ EVP_PKEY *pkey;
+ ngx_str_t *pwd;
+ ngx_uint_t tries;
+ pem_password_cb *cb;
+ ngx_pool_cleanup_t *cln;
+
if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
@@ -904,18 +925,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_a
return NULL;
}
+ cln = ngx_pool_cleanup_add(pool, 0);
+ if (cln == NULL) {
+ *err = "failed to add ENGINE cleanup";
+ ENGINE_free(engine);
+ return NULL;
+ }
+
+ cln->handler = ngx_ssl_engine_cleanup;
+ cln->data = engine;
+
*last++ = ':';
pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
if (pkey == NULL) {
*err = "ENGINE_load_private_key() failed";
- ENGINE_finish(engine);
ENGINE_free(engine);
return NULL;
}
- ENGINE_finish(engine);
ENGINE_free(engine);
return pkey;
--
2.44.0

View File

@ -0,0 +1,183 @@
From f3bcc0bcfb6eda3f4874fe2531d546ba724c518c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Wed, 12 Jun 2024 12:49:28 +0200
Subject: [PATCH] Optimized chain link usage
Previously chain links could sometimes be dropped instead of being reused,
which could result in increased memory consumption during long requests.
---
src/core/ngx_output_chain.c | 10 ++++++++--
src/http/modules/ngx_http_grpc_module.c | 5 ++++-
.../modules/ngx_http_gunzip_filter_module.c | 18 ++++++++++++++----
src/http/modules/ngx_http_gzip_filter_module.c | 10 +++++++---
src/http/modules/ngx_http_ssi_filter_module.c | 8 ++++++--
src/http/modules/ngx_http_sub_filter_module.c | 8 ++++++--
6 files changed, 45 insertions(+), 14 deletions(-)
diff --git a/src/core/ngx_output_chain.c b/src/core/ngx_output_chain.c
index 5c3dbe8..4aa1b02 100644
--- a/src/core/ngx_output_chain.c
+++ b/src/core/ngx_output_chain.c
@@ -121,7 +121,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in)
ngx_debug_point();
- ctx->in = ctx->in->next;
+ cl = ctx->in;
+ ctx->in = cl->next;
+
+ ngx_free_chain(ctx->pool, cl);
continue;
}
@@ -207,7 +210,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in)
/* delete the completed buf from the ctx->in chain */
if (ngx_buf_size(ctx->in->buf) == 0) {
- ctx->in = ctx->in->next;
+ cl = ctx->in;
+ ctx->in = cl->next;
+
+ ngx_free_chain(ctx->pool, cl);
}
cl = ngx_alloc_chain_link(ctx->pool);
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
index 53bc547..9f13089 100644
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -1230,7 +1230,7 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in)
ngx_buf_t *b;
ngx_int_t rc;
ngx_uint_t next, last;
- ngx_chain_t *cl, *out, **ll;
+ ngx_chain_t *cl, *out, *ln, **ll;
ngx_http_upstream_t *u;
ngx_http_grpc_ctx_t *ctx;
ngx_http_grpc_frame_t *f;
@@ -1458,7 +1458,10 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in)
last = 1;
}
+ ln = in;
in = in->next;
+
+ ngx_free_chain(r->pool, ln);
}
ctx->in = in;
diff --git a/src/http/modules/ngx_http_gunzip_filter_module.c b/src/http/modules/ngx_http_gunzip_filter_module.c
index c1341f5..5d170a1 100644
--- a/src/http/modules/ngx_http_gunzip_filter_module.c
+++ b/src/http/modules/ngx_http_gunzip_filter_module.c
@@ -333,6 +333,8 @@ static ngx_int_t
ngx_http_gunzip_filter_add_data(ngx_http_request_t *r,
ngx_http_gunzip_ctx_t *ctx)
{
+ ngx_chain_t *cl;
+
if (ctx->zstream.avail_in || ctx->flush != Z_NO_FLUSH || ctx->redo) {
return NGX_OK;
}
@@ -344,8 +346,11 @@ ngx_http_gunzip_filter_add_data(ngx_http_request_t *r,
return NGX_DECLINED;
}
- ctx->in_buf = ctx->in->buf;
- ctx->in = ctx->in->next;
+ cl = ctx->in;
+ ctx->in_buf = cl->buf;
+ ctx->in = cl->next;
+
+ ngx_free_chain(r->pool, cl);
ctx->zstream.next_in = ctx->in_buf->pos;
ctx->zstream.avail_in = ctx->in_buf->last - ctx->in_buf->pos;
@@ -374,6 +379,7 @@ static ngx_int_t
ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r,
ngx_http_gunzip_ctx_t *ctx)
{
+ ngx_chain_t *cl;
ngx_http_gunzip_conf_t *conf;
if (ctx->zstream.avail_out) {
@@ -383,8 +389,12 @@ ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r,
conf = ngx_http_get_module_loc_conf(r, ngx_http_gunzip_filter_module);
if (ctx->free) {
- ctx->out_buf = ctx->free->buf;
- ctx->free = ctx->free->next;
+
+ cl = ctx->free;
+ ctx->out_buf = cl->buf;
+ ctx->free = cl->next;
+
+ ngx_free_chain(r->pool, cl);
ctx->out_buf->flush = 0;
diff --git a/src/http/modules/ngx_http_gzip_filter_module.c b/src/http/modules/ngx_http_gzip_filter_module.c
index b8c5ccc..1d17a6d 100644
--- a/src/http/modules/ngx_http_gzip_filter_module.c
+++ b/src/http/modules/ngx_http_gzip_filter_module.c
@@ -978,10 +978,14 @@ static void
ngx_http_gzip_filter_free_copy_buf(ngx_http_request_t *r,
ngx_http_gzip_ctx_t *ctx)
{
- ngx_chain_t *cl;
+ ngx_chain_t *cl, *ln;
+
+ for (cl = ctx->copied; cl; /* void */) {
+ ln = cl;
+ cl = cl->next;
- for (cl = ctx->copied; cl; cl = cl->next) {
- ngx_pfree(r->pool, cl->buf->start);
+ ngx_pfree(r->pool, ln->buf->start);
+ ngx_free_chain(r->pool, ln);
}
ctx->copied = NULL;
diff --git a/src/http/modules/ngx_http_ssi_filter_module.c b/src/http/modules/ngx_http_ssi_filter_module.c
index 6737965..a55f6e5 100644
--- a/src/http/modules/ngx_http_ssi_filter_module.c
+++ b/src/http/modules/ngx_http_ssi_filter_module.c
@@ -455,9 +455,13 @@ ngx_http_ssi_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
while (ctx->in || ctx->buf) {
if (ctx->buf == NULL) {
- ctx->buf = ctx->in->buf;
- ctx->in = ctx->in->next;
+
+ cl = ctx->in;
+ ctx->buf = cl->buf;
+ ctx->in = cl->next;
ctx->pos = ctx->buf->pos;
+
+ ngx_free_chain(r->pool, cl);
}
if (ctx->state == ssi_start_state) {
diff --git a/src/http/modules/ngx_http_sub_filter_module.c b/src/http/modules/ngx_http_sub_filter_module.c
index 6d3de59..456bb27 100644
--- a/src/http/modules/ngx_http_sub_filter_module.c
+++ b/src/http/modules/ngx_http_sub_filter_module.c
@@ -335,9 +335,13 @@ ngx_http_sub_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
while (ctx->in || ctx->buf) {
if (ctx->buf == NULL) {
- ctx->buf = ctx->in->buf;
- ctx->in = ctx->in->next;
+
+ cl = ctx->in;
+ ctx->buf = cl->buf;
+ ctx->in = cl->next;
ctx->pos = ctx->buf->pos;
+
+ ngx_free_chain(r->pool, cl);
}
if (ctx->buf->flush || ctx->buf->recycled) {
--
2.44.0

View File

@ -56,7 +56,7 @@
Name: nginx
Epoch: 1
Version: 1.22.1
Release: 5%{?dist}.1
Release: 8%{?dist}
Summary: A high performance web server and reverse proxy server
# BSD License (two clause)
@ -114,6 +114,12 @@ Patch6: 0008-add-ssl-pass-phrase-dialog.patch
# security fix - https://issues.redhat.com/browse/RHEL-12737
Patch7: 0009-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch
# downstream patch - https://issues.redhat.com/browse/RHEL-40621
Patch8: 0010-defer-ENGINE_finish-calls-to-a-cleanup.patch
# upstream patch - https://issues.redhat.com/browse/RHEL-40075
Patch9: 0011-Optimized-chain-link-usage.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: gnupg2
@ -626,8 +632,14 @@ fi
%changelog
* Wed May 29 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.22.1-5.1
- Resolves: RHEL-39334 - Nginx seg faults when proxy_ssl_certificate is set
* Tue Jul 16 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.22.1-8
- Resolves: RHEL-49349 - nginx worker processes memory leak
* Thu Jun 13 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.22.1-7
- Resolves: RHEL-40621 - openssl 3.2 ENGINE regression in nginx
* Thu May 23 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.22.1-6
- Resolves: RHEL-32650 - Nginx seg faults when proxy_ssl_certificate is set
* Mon Oct 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 1:1.22.1-5
- Resolves: RHEL-12737 - nginx:1.22/nginx: HTTP/2: Multiple HTTP/2 enabled web