diff --git a/SOURCES/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch b/SOURCES/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch new file mode 100644 index 0000000..030c34a --- /dev/null +++ b/SOURCES/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch @@ -0,0 +1,126 @@ +From e0e6437b1f1c723a52ac26a7e700113753331ecd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Thu, 13 Jun 2024 17:44:28 +0200 +Subject: [PATCH] defer ENGINE_finish() calls to a cleanup + +--- + src/event/ngx_event_openssl.c | 51 +++++++++++++++++++++++++++-------- + 1 file changed, 40 insertions(+), 11 deletions(-) + +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index fb05ab9..3e06791 100644 +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -16,7 +16,7 @@ typedef struct { + ngx_uint_t engine; /* unsigned engine:1; */ + } ngx_openssl_conf_t; + +- ++static ngx_int_t ngx_ssl_engine_cleanup(void *data); + static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, + ngx_str_t *cert, STACK_OF(X509) **chain); + static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, +@@ -144,6 +144,15 @@ int ngx_ssl_certificate_name_index; + int ngx_ssl_stapling_index; + + ++static ngx_int_t ++ngx_ssl_engine_cleanup(void *data){ ++ ENGINE *e = data; ++ ++ ENGINE_finish(e); ++ ++ return NGX_OK; ++} ++ + ngx_int_t + ngx_ssl_init(ngx_log_t *log) + { +@@ -650,8 +659,9 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, + + #ifndef OPENSSL_NO_ENGINE + +- u_char *p, *last; +- ENGINE *engine; ++ u_char *p, *last; ++ ENGINE *engine; ++ ngx_pool_cleanup_t *cln; + + p = cert->data + sizeof("engine:") - 1; + last = (u_char *) ngx_strchr(p, ':'); +@@ -676,6 +686,16 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, + return NULL; + } + ++ cln = ngx_pool_cleanup_add(pool, 0); ++ if (cln == NULL) { ++ *err = "failed to add ENGINE cleanup"; ++ ENGINE_free(engine); ++ return NULL; ++ } ++ ++ cln->handler = ngx_ssl_engine_cleanup; ++ cln->data = engine; ++ + *last++ = ':'; + + struct { +@@ -689,7 +709,6 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, + return NULL; + } + +- ENGINE_finish(engine); + ENGINE_free(engine); + + /* set chain to null */ +@@ -868,11 +887,13 @@ ngx_ssl_pass_phrase_callback(char *buf, int bufsize, int rwflag, void *u) + static EVP_PKEY * + ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_array_t *passwords, ngx_ssl_ppdialog_conf_t *dlg) + { +- BIO *bio; +- EVP_PKEY *pkey; +- ngx_str_t *pwd; +- ngx_uint_t tries; +- pem_password_cb *cb; ++ BIO *bio; ++ EVP_PKEY *pkey; ++ ngx_str_t *pwd; ++ ngx_uint_t tries; ++ pem_password_cb *cb; ++ ngx_pool_cleanup_t *cln; ++ + + if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) { + +@@ -904,18 +925,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_a + return NULL; + } + ++ cln = ngx_pool_cleanup_add(pool, 0); ++ if (cln == NULL) { ++ *err = "failed to add ENGINE cleanup"; ++ ENGINE_free(engine); ++ return NULL; ++ } ++ ++ cln->handler = ngx_ssl_engine_cleanup; ++ cln->data = engine; ++ + *last++ = ':'; + + pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); + + if (pkey == NULL) { + *err = "ENGINE_load_private_key() failed"; +- ENGINE_finish(engine); + ENGINE_free(engine); + return NULL; + } + +- ENGINE_finish(engine); + ENGINE_free(engine); + + return pkey; +-- +2.44.0 + diff --git a/SOURCES/0011-Optimized-chain-link-usage.patch b/SOURCES/0011-Optimized-chain-link-usage.patch new file mode 100644 index 0000000..afbd7aa --- /dev/null +++ b/SOURCES/0011-Optimized-chain-link-usage.patch @@ -0,0 +1,183 @@ +From f3bcc0bcfb6eda3f4874fe2531d546ba724c518c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Wed, 12 Jun 2024 12:49:28 +0200 +Subject: [PATCH] Optimized chain link usage + +Previously chain links could sometimes be dropped instead of being reused, +which could result in increased memory consumption during long requests. +--- + src/core/ngx_output_chain.c | 10 ++++++++-- + src/http/modules/ngx_http_grpc_module.c | 5 ++++- + .../modules/ngx_http_gunzip_filter_module.c | 18 ++++++++++++++---- + src/http/modules/ngx_http_gzip_filter_module.c | 10 +++++++--- + src/http/modules/ngx_http_ssi_filter_module.c | 8 ++++++-- + src/http/modules/ngx_http_sub_filter_module.c | 8 ++++++-- + 6 files changed, 45 insertions(+), 14 deletions(-) + +diff --git a/src/core/ngx_output_chain.c b/src/core/ngx_output_chain.c +index 5c3dbe8..4aa1b02 100644 +--- a/src/core/ngx_output_chain.c ++++ b/src/core/ngx_output_chain.c +@@ -121,7 +121,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in) + + ngx_debug_point(); + +- ctx->in = ctx->in->next; ++ cl = ctx->in; ++ ctx->in = cl->next; ++ ++ ngx_free_chain(ctx->pool, cl); + + continue; + } +@@ -207,7 +210,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in) + /* delete the completed buf from the ctx->in chain */ + + if (ngx_buf_size(ctx->in->buf) == 0) { +- ctx->in = ctx->in->next; ++ cl = ctx->in; ++ ctx->in = cl->next; ++ ++ ngx_free_chain(ctx->pool, cl); + } + + cl = ngx_alloc_chain_link(ctx->pool); +diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c +index 53bc547..9f13089 100644 +--- a/src/http/modules/ngx_http_grpc_module.c ++++ b/src/http/modules/ngx_http_grpc_module.c +@@ -1230,7 +1230,7 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in) + ngx_buf_t *b; + ngx_int_t rc; + ngx_uint_t next, last; +- ngx_chain_t *cl, *out, **ll; ++ ngx_chain_t *cl, *out, *ln, **ll; + ngx_http_upstream_t *u; + ngx_http_grpc_ctx_t *ctx; + ngx_http_grpc_frame_t *f; +@@ -1458,7 +1458,10 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in) + last = 1; + } + ++ ln = in; + in = in->next; ++ ++ ngx_free_chain(r->pool, ln); + } + + ctx->in = in; +diff --git a/src/http/modules/ngx_http_gunzip_filter_module.c b/src/http/modules/ngx_http_gunzip_filter_module.c +index c1341f5..5d170a1 100644 +--- a/src/http/modules/ngx_http_gunzip_filter_module.c ++++ b/src/http/modules/ngx_http_gunzip_filter_module.c +@@ -333,6 +333,8 @@ static ngx_int_t + ngx_http_gunzip_filter_add_data(ngx_http_request_t *r, + ngx_http_gunzip_ctx_t *ctx) + { ++ ngx_chain_t *cl; ++ + if (ctx->zstream.avail_in || ctx->flush != Z_NO_FLUSH || ctx->redo) { + return NGX_OK; + } +@@ -344,8 +346,11 @@ ngx_http_gunzip_filter_add_data(ngx_http_request_t *r, + return NGX_DECLINED; + } + +- ctx->in_buf = ctx->in->buf; +- ctx->in = ctx->in->next; ++ cl = ctx->in; ++ ctx->in_buf = cl->buf; ++ ctx->in = cl->next; ++ ++ ngx_free_chain(r->pool, cl); + + ctx->zstream.next_in = ctx->in_buf->pos; + ctx->zstream.avail_in = ctx->in_buf->last - ctx->in_buf->pos; +@@ -374,6 +379,7 @@ static ngx_int_t + ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r, + ngx_http_gunzip_ctx_t *ctx) + { ++ ngx_chain_t *cl; + ngx_http_gunzip_conf_t *conf; + + if (ctx->zstream.avail_out) { +@@ -383,8 +389,12 @@ ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r, + conf = ngx_http_get_module_loc_conf(r, ngx_http_gunzip_filter_module); + + if (ctx->free) { +- ctx->out_buf = ctx->free->buf; +- ctx->free = ctx->free->next; ++ ++ cl = ctx->free; ++ ctx->out_buf = cl->buf; ++ ctx->free = cl->next; ++ ++ ngx_free_chain(r->pool, cl); + + ctx->out_buf->flush = 0; + +diff --git a/src/http/modules/ngx_http_gzip_filter_module.c b/src/http/modules/ngx_http_gzip_filter_module.c +index b8c5ccc..1d17a6d 100644 +--- a/src/http/modules/ngx_http_gzip_filter_module.c ++++ b/src/http/modules/ngx_http_gzip_filter_module.c +@@ -978,10 +978,14 @@ static void + ngx_http_gzip_filter_free_copy_buf(ngx_http_request_t *r, + ngx_http_gzip_ctx_t *ctx) + { +- ngx_chain_t *cl; ++ ngx_chain_t *cl, *ln; ++ ++ for (cl = ctx->copied; cl; /* void */) { ++ ln = cl; ++ cl = cl->next; + +- for (cl = ctx->copied; cl; cl = cl->next) { +- ngx_pfree(r->pool, cl->buf->start); ++ ngx_pfree(r->pool, ln->buf->start); ++ ngx_free_chain(r->pool, ln); + } + + ctx->copied = NULL; +diff --git a/src/http/modules/ngx_http_ssi_filter_module.c b/src/http/modules/ngx_http_ssi_filter_module.c +index 6737965..a55f6e5 100644 +--- a/src/http/modules/ngx_http_ssi_filter_module.c ++++ b/src/http/modules/ngx_http_ssi_filter_module.c +@@ -455,9 +455,13 @@ ngx_http_ssi_body_filter(ngx_http_request_t *r, ngx_chain_t *in) + while (ctx->in || ctx->buf) { + + if (ctx->buf == NULL) { +- ctx->buf = ctx->in->buf; +- ctx->in = ctx->in->next; ++ ++ cl = ctx->in; ++ ctx->buf = cl->buf; ++ ctx->in = cl->next; + ctx->pos = ctx->buf->pos; ++ ++ ngx_free_chain(r->pool, cl); + } + + if (ctx->state == ssi_start_state) { +diff --git a/src/http/modules/ngx_http_sub_filter_module.c b/src/http/modules/ngx_http_sub_filter_module.c +index 6d3de59..456bb27 100644 +--- a/src/http/modules/ngx_http_sub_filter_module.c ++++ b/src/http/modules/ngx_http_sub_filter_module.c +@@ -335,9 +335,13 @@ ngx_http_sub_body_filter(ngx_http_request_t *r, ngx_chain_t *in) + while (ctx->in || ctx->buf) { + + if (ctx->buf == NULL) { +- ctx->buf = ctx->in->buf; +- ctx->in = ctx->in->next; ++ ++ cl = ctx->in; ++ ctx->buf = cl->buf; ++ ctx->in = cl->next; + ctx->pos = ctx->buf->pos; ++ ++ ngx_free_chain(r->pool, cl); + } + + if (ctx->buf->flush || ctx->buf->recycled) { +-- +2.44.0 + diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index 601bc9f..7b8dd2a 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec @@ -56,7 +56,7 @@ Name: nginx Epoch: 1 Version: 1.24.0 -Release: 1%{?dist}.1 +Release: 4%{?dist} Summary: A high performance web server and reverse proxy server # BSD License (two clause) @@ -114,6 +114,12 @@ Patch6: 0008-add-ssl-pass-phrase-dialog.patch # security fix - https://issues.redhat.com/browse/RHEL-12737 Patch7: 0009-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch +# downstream patch - https://issues.redhat.com/browse/RHEL-40621 +Patch8: 0010-defer-ENGINE_finish-calls-to-a-cleanup.patch + +# upstream patch - https://issues.redhat.com/browse/RHEL-40075 +Patch9: 0011-Optimized-chain-link-usage.patch + BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 @@ -626,8 +632,14 @@ fi %changelog -* Wed May 29 2024 Luboš Uhliarik - 1:1.24.0-1.1 -- Resolves: RHEL-39333 - Nginx seg faults when proxy_ssl_certificate is set +* Tue Jul 16 2024 Luboš Uhliarik - 1:1.24.0-4 +- Resolves: RHEL-49350 - nginx worker processes memory leak + +* Thu Jun 13 2024 Luboš Uhliarik - 1:1.24.0-3 +- Resolves: RHEL-40622 - openssl 3.2 ENGINE regression in nginx + +* Thu May 23 2024 Luboš Uhliarik - 1:1.24.0-2 +- Resolves: RHEL-38498 - Nginx seg faults when proxy_ssl_certificate is set * Thu Jan 18 2024 Luboš Uhliarik - 1:1.24.0-1 - new version 1.24.0