id summary reporter owner description type status priority milestone component version resolution keywords cc uname nginx_version 1782 NULL dereference in ngx_http_upstream.c Antony Dovgal "Nginx workers started to crash recently with the following backtrace: {{{ Program terminated with signal SIGSEGV, Segmentation fault. #0 0x0000000000506193 in ngx_http_upstream_cache_background_update (u=0x85e2450, r=0x864f640) at src/http/ngx_http_upstream.c:1102 1102 src/http/ngx_http_upstream.c: No such file or directory. (gdb) bt #0 0x0000000000506193 in ngx_http_upstream_cache_background_update (u=0x85e2450, r=0x864f640) at src/http/ngx_http_upstream.c:1102 #1 ngx_http_upstream_init_request (r=0x864f640) at src/http/ngx_http_upstream.c:598 #2 0x00000000004f5177 in ngx_http_read_client_request_body (r=r@entry=0x864f640, post_handler=0x503710 ) at src/http/ngx_http_request_body.c:77 #3 0x000000000053cde9 in ngx_http_proxy_handler (r=0x864f640) at src/http/modules/ngx_http_proxy_module.c:973 #4 0x00000000004e4c1f in ngx_http_core_content_phase (r=0x864f640, ph=) at src/http/ngx_http_core_module.c:1176 #5 0x00000000004e350d in ngx_http_core_run_phases (r=0x864f640) at src/http/ngx_http_core_module.c:865 #6 ngx_http_handler (r=r@entry=0x864f640) at src/http/ngx_http_core_module.c:848 #7 0x00000000004ebd17 in ngx_http_process_request (r=0x864f640) at src/http/ngx_http_request.c:1954 #8 0x00000000004ecff0 in ngx_http_process_request_line (rev=0x7f24ba0e4fb0) at src/http/ngx_http_request.c:1054 #9 0x00000000004d2921 in ngx_epoll_process_events (cycle=0x34f8410, timer=, flags=) at src/event/modules/ngx_epoll_module.c:902 #10 0x00000000004c7d08 in ngx_process_events_and_timers (cycle=cycle@entry=0x34f8410) at src/event/ngx_event.c:242 #11 0x00000000004d0025 in ngx_worker_process_cycle (cycle=0x34f8410, data=) at src/os/unix/ngx_process_cycle.c:750 #12 0x00000000004ce7b5 in ngx_spawn_process (cycle=cycle@entry=0x34f8410, proc=0x4cffe0 , data=0x2, name=0xd9da9d ""worker process"", respawn=respawn@entry=2) at src/os/unix/ngx_process.c:199 #13 0x00000000004d13cd in ngx_reap_children (cycle=0x34f8410) at src/os/unix/ngx_process_cycle.c:622 #14 ngx_master_process_cycle (cycle=cycle@entry=0x34f8410) at src/os/unix/ngx_process_cycle.c:175 #15 0x00000000004a413a in main (argc=, argv=) at src/core/nginx.c:382 (gdb) p r $1 = (ngx_http_request_t *) 0x864f640 (gdb) p r.cache $2 = (ngx_http_cache_t *) 0x0 }}} [https://github.com/nginx/nginx/blob/master/src/http/ngx_http_upstream.c#L860 It seems] that r->cache can actually become NULL without r->cached reset to 0, so I believe it makes sense to check r->cache for NULL before dereferencing it. See proposed patch attached." defect closed minor other 1.14.x fixed Linux images3 4.13.6-0.1-default #1 SMP PREEMPT Thu Oct 12 18:24:34 UTC 2017 (5a88d59) x86_64 x86_64 x86_64 GNU/Linux "nginx version: nginx/1.14.1 (20190415_master_66) built with OpenSSL 1.1.1 11 Sep 2018 TLS SNI support enabled configure arguments: --with-debug --prefix=/local/nginx --build=20190415_master_66 --with-openssl=../openssl-1.1.1 --with-pcre=../pcre-8.41 --with-pcre-jit --with-http_stub_status_module --with-http_realip_module --with-http_flv_module --with-http_gzip_static_module --with-http_ssl_module --with-http_v2_module --with-stream"