diff options
| author | John Naylor <john.naylor@postgresql.org> | 2025-10-03 16:05:02 +0700 |
|---|---|---|
| committer | John Naylor <john.naylor@postgresql.org> | 2025-10-03 16:05:02 +0700 |
| commit | 54ab74865147c0051357d23af63314ff5e7332f4 (patch) | |
| tree | be9d62c82eed5c7306f2bda8e637f15281c5e72b | |
| parent | 605bfb7dbe5d952b91b92d8b7b98cef549dab36c (diff) | |
Fix reuse-after-free hazard in dead_items_reset
In similar vein to commit ccc8194e427, a reset instance of a shared
memory TID store happened to occupy the same private memory as the old
one for the entry point, since the chunk freed after the last round
of index vacuuming was put on the context's freelist. The failure
to update the vacrel->dead_items pointer was evident by nudging the
system to allocate memory in a different area. This was not discovered
at the time of the earlier commit since our regression tests didn't
cover multiple index passes with parallel vacuum.
Backpatch to v17, when TidStore came in.
Author: Kevin Oommen Anish <kevin.o@zohocorp.com>
Reviewed-by: Richard Guo <guofenglinux@gmail.com>
Tested-by: Richard Guo <guofenglinux@gmail.com>
Discussion: https://postgr.es/m/199a07cbdfc.7a1c4aac25838.1675074408277594551%40zohocorp.com
Backpatch-through: 17
| -rw-r--r-- | src/backend/access/heap/vacuumlazy.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/backend/access/heap/vacuumlazy.c b/src/backend/access/heap/vacuumlazy.c index 981d9380a92..ab6938d1da1 100644 --- a/src/backend/access/heap/vacuumlazy.c +++ b/src/backend/access/heap/vacuumlazy.c @@ -3567,6 +3567,8 @@ dead_items_reset(LVRelState *vacrel) if (ParallelVacuumIsActive(vacrel)) { parallel_vacuum_reset_dead_items(vacrel->pvs); + vacrel->dead_items = parallel_vacuum_get_dead_items(vacrel->pvs, + &vacrel->dead_items_info); return; } |