Fix dangling smgr_owner pointer when a fake relcache entry is freed.

A fake relcache entry can "own" a SmgrRelation object, like a regular
relcache entry. But when it was free'd, the owner field in SmgrRelation
was not cleared, so it was left pointing to free'd memory.

Amazingly this apparently hasn't caused crashes in practice, or we would've
heard about it earlier. Andres found this with Valgrind.

Report and fix by Andres Freund, with minor modifications by me. Backpatch
to all supported versions.

diff --git a/src/backend/access/transam/xlogutils.c b/src/backend/access/transam/xlogutils.c
index 99414d98bc4f8c0560b6093d8d001a679872a7e1..e9134be3d3509c70af4406652f1c0289f06f6243 100644 (file)
--- a/src/backend/access/transam/xlogutils.c
+++ b/src/backend/access/transam/xlogutils.c
@@ -444,6 +444,9 @@ CreateFakeRelcacheEntry(RelFileNode rnode)
 void
 FreeFakeRelcacheEntry(Relation fakerel)
 {
+       /* make sure the fakerel is not referenced by the SmgrRelation anymore */
+       if (fakerel->rd_smgr != NULL)
+               smgrclearowner(&fakerel->rd_smgr, fakerel->rd_smgr);
        pfree(fakerel);
 }
 

diff --git a/src/backend/storage/smgr/smgr.c b/src/backend/storage/smgr/smgr.c
index 5dff8b3702ee64c355a050aa76242b99b6eea151..18b972f2c69093662fa8225c278d04ec123b8e8e 100644 (file)
--- a/src/backend/storage/smgr/smgr.c
+++ b/src/backend/storage/smgr/smgr.c
@@ -84,6 +84,7 @@ static SMgrRelation first_unowned_reln = NULL;
 
 /* local function prototypes */
 static void smgrshutdown(int code, Datum arg);
+static void add_to_unowned_list(SMgrRelation reln);
 static void remove_from_unowned_list(SMgrRelation reln);
 
 
@@ -174,9 +175,8 @@ smgropen(RelFileNode rnode, BackendId backend)
                for (forknum = 0; forknum <= MAX_FORKNUM; forknum++)
                        reln->md_fd[forknum] = NULL;
 
-               /* place it at head of unowned list (to make smgrsetowner cheap) */
-               reln->next_unowned_reln = first_unowned_reln;
-               first_unowned_reln = reln;
+               /* it has no owner yet */
+               add_to_unowned_list(reln);
        }
 
        return reln;
@@ -191,7 +191,7 @@ smgropen(RelFileNode rnode, BackendId backend)
 void
 smgrsetowner(SMgrRelation *owner, SMgrRelation reln)
 {
-       /* We don't currently support "disowning" an SMgrRelation here */
+       /* We don't support "disowning" an SMgrRelation here, use smgrclearowner */
        Assert(owner != NULL);
 
        /*
@@ -213,6 +213,40 @@ smgrsetowner(SMgrRelation *owner, SMgrRelation reln)
        *owner = reln;
 }
 
+/*
+ * smgrclearowner() -- Remove long-lived reference to an SMgrRelation object
+ *                                        if one exists
+ */
+void
+smgrclearowner(SMgrRelation *owner, SMgrRelation reln)
+{
+       /* Do nothing if the SMgrRelation object is not owned by the owner */
+       if (reln->smgr_owner != owner)
+               return;
+
+       /* unset the owner's reference */
+       *owner = NULL;
+
+       /* unset our reference to the owner */
+       reln->smgr_owner = NULL;
+
+       add_to_unowned_list(reln);
+}
+
+/*
+ * add_to_unowned_list -- link an SMgrRelation onto the unowned list
+ *
+ * Check remove_from_unowned_list()'s comments for performance
+ * considerations.
+ */
+static void
+add_to_unowned_list(SMgrRelation reln)
+{
+       /* place it at head of the list (to make smgrsetowner cheap) */
+       reln->next_unowned_reln = first_unowned_reln;
+       first_unowned_reln = reln;
+}
+
 /*
  * remove_from_unowned_list -- unlink an SMgrRelation from the unowned list
  *

diff --git a/src/include/storage/smgr.h b/src/include/storage/smgr.h
index 9eccf7671ed99be4c068e3df50a75c21c1ce9e51..d91e9f35d05734ff0ebe9fc5ea3640869e5cc20c 100644 (file)
--- a/src/include/storage/smgr.h
+++ b/src/include/storage/smgr.h
@@ -80,6 +80,7 @@ extern void smgrinit(void);
 extern SMgrRelation smgropen(RelFileNode rnode, BackendId backend);
 extern bool smgrexists(SMgrRelation reln, ForkNumber forknum);
 extern void smgrsetowner(SMgrRelation *owner, SMgrRelation reln);
+extern void smgrclearowner(SMgrRelation *owner, SMgrRelation reln);
 extern void smgrclose(SMgrRelation reln);
 extern void smgrcloseall(void);
 extern void smgrclosenode(RelFileNodeBackend rnode);