From: Robert Haas <rhaas@postgresql.org>
Date: Mon, 6 Mar 2017 17:13:06 +0000 (-0500)
Subject: Fix user-after-free bug.
X-Git-Tag: REL_10_BETA1~777
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7f6fa29f18aa84743185ee7ada97f277459228a7;p=postgresql

Fix user-after-free bug.

Introduced by commit aea5d298362e881b13d95a48c5ae116879237389.

Patch from Amit Kapila.  Issue discovered independently by Amit Kapila
and Ashutosh Sharma.
---

diff --git a/src/backend/postmaster/bgworker.c b/src/backend/postmaster/bgworker.c
index 42760b92bb..10e0f88b0d 100644
--- a/src/backend/postmaster/bgworker.c
+++ b/src/backend/postmaster/bgworker.c
@@ -440,12 +440,14 @@ ReportBackgroundWorkerExit(slist_mutable_iter *cur)
 {
 	RegisteredBgWorker *rw;
 	BackgroundWorkerSlot *slot;
+	int		notify_pid;
 
 	rw = slist_container(RegisteredBgWorker, rw_lnode, cur->cur);
 
 	Assert(rw->rw_shmem_slot < max_worker_processes);
 	slot = &BackgroundWorkerData->slot[rw->rw_shmem_slot];
 	slot->pid = rw->rw_pid;
+	notify_pid = rw->rw_worker.bgw_notify_pid;
 
 	/*
 	 * If this worker is slated for deregistration, do that before notifying
@@ -458,8 +460,8 @@ ReportBackgroundWorkerExit(slist_mutable_iter *cur)
 		rw->rw_worker.bgw_restart_time == BGW_NEVER_RESTART)
 		ForgetBackgroundWorker(cur);
 
-	if (rw->rw_worker.bgw_notify_pid != 0)
-		kill(rw->rw_worker.bgw_notify_pid, SIGUSR1);
+	if (notify_pid != 0)
+		kill(notify_pid, SIGUSR1);
 }
 
 /*