From 7f6fa29f18aa84743185ee7ada97f277459228a7 Mon Sep 17 00:00:00 2001
From: Robert Haas
Date: Mon, 6 Mar 2017 12:13:06 -0500
Subject: [PATCH] Fix user-after-free bug. Introduced by commit aea5d298362e881b13d95a48c5ae116879237389. Patch from Amit Kapila. Issue discovered independently by Amit Kapila and Ashutosh Sharma.
---
 src/backend/postmaster/bgworker.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/backend/postmaster/bgworker.c b/src/backend/postmaster/bgworker.c
index 42760b92bb..10e0f88b0d 100644
--- a/src/backend/postmaster/bgworker.c
+++ b/src/backend/postmaster/bgworker.c
@@ -440,12 +440,14 @@ ReportBackgroundWorkerExit(slist_mutable_iter *cur)
 {
 RegisteredBgWorker *rw;
 BackgroundWorkerSlot *slot;
+ int notify_pid;
 rw = slist_container(RegisteredBgWorker, rw_lnode, cur->cur);
 Assert(rw->rw_shmem_slot < max_worker_processes);
 slot = &BackgroundWorkerData->slot[rw->rw_shmem_slot];
 slot->pid = rw->rw_pid;
+ notify_pid = rw->rw_worker.bgw_notify_pid;
 /*
 * If this worker is slated for deregistration, do that before notifying
@@ -458,8 +460,8 @@ ReportBackgroundWorkerExit(slist_mutable_iter *cur)
 rw->rw_worker.bgw_restart_time == BGW_NEVER_RESTART)
 ForgetBackgroundWorker(cur);
- if (rw->rw_worker.bgw_notify_pid != 0)
- kill(rw->rw_worker.bgw_notify_pid, SIGUSR1);
+ if (notify_pid != 0)
+ kill(notify_pid, SIGUSR1);
 }
 /*
--
2.40.0
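Review bot: The new `notify_pid = rw->rw_worker.bgw_notify_pid;` line in the first hunk has no comment saying why the field is copied, so a later edit could again dereference `rw` after `ForgetBackgroundWorker(cur)`. Judging from the commit title, that call can free the `RegisteredBgWorker`, so I would add above the assignment `/* ForgetBackgroundWorker() may free rw; save what we need after it. */`. The second hunk's `kill(notify_pid, SIGUSR1)` relies on the same invariant, since a pid read from freed memory could deliver SIGUSR1 to an unrelated process. The local is declared `int`; if `bgw_notify_pid` is a `pid_t` (its declaration is outside this diff), `pid_t notify_pid;` would match it. The function body spans both hunks, and the lines between them are not shown.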