From 76613b539ac5d87d26f8026ec1e2cd11d0583b3d Mon Sep 17 00:00:00 2001 From: John Naylor Date: Fri, 3 Oct 2025 16:05:37 +0700 Subject: [PATCH] Fix reuse-after-free hazard in dead_items_reset In similar vein to commit ccc8194e427, a reset instance of a shared memory TID store happened to occupy the same private memory as the old one for the entry point, since the chunk freed after the last round of index vacuuming was put on the context's freelist. The failure to update the vacrel->dead_items pointer was evident by nudging the system to allocate memory in a different area. This was not discovered at the time of the earlier commit since our regression tests didn't cover multiple index passes with parallel vacuum. Backpatch to v17, when TidStore came in. Author: Kevin Oommen Anish Reviewed-by: Richard Guo Tested-by: Richard Guo Discussion: https://postgr.es/m/199a07cbdfc.7a1c4aac25838.1675074408277594551%40zohocorp.com Backpatch-through: 17 --- src/backend/access/heap/vacuumlazy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/backend/access/heap/vacuumlazy.c b/src/backend/access/heap/vacuumlazy.c index 0fef8e49e2b..8fbaf126756 100644 --- a/src/backend/access/heap/vacuumlazy.c +++ b/src/backend/access/heap/vacuumlazy.c @@ -3562,6 +3562,8 @@ dead_items_reset(LVRelState *vacrel) if (ParallelVacuumIsActive(vacrel)) { parallel_vacuum_reset_dead_items(vacrel->pvs); + vacrel->dead_items = parallel_vacuum_get_dead_items(vacrel->pvs, + &vacrel->dead_items_info); return; } -- 2.47.3
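Review bot: the two added lines in dead_items_reset carry no comment explaining why the pointer must be refreshed, even though the commit message makes the hazard clear: parallel_vacuum_reset_dead_items() tears down the old shared TID store and builds a new one, so the previous vacrel->dead_items value is a dangling pointer that only appeared to work because the new allocation happened to land on the same freed chunk. A one-line comment above the new call, along the lines of "the reset allocates a fresh TID store; the old pointer is now invalid and must be re-fetched", would keep a future refactor from dropping the re-fetch as redundant. Since the message also notes that the regression tests never exercised multiple index-vacuum passes under parallel vacuum, it would be worth adding such a case so the stale-pointer path is actually covered rather than relying on allocator luck to hide or reveal it.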