Fix MarkBufferDirtyHint() to not call GetBufferDescriptor() for local buffers

GetBufferDescriptor() was called before checking if the buffer is local.
Such buffers have a negative ID, meaning that we could call
GetBufferDescriptor() with a wrapped-around uint32 value causing a
potential out-of-bound access to the BufferDescriptors array.

This is harmless in the existing code for the current uses of
MarkBufferDirtyHint(), but the author has found a way to make that
buggy while working on a different patch set, and the order of the
operations is wrong.

Oversight in 82467f627bd4.  No backpatch is required, as this is new to
v19.

Author: Ashutosh Bapat <ashutosh.bapat.oss@gmail.com>
Discussion: https://postgr.es/m/CAExHW5uzRMYVZsXXS3HXXT0fG_sNrpUhUqwP4NorhaCqH9JDhA@mail.gmail.com

diff --git a/src/backend/storage/buffer/bufmgr.c b/src/backend/storage/buffer/bufmgr.c
index cc398db124d7fce8cc67be342ff234692e0a8e23..d6c0cc1f6d489c23a37fa2817ded25fe5082cc4e 100644 (file)
--- a/src/backend/storage/buffer/bufmgr.c
+++ b/src/backend/storage/buffer/bufmgr.c
@@ -5831,8 +5831,6 @@ MarkBufferDirtyHint(Buffer buffer, bool buffer_std)
 {
        BufferDesc *bufHdr;
 
-       bufHdr = GetBufferDescriptor(buffer - 1);
-
        if (!BufferIsValid(buffer))
                elog(ERROR, "bad buffer ID: %d", buffer);
 
@@ -5842,6 +5840,8 @@ MarkBufferDirtyHint(Buffer buffer, bool buffer_std)
                return;
        }
 
+       bufHdr = GetBufferDescriptor(buffer - 1);
+
        MarkSharedBufferDirtyHint(buffer, bufHdr,
                                                          pg_atomic_read_u64(&bufHdr->state),
                                                          buffer_std);