From: Michael Paquier Date: Wed, 10 Jun 2026 04:49:26 +0000 (+0900) Subject: Fix MarkBufferDirtyHint() to not call GetBufferDescriptor() for local buffers X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=e18b0cb7344cb4bd28468f6c0aeeb9b9241d30aa;p=thirdparty%2Fpostgresql.git Fix MarkBufferDirtyHint() to not call GetBufferDescriptor() for local buffers GetBufferDescriptor() was called before checking if the buffer is local. Such buffers have a negative ID, meaning that we could call GetBufferDescriptor() with a wrapped-around uint32 value causing a potential out-of-bound access to the BufferDescriptors array. This is harmless in the existing code for the current uses of MarkBufferDirtyHint(), but the author has found a way to make that buggy while working on a different patch set, and the order of the operations is wrong. Oversight in 82467f627bd4. No backpatch is required, as this is new to v19. Author: Ashutosh Bapat Discussion: https://postgr.es/m/CAExHW5uzRMYVZsXXS3HXXT0fG_sNrpUhUqwP4NorhaCqH9JDhA@mail.gmail.com --- diff --git a/src/backend/storage/buffer/bufmgr.c b/src/backend/storage/buffer/bufmgr.c index cc398db124d..d6c0cc1f6d4 100644 --- a/src/backend/storage/buffer/bufmgr.c +++ b/src/backend/storage/buffer/bufmgr.c @@ -5831,8 +5831,6 @@ MarkBufferDirtyHint(Buffer buffer, bool buffer_std) { BufferDesc *bufHdr; - bufHdr = GetBufferDescriptor(buffer - 1); - if (!BufferIsValid(buffer)) elog(ERROR, "bad buffer ID: %d", buffer); @@ -5842,6 +5840,8 @@ MarkBufferDirtyHint(Buffer buffer, bool buffer_std) return; } + bufHdr = GetBufferDescriptor(buffer - 1); + MarkSharedBufferDirtyHint(buffer, bufHdr, pg_atomic_read_u64(&bufHdr->state), buffer_std);