Re: [HACKERS] possible self-deadlock window after bad ProcessStartupPacket

From: Andres Freund <andres(at)anarazel(dot)de>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Nico Williams <nico(at)cryptonector(dot)com>, Jimmy Yih <jyih(at)pivotal(dot)io>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [HACKERS] possible self-deadlock window after bad ProcessStartupPacket
Date: 2018-07-19 20:36:45
Message-ID: 20180719203645.vzj4yoi5kqmp3hdp@alap3.anarazel.de
Lists: pgsql-hackers

Hi,

On 2018-07-19 16:16:31 -0400, Tom Lane wrote:
> Nico Williams <nico(at)cryptonector(dot)com> writes:
> > I dunno if it is or isn't helpful. But I do know that this must be done
> > in an async-signal-safe way.
>
> I haven't actually heard a convincing reason why that's true. As per
> the previous discussion, if we happen to service the SIGQUIT at an
> unfortunate moment, we might get a deadlock or crash in the backend
> process, and thereby fail to send the message.

That crash could very well be exploitable. Corrupting internal
management state is far from guaranteed to only deadlock or crash
cleanly.

> But we're no worse off in such cases than if we'd not tried to send it
> at all. The only likely penalty is that, in the deadlock case, a few
> seconds will elapse before the postmaster runs out of patience and
> sends SIGKILL.

Which for deterministic failover *IS* a problem.

Greetings,

Andres Freund
