diff options
| author | Vlad Lesin <vlad_lesin@mail.ru> | 2022-09-30 19:38:59 +0300 |
|---|---|---|
| committer | Vlad Lesin <vlad_lesin@mail.ru> | 2022-10-03 14:41:06 +0300 |
| commit | c0817dac99c28698dfc2b548d89acf1fb41dc32e (patch) | |
| tree | 757326d78ca319d25587d98a49a379ec38619b87 | |
| parent | dd8833bff0af1b75e007e3db1d18debfb7c4a096 (diff) | |
| download | mariadb-git-c0817dac99c28698dfc2b548d89acf1fb41dc32e.tar.gz | |
MDEV-29575 Access to innodb_trx, innodb_locks and innodb_lock_waits along with detached XA's can cause SIGSEGV
trx->mysql_thd can be zeroed-out between thd_get_thread_id() and
thd_query_safe() calls in fill_trx_row(). trx_disconnect_prepared() zeroes out
trx->mysql_thd. And this can cause null pointer dereferencing in
fill_trx_row().
fill_trx_row() is invoked from fetch_data_into_cache() under trx_sys.mutex.
Bug fix is in reseting trx_t::mysql_thd in trx_disconnect_prepared() under
trx_sys.mutex lock too.
MTR test case can't be created for the fix, as we need to wait for
trx_t::mysql_thd reseting in fill_trx_row() after trx_t::mysql_thd was
checked for null while trx_sys.mutex is held. But trx_t::mysql_thd must be
reset in trx_disconnect_prepared() under trx_sys.mutex. There will be deadlock.
| -rw-r--r-- | storage/innobase/trx/trx0trx.cc | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/storage/innobase/trx/trx0trx.cc b/storage/innobase/trx/trx0trx.cc index b2cfbd9b4e3..7658af76709 100644 --- a/storage/innobase/trx/trx0trx.cc +++ b/storage/innobase/trx/trx0trx.cc @@ -564,8 +564,10 @@ void trx_disconnect_prepared(trx_t *trx) ut_ad(trx_state_eq(trx, TRX_STATE_PREPARED)); ut_ad(trx->mysql_thd); trx->read_view.close(); + mutex_enter(&trx_sys.mutex); trx->is_recovered= true; trx->mysql_thd= NULL; + mutex_exit(&trx_sys.mutex); /* todo/fixme: suggest to do it at innodb prepare */ trx->will_lock= false; } |