MDEV-26583 SIGSEGV's in spider_get_select_limit_from_select_lex when DELAYED INSERT is usedbb-10.4-MDEV-26583

Spider dereferences a freed select_lex and then results in SIGSEGV.

4 files changed, 86 insertions, 0 deletions

diff --git a/sql/sql_insert.cc b/sql/sql_insert.cc
index 0f454e74a48..460fbba4ac5 100644
--- a/sql/sql_insert.cc
+++ b/sql/sql_insert.cc
@@ -2424,6 +2424,11 @@ bool delayed_get_table(THD *thd, MDL_request *grl_protection_request,
       di->table_list.alias.length= di->table_list.table_name.length= di->thd.query_length();
       di->table_list.db= di->thd.db;
       /*
+        Nulify select_lex because, if the thread that spawned the current one
+        disconnects, the select_lex will point to freed memory.
+      */
+      di->table_list.select_lex= NULL;
+      /*
         We need the tickets so that they can be cloned in
         handle_delayed_insert
       */
diff --git a/storage/spider/mysql-test/spider/bugfix/r/mdev_26583.result b/storage/spider/mysql-test/spider/bugfix/r/mdev_26583.result
new file mode 100644
index 00000000000..0ce268af7e3
--- /dev/null
+++ b/storage/spider/mysql-test/spider/bugfix/r/mdev_26583.result
@@ -0,0 +1,34 @@
+#
+# MDEV-26583 SIGSEGV's in spider_get_select_limit_from_select_lex when DELAYED INSERT is used
+#
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
+connection child2_1;
+CREATE DATABASE auto_test_remote;
+USE auto_test_remote;
+CREATE TABLE tbl_a (
+a INT AUTO_INCREMENT KEY,
+b INT,INDEX i (b)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+connection master_1;
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+CREATE TABLE tbl_a (
+a INT AUTO_INCREMENT KEY,
+b INT,INDEX i (b)
+) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='srv "s_2_1", table "tbl_a"';
+INSERT DELAYED INTO tbl_a VALUES (0,0),(0,0),(0,0);
+connection master_1;
+DROP DATABASE auto_test_local;
+connection child2_1;
+DROP DATABASE auto_test_remote;
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.cnf b/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.cnf
new file mode 100644
index 00000000000..05dfd8a0bce
--- /dev/null
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.cnf
@@ -0,0 +1,3 @@
+!include include/default_mysqld.cnf
+!include ../my_1_1.cnf
+!include ../my_2_1.cnf
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.test b/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.test
new file mode 100644
index 00000000000..e4a2d64ba6d
--- /dev/null
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.test
@@ -0,0 +1,44 @@
+--echo #
+--echo # MDEV-26583 SIGSEGV's in spider_get_select_limit_from_select_lex when DELAYED INSERT is used
+--echo #
+
+--disable_query_log
+--disable_result_log
+--source ../../t/test_init.inc
+--enable_result_log
+--enable_query_log
+
+--connection child2_1
+CREATE DATABASE auto_test_remote;
+USE auto_test_remote;
+
+eval CREATE TABLE tbl_a (
+    a INT AUTO_INCREMENT KEY,
+    b INT,INDEX i (b)
+) $CHILD2_1_ENGINE $CHILD2_1_CHARSET;
+
+--connection master_1
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+
+eval CREATE TABLE tbl_a (
+    a INT AUTO_INCREMENT KEY,
+    b INT,INDEX i (b)
+) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='srv "s_2_1", table "tbl_a"';
+
+INSERT DELAYED INTO tbl_a VALUES (0,0),(0,0),(0,0);
+
+let $wait_condition=select count(*)=3 from tbl_a
+source include/wait_condition.inc;
+
+--connection master_1
+DROP DATABASE auto_test_local;
+
+--connection child2_1
+DROP DATABASE auto_test_remote;
+
+--disable_query_log
+--disable_result_log
+--source ../../t/test_deinit.inc
+--enable_result_log
+--enable_query_log