diff options
author | Marko Mäkelä <marko.makela@mariadb.com> | 2021-08-23 17:00:01 +0300 |
---|---|---|
committer | Marko Mäkelä <marko.makela@mariadb.com> | 2021-08-23 17:00:01 +0300 |
commit | c0a84fb9b0367b4cbd0a8e36d7cb219eb5f919e9 (patch) | |
tree | 48d13db9079cb4f0cb6392b8673afc14cf2fa373 | |
parent | 687417e5c57aa4c40573b16da0e40e3be8ba7dae (diff) | |
download | mariadb-git-c0a84fb9b0367b4cbd0a8e36d7cb219eb5f919e9.tar.gz |
MDEV-26465 Race condition in trx_purge_rseg_get_next_history_log()st-10.3-marko
trx_purge_rseg_get_next_history_log(): Fix a race condition that
was introduced in commit e46f76c9749d7758765ba274a212cfc2dcf3eeb8
(MDEV-15912). The buffer pool page contents must not be accessed
while not holding a page latch. The page latch was released by
mtr_t::commit().
This race resulted in an ASAN heap-use-after-poison during a stress test.
-rw-r--r-- | storage/innobase/trx/trx0purge.cc | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/storage/innobase/trx/trx0purge.cc b/storage/innobase/trx/trx0purge.cc index 59d60d204d8..c8f471f1f7a 100644 --- a/storage/innobase/trx/trx0purge.cc +++ b/storage/innobase/trx/trx0purge.cc @@ -1155,15 +1155,16 @@ static void trx_purge_rseg_get_next_history_log( trx_no = mach_read_from_8(log_hdr + TRX_UNDO_TRX_NO); ut_ad(mach_read_from_2(log_hdr + TRX_UNDO_NEEDS_PURGE) <= 1); + const byte needs_purge = log_hdr[TRX_UNDO_NEEDS_PURGE + 1]; - mtr_commit(&mtr); + mtr.commit(); mutex_enter(&purge_sys.rseg->mutex); purge_sys.rseg->last_page_no = static_cast<uint32_t>( prev_log_addr.page); purge_sys.rseg->set_last_commit(prev_log_addr.boffset, trx_no); - purge_sys.rseg->needs_purge = log_hdr[TRX_UNDO_NEEDS_PURGE + 1] != 0; + purge_sys.rseg->needs_purge = needs_purge != 0; /* Purge can also produce events, however these are already ordered in the rollback segment and any user generated event will be greater |