MDEV-9728 - Hard crash in metadata_lock_info

metadata_lock_info plugin called MDL_context::find_ticket() to obtain lock
duration, which in turn iterates foreign thread private lists. These lists
can be updated by owner thread without protection.

Fixed by iterating threads (instead of MDL locks and tickets) and obtaining
data through APC.

Also fixed mdl_iterate_lock() to initialize iterator under prlock protection.

2 files changed, 3 insertions, 3 deletions

diff --git a/sql/mdl.cc b/sql/mdl.cc
index b94a3710fd1..28d2006b023 100644
--- a/sql/mdl.cc
+++ b/sql/mdl.cc
@@ -706,10 +706,10 @@ static inline int mdl_iterate_lock(MDL_lock *lock,
                                    int (*callback)(MDL_ticket *ticket, void *arg),
                                    void *arg)
 {
-  MDL_lock::Ticket_iterator ticket_it(lock->m_granted);
-  MDL_ticket *ticket;
   int res= 0;
   mysql_prlock_rdlock(&lock->m_rwlock);
+  MDL_lock::Ticket_iterator ticket_it(lock->m_granted);
+  MDL_ticket *ticket;
   while ((ticket= ticket_it++) && !(res= callback(ticket, arg))) /* no-op */;
   mysql_prlock_unlock(&lock->m_rwlock);
   return res;
diff --git a/sql/mdl.h b/sql/mdl.h
index c4d792acd29..ec7b633a67d 100644
--- a/sql/mdl.h
+++ b/sql/mdl.h
@@ -953,7 +953,7 @@ private:
   MDL_context &operator=(MDL_context &rhs);     /* not implemented */
 
   /* metadata_lock_info plugin */
-  friend int i_s_metadata_lock_info_fill_row(MDL_ticket*, void*);
+  friend class Ticket_info;
 };