author: Jan Lindström <jan.lindstrom@mariadb.com> 2015-07-21 12:12:58 +0300
committer: Jan Lindström <jan.lindstrom@mariadb.com> 2015-07-21 12:12:58 +0300
commit: 7a9670218b2d1b5673432ebf4e0f028a7c963494 (patch)
tree: 20a3f1b93dd71d62dbe869ac3b925eaf4b57eeb0 /storage/innobase
parent: a63d873861c2ed2e1155850ad0d4a48b7bf79a9c (diff)
MDEV-8474: InnoDB sets per-connection data unsafely
Analysis: In the check_trx_exists function, InnoDB allocates a new trx if no trx is found from thd, but this newly allocated trx is not registered to thd. This is unsafe, because nothing prevents the InnoDB plugin from being uninstalled while there's an active transaction. This can cause crashes, hangs and any other odd behavior. It may also corrupt the stack, as function pointers are not available after dlclose.

Fix: The fix is to use thd_set_ha_data() when manipulating per-connection handler data. It does appropriate plugin locking.
Diffstat (limited to 'storage/innobase')
-rw-r--r-- storage/innobase/handler/ha_innodb.cc 1
1 files changed, 1 insertions, 0 deletions
diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc
index 7c17f20ce40..c97b5bfadc2 100644
--- a/storage/innobase/handler/ha_innodb.cc
+++ b/storage/innobase/handler/ha_innodb.cc
@@ -1597,6 +1597,7 @@ check_trx_exists(
if (trx == NULL) {
trx = innobase_trx_allocate(thd);
+ thd_set_ha_data(thd, innodb_hton_ptr, trx);
} else if (UNIV_UNLIKELY(trx->magic_n != TRX_MAGIC_N)) {
mem_analyze_corruption(trx);
ut_error;
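Review bot: The added thd_set_ha_data(thd, innodb_hton_ptr, trx) call in the trx == NULL branch carries no comment saying that it is there for the plugin locking the commit message describes, so a later cleanup could take it for a redundant store and remove it; a one-line comment above the call stating that purpose would protect it. The hunk shows only the registration side, so it is worth confirming that the connection-close path clears the slot through thd_set_ha_data(thd, innodb_hton_ptr, NULL) rather than by writing the per-connection pointer directly, and that any other caller of innobase_trx_allocate() that attaches the trx to thd goes through the same call.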