From 640f42311a72fa82bf7117c2791fc47ceb420361 Mon Sep 17 00:00:00 2001
From: Monty <monty@mariadb.org>
Date: Sat, 20 Feb 2021 14:46:19 +0200
Subject: MDEV-24929 Server crash in thr_multi_unlock or in
 get_schema_tables_result

This was caused by two different bugs:
1) Information_schema tables where not locked by lock_tables, but
   get_lock_data() was not filtering these out. This caused a crash when
   mysql_unlock_some_tables() tried to unlock tables early, including
   not locked information schema tables.

Fixed by not locking SYSTEM_TMP_TABLES

2) In some cases the optimizer will notice that we do not need to read
   the information_schema tables at all. In this case
   join_tab->read_record is not set, which caused a crash in
   get_schema_tables_result()

Fixed by ignoring const tables in get_schema_tables_result()
---
 sql/lock.cc | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

(limited to 'sql/lock.cc')

diff --git a/sql/lock.cc b/sql/lock.cc
index 7dcba179a36..4d055f58242 100644
--- a/sql/lock.cc
+++ b/sql/lock.cc
@@ -727,6 +727,9 @@ static int unlock_external(THD *thd, TABLE **table,uint count)
            - GET_LOCK_STORE_LOCKS : Store lock info in TABLE
            - GET_LOCK_SKIP_SEQUENCES : Ignore sequences (for temporary unlock)
            - GET_LOCK_ON_THD      : Store lock in thd->mem_root
+
+  Temporary tables are not locked (as these are single user), except for
+  TRANSACTIONAL_TMP_TABLES as locking is needed to handle transactions.
 */
 
 MYSQL_LOCK *get_lock_data(THD *thd, TABLE **table_ptr, uint count, uint flags)
@@ -743,8 +746,8 @@ MYSQL_LOCK *get_lock_data(THD *thd, TABLE **table_ptr, uint count, uint flags)
   {
     TABLE *t= table_ptr[i];
     
-    if (t->s->tmp_table != NON_TRANSACTIONAL_TMP_TABLE && 
-        t->s->tmp_table != INTERNAL_TMP_TABLE &&
+    if ((likely(!t->s->tmp_table) ||
+         (t->s->tmp_table == TRANSACTIONAL_TMP_TABLE)) &&
         (!(flags & GET_LOCK_SKIP_SEQUENCES) || t->s->sequence == 0))
     {
       lock_count+= t->file->lock_count();
@@ -772,13 +775,13 @@ MYSQL_LOCK *get_lock_data(THD *thd, TABLE **table_ptr, uint count, uint flags)
 
   for (i=0 ; i < count ; i++)
   {
-    TABLE *table;
+    TABLE *table= table_ptr[i];
     enum thr_lock_type lock_type;
     THR_LOCK_DATA **locks_start;
-    table= table_ptr[i];
-    if (table->s->tmp_table == NON_TRANSACTIONAL_TMP_TABLE ||
-        table->s->tmp_table == INTERNAL_TMP_TABLE ||
-        ((flags & GET_LOCK_SKIP_SEQUENCES) && table->s->sequence))
+
+    if (!((likely(!table->s->tmp_table) ||
+           (table->s->tmp_table == TRANSACTIONAL_TMP_TABLE)) &&
+          (!(flags & GET_LOCK_SKIP_SEQUENCES) || table->s->sequence == 0)))
       continue;
     lock_type= table->reginfo.lock_type;
     DBUG_ASSERT(lock_type != TL_WRITE_DEFAULT && lock_type != TL_READ_DEFAULT);
-- 
cgit v1.2.1