SERVER-21568 Fix a use after-free

(cherry picked from commit 2d01a566) Conflicts: src/btree/bt_split.c
author: Alex Gorrod <alexander.gorrod@mongodb.com> 2015-11-20 14:42:34 +1100
committer: Alex Gorrod <alexg@wiredtiger.com> 2015-12-02 05:40:57 +0000
commit: 1da2d3a517392d71e13b7ecdeaa97b01a2627d2d (patch)
tree: 5ddb27802573ab2f0a212eae8775412d3b439062 /src/btree/bt_delete.c
parent: 42282959f7d9928552456cf41186f115d412c7ca (diff)
download: mongo-1da2d3a517392d71e13b7ecdeaa97b01a2627d2d.tar.gz
1 files changed, 12 insertions, 0 deletions
diff --git a/src/btree/bt_delete.c b/src/btree/bt_delete.c
index 7313e31267f..e19085830bd 100644
--- a/src/btree/bt_delete.c
+++ b/src/btree/bt_delete.c
@@ -250,6 +250,18 @@ __wt_delete_page_skip(WT_SESSION_IMPL *session, WT_REF *ref, bool visible_all)
 	    __wt_txn_visible_all(session, ref->page_del->txnid) :
 	    __wt_txn_visible(session, ref->page_del->txnid));
 
+	/*
+	 * The page_del structure can be freed as soon as the delete is stable:
+	 * it is only read when the ref state is WT_REF_DELETED.  It is worth
+	 * checking every time we come through because once this is freed, we
+	 * no longer need synchronization to check the ref.
+	 */
+	if (skip && ref->page_del != NULL && (visible_all ||
+	    __wt_txn_visible_all(session, ref->page_del->txnid))) {
+		__wt_free(session, ref->page_del->update_list);
+		__wt_free(session, ref->page_del);
+	}
+
 	WT_PUBLISH(ref->state, WT_REF_DELETED);
 	return (skip);
 }
author	Alex Gorrod <alexander.gorrod@mongodb.com>	2015-11-20 14:42:34 +1100
committer	Alex Gorrod <alexg@wiredtiger.com>	2015-12-02 05:40:57 +0000
commit	1da2d3a517392d71e13b7ecdeaa97b01a2627d2d (patch)
tree	5ddb27802573ab2f0a212eae8775412d3b439062 /src/btree/bt_delete.c
parent	42282959f7d9928552456cf41186f115d412c7ca (diff)
download	mongo-1da2d3a517392d71e13b7ecdeaa97b01a2627d2d.tar.gz