Commit c0817dac authored by Vlad Lesin

MDEV-29575 Access to innodb_trx, innodb_locks and innodb_lock_waits along with detached XA's can cause SIGSEGV

trx->mysql_thd can be zeroed-out between thd_get_thread_id() and
thd_query_safe() calls in fill_trx_row(). trx_disconnect_prepared() zeroes out
trx->mysql_thd. And this can cause null pointer dereferencing in
fill_trx_row().

fill_trx_row() is invoked from fetch_data_into_cache() under trx_sys.mutex.

Bug fix is in resetting trx_t::mysql_thd in trx_disconnect_prepared() under
trx_sys.mutex lock too.

MTR test case can't be created for the fix, as we need to wait for
trx_t::mysql_thd resetting in fill_trx_row() after trx_t::mysql_thd was
checked for null while trx_sys.mutex is held. But trx_t::mysql_thd must be
reset in trx_disconnect_prepared() under trx_sys.mutex. There will be a deadlock.
parent dd8833bf
...@@ -564,8 +564,10 @@ void trx_disconnect_prepared(trx_t *trx) ...@@ -564,8 +564,10 @@ void trx_disconnect_prepared(trx_t *trx)
ut_ad(trx_state_eq(trx, TRX_STATE_PREPARED)); ut_ad(trx_state_eq(trx, TRX_STATE_PREPARED));
ut_ad(trx->mysql_thd); ut_ad(trx->mysql_thd);
trx->read_view.close(); trx->read_view.close();
mutex_enter(&trx_sys.mutex);
trx->is_recovered= true; trx->is_recovered= true;
trx->mysql_thd= NULL; trx->mysql_thd= NULL;
mutex_exit(&trx_sys.mutex);
/* todo/fixme: suggest to do it at innodb prepare */ /* todo/fixme: suggest to do it at innodb prepare */
trx->will_lock= false; trx->will_lock= false;
} }
......
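Review bot: the new mutex_enter(&trx_sys.mutex) / mutex_exit(&trx_sys.mutex) pair around `trx->is_recovered= true;` and `trx->mysql_thd= NULL;` carries no comment explaining why these two assignments need trx_sys.mutex, so the next person to touch trx_disconnect_prepared() has no local hint that fill_trx_row() reads trx->mysql_thd under the same mutex and relies on it not becoming NULL between its null check and thd_query_safe(). Suggest adding a short comment above mutex_enter, along the lines of "fill_trx_row() reads mysql_thd under trx_sys.mutex; reset it under the same mutex so the field cannot change between its null check and use", and referencing MDEV-29575. The debug assertion `ut_ad(trx->mysql_thd);` at the top of the function stays outside the critical section, which is fine for a field that only this thread clears, but it is worth stating that in the same comment so the asymmetry does not look accidental.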