Commit c24ef7e9 authored by Magne Mahre's avatar Magne Mahre

Bug#35589 SET PASSWORD caused a crash

Bug#35591 FLUSH PRIVILEGES caused a crash

A race condition on the privilege hash tables (proc_priv_hash
and func_priv_hash) caused one thread to try to delete elements
that had already been deleted by another thread.

The bug was caused by reading and saving the pointers to 
the hash tables outside mutex protection.  This led to an
inconsistency where a thread copied a pointer to a hash,
another thread did the same, the first thread then deleted
the hash, and the second then crashed when it in turn tried to
delete the deleted hash.

The fix is to ensure that operations on the shared hash structures
happens under mutex protection (moving the locking up a little)
parent a92c6c1b
...@@ -3806,11 +3806,11 @@ static my_bool grant_reload_procs_priv(THD *thd) ...@@ -3806,11 +3806,11 @@ static my_bool grant_reload_procs_priv(THD *thd)
DBUG_RETURN(TRUE); DBUG_RETURN(TRUE);
} }
rw_wrlock(&LOCK_grant);
/* Save a copy of the current hash if we need to undo the grant load */ /* Save a copy of the current hash if we need to undo the grant load */
old_proc_priv_hash= proc_priv_hash; old_proc_priv_hash= proc_priv_hash;
old_func_priv_hash= func_priv_hash; old_func_priv_hash= func_priv_hash;
rw_wrlock(&LOCK_grant);
if ((return_val= grant_load_procs_priv(table.table))) if ((return_val= grant_load_procs_priv(table.table)))
{ {
/* Error; Reverting to old hash */ /* Error; Reverting to old hash */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment