mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-17 04:22:27 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

lp:910817: Race condition in kill_threads_for_user()

Browse source 
The code was accessing a pointer in a mem_root that might be freed by
another concurrent thread. Fix by moving the access to be done while the
LOCK_thd_data is held, preventing the memory from being freed too early.
This commit is contained in:
unknown 2012-02-10 21:19:12 +01:00
parent 296b450d3b
commit 3d61c1399d
1 changed files with 13 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
sql/sql_parse.cc
View file

@ -7363,13 +7363,23 @@ static uint kill_threads_for_user(THD *thd, LEX_USER *user,
if (!threads_to_kill.is_empty())
{
List_iterator_fast<THD> it(threads_to_kill);
THD *ptr;
while ((ptr= it++))
THD *next_ptr;
THD *ptr= it++;
do
{
ptr->awake(kill_signal);
/*
Careful here: The list nodes are allocated on the memroots of the
THDs to be awakened.
But those THDs may be terminated and deleted as soon as we release
LOCK_thd_data, which will make the list nodes invalid.
Since the operation "it++" dereferences the "next" pointer of the
previous list node, we need to do this while holding LOCK_thd_data.
*/
next_ptr= it++;
pthread_mutex_unlock(&ptr->LOCK_thd_data);
(*rows)++;
}
} while ((ptr= next_ptr));
}
DBUG_RETURN(0);
}