mariadb/storage/innobase/row
Marko Mäkelä 8677c14e65 MDEV-24391 heap-use-after-free in fil_space_t::flush_low()
We observed a race condition that involved two threads
executing fil_flush_file_spaces() and one thread
executing fil_delete_tablespace(). After one of the
fil_flush_file_spaces() observed that
space.needs_flush_not_stopping() is set and was
releasing the fil_system.mutex, the other fil_flush_file_spaces()
would complete the execution of fil_space_t::flush_low() on
the same tablespace. Then, fil_delete_tablespace() would
destroy the object, because the value of fil_space_t::n_pending
did not prevent that. Finally, the fil_flush_file_spaces() would
resume execution and invoke fil_space_t::flush_low() on the freed
object.

This race condition was introduced in
commit 118e258aaa of MDEV-23855.

fil_space_t::flush(): Add a template parameter that indicates
whether the caller is holding a reference to prevent the
tablespace from being freed.

buf_dblwr_t::flush_buffered_writes_completed(),
row_quiesce_table_start(): Acquire a reference for the duration
of the fil_space_t::flush_low() operation. It should be impossible
for the object to be freed in these code paths, but we want to
satisfy the debug assertions.

fil_space_t::flush_low(): Do not increment or decrement the
reference count, but instead assert that the caller is holding
a reference.

fil_space_extend_must_retry(), fil_flush_file_spaces():
Acquire a reference before releasing fil_system.mutex.
This is what will fix the race condition.
2020-12-11 09:05:26 +02:00
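The following is an added example, not MariaDB's code, that models the interleaving the commit message describes and the "acquire a reference before releasing the mutex" fix. All names (Space, Registry, flush_observe, flush_complete, delete_space, run_interleaving) are hypothetical stand-ins for the InnoDB functions named above. The three threads' steps are run in a fixed order on one thread so the race is deterministic, and nothing is really deallocated: a freed tombstone stands in for the free, so a use-after-free shows up as a counter instead of undefined behaviour.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <mutex>
#include <vector>

// Hypothetical model of a tablespace. 'freed' is a tombstone: the model
// never deallocates, so flush_low() on a "freed" object is observable.
struct Space {
    explicit Space(uint32_t i) : id(i) {}
    uint32_t id;
    uint32_t n_pending = 0;     // references held by in-flight operations
    bool needs_flush = true;
    bool freed = false;
    int flushes_on_freed = 0;   // how often flush_low() ran after the "free"
};

// Hypothetical stand-in for fil_system: one mutex guards the object list.
struct Registry {
    std::mutex mutex;
    std::vector<std::unique_ptr<Space>> spaces;
    std::vector<std::unique_ptr<Space>> graveyard;  // "freed" objects

    Space* find_locked(uint32_t id) {          // caller holds mutex
        for (auto& s : spaces) if (s->id == id) return s.get();
        return nullptr;
    }

    // Stand-in for fil_delete_tablespace(): only frees when no reference
    // is held; otherwise the delete is refused (caller would retry).
    bool delete_space(uint32_t id) {
        std::lock_guard<std::mutex> g(mutex);
        for (auto it = spaces.begin(); it != spaces.end(); ++it) {
            if ((*it)->id != id) continue;
            if ((*it)->n_pending != 0) return false;
            (*it)->freed = true;
            graveyard.push_back(std::move(*it));
            spaces.erase(it);
            return true;
        }
        return false;
    }
};

// Stand-in for flush_low(): runs outside the registry mutex, so it is only
// safe if the caller pins the object with a reference.
void flush_low(Space& s) {
    if (s.freed) ++s.flushes_on_freed;   // the heap-use-after-free
    s.needs_flush = false;
}

// First half of a flush_file_spaces()-style loop: observe needs_flush under
// the mutex, then release it. 'pin' selects the fixed variant, which takes
// a reference before the mutex is released.
Space* flush_observe(Registry& r, uint32_t id, bool pin) {
    std::lock_guard<std::mutex> g(r.mutex);
    Space* s = r.find_locked(id);
    if (!s || !s->needs_flush) return nullptr;
    if (pin) ++s->n_pending;
    return s;
}

// Second half: flush without the mutex, then drop the reference if held.
void flush_complete(Registry& r, Space* s, bool pinned) {
    if (!s) return;
    flush_low(*s);
    if (pinned) {
        std::lock_guard<std::mutex> g(r.mutex);
        --s->n_pending;
    }
}

struct Outcome {
    bool use_after_free;
    bool deleted_while_flush_pending;
    bool deleted_after_flush;
};

// Replays the interleaving from the commit message: A observes and is
// preempted, B observes and flushes, C deletes, A resumes and flushes.
Outcome run_interleaving(bool fixed) {
    Registry r;
    r.spaces.emplace_back(new Space(7));
    Space* a = flush_observe(r, 7, fixed);   // thread A, then preempted
    Space* b = flush_observe(r, 7, fixed);   // thread B
    flush_complete(r, b, fixed);             // B finishes flush_low()
    bool deleted_early = r.delete_space(7);  // thread C
    flush_complete(r, a, fixed);             // A resumes
    bool deleted_late = !deleted_early && r.delete_space(7);
    const Space& s = *r.graveyard.front();
    return Outcome{s.flushes_on_freed > 0, deleted_early, deleted_late};
}

int main() {
    Outcome bug = run_interleaving(false), ok = run_interleaving(true);
    std::printf("unpinned: use-after-free=%d\n", bug.use_after_free);
    std::printf("pinned:   use-after-free=%d, delete deferred=%d\n",
                ok.use_after_free, !ok.deleted_while_flush_pending);
    return 0;
}
```

The point of the model is the ordering inside flush_observe: the reference must be taken while the registry mutex is still held, because that is the only moment when the observing thread knows the object is still alive. Taking it inside flush_low(), as the pre-fix code did, is too late, since the object can be freed between the mutex release and the flush_low() call.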
row0ext.cc Merge 10.3 into 10.4 2020-07-02 07:39:33 +03:00
row0ftsort.cc Merge 10.4 into 10.5 2020-08-21 20:32:04 +03:00
row0import.cc MDEV-23855: Remove fil_system.LRU and reduce fil_system.mutex contention 2020-10-26 17:09:01 +02:00
row0ins.cc Merge 10.4 to 10.5 2020-10-22 17:08:49 +03:00
row0log.cc Merge 10.4 into 10.5 2020-12-02 18:29:49 +02:00
row0merge.cc Cleanup: Fix Intel compiler warnings about sign conversions 2020-11-25 11:32:49 +02:00
row0mysql.cc Merge 10.4 into 10.5 2020-10-30 11:15:30 +02:00
row0purge.cc MDEV-23719: Make lock_sys use page_id_t 2020-09-17 14:08:41 +03:00
row0quiesce.cc MDEV-24391 heap-use-after-free in fil_space_t::flush_low() 2020-12-11 09:05:26 +02:00
row0row.cc MDEV-22593 - InnoDB: don't take trx_sys.mutex in ReadView::open() 2020-05-26 17:11:20 +04:00
row0sel.cc MDEV-24224 Gap lock on delete in 10.5 using READ COMMITTED 2020-11-18 10:27:18 +02:00
row0uins.cc Merge 10.4 into 10.5 2020-12-02 18:29:49 +02:00
row0umod.cc Merge 10.4 into 10.5 2020-12-02 18:29:49 +02:00
row0undo.cc Merge 10.4 to 10.5 2020-10-22 17:08:49 +03:00
row0upd.cc MDEV-23399: Performance regression with write workloads 2020-10-15 17:04:56 +03:00
row0vers.cc Merge 10.4 into 10.5 2020-09-04 18:44:44 +03:00