Commit e1addb05 authored by Alexey Botchkov's avatar Alexey Botchkov

Bug#51377 Crash in information_schema / processlist on concurrent DDL workload

    the fill_schema_processlist function accesses THD::query() without proper protection
    so the parallel thread killing can lead to access to the freed meemory.

per-file comments:
  sql/sql_load.cc
Bug#51377      Crash in information_schema / processlist on concurrent DDL workload
    the THD::set_query_inner() call needs to be protected.
    But here we don't need to change the original thd->query() at all.
  sql/sql_show.cc
Bug#51377      Crash in information_schema / processlist on concurrent DDL workload
    protect the THD::query() access with the THD::LOCK_thd_data mutex.
parent 6d701d3e
...@@ -689,12 +689,10 @@ static bool write_execute_load_query_log_event(THD *thd, sql_exchange* ex, ...@@ -689,12 +689,10 @@ static bool write_execute_load_query_log_event(THD *thd, sql_exchange* ex,
strcpy(end, p); strcpy(end, p);
end += pl; end += pl;
thd->set_query_inner(load_data_query, end - load_data_query);
Execute_load_query_log_event Execute_load_query_log_event
e(thd, thd->query(), thd->query_length(), e(thd, load_data_query, end-load_data_query,
(uint) ((char*) fname_start - (char*) thd->query() - 1), (uint) ((char*) fname_start - load_data_query - 1),
(uint) ((char*) fname_end - (char*) thd->query()), (uint) ((char*) fname_end - load_data_query),
(duplicates == DUP_REPLACE) ? LOAD_DUP_REPLACE : (duplicates == DUP_REPLACE) ? LOAD_DUP_REPLACE :
(ignore ? LOAD_DUP_IGNORE : LOAD_DUP_ERROR), (ignore ? LOAD_DUP_IGNORE : LOAD_DUP_ERROR),
transactional_table, FALSE, errcode); transactional_table, FALSE, errcode);
......
...@@ -1991,6 +1991,8 @@ int fill_schema_processlist(THD* thd, TABLE_LIST* tables, COND* cond) ...@@ -1991,6 +1991,8 @@ int fill_schema_processlist(THD* thd, TABLE_LIST* tables, COND* cond)
pthread_mutex_unlock(&mysys_var->mutex); pthread_mutex_unlock(&mysys_var->mutex);
/* INFO */ /* INFO */
/* Lock THD mutex that protects its data when looking at it. */
pthread_mutex_lock(&tmp->LOCK_thd_data);
if (tmp->query()) if (tmp->query())
{ {
table->field[7]->store(tmp->query(), table->field[7]->store(tmp->query(),
...@@ -1998,6 +2000,7 @@ int fill_schema_processlist(THD* thd, TABLE_LIST* tables, COND* cond) ...@@ -1998,6 +2000,7 @@ int fill_schema_processlist(THD* thd, TABLE_LIST* tables, COND* cond)
tmp->query_length()), cs); tmp->query_length()), cs);
table->field[7]->set_notnull(); table->field[7]->set_notnull();
} }
pthread_mutex_unlock(&tmp->LOCK_thd_data);
if (schema_table_store_record(thd, table)) if (schema_table_store_record(thd, table))
{ {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment