MDEV-29575 Access to innodb_trx, innodb_locks and innodb_lock_waits along with detached XA's can cause SIGSEGVst-10.6-MDEV-29575-is_crash

trx->mysql_thd can be zeroed-out between thd_get_thread_id() and
thd_query_safe() calls in fill_trx_row(). trx_disconnect_prepared()
zeroes out trx->mysql_thd. And this can cause null pointer dereferencing
in fill_trx_row().

fill_trx_row() is invoked from fetch_data_into_cache(), which, in turns,
iterates transactions with trx_sys.trx_list.for_each() function, which
holds trx_sys.trx_list.mutex during the iteration.

Bug fix is in reseting trx_t::mysql_thd in trx_disconnect_prepared()
under trx_sys.trx_list.mutex lock.

MTR test case can't be created for the fix, as we need to wait for
trx_t::mysql_thd reseting in fill_trx_row() after trx_t::mysql_thd was
checked for null while trx_sys.trx_list.mutex is held. But
trx_t::mysql_thd must be reset in trx_disconnect_prepared() under
trx_sys.trx_list.mutex. There will be deadlock.

1 files changed, 2 insertions, 0 deletions

diff --git a/storage/innobase/trx/trx0trx.cc b/storage/innobase/trx/trx0trx.cc
index 3b19d213d5a..111f8fe5f3a 100644
--- a/storage/innobase/trx/trx0trx.cc
+++ b/storage/innobase/trx/trx0trx.cc
@@ -548,8 +548,10 @@ void trx_disconnect_prepared(trx_t *trx)
   ut_ad(trx->mysql_thd);
   ut_ad(!trx->mysql_log_file_name);
   trx->read_view.close();
+  trx_sys.trx_list.freeze();
   trx->is_recovered= true;
   trx->mysql_thd= NULL;
+  trx_sys.trx_list.unfreeze();
   /* todo/fixme: suggest to do it at innodb prepare */
   trx->will_lock= false;
   trx_sys.rw_trx_hash.put_pins(trx);