From c0a84fb9b0367b4cbd0a8e36d7cb219eb5f919e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20M=C3=A4kel=C3=A4?= Date: Mon, 23 Aug 2021 17:00:01 +0300 Subject: MDEV-26465 Race condition in trx_purge_rseg_get_next_history_log() trx_purge_rseg_get_next_history_log(): Fix a race condition that was introduced in commit e46f76c9749d7758765ba274a212cfc2dcf3eeb8 (MDEV-15912). The buffer pool page contents must not be accessed while not holding a page latch. The page latch was released by mtr_t::commit(). This race resulted in an ASAN heap-use-after-poison during a stress test.
---
storage/innobase/trx/trx0purge.cc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/storage/innobase/trx/trx0purge.cc b/storage/innobase/trx/trx0purge.cc
index 59d60d204d8..c8f471f1f7a 100644
--- a/storage/innobase/trx/trx0purge.cc
+++ b/storage/innobase/trx/trx0purge.cc
@@ -1155,15 +1155,16 @@ static void trx_purge_rseg_get_next_history_log(
 trx_no = mach_read_from_8(log_hdr + TRX_UNDO_TRX_NO);
 ut_ad(mach_read_from_2(log_hdr + TRX_UNDO_NEEDS_PURGE) <= 1);
+ const byte needs_purge = log_hdr[TRX_UNDO_NEEDS_PURGE + 1];
- mtr_commit(&mtr);
+ mtr.commit();
 mutex_enter(&purge_sys.rseg->mutex);
 purge_sys.rseg->last_page_no = static_cast( prev_log_addr.page);
 purge_sys.rseg->set_last_commit(prev_log_addr.boffset, trx_no);
- purge_sys.rseg->needs_purge = log_hdr[TRX_UNDO_NEEDS_PURGE + 1] != 0;
+ purge_sys.rseg->needs_purge = needs_purge != 0;
 /* Purge can also produce events, however these are already ordered in the rollback segment and any user generated event will be greater
-- cgit v1.2.1
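Review bot: The new `needs_purge` local carries no comment saying why it must be read before `mtr.commit()`, so a later cleanup could fold it back into the assignment and reintroduce the unlatched page read. I would add, directly above the declaration, `/* Copy while the page latch is held: log_hdr points into the buffer pool and must not be dereferenced after mtr.commit(). */`. The function body continues past the end of this hunk, so it is worth confirming that no other `log_hdr` dereference remains after the commit; from the visible lines `trx_no` is read beforehand and `prev_log_addr` is used as a value, presumably copied earlier. As a minor style point, the assertion reads the field with `mach_read_from_2()` while the copy takes only the low byte at `TRX_UNDO_NEEDS_PURGE + 1`; that is consistent with the asserted `<= 1` range, but the assertion is debug-only, so release builds rely on the high byte being zero.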