From 5a21306e073ae818e0a7cb68eae1f1e76b664260 Mon Sep 17 00:00:00 2001 
From: Mattias Jonsson Date: Wed, 17 Mar 2010 15:10:41 +0100 Subject: Bug#50561: ALTER PARTITIONS does not have adequate lock, breaks with concurrent I_S query There were two problems: 1) MYSQL_LOCK_IGNORE_FLUSH also ignored name locks 2) there was a race between abort_and_upgrade_locks and alter_close_tables (i.e. remove_table_from_cache and close_data_files_and_morph_locks) This allowed the table to be opened with the MYSQL_LOCK_IGNORE_FLUSH flag, resulting in renaming a partition that was already in use, which could cause the table to be unusable. The solution was to not allow IGNORE_FLUSH to skip waiting for a name-locked table, and to not release the LOCK_open mutex between the calls to remove_table_from_cache and close_data_files_and_morph_locks by merging the functions abort_and_upgrade_locks and alter_close_tables. mysql-test/suite/parts/r/partition_debug_sync_innodb.result: Bug#50561: ALTER PARTITIONS does not have adequate lock, breaks with concurrent I_S query Added test result mysql-test/suite/parts/t/partition_debug_sync_innodb-master.opt: Bug#50561: ALTER PARTITIONS does not have adequate lock, breaks with concurrent I_S query Added test option mysql-test/suite/parts/t/partition_debug_sync_innodb.test: Bug#50561: ALTER PARTITIONS does not have adequate lock, breaks with concurrent I_S query Added test file sql/authors.h: Bug#50561: ALTER PARTITIONS does not have adequate lock, breaks with concurrent I_S query Time to be acknowledged :) sql/ha_partition.cc: Bug#50561: ALTER PARTITIONS does not have adequate lock, breaks with concurrent I_S query Added DEBUG_SYNC for deterministic testing sql/mysql_priv.h: Bug#50561: ALTER PARTITIONS does not have adequate lock, breaks with concurrent I_S query Renamed function since merging alter_close_tables into abort_and_upgrade_lock. sql/sql_base.cc: Bug#50561: ALTER PARTITIONS does not have adequate lock, breaks with concurrent I_S query Changed MYSQL_LOCK_IGNORE_FLUSH to not ignore name locks (open_placeholder).
Merged alter_close_tables into abort_and_upgrade_locks (and added _and_close_table to the name) to not release LOCK_open between remove_table_from_cache and close_data_files_and_morph_locks. Added DEBUG_SYNC for deterministic testing. sql/sql_partition.cc: Bug#50561: ALTER PARTITIONS does not have adequate lock, breaks with concurrent I_S query Removed alter_close_tables, (merged it into abort_and_upgrad_lock) so that LOCK_open never is released between remove_table_from_cache and close_data_files_and_morph_locks. sql/sql_show.cc: Bug#50561: ALTER PARTITIONS does not have adequate lock, breaks with concurrent I_S query Added DEBUG_SYNC for deterministic testing
---
 sql/sql_partition.cc | 38 +++-----------------------------------
 1 file changed, 3 insertions(+), 35 deletions(-)
(limited to 'sql/sql_partition.cc')
diff --git a/sql/sql_partition.cc b/sql/sql_partition.cc
index 395156dcd63..679d23b49ad 100644
--- a/sql/sql_partition.cc
+++ b/sql/sql_partition.cc
@@ -5955,32 +5955,6 @@ static void alter_partition_lock_handling(ALTER_PARTITION_PARAM_TYPE *lpt)
 }
 }
-/*
- Unlock and close table before renaming and dropping partitions
- SYNOPSIS
- alter_close_tables()
- lpt Struct carrying parameters
- RETURN VALUES
- 0
-*/
-
-static int alter_close_tables(ALTER_PARTITION_PARAM_TYPE *lpt)
-{
- THD *thd= lpt->thd;
- const char *db= lpt->db;
- const char *table_name= lpt->table_name;
- DBUG_ENTER("alter_close_tables");
- /*
- We need to also unlock tables and close all handlers.
- We set lock to zero to ensure we don't do this twice
- and we set db_stat to zero to ensure we don't close twice.
- */
- pthread_mutex_lock(&LOCK_open);
- close_data_files_and_morph_locks(thd, db, table_name);
- pthread_mutex_unlock(&LOCK_open);
- DBUG_RETURN(0);
-}
-
 /*
 Handle errors for ALTER TABLE for partitioning
@@ -6278,9 +6252,7 @@ uint fast_alter_partition_table(THD *thd, TABLE *table,
 write_log_drop_partition(lpt) ||
 ERROR_INJECT_CRASH("crash_drop_partition_3") ||
 (not_completed= FALSE) ||
- abort_and_upgrade_lock(lpt) || /* Always returns 0 */
- ERROR_INJECT_CRASH("crash_drop_partition_4") ||
- alter_close_tables(lpt) ||
+ abort_and_upgrade_lock_and_close_table(lpt) ||
 ERROR_INJECT_CRASH("crash_drop_partition_5") ||
 ((!thd->lex->no_write_to_binlog) &&
 (write_bin_log(thd, FALSE,
@@ -6345,9 +6317,7 @@ uint fast_alter_partition_table(THD *thd, TABLE *table,
 ERROR_INJECT_CRASH("crash_add_partition_2") ||
 mysql_change_partitions(lpt) ||
 ERROR_INJECT_CRASH("crash_add_partition_3") ||
- abort_and_upgrade_lock(lpt) || /* Always returns 0 */
- ERROR_INJECT_CRASH("crash_add_partition_4") ||
- alter_close_tables(lpt) ||
+ abort_and_upgrade_lock_and_close_table(lpt) ||
 ERROR_INJECT_CRASH("crash_add_partition_5") ||
 ((!thd->lex->no_write_to_binlog) &&
 (write_bin_log(thd, FALSE,
@@ -6435,9 +6405,7 @@ uint fast_alter_partition_table(THD *thd, TABLE *table,
 write_log_final_change_partition(lpt) ||
 ERROR_INJECT_CRASH("crash_change_partition_4") ||
 (not_completed= FALSE) ||
- abort_and_upgrade_lock(lpt) || /* Always returns 0 */
- ERROR_INJECT_CRASH("crash_change_partition_5") ||
- alter_close_tables(lpt) ||
+ abort_and_upgrade_lock_and_close_table(lpt) ||
 ERROR_INJECT_CRASH("crash_change_partition_6") ||
 ((!thd->lex->no_write_to_binlog) &&
 (write_bin_log(thd, FALSE,
-- cgit v1.2.1
From cd9c0892d93af280065fae302b098ece1908d02e Mon Sep 17 00:00:00 2001
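Review bot: The replacement call `abort_and_upgrade_lock_and_close_table(lpt) ||` drops the `/* Always returns 0 */` annotation the removed line carried, yet the `||` chain still treats a non-zero return as a failure that skips the binlog write, and since the merged function now also closes the data files its error contract is no longer obvious from this site. I would keep a short comment, `abort_and_upgrade_lock_and_close_table(lpt) || /* Always returns 0 */`, if that is still the contract, or otherwise say what a non-zero return means here. The dropped `crash_drop_partition_4` injection point also leaves a gap between `_3` and `_5` in the recovery test sequence; if the lock upgrade and the close are now atomic under LOCK_open, a one-line comment saying so would explain why no crash point is needed in between. The same applies to the two following hunks (`crash_add_partition_4`, `crash_change_partition_5`). fast_alter_partition_table begins and ends outside these hunks.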
From: Alexey Kopytov Date: Fri, 21 May 2010 15:23:48 +0400 Subject: Bug #42064: low memory crash when importing hex strings, in Item_hex_string::Item_hex_string The status of memory allocation in the Lex_input_stream (called from the Parser_state constructor) was not checked which led to a parser crash in case of the out-of-memory error. The solution is to introduce new init() member function in Parser_state and Lex_input_stream so that status of memory allocation can be returned to the caller. mysql-test/r/error_simulation.result: Added a test case for bug #42064. mysql-test/t/error_simulation.test: Added a test case for bug #42064. mysys/my_alloc.c: Added error injection code for the regression test. mysys/my_malloc.c: Added error injection code for the regression test. mysys/safemalloc.c: Added error injection code for the regression test. sql/event_data_objects.cc: Use the new init() member function of Parser_state and check its return value to handle memory allocation failures. sql/mysqld.cc: Added error injection code for the regression test. sql/sp.cc: Use the new init() member function of Parser_state and check its return value to handle memory allocation failures. sql/sql_lex.cc: Moved memory allocation from constructor to the separate init() member function. Added error injection code for the regression test. sql/sql_lex.h: Moved memory allocation from constructor to the separate init() member function. sql/sql_parse.cc: Use the new init() member function of Parser_state and check its return value to handle memory allocation failures. sql/sql_partition.cc: Use the new init() member function of Parser_state and check its return value to handle memory allocation failures. sql/sql_prepare.cc: Use the new init() member function of Parser_state and check its return value to handle memory allocation failures. sql/sql_trigger.cc: Use the new init() member function of Parser_state and check its return value to handle memory allocation failures. 
sql/sql_view.cc: Use the new init() member function of Parser_state and check its return value to handle memory allocation failures.. sql/thr_malloc.cc: Added error injection code for the regression test.
---
 sql/sql_partition.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'sql/sql_partition.cc')
diff --git a/sql/sql_partition.cc b/sql/sql_partition.cc
index 679d23b49ad..122ae661046 100644
--- a/sql/sql_partition.cc
+++ b/sql/sql_partition.cc
@@ -3892,7 +3892,9 @@ bool mysql_unpack_partition(THD *thd,
 thd->lex= &lex;
 thd->variables.character_set_client= system_charset_info;
- Parser_state parser_state(thd, part_buf, part_info_len);
+ Parser_state parser_state;
+ if (parser_state.init(thd, part_buf, part_info_len))
+ goto end;
 lex_start(thd);
 *work_part_info_used= false;
-- cgit v1.2.1
From d7ad4352a1995b56693dea87135bb3107b917b91 Mon Sep 17 00:00:00 2001
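Review bot: The new `goto end;` taken when `parser_state.init()` fails returns whatever the function's result variable holds at that point; unless it is initialised to the error value before this line, an allocation failure would be reported to the caller as success. The hunk shows neither the `end:` label nor that initialisation, so please confirm the error path there, and that either `init()` or the code at `end:` raises the out-of-memory error so the failure is not silent. A comment at the goto such as `/* init() fails only on OOM; the error has already been reported */` (adjusted to what init() actually does) would make the contract explicit. mysql_unpack_partition starts and ends outside the hunk.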
From: unknown Date: Thu, 29 Jul 2010 11:00:57 +0800 Subject: BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave /*![:version:] Query Code */, where [:version:] is a sequence of 5 digits representing the mysql server version (e.g. /*!50200 ... */), is a special comment whose enclosed query is executed on those servers whose version is larger than the version appearing in the comment. This leads to a security issue when the slave's version is larger than the master's. A malicious user can escalate their privileges on slaves: because the slave SQL thread runs with SUPER privileges, it can execute queries for which the user has no privileges on the master. This bug is fixed with the logic below: - To replace '!' with ' ' in the magic comments which are not applied on master. So they become common comments and will not be applied on slave. - Example: 'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/ will be binlogged as 'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /* 99999 ,(3)*/ mysql-test/suite/rpl/t/rpl_conditional_comments.test: Test the patch for this bug. sql/mysql_priv.h: Rename inBuf as rawBuf and remove the const limitation. sql/sql_lex.cc: To replace '!' with ' ' in the magic comments which are not applied on master. sql/sql_lex.h: Remove the const limitation on parameter buff, as it can be modified in the function since this patch. Add member function yyUnput for Lex_input_stream. It puts a character back into the query buffer. sql/sql_parse.cc: Rename inBuf as rawBuf and remove the const limitation. sql/sql_partition.cc: Remove the const limitation on parameter part_buff, as it can be modified in the function since this patch. sql/sql_partition.h: Remove the const limitation on parameter part_buff, as it can be modified in the function since this patch. sql/table.h: Remove the const limitation on variable partition_info, as it can be modified since this patch.
---
 sql/sql_partition.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'sql/sql_partition.cc')
diff --git a/sql/sql_partition.cc b/sql/sql_partition.cc
index 122ae661046..76caa2b0c8d 100644
--- a/sql/sql_partition.cc
+++ b/sql/sql_partition.cc
@@ -3876,7 +3876,7 @@ void get_partition_set(const TABLE *table, uchar *buf, const uint index,
 */
 bool mysql_unpack_partition(THD *thd,
- const char *part_buf, uint part_info_len,
+ char *part_buf, uint part_info_len,
 const char *part_state, uint part_state_len,
 TABLE* table, bool is_create_table_ind,
 handlerton *default_db_type,
-- cgit v1.2.1
From dda4eb8c0e157fe39ddec369cbd8bf03d2326968 Mon Sep 17 00:00:00 2001
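Review bot: Dropping `const` from `part_buf` changes the contract of mysql_unpack_partition: per the commit message the lexer may now rewrite the buffer in place (blanking the `!` of version comments), and the caller's storage (`partition_info` in table.h, made non-const by the same commit) is what gets written. The documentation block ending at the `*/` context line just above should say so, e.g. `part_buf  Partition definition text; may be modified in place by the parser (see Bug#49124)`, so that callers do not hand in a shared or read-only string. Whether that buffer is the table share's own copy, and is therefore mutated for every later reader of the share, is not visible in this hunk and is worth confirming.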
From: Michael Widenius Date: Sat, 7 Aug 2010 15:27:23 +0300 Subject: Added extra argument to longlong2str() to make it have same prototype as int2str() Changed to use longlong10_to_str() instead of longlong2str() when base is 10 or -10 as the former is much faster than the latter Changed my_vsnprintf() to use longlong2str instead of int2str() to get rid of warnings and to get support for long pointers even when long is 32 bit. client/mysqltest.cc: longlong2str() -> longlong10_to_str() include/m_string.h: Added extra argument to longlong2str() to make it have same prototype as int2str() mysys/charset.c: Fixed compiler warning mysys/mf_soundex.c: Fixed compiler warning mysys/my_getopt.c: longlong2str() -> longlong10_to_str() sql/create_options.cc: Fixed compiler warning sql/item_strfunc.cc: Added extra argument to longlong2str sql/opt_range.cc: longlong2str() -> longlong10_to_str() sql/partition_info.cc: longlong2str() -> longlong10_to_str() sql/slave.cc: longlong2str() -> longlong10_to_str() sql/sql_bitmap.h: Added extra argument to longlong2str sql/sql_partition.cc: Added extra argument to longlong2str sql/sql_select.cc: longlong2str() -> longlong10_to_str() sql/sql_show.cc: Added extra argument to longlong2str storage/innodb_plugin/handler/ha_innodb.cc: Update to new parameters for longlong2str() storage/maria/ma_dbug.c: longlong2str() -> longlong10_to_str() storage/maria/maria_chk.c: Added extra argument to longlong2str storage/myisam/mi_dbug.c: longlong2str() -> longlong10_to_str() storage/myisam/myisamchk.c: Added extra argument to longlong2str storage/xtradb/handler/ha_innodb.cc: Update to new parameters for longlong2str() strings/longlong2str.c: Added extra argument to longlong2str() to make it have same prototype as int2str() strings/my_vsnprintf.c: Changed my_vsnprintf() to use longlong2str instead of int2str() to get rid of warnings and to get support for long pointers even when long is 32 bit.
Added cast to get rid of compiler warnings
---
 sql/sql_partition.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'sql/sql_partition.cc')
diff --git a/sql/sql_partition.cc b/sql/sql_partition.cc
index 3dae2d1e8b4..6058db4aad4 100644
--- a/sql/sql_partition.cc
+++ b/sql/sql_partition.cc
@@ -1905,7 +1905,7 @@ static int add_int(File fptr, longlong number)
 static int add_uint(File fptr, ulonglong number)
 {
 char buff[32];
- longlong2str(number, buff, 10);
+ longlong2str(number, buff, 10, 1);
 return add_string(fptr, buff);
 }
-- cgit v1.2.1
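Review bot: The added fourth argument in `longlong2str(number, buff, 10, 1);` is a bare magic constant; the Subject says the prototype now mirrors int2str(), whose fourth argument presumably selects upper-case digits and so has no effect in radix 10, and a short comment would spare the reader a trip to m_string.h. The same commit moves other radix-10 callers (partition_info.cc, per the message) to longlong10_to_str() for the speed-up it cites; for consistency `longlong10_to_str((longlong) number, buff, 10);` may fit here as well, provided radix 10 denotes unsigned in that helper — confirm before changing. `buff[32]` comfortably holds a 20-digit ulonglong plus terminator, so the buffer size is fine as is.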