MDEV-27069: heap-use-after-free in dict_stats_recalc_pool_del()

dr-m · dr-m · commit 14c5178f2545 · 2021-11-18T17:39:39.000+02:00
dict_stats_recalc_pool_del(): Always reposition the iterators after releasing and reacquiring the mutex. Another thread could have modified recalc_pool, causing reallocation of the underlying memory while we were waiting. This fixes a regression that was caused by commit 45a05fd (MDEV-25919).
diff --git a/storage/innobase/dict/dict0stats_bg.cc b/storage/innobase/dict/dict0stats_bg.cc
@@ -216,7 +216,7 @@ void dict_stats_recalc_pool_del(table_id_t id, bool have_mdl_exclusive)
 
   mysql_mutex_lock(&recalc_pool_mutex);
 
-  const auto end= recalc_pool.end();
+  auto end= recalc_pool.end();
   auto i= std::find_if(recalc_pool.begin(), end,
                        [&](const recalc &r){return r.id == id;});
   if (i != end)
@@ -227,7 +227,14 @@ void dict_stats_recalc_pool_del(table_id_t id, bool have_mdl_exclusive)
       {
         i->state= recalc::IN_PROGRESS_DELETING;
         do
+        {
           my_cond_wait(&recalc_pool_cond, &recalc_pool_mutex.m_mutex);
+          end= recalc_pool.end();
+          i= std::find_if(recalc_pool.begin(), end,
+                          [&](const recalc &r){return r.id == id;});
+          if (i == end)
+            goto done;
+        }
         while (i->state == recalc::IN_PROGRESS_DELETING);
       }
       /* fall through */
@@ -241,6 +248,7 @@ void dict_stats_recalc_pool_del(table_id_t id, bool have_mdl_exclusive)
     }
   }
 
+done:
   mysql_mutex_unlock(&recalc_pool_mutex);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -216,7 +216,7 @@ void dict_stats_recalc_pool_del(table_id_t id, bool have_mdl_exclusive)`
`216`	`216`
`217`	`217`	`mysql_mutex_lock(&recalc_pool_mutex);`
`218`	`218`
`219`		`- const auto end= recalc_pool.end();`
	`219`	`+ auto end= recalc_pool.end();`
`220`	`220`	`auto i= std::find_if(recalc_pool.begin(), end,`
`221`	`221`	`[&](const recalc &r){return r.id == id;});`
`222`	`222`	`if (i != end)`
`@@ -227,7 +227,14 @@ void dict_stats_recalc_pool_del(table_id_t id, bool have_mdl_exclusive)`
`227`	`227`	`{`
`228`	`228`	`i->state= recalc::IN_PROGRESS_DELETING;`
`229`	`229`	`do`
	`230`	`+ {`
`230`	`231`	`my_cond_wait(&recalc_pool_cond, &recalc_pool_mutex.m_mutex);`
	`232`	`+ end= recalc_pool.end();`
	`233`	`+ i= std::find_if(recalc_pool.begin(), end,`
	`234`	`+ [&](const recalc &r){return r.id == id;});`
	`235`	`+ if (i == end)`
	`236`	`+ goto done;`
	`237`	`+ }`
`231`	`238`	`while (i->state == recalc::IN_PROGRESS_DELETING);`
`232`	`239`	`}`
`233`	`240`	`/* fall through */`
`@@ -241,6 +248,7 @@ void dict_stats_recalc_pool_del(table_id_t id, bool have_mdl_exclusive)`
`241`	`248`	`}`
`242`	`249`	`}`
`243`	`250`
	`251`	`+done:`
`244`	`252`	`mysql_mutex_unlock(&recalc_pool_mutex);`
`245`	`253`	`}`
`246`	`254`