MDEV-23222 SIGSEG in maria_create() because of double free

montywi · montywi · commit 14d43f4fa691 · 2020-10-29T18:34:26.000+02:00
The crash happens because a double free in the case CREATE TABLE fails
because there is a conflicting tables on disk.

Fixed by ensuring that the double free can't happen.
diff --git a/mysql-test/suite/maria/create.result b/mysql-test/suite/maria/create.result
@@ -62,5 +62,16 @@ c1
 DROP TABLE t2,t3;
 SET @@SQL_MODE=@org_sql_mode;
 #
+# MDEV-23222 SIGSEGV in maria_status | Assertion `(longlong)
+# thd->status_var.local_memory_used >= 0
+#
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 VALUES (1);
+CREATE TABLE MDEV_23222 (i INT) DATA DIRECTORY = 'MYSQL_TMP_DIR', ENGINE=Aria TRANSACTIONAL=1;;
+flush tables;
+CREATE TABLE MDEV_23222 (i INT) DATA DIRECTORY = 'MYSQL_TMP_DIR', ENGINE=Aria TRANSACTIONAL=1;;
+Got one of the listed errors
+DROP TABLE t1;
+#
 # End of 10.3 tests
 #
diff --git a/mysql-test/suite/maria/create.test b/mysql-test/suite/maria/create.test
@@ -70,6 +70,28 @@ SELECT c1 FROM t3 WHERE (c1) IN (SELECT MIN(DISTINCT c1) FROM t2);
 DROP TABLE t2,t3;
 SET @@SQL_MODE=@org_sql_mode;
 
+--echo #
+--echo # MDEV-23222 SIGSEGV in maria_status | Assertion `(longlong)
+--echo # thd->status_var.local_memory_used >= 0
+--echo #
+
+let $mysqld_datadir= `select @@datadir`;
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 VALUES (1);
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+--eval CREATE TABLE MDEV_23222 (i INT) DATA DIRECTORY = '$MYSQL_TMP_DIR', ENGINE=Aria TRANSACTIONAL=1;
+flush tables;
+--remove_file $mysqld_datadir/test/MDEV_23222.frm
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+--error 1,ER_TABLE_EXISTS_ERROR
+--eval CREATE TABLE MDEV_23222 (i INT) DATA DIRECTORY = '$MYSQL_TMP_DIR', ENGINE=Aria TRANSACTIONAL=1;
+DROP TABLE t1;
+--disable_warnings
+--remove_file $mysqld_datadir/test/MDEV_23222.MAD
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+--remove_file $MYSQL_TMP_DIR/MDEV_23222.MAD
+--enable_warnings
+
 --echo #
 --echo # End of 10.3 tests
 --echo #
diff --git a/storage/maria/ma_create.c b/storage/maria/ma_create.c
@@ -1163,6 +1163,7 @@ int maria_create(const char *name, enum data_file_type datafile_type,
                                   FALSE, TRUE))
       goto err;
     my_free(log_data);
+    log_data= 0;
   }
 
   if (!(flags & HA_DONT_TOUCH_DATA))

Original file line number	Diff line number	Diff line change
`@@ -1163,6 +1163,7 @@ int maria_create(const char *name, enum data_file_type datafile_type,`
`1163`	`1163`	`FALSE, TRUE))`
`1164`	`1164`	`goto err;`
`1165`	`1165`	`my_free(log_data);`
	`1166`	`+ log_data= 0;`
`1166`	`1167`	`}`
`1167`	`1168`
`1168`	`1169`	`if (!(flags & HA_DONT_TOUCH_DATA))`