MDEV-26158 SIGSEGV in spider_free_mem from ha_spider::open on INSERT

nayuta-yanagisawa · nayuta-yanagisawa · commit e7208bd93445 · 2021-10-19T19:04:05.000+09:00
The server crashes due to passing NULL to spider_free().

In some cases, this == pt_handler_share_handlers[0] at the label
error_get_share in ha_spider::open().

In such cases, to nullify pt_handler_share_handlers[0]-&gt;wide_handler
is nothing but to nullify this-&gt;wide_handler. We should not do this
before freeing this-&gt;wide_handler.
diff --git a/storage/spider/ha_spider.cc b/storage/spider/ha_spider.cc
@@ -659,13 +659,13 @@ int ha_spider::open(
 error_get_share:
   if (wide_handler_alloc)
   {
+    spider_free(spider_current_trx, wide_handler, MYF(0));
 #ifdef WITH_PARTITION_STORAGE_ENGINE
     if (pt_handler_share_handlers)
     {
       pt_handler_share_handlers[0]->wide_handler = NULL;
     }
 #endif
-    spider_free(spider_current_trx, wide_handler, MYF(0));
     spider->wide_handler = NULL;
     owner->wide_handler = NULL;
     owner->wide_handler_owner = FALSE;
diff --git a/storage/spider/mysql-test/spider/bugfix/r/mdev_26158.result b/storage/spider/mysql-test/spider/bugfix/r/mdev_26158.result
@@ -0,0 +1,27 @@
+#
+# MDEV-26158 SIGSEGV in spider_free_mem from ha_spider::open on INSERT
+#
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
+connection master_1;
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+CREATE TABLE t (
+c INT
+) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='table "tbl_a"'
+PARTITION BY LIST COLUMNS(`c`) (
+PARTITION `pt1` DEFAULT COMMENT = 'srv "s_2_1"'
+);
+INSERT INTO t SELECT * FROM t;
+ERROR 42000: Unknown database 'auto_test_remote'
+DROP DATABASE auto_test_local;
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_26158.cnf b/storage/spider/mysql-test/spider/bugfix/t/mdev_26158.cnf
@@ -0,0 +1,3 @@
+!include include/default_mysqld.cnf
+!include ../my_1_1.cnf
+!include ../my_2_1.cnf
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_26158.test b/storage/spider/mysql-test/spider/bugfix/t/mdev_26158.test
@@ -0,0 +1,31 @@
+--echo #
+--echo # MDEV-26158 SIGSEGV in spider_free_mem from ha_spider::open on INSERT
+--echo #
+
+--disable_query_log
+--disable_result_log
+--source ../../t/test_init.inc
+--enable_result_log
+--enable_query_log
+
+--connection master_1
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+
+eval CREATE TABLE t (
+    c INT
+) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='table "tbl_a"'
+PARTITION BY LIST COLUMNS(`c`) (
+    PARTITION `pt1` DEFAULT COMMENT = 'srv "s_2_1"'
+);
+
+--error ER_BAD_DB_ERROR
+INSERT INTO t SELECT * FROM t;
+
+DROP DATABASE auto_test_local;
+
+--disable_query_log
+--disable_result_log
+--source ../../t/test_deinit.inc
+--enable_result_log
+--enable_query_log

Original file line number	Diff line number	Diff line change
`@@ -659,13 +659,13 @@ int ha_spider::open(`
`659`	`659`	`error_get_share:`
`660`	`660`	`if (wide_handler_alloc)`
`661`	`661`	`{`
	`662`	`+ spider_free(spider_current_trx, wide_handler, MYF(0));`
`662`	`663`	`#ifdef WITH_PARTITION_STORAGE_ENGINE`
`663`	`664`	`if (pt_handler_share_handlers)`
`664`	`665`	`{`
`665`	`666`	`pt_handler_share_handlers[0]->wide_handler = NULL;`
`666`	`667`	`}`
`667`	`668`	`#endif`
`668`		`- spider_free(spider_current_trx, wide_handler, MYF(0));`
`669`	`669`	`spider->wide_handler = NULL;`
`670`	`670`	`owner->wide_handler = NULL;`
`671`	`671`	`owner->wide_handler_owner = FALSE;`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+!include include/default_mysqld.cnf`
	`2`	`+!include ../my_1_1.cnf`
	`3`	`+!include ../my_2_1.cnf`