Race condition in kill_threads_for_user
Bug #910817 reported by
Vladislav Vaintroub
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MariaDB | Fix Released | Undecided | Kristian Nielsen |
Bug Description
In kill_threads_for_user():

    while ((ptr= it++))
    {
      ptr->awake(kill_signal);
      mysql_mutex_unlock(&ptr->LOCK_thd_data);
      (*rows)++;
    }
The problem with this code is that once ptr->LOCK_thd_data is unlocked, very shortly thereafter the memory pointed to by 'ptr' can be freed, so ptr->next becomes invalid and ptr= it++ might crash.
A possible fix would be to calculate the 'next' pointer before unlocking LOCK_thd_data.
Changed in maria:
assignee: nobody → Michael Widenius (monty)
Hi!
I don't see an issue with the above code.
'it' above is threads_to_kill that is not related to THD in any way.
In other words, we never use ptr->next anywhere.
So even if ptr disappears, it++ will point to the next element in the list.
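The description above argues that following ptr->next after releasing LOCK_thd_data reads memory another thread may already have freed, and the reply answers that the loop walks a separate List<THD> whose nodes are not the THD objects. The C program below is added here as an example; it is not code from the MariaDB source or from either participant. It models the three cases on a small intrusive list: the racy loop, the proposed fix of saving next before unlocking, and iteration over separately allocated nodes. The thd_t and node_t types, the worst-case "owner frees immediately after unlock" model in unlock_and_let_owner_free(), and the three-element list are constructed for the demonstration; a poisoned pointer stands in for freed memory so the stale read is observable rather than undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a connection's thread descriptor (THD) kept on an
 * intrusive singly linked list: 'next' lives inside the element itself, so
 * following it means reading the element's own memory. */
typedef struct thd {
    int id;
    int freed;            /* set once the owning thread has torn the object down */
    struct thd *next;
} thd_t;

/* Separately allocated list node, as in a List<THD> whose nodes are distinct
 * from the THD objects they point to. */
typedef struct node {
    thd_t *thd;
    struct node *next;
} node_t;

typedef struct { int rows; int stale_reads; } outcome_t;

/* Stands in for whatever garbage sits in freed memory. */
#define FREED_NEXT ((thd_t *)(uintptr_t)0xdeadbeef)

/* Models "unlock LOCK_thd_data, after which the owner may free the THD at any
 * moment" in its worst case: the free happens immediately. Instead of calling
 * free() (a later read would be undefined behaviour) we mark the object and
 * scribble over 'next' so a stale read is detectable. */
static void unlock_and_let_owner_free(thd_t *t)
{
    t->freed = 1;
    t->next = FREED_NEXT;
}

/* Read t->next and record whether the read touched freed memory. */
static thd_t *read_next(thd_t *t, int *stale_reads)
{
    if (t->freed)
        (*stale_reads)++;
    return t->next;
}

/* The pattern the report describes: unlock, then 'it++' reads ptr->next from
 * an element that may already be gone. */
static outcome_t kill_intrusive_racy(thd_t *head)
{
    outcome_t o = {0, 0};
    thd_t *ptr = head;
    while (ptr) {
        unlock_and_let_owner_free(ptr);        /* ptr is dead from here on */
        o.rows++;
        ptr = read_next(ptr, &o.stale_reads);  /* use after free */
        if (ptr == FREED_NEXT)
            break;                             /* real code would crash here */
    }
    return o;
}

/* The fix the report proposes: take 'next' while the lock still protects ptr. */
static outcome_t kill_intrusive_fixed(thd_t *head)
{
    outcome_t o = {0, 0};
    thd_t *ptr = head;
    while (ptr) {
        thd_t *next = read_next(ptr, &o.stale_reads);  /* still protected */
        unlock_and_let_owner_free(ptr);
        o.rows++;
        ptr = next;
    }
    return o;
}

/* The situation the reply describes: the iterator walks separately allocated
 * nodes, so freeing a THD never invalidates the traversal. */
static outcome_t kill_via_separate_list(node_t *head)
{
    outcome_t o = {0, 0};
    for (node_t *n = head; n; n = n->next) {   /* n->next is not in the THD */
        unlock_and_let_owner_free(n->thd);
        o.rows++;
    }
    return o;
}

/* Constructed sample data: three THDs, optionally wrapped in list nodes. */
static thd_t *make_thds(thd_t buf[3])
{
    for (int i = 0; i < 3; i++) {
        buf[i].id = i + 1;
        buf[i].freed = 0;
        buf[i].next = (i < 2) ? &buf[i + 1] : NULL;
    }
    return &buf[0];
}

static node_t *make_nodes(thd_t *thds, node_t buf[3])
{
    for (int i = 0; i < 3; i++) {
        buf[i].thd = &thds[i];
        buf[i].next = (i < 2) ? &buf[i + 1] : NULL;
    }
    return &buf[0];
}

static outcome_t run_racy(void)     { thd_t b[3]; return kill_intrusive_racy(make_thds(b)); }
static outcome_t run_fixed(void)    { thd_t b[3]; return kill_intrusive_fixed(make_thds(b)); }
static outcome_t run_separate(void) { thd_t b[3]; node_t n[3];
                                      return kill_via_separate_list(make_nodes(make_thds(b), n)); }

int main(void)
{
    outcome_t r = run_racy(), f = run_fixed(), s = run_separate();
    printf("racy:     killed %d, stale reads %d\n", r.rows, r.stale_reads);
    printf("fixed:    killed %d, stale reads %d\n", f.rows, f.stale_reads);
    printf("separate: killed %d, stale reads %d\n", s.rows, s.stale_reads);
    return 0;
}
```

The racy loop reads freed memory on its first step and never reaches the other two descriptors; both the fix of caching next before unlocking and the separate-node list kill all three without touching a freed object. Which of the last two applies to the real code depends on where the iterator's next pointer is stored, which is exactly the point the reply makes.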