buf_read_ahead_linear dereferences buffer page pointer without protection

Bug #1417953 reported by Laurynas Biveinis on 2015-02-04
Affects         Status        Importance  Assigned to         Milestone
Percona Server  Fix Released  High        Laurynas Biveinis
  5.1           Won't Fix     Undecided   Unassigned
  5.5           Won't Fix     Undecided   Unassigned
  5.6           Fix Released  High        Laurynas Biveinis
(Percona Server bug tracking has moved to https://jira.percona.com/projects/PS)

Bug Description

buf_read_ahead_linear contains the following:

    bpage = buf_page_hash_get(buf_pool, space, offset);

    ...

    switch (buf_page_get_state(bpage)) {
        frame = bpage->frame or zip.data;
    }

    /* Read the natural predecessor and successor page addresses from
    the page; NOTE that because the calling thread may have an x-latch
    on the page, we do not acquire an s-latch on the page, this is to
    prevent deadlocks. Even if we read values which are nonsense, the
    algorithm will work. */

    pred_offset = fil_page_get_prev(frame);
    succ_offset = fil_page_get_next(frame);

After the buffer pool mutex split, the page returned by buf_page_hash_get is dereferenced without any protection.

At the same time, some other lesser issues noticed in the 5.7 port of the buffer pool mutex split:
- buf_pool_watch_set and buf_pool_watch_remove need not lock the zip mutex. The page hash X latch is enough protection already.
- buf_pool_mutex_key for PFS is now unused;
- some bool variables (have_lru_mutex in buf_page_io_complete and must_restart in buf_flush_or_remove_page) are set to the ibool TRUE and FALSE constants;
- buf_flush_page_try and i_s_innodb_fill_buffer_pool have misleading comments.


Summary changed from "buf_read_ahead dereferences buffer page pointer without protection" to "buf_read_ahead_linear dereferences buffer page pointer without protection".
Tags added: bp-split xtradb

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-868
