buf_read_ahead_linear dereferences buffer page pointer without protection
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Percona Server moved to https://jira.percona.com/projects/PS | Fix Released | High | Laurynas Biveinis | |
5.1 | Won't Fix | Undecided | Unassigned | |
5.5 | Won't Fix | Undecided | Unassigned | |
5.6 | Fix Released | High | Laurynas Biveinis | |

Bug Description
buf_read_
bpage = buf_page_
...
switch (buf_page_
frame = bpage->frame or zip.data;
}
/* Read the natural predecessor and successor page addresses from
the page; NOTE that because the calling thread may have an x-latch
on the page, we do not acquire an s-latch on the page, this is to
prevent deadlocks. Even if we read values which are nonsense, the
algorithm will work. */
pred_offset = fil_page_
succ_offset = fil_page_
After the buffer pool mutex split, the page returned by buf_page_hash_get is dereferenced without any protection.
At the same time, some other lesser issues noticed in the 5.7 port of the buffer pool mutex split:
- buf_pool_watch_set and buf_pool_
- buf_pool_mutex_key for PFS is now unused;
- some bool variables (have_lru_mutex in buf_page_
- buf_flush_page_try and i_s_innodb_
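
The unprotected-dereference pattern described in this report, as an added example that is not part of the original report or of Percona Server's code: a single-threaded toy model in which a callback stands in for the concurrent thread. All names (`pool_t`, `hash_get`, `evict_and_reuse`, `read_next_*`) are hypothetical, and the protected variant shows one general remedy, not the fix that was committed.

```c
/* Added illustration: toy model, not InnoDB code. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t page_no, prev, next; } page_t; /* descriptor slot, reused on eviction */
typedef struct { int readers; page_t slot; } pool_t;      /* one-slot "page hash" plus its lock */
typedef void (*hook_t)(pool_t *);                         /* stands in for another thread */

static void hash_s_lock(pool_t *p)   { p->readers++; }
static void hash_s_unlock(pool_t *p) { p->readers--; }

/* Eviction reuses the slot for another page; it is blocked while readers hold the lock. */
static int evict_and_reuse(pool_t *p, uint32_t new_no) {
    if (p->readers > 0) return 0;
    p->slot = (page_t){ new_no, new_no - 1, new_no + 1 };
    return 1;
}

static page_t *hash_get(pool_t *p, uint32_t page_no) {
    return p->slot.page_no == page_no ? &p->slot : NULL;
}

/* Unprotected pattern: the pointer outlives the lock that made it valid. */
static int read_next_unprotected(pool_t *p, uint32_t page_no, hook_t other, uint32_t *next) {
    hash_s_lock(p);
    page_t *bpage = hash_get(p, page_no);
    hash_s_unlock(p);
    if (!bpage) return -1;
    other(p);              /* race window: the slot may be reused here */
    *next = bpage->next;   /* now possibly describes a different page */
    return 0;
}

/* Protected pattern: copy the needed fields while the lock is still held. */
static int read_next_protected(pool_t *p, uint32_t page_no, hook_t other, uint32_t *next) {
    hash_s_lock(p);
    page_t *bpage = hash_get(p, page_no);
    if (bpage) *next = bpage->next;
    other(p);              /* the same eviction attempt is refused */
    hash_s_unlock(p);
    return bpage ? 0 : -1;
}

static void evictor(pool_t *p) { evict_and_reuse(p, 900); }

int main(void) {
    pool_t a = { 0, { 7, 6, 8 } }, b = { 0, { 7, 6, 8 } };  /* constructed sample page 7 */
    uint32_t n1 = 0, n2 = 0;
    read_next_unprotected(&a, 7, evictor, &n1);
    read_next_protected(&b, 7, evictor, &n2);
    printf("unprotected next=%u, protected next=%u\n", (unsigned)n1, (unsigned)n2);
    return 0;
}
```
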
Related branches
- Laurynas Biveinis (community): Approve
Diff: 191 lines (+14/-25), 8 files modified:
storage/innobase/buf/buf0buf.cc (+2/-10)
storage/innobase/buf/buf0flu.cc (+4/-2)
storage/innobase/buf/buf0lru.cc (+1/-1)
storage/innobase/buf/buf0rea.cc (+5/-3)
storage/innobase/handler/ha_innodb.cc (+0/-1)
storage/innobase/handler/i_s.cc (+0/-5)
storage/innobase/include/buf0flu.h (+2/-2)
storage/innobase/include/sync0sync.h (+0/-1)
summary:
- buf_read_ahead dereferences buffer page pointer without protection
+ buf_read_ahead_linear dereferences buffer page pointer without protection
tags: added: bp-split xtradb
Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-868