Bug#19070633 - POSSIBLE ACCESS TO FREED MEMORY IN IS_FREE_LOCK()

phulakun · phulakun · commit fea02bbbbc9e · 2014-09-16T11:31:46.000+05:30
AND IS_USED_LOCK().

Merging from 5.5 to 5.6.
diff --git a/mysql-test/r/lock_sync.result b/mysql-test/r/lock_sync.result
@@ -853,3 +853,54 @@ connection con2;
 #Clean up.
 DROP TABLE t1;
 SET DEBUG_SYNC= 'RESET';
+#
+# Bug#19070633 - POSSIBLE ACCESS TO FREED MEMORY IN IS_FREE_LOCK() AND IS_USED_LOCK().
+#
+# Verifying issue for IS_FREE_LOCK() function.
+SELECT GET_LOCK("lock_19070633", 600);
+GET_LOCK("lock_19070633", 600)
+1
+connect  con1, localhost, root,,;
+# Waiting after getting user level lock info and releasing mutex.
+SET DEBUG_SYNC= 'after_getting_user_level_lock_info SIGNAL parked WAIT_FOR go';
+# Sending: SELECT IS_FREE_LOCK("lock_19070633");
+SELECT IS_FREE_LOCK("lock_19070633");
+connection default;
+SET DEBUG_SYNC= 'now WAIT_FOR parked';
+SELECT RELEASE_LOCK("lock_19070633");
+RELEASE_LOCK("lock_19070633")
+1
+# Signaling connection con1 after releasing the lock.
+# Without fix, accessing user level lock info in con1 would result in
+# crash or valgrind issue invalid read is reported.
+SET DEBUG_SYNC= 'now SIGNAL go';
+connection con1;
+# Reaping: SELECT IS_FREE_LOCK("lock_19070633");
+IS_FREE_LOCK("lock_19070633")
+0
+connection default;
+# Verifying issue for IS_USED_LOCK() function.
+SELECT GET_LOCK("lock_19070633", 600);
+GET_LOCK("lock_19070633", 600)
+1
+connection con1;
+# Waiting after getting user level lock info and releasing mutex.
+SET DEBUG_SYNC= 'after_getting_user_level_lock_info SIGNAL parked WAIT_FOR go';
+# Sending: SELECT IS_USED_LOCK("lock_19070633");
+SELECT IS_USED_LOCK("lock_19070633");
+connection default;
+SET DEBUG_SYNC= 'now WAIT_FOR parked';
+SELECT RELEASE_LOCK("lock_19070633");
+RELEASE_LOCK("lock_19070633")
+1
+# Signaling connection con1 after releasing the lock.
+# Without fix, accessing user level lock info in con1 would result in
+# crash or valgrind issue invalid read is reported.
+SET DEBUG_SYNC= 'now SIGNAL go';
+connection con1;
+# Reaping: SELECT IS_USED_LOCK("lock_19070633");
+IS_USED_LOCK("lock_19070633")
+#
+connection default;
+SET DEBUG_SYNC= 'RESET';
+disconnect con1;
diff --git a/mysql-test/t/lock_sync.test b/mysql-test/t/lock_sync.test
@@ -1242,6 +1242,62 @@ SET DEBUG_SYNC= 'RESET';
 --disconnect con1
 
 
+--echo #
+--echo # Bug#19070633 - POSSIBLE ACCESS TO FREED MEMORY IN IS_FREE_LOCK() AND IS_USED_LOCK().
+--echo #
+
+--enable_connect_log
+
+--echo # Verifying issue for IS_FREE_LOCK() function.
+SELECT GET_LOCK("lock_19070633", 600);
+
+connect (con1, localhost, root,,);
+--echo # Waiting after getting user level lock info and releasing mutex.
+SET DEBUG_SYNC= 'after_getting_user_level_lock_info SIGNAL parked WAIT_FOR go';
+--echo # Sending: SELECT IS_FREE_LOCK("lock_19070633");
+send SELECT IS_FREE_LOCK("lock_19070633");
+
+connection default;
+SET DEBUG_SYNC= 'now WAIT_FOR parked';
+SELECT RELEASE_LOCK("lock_19070633");
+--echo # Signaling connection con1 after releasing the lock.
+--echo # Without fix, accessing user level lock info in con1 would result in
+--echo # crash or valgrind issue invalid read is reported.
+SET DEBUG_SYNC= 'now SIGNAL go';
+
+connection con1;
+--echo # Reaping: SELECT IS_FREE_LOCK("lock_19070633");
+--reap
+
+connection default;
+--echo # Verifying issue for IS_USED_LOCK() function.
+SELECT GET_LOCK("lock_19070633", 600);
+
+connection con1;
+--echo # Waiting after getting user level lock info and releasing mutex.
+SET DEBUG_SYNC= 'after_getting_user_level_lock_info SIGNAL parked WAIT_FOR go';
+--echo # Sending: SELECT IS_USED_LOCK("lock_19070633");
+send SELECT IS_USED_LOCK("lock_19070633");
+
+connection default;
+SET DEBUG_SYNC= 'now WAIT_FOR parked';
+SELECT RELEASE_LOCK("lock_19070633");
+--echo # Signaling connection con1 after releasing the lock.
+--echo # Without fix, accessing user level lock info in con1 would result in
+--echo # crash or valgrind issue invalid read is reported.
+SET DEBUG_SYNC= 'now SIGNAL go';
+
+connection con1;
+--echo # Reaping: SELECT IS_USED_LOCK("lock_19070633");
+--replace_column 1 #
+--reap
+
+connection default;
+SET DEBUG_SYNC= 'RESET';
+disconnect con1;
+
+--disable_connect_log
+
 # Check that all connections opened by test cases in this file are really
 # gone so execution of other tests won't be affected by their presence.
 --source include/wait_until_count_sessions.inc
diff --git a/sql/item_func.cc b/sql/item_func.cc
@@ -6499,28 +6499,32 @@ longlong Item_func_is_free_lock::val_int()
   DBUG_ASSERT(fixed == 1);
   String *res=args[0]->val_str(&value);
   User_level_lock *ull;
+  longlong ret_val= 0LL;
 
   null_value=0;
   if (!res || !res->length())
   {
     null_value=1;
-    return 0;
+    return ret_val;
   }
   
   mysql_mutex_lock(&LOCK_user_locks);
   ull= (User_level_lock *) my_hash_search(&hash_user_locks, (uchar*) res->ptr(),
                                           (size_t) res->length());
-  mysql_mutex_unlock(&LOCK_user_locks);
   if (!ull || !ull->locked)
-    return 1;
-  return 0;
+    ret_val= 1;
+  mysql_mutex_unlock(&LOCK_user_locks);
+  DEBUG_SYNC(current_thd, "after_getting_user_level_lock_info");
+
+  return ret_val;
 }
 
 longlong Item_func_is_used_lock::val_int()
 {
   DBUG_ASSERT(fixed == 1);
   String *res=args[0]->val_str(&value);
   User_level_lock *ull;
+  my_thread_id thread_id= 0UL;
 
   null_value=1;
   if (!res || !res->length())
@@ -6529,12 +6533,15 @@ longlong Item_func_is_used_lock::val_int()
   mysql_mutex_lock(&LOCK_user_locks);
   ull= (User_level_lock *) my_hash_search(&hash_user_locks, (uchar*) res->ptr(),
                                           (size_t) res->length());
+  if ((ull != NULL) && ull->locked)
+  {
+    null_value= 0;
+    thread_id= ull->thread_id;
+  }
   mysql_mutex_unlock(&LOCK_user_locks);
-  if (!ull || !ull->locked)
-    return 0;
+  DEBUG_SYNC(current_thd, "after_getting_user_level_lock_info");
 
-  null_value=0;
-  return ull->thread_id;
+  return thread_id;
 }
 
 
