From 51e049cff6a3110504b67644bf02a037dc8b1c5c Mon Sep 17 00:00:00 2001 From: Balasubramanian Kandasamy Date: Mon, 27 Nov 2017 15:33:02 +0530 Subject: [PATCH 01/14] Raise version number after cloning 5.5.59 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 87b72051a84..44f719ca097 100644 --- a/VERSION +++ b/VERSION @@ -1,4 +1,4 @@ MYSQL_VERSION_MAJOR=5 MYSQL_VERSION_MINOR=5 -MYSQL_VERSION_PATCH=59 +MYSQL_VERSION_PATCH=60 MYSQL_VERSION_EXTRA= From 8bc828b982f678d6b57c1853bbe78080c8f84e84 Mon Sep 17 00:00:00 2001 From: Karthik Kamath Date: Mon, 27 Nov 2017 19:59:29 +0530 Subject: [PATCH 02/14] BUG#26502135: MYSQLD SEGFAULTS IN MDL_CONTEXT::TRY_ACQUIRE_LOCK_IMPL ANALYSIS: ========= Server sometimes exited when multiple threads tried to acquire and release metadata locks simultaneously (for example, necessary to access a table). The same problem could have occurred when new objects were registered/ deregistered in Performance Schema. The problem was caused by a bug in LF_HASH - our lock free hash implementation which is used by metadata locking subsystem in 5.7 branch. In 5.5 and 5.6 we only use LF_HASH in Performance Schema Instrumentation implementation. So for these versions, the problem was limited to P_S. The problem was in my_lfind() function, which searches for the specific hash element by going through the elements list. During this search it loads information about element checked such as key pointer and hash value into local variables. Then it confirms that they are not corrupted by concurrent delete operation (which will set pointer to 0) by checking if element is still in the list. The latter check did not take into account that compiler (and processor) can reorder reads in such a way that load of key pointer will happen after it, making result of the check invalid. FIX: ==== This patch fixes the problem by ensuring that no such reordering can take place. This is achieved by using my_atomic_loadptr() which contains compiler and processor memory barriers for the check mentioned above and other similar places. The default (for non-Windows systems) implementation of my_atomic*() relies on old __sync intrisics and implements my_atomic_loadptr() as read-modify operation. To avoid scalability/performance penalty associated with addition of my_atomic_loadptr()'s we change the my_atomic*() to use newer __atomic intrisics when available. This new default implementation doesn't have such a drawback. --- mysys/lf_hash.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/mysys/lf_hash.c b/mysys/lf_hash.c index dc019b07bd9..3a3f665a4f1 100644 --- a/mysys/lf_hash.c +++ b/mysys/lf_hash.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -83,7 +83,8 @@ retry: do { /* PTR() isn't necessary below, head is a dummy node */ cursor->curr= (LF_SLIST *)(*cursor->prev); _lf_pin(pins, 1, cursor->curr); - } while (*cursor->prev != (intptr)cursor->curr && LF_BACKOFF); + } while (my_atomic_loadptr((void**)cursor->prev) != cursor->curr && + LF_BACKOFF); for (;;) { if (unlikely(!cursor->curr)) @@ -97,7 +98,7 @@ retry: cur_hashnr= cursor->curr->hashnr; cur_key= cursor->curr->key; cur_keylen= cursor->curr->keylen; - if (*cursor->prev != (intptr)cursor->curr) + if (my_atomic_loadptr((void**)cursor->prev) != cursor->curr) { (void)LF_BACKOFF; goto retry; From ecc5a07874d44307b835ff5dbd091343961fbc93 Mon Sep 17 00:00:00 2001 From: Shishir Jaiswal Date: Sat, 2 Dec 2017 15:12:32 +0530 Subject: [PATCH 03/14] Bug#26585560 - MYSQL DAEMON SHOULD CREATE ITS PID FILE AS ROOT DESCRIPTION =========== If the .pid file is created at a world-writable location, it can be compromised by replacing the server's pid with another running server's (or some other non-mysql process) PID causing abnormal behaviour. ANALYSIS ======== In such a case, user should be warned that .pid file is being created at a world-writable location. FIX === A new function is_file_or_dir_world_writable() is defined and it is called in create_pid_file() before .pid file creation. If the location is world-writable, a relevant warning is thrown. NOTE ==== 1. PID file is always created with permission bit 0664, so for outside world its read-only. 2. Ignoring the case when permission is denied to get the dir stats since the .pid file creation would fail anyway in such a case. --- include/sql_common.h | 1 + mysql-test/include/mtr_warnings.sql | 8 ++++- sql-common/my_path_permissions.cc | 54 +++++++++++++++++++++++++++++ sql/CMakeLists.txt | 2 +- sql/mysqld.cc | 36 ++++++++++++++++++- 5 files changed, 98 insertions(+), 3 deletions(-) create mode 100644 sql-common/my_path_permissions.cc diff --git a/include/sql_common.h b/include/sql_common.h index 05bbb5a4f53..45e90d438fb 100644 --- a/include/sql_common.h +++ b/include/sql_common.h @@ -107,6 +107,7 @@ void mysql_client_plugin_deinit(); struct st_mysql_client_plugin; extern struct st_mysql_client_plugin *mysql_client_builtins[]; extern my_bool libmysql_cleartext_plugin_enabled; +int is_file_or_dir_world_writable(const char *filepath); #ifdef __cplusplus } diff --git a/mysql-test/include/mtr_warnings.sql b/mysql-test/include/mtr_warnings.sql index 0a3c3bc60b3..fb6d24c03e9 100644 --- a/mysql-test/include/mtr_warnings.sql +++ b/mysql-test/include/mtr_warnings.sql @@ -1,4 +1,4 @@ --- Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved. +-- Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved. -- -- This program is free software; you can redistribute it and/or modify -- it under the terms of the GNU General Public License as published by @@ -209,6 +209,12 @@ INSERT INTO global_suppressions VALUES */ ("Insecure configuration for --secure-file-priv:*"), + /* + Bug#26585560, warning related to --pid-file + */ + ("Insecure configuration for --pid-file:*"), + ("Few location(s) are inaccessible while checking PID filepath"), + ("THE_LAST_SUPPRESSION")|| diff --git a/sql-common/my_path_permissions.cc b/sql-common/my_path_permissions.cc new file mode 100644 index 00000000000..22cd748ff03 --- /dev/null +++ b/sql-common/my_path_permissions.cc @@ -0,0 +1,54 @@ +/* Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + 02110-1301, USA */ + +#include "my_dir.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** + Check if a file/dir is world-writable (only on non-Windows platforms) + + @param [in] Path of the file/dir to be checked + + @returns Status of the file/dir check + @retval -2 Permission denied to check attributes of file/dir + @retval -1 Error in reading file/dir + @retval 0 File/dir is not world-writable + @retval 1 File/dir is world-writable + */ + +int is_file_or_dir_world_writable(const char *path) +{ + MY_STAT stat_info; + (void)path; // avoid unused param warning when built on Windows +#ifndef _WIN32 + if (!my_stat(path, &stat_info, MYF(0))) + { + return (errno == EACCES) ? -2 : -1; + } + if ((stat_info.st_mode & S_IWOTH) && + ((stat_info.st_mode & S_IFMT) == S_IFREG || /* file */ + (stat_info.st_mode & S_IFMT) == S_IFDIR)) /* or dir */ + return 1; +#endif + return 0; +} + +#ifdef __cplusplus +} +#endif diff --git a/sql/CMakeLists.txt b/sql/CMakeLists.txt index 531561ac36d..aa7e0312e05 100644 --- a/sql/CMakeLists.txt +++ b/sql/CMakeLists.txt @@ -78,7 +78,7 @@ SET (SQL_SOURCE sql_profile.cc event_parse_data.cc sql_alter.cc sql_signal.cc rpl_handler.cc mdl.cc sql_admin.cc transaction.cc sys_vars.cc sql_truncate.cc datadict.cc - sql_reload.cc + sql_reload.cc ../sql-common/my_path_permissions.cc ${GEN_SOURCES} ${CONF_SOURCES} ${MYSYS_LIBWRAP_SOURCE}) diff --git a/sql/mysqld.cc b/sql/mysqld.cc index c969fd8a62a..fd39e252c26 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights +/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify @@ -7996,6 +7996,40 @@ static int test_if_case_insensitive(const char *dir_name) static void create_pid_file() { File file; + bool check_parent_path= 1, is_path_accessible= 1; + char pid_filepath[FN_REFLEN], *pos= NULL; + /* Copy pid file name to get pid file path */ + strcpy(pid_filepath, pidfile_name); + + /* Iterate through the entire path to check if even one of the sub-dirs + is world-writable */ + while (check_parent_path && (pos= strrchr(pid_filepath, FN_LIBCHAR)) + && (pos != pid_filepath)) /* shouldn't check root */ + { + *pos= '\0'; /* Trim the inner-most dir */ + switch (is_file_or_dir_world_writable(pid_filepath)) + { + case -2: + is_path_accessible= 0; + break; + case -1: + sql_perror("Can't start server: can't check PID filepath"); + exit(1); + case 1: + sql_print_warning("Insecure configuration for --pid-file: Location " + "'%s' in the path is accessible to all OS users. " + "Consider choosing a different directory.", + pid_filepath); + check_parent_path= 0; + break; + case 0: + continue; /* Keep checking the parent dir */ + } + } + if (!is_path_accessible) + { + sql_print_warning("Few location(s) are inaccessible while checking PID filepath."); + } if ((file= mysql_file_create(key_file_pid, pidfile_name, 0664, O_WRONLY | O_TRUNC, MYF(MY_WME))) >= 0) { From 9e1035c64f2db233995082397921f553810bdfbc Mon Sep 17 00:00:00 2001 From: Karthik Kamath Date: Tue, 5 Dec 2017 19:49:59 +0530 Subject: [PATCH 04/14] BUG#26881798: SERVER EXITS WHEN PRIMARY KEY IN MYSQL.PROC IS DROPPED ANALYSIS: ========= It is advised not to tamper with the system tables. When primary key is dropped from a system table, certain operations on the table which tries to access the table key information may lead to server exit. FIX: ==== An appropriate error is now reported in such a case. --- sql/event_db_repository.cc | 4 +++- sql/sp.cc | 4 ++-- sql/sql_acl.cc | 4 +++- sql/sql_plugin.cc | 12 +++++++++++- sql/table.cc | 16 ++++++++++++++-- sql/table.h | 5 +++-- 6 files changed, 36 insertions(+), 9 deletions(-) diff --git a/sql/event_db_repository.cc b/sql/event_db_repository.cc index 74da4d8f587..96d1279573d 100644 --- a/sql/event_db_repository.cc +++ b/sql/event_db_repository.cc @@ -1,5 +1,5 @@ /* - Copyright (c) 2006, 2011, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -174,6 +174,8 @@ protected: error_log_print(ERROR_LEVEL, fmt, args); va_end(args); } +public: + Event_db_intact() { has_keys= TRUE; } }; /** In case of an error, a message is printed to the error log. */ diff --git a/sql/sp.cc b/sql/sp.cc index 56a439481f5..82d25880168 100644 --- a/sql/sp.cc +++ b/sql/sp.cc @@ -1,5 +1,5 @@ /* - Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -351,7 +351,7 @@ private: bool m_print_once; public: - Proc_table_intact() : m_print_once(TRUE) {} + Proc_table_intact() : m_print_once(TRUE) { has_keys= TRUE; } protected: void report_error(uint code, const char *fmt, ...); diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index b48b8562679..385484f2b01 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -949,6 +949,8 @@ protected: va_end(args); } } +public: + Acl_table_intact() { has_keys= TRUE; } }; #define IP_ADDR_STRLEN (3 + 1 + 3 + 1 + 3 + 1 + 3) diff --git a/sql/sql_plugin.cc b/sql/sql_plugin.cc index 9ec0390483a..3af9136d37f 100644 --- a/sql/sql_plugin.cc +++ b/sql/sql_plugin.cc @@ -1,5 +1,5 @@ /* - Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1899,6 +1899,16 @@ bool mysql_uninstall_plugin(THD *thd, const LEX_STRING *name) if (! (table= open_ltable(thd, &tables, TL_WRITE, MYSQL_LOCK_IGNORE_TIMEOUT))) DBUG_RETURN(TRUE); + if (!table->key_info) + { + my_printf_error(ER_UNKNOWN_ERROR, + "The table '%s.%s' does not have the necessary key(s) " + "defined on it. Please check the table definition and " + "create index(s) accordingly.", MYF(0), + table->s->db.str, table->s->table_name.str); + DBUG_RETURN(TRUE); + } + /* Pre-acquire audit plugins for events that may potentially occur during [UN]INSTALL PLUGIN. diff --git a/sql/table.cc b/sql/table.cc index 5bc3ccdbf39..46397b794ee 100644 --- a/sql/table.cc +++ b/sql/table.cc @@ -1,5 +1,5 @@ /* - Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -3013,7 +3013,7 @@ Table_check_intact::check(TABLE *table, const TABLE_FIELD_DEF *table_def) /* Whether the table definition has already been validated. */ if (table->s->table_field_def_cache == table_def) - DBUG_RETURN(FALSE); + goto end; if (table->s->fields != table_def->count) { @@ -3129,6 +3129,18 @@ Table_check_intact::check(TABLE *table, const TABLE_FIELD_DEF *table_def) if (! error) table->s->table_field_def_cache= table_def; +end: + + if (has_keys && !error && !table->key_info) + { + my_printf_error(ER_UNKNOWN_ERROR, + "The table '%s.%s' does not have the necessary key(s) " + "defined on it. Please check the table definition and " + "create index(s) accordingly.", MYF(0), + table->s->db.str, table->s->table_name.str); + error= TRUE; + } + DBUG_RETURN(error); } diff --git a/sql/table.h b/sql/table.h index ac3533dc5d7..31cd385ef35 100644 --- a/sql/table.h +++ b/sql/table.h @@ -1,7 +1,7 @@ #ifndef TABLE_INCLUDED #define TABLE_INCLUDED -/* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -484,10 +484,11 @@ typedef struct st_ha_data_partition class Table_check_intact { protected: + bool has_keys; virtual void report_error(uint code, const char *fmt, ...)= 0; public: - Table_check_intact() {} + Table_check_intact() : has_keys(FALSE) {} virtual ~Table_check_intact() {} /** Checks whether a table is intact. */ From 7cf10132cb83a04f6e0f59a7266fd54c03e2ade2 Mon Sep 17 00:00:00 2001 From: "mysql-builder@oracle.com" <> Date: Thu, 21 Dec 2017 10:11:49 +0530 Subject: [PATCH 05/14] From 2b1fe48504cb91eb6d18ec2188a5cc1737f3003e Mon Sep 17 00:00:00 2001 From: "mysql-builder@oracle.com" <> Date: Thu, 21 Dec 2017 18:12:26 +0530 Subject: [PATCH 06/14] From 20e75a3efdd12540bf0078e27c62e0daad034cb7 Mon Sep 17 00:00:00 2001 From: Bjorn Munch Date: Thu, 11 Jan 2018 09:31:36 +0100 Subject: [PATCH 07/14] Bug #27021754 MYSQLTEST MAN PAGES WILL BE REMOVED, PACKAGING MUST BE PREPARED Followup: now that the man pages have actually been removed, we no longer need to take deliberate action to ignore them. Thus we can remove that part of the original change. RPM: drop the conditional removal DEB: remove from the exclude list --- packaging/rpm-oel/mysql.spec.in | 13 ++++--------- packaging/rpm-sles/mysql.spec.in | 13 ++++--------- support-files/mysql.spec.sh | 11 ++++------- 3 files changed, 12 insertions(+), 25 deletions(-) diff --git a/packaging/rpm-oel/mysql.spec.in b/packaging/rpm-oel/mysql.spec.in index 755f922026e..f3f65da6605 100644 --- a/packaging/rpm-oel/mysql.spec.in +++ b/packaging/rpm-oel/mysql.spec.in @@ -1,4 +1,4 @@ -# Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -609,14 +609,6 @@ rm -rf %{buildroot}%{_bindir}/mysql_embedded rm -rf %{buildroot}%{_bindir}/mysql_setpermission rm -rf %{buildroot}%{_mandir}/man1/mysql_setpermission.1* -# Remove obsoleted man pages -rm -f %{buildroot}%{_mandir}/man1/mysql-stress-test.pl.1 -rm -f %{buildroot}%{_mandir}/man1/mysql-test-run.pl.1 -rm -f %{buildroot}%{_mandir}/man1/mysql_client_test.1 -rm -f %{buildroot}%{_mandir}/man1/mysql_client_test_embedded.1 -rm -f %{buildroot}%{_mandir}/man1/mysqltest.1 -rm -f %{buildroot}%{_mandir}/man1/mysqltest_embedded.1 - %check %if 0%{?runselftest} pushd release @@ -920,6 +912,9 @@ fi %endif %changelog +* Wed Jan 10 2018 Bjorn Munch - 5.5.60-1 +- No longer need to remove obsoleted mysqltest man pages + * Tue Oct 31 2017 Bjorn Munch - 5.5.59-1 - Remove obsoleted mysqltest man pages diff --git a/packaging/rpm-sles/mysql.spec.in b/packaging/rpm-sles/mysql.spec.in index d5a3ba8deff..75e0271b590 100644 --- a/packaging/rpm-sles/mysql.spec.in +++ b/packaging/rpm-sles/mysql.spec.in @@ -1,4 +1,4 @@ -# Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -446,14 +446,6 @@ rm -rf %{buildroot}%{_bindir}/mysql_embedded rm -rf %{buildroot}%{_bindir}/mysql_setpermission rm -rf %{buildroot}%{_mandir}/man1/mysql_setpermission.1* -# Remove obsoleted man pages -rm -f %{buildroot}%{_mandir}/man1/mysql-stress-test.pl.1 -rm -f %{buildroot}%{_mandir}/man1/mysql-test-run.pl.1 -rm -f %{buildroot}%{_mandir}/man1/mysql_client_test.1 -rm -f %{buildroot}%{_mandir}/man1/mysql_client_test_embedded.1 -rm -f %{buildroot}%{_mandir}/man1/mysqltest.1 -rm -f %{buildroot}%{_mandir}/man1/mysqltest_embedded.1 - # rcmysql symlink install -d %{buildroot}%{_sbindir} ln -sf %{_initrddir}/mysql %{buildroot}%{_sbindir}/rcmysql @@ -742,6 +734,9 @@ fi %attr(755, root, root) %{_libdir}/mysql/libmysqld.so %changelog +* Wed Jan 10 2018 Bjorn Munch - 5.5.60-1 +- No longer need to remove obsoleted mysqltest man pages + * Tue Oct 31 2017 Bjorn Munch - 5.5.59-1 - Remove obsoleted mysqltest man pages diff --git a/support-files/mysql.spec.sh b/support-files/mysql.spec.sh index 4060284ce9d..cb1462c57e5 100644 --- a/support-files/mysql.spec.sh +++ b/support-files/mysql.spec.sh @@ -1,4 +1,4 @@ -# Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -621,12 +621,6 @@ install -m 644 "%{malloc_lib_source}" \ # Remove man pages we explicitly do not want to package, avoids 'unpackaged # files' warning. # This has become obsolete: rm -f $RBR%{_mandir}/man1/make_win_bin_dist.1* -rm -f $RBR%{_mandir}/man1/mysql-stress-test.pl.1 -rm -f $RBR%{_mandir}/man1/mysql-test-run.pl.1 -rm -f $RBR%{_mandir}/man1/mysql_client_test.1 -rm -f $RBR%{_mandir}/man1/mysql_client_test_embedded.1 -rm -f $RBR%{_mandir}/man1/mysqltest.1 -rm -f $RBR%{_mandir}/man1/mysqltest_embedded.1 ############################################################################## # Post processing actions, i.e. when installed @@ -1228,6 +1222,9 @@ echo "=====" >> $STATUS_HISTORY # merging BK trees) ############################################################################## %changelog +* Wed Jan 10 2018 Bjorn Munch +- No longer need to remove obsoleted mysqltest man pages + * Tue Oct 31 2017 Bjorn Munch - Remove obsoleted mysqltest man pages From 2af9e8af6efba951e33e148d0b1a34beb25be831 Mon Sep 17 00:00:00 2001 From: Karthik Kamath Date: Thu, 11 Jan 2018 19:48:12 +0530 Subject: [PATCH 08/14] BUG#27160888: MISSING FILE PRIVILEDGE CHECKS ON SOME STATEMENTS ANALYSIS: ========= A user not having FILE privilege is not allowed to create custom data/index directories for a table or for its partitions via CREATE TABLE but is allowed to do so via ALTER TABLE statement. ALTER TABLE ignores DATA DIRECTORY and INDEX DIRECTORY when given as table options. The issue occurs during the creation of partitions for a table via ALTER TABLE statement with the DATA DIRECTORY and/or INDEX DIRECTORY options. The issue exists because of the absence of FILE privilege check for the user. FIX: ==== A FILE privilege check has been introduced for resolving the above scenario. --- sql/sql_alter.cc | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/sql/sql_alter.cc b/sql/sql_alter.cc index 6247d581830..660efe2d177 100644 --- a/sql/sql_alter.cc +++ b/sql/sql_alter.cc @@ -1,4 +1,4 @@ -/* Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2010, 2018, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -18,6 +18,8 @@ // mysql_exchange_partition #include "sql_alter.h" +bool has_external_data_or_index_dir(partition_info &pi); + bool Alter_table_statement::execute(THD *thd) { LEX *lex= thd->lex; @@ -42,6 +44,16 @@ bool Alter_table_statement::execute(THD *thd) if (thd->is_fatal_error) /* out of memory creating a copy of alter_info */ DBUG_RETURN(TRUE); + +#ifdef WITH_PARTITION_STORAGE_ENGINE + { + partition_info *part_info= thd->lex->part_info; + if (part_info != NULL && has_external_data_or_index_dir(*part_info) && + check_access(thd, FILE_ACL, any_db, NULL, NULL, FALSE, FALSE)) + + DBUG_RETURN(TRUE); + } +#endif /* We also require DROP priv for ALTER TABLE ... DROP PARTITION, as well as for RENAME TO, as being done by SQLCOM_RENAME_TABLE From 3fb2f8db179c2ea9a15fcc2f142c5b98c5aab17a Mon Sep 17 00:00:00 2001 From: Joao Gramacho Date: Fri, 2 Feb 2018 11:45:56 +0000 Subject: [PATCH 09/14] BUG#24365972 BINLOG DECODING ISN'T RESILIENT TO CORRUPT BINLOG FILES Problem ======= When facing decoding of corrupt binary log files, server may misbehave without detecting the events corruption. This patch makes MySQL server more resilient to binary log decoding. Fixes for events de-serialization and apply =========================================== @sql/log_event.cc Query_log_event::Query_log_event: added a check to ensure query length is respecting event buffer limits. Query_log_event::do_apply_event: extended a debug print, added a check to character set to determine if it is "parseable" or not, verified if database name is valid for system collation. Start_log_event_v3::do_apply_event: report an error on applying a non-supported binary log version. Load_log_event::copy_log_event: added a check to table_name length. User_var_log_event::User_var_log_event: added checks to avoid reading out of buffer limits. User_var_log_event::do_apply_event: reported an sanity check error properly and added individual sanity checks for variable types that expect fixed (or minimum) amount of bytes to be read. Rows_log_event::Rows_log_event: added checks to avoid reading out of buffer limits. @sql/log_event_old.cc Old_rows_log_event::Old_rows_log_event: added a sanity check to avoid reading out of buffer limits. @sql/sql_priv.h Added a sanity check to available_buffer() function. --- sql/log_event.cc | 126 ++++++++++++++++++++++++++++++++++++++++--- sql/log_event_old.cc | 11 +++- sql/sql_priv.h | 7 ++- 3 files changed, 136 insertions(+), 8 deletions(-) diff --git a/sql/log_event.cc b/sql/log_event.cc index 5dbeb1eb4b9..ac1e105be8c 100644 --- a/sql/log_event.cc +++ b/sql/log_event.cc @@ -1,5 +1,5 @@ /* - Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -3024,6 +3024,25 @@ Query_log_event::Query_log_event(const char* buf, uint event_len, db= (char *)start; query= (char *)(start + db_len + 1); q_len= data_len - db_len -1; + + if (data_len && (data_len < db_len || + data_len < q_len || + data_len != (db_len + q_len + 1))) + { + q_len= 0; + query= NULL; + DBUG_VOID_RETURN; + } + + unsigned int max_length; + max_length= (event_len - ((const char*)(end + db_len + 1) - + (buf - common_header_len))); + if (q_len != max_length) + { + q_len= 0; + query= NULL; + DBUG_VOID_RETURN; + } /** Append the db length at the end of the buffer. This will be used by Query_cache::send_result_to_client() in case the query cache is On. @@ -3278,6 +3297,26 @@ int Query_log_event::do_apply_event(Relay_log_info const *rli, you. */ thd->catalog= catalog_len ? (char *) catalog : (char *)""; + + size_t valid_len; + bool len_error; + bool is_invalid_db_name= validate_string(system_charset_info, db, db_len, + &valid_len, &len_error); + + DBUG_PRINT("debug",("is_invalid_db_name= %s, valid_len=%zu, len_error=%s", + is_invalid_db_name ? "true" : "false", + valid_len, + len_error ? "true" : "false")); + + if (is_invalid_db_name || len_error) + { + rli->report(ERROR_LEVEL, ER_SLAVE_FATAL_ERROR, + ER_THD(thd, ER_SLAVE_FATAL_ERROR), + "Invalid database name in Query event."); + thd->is_slave_error= true; + goto end; + } + new_db.length= db_len; new_db.str= (char *) rpl_filter->get_rewrite_db(db, &new_db.length); thd->set_db(new_db.str, new_db.length); /* allocates a copy of 'db' */ @@ -3454,7 +3493,23 @@ int Query_log_event::do_apply_event(Relay_log_info const *rli, } else thd->variables.collation_database= thd->db_charset; - + + { + const CHARSET_INFO *cs= thd->charset(); + /* + We cannot ask for parsing a statement using a character set + without state_maps (parser internal data). + */ + if (!cs->state_map) + { + rli->report(ERROR_LEVEL, ER_SLAVE_FATAL_ERROR, + ER_THD(thd, ER_SLAVE_FATAL_ERROR), + "character_set cannot be parsed"); + thd->is_slave_error= true; + goto end; + } + } + thd->table_map_for_update= (table_map)table_map_for_update; thd->set_invoker(&user, &host); /* @@ -3898,7 +3953,13 @@ int Start_log_event_v3::do_apply_event(Relay_log_info const *rli) */ break; default: - /* this case is impossible */ + /* + This case is not expected. It can be either an event corruption or an + unsupported binary log version. + */ + rli->report(ERROR_LEVEL, ER_SLAVE_FATAL_ERROR, + ER_THD(thd, ER_SLAVE_FATAL_ERROR), + "Binlog version not supported"); DBUG_RETURN(1); } DBUG_RETURN(error); @@ -4724,6 +4785,9 @@ int Load_log_event::copy_log_event(const char *buf, ulong event_len, fields = (char*)field_lens + num_fields; table_name = fields + field_block_len; + if (strlen(table_name) > NAME_LEN) + goto err; + db = table_name + table_name_len + 1; DBUG_EXECUTE_IF ("simulate_invalid_address", db_len = data_len;); @@ -5889,6 +5953,13 @@ User_var_log_event(const char* buf, uint event_len, buf+= description_event->common_header_len + description_event->post_header_len[USER_VAR_EVENT-1]; name_len= uint4korr(buf); + /* Avoid reading out of buffer */ + if ((buf - buf_start) + UV_NAME_LEN_SIZE + name_len > event_len) + { + error= true; + goto err; + } + name= (char *) buf + UV_NAME_LEN_SIZE; /* @@ -5948,8 +6019,11 @@ User_var_log_event(const char* buf, uint event_len, we keep the flags set to UNDEF_F. */ uint bytes_read= ((val + val_len) - start); - DBUG_ASSERT(bytes_read==data_written || - bytes_read==(data_written-1)); + if (bytes_read > event_len) + { + error= true; + goto err; + } if ((data_written - bytes_read) > 0) { flags= (uint) *(buf + UV_VAL_IS_NULL + UV_VAL_TYPE_SIZE + @@ -6165,7 +6239,12 @@ int User_var_log_event::do_apply_event(Relay_log_info const *rli) } if (!(charset= get_charset(charset_number, MYF(MY_WME)))) + { + rli->report(ERROR_LEVEL, ER_SLAVE_FATAL_ERROR, + ER_THD(thd, ER_SLAVE_FATAL_ERROR), + "Invalid character set for User var event"); return 1; + } LEX_STRING user_var_name; user_var_name.str= name; user_var_name.length= name_len; @@ -6186,12 +6265,26 @@ int User_var_log_event::do_apply_event(Relay_log_info const *rli) { switch (type) { case REAL_RESULT: + if (val_len != 8) + { + rli->report(ERROR_LEVEL, ER_SLAVE_FATAL_ERROR, + ER_THD(thd, ER_SLAVE_FATAL_ERROR), + "Invalid variable length at User var event"); + return 1; + } float8get(real_val, val); it= new Item_float(real_val, 0); val= (char*) &real_val; // Pointer to value in native format val_len= 8; break; case INT_RESULT: + if (val_len != 8) + { + rli->report(ERROR_LEVEL, ER_SLAVE_FATAL_ERROR, + ER_THD(thd, ER_SLAVE_FATAL_ERROR), + "Invalid variable length at User var event"); + return 1; + } int_val= (longlong) uint8korr(val); it= new Item_int(int_val); val= (char*) &int_val; // Pointer to value in native format @@ -6199,6 +6292,13 @@ int User_var_log_event::do_apply_event(Relay_log_info const *rli) break; case DECIMAL_RESULT: { + if (val_len < 3) + { + rli->report(ERROR_LEVEL, ER_SLAVE_FATAL_ERROR, + ER_THD(thd, ER_SLAVE_FATAL_ERROR), + "Invalid variable length at User var event"); + return 1; + } Item_decimal *dec= new Item_decimal((uchar*) val+2, val[0], val[1]); it= dec; val= (char *)dec->val_decimal(NULL); @@ -7646,6 +7746,15 @@ Rows_log_event::Rows_log_event(const char *buf, uint event_len, DBUG_PRINT("debug", ("Reading from %p", ptr_after_width)); m_width = net_field_length(&ptr_after_width); DBUG_PRINT("debug", ("m_width=%lu", m_width)); + /* Avoid reading out of buffer */ + if (static_cast((ptr_after_width + + (m_width + 7) / 8) - + (uchar*)buf) > event_len) + { + m_cols.bitmap= NULL; + DBUG_VOID_RETURN; + } + /* if bitmap_init fails, catched in is_valid() */ if (likely(!bitmap_init(&m_cols, m_width <= sizeof(m_bitbuf)*8 ? m_bitbuf : NULL, @@ -7694,7 +7803,12 @@ Rows_log_event::Rows_log_event(const char *buf, uint event_len, const uchar* const ptr_rows_data= (const uchar*) ptr_after_width; - size_t const data_size= event_len - (ptr_rows_data - (const uchar *) buf); + size_t const read_size= ptr_rows_data - (const unsigned char *) buf; + if (read_size > event_len) + { + DBUG_VOID_RETURN; + } + size_t const data_size= event_len - read_size; DBUG_PRINT("info",("m_table_id: %lu m_flags: %d m_width: %lu data_size: %lu", m_table_id, m_flags, m_width, (ulong) data_size)); diff --git a/sql/log_event_old.cc b/sql/log_event_old.cc index eb9678ddaa5..6be4e086925 100644 --- a/sql/log_event_old.cc +++ b/sql/log_event_old.cc @@ -1,4 +1,4 @@ -/* Copyright (c) 2007, 2016, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2007, 2018, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1357,6 +1357,15 @@ Old_rows_log_event::Old_rows_log_event(const char *buf, uint event_len, DBUG_PRINT("debug", ("Reading from %p", ptr_after_width)); m_width = net_field_length(&ptr_after_width); DBUG_PRINT("debug", ("m_width=%lu", m_width)); + /* Avoid reading out of buffer */ + if (static_cast(m_width + + (ptr_after_width - + (const uchar *)buf)) > event_len) + { + m_cols.bitmap= NULL; + DBUG_VOID_RETURN; + } + /* if bitmap_init fails, catched in is_valid() */ if (likely(!bitmap_init(&m_cols, m_width <= sizeof(m_bitbuf)*8 ? m_bitbuf : NULL, diff --git a/sql/sql_priv.h b/sql/sql_priv.h index 523220b3c03..b12d22e3fc7 100644 --- a/sql/sql_priv.h +++ b/sql/sql_priv.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -191,6 +191,11 @@ template T available_buffer(const char* buf_start, const char* buf_current, T buf_len) { + /* Sanity check */ + if (buf_current < buf_start || + buf_len < static_cast(buf_current - buf_start)) + return static_cast(0); + return buf_len - (buf_current - buf_start); } From e585decb459740ec53b1ac1b85f332f7bd3c8ccf Mon Sep 17 00:00:00 2001 From: Pavan Naik Date: Mon, 5 Feb 2018 19:30:37 +0530 Subject: [PATCH 10/14] BUG#27448061: MYSQLD--DEFAULTS-FILE TEST FAILS FOR NDB RELEASES PREVIOUS TO MYSQL 8.0 Description : ------------- The mysqld--defaults-file test fails when the test suite is run from a non-canonical path, which happens when the current working directory when mysql-test-run.pl is started contains a symbolic link. The problem is that this test case uses --replace-result with $MYSQL_TEST_DIR. This variable is a potentially non-canonical path based on the current working directory when mtr is started. However, the path in the expected error message from mysqld contains a canonical path. This means it does not contain $MYSQL_TEST_DIR if mtr's working directory is not the canonical path of the working directory. Because other tests produce output that may contain non-canonical paths, making $MYSQL_TEST_DIR always canonical is not a fix. Fix : ----- Introduced a new environment variable '$ABS_MYSQL_TEST_DIR' which will contin the canonical path to the test directory and replaced $MYSQL_TEST_DIR with the new variable in main.mysqld--defaults-file test file. This is a back-port of BUG#24579973. Change-Id: I3b8df6f2d7ce2b04e188a896d76250cc1addbbc1 --- mysql-test/mysql-test-run.pl | 3 ++- mysql-test/t/mysqld--defaults-file.test | 10 ++++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl index 2ca5c83e3f4..99d3203fb51 100755 --- a/mysql-test/mysql-test-run.pl +++ b/mysql-test/mysql-test-run.pl @@ -1,7 +1,7 @@ #!/usr/bin/perl # -*- cperl -*- -# Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2004, 2018, Oracle and/or its affiliates. All rights reserved. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -2344,6 +2344,7 @@ sub environment_setup { $ENV{'DEFAULT_MASTER_PORT'}= $mysqld_variables{'port'}; $ENV{'MYSQL_TMP_DIR'}= $opt_tmpdir; $ENV{'MYSQLTEST_VARDIR'}= $opt_vardir; + $ENV{'MYSQL_TEST_DIR_ABS'}= getcwd(); $ENV{'MYSQL_BINDIR'}= "$bindir"; $ENV{'MYSQL_SHAREDIR'}= $path_language; $ENV{'MYSQL_CHARSETSDIR'}= $path_charsetsdir; diff --git a/mysql-test/t/mysqld--defaults-file.test b/mysql-test/t/mysqld--defaults-file.test index 3bfe0aa891f..e2d5b40adbc 100644 --- a/mysql-test/t/mysqld--defaults-file.test +++ b/mysql-test/t/mysqld--defaults-file.test @@ -13,19 +13,21 @@ exec $MYSQLD --defaults-file=/path/with/no/extension --print-defaults 2>&1; --error 1 exec $MYSQLD --defaults-file=/path/with.ext --print-defaults 2>&1; ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR +# Using $MYSQL_TEST_DIR_ABS which contains canonical path to the +# test directory since --print-default prints the absolute path. +--replace_result $MYSQL_TEST_DIR_ABS MYSQL_TEST_DIR --error 1 exec $MYSQLD --defaults-file=relative/path/with.ext --print-defaults 2>&1; ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR +--replace_result $MYSQL_TEST_DIR_ABS MYSQL_TEST_DIR --error 1 exec $MYSQLD --defaults-file=relative/path/without/extension --print-defaults 2>&1; ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR +--replace_result $MYSQL_TEST_DIR_ABS MYSQL_TEST_DIR --error 1 exec $MYSQLD --defaults-file=with.ext --print-defaults 2>&1; ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR +--replace_result $MYSQL_TEST_DIR_ABS MYSQL_TEST_DIR --error 1 exec $MYSQLD --defaults-file=no_extension --print-defaults 2>&1; From e4784703ee44d0a0a497a1a411dea20987d501ad Mon Sep 17 00:00:00 2001 From: Arun Kuruvila Date: Mon, 12 Feb 2018 15:19:43 +0530 Subject: [PATCH 11/14] Bug#25471090: MYSQL USE AFTER FREE Description:- Mysql client crashes when trying to connect to a fake server which is sending incorrect packets. Analysis:- Mysql client crashes when it tries to read server version details. Fix:- A check is added in "red_one_row()". --- include/mysql_com.h | 3 ++- sql-common/client.c | 16 +++++++++------- sql-common/pack.c | 37 +++++++++++++++++++++++++++++++++++-- 3 files changed, 46 insertions(+), 10 deletions(-) diff --git a/include/mysql_com.h b/include/mysql_com.h index 5cd40915743..52e8a367e3d 100644 --- a/include/mysql_com.h +++ b/include/mysql_com.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -561,6 +561,7 @@ void my_thread_end(void); #ifdef _global_h ulong STDCALL net_field_length(uchar **packet); +ulong STDCALL net_field_length_checked(uchar **packet, ulong max_length); my_ulonglong net_field_length_ll(uchar **packet); uchar *net_store_length(uchar *pkg, ulonglong length); #endif diff --git a/sql-common/client.c b/sql-common/client.c index 759d95117cb..9972ca741f2 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1723,18 +1723,20 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths) end_pos=pos+pkt_len; for (field=0 ; field < fields ; field++) { - if ((len=(ulong) net_field_length(&pos)) == NULL_LENGTH) + len=(ulong) net_field_length_checked(&pos, (ulong)(end_pos - pos)); + if (pos > end_pos) + { + set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate); + return -1; + } + + if (len == NULL_LENGTH) { /* null field */ row[field] = 0; *lengths++=0; } else { - if (len > (ulong) (end_pos - pos)) - { - set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate); - return -1; - } row[field] = (char*) pos; pos+=len; *lengths++=len; diff --git a/sql-common/pack.c b/sql-common/pack.c index 02e91b5c3e3..57ff55689a2 100644 --- a/sql-common/pack.c +++ b/sql-common/pack.c @@ -1,5 +1,4 @@ -/* Copyright (c) 2000-2003, 2007 MySQL AB - Use is subject to license terms +/* Copyright (c) 2000, 2018 Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -46,6 +45,40 @@ ulong STDCALL net_field_length(uchar **packet) return (ulong) uint4korr(pos+1); } +/* The same as above but with max length check */ +ulong STDCALL net_field_length_checked(uchar **packet, ulong max_length) +{ + ulong len; + uchar *pos= (uchar *)*packet; + + if (*pos < 251) + { + (*packet)++; + len= (ulong) *pos; + return (len > max_length) ? max_length : len; + } + if (*pos == 251) + { + (*packet)++; + return NULL_LENGTH; + } + if (*pos == 252) + { + (*packet)+=3; + len= (ulong) uint2korr(pos+1); + return (len > max_length) ? max_length : len; + } + if (*pos == 253) + { + (*packet)+=4; + len= (ulong) uint3korr(pos+1); + return (len > max_length) ? max_length : len; + } + (*packet)+=9; /* Must be 254 when here */ + len= (ulong) uint4korr(pos+1); + return (len > max_length) ? max_length : len; +} + /* The same as above but returns longlong */ my_ulonglong net_field_length_ll(uchar **packet) { From ddaf0f14704be3fd3d6960f7a3e2fdd0125e2dfd Mon Sep 17 00:00:00 2001 From: Karthik Kamath Date: Wed, 14 Feb 2018 09:35:18 +0530 Subject: [PATCH 12/14] --- storage/innobase/handler/ha_innodb.cc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc index 1c6763ef93a..0591987f4ae 100644 --- a/storage/innobase/handler/ha_innodb.cc +++ b/storage/innobase/handler/ha_innodb.cc @@ -1,6 +1,6 @@ /***************************************************************************** -Copyright (c) 2000, 2015, Oracle and/or its affiliates. All Rights Reserved. +Copyright (c) 2000, 2018, Oracle and/or its affiliates. All Rights Reserved. Copyright (c) 2008, 2009 Google Inc. Copyright (c) 2009, Percona Inc. @@ -9225,8 +9225,10 @@ ha_innobase::start_stmt( case SQLCOM_INSERT: case SQLCOM_UPDATE: case SQLCOM_DELETE: + case SQLCOM_REPLACE: init_table_handle_for_HANDLER(); prebuilt->select_lock_type = LOCK_X; + prebuilt->stored_select_lock_type = LOCK_X; error = row_lock_table_for_mysql(prebuilt, NULL, 1); if (error != DB_SUCCESS) { From 873f8c25b6de24d267cbdedc70de40dc4b5b83aa Mon Sep 17 00:00:00 2001 From: Lars Tangvald Date: Tue, 13 Feb 2018 13:58:43 +0100 Subject: [PATCH 13/14] Bug#27538614 DROP EXTRA CHANGELOG FILE FROM DEB/RPM PACKAGES Change the file to refer to published git repository directly --- Docs/ChangeLog | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 Docs/ChangeLog diff --git a/Docs/ChangeLog b/Docs/ChangeLog new file mode 100644 index 00000000000..05c9065c3b9 --- /dev/null +++ b/Docs/ChangeLog @@ -0,0 +1,2 @@ +You can find a detailed list of changes at + to https://github.com/mysql/mysql-server/commits/5.5 From c0b4d74b52e7eec9b13af732193f7f8d7abe05de Mon Sep 17 00:00:00 2001 From: Nisha Gopalakrishnan Date: Mon, 26 Feb 2018 14:37:39 +0530 Subject: [PATCH 14/14] BUG#27216817: INNODB: FAILING ASSERTION: PREBUILT->TABLE->N_MYSQL_HANDLES_OPENED == 1 ANALYSIS: ========= Adding unique index to a InnoDB table which is locked as mutliple instances may trigger an InnoDB assert. When we add a primary key or an unique index, we need to drop the original table and rebuild all indexes. InnoDB expects that only the instance of the table that is being rebuilt, is open during the process. In the current scenario we have opened multiple instances of the table. This triggers an assert during table rebuild. 'Locked_tables_list' encapsulates a list of all instances of tables locked by LOCK TABLES statement. FIX: === We are now temporarily closing all the instances of the table except the one which is being altered and later reopen them via Locked_tables_list::reopen_tables(). --- sql/sql_admin.cc | 4 ++-- sql/sql_base.cc | 18 +++++++++++++----- sql/sql_base.h | 5 +++-- sql/sql_partition.cc | 6 +++--- sql/sql_table.cc | 22 ++++++++++++++++++---- sql/sql_trigger.cc | 4 ++-- sql/sql_truncate.cc | 4 ++-- 7 files changed, 43 insertions(+), 20 deletions(-) diff --git a/sql/sql_admin.cc b/sql/sql_admin.cc index efdb67d01c4..bfe4edb67c4 100644 --- a/sql/sql_admin.cc +++ b/sql/sql_admin.cc @@ -1,4 +1,4 @@ -/* Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights +/* Copyright (c) 2010, 2018, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify @@ -168,7 +168,7 @@ static int prepare_for_repair(THD *thd, TABLE_LIST *table_list, */ if (wait_while_table_is_used(thd, table, HA_EXTRA_FORCE_REOPEN)) goto end; - close_all_tables_for_name(thd, table_list->table->s, FALSE); + close_all_tables_for_name(thd, table_list->table->s, FALSE, NULL); table_list->table= 0; } /* diff --git a/sql/sql_base.cc b/sql/sql_base.cc index 27dcbee7b8f..e9ce652cdb1 100644 --- a/sql/sql_base.cc +++ b/sql/sql_base.cc @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1096,7 +1096,7 @@ bool close_cached_tables(THD *thd, TABLE_LIST *tables, result= TRUE; goto err_with_reopen; } - close_all_tables_for_name(thd, table->s, FALSE); + close_all_tables_for_name(thd, table->s, FALSE, NULL); } } @@ -1367,13 +1367,16 @@ static void close_open_tables(THD *thd) In that case the documented behaviour is to implicitly remove the table from LOCK TABLES list. + @param[in] skip_table + TABLE instance that should be kept open. @pre Must be called with an X MDL lock on the table. */ void close_all_tables_for_name(THD *thd, TABLE_SHARE *share, - bool remove_from_locked_tables) + bool remove_from_locked_tables, + TABLE *skip_table) { char key[MAX_DBKEY_LENGTH]; uint key_length= share->table_cache_key.length; @@ -1388,7 +1391,8 @@ close_all_tables_for_name(THD *thd, TABLE_SHARE *share, TABLE *table= *prev; if (table->s->table_cache_key.length == key_length && - !memcmp(table->s->table_cache_key.str, key, key_length)) + !memcmp(table->s->table_cache_key.str, key, key_length) && + table != skip_table) { thd->locked_tables_list.unlink_from_list(thd, table->pos_in_locked_tables, @@ -1401,7 +1405,8 @@ close_all_tables_for_name(THD *thd, TABLE_SHARE *share, mysql_lock_remove(thd, thd->lock, table); /* Inform handler that table will be dropped after close */ - if (table->db_stat) /* Not true for partitioned tables. */ + if (table->db_stat && /* Not true for partitioned tables. */ + skip_table == NULL) table->file->extra(HA_EXTRA_PREPARE_FOR_DROP); close_thread_table(thd, prev); } @@ -1411,9 +1416,12 @@ close_all_tables_for_name(THD *thd, TABLE_SHARE *share, prev= &table->next; } } + + if (skip_table == NULL) { /* Remove the table share from the cache. */ tdc_remove_table(thd, TDC_RT_REMOVE_ALL, db, table_name, FALSE); + } } diff --git a/sql/sql_base.h b/sql/sql_base.h index b118c93ac28..28568acc081 100644 --- a/sql/sql_base.h +++ b/sql/sql_base.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2010, 2018, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -306,7 +306,8 @@ bool close_cached_tables(THD *thd, TABLE_LIST *tables, bool wait_for_refresh, ulong timeout); bool close_cached_connection_tables(THD *thd, LEX_STRING *connect_string); void close_all_tables_for_name(THD *thd, TABLE_SHARE *share, - bool remove_from_locked_tables); + bool remove_from_locked_tables, + TABLE *skip_table); OPEN_TABLE_LIST *list_open_tables(THD *thd, const char *db, const char *wild); void tdc_remove_table(THD *thd, enum_tdc_remove_table_type remove_type, const char *db, const char *table_name, diff --git a/sql/sql_partition.cc b/sql/sql_partition.cc index 65d4da0f2f6..bd76a92dc68 100644 --- a/sql/sql_partition.cc +++ b/sql/sql_partition.cc @@ -1,4 +1,4 @@ -/* Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -6512,7 +6512,7 @@ static void alter_partition_lock_handling(ALTER_PARTITION_PARAM_TYPE *lpt) THD *thd= lpt->thd; if (lpt->old_table) - close_all_tables_for_name(thd, lpt->old_table->s, FALSE); + close_all_tables_for_name(thd, lpt->old_table->s, FALSE, NULL); if (lpt->table) { /* @@ -6549,7 +6549,7 @@ static int alter_close_tables(ALTER_PARTITION_PARAM_TYPE *lpt, bool close_old) } if (close_old && lpt->old_table) { - close_all_tables_for_name(lpt->thd, lpt->old_table->s, FALSE); + close_all_tables_for_name(lpt->thd, lpt->old_table->s, FALSE, NULL); lpt->old_table= 0; } DBUG_RETURN(0); diff --git a/sql/sql_table.cc b/sql/sql_table.cc index 58bcf5ca1d4..6d02140cfcb 100644 --- a/sql/sql_table.cc +++ b/sql/sql_table.cc @@ -1,5 +1,5 @@ /* - Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -2165,7 +2165,7 @@ int mysql_rm_table_no_locks(THD *thd, TABLE_LIST *tables, bool if_exists, error= -1; goto err; } - close_all_tables_for_name(thd, table->table->s, TRUE); + close_all_tables_for_name(thd, table->table->s, TRUE, NULL); table->table= 0; } @@ -6168,7 +6168,7 @@ bool mysql_alter_table(THD *thd,char *new_db, char *new_name, */ if (wait_while_table_is_used(thd, table, HA_EXTRA_FORCE_REOPEN)) goto err; - close_all_tables_for_name(thd, table->s, TRUE); + close_all_tables_for_name(thd, table->s, TRUE, NULL); /* Then, we want check once again that target table does not exist. Actually the order of these two steps does not matter since @@ -6305,6 +6305,7 @@ bool mysql_alter_table(THD *thd,char *new_db, char *new_name, changes only" means also that the handler for the table does not change. The table is open and locked. The handler can be accessed. */ + if (need_copy_table == ALTER_TABLE_INDEX_CHANGED) { int pk_changed= 0; @@ -6606,6 +6607,19 @@ bool mysql_alter_table(THD *thd,char *new_db, char *new_name, thd->count_cuted_fields= CHECK_FIELD_WARN; // calc cuted fields thd->cuted_fields=0L; copied=deleted=0; + + if (thd->locked_tables_mode == LTM_LOCK_TABLES || + thd->locked_tables_mode == LTM_PRELOCKED_UNDER_LOCK_TABLES) + { + /* + Temporarily close the TABLE instances belonging to this + thread except the one to be used for ALTER TABLE. + + This is mostly needed to satisfy InnoDB assumptions/asserts. + */ + close_all_tables_for_name(thd, table->s, false, table); + } + /* We do not copy data for MERGE tables. Only the children have data. MERGE tables have HA_NO_COPY_ON_ALTER set. @@ -6877,7 +6891,7 @@ bool mysql_alter_table(THD *thd,char *new_db, char *new_name, } close_all_tables_for_name(thd, table->s, - new_name != table_name || new_db != db); + new_name != table_name || new_db != db, NULL); error=0; table_list->table= table= 0; /* Safety */ diff --git a/sql/sql_trigger.cc b/sql/sql_trigger.cc index 0a4f549a052..fe1131c4164 100644 --- a/sql/sql_trigger.cc +++ b/sql/sql_trigger.cc @@ -1,5 +1,5 @@ /* - Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2004, 2018, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -568,7 +568,7 @@ bool mysql_create_or_drop_trigger(THD *thd, TABLE_LIST *tables, bool create) if (result) goto end; - close_all_tables_for_name(thd, table->s, FALSE); + close_all_tables_for_name(thd, table->s, FALSE, NULL); /* Reopen the table if we were under LOCK TABLES. Ignore the return value for now. It's better to diff --git a/sql/sql_truncate.cc b/sql/sql_truncate.cc index 4f250e6e7a0..d8a0205a495 100644 --- a/sql/sql_truncate.cc +++ b/sql/sql_truncate.cc @@ -1,4 +1,4 @@ -/* Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2010, 2018, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -394,7 +394,7 @@ bool Truncate_statement::lock_table(THD *thd, TABLE_LIST *table_ref, m_ticket_downgrade= table->mdl_ticket; /* Close if table is going to be recreated. */ if (*hton_can_recreate) - close_all_tables_for_name(thd, table->s, FALSE); + close_all_tables_for_name(thd, table->s, FALSE, NULL); } else {