From 870b2e0a2b4a66c6b4b4f15792d72a7415190650 Mon Sep 17 00:00:00 2001
From: unknown <tsmith@quadxeon.mysql.com>
Date: Thu, 9 Nov 2006 05:03:35 +0100
Subject: [PATCH] This ChangeSet must be null-merged to 5.0.  Applied
 innodb-4.1-ss33

Fixes:
- Bug #24089: Race condition in fil_flush_file_spaces()


innobase/fil/fil0fil.c:
  Applied innodb-4.1-ss33

  Revision r33:
  innodb-4.1: Merge r1002 from innodb/trunk:

  fil_flush_file_spaces(): Copy the system->unflushed_spaces list to an
  array while holding the mutex.  This removes the crash-triggering
  race condition that was introduced when fixing Bug 15653.  (Bug #24089)
---
 innobase/fil/fil0fil.c | 48 +++++++++++++++++++++++++++++-------------
 1 file changed, 33 insertions(+), 15 deletions(-)

diff --git a/innobase/fil/fil0fil.c b/innobase/fil/fil0fil.c
index c696c940790..b576e4f5a70 100644
--- a/innobase/fil/fil0fil.c
+++ b/innobase/fil/fil0fil.c
@@ -4252,29 +4252,47 @@ fil_flush_file_spaces(
 {
 	fil_system_t*	system	= fil_system;
 	fil_space_t*	space;
+	ulint*		space_ids;
+	ulint		n_space_ids;
+	ulint		i;
 
 	mutex_enter(&(system->mutex));
 
-	space = UT_LIST_GET_FIRST(system->unflushed_spaces);
+	n_space_ids = UT_LIST_GET_LEN(system->unflushed_spaces);
+	if (n_space_ids == 0) {
+
+		mutex_exit(&system->mutex);
+		return;
+	}
+
+	/* Assemble a list of space ids to flush.  Previously, we
+	traversed system->unflushed_spaces and called UT_LIST_GET_NEXT()
+	on a space that was just removed from the list by fil_flush().
+	Thus, the space could be dropped and the memory overwritten. */
+	space_ids = mem_alloc(n_space_ids * sizeof *space_ids);
+
+	n_space_ids = 0;
+
+	for (space = UT_LIST_GET_FIRST(system->unflushed_spaces);
+	     space;
+	     space = UT_LIST_GET_NEXT(unflushed_spaces, space)) {
 
-	while (space) {
 		if (space->purpose == purpose && !space->is_being_deleted) {
 
-			space->n_pending_flushes++; /* prevent dropping of the
-						    space while we are
-						    flushing */
-			mutex_exit(&(system->mutex));
-
-			fil_flush(space->id);
-
-			mutex_enter(&(system->mutex));
-
-			space->n_pending_flushes--;
+			space_ids[n_space_ids++] = space->id;
 		}
-		space = UT_LIST_GET_NEXT(unflushed_spaces, space);
 	}
-	
-	mutex_exit(&(system->mutex));
+
+	mutex_exit(&system->mutex);
+
+	/* Flush the spaces.  It will not hurt to call fil_flush() on
+	a non-existing space id. */
+	for (i = 0; i < n_space_ids; i++) {
+
+		fil_flush(space_ids[i]);
+	}
+
+	mem_free(space_ids);
 }
 
 /**********************************************************************