From 98f7b2cb09d73758e3f2af6d57b6e0a804387d3e Mon Sep 17 00:00:00 2001
From: Thirunarayanan Balathandayuthapani
Date: Fri, 14 May 2021 14:13:59 +0530
Subject: [PATCH] MDEV-25663 Double free of transaction during truncate operation InnoDB truncate table fails to load the fts stopword table into cache. In that case, InnoDB double frees the truncate creation transaction. InnoDB should free the transaction which was created inside ha_innobase::create.
---
 storage/innobase/handler/ha_innodb.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc
index b7c6fa98b1c..f19bde12714 100644
--- a/storage/innobase/handler/ha_innodb.cc
+++ b/storage/innobase/handler/ha_innodb.cc
@@ -13024,7 +13024,6 @@ create_table_info_t::create_table_update_dict()
 if (!innobase_fts_load_stopword(innobase_table, NULL, m_thd)) {
 dict_table_close(innobase_table, FALSE, FALSE);
 srv_active_wake_master_thread();
- trx_free_for_mysql(m_trx);
 DBUG_RETURN(-1);
 }
@@ -13169,6 +13168,12 @@ ha_innobase::create(
 error = info.create_table_update_dict();
+ /* In case of error, free the transaction only if
+ it is newly created transaction in ha_innobase::create() */
+ if (own_trx && error) {
+ trx_free_for_mysql(info.trx());
+ }
+
 /* Tell the InnoDB server that there might be work for utility threads: */
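Review bot: After the new `trx_free_for_mysql(info.trx())` in ha_innobase::create, `info` still holds the freed pointer and the function carries on past the end of this hunk, so whether anything later on the `own_trx` path frees or reads that transaction again cannot be checked from the lines shown. The rest of the function needs reading with that in mind, because a second release there would bring back the double free this patch removes. The fix depends on create_table_update_dict() never releasing m_trx, and that rule is worth stating at the free, e.g. `/* create_table_update_dict() never frees the trx: on failure release it here only when create() allocated it; a caller-supplied trx stays with the caller */`. The diffstat lists only ha_innodb.cc, so a regression test that runs TRUNCATE with a stopword table that fails to load would keep the ownership rule from drifting.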