Bug #35591 FLUSH PRIVILEGES caused a crash
Submitted: 27 Mar 2008 8:51   Modified: 12 Mar 2010 17:50
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Security: Privileges   Severity: S3 (Non-critical)
Version: 5.1.23-debug   OS: Any
Assigned to: Magne Mæhre
Tags: flush privileges
Triage: Triaged: D1 (Critical) / R2 (Low) / E2 (Low)

[27 Mar 2008 8:51] Shane Bester
Description:
FLUSH PRIVILEGES caused the following crash today:

mysqld.exe!_myfree
mysqld.exe!delete_dynamic
mysqld.exe!hash_free
mysqld.exe!grant_reload_procs_priv
mysqld.exe!grant_reload
mysqld.exe!reload_acl_and_cache
mysqld.exe!mysql_execute_command
mysqld.exe!mysql_parse
mysqld.exe!dispatch_command
mysqld.exe!do_command
mysqld.exe!handle_one_connection
mysqld.exe!pthread_start
mysqld.exe!_callthreadstart
mysqld.exe!_threadstart

How to repeat:
Will attach testcase later.
[27 Mar 2008 13:58] Shane Bester
use the testcase from bug #35589

In this scenario, FLUSH PRIVILEGES and DROP/CREATE USER run concurrently, causing a race condition when accessing the list.
[2 Dec 2009 20:20] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/92545

2916 Magne Mahre	2009-12-02
      Bug#35589 SET PASSWORD caused a crash
      Bug#35591 FLUSH PRIVILEGES caused a crash
      
      A race condition on the privilege hash tables (proc_priv_hash
      and func_priv_hash) caused one thread to try to delete elements
      that had already been deleted by another thread.
      
      The bug was caused by reading and saving the pointers to 
      the hash tables outside mutex protection.  This led to an
      inconsistency where a thread copied a pointer to a hash,
      another thread did the same, the first thread then deleted
      the hash, and the second then crashed when it in turn tried to
      delete the deleted hash.
      
      The fix is to ensure that operations on the shared hash structures
      happen under mutex protection (moving the locking up a little).
[8 Dec 2009 12:20] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/93167

2921 Magne Mahre	2009-12-08
      Bug#35589 SET PASSWORD caused a crash
      Bug#35591 FLUSH PRIVILEGES caused a crash
      
      A race condition on the privilege hash tables (proc_priv_hash
      and func_priv_hash) caused one thread to try to delete elements
      that had already been deleted by another thread.
      
      The bug was caused by reading and saving the pointers to 
      the hash tables outside mutex protection.  This led to an
      inconsistency where a thread copied a pointer to a hash,
      another thread did the same, the first thread then deleted
      the hash, and the second then crashed when it in turn tried to
      delete the deleted hash.
      
      The fix is to ensure that operations on the shared hash structures
      happen under mutex protection (moving the locking up a little).
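The race described in the two commit messages above (a pointer to the shared privilege hash copied before the mutex is taken, then deleted by two threads) is modelled in the following added C example. It is not MySQL source code: priv_cache, priv_hash, racy_save_pointer, racy_swap_and_delete, locked_reload and the demo functions are invented names standing in for the server's proc_priv_hash globals and the reload path. The buggy shape replays the exact interleaving from the commit message step by step and counts the second delete instead of performing it (which in the real server was hash_free() on freed memory); the fixed shape moves the read of the pointer under the mutex, as the fix does, and is then stressed from four real threads.

```c
/* Added example, not MySQL source: models the proc_priv_hash race from
 * Bug#35589 / Bug#35591 and the "lock before reading the pointer" fix.
 * priv_cache, priv_hash and every function name below are invented. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_TABLES 2048             /* bookkeeping only, so destroy can free */

typedef struct priv_hash {
    int freed;                      /* set on delete; a second delete is counted */
    int generation;                 /* which reload built this table */
} priv_hash;

typedef struct priv_cache {
    pthread_mutex_t lock;
    priv_hash *proc_priv_hash;      /* shared pointer, like the server global */
    int delete_count;
    int double_delete_count;        /* detector for the bug */
    priv_hash *all[MAX_TABLES];     /* every table ever built, for cleanup */
    int all_len;
} priv_cache;

/* Build a new table; the caller holds c->lock except during init. */
static priv_hash *new_hash(priv_cache *c, int gen) {
    priv_hash *h = calloc(1, sizeof *h);
    if (!h || c->all_len >= MAX_TABLES) abort();
    h->generation = gen;
    c->all[c->all_len++] = h;
    return h;
}

/* Delete a table. Deleting it twice is recorded instead of executed, since
   the real server's hash_free() on already-freed memory is what crashed. */
static void delete_hash(priv_cache *c, priv_hash *h) {
    if (h->freed) { c->double_delete_count++; return; }
    h->freed = 1;
    c->delete_count++;
}

void priv_cache_init(priv_cache *c) {
    pthread_mutex_init(&c->lock, NULL);
    c->delete_count = c->double_delete_count = c->all_len = 0;
    c->proc_priv_hash = new_hash(c, 0);
}

void priv_cache_destroy(priv_cache *c) {
    for (int i = 0; i < c->all_len; i++) free(c->all[i]);
    pthread_mutex_destroy(&c->lock);
}

/* BUGGY shape (pre-fix): the pointer is copied before the mutex is taken,
   so two concurrent reloads can both save the same old table. */
void racy_save_pointer(priv_cache *c, priv_hash **saved) {
    *saved = c->proc_priv_hash;     /* read outside c->lock */
}
void racy_swap_and_delete(priv_cache *c, priv_hash *saved, int gen) {
    pthread_mutex_lock(&c->lock);
    c->proc_priv_hash = new_hash(c, gen);
    pthread_mutex_unlock(&c->lock);
    delete_hash(c, saved);          /* deletes whatever was copied earlier */
}

/* FIXED shape: read, swap and delete all under the mutex, so the second
   reload necessarily sees (and deletes) the table installed by the first. */
void locked_reload(priv_cache *c, int gen) {
    pthread_mutex_lock(&c->lock);
    priv_hash *old = c->proc_priv_hash;
    c->proc_priv_hash = new_hash(c, gen);
    delete_hash(c, old);
    pthread_mutex_unlock(&c->lock);
}

/* Replay the interleaving from the commit message with the buggy shape:
   A copies, B copies, A deletes, B deletes the already-deleted table.
   Returns the number of double deletes detected (1). */
int demo_racy_interleaving(void) {
    priv_cache c; priv_hash *a, *b;
    priv_cache_init(&c);
    racy_save_pointer(&c, &a);      /* thread A: FLUSH PRIVILEGES */
    racy_save_pointer(&c, &b);      /* thread B: SET PASSWORD reload */
    racy_swap_and_delete(&c, a, 1);
    racy_swap_and_delete(&c, b, 2); /* second delete of the same table */
    int n = c.double_delete_count;
    priv_cache_destroy(&c);
    return n;
}

/* Stress the fixed shape from four threads; returns 1 when no double delete
   occurred, each superseded table was deleted exactly once, and the
   currently installed table is still live. */
static void *reload_worker(void *arg) {
    for (int i = 1; i <= 250; i++) locked_reload(arg, i);
    return NULL;
}
int demo_locked_reloads(void) {
    priv_cache c; pthread_t t[4];
    priv_cache_init(&c);
    for (int i = 0; i < 4; i++) pthread_create(&t[i], NULL, reload_worker, &c);
    for (int i = 0; i < 4; i++) pthread_join(t[i], NULL);
    int ok = c.double_delete_count == 0 && c.delete_count == 1000
             && !c.proc_priv_hash->freed;
    priv_cache_destroy(&c);
    return ok;
}

int main(void) {
    printf("racy double deletes: %d\n", demo_racy_interleaving());
    printf("locked reloads ok:   %d\n", demo_locked_reloads());
    return 0;
}
```

The point to take from the two shapes is that the unlocked read in racy_save_pointer is the whole defect: the swap itself is already under the mutex, but a pointer captured before the lock can refer to a table another thread has meanwhile replaced and freed. Holding the lock across read, swap and delete, as locked_reload does, makes the stale copy impossible rather than merely unlikely.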
[11 Dec 2009 6:01] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091211055901-yp18b3c7xuhl87rf) (version source revid:alik@sun.com-20091211055401-43rjwq7gjed6ds83) (merge vers: 6.0.14-alpha) (pib:13)
[11 Dec 2009 6:04] Bugs System
Pushed into 5.6.0-beta (revid:alik@sun.com-20091211055628-ltr7fero363uev7r) (version source revid:alik@sun.com-20091211055453-717czhtezc74u8db) (merge vers: 5.6.0-beta) (pib:13)
[15 Dec 2009 17:25] Paul Dubois
Noted in 5.6.0, 6.0.14 changelogs.

A race condition on the privilege hash tables allowed one thread to
try to delete elements that had already been deleted by another
thread. A consequence was that SET PASSWORD or FLUSH PRIVILEGES could
cause a crash.
[17 Dec 2009 22:23] Omer Barnir
triage: Correcting to SR51MRU tag (from CHECKED) and adding SR54RC, SRMRTBD
[18 Dec 2009 11:26] Magne Mæhre
Backported to 5.1-bugteam   (next-mr revid: 2921)
[15 Jan 2010 9:00] Bugs System
Pushed into 5.1.43 (revid:joro@sun.com-20100115085139-qkh0i0fpohd9u9p5) (version source revid:magne.mahre@sun.com-20091218104834-cr0eno87brui12qy) (merge vers: 5.1.42) (pib:16)
[15 Jan 2010 18:17] Paul Dubois
Noted in 5.1.43 changelog.
[5 Feb 2010 11:48] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100204063540-9czpdmpixi3iw2yb) (version source revid:alik@sun.com-20091224075613-es9uswo4lidkm3tj) (pib:16)
[5 Feb 2010 11:54] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100205113942-oqovjy0eoqbarn7i) (version source revid:alik@sun.com-20100204064210-ljwanqvrjs83s1gq) (merge vers: 6.0.14-alpha) (pib:16)
[5 Feb 2010 12:00] Bugs System
Pushed into 5.5.2-m2 (revid:alik@sun.com-20100203172258-1n5dsotny40yufxw) (version source revid:alexey.kopytov@sun.com-20091223134205-pk9yvgfvpn3hy7lh) (merge vers: 5.5.1-m2) (pib:16)
[5 Feb 2010 16:50] Paul Dubois
Noted in 5.5.2 changelog. Already fixed in 6.0.x. Removed 5.6.0 entry, that has become Celosia.

Setting report to Need Merge pending push into Celosia.
[6 Mar 2010 10:57] Bugs System
Pushed into 5.5.3-m3 (revid:alik@sun.com-20100306103849-hha31z2enhh7jwt3) (version source revid:vvaintroub@mysql.com-20091211201717-03qf8ckwiw0np80p) (merge vers: 5.6.0-beta) (pib:16)
[7 Mar 2010 18:50] Paul Dubois
Already fixed in earlier 5.5.x release.
[12 Mar 2010 14:12] Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:28] Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:43] Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)