From e38334c4572318705bfe17ab7a0015b8b3000be5 Mon Sep 17 00:00:00 2001
From: Johan Wikman <johan.wikman@mariadb.com>
Date: Wed, 25 Nov 2015 23:42:05 +0200
Subject: [PATCH] Fix locking issue in blr_close_binlog

In blr_open_binlog the refcnt increase of file which is already
open is protected by router->fileslock. In blr_close_binlog the
decrease of the refcnt was protected by file->lock.

This lead to a situation where it was possible that a file was
closed and the file instance freed, even though it just had been
taken into use by somebody else.

This is now fixed by solely using the router->fileslock for protecting
the increase and decrease of the refcnt.
---
 server/modules/routing/binlog/blr_file.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/server/modules/routing/binlog/blr_file.c b/server/modules/routing/binlog/blr_file.c
index e1132fa4f..6e4e268de 100644
--- a/server/modules/routing/binlog/blr_file.c
+++ b/server/modules/routing/binlog/blr_file.c
@@ -643,11 +643,10 @@ struct	stat	statb;
 void
 blr_close_binlog(ROUTER_INSTANCE *router, BLFILE *file)
 {
-	spinlock_acquire(&file->lock);
+	spinlock_acquire(&router->fileslock);
 	file->refcnt--;
 	if (file->refcnt == 0)
 	{
-		spinlock_acquire(&router->fileslock);
 		if (router->files == file)
 			router->files = file->next;
 		else
@@ -658,18 +657,18 @@ blr_close_binlog(ROUTER_INSTANCE *router, BLFILE *file)
 			if (ptr)
 				ptr->next = file->next;
 		}
-		spinlock_release(&router->fileslock);
+	}
+	else
+	{
+		file = NULL;
+	}
+	spinlock_release(&router->fileslock);
 
+	if (file)
+	{
 		close(file->fd);
 		file->fd = -1;
-	}
-
-	if (file->refcnt == 0) {
-		spinlock_release(&file->lock);
-
 		free(file);
-	} else {
-		spinlock_release(&file->lock);
 	}
 }