s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE().

They may have been carefully set by the aio_del_req_from_fsp()
destructor so we must not overwrite here.

Found via some *amazing* debugging work from Ashok Ramakrishnan <aramakrishnan@nasuni.com>.

Previous code in 4.11.x (written by Ralph) had:

00a26ac9856d (Ralph Boehme      2018-03-21 20:41:44 +0100 1114)                 while (fsp->num_aio_requests != 0) {
00a26ac9856d (Ralph Boehme      2018-03-21 20:41:44 +0100 1115)                         /*
00a26ac9856d (Ralph Boehme      2018-03-21 20:41:44 +0100 1116)                          * The destructor of the req will remove itself from the
00a26ac9856d (Ralph Boehme      2018-03-21 20:41:44 +0100 1117)                          * fsp.  Don't use TALLOC_FREE here, this will overwrite
00a26ac9856d (Ralph Boehme      2018-03-21 20:41:44 +0100 1118)                          * what the destructor just wrote into aio_requests[0].
00a26ac9856d (Ralph Boehme      2018-03-21 20:41:44 +0100 1119)                          */
00a26ac9856d (Ralph Boehme      2018-03-21 20:41:44 +0100 1120)                         talloc_free(fsp->aio_requests[0]);
00a26ac9856d (Ralph Boehme      2018-03-21 20:41:44 +0100 1121)                 }

So I broke this in 4.12 and above, sorry.
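
The failure mode described in the commit message, modelled in plain C as an added example (not Samba's code and not the talloc library). `struct fsp`, `struct req`, `model_free()` and `drain()` are hypothetical stand-ins, and the destructor is assumed to refill the vacated slot with the last array entry.

```c
#include <stddef.h>
#include <stdio.h>

struct fsp;
struct req { struct fsp *fsp; int live; };
struct fsp { struct req *aio_requests[3]; unsigned num_aio_requests; };

/* Models talloc_free() on a request whose destructor unlinks it from the
 * fsp. Assumption: the destructor moves the last entry into the freed slot. */
static void model_free(struct req *r)
{
    struct fsp *f = r->fsp;
    for (unsigned i = 0; i < f->num_aio_requests; i++) {
        if (f->aio_requests[i] != r)
            continue;
        f->num_aio_requests--;
        f->aio_requests[i] = f->aio_requests[f->num_aio_requests];
        f->aio_requests[f->num_aio_requests] = NULL;
        break;
    }
    r->live = 0;
}

/* Drain loop. null_after_free != 0 models a free-and-NULL macro applied to
 * aio_requests[0]; 0 models a plain free. Returns the number freed. */
static unsigned drain(struct fsp *f, int null_after_free)
{
    unsigned freed = 0;
    while (f->num_aio_requests != 0) {
        if (f->aio_requests[0] == NULL)
            break; /* slot 0 was clobbered: the rest is unreachable */
        model_free(f->aio_requests[0]);
        freed++;
        if (null_after_free)
            f->aio_requests[0] = NULL; /* overwrites the destructor's write */
    }
    return freed;
}

/* Constructed input: one fsp with three pending requests.
 * Returns how many requests are still live after the drain. */
static unsigned stranded_after_drain(int null_after_free)
{
    struct req pool[3];
    struct fsp f = { { NULL }, 0 };
    for (unsigned i = 0; i < 3; i++) {
        pool[i].fsp = &f;
        pool[i].live = 1;
        f.aio_requests[f.num_aio_requests++] = &pool[i];
    }
    drain(&f, null_after_free);
    return (unsigned)(pool[0].live + pool[1].live + pool[2].live);
}

int main(void)
{
    printf("plain free: %u stranded\n", stranded_after_drain(0));
    printf("free-and-NULL: %u stranded\n", stranded_after_drain(1));
    return 0;
}
```

In the free-and-NULL case the pointer the destructor moved into slot 0 is lost while `num_aio_requests` stays non-zero, so the remaining requests are never freed.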
