From 8150fca1aaf9934fe602fe2c9fdb3892ca3379fc Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Sat, 26 Sep 2020 22:14:33 -0700
Subject: [PATCH] s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
They may have been carefully set by the aio_del_req_from_fsp() destructor so we must not overwrite here. Found via some *amazing* debugging work from Ashok Ramakrishnan .
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14515
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
Autobuild-User(master): Ralph Böhme
Autobuild-Date(master): Wed Sep 30 11:18:43 UTC 2020 on sn-devel-184
(cherry picked from commit fca8cb63762faff54cda243c1ed8217b36333131)
---
source3/smbd/close.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/source3/smbd/close.c b/source3/smbd/close.c
index 68154a61ab5..9974877edc2 100644
--- a/source3/smbd/close.c
+++ b/source3/smbd/close.c
@@ -666,7 +666,19 @@ static void assert_no_pending_aio(struct files_struct *fsp,
 * fsp->aio_requests[x], causing a crash.
 */
 while (fsp->num_aio_requests != 0) {
- TALLOC_FREE(fsp->aio_requests[0]);
+ /*
+ * NB. We *MUST* use
+ * talloc_free(fsp->aio_requests[0]),
+ * and *NOT* TALLOC_FREE() here, as
+ * TALLOC_FREE(fsp->aio_requests[0])
+ * will overwrite any new contents of
+ * fsp->aio_requests[0] that were
+ * copied into it via the destructor
+ * aio_del_req_from_fsp().
+ *
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14515
+ */
+ talloc_free(fsp->aio_requests[0]);
 }
 return;
 }
-- 
2.25.1
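Review bot: The return value of the new `talloc_free(fsp->aio_requests[0])` is discarded, yet the loop's only exit is fsp->num_aio_requests reaching zero, which (per the hunk's own comment) happens inside the destructor aio_del_req_from_fsp() that also rewrites aio_requests[0]. If talloc_free ever returns -1 because a destructor refused the free, num_aio_requests is left unchanged and this while loop spins forever on the close path instead of failing loudly. Capturing the result and asserting on it, `int ret = talloc_free(fsp->aio_requests[0]);` followed by `SMB_ASSERT(ret == 0);`, turns a silent hang into a diagnosable failure and documents the invariant the loop depends on. The body of assert_no_pending_aio begins before this hunk; only its tail is visible here.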