s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE().
author Jeremy Allison <jra@samba.org>
Sun, 27 Sep 2020 05:14:33 +0000 (22:14 -0700)
committer Ralph Boehme <slow@samba.org>
Wed, 30 Sep 2020 11:18:43 +0000 (11:18 +0000)
They may have been carefully set by the aio_del_req_from_fsp()
destructor so we must not overwrite here.

Found via some *amazing* debugging work from Ashok Ramakrishnan <aramakrishnan@nasuni.com>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14515

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Sep 30 11:18:43 UTC 2020 on sn-devel-184
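The hazard the commit message describes, as an added C example that is not Samba's code: a stand-in free routine whose destructor compacts the owner's request array, next to a TALLOC_FREE-style macro that assigns NULL to the slot after the destructor has already moved the next request into it. The structures, aio_del_req_from_fsp(), req_free(), add_req(), drain() and REQ_FREE_AND_NULL are hypothetical simplifications; the only real talloc behaviour relied on is that TALLOC_FREE(p) is talloc_free(p) followed by p = NULL, and that talloc_free(NULL) is a no-op returning -1.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, minimal stand-ins for smbd's files_struct and its list of
 * outstanding aio requests (not Samba's real definitions). */
#define MAX_AIO 8

struct files_struct;

struct aio_req {
	struct files_struct *fsp;
	int id;
};

struct files_struct {
	struct aio_req *aio_requests[MAX_AIO];
	unsigned int num_aio_requests;
};

/* Destructor, modelled on what the commit says aio_del_req_from_fsp() does:
 * unlink req from fsp->aio_requests[] by shifting later entries down, so
 * slot 0 is refilled with the next request as a side effect. */
static void aio_del_req_from_fsp(struct aio_req *req)
{
	struct files_struct *fsp = req->fsp;
	unsigned int i;
	for (i = 0; i < fsp->num_aio_requests; i++) {
		if (fsp->aio_requests[i] == req) {
			break;
		}
	}
	assert(i < fsp->num_aio_requests);
	memmove(&fsp->aio_requests[i], &fsp->aio_requests[i + 1],
		(fsp->num_aio_requests - i - 1) * sizeof(fsp->aio_requests[0]));
	fsp->num_aio_requests--;
	fsp->aio_requests[fsp->num_aio_requests] = NULL;
}

/* Stand-in for talloc_free(): run the destructor, then release the memory.
 * Like talloc_free(), freeing NULL is a no-op that returns -1. */
static int req_free(struct aio_req *req)
{
	if (req == NULL) {
		return -1;
	}
	aio_del_req_from_fsp(req);
	free(req);
	return 0;
}

/* Same shape as TALLOC_FREE(p): free, then assign NULL to the lvalue p.
 * The assignment runs after the destructor, so it clobbers whatever the
 * destructor just moved into that slot. */
#define REQ_FREE_AND_NULL(p) do { req_free(p); (p) = NULL; } while (0)

static void add_req(struct files_struct *fsp, int id)
{
	struct aio_req *req = calloc(1, sizeof(*req));
	assert(req != NULL && fsp->num_aio_requests < MAX_AIO);
	req->fsp = fsp;
	req->id = id;
	fsp->aio_requests[fsp->num_aio_requests++] = req;
}

/* Drain outstanding requests the way assert_no_pending_aio() does.
 * Returns the number of loop iterations taken, or -1 if the loop is stuck:
 * the bound stands in for the hang the real code exhibits once slot 0 is
 * NULL while num_aio_requests is still non-zero. */
static int drain(struct files_struct *fsp, bool use_null_macro)
{
	int iters = 0;
	while (fsp->num_aio_requests != 0) {
		if (++iters > 2 * MAX_AIO) {
			return -1;
		}
		if (use_null_macro) {
			REQ_FREE_AND_NULL(fsp->aio_requests[0]); /* buggy form */
		} else {
			req_free(fsp->aio_requests[0]);          /* fixed form */
		}
	}
	return iters;
}

/* Build an fsp with n pending requests, drain it, return drain()'s result. */
static int demo(unsigned int n, bool use_null_macro)
{
	struct files_struct fsp;
	unsigned int i;
	int result;
	memset(&fsp, 0, sizeof(fsp));
	for (i = 0; i < n; i++) {
		add_req(&fsp, (int)i + 1);
	}
	result = drain(&fsp, use_null_macro);
	/* In the buggy case the request that was moved into slot 0 is lost
	 * (as in the real bug); release whatever is still reachable. */
	for (i = 0; i < fsp.num_aio_requests; i++) {
		free(fsp.aio_requests[i]);
	}
	return result;
}

int main(void)
{
	printf("talloc_free() form: 3 requests drained in %d iterations\n",
	       demo(3, false));
	printf("TALLOC_FREE() form: %d (-1 means the loop got stuck)\n",
	       demo(3, true));
	return 0;
}
```

Note that demo(1, true) still returns 1: with a single pending request the destructor leaves the array empty, so the NULL assignment is harmless and the loop exits. The defect only surfaces with two or more outstanding requests, which is why it survives light testing and needed the debugging effort the commit message credits.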

source3/smbd/close.c

index 68154a61ab515b41235ca25bc352353be4461956..9974877edc254463681d5771f725c006ef03e1cc 100644
@@ -666,7 +666,19 @@ static void assert_no_pending_aio(struct files_struct *fsp,
                 * fsp->aio_requests[x], causing a crash.
                 */
                while (fsp->num_aio_requests != 0) {
-                       TALLOC_FREE(fsp->aio_requests[0]);
+                       /*
+                        * NB. We *MUST* use
+                        * talloc_free(fsp->aio_requests[0]),
+                        * and *NOT* TALLOC_FREE() here, as
+                        * TALLOC_FREE(fsp->aio_requests[0])
+                        * will overwrite any new contents of
+                        * fsp->aio_requests[0] that were
+                        * copied into it via the destructor
+                        * aio_del_req_from_fsp().
+                        *
+                        * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14515
+                        */
+                       talloc_free(fsp->aio_requests[0]);
                }
                return;
        }
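Review bot: the while loop terminates only if each talloc_free(fsp->aio_requests[0]) actually runs the aio_del_req_from_fsp() destructor that removes the entry and decrements fsp->num_aio_requests, yet the return value of talloc_free() is discarded; if a destructor ever refuses the free (talloc_free() returns -1 and leaves the request in place), the loop spins forever with no diagnostic. Consider checking the result, e.g. `SMB_ASSERT(talloc_free(fsp->aio_requests[0]) == 0);`, so a stuck drain fails loudly instead of hanging. Minor style point: the in-code comment restates TALLOC_FREE()'s semantics at length; a one-line "talloc_free(), not TALLOC_FREE(): the destructor refills slot 0" plus the bug URL would carry the same warning.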