On Wed, May 29, 2013 at 12:23:04PM -0700, Anand Avati wrote:
>
> We just uncovered this issue in our QE testing -
>
> On Wed, May 29, 2013 at 4:21 AM, Anand Avati <avati@xxxxxxxxxx> wrote:
> +static DIR *vfs_gluster_fdopendir(struct vfs_handle_struct *handle,
> + files_struct *fsp, const char *mask,
> + uint32 attributes)
> +{
> + return (DIR *) glfd_fd_get(fsp->fh->fd);
> +}
>
> When code takes this vfs_fdopendir() path (happened when testing
> fsstress, most of the times vfs_opendir() is called - not sure why),
> we are just passing a pointer of glfs_fd structure ...

The vfs_fdopendir() will get called when SMB2 is being used and a
directory listing is being done on an open SMB2 directory handle.

> +static int vfs_gluster_closedir(struct vfs_handle_struct *handle,
> DIR *dirp)
> +{
> + return glfs_closedir((void *)dirp);
> +}
>
> ... and Samba does a vfs_closedir() _and_ vfs_close(), essentially
> doing a double free on the glfs_fd structure.

Let me look into the mainline Samba code here. As I recall it should
set the fsp->fh->fd to -1 after doing the vfs_closedir() when the
file handle on the directory is closed. Thus the vfs_close should
see the fsp->fh->fd as already zero and just ignore it.

Jeremy.
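Review bot: in the vfs_gluster_fdopendir() hunk, the DIR * returned from `return (DIR *) glfd_fd_get(fsp->fh->fd);` is the very glfs_fd that fsp->fh->fd still maps to, so the object now has two owners (the DIR * and the fsp) with nothing in the hunk recording which one is responsible for releasing it. Suggest a comment above the function stating that the DIR * aliases fsp->fh->fd and must not be freed independently of it, so that the closedir/close pairing discussed in the thread is explicit rather than relying on the caller to remember it.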
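Review bot: in the vfs_gluster_closedir() hunk, `return glfs_closedir((void *)dirp);` releases the glfs_fd without a NULL check on dirp and without touching the fsp->fh->fd that, per the fdopendir hunk, still points at the same object, which is what lets a later vfs_close() release it a second time. Suggest guarding the call (`if (dirp == NULL) { errno = EBADF; return -1; }`), casting dirp to the glfs_fd pointer type instead of void * so the compiler checks it, and either invalidating the fd mapping here or stating in a comment that the caller is expected to set fsp->fh->fd to -1 afterwards, as the reply says mainline Samba does.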
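To make the closedir-then-close sequence from the thread concrete, here is an added C model of the handle lifecycle. It is not Samba or libgfapi code: fd_table and glfd_fd_get stand in for the patch's fd to glfs_fd mapping, files_struct.fh.fd for Samba's fsp->fh->fd, and glfd_release for glfs_closedir()/glfs_close(). It runs the open, fdopendir, closedir, close sequence once with the fd left stale and once with the fd reset to -1 after closedir, and counts how many second releases of the same handle each variant provokes; the second release is counted rather than performed so the program stays memory-safe.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not Samba or libgfapi code. All names below are
 * stand-ins for the objects discussed in the thread. */

#define MAX_FDS 8

typedef struct { int magic; } glfs_fd_t;   /* stand-in for libgfapi's glfs_fd */

static glfs_fd_t *fd_table[MAX_FDS];   /* constructed fd -> glfd table */
static int double_release_attempts;    /* would-be double frees observed */
static int live_handles;               /* handles currently allocated */

/* Stand-in for glfd_fd_get(): map a Samba-level fd to its glfs_fd. */
static glfs_fd_t *glfd_fd_get(int fd)
{
    if (fd < 0 || fd >= MAX_FDS)
        return NULL;
    return fd_table[fd];
}

/* Stand-in for glfs_closedir()/glfs_close(): release the handle once.
 * A stale fd (slot already empty) is counted as a double-free attempt
 * and refused instead of freeing again. */
static int glfd_release(int fd)
{
    glfs_fd_t *glfd = glfd_fd_get(fd);
    if (glfd == NULL) {
        double_release_attempts++;
        return -1;
    }
    fd_table[fd] = NULL;
    free(glfd);
    live_handles--;
    return 0;
}

/* Minimal model of Samba's files_struct and fsp->fh->fd. */
typedef struct { struct { int fd; } fh; } files_struct;

/* vfs_opendir(): allocate a glfs_fd, register it, record the fd in fsp. */
static int vfs_opendir_sim(files_struct *fsp)
{
    glfs_fd_t *glfd = calloc(1, sizeof(*glfd));
    if (glfd == NULL)
        return -1;
    glfd->magic = 0x474c4653;
    for (int fd = 0; fd < MAX_FDS; fd++) {
        if (fd_table[fd] == NULL) {
            fd_table[fd] = glfd;
            fsp->fh.fd = fd;
            live_handles++;
            return 0;
        }
    }
    free(glfd);
    return -1;
}

/* vfs_fdopendir() as in the quoted patch: the DIR * aliases fsp->fh->fd. */
static glfs_fd_t *vfs_fdopendir_sim(files_struct *fsp)
{
    return glfd_fd_get(fsp->fh.fd);
}

/* vfs_closedir(): release the handle and, if asked, invalidate the fd. */
static int vfs_closedir_sim(files_struct *fsp, int invalidate_fd)
{
    int rc = glfd_release(fsp->fh.fd);
    if (invalidate_fd)
        fsp->fh.fd = -1;   /* what the reply says mainline Samba does */
    return rc;
}

/* vfs_close(): an fd of -1 means closedir already released the handle. */
static int vfs_close_sim(files_struct *fsp)
{
    if (fsp->fh.fd == -1)
        return 0;
    int rc = glfd_release(fsp->fh.fd);
    fsp->fh.fd = -1;
    return rc;
}

/* Run open, fdopendir, closedir, close and return the number of double
 * releases the sequence provoked (0 is the safe outcome, -1 on setup error). */
static int run_scenario(int invalidate_after_closedir)
{
    files_struct fsp = { { -1 } };
    int before = double_release_attempts;
    if (vfs_opendir_sim(&fsp) != 0 || vfs_fdopendir_sim(&fsp) == NULL)
        return -1;
    vfs_closedir_sim(&fsp, invalidate_after_closedir);
    vfs_close_sim(&fsp);
    return double_release_attempts - before;
}

int main(void)
{
    printf("closedir leaving fd stale: %d double release(s)\n", run_scenario(0));
    printf("closedir then fd = -1:     %d double release(s)\n", run_scenario(1));
    printf("handles still allocated:   %d\n", live_handles);
    return 0;
}
```

The stale-fd run reports one refused second release, the invalidating run reports none, and both leave no handles allocated; in a real module the refused release would instead be a free of already-freed memory, which is why the fd reset after closedir matters.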