s3: VFS: vfs_glusterfs. Protect vfs_gluster_pread_done() from accessing a freed req pointer.

If the fsp is forced closed by a SHUTDOWN_CLOSE whilst the
request is in flight (share forced closed by smbcontrol),
then we set state->req = NULL in the state destructor.

The existing state destructor prevents the state memory
from being freed, so when the thread completes and calls
vfs_gluster_pread_done(), just throw away the result if
state->req == NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14301

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

source3/modules/vfs_glusterfs.c

@@ -807,6 +807,15 @@ static void vfs_gluster_pread_do(void *private_data)
 
 static int vfs_gluster_pread_state_destructor(struct vfs_gluster_pread_state *state)
 {
+	/*
+	 * This destructor only gets called if the request is still
+	 * in flight, which is why we deny it by returning -1. We
+	 * also set the req pointer to NULL so the _done function
+	 * can detect the caller doesn't want the result anymore.
+	 *
+	 * Forcing the fsp closed by a SHUTDOWN_CLOSE can cause this.
+	 */
+	state->req = NULL;
 	return -1;
 }
 
@@ -821,6 +830,17 @@ static void vfs_gluster_pread_done(struct tevent_req *subreq)
 	TALLOC_FREE(subreq);
 	SMBPROFILE_BYTES_ASYNC_END(state->profile_bytes);
 	talloc_set_destructor(state, NULL);
+	if (req == NULL) {
+		/*
+		 * We were shutdown closed in flight. No one
+		 * wants the result, and state has been reparented
+		 * to the NULL context, so just free it so we
+		 * don't leak memory.
+		 */
+		DBG_NOTICE("gluster pread request abandoned in flight\n");
+		TALLOC_FREE(state);
+		return;
+	}
 	if (ret != 0) {
 		if (ret != EAGAIN) {
 			tevent_req_error(req, ret);