Fix bug where the call to ntfs_attr_{put,reinit}_search_ctx() would

free the extent inode attached to the search context but leave it
attached to the base inode, so this would lead to memory corruption
and worse problems. Thanks to Szakacsits Szabolcs for spotting this.
We now don't close extent inodes any more at all and just leave it
to the closing of the base inode to dispose of all the extent inodes.

(Logical change 1.42)

ChangeLog

@@ -154,6 +154,12 @@
 	  was fixed in the NTFS kernel driver over six months ago but the fix
 	  was never taken over to libntfs. (Szakacsits Szabolcs)
 	- Fix stupid bug in ntfs_ucsncmp(). Spotted by Leonard Norrgard.
+	- Fix bug where the call to ntfs_attr_{put,reinit}_search_ctx() would
+	  free the extent inode attached to the search context but leave it
+	  attached to the base inode, so this would lead to memory corruption
+	  and worse problems. Thanks to Szakacsits Szabolcs for spotting this.
+	  We now don't close extent inodes any more at all and just leave it
+	  to the closing of the base inode to dispose of all the extent inodes.
 
 12/03/2002 - 1.6.0 - More mkntfs options and cleanups.
 	Fix typo in usage information of mkntfs. Thanks to Richard Russon for

libntfs/attrib.c

@@ -1786,8 +1786,7 @@ static __inline__ void ntfs_attr_init_search_ctx(ntfs_attr_search_ctx *ctx,
  * ntfs_attr_reinit_search_ctx - reinitialize an attribute search context
  * @ctx:	attribute search context to reinitialize
  *
- * Reinitialize the attribute search context @ctx, unmapping an associated
- * extent mft record if present, and initialize the search context again.
+ * Reinitialize the attribute search context @ctx.
  *
  * This is used when a search for a new attribute is being started to reset
  * the search context to the beginning.
@@ -1802,8 +1801,6 @@ void ntfs_attr_reinit_search_ctx(ntfs_attr_search_ctx *ctx)
 				le16_to_cpu(ctx->mrec->attrs_offset));
 		return;
 	} /* Attribute list. */
-	if (ctx->ntfs_ino != ctx->base_ntfs_ino)
-		ntfs_inode_close(ctx->ntfs_ino);
 	ntfs_attr_init_search_ctx(ctx, ctx->base_ntfs_ino, ctx->base_mrec);
 	return;
 }
@@ -1839,13 +1836,10 @@ ntfs_attr_search_ctx *ntfs_attr_get_search_ctx(ntfs_inode *ni, MFT_RECORD *mrec)
  * ntfs_attr_put_search_ctx - release an attribute search context
  * @ctx:	attribute search context to free
  *
- * Release the attribute search context @ctx, unmapping an associated extent
- * mft record if present.
+ * Release the attribute search context @ctx.
  */
 void ntfs_attr_put_search_ctx(ntfs_attr_search_ctx *ctx)
 {
-	if (ctx->base_ntfs_ino && ctx->ntfs_ino != ctx->base_ntfs_ino)
-		ntfs_inode_close(ctx->ntfs_ino);
 	free(ctx);
 	return;
 }

libntfs/inode.c

@@ -235,6 +235,9 @@ int ntfs_inode_close(ntfs_inode *ni)
  * Finally attach the ntfs inode to its base inode @base_ni and return a
  * pointer to the ntfs_inode structure on success or NULL on error, with errno
  * set to the error code.
+ *
+ * Note, extent inodes are never closed directly. They are automatically
+ * disposed off by the closing of the base inode.
  */
 ntfs_inode *ntfs_extent_inode_open(ntfs_inode *base_ni, const MFT_REF mref)
 {