16043 – vfs_glusterfs: directory fd leak on close

Bug 16043 - vfs_glusterfs: directory fd leak on close

Summary: vfs_glusterfs: directory fd leak on close

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	VFS Modules (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 major (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2026-03-27 14:46 UTC by Thales
Modified:	2026-04-10 06:42 UTC (History)
CC List:	2 users (show)

See Also:	https://gitlab.com/samba-team/samba/-/merge_requests/4474

Attachments
patch from master for v4-24-test (5.52 KB, patch) 2026-04-10 06:42 UTC, Anoop C S	anoopcs: review? (gd)	Details
patch from master for v4-23-test (5.52 KB, patch) 2026-04-10 06:42 UTC, Anoop C S	anoopcs: review? (gd)	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thales 2026-03-27 14:46:31 UTC

vfs_glusterfs leaks the glfs_fd_t opened by vfs_gluster_openat() every
time a directory FSP is closed.  One libgfapi file descriptor and one
server-side fd_t in glusterfsd are leaked per directory open/close
cycle.  With persistent SMB2 connections the leak is unbounded and
drives monotonic RSS growth on the GlusterFS brick process.

vfs_glusterfs creates two independent glfs_fd_t handles per directory:
one via glfs_open() in vfs_gluster_openat(), stored in the FSP
extension, and another via glfs_opendir() in vfs_gluster_fdopendir(),
tracked by struct smb_Dir.  On close, smb_Dir_destructor() closes the
opendir handle and calls fsp_set_fd(fsp, -1).  fd_close() then sees
fsp_get_pathref_fd() == -1 and returns without calling SMB_VFS_CLOSE,
so vfs_gluster_close() never runs and the glfs_open() handle is
orphaned.

The default VFS does not have this problem because fdopendir(3) wraps
the existing kernel fd rather than opening a new handle.  libgfapi has
no equivalent — glfs_opendir() always creates an independent handle.

Unfortunately the statedumps i have are too big for bugzilla.

-> The proposed FIX (see MR 4474):

Register a destroy callback on the FSP extension so the glfs_fd_t is
closed during file_free() even when SMB_VFS_CLOSE is bypassed.


-> Conceptual reproducer:

1. Configure a Samba share backed by vfs_glusterfs.
2. Connect from a Windows or smbclient session using SMB2/SMB3.
3. Browse directories repeatedly (e.g. enumerate a directory tree).
4. On the GlusterFS brick, run statedump and check the fd_t pool count:
     gluster volume statedump <volname>
     grep "pool-name=fd_t" /var/run/gluster/<volname>.*.dump

-> Actual results

The fd_t pool active count grows monotonically and never decreases.
In production (32 persistent SMB2 connections, continuous directory
operations), statedumps showed growth from 1,993 to 80,350 active
fd_t instances over 6 days (~13,000 leaked fds per day per brick).

-> (versus) expect results:

The fd_t pool count should remain stable; directory fds should be
released when the directory is closed.

Comment 1 Samba QA Contact 2026-04-08 16:47:11 UTC

This bug was referenced in samba master:

e7c1c49e647adeaf2c6dda0d42f48305c0a5bc58

Comment 2 Anoop C S 2026-04-10 06:42:07 UTC

Created attachment 18940 [details]
patch from master for v4-24-test

Comment 3 Anoop C S 2026-04-10 06:42:44 UTC

Created attachment 18941 [details]
patch from master for v4-23-test