src/hash_index: fix hash_index fd ownership handling

When calling r_hash_index_open(), the ownership of the file descriptor
provided should be handed over to the hash index and will be later
closed in r_hash_index_free().

Thus, the file descriptor provided must not be closed by the calling
code anymore. In other code, this is done by setting

  data_fd = -1;

after successfully opening the hash index.

In generate_adaptive_data() however, this manual invalidation of the
fd was missing and the fd was closed manually in later error handling.
This could lead to cases where a double-call of g_close() on the same
pointer happened.

This was wrong anyway but results in a critical error in RAUC since glib
version 2.75.0 which comes with a more pickier g_close() handling:
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2964

Fix this and add a hint to the function documentation.

Signed-off-by: Enrico Joerns <[email protected]>

include/hash_index.h

@@ -38,6 +38,10 @@ typedef struct {
  * If an existing hash index file is provided via 'hashes_filename', this will
  * be used instead of building a new index.
  *
+ * If creating the hash index succeeded, the ownership of the provided file
+ * descriptor must be 'transferred' to the hash index by manually setting the
+ * provided file descriptor to -1!
+ *
  * @param label label for hash index (used for debugging/identification)
  * @param data_fd open file descriptor of file to hash
  * @param hashes_filename name of existing hash index file to use instead, or NULL

src/bundle.c

@@ -422,13 +422,16 @@ static gboolean generate_adaptive_data(RaucManifest *manifest, const gchar *dir,
 					g_close(fd, NULL);
 					return FALSE;
 				}
+				fd = -1; /* belongs to idx now */
 
 				if (!r_hash_index_export(index, indexpath, &ierror)) {
 					g_propagate_prefixed_error(
 							error,
 							ierror,
 							"Failed to write hash index for %s: ", image->filename);
-					g_close(fd, NULL);
+					if (fd >= 0) {
+						g_close(fd, NULL);
+					}
 					return FALSE;
 				}