From: Jeffrey Altman <jaltman@your-file-system.com>
Date: Mon, 26 Mar 2012 15:10:36 +0000 (-0400)
Subject: Windows: AFSInvalidateObject can overwrite input param
X-Git-Tag: openafs-stable-1_8_0pre1~2670
X-Git-Url: https://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=32ad50bcee9a5b087bea7e0c9c1cfe3d1e58293e

Windows: AFSInvalidateObject can overwrite input param

AFSInvalidateObject() must not be called with an AFSObjectInformationCB
pointer variable that it is not safe to overwrite as the function sets
the input value to NULL if the invalidation is going to be performed
asynchronously in a worker thread.

In AFSEnumerateDirectory(), the following call took place:

  AFSInvalidateObject( &pDirNode->ObjectInformation,
                       AFS_INVALIDATE_DATA_VERSION);

which requires a worker thread to process.  As a result, the
ObjectInformation pointer was being set to NULL which detached the
AFSObjectInformationCB from the AFSDirectoryCB.  That in turn produced
an execption in AFSLocateName() which resulted in a resource not being
freed that in turn produced a deadlock.

Change-Id: Id30e84cf96b69156d648e3b452e7e03390559c43
Reviewed-on: http://gerrit.openafs.org/6962
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
---

diff --git a/src/WINNT/afsrdr/kernel/lib/AFSCommSupport.cpp b/src/WINNT/afsrdr/kernel/lib/AFSCommSupport.cpp
index 1f684d0..9afcdf9 100644
--- a/src/WINNT/afsrdr/kernel/lib/AFSCommSupport.cpp
+++ b/src/WINNT/afsrdr/kernel/lib/AFSCommSupport.cpp
@@ -303,8 +303,19 @@ AFSEnumerateDirectory( IN GUID *AuthGroup,
                         if( pDirNode->ObjectInformation->DataVersion.QuadPart != pCurrentDirEntry->DataVersion.QuadPart)
                         {
 
-                            AFSInvalidateObject( &pDirNode->ObjectInformation,
-+                                                 AFS_INVALIDATE_DATA_VERSION);
+                            LONG lCount;
+                            AFSObjectInfoCB *pObjectInfo = pDirNode->ObjectInformation;
+
+                            lCount = InterlockedIncrement( &pObjectInfo->ObjectReferenceCount);
+
+                            AFSInvalidateObject( &pObjectInfo,
+                                                 AFS_INVALIDATE_DATA_VERSION);
+
+                            if( pObjectInfo != NULL)
+                            {
+
+                                lCount = InterlockedDecrement( &pObjectInfo->ObjectReferenceCount);
+                            }
                         }
                         else
                         {
@@ -748,6 +759,7 @@ AFSVerifyDirectoryContent( IN AFSObjectInfoCB *ObjectInfoCB,
     AFSObjectInfoCB *pObjectInfo = NULL;
     ULONGLONG ullIndex = 0;
     UNICODE_STRING uniGUID;
+    LONG lCount;
 
     __Enter
     {
@@ -1058,8 +1070,16 @@ AFSVerifyDirectoryContent( IN AFSObjectInfoCB *ObjectInfoCB,
                         if( pObjectInfo->DataVersion.QuadPart != pCurrentDirEntry->DataVersion.QuadPart)
                         {
 
+                            lCount = InterlockedIncrement( &pObjectInfo->ObjectReferenceCount);
+
                             AFSInvalidateObject( &pObjectInfo,
                                                  AFS_INVALIDATE_DATA_VERSION);
+
+                            if( pObjectInfo != NULL)
+                            {
+
+                                lCount = InterlockedDecrement( &pObjectInfo->ObjectReferenceCount);
+                            }
                         }
                         else
                         {
diff --git a/src/WINNT/afsrdr/kernel/lib/AFSGeneric.cpp b/src/WINNT/afsrdr/kernel/lib/AFSGeneric.cpp
index fbdfa31..80a1b4c 100644
--- a/src/WINNT/afsrdr/kernel/lib/AFSGeneric.cpp
+++ b/src/WINNT/afsrdr/kernel/lib/AFSGeneric.cpp
@@ -2481,13 +2481,17 @@ AFSInvalidateVolume( IN AFSVolumeCB *VolumeCB,
             AFSInvalidateObject( &pCurrentObject,
                                  Reason);
 
-            lCount = InterlockedDecrement( &pCurrentObject->ObjectReferenceCount);
+            if ( pCurrentObject)
+            {
 
-            AFSDbgLogMsg( AFS_SUBSYSTEM_OBJECT_REF_COUNTING,
-                          AFS_TRACE_LEVEL_VERBOSE,
-                          "AFSInvalidateVolumeObjects Decrement count on object %08lX Cnt %d\n",
-                          pCurrentObject,
-                          lCount);
+                lCount = InterlockedDecrement( &pCurrentObject->ObjectReferenceCount);
+
+                AFSDbgLogMsg( AFS_SUBSYSTEM_OBJECT_REF_COUNTING,
+                              AFS_TRACE_LEVEL_VERBOSE,
+                              "AFSInvalidateVolumeObjects Decrement count on object %08lX Cnt %d\n",
+                              pCurrentObject,
+                              lCount);
+            }
         }
 
         //