From 2a7795aa565dfa4e371f806b799ce6a01a2db6c9 Mon Sep 17 00:00:00 2001
From: Rod Widdowson <rdw@steadingsoftware.com>
Date: Sat, 22 Oct 2011 15:00:03 +0100
Subject: [PATCH 1/1] Windows:  Defer deref of a directoryEntry

During the handling of SL_OPEN_TARGET opens (usually associated
with a rename) a directory entry was deferenced prior to its
contents being used (to set up a seconding inforation field).

This change just holds on to the reference until after that processing.

Change-Id: I26dbd4bfb6595863109e549893f2367f71ad6404
Reviewed-on: http://gerrit.openafs.org/5651
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
---
 src/WINNT/afsrdr/kernel/lib/AFSCreate.cpp | 32 ++++++++++++++++++-------------
 1 file changed, 19 insertions(+), 13 deletions(-)

diff --git a/src/WINNT/afsrdr/kernel/lib/AFSCreate.cpp b/src/WINNT/afsrdr/kernel/lib/AFSCreate.cpp
index 6d479f1..ce90ce5 100644
--- a/src/WINNT/afsrdr/kernel/lib/AFSCreate.cpp
+++ b/src/WINNT/afsrdr/kernel/lib/AFSCreate.cpp
@@ -577,20 +577,11 @@ AFSCommonCreate( IN PDEVICE_OBJECT DeviceObject,
                               NULL,
                               pParentDirectoryCB->OpenReferenceCount);
 
-                InterlockedDecrement( &pDirectoryCB->OpenReferenceCount);
-
-                AFSDbgLogMsg( AFS_SUBSYSTEM_DIRENTRY_REF_COUNTING,
-                              AFS_TRACE_LEVEL_VERBOSE,
-                              "AFSCreate Decrement2 count on %wZ DE %p Ccb %p Cnt %d\n",
-                              &pDirectoryCB->NameInformation.FileName,
-                              pDirectoryCB,
-                              NULL,
-                              pDirectoryCB->OpenReferenceCount);
-
                 //
-                // The name array also contains a reference to the pDirectoryCB so we need to remove it
-                // Note that this could decrement the count to zero allowing it to be deleted, hence
-                // don't access the pointer contents beyond here.
+                // Do NOT decrement the reference count on the pDirectoryCB yet.
+                // The BackupEntry below might drop the count to zero leaving
+                // the entry subject to being deleted and we need some of the
+                // contents during later processing
                 //
 
                 AFSBackupEntry( pNameArray);
@@ -613,6 +604,21 @@ AFSCommonCreate( IN PDEVICE_OBJECT DeviceObject,
                                                &uniComponentName,
                                                &pFcb,
                                                &pCcb);
+            if( pDirectoryCB != NULL)
+            {
+                //
+                // It is now safe to drop the Reference Count
+                //
+                InterlockedDecrement( &pDirectoryCB->OpenReferenceCount);
+
+                AFSDbgLogMsg( AFS_SUBSYSTEM_DIRENTRY_REF_COUNTING,
+                              AFS_TRACE_LEVEL_VERBOSE,
+                              "AFSCreate Decrement2 count on %wZ DE %p Ccb %p Cnt %d\n",
+                              &pDirectoryCB->NameInformation.FileName,
+                              pDirectoryCB,
+                              NULL,
+                              pDirectoryCB->OpenReferenceCount);
+            }
 
             if( !NT_SUCCESS( ntStatus))
             {
-- 
1.9.4