- diff --git a/sys/nfs41_driver.c b/sys/nfs41_driver.c
- index 9c0d2ee..4f6bf28 100644
- --- a/sys/nfs41_driver.c
- +++ b/sys/nfs41_driver.c
- @@ -1424,6 +1424,7 @@ NTSTATUS handle_upcall(
- * ---- snip ----
- */
- __try {
- + ObReferenceObject(entry->psec_ctx->ClientToken);
- status = SeImpersonateClientEx(entry->psec_ctx, NULL);
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- NTSTATUS code;
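Review bot: The reference taken on the added `ObReferenceObject(entry->psec_ctx->ClientToken);` line has no matching release in the visible lines when `SeImpersonateClientEx` fails or raises into the `__except` handler. The release is presumably the single `ObDereferenceObject` added in nfs41_downcall, which may never run for an upcall that failed here, so each failure would leak one token reference. Drop the reference on the failure path, for example `if (status != STATUS_SUCCESS) ObDereferenceObject(entry->psec_ctx->ClientToken);`, and in the handler. A comment such as `/* released in nfs41_downcall() once the daemon replies */` would record the pairing. The handler body and the rest of handle_upcall lie outside the hunk.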
- @@ -1553,7 +1554,10 @@ NTSTATUS nfs41_UpcallCreate(
- entry->psec_ctx = &entry->sec_ctx;
- status = SeCreateClientSecurityFromSubjectContext(&sec_ctx, &sec_qos,
- 1, entry->psec_ctx);
- - if (status != STATUS_SUCCESS) {
- + if (status == STATUS_SUCCESS) {
- + ObReferenceObject(entry->psec_ctx->ClientToken);
- + }
- + else {
- print_error("nfs41_UpcallCreate: "
- "SeCreateClientSecurityFromSubjectContext failed with %x\n",
- status);
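Review bot: The reference taken in the new `if (status == STATUS_SUCCESS)` branch is released by hand at roughly twenty separate call sites after `nfs41_UpcallWaitForReply`, which makes a missed or doubled release easy to introduce and hard to audit. Pairing the acquire and release in two small helpers would keep the token lifetime in one place (an illustrative name would be `upcall_release_token(entry)`). At minimum, document the contract here with `/* caller drops this reference after nfs41_UpcallWaitForReply() */`. Any exit taken between this line and `*entry_out = entry` should be checked for a matching release; those paths are only partly visible in this diff. The same applies to the `else` branch in the next hunk, which also adds two consecutive blank lines.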
- @@ -1562,8 +1566,12 @@ NTSTATUS nfs41_UpcallCreate(
- }
- SeReleaseSubjectContext(&sec_ctx);
- - } else
- + } else {
- entry->psec_ctx = clnt_sec_ctx;
- + ObReferenceObject(entry->psec_ctx->ClientToken);
- + }
- +
- +
- *entry_out = entry;
- out:
- @@ -1995,11 +2003,14 @@ NTSTATUS nfs41_downcall(
- }
- ExReleaseFastMutex(&downcallLock);
- SeStopImpersonatingClient();
- +
- if (!found) {
- print_error("Didn't find xid=%lld entry\n", tmp->xid);
- goto out_free;
- }
- + ObDereferenceObject(cur->psec_ctx->ClientToken);
- +
- ExAcquireFastMutex(&cur->lock);
- if (cur->state == NFS41_NOT_WAITING) {
- DbgP("[downcall] Nobody is waiting for this request!!!\n");
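Review bot: The added `ObDereferenceObject(cur->psec_ctx->ClientToken);` reads `cur->psec_ctx` after `downcallLock` is released and before `cur->lock` is taken, so it runs with no lock held. The `NFS41_NOT_WAITING` branch just below shows this path also runs for entries whose waiter has already given up. That waiter has by then run its own `ObDereferenceObject` and, where it owns the context, `SeDeleteClientSecurity`, so this line can touch a released security context and drop a reference that is no longer held. The result would be a refcount underflow or use-after-free on a kernel token object. Move the release under `ExAcquireFastMutex(&cur->lock)` and skip it when `cur->state == NFS41_NOT_WAITING`, or store a separately referenced token pointer in the entry so it does not depend on the waiter's context. The `!found` path also needs a decision, and the rest of nfs41_downcall is outside the hunk.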
- @@ -2108,6 +2119,7 @@ NTSTATUS nfs41_shutdown_daemon(
- if (status) goto out;
- status = nfs41_UpcallWaitForReply(entry, UPCALL_TIMEOUT_DEFAULT);
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- if (entry->psec_ctx == &entry->sec_ctx) {
- SeDeleteClientSecurity(entry->psec_ctx);
- }
- @@ -2374,6 +2386,7 @@ NTSTATUS nfs41_unmount(
- nfs41_UpcallWaitForReply(entry, timeout);
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- if (entry->psec_ctx == &entry->sec_ctx) {
- SeDeleteClientSecurity(entry->psec_ctx);
- }
- @@ -2757,6 +2770,7 @@ NTSTATUS nfs41_mount(
- entry->u.Mount.FsAttrs = FsAttrs;
- status = nfs41_UpcallWaitForReply(entry, config->timeout);
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- if (entry->psec_ctx == &entry->sec_ctx) {
- SeDeleteClientSecurity(entry->psec_ctx);
- }
- @@ -3949,6 +3963,7 @@ retry_on_link:
- status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout);
- #ifndef USE_MOUNT_SEC_CONTEXT
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- if (entry->psec_ctx == &entry->sec_ctx) {
- SeDeleteClientSecurity(entry->psec_ctx);
- }
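Review bot: The release is added inside `#ifndef USE_MOUNT_SEC_CONTEXT`, while the reference in nfs41_UpcallCreate is taken unconditionally. A build with `USE_MOUNT_SEC_CONTEXT` defined therefore leaks one token reference per call on this path. Move `ObDereferenceObject(entry->psec_ctx->ClientToken);` above the `#ifndef` line, as the nfs41_CloseSrvOpen hunk already does. If the code under `retry_on_link:` can return to that label with the same entry, confirm that the reference is re-taken before the second wait; that jump is outside the hunk.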
- @@ -4352,6 +4367,9 @@ NTSTATUS nfs41_CloseSrvOpen(
- entry->u.Close.renamed = nfs41_fcb->Renamed;
- status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- #ifndef USE_MOUNT_SEC_CONTEXT
- SeDeleteClientSecurity(&nfs41_fobx->sec_ctx);
- #endif
- @@ -4523,6 +4541,9 @@ NTSTATUS nfs41_QueryDirectory(
- entry->u.QueryFile.return_single = RxContext->QueryDirectory.ReturnSingleEntry;
- status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) goto out;
- MmUnlockPages(entry->u.QueryFile.mdl);
- @@ -4724,6 +4745,9 @@ NTSTATUS nfs41_QueryVolumeInformation(
- entry->buf_len = RxContext->Info.LengthRemaining;
- status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) goto out;
- if (entry->status == STATUS_BUFFER_TOO_SMALL) {
- @@ -4971,6 +4995,9 @@ NTSTATUS nfs41_SetEaInformation(
- entry->buf_len = buflen;
- status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) goto out;
- #ifdef ENABLE_TIMINGS
- if (entry->status == STATUS_SUCCESS) {
- @@ -5075,6 +5102,9 @@ static NTSTATUS QueryCygwinSymlink(
- entry->u.Symlink.set = FALSE;
- status = nfs41_UpcallWaitForReply(entry, VNetRootContext->timeout);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) goto out;
- status = map_setea_error(entry->status);
- @@ -5231,6 +5261,9 @@ NTSTATUS nfs41_QueryEaInformation(
- entry->u.QueryEa.ReturnSingleEntry = RxContext->QueryEa.ReturnSingleEntry;
- status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) goto out;
- if (entry->status == STATUS_SUCCESS) {
- @@ -5374,6 +5407,9 @@ NTSTATUS nfs41_QuerySecurityInformation(
- entry->buf_len = RxContext->CurrentIrpSp->Parameters.QuerySecurity.Length;
- status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) goto out;
- if (entry->status == STATUS_BUFFER_TOO_SMALL) {
- @@ -5512,6 +5548,9 @@ NTSTATUS nfs41_SetSecurityInformation(
- #endif
- status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) goto out;
- status = map_query_acl_error(entry->status);
- @@ -5626,6 +5665,9 @@ NTSTATUS nfs41_QueryFileInformation(
- entry->buf_len = RxContext->Info.LengthRemaining;
- status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) {
- print_error("nfs41_UpcallWaitForReply() failed, status=%d\n", status);
- goto out;
- @@ -5939,6 +5981,9 @@ NTSTATUS nfs41_SetFileInformation(
- #endif
- status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) goto out;
- status = map_setfile_error(entry->status);
- @@ -6186,6 +6231,9 @@ NTSTATUS nfs41_Read(
- */
- io_delay = pVNetRootContext->timeout + 2 * entry->buf_len / 104857600;
- status = nfs41_UpcallWaitForReply(entry, io_delay);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) goto out;
- if (async) {
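Review bot: With `async` set, the release after `nfs41_UpcallWaitForReply` may run before the daemon has picked the entry up. The `if (async)` branch just below suggests the call can return without a completed reply, though this is inferred because the wait routine is not part of this diff. In that case handle_upcall would later call `ObReferenceObject` and `SeImpersonateClientEx` on a token this thread no longer holds a reference to. Consider skipping the release on the async path and dropping the reference where the asynchronous entry is completed. The nfs41_Write hunk has the same shape.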
- @@ -6305,6 +6353,9 @@ NTSTATUS nfs41_Write(
- */
- io_delay = pVNetRootContext->timeout + 2 * entry->buf_len / 104857600;
- status = nfs41_UpcallWaitForReply(entry, io_delay);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) goto out;
- if (async) {
- @@ -6485,6 +6536,9 @@ NTSTATUS nfs41_Lock(
- retry_upcall:
- status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) goto out;
- /* blocking locks keep trying until it succeeds */
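Review bot: Because the release sits directly under the `retry_upcall:` label, every pass through the label drops another reference, while nfs41_UpcallCreate took only one for this entry. The comment `blocking locks keep trying until it succeeds` suggests the code below jumps back to the label. If so, the second pass over-dereferences the token and can free it while the security context still points at it. Either re-take the reference with `ObReferenceObject(entry->psec_ctx->ClientToken);` just before the `goto retry_upcall`, or move the release to the function's single exit path so it runs exactly once. The retry jump and the exit label are outside the hunk.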
- @@ -6592,6 +6646,9 @@ NTSTATUS nfs41_Unlock(
- }
- status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) goto out;
- status = map_lock_errors(entry->status);
- @@ -6764,6 +6821,9 @@ NTSTATUS nfs41_SetReparsePoint(
- entry->u.Symlink.set = TRUE;
- status = nfs41_UpcallWaitForReply(entry, VNetRootContext->timeout);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) goto out;
- status = map_symlink_errors(entry->status);
- @@ -6850,6 +6910,9 @@ NTSTATUS nfs41_GetReparsePoint(
- entry->u.Symlink.set = FALSE;
- status = nfs41_UpcallWaitForReply(entry, VNetRootContext->timeout);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) goto out;
- status = map_symlink_errors(entry->status);
- @@ -7160,6 +7223,9 @@ VOID fcbopen_main(PVOID ctx)
- entry->buf_len = sizeof(binfo);
- status = nfs41_UpcallWaitForReply(entry, UPCALL_TIMEOUT_DEFAULT);
- +
- + ObDereferenceObject(entry->psec_ctx->ClientToken);
- +
- if (status) goto out;
- if (cur->ChangeTime != entry->ChangeTime) {
Prototype fix for token ref crashes
Posted by Anonymous on Tue 7th May 2024 15:02