From 028258e6393bd76df0944dc77266bfba176ada73 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Tue, 5 Feb 2013 00:29:12 -0500
Subject: [PATCH] Windows: AFSLocateNameEntry double free Volume RefCount

If AFSBuildMountPointTarget fails when called from AFSLocateNameEntry the pCurrentVolume reference count will have been freed even though the pointer has not been updated. If the failure is STATUS_OBJECT_NAME_NOT_FOUND and AFSLocateNameEntry was called by AFSCreateCommon, the Volume reference count will be freed twice.

Change-Id: I0b5ccb512ea0ec2e24099dff38bbbeddebf0bee3
Reviewed-on: http://gerrit.openafs.org/9069
Tested-by: BuildBot
Reviewed-by: Derrick Brashear
Reviewed-by: Jeffrey Altman
Tested-by: Jeffrey Altman
---
 .../afsrdr/kernel/lib/AFSNameSupport.cpp | 33 ++++++++++---------
 1 file changed, 17 insertions(+), 16 deletions(-)

diff --git a/src/WINNT/afsrdr/kernel/lib/AFSNameSupport.cpp b/src/WINNT/afsrdr/kernel/lib/AFSNameSupport.cpp
index 03fcfa28d..45abe94dc 100644
--- a/src/WINNT/afsrdr/kernel/lib/AFSNameSupport.cpp
+++ b/src/WINNT/afsrdr/kernel/lib/AFSNameSupport.cpp
@@ -77,6 +77,7 @@ AFSLocateNameEntry( IN GUID *AuthGroup,
 AFSObjectInfoCB *pCurrentObject = NULL;
 AFSObjectInfoCB *pParentObjectInfo = NULL;
 AFSVolumeCB *pCurrentVolume = *VolumeCB;
+ AFSVolumeCB *pTargetVolume = NULL;
 BOOLEAN bReleaseCurrentVolume = TRUE;
 LONG VolumeReferenceReason = *pVolumeReferenceReason;
 BOOLEAN bSubstitutedName = FALSE;
@@ -891,23 +892,9 @@ AFSLocateNameEntry( IN GUID *AuthGroup,
 // Also decrement the ref count on the volume
 //
- ASSERT( pCurrentVolume->VolumeReferenceCount > 0);
-
- lCount = AFSVolumeDecrement( pCurrentVolume,
- VolumeReferenceReason);
-
- AFSDbgLogMsg( AFS_SUBSYSTEM_VOLUME_REF_COUNTING,
- AFS_TRACE_LEVEL_VERBOSE,
- "AFSLocateNameEntry Decrement2 count on volume %p Reason %u Cnt %d\n",
- pCurrentVolume,
- VolumeReferenceReason,
- lCount);
-
- bReleaseCurrentVolume = FALSE;
-
 ntStatus = AFSBuildMountPointTarget( AuthGroup,
 pDirEntry,
- &pCurrentVolume);
+ &pTargetVolume);
 if( !NT_SUCCESS( ntStatus))
 {
@@ -928,7 +915,21 @@ AFSLocateNameEntry( IN GUID *AuthGroup,
 ASSERT( pCurrentVolume->VolumeReferenceCount > 0);
- bReleaseCurrentVolume = TRUE;
+ lCount = AFSVolumeDecrement( pCurrentVolume,
+ VolumeReferenceReason);
+
+ AFSDbgLogMsg( AFS_SUBSYSTEM_VOLUME_REF_COUNTING,
+ AFS_TRACE_LEVEL_VERBOSE,
+ "AFSLocateNameEntry Decrement2 count on volume %p Reason %u Cnt %d\n",
+ pCurrentVolume,
+ VolumeReferenceReason,
+ lCount);
+
+ pCurrentVolume = pTargetVolume;
+
+ pTargetVolume = NULL;
+
+ ASSERT( pCurrentVolume->VolumeReferenceCount > 0);
 VolumeReferenceReason = AFS_VOLUME_REFERENCE_MOUNTPT;
--
2.39.5
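Review bot: In the hunk at -891,23 the context comment `// Also decrement the ref count on the volume` now sits directly above the AFSBuildMountPointTarget call, while the decrement it describes has moved below the failure check into the next hunk. The comment should move with the decrement, and the call site deserves its own note, for example `// Resolve the target into pTargetVolume; pCurrentVolume keeps its reference until the call succeeds`. That ordering is what prevents the double release the commit message describes, so recording it guards against a later reordering. The body of the `if( !NT_SUCCESS( ntStatus))` branch is outside the hunk, so whether it would need to release a partially set pTargetVolume cannot be confirmed from here.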
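Review bot: In the hunk at -928,7 the reference on pCurrentVolume is dropped before pTargetVolume has been validated, and the only check on the new pointer is the `ASSERT( pCurrentVolume->VolumeReferenceCount > 0);` after the swap, which itself dereferences it. If ASSERT is compiled out in free builds, as is usual for driver code, a success return with a NULL target would leave pCurrentVolume NULL with its old reference already released. Checking first, e.g. `ASSERT( pTargetVolume != NULL);` ahead of the AFSVolumeDecrement call, or a runtime NULL test if the callee's contract allows that outcome, keeps the release and the hand-off consistent. AFSBuildMountPointTarget is not visible here, so whether it can succeed without setting the target is an assumption to confirm.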