From 76abf59daa5409e8540d4ce7fc4aa2d9a263f590 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Wed, 15 Oct 2008 14:51:12 +0000
Subject: [PATCH] DEVEL15-windows-checkVCs-20081015
LICENSE MIT
FIXES 116641
Do not drop references to 'nextp' until we are done with the object. Dropping the last reference can result in the object being destroyed.
(cherry picked from commit 1115e29dacab98ed29ec603edfdaa8f697507daa)
---
 src/WINNT/afsd/smb.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/src/WINNT/afsd/smb.c b/src/WINNT/afsd/smb.c
index d77ca29d1..0c430dcd1 100644
--- a/src/WINNT/afsd/smb.c
+++ b/src/WINNT/afsd/smb.c
@@ -3752,14 +3752,24 @@ void smb_CheckVCs(void)
 osi_panic("afsd: invalid smb_vc_t detected in smb_allVCsp", __FILE__, __LINE__);
+ /* on the first pass hold 'vcp' which was not held as 'nextp' */
+ if (vcp != nextp)
+ smb_HoldVCNoLock(vcp);
+
+ /*
+ * obtain a reference to 'nextp' now because we drop the
+ * smb_rctLock later and the list contents could change
+ * or 'vcp' could be destroyed when released.
+ */
 nextp = vcp->nextp;
+ if (nextp)
+ smb_HoldVCNoLock(nextp);
- if (vcp->flags & SMB_VCFLAG_ALREADYDEAD)
+ if (vcp->flags & SMB_VCFLAG_ALREADYDEAD) {
+ smb_ReleaseVCNoLock(vcp);
 continue;
+ }
- smb_HoldVCNoLock(vcp);
- if (nextp)
- smb_HoldVCNoLock(nextp);
 smb_FormatResponsePacket(vcp, NULL, outp);
 smbp = (smb_t *)outp;
 outp->inCom = smbp->com = 0x2b /* Echo */;
@@ -3778,8 +3788,6 @@ void smb_CheckVCs(void)
 lock_ObtainWrite(&smb_rctLock);
 smb_ReleaseVCNoLock(vcp);
- if (nextp)
- smb_ReleaseVCNoLock(nextp);
 }
 lock_ReleaseWrite(&smb_rctLock);
 smb_FreePacket(outp);
--
2.39.5
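Review bot: The reference taken on `nextp` in the first hunk keeps that object allocated while `smb_rctLock` is dropped, but nothing visible keeps it linked on `smb_allVCsp`, so the next pass may read `vcp->nextp` from an entry that left the list during that window. Whether that can happen depends on the unlink path, which is outside both hunks, so this is inferred; the new block comment should state the assumption, for example `/* NOTE: the hold keeps nextp allocated, not linked; confirm it cannot leave smb_allVCsp while smb_rctLock is dropped */`. The `vcp != nextp` first-pass test also relies on the `for` header, which sits above the hunk, presumably advancing with `vcp = nextp`. A short comment at the remaining `smb_ReleaseVCNoLock(vcp)` in the second hunk, such as `/* drops the reference taken when this VC was 'nextp' (or on the first pass) */`, would make the ownership hand-off explicit.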