From b90a91c760058ee83ede9f852b7326c0b5f763cc Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Thu, 3 Jul 2008 06:54:47 +0000
Subject: [PATCH] DEVEL15-windows-dead-vc-cleanup-take-two-20080703

LICENSE MIT

Prevent an infinite recursion when attempting to cleanup a previously dead vc.

(cherry picked from commit be32aef3831529f30f59088be5ea2060b55a95f6)
---
 src/WINNT/afsd/smb.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/WINNT/afsd/smb.c b/src/WINNT/afsd/smb.c
index 9a4002a9f..0713e65d4 100644
--- a/src/WINNT/afsd/smb.c
+++ b/src/WINNT/afsd/smb.c
@@ -1001,7 +1001,7 @@ void smb_CleanupDeadVC(smb_vc_t *vcp)
 smb_user_t *uidpIter;
 smb_user_t *uidpNext;
 smb_vc_t **vcpp;
-
+ afs_uint32 refCount = 0;
 lock_ObtainMutex(&vcp->mx);
 if (vcp->flags & SMB_VCFLAG_CLEAN_IN_PROGRESS) {
@@ -1077,14 +1077,22 @@ void smb_CleanupDeadVC(smb_vc_t *vcp)
 uidpNext = vcp->usersp;
 }
- lock_ObtainMutex(&vcp->mx);
- vcp->flags &= ~SMB_VCFLAG_CLEAN_IN_PROGRESS;
- lock_ReleaseMutex(&vcp->mx);
-
 /* The vcp is now on the deadVCsp list. We intentionally drop the
 * reference so that the refcount can reach 0 and we can delete it */
+ refCount = vcp->refCount;
 smb_ReleaseVCNoLock(vcp);
+ /*
+ * If the refCount == 1 going into the ReleaseVCNoLock call
+ * the object will be freed and it won't be safe to clear
+ * the flag.
+ */
+ if (refCount > 1) {
+ lock_ObtainMutex(&vcp->mx);
+ vcp->flags &= ~SMB_VCFLAG_CLEAN_IN_PROGRESS;
+ lock_ReleaseMutex(&vcp->mx);
+ }
+
 lock_ReleaseWrite(&smb_rctLock);
 osi_Log1(smb_logp, "Finished cleaning up dead vcp 0x%x", vcp);
 }
-- 
2.39.5
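Review bot: The use-after-free guard in the second hunk relies on `refCount = vcp->refCount;` exactly predicting what `smb_ReleaseVCNoLock(vcp)` will do, and nothing in the hunk says why that snapshot can be trusted. It holds only if every change to `vcp->refCount` is made under `smb_rctLock`, which appears to be write-held here given the `lock_ReleaseWrite(&smb_rctLock)` that follows; I would record that next to the read, e.g. `/* smb_rctLock is write-held: refCount cannot change before the release below */`. A sturdier form would have the release routine report whether it freed the object, so the caller does not re-derive that from a copied counter whose declared type (`afs_uint32`) may not match the field's. The trailing `osi_Log1(..., vcp)` now formats the pointer after a possible free, which is tolerable as a log token but must never become a dereference. The function begins above this hunk, so the early-return path on `SMB_VCFLAG_CLEAN_IN_PROGRESS` is only partly visible.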