From 3a06ec90803b158db09a4f2bc6087cf9fcae4e01 Mon Sep 17 00:00:00 2001
From: Olga Kornievskaia
Date: Fri, 25 Mar 2011 13:11:08 -0400
Subject: [PATCH] [driver] fixing kernel crash when mount quits
Problem: say nfsd is not running but the redirector is active already (ie. start deamon, stop deamon). problem doesn't exist if nfsd has never been started. now a user process executes a mount command, the kernel ends up creating a system thread to handle creation of the vnetroot. that thread places a mount upcall and waits for the down call. now kill the user process. now start the nfsd. it will pick up a queued up upcall entry. however, in the arguments there are pointers to server name and mount point values that are stored in the memory of the user process that started the mount but now ended.
Solution: check that Mount.srv_name and Mount.root are still valid addresses before dereferencing them.
---
sys/nfs41_driver.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sys/nfs41_driver.c b/sys/nfs41_driver.c
index 2de3979..0e1f8d8 100644
--- a/sys/nfs41_driver.c
+++ b/sys/nfs41_driver.c
@@ -523,6 +523,12 @@ NTSTATUS marshal_nfs41_mount(nfs41_updowncall_entry *entry,
 goto out;
 else
 tmp += *len;
+ /* 03/25/2011: Kernel crash to nfsd not running but mount upcall cued up */
+ if (!MmIsAddressValid(entry->u.Mount.srv_name) ||
+ !MmIsAddressValid(entry->u.Mount.root)) {
+ status = STATUS_INTERNAL_ERROR;
+ goto out;
+ }
 header_len = *len + length_as_ansi(entry->u.Mount.srv_name) +
 length_as_ansi(entry->u.Mount.root) + sizeof(entry->u.Mount.sec_flavor);
 if (header_len > buf_len) {
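Review bot: The MmIsAddressValid() pair added in front of the length_as_ansi() calls does not make the dereference safe: it only reports whether the page is resident at that instant, says nothing about whether the memory still belongs to the mounting process, and srv_name/root are read again by the marshalling that follows, so the check is a classic check-then-use that can still pass and then fault. Per the commit message these pointers refer to user-mode memory of a process that may already have exited, and the marshal runs when nfsd picks up the queued entry, presumably in a different process context, so even a "valid" address is at best unrelated data; Microsoft's own documentation says MmIsAddressValid() must not be used to validate user-mode buffers. The robust fix is outside this hunk: copy srv_name and root into kernel-owned buffers (ExAllocatePoolWithTag, NonPagedPool, with ProbeForRead inside __try/__except while still in the mounting thread's context) when the upcall entry is created, so the entry owns the strings for its lifetime, and free them when the entry is released; the added guard can then be dropped. Until that is done, replace the dated changelog-style comment with one that states the actual hazard, e.g. `/* srv_name/root point into the mounting process, which may be gone by now; MmIsAddressValid() is only a best-effort guard, see TODO */`, and keep the early STATUS_INTERNAL_ERROR return. marshal_nfs41_mount begins and ends outside this hunk.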