[driver] fixing kernel crash when mount quits
Problem: say nfsd is not running but the redirector is active already (ie. start deamon, stop deamon). problem doesn't exist if nfsd has never been started. now a user process executes a mount command, the kernel ends up creating a system thread to handle creation of the vnetroot. that thread places a mount upcall and waits for the down call. now kill the user process. now start the nfsd. it will pick up a queued up upcall entry. however, in the arguments there are pointers to server name and mount point values that are stored in the memory of the user process that started the mount but now ended. Solution: check that Mount.srv_name and Mount.root are still valid addresses before dereferencing them.
This commit is contained in:
Olga Kornievskaia
parent
5482c0e51f
commit
3a06ec9080
1 changed files with 6 additions and 0 deletions
|
|
@ -523,6 +523,12 @@ NTSTATUS marshal_nfs41_mount(nfs41_updowncall_entry *entry,
|
||||||
goto out;
|
goto out;
|
||||||
else
|
else
|
||||||
tmp += *len;
|
tmp += *len;
|
||||||
|
/* 03/25/2011: Kernel crash to nfsd not running but mount upcall cued up */
|
||||||
|
if (!MmIsAddressValid(entry->u.Mount.srv_name) ||
|
||||||
|
!MmIsAddressValid(entry->u.Mount.root)) {
|
||||||
|
status = STATUS_INTERNAL_ERROR;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
header_len = *len + length_as_ansi(entry->u.Mount.srv_name) +
|
header_len = *len + length_as_ansi(entry->u.Mount.srv_name) +
|
||||||
length_as_ansi(entry->u.Mount.root) + sizeof(entry->u.Mount.sec_flavor);
|
length_as_ansi(entry->u.Mount.root) + sizeof(entry->u.Mount.sec_flavor);
|
||||||
if (header_len > buf_len) {
|
if (header_len > buf_len) {
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue