[driver] fixing kernel crash when mount quits

Problem: say nfsd is not running but the redirector is active already (ie. start deamon, stop deamon). problem doesn't exist if nfsd has never been started. now a user process executes a mount command, the kernel ends up creating a system thread to handle creation of the vnetroot. that thread places a mount upcall and waits for the down call. now kill the user process. now start the nfsd. it will pick up a queued up upcall entry. however, in the arguments there are pointers to server name and mount point values that are stored in the memory of the user process that started the mount but now ended. Solution: check that Mount.srv_name and Mount.root are still valid addresses before dereferencing them.
2011-03-25 13:11:08 -04:00 · 2011-03-25 13:11:08 -04:00 · 3a06ec9080
commit 3a06ec9080
parent 5482c0e51f
1 changed files with 6 additions and 0 deletions
--- a/sys/nfs41_driver.c
+++ b/sys/nfs41_driver.c
@ -523,6 +523,12 @@ NTSTATUS marshal_nfs41_mount(nfs41_updowncall_entry *entry,
        goto out;
    else 
        tmp += *len;
+    /* 03/25/2011: Kernel crash to nfsd not running but mount upcall cued up */
+    if (!MmIsAddressValid(entry->u.Mount.srv_name) || 
+            !MmIsAddressValid(entry->u.Mount.root)) {
+        status = STATUS_INTERNAL_ERROR;
+        goto out;
+    }
    header_len = *len + length_as_ansi(entry->u.Mount.srv_name) +
        length_as_ansi(entry->u.Mount.root) + sizeof(entry->u.Mount.sec_flavor);
    if (header_len > buf_len) {