From ca4d8c09238b8755a7d363f8b5b28e33dc16c82d Mon Sep 17 00:00:00 2001
From: Filip Navara
Date: Sun, 6 Mar 2005 12:37:31 +0000
Subject: [PATCH] Fix some cancellation race conditions.

svn path=/trunk/; revision=13851
---
 reactos/drivers/fs/np/create.c |  9 +++++++--
 reactos/drivers/fs/np/fsctrl.c | 21 +++++++++++++++------
 2 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/reactos/drivers/fs/np/create.c b/reactos/drivers/fs/np/create.c
index 106c511cdc0..c2a5aaa0512 100644
--- a/reactos/drivers/fs/np/create.c
+++ b/reactos/drivers/fs/np/create.c
@@ -54,10 +54,15 @@ NpfsFindListeningServerInstance(PNPFS_PIPE Pipe)
   while (CurrentEntry != &Pipe->WaiterListHead)
     {
       Waiter = CONTAINING_RECORD(CurrentEntry, NPFS_WAITER_ENTRY, Entry);
-      if (Waiter->Fcb->PipeState == FILE_PIPE_LISTENING_STATE)
+      if (Waiter->Fcb->PipeState == FILE_PIPE_LISTENING_STATE &&
+          !Waiter->Irp->Cancel)
         {
           DPRINT("Server found! Fcb %p\n", Waiter->Fcb);
-          return Waiter->Fcb;
+
+          if (IoSetCancelRoutine(Waiter->Irp, NULL) != NULL)
+            {
+              return Waiter->Fcb;
+            }
         }
       CurrentEntry = CurrentEntry->Flink;
diff --git a/reactos/drivers/fs/np/fsctrl.c b/reactos/drivers/fs/np/fsctrl.c
index 815198974ad..4bb68190c5f 100644
--- a/reactos/drivers/fs/np/fsctrl.c
+++ b/reactos/drivers/fs/np/fsctrl.c
@@ -25,18 +25,26 @@ NpfsListeningCancelRoutine(IN PDEVICE_OBJECT DeviceObject,
   PNPFS_WAITER_ENTRY Waiter;
   DPRINT1("NpfsListeningCancelRoutine() called\n");
+  /* FIXME: Not tested. */
+  IoReleaseCancelSpinLock(Irp->CancelIrql);
+
   Waiter = Irp->Tail.Overlay.DriverContext[0];
+  KeLockMutex(&Waiter->Pipe->FcbListLock);
   RemoveEntryList(&Waiter->Entry);
-  ExFreePool(Waiter);
-
-  IoReleaseCancelSpinLock(Irp->CancelIrql);
+  if (IoSetCancelRoutine(Waiter->Irp, NULL) == NULL)
+    {
+      KeUnlockMutex(&Waiter->Pipe->FcbListLock);
+      return;
+    }
+  KeUnlockMutex(&Waiter->Pipe->FcbListLock);
   Irp->IoStatus.Status = STATUS_CANCELLED;
   Irp->IoStatus.Information = 0;
   IoCompleteRequest(Irp, IO_NO_INCREMENT);
+  ExFreePool(Waiter);
 }
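Review bot: The new `!Waiter->Irp->Cancel` test and the `IoSetCancelRoutine(Waiter->Irp, NULL)` exchange run while walking `Pipe->WaiterListHead`, yet nothing in this hunk shows `Pipe->FcbListLock` held, although the fsctrl.c hunks of the same commit now guard every `InsertTailList` and `RemoveEntryList` on that list with it; if the caller of NpfsFindListeningServerInstance does not hold that mutex, the walk can read an entry the cancel routine is unlinking at the same time. The function's start is outside the hunk, so the caller may already hold it — worth confirming and recording in a comment. The handshake itself deserves one too: `/* Clearing the cancel routine atomically decides who owns the IRP: a non-NULL return means cancellation has not claimed it and this server instance may be handed out. */` The unlocked read of the `Cancel` flag is only an early-out; the exchange is what makes the decision.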
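Review bot: The `if (IoSetCancelRoutine(Waiter->Irp, NULL) == NULL)` early return in NpfsListeningCancelRoutine looks like it can never let the IRP complete: if IoCancelIrp, as on NT, exchanges the cancel routine to NULL before invoking it, that call returns NULL every time, the entry has already been unlinked by `RemoveEntryList`, and the routine returns with the IRP still pending and `Waiter` never freed. Being invoked at all is the proof of ownership — a NpfsFindListeningServerInstance that wins the exchange first prevents this routine from running — so the check is at best redundant. The three lines `KeLockMutex(&Waiter->Pipe->FcbListLock); RemoveEntryList(&Waiter->Entry); KeUnlockMutex(&Waiter->Pipe->FcbListLock);` with the check dropped would be enough, and the `/* FIXME: Not tested. */` would be more useful naming the scenario it was not exercised under.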
@@ -53,7 +61,7 @@ NpfsAddListeningServerInstance(PIRP Irp,
   Entry->Irp = Irp;
   Entry->Fcb = Fcb;
-  InsertTailList(&Fcb->Pipe->WaiterListHead, &Entry->Entry);
+  Entry->Pipe = Fcb->Pipe;
   IoAcquireCancelSpinLock(&OldIrql);
   if (!Irp->Cancel)
@@ -61,14 +69,15 @@ NpfsAddListeningServerInstance(PIRP Irp,
       Irp->Tail.Overlay.DriverContext[0] = Entry;
       IoMarkIrpPending(Irp);
       IoSetCancelRoutine(Irp, NpfsListeningCancelRoutine);
+      KeLockMutex(&Fcb->Pipe->FcbListLock);
+      InsertTailList(&Fcb->Pipe->WaiterListHead, &Entry->Entry);
+      KeUnlockMutex(&Fcb->Pipe->FcbListLock);
       IoReleaseCancelSpinLock(OldIrql);
       return STATUS_PENDING;
     }
   /* IRP has already been cancelled */
   IoReleaseCancelSpinLock(OldIrql);
-  DPRINT1("FIXME: Remove waiter entry!\n");
-  RemoveEntryList(&Entry->Entry);
   ExFreePool(Entry);
   return STATUS_CANCELLED;
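Review bot: `KeLockMutex(&Fcb->Pipe->FcbListLock)` is now called while the cancel spin lock from `IoAcquireCancelSpinLock(&OldIrql)` is held, i.e. at DISPATCH_LEVEL, where waiting on a kernel mutex is not permitted; the cancel routine in the first fsctrl.c hunk correctly drops the spin lock before taking the same mutex, so the two paths also disagree on lock order. Taking the mutex before the cancel spin lock on both branches keeps the insert atomic with respect to cancellation, fixes the IRQL problem and matches the cancel routine's order (mutex outer, spin lock inner); the hunk above that replaced `InsertTailList` with `Entry->Pipe = Fcb->Pipe;` is where the mutex acquisition would now go. NpfsAddListeningServerInstance's start is outside the hunk.
```c
  Entry->Pipe = Fcb->Pipe;

  /* Mutex outer, cancel spin lock inner: KeLockMutex cannot be called at
     DISPATCH_LEVEL, and NpfsListeningCancelRoutine takes this mutex only
     after dropping the cancel spin lock, so the order cannot deadlock. */
  KeLockMutex(&Fcb->Pipe->FcbListLock);
  IoAcquireCancelSpinLock(&OldIrql);
  if (!Irp->Cancel)
    {
      /* … unchanged: DriverContext[0], IoMarkIrpPending, IoSetCancelRoutine … */
      InsertTailList(&Fcb->Pipe->WaiterListHead, &Entry->Entry);
      IoReleaseCancelSpinLock(OldIrql);
      KeUnlockMutex(&Fcb->Pipe->FcbListLock);
      return STATUS_PENDING;
    }

  /* IRP has already been cancelled */
  IoReleaseCancelSpinLock(OldIrql);
  KeUnlockMutex(&Fcb->Pipe->FcbListLock);
  ExFreePool(Entry);
  return STATUS_CANCELLED;
```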