I noticed that in ExpAllocateHandleTableEntry(...) there are certain cases where the FirstFree field of HandleTable is accessed without proper locking:
1. HandleTable->FirstFree in line 657
2. HandleTable->FirstFree in line 690
Besides this, the patch also makes the locking clearer by removing multiple unlock statements before break in the while loop.
There is also a tiny enhancement in ExpAllocateHandleTable(...) to call RtlZeroMemory on a TableHandle after a NULL pointer check.