From 568ae072b6ff4f4b6c9e0080e6c4937062b233f9 Mon Sep 17 00:00:00 2001
From: Daniel Lehman
Date: Thu, 7 Oct 2021 10:02:33 -0700
Subject: [PATCH] ntoskrnl.exe: Fix use-after-free when freeing IRP.

Signed-off-by: Daniel Lehman
---
wineboot -u can crash on use-after-free IoCompleteRequest calls IoFreeIrp which frees IRP the following free_dispath_irp dereferences that freed pointer (irp->UserBuffer)
---
 dlls/ntoskrnl.exe/ntoskrnl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c
index f2fb0a6d66e2..ec297e7d64a5 100644
--- a/dlls/ntoskrnl.exe/ntoskrnl.c
+++ b/dlls/ntoskrnl.exe/ntoskrnl.c
@@ -1011,8 +1011,9 @@ NTSTATUS CDECL wine_ntoskrnl_main_loop( HANDLE stop_event )
 {
 if (context.irp_data->complete)
 {
- IoCompleteRequest( context.irp_data->irp, IO_NO_INCREMENT );
+ IRP *irp = context.irp_data->irp;
 free_dispatch_irp( context.irp_data );
+ IoCompleteRequest( irp, IO_NO_INCREMENT );
 }
 else
 {
-- 
2.27.0
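Review bot: Calling free_dispatch_irp() before IoCompleteRequest() removes the read of the already-freed IRP, but it also means whatever free_dispatch_irp() releases is gone by the time the completion routine that IoCompleteRequest() triggers runs; the commit message says free_dispatch_irp() dereferences irp->UserBuffer, so if it also frees or reuses that buffer the dangling access may only have moved into the completion path rather than been eliminated. It would be worth confirming what free_dispatch_irp() owns and, if it owns memory the IRP still references, detaching it from the IRP before completion or keeping the original order and having free_dispatch_irp() stop reading `irp_data->irp`. Since the ordering is now load-bearing and easy to regress, the added line deserves a comment such as `/* IoCompleteRequest() frees the IRP, so release the dispatch data first and keep a local copy of the pointer */`. wine_ntoskrnl_main_loop() begins and ends outside this hunk.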