Michael Müller : server: Hold a reference to the file in delete_file().
Alexandre Julliard
julliard at winehq.org
Tue Mar 3 16:24:51 CST 2020
Module: wine
Branch: master
Commit: 504cf18e19535759e75ce81db0909ba3136c9bfe
URL: https://source.winehq.org/git/wine.git/?a=commit;h=504cf18e19535759e75ce81db0909ba3136c9bfe
Author: Michael Müller <michael at fds-team.de>
Date: Fri Feb 14 12:10:21 2020 -0600
server: Hold a reference to the file in delete_file().
Otherwise, we may attempt to access freed memory trawling the device list.
This can occur if a device driver crashes during an IRP_CALL_CLOSE request.
Signed-off-by: Zebediah Figura <z.figura12 at gmail.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>
---
server/device.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/server/device.c b/server/device.c
index b02d965e33..01e08f295f 100644
--- a/server/device.c
+++ b/server/device.c
@@ -729,12 +729,17 @@ static void delete_file( struct device_file *file )
{
struct irp_call *irp, *next;
+ /* the pending requests may be the only thing holding a reference to the file */
+ grab_object( file );
+
/* terminate all pending requests */
LIST_FOR_EACH_ENTRY_SAFE( irp, next, &file->requests, struct irp_call, dev_entry )
{
list_remove( &irp->mgr_entry );
set_irp_result( irp, STATUS_FILE_DELETED, NULL, 0, 0 );
}
+
+ release_object( file );
}
static void delete_device( struct device *device )
More information about the wine-cvs
mailing list