[PATCH 3/3] server: Hold a reference to the file in delete_file().
Zebediah Figura
z.figura12 at gmail.com
Fri Feb 14 12:10:21 CST 2020
From: Michael Müller <michael at fds-team.de>
Otherwise, we may attempt to access freed memory trawling the device list.
This can occur if a device driver crashes during an IRP_CALL_CLOSE request.
Signed-off-by: Zebediah Figura <z.figura12 at gmail.com>
---
server/device.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/server/device.c b/server/device.c
index b02d965e33..12208ec8a2 100644
--- a/server/device.c
+++ b/server/device.c
@@ -729,12 +729,18 @@ static void delete_file( struct device_file *file )
{
struct irp_call *irp, *next;
+ /* The pending requests may be the only thing holding a reference to the
+ * file. */
+ grab_object( file );
+
/* terminate all pending requests */
LIST_FOR_EACH_ENTRY_SAFE( irp, next, &file->requests, struct irp_call, dev_entry )
{
list_remove( &irp->mgr_entry );
set_irp_result( irp, STATUS_FILE_DELETED, NULL, 0, 0 );
}
+
+ release_object( file );
}
static void delete_device( struct device *device )
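Review bot: The comment above grab_object( file ) says the pending requests may hold the only reference to the file, but it does not name the call in the loop that can drop that reference, which is what a later reader needs to know to keep the grab/release pair intact. The loop walks file->requests through dev_entry and the only unlink visible here is list_remove( &irp->mgr_entry ), so the release presumably happens inside set_irp_result(); if so, say it in the comment, for example "set_irp_result() may release the last reference to the file, keep it alive until the loop is done". The commit message also refers to the device list, while the loop in this hunk iterates the file's request list, so it would help to state which access ends up touching freed memory.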
--
2.25.0