[PATCH 2/3] server: Hold a reference to the device on behalf of the device manager.

Zebediah Figura z.figura12 at gmail.com
Fri Feb 14 12:10:20 CST 2020


Otherwise, the only thing holding a reference to a device may be a
device_file. If this is released in delete_device(), the subsequent call to
unlink_named_object() will crash. This can occur if a device driver crashes
with pending IRPs outstanding.

Signed-off-by: Zebediah Figura <z.figura12 at gmail.com>
---
This seems to be what's meant to be helped by this Staging patch:

https://raw.githubusercontent.com/wine-staging/wine-staging/master/patches/server-device_manager_destroy/0001-server-Fix-crash-when-a-device-driver-segfaults-duri.patch

When testing it, I couldn't reproduce a server crash just by crashing during an
IRP_MJ_CREATE request, but I encountered this much later debugging bug 48530.

I think it makes more sense to formalize the reference to the device as
belonging to the manager, rather than to add a temporary reference around
deletion.

 server/device.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/server/device.c b/server/device.c
index d3e2a84c1e..b02d965e33 100644
--- a/server/device.c
+++ b/server/device.c
@@ -700,6 +700,7 @@ static struct device *create_device( struct object *root, const struct unicode_s
     {
         device->unix_path = NULL;
         device->manager = manager;
+        grab_object( device );
         list_add_tail( &manager->devices, &device->entry );
         list_init( &device->kernel_object );
         list_init( &device->files );
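Review bot: the added grab_object( device ) carries no comment saying whose reference it is, so the pairing with the matching release in delete_device() is not visible at this site; a one-line comment such as `/* the device manager owns a reference to the device */` placed above the call would document the ownership the commit message describes. The placement itself is right: the reference is taken immediately after `device->manager = manager;` and before the device is linked into manager->devices, so the list never holds a device the manager does not have a reference to.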
@@ -748,6 +749,7 @@ static void delete_device( struct device *device )
     unlink_named_object( &device->obj );
     list_remove( &device->entry );
     device->manager = NULL;
+    release_object( device );
 }
 
 
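Review bot: release_object( device ) is correctly the last statement of delete_device(), after unlink_named_object(), list_remove() and `device->manager = NULL;`, since this release may free the device and nothing may touch it afterwards; this ordering is what fixes the crash in the description, because the manager's reference now keeps the object alive through unlink_named_object() even when a device_file was the only other holder. Two things worth stating in the patch: a comment on this line such as `/* drop the device manager's reference taken in create_device() */`, and a note confirming that delete_device() is the only path that removes a device from manager->devices, so the manager's reference is dropped exactly once and never for a device that was never added to the list.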
-- 
2.25.0
