ReceiveTempSMS
/
Sweden-Number
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

server: Hold a reference to the file in delete_file(). 

Otherwise, we may attempt to access freed memory trawling the device list.
This can occur if a device driver crashes during an IRP_CALL_CLOSE request.

Signed-off-by: Zebediah Figura <z.figura12@gmail.com>
Signed-off-by: Alexandre Julliard <julliard@winehq.org>
This commit is contained in:
Michael Müller 2020-02-14 12:10:21 -06:00 committed by Alexandre Julliard
parent 0bd7da4290
commit 504cf18e19
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
server/device.c
View File

@ -729,12 +729,17 @@ static void delete_file( struct device_file *file )
{ {
struct irp_call *irp, *next; struct irp_call *irp, *next;
/* the pending requests may be the only thing holding a reference to the file */
grab_object( file );
/* terminate all pending requests */ /* terminate all pending requests */
LIST_FOR_EACH_ENTRY_SAFE( irp, next, &file->requests, struct irp_call, dev_entry ) LIST_FOR_EACH_ENTRY_SAFE( irp, next, &file->requests, struct irp_call, dev_entry )
{ {
list_remove( &irp->mgr_entry ); list_remove( &irp->mgr_entry );
set_irp_result( irp, STATUS_FILE_DELETED, NULL, 0, 0 ); set_irp_result( irp, STATUS_FILE_DELETED, NULL, 0, 0 );
} }
release_object( file );
} }
static void delete_device( struct device *device ) static void delete_device( struct device *device )