server: Hold a reference to the file in delete_file().

Otherwise, we may attempt to access freed memory trawling the device list. This can occur if a device driver crashes during an IRP_CALL_CLOSE request. Signed-off-by: Zebediah Figura <z.figura12@gmail.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

server: Hold a reference to the file in delete_file().
504cf18e · Michael Müller · Alexandre Julliard · 0bd7da42 · 504cf18e
Commit 504cf18e authored Feb 14, 2020 by Michael Müller Committed by Alexandre Julliard Mar 03, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

device.c server/device.c +5 -0

No files found.
--- a/server/device.c
+++ b/server/device.c
@@ -729,12 +729,17 @@ static void delete_file( struct device_file *file )
 {
    struct irp_call *irp, *next;

+    /* the pending requests may be the only thing holding a reference to the file */
+    grab_object( file );
+
    /* terminate all pending requests */
    LIST_FOR_EACH_ENTRY_SAFE( irp, next, &file->requests, struct irp_call, dev_entry )
    {
        list_remove( &irp->mgr_entry );
        set_irp_result( irp, STATUS_FILE_DELETED, NULL, 0, 0 );
    }
+
+    release_object( file );
 }

 static void delete_device( struct device *device )