- Fix a memory leak in IopUnloadDriver.

- Driver object temporary was not marked temporary, thus it wasn't really deleted after reference counter reached 0. Fix this (inspired by bug #3501).
See issue #3501 for more details.

svn path=/trunk/; revision=36719

reactos/ntoskrnl/io/iomgr/driver.c

@@ -1010,9 +1010,19 @@ IopUnloadDriver(PUNICODE_STRING DriverServiceName, BOOLEAN UnloadPnpDrivers)
    /*
     * Find the driver object
     */
+   Status = ObReferenceObjectByName(&ObjectName,
+                                    0,
+                                    0,
+                                    0,
+                                    IoDriverObjectType,
+                                    KernelMode,
+                                    0,
+                                    (PVOID*)&DriverObject);
 
-   Status = ObReferenceObjectByName(&ObjectName, 0, 0, 0, IoDriverObjectType,
-      KernelMode, 0, (PVOID*)&DriverObject);
+   /*
+    * Free the buffer for driver object name
+    */
+   ExFreePool(ObjectName.Buffer);
 
    if (!NT_SUCCESS(Status))
    {
@@ -1020,12 +1030,6 @@ IopUnloadDriver(PUNICODE_STRING DriverServiceName, BOOLEAN UnloadPnpDrivers)
       return Status;
    }
 
-   /*
-    * Free the buffer for driver object name
-    */
-
-   ExFreePool(ObjectName.Buffer);
-
    /*
     * Get path of service...
     */
@@ -1097,9 +1101,14 @@ IopUnloadDriver(PUNICODE_STRING DriverServiceName, BOOLEAN UnloadPnpDrivers)
              FALSE, NULL);
       }
 
+      /* Mark the driver object temporary, so it could be deleted later */
+      ObMakeTemporaryObject(DriverObject);
+
+      /* Dereference it 2 times */
+      ObDereferenceObject(DriverObject);
+      ObDereferenceObject(DriverObject);
+
       /* Unload the driver */
-      ObDereferenceObject(DriverObject);
-      ObDereferenceObject(DriverObject);
       MmUnloadSystemImage(DriverObject->DriverSection);
 
       return STATUS_SUCCESS;