From 33e3938bb1cd9d836f29c2c94ccdaf2bce03f180 Mon Sep 17 00:00:00 2001 From: Aleksey Bragin Date: Sat, 11 Oct 2008 17:39:12 +0000 Subject: [PATCH] - Fix a memory leak in IopUnloadDriver. - Driver object temporary was not marked temporary, thus it wasn't really deleted after reference counter reached 0. Fix this (inspired by bug #3501). See issue #3501 for more details. svn path=/trunk/; revision=36719 --- reactos/ntoskrnl/io/iomgr/driver.c | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/reactos/ntoskrnl/io/iomgr/driver.c b/reactos/ntoskrnl/io/iomgr/driver.c index d4fe8ab6b6c..363f17bc54e 100644 --- a/reactos/ntoskrnl/io/iomgr/driver.c +++ b/reactos/ntoskrnl/io/iomgr/driver.c @@ -1010,9 +1010,19 @@ IopUnloadDriver(PUNICODE_STRING DriverServiceName, BOOLEAN UnloadPnpDrivers) /* * Find the driver object */ + Status = ObReferenceObjectByName(&ObjectName, + 0, + 0, + 0, + IoDriverObjectType, + KernelMode, + 0, + (PVOID*)&DriverObject); - Status = ObReferenceObjectByName(&ObjectName, 0, 0, 0, IoDriverObjectType, - KernelMode, 0, (PVOID*)&DriverObject); + /* + * Free the buffer for driver object name + */ + ExFreePool(ObjectName.Buffer); if (!NT_SUCCESS(Status)) { @@ -1020,12 +1030,6 @@ IopUnloadDriver(PUNICODE_STRING DriverServiceName, BOOLEAN UnloadPnpDrivers) return Status; } - /* - * Free the buffer for driver object name - */ - - ExFreePool(ObjectName.Buffer); - /* * Get path of service... */ @@ -1097,9 +1101,14 @@ IopUnloadDriver(PUNICODE_STRING DriverServiceName, BOOLEAN UnloadPnpDrivers) FALSE, NULL); } + /* Mark the driver object temporary, so it could be deleted later */ + ObMakeTemporaryObject(DriverObject); + + /* Dereference it 2 times */ + ObDereferenceObject(DriverObject); + ObDereferenceObject(DriverObject); + /* Unload the driver */ - ObDereferenceObject(DriverObject); - ObDereferenceObject(DriverObject); MmUnloadSystemImage(DriverObject->DriverSection); return STATUS_SUCCESS;
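Review bot: In the `@@ -1010,9 +1010,19 @@` hunk the moved `ExFreePool(ObjectName.Buffer);` now runs before the `NT_SUCCESS(Status)` test, but its comment does not say that this ordering is what closes the leak on the failure path; I would reword it to `/* Free the name buffer before checking Status, so the failure return does not leak it */`. The reflowed `ObReferenceObjectByName` call also passes `0` for its two pointer parameters (the third argument, the access state, and the seventh, the parse context); `NULL` there would make the one-argument-per-line layout easier to read. `ObjectName.Buffer` is left pointing at freed pool after this line; no later use is visible in the patch, but the rest of `IopUnloadDriver` lies outside the hunk.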
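Review bot: In the `@@ -1097,9 +1101,14 @@` hunk `MmUnloadSystemImage(DriverObject->DriverSection);` still reads through `DriverObject` after both `ObDereferenceObject` calls, and now that `ObMakeTemporaryObject` lets the object really be deleted when its count reaches zero, that read can touch freed memory. Whether the second dereference is the last one depends on references taken outside the hunk, so the safe form is to copy the section pointer into a local `PVOID DriverSection` first: `DriverSection = DriverObject->DriverSection;` ahead of `ObMakeTemporaryObject(DriverObject);`, then `MmUnloadSystemImage(DriverSection);`. If the driver object type's delete routine unloads the image itself (not visible here), the explicit unload would also run a second time on the same section, which is worth checking. The comment `/* Dereference it 2 times */` would be more useful if it named the two references being released.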