From a7d600b8b8499cad36b0e24e1e211b3461fb431c Mon Sep 17 00:00:00 2001
From: Aleksey Bragin
Date: Tue, 15 Jul 2008 14:24:47 +0000
Subject: [PATCH] - Save pointer to driver's section in DriverSection during driver loading. - Fix unloading function to check if a driver to be unloaded really has DriverSection set, and if not, fail. - Inspired by bug 3221. See issue #3221 for more details. svn path=/trunk/; revision=34526
---
 reactos/ntoskrnl/io/iomgr/driver.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/reactos/ntoskrnl/io/iomgr/driver.c b/reactos/ntoskrnl/io/iomgr/driver.c
index 7d0e549d3b5..d69b47eb8ac 100644
--- a/reactos/ntoskrnl/io/iomgr/driver.c
+++ b/reactos/ntoskrnl/io/iomgr/driver.c
@@ -1085,7 +1085,7 @@ IopUnloadDriver(PUNICODE_STRING DriverServiceName, BOOLEAN UnloadPnpDrivers)
 */
 /* Call the load/unload routine, depending on current process */
- if (DriverObject->DriverUnload)
+ if (DriverObject->DriverUnload && DriverObject->DriverSection)
 {
 if (PsGetCurrentProcess() == PsInitialSystemProcess)
 {
@@ -1111,13 +1111,22 @@ IopUnloadDriver(PUNICODE_STRING DriverServiceName, BOOLEAN UnloadPnpDrivers)
 KeWaitForSingleObject(&LoadParams.Event, UserRequest, KernelMode, FALSE, NULL);
 }
+
+ /* Unload the driver */
+ ObDereferenceObject(DriverObject);
+ ObDereferenceObject(DriverObject);
+ MmUnloadSystemImage(DriverObject->DriverSection);
+
+ return STATUS_SUCCESS;
 }
+ else
+ {
+ /* Dereference one time (refd inside this function) */
+ ObDereferenceObject(DriverObject);
- ObDereferenceObject(DriverObject);
- ObDereferenceObject(DriverObject);
- MmUnloadSystemImage(DriverObject->DriverSection);
-
- return STATUS_SUCCESS;
+ /* Return unloading failure */
+ return STATUS_INVALID_DEVICE_REQUEST;
+ }
 }
 VOID
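Review bot: In the new success branch of IopUnloadDriver (second hunk), `MmUnloadSystemImage(DriverObject->DriverSection)` reads a field of the driver object after both `ObDereferenceObject(DriverObject)` calls have already run. If the second call releases the last reference (the reference counts are established outside the hunk, so this is inferred), that read touches freed kernel memory. The ordering is carried over from the removed lines rather than introduced here, but it is worth correcting while the unload path is being reworked: capture the pointer first with `PVOID DriverSection = DriverObject->DriverSection;` and call `MmUnloadSystemImage(DriverSection);` after the dereferences. The function begins and ends outside this hunk, so the declaration would have to sit with the other locals.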
@@ -1718,6 +1727,9 @@ IopLoadUnloadDriver(PLOAD_UNLOAD_PARAMS LoadParams)
 }
 }
+ /* Store its DriverSection, so that it could be unloaded */
+ DriverObject->DriverSection = ModuleObject;
+ /* We have a driver for this DeviceNode */
 DeviceNode->Flags |= DN_DRIVER_LOADED;
 }