Module: wine Branch: master Commit: 504cf18e19535759e75ce81db0909ba3136c9bfe URL: https://source.winehq.org/git/wine.git/?a=commit;h=504cf18e19535759e75ce81db... Author: Michael Müller <michael(a)fds-team.de> Date: Fri Feb 14 12:10:21 2020 -0600 server: Hold a reference to the file in delete_file(). Otherwise, we may attempt to access freed memory trawling the device list. This can occur if a device driver crashes during an IRP_CALL_CLOSE request. Signed-off-by: Zebediah Figura <z.figura12(a)gmail.com> Signed-off-by: Alexandre Julliard <julliard(a)winehq.org> --- server/device.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/server/device.c b/server/device.c index b02d965e33..01e08f295f 100644 --- a/server/device.c +++ b/server/device.c @@ -729,12 +729,17 @@ static void delete_file( struct device_file *file ) { struct irp_call *irp, *next; + /* the pending requests may be the only thing holding a reference to the file */ + grab_object( file ); + /* terminate all pending requests */ LIST_FOR_EACH_ENTRY_SAFE( irp, next, &file->requests, struct irp_call, dev_entry ) { list_remove( &irp->mgr_entry ); set_irp_result( irp, STATUS_FILE_DELETED, NULL, 0, 0 ); } + + release_object( file ); } static void delete_device( struct device *device )