Author: fireball Date: Sat Oct 11 12:39:12 2008 New Revision: 36719 URL: http://svn.reactos.org/svn/reactos?rev=36719&view=rev Log: - Fix a memory leak in IopUnloadDriver. - Driver object temporary was not marked temporary, thus it wasn't really deleted after reference counter reached 0. Fix this (inspired by bug #3501). See issue #3501 for more details. Modified: trunk/reactos/ntoskrnl/io/iomgr/driver.c Modified: trunk/reactos/ntoskrnl/io/iomgr/driver.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/io/iomgr/driver.c… ============================================================================== --- trunk/reactos/ntoskrnl/io/iomgr/driver.c [iso-8859-1] (original) +++ trunk/reactos/ntoskrnl/io/iomgr/driver.c [iso-8859-1] Sat Oct 11 12:39:12 2008 @@ -1010,21 +1010,25 @@ /* * Find the driver object */ - - Status = ObReferenceObjectByName(&ObjectName, 0, 0, 0, IoDriverObjectType, - KernelMode, 0, (PVOID*)&DriverObject); + Status = ObReferenceObjectByName(&ObjectName, + 0, + 0, + 0, + IoDriverObjectType, + KernelMode, + 0, + (PVOID*)&DriverObject); + + /* + * Free the buffer for driver object name + */ + ExFreePool(ObjectName.Buffer); if (!NT_SUCCESS(Status)) { DPRINT1("Can't locate driver object for %wZ\n", &ObjectName); return Status; } - - /* - * Free the buffer for driver object name - */ - - ExFreePool(ObjectName.Buffer); /* * Get path of service... @@ -1097,9 +1101,14 @@ FALSE, NULL); } - /* Unload the driver */ + /* Mark the driver object temporary, so it could be deleted later */ + ObMakeTemporaryObject(DriverObject); + + /* Dereference it 2 times */ ObDereferenceObject(DriverObject); ObDereferenceObject(DriverObject); + + /* Unload the driver */ MmUnloadSystemImage(DriverObject->DriverSection); return STATUS_SUCCESS;