Author: fireball Date: Tue Jul 15 09:24:47 2008 New Revision: 34526 URL: http://svn.reactos.org/svn/reactos?rev=34526&view=rev Log: - Save pointer to driver's section in DriverSection during driver loading. - Fix unloading function to check if a driver to be unloaded really has DriverSection set, and if not, fail. - Inspired by bug 3221. See issue #3221 for more details. Modified: trunk/reactos/ntoskrnl/io/iomgr/driver.c Modified: trunk/reactos/ntoskrnl/io/iomgr/driver.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/io/iomgr/driver.c… ============================================================================== --- trunk/reactos/ntoskrnl/io/iomgr/driver.c [iso-8859-1] (original) +++ trunk/reactos/ntoskrnl/io/iomgr/driver.c [iso-8859-1] Tue Jul 15 09:24:47 2008 @@ -1085,7 +1085,7 @@ */ /* Call the load/unload routine, depending on current process */ - if (DriverObject->DriverUnload) + if (DriverObject->DriverUnload && DriverObject->DriverSection) { if (PsGetCurrentProcess() == PsInitialSystemProcess) { @@ -1111,13 +1111,22 @@ KeWaitForSingleObject(&LoadParams.Event, UserRequest, KernelMode, FALSE, NULL); } - } - - ObDereferenceObject(DriverObject); - ObDereferenceObject(DriverObject); - MmUnloadSystemImage(DriverObject->DriverSection); - - return STATUS_SUCCESS; + + /* Unload the driver */ + ObDereferenceObject(DriverObject); + ObDereferenceObject(DriverObject); + MmUnloadSystemImage(DriverObject->DriverSection); + + return STATUS_SUCCESS; + } + else + { + /* Dereference one time (refd inside this function) */ + ObDereferenceObject(DriverObject); + + /* Return unloading failure */ + return STATUS_INVALID_DEVICE_REQUEST; + } } VOID @@ -1718,6 +1727,9 @@ } } + /* Store its DriverSection, so that it could be unloaded */ + DriverObject->DriverSection = ModuleObject; + /* We have a driver for this DeviceNode */ DeviceNode->Flags |= DN_DRIVER_LOADED; }