[ros-kernel] Bugs in NtRead/WriteFile (Eric)

Eric Kohl ekohl at rz-online.de
Sun Nov 30 16:54:27 CET 2003


"Gunnar André Dalsnes" <hardon at online.no> wrote:

> Huh? If the operation was synchronous, NtWriteFile should wait for io to
> complete thus it's not possible for IoStatusBlock to get out of scope...
>
> And where did usetup.exe crash? In
> IoSecondStageCompletion->*Irp->UserIosb=Irp->IoStatus ????

Exactly!
Allocating Irp->UserIosb from the kernel mode stack fixed the crash.
Strange, isn't it?


> Allocating IoStatusBlock (Irp->UserIosb) from NonPagedPool is not a
> requirement, so it seems to me you are trying to work around another bug.

Obviously!

> We should do a MmSafeCopyToUserMode in IoSecondStageCompletion when doing
> *Irp->UserIosb=Irp->IoStatus, if the irp originated from umode. This makes
> it unnecessary (and incorrect) to use a local "safe" variable for
> IoStatusBlock (Irp->UserIosb) no matter what kind of operation
> (asynch/synch).

I'll try that!


> I think the real bug is that IoSecondStageCompletion is sometimes, for
> synchronous operations, called at DISPATCH_LEVEL. Copying read data back
> to umode and copying the Irp->IoStatus to the umode buffer in
> Irp->UserIosb should fail in this case, but strangely, this seems to work
> ok (I have never seen it crash). You might have been "unlucky", having the
> umode stack paged out while waiting for the write to complete, making
> usetup.exe crash in IoSecondStageCompletion->*Irp->UserIosb=Irp->IoStatus.

Oooops!
Shouldn't IoSecondStageCompletion only be running at PASSIVE_LEVEL?


Eric
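The completion-path behaviour argued about above, as an added portable C model (not ReactOS code, and not a message from the thread): the kernel types are simplified stand-ins, "user memory" is a struct with Mapped/Resident flags, and WriteUserIosb, CompleteIrp and COMPLETION_RESULT are names chosen here. It shows why a direct `*Irp->UserIosb = Irp->IoStatus` faults the kernel on an invalid user address, why a safe copy turns that into a reported failure, and why neither survives a paged-out status block at DISPATCH_LEVEL.

```c
/* Portable model of the IoSecondStageCompletion path discussed in the thread.
 * Added example, not ReactOS code: types are simplified stand-ins, and the
 * caller's IoStatusBlock lives in a simulated page with mapped/resident flags. */
#include <stdbool.h>
#include <stdint.h>

typedef enum { PASSIVE_LEVEL = 0, DISPATCH_LEVEL = 2 } KIRQL;
typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;
typedef struct { int32_t Status; uintptr_t Information; } IO_STATUS_BLOCK;

/* Simulated user page holding the caller's IoStatusBlock (constructed). */
typedef struct { IO_STATUS_BLOCK Iosb; bool Mapped; bool Resident; } USER_PAGE;

/* Only the IRP fields the completion path touches. */
typedef struct {
    IO_STATUS_BLOCK IoStatus;       /* result filled in by the driver */
    USER_PAGE *UserIosb;            /* caller's IoStatusBlock */
    KPROCESSOR_MODE RequestorMode;
} IRP;

typedef enum { COMPLETED, USER_FAULT_HANDLED, BUGCHECK } COMPLETION_RESULT;

/* Models "*Irp->UserIosb = Irp->IoStatus". With safe == true it behaves like a
 * probing copy (MmSafeCopyToUserMode in the thread): an invalid user address is
 * reported instead of faulting the kernel. Neither variant survives a paged-out
 * page at DISPATCH_LEVEL, because the pager cannot run there; that is the IRQL
 * bug the thread points at. */
static COMPLETION_RESULT WriteUserIosb(USER_PAGE *dst, const IO_STATUS_BLOCK *src,
                                       KIRQL irql, bool safe)
{
    if (!dst->Mapped)                         /* freed or never a valid address */
        return safe ? USER_FAULT_HANDLED : BUGCHECK;
    if (!dst->Resident) {                     /* valid but currently paged out */
        if (irql >= DISPATCH_LEVEL)
            return BUGCHECK;                  /* page fault cannot be serviced */
        dst->Resident = true;                 /* fault serviced at PASSIVE_LEVEL */
    }
    dst->Iosb = *src;
    return COMPLETED;
}

/* Fixed second-stage completion: requests that originated in user mode go
 * through the safe copy; kernel-mode requestors keep the direct write. */
static COMPLETION_RESULT CompleteIrp(IRP *Irp, KIRQL irql)
{
    bool safe = (Irp->RequestorMode == UserMode);
    return WriteUserIosb(Irp->UserIosb, &Irp->IoStatus, irql, safe);
}
```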