[ros-kernel] Bugs in NtRead/WriteFile (Eric)

Eric Kohl ekohl at rz-online.de
Sun Nov 30 16:54:27 CET 2003

"Gunnar André Dalsnes" <hardon at online.no> wrote:

> Huh? If the operation was synchronous, NtWriteFile should wait for io to
> complete thus it's not possible for IoStatusBlock to get out of scope...
> And where did usetup.exe crash? In
> IoSecondStageCompletion->*Irp->UserIosb=Irp->IoStatus ????

Allocating Irp->UserIosb from the kernel mode stack fixed the crash.
Strange, isn't it?

> Allocating IoStatusBlock (Irp->UserIosb) from NonPagedPool is not a
> requirement, so it seems to me you are trying to work-around another bug.
> We should do a MmSafeCopyToUserMode in IoSecondStageCompletion when doing
> *Irp->UserIosb=Irp->IoStatus, if the irp originated from umode. This makes
> it unnecessary (and incorrect) to use a local "safe" variable for
> IoStatusBlock (Irp->UserIosb) no matter what kind of operation
> (asynch/synch).

I'll try that!

> I think the real bug is that IoSecondStageCompletion are sometimes, for
> synchronous operations, called at DISPATCH_LEVEL. Copying read data back
> to umode and copying the Irp->IoStatus to the umode buffer in
> Irp->UserIosb should fail in this case, but strangely, this seems to work
> ok (I have never seen it crash). You might have been "unlucky", having the
> umode stack paged out while waiting for the write to complete, making
> usetup.exe crash in IoSecondStageCompletion->*Irp->UserIosb=Irp->IoStatus.

Shouldn't IoSecondStageCompletion only be running at PASSIVE_LEVEL?
