[ros-diffs] [ion] 20846: - Fix flaw in win32k hardware message queue which used KMUTEX instead of KMUTANT, thus double-disabling Kernel APCs during the parsing of the queue, which would result in actually delivering hardware message callbacks with Kernel APCs disabled when going to user-mode. This was detected when my new user-mode callback rewrite added checks for this situation, and it originally caused a bugcheck. Since the message queue code is now fixed, the bugcheck has been re-enabled, hopefully no other such violations will be detected (I was able to run/install firefox for a couple of minutes and there was no APC_INDEX_MISMATCH crash). Fixes bug 1272, and thanks to Filip for doing some late-night IRC analysis with me.

ion at svn.reactos.org ion at svn.reactos.org
Sat Jan 14 09:49:31 CET 2006


- Fix flaw in win32k hardware message queue which used KMUTEX instead of
KMUTANT, thus double-disabling Kernel APCs during the parsing of the
queue, which would result in actually delivering hardware message
callbacks with Kernel APCs disabled when going to user-mode. This was
detected when my new user-mode callback rewrite added checks for this
situation, and it originally caused a bugcheck. Since the message queue
code is now fixed, the bugcheck has been re-enabled, hopefully no other
such violations will be detected (I was able to run/install firefox for
a couple of minutes and there was no APC_INDEX_MISMATCH crash). Fixes
bug 1272, and thanks to Filip for doing some late-night IRC analysis
with me.
Modified: trunk/reactos/ntoskrnl/ke/i386/usercall_asm.S
Modified: trunk/reactos/subsys/win32k/ntuser/msgqueue.c
  _____  

Modified: trunk/reactos/ntoskrnl/ke/i386/usercall_asm.S
--- trunk/reactos/ntoskrnl/ke/i386/usercall_asm.S	2006-01-14
04:32:37 UTC (rev 20845)
+++ trunk/reactos/ntoskrnl/ke/i386/usercall_asm.S	2006-01-14
08:49:10 UTC (rev 20846)
@@ -87,7 +87,6 @@

 
 AtPassive:
 
-#if 0
     /* Make sure that we are not attached and that APCs are not
disabled */
     movzx eax, byte ptr [ebx+KTHREAD_APC_STATE_INDEX]
     mov edx, [ebx+KTHREAD_COMBINED_APC_DISABLE]
@@ -104,7 +103,6 @@
     push 0
     push APC_INDEX_MISMATCH
     call _KeBugCheckEx at 20
-#endif
 ApcsEnabled:
 #endif
 
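Review bot: The re-enabled bugcheck still sits inside a conditional block whose opening `#if` is above this hunk (the `#endif` after `ApcsEnabled:` closes it), so whether the APC_INDEX_MISMATCH check is compiled into non-debug builds cannot be seen here and should be confirmed; if that guard is debug-only, release kernels will still enter user mode with kernel APCs disabled silently, which is exactly the condition this commit sets out to catch. The `push 0` ahead of `push APC_INDEX_MISMATCH` makes the first bugcheck parameter a constant, while the preceding hunk has just loaded the thread's ApcStateIndex into eax and CombinedApcDisable into edx; pushing those values (or saved copies, if the comparison between the hunks clobbers them) would make the crash diagnosable from the bugcheck parameters alone. The comparison and the remaining two parameter pushes lie between the hunks and are not visible here.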
  _____  

Modified: trunk/reactos/subsys/win32k/ntuser/msgqueue.c
--- trunk/reactos/subsys/win32k/ntuser/msgqueue.c	2006-01-14
04:32:37 UTC (rev 20845)
+++ trunk/reactos/subsys/win32k/ntuser/msgqueue.c	2006-01-14
08:49:10 UTC (rev 20846)
@@ -46,7 +46,7 @@

 
 static ULONG volatile HardwareMessageQueueStamp = 0;
 static LIST_ENTRY HardwareMessageQueueHead;
-static KMUTEX HardwareMessageQueueLock;
+static KMUTANT HardwareMessageQueueLock;
 
 static KEVENT HardwareMessageEvent;
 
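Review bot: The type change on `HardwareMessageQueueLock` is not by itself what changes APC behaviour — in the NT DDK `KMUTEX` is a typedef of `KMUTANT`, so this line is cosmetic and the real difference comes from initializing the object with KeInitializeMutant rather than KeInitializeMutex, which happens in a later hunk. Because a future reader is likely to "fix" the type back, a comment here would pin the intent: `/* Deliberately a plain mutant, i.e. acquiring it does not disable kernel APCs: this lock is held while hardware-message callbacks go to user mode, and a KMUTEX left APCs disabled on the way out (bug 1272). */`. One consequence worth confirming: with kernel APCs enabled while the lock is held, the owning thread can now be suspended or terminated inside the critical section, so the acquire path (outside this hunk) should cope with STATUS_ABANDONED from the wait.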
@@ -60,7 +60,7 @@
   KeReleaseSpinLock(&SystemMessageQueueLock, OldIrql)
 
 #define IntUnLockSystemHardwareMessageQueueLock(Wait) \
-  KeReleaseMutex(&HardwareMessageQueueLock, Wait)
+  KeReleaseMutant(&HardwareMessageQueueLock, IO_NO_INCREMENT, FALSE,
Wait)
 
 /* FUNCTIONS
*****************************************************************/
 
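Review bot: `KeReleaseMutant(..., IO_NO_INCREMENT, ...)` changes the wake-up priority boost handed to the next waiter, not only the APC handling: if KeReleaseMutex is implemented as `KeReleaseMutant(Mutex, 1, FALSE, Wait)` as in NT, the old macro boosted the waiter by 1 and the new one boosts it by 0. That is probably harmless for this lock, but it is a scheduling change the description does not mention; passing `1` instead of `IO_NO_INCREMENT` keeps the previous behaviour if the boost was not meant to go away. The `Wait` argument keeps its old contract — when TRUE the caller must immediately follow with a KeWait* call — which the macro's callers, outside this hunk, presumably already honour.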
@@ -122,7 +122,7 @@
    InitializeListHead(&HardwareMessageQueueHead);
    KeInitializeEvent(&HardwareMessageEvent, NotificationEvent, 0);
    KeInitializeSpinLock(&SystemMessageQueueLock);
-   KeInitializeMutex(&HardwareMessageQueueLock, 0);
+   KeInitializeMutant(&HardwareMessageQueueLock, 0);
 
    ExInitializePagedLookasideList(&MessageLookasideList,
                                   NULL,
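Review bot: `KeInitializeMutant(&HardwareMessageQueueLock, 0)` takes an InitialOwner BOOLEAN as its second argument, whereas the `0` passed to the old KeInitializeMutex was an (ignored) Level; writing `KeInitializeMutant(&HardwareMessageQueueLock, FALSE);` makes the meaning explicit and avoids the call looking like a leftover from the previous API. A why-comment at this line would also stop someone reverting to a "mutex" because the object is used like one: `/* Mutant, not mutex: acquiring it must not disable kernel APCs, since the lock is held while hardware-message callbacks run in user mode. */`. The initialization function continues outside the hunk, so the ordering with the other initializations cannot be checked here.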