Alex Ionescu wrote:
Hi,
Sorry but I accidentally lost 60 emails including the one I'm supposed to reply to.
Hartmut, you have made a recent change in kill.c in which you changed the APC inside PspTerminateThreadByPointer to a user-mode APC. This is incorrect and I don't understand why it was done... furthermore, I've even documented a source of information which proves my code was correct (on top of the function header), so why did you change it?
Hi,
The thread termination APC must be a user-mode APC. The kernel routine (PsExitSpecialApc) calls PspExitThread. PspExitThread can only be called if no cleanup is necessary, like freeing pool memory or dereferencing kernel-mode objects. The only point for the thread terminating is the return to user mode after a system call or at the end of an exception or hardware interrupt. PspExitThread cannot be called from a kernel-mode APC, because the APC is delivered at any point where the IRQL drops below APC_LEVEL. The thread may have referenced some kernel objects at this point, may have allocated pool memory or may have locked the kernel address space, and so on. Currently there exist some situations where it isn't possible to terminate a thread if the thread runs in kernel mode. Such a situation is if the thread waits on an object which will not be signaled.
- Hartmut
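The two delivery points Hartmut describes, as an added toy model (not ReactOS code, and none of these names are kernel APIs): a kernel-mode APC fires at the first point where IRQL drops below APC_LEVEL, even while the thread still holds pool memory or object references, so exiting there leaks them; a user-mode APC fires only on the return to user mode, after the system call's own cleanup, but never fires at all if the thread is stuck in a kernel wait that is never signaled.

```c
#include <stdbool.h>

/* Constructed model of APC delivery for this discussion; not ReactOS code. */
enum apc_mode { KERNEL_APC, USER_APC };
enum irql { PASSIVE_LEVEL = 0, APC_LEVEL = 1 };
enum outcome { EXIT_CLEAN = 0, EXIT_LEAKED = 1, NOT_TERMINATED = 2 };

struct thread {
    int held_pool;      /* outstanding pool allocations; must be 0 at exit */
    int held_refs;      /* outstanding kernel object references; must be 0 */
    bool terminated;
    bool leaked;        /* exited while still holding resources */
};

/* Models PspExitThread: assumes the thread holds nothing and does no cleanup. */
static void exit_thread(struct thread *t) {
    t->terminated = true;
    t->leaked = (t->held_pool != 0 || t->held_refs != 0);
}

/* Kernel-mode APC: delivered wherever IRQL < APC_LEVEL, whatever is held. */
static void deliver_kernel_apc(struct thread *t, enum irql cur) {
    if (!t->terminated && cur < APC_LEVEL) exit_thread(t);
}

/* User-mode APC: delivered only on the transition back to user mode. */
static void deliver_user_apc(struct thread *t, bool returning_to_user) {
    if (!t->terminated && returning_to_user) exit_thread(t);
}

/* One system call with a termination APC pending: take resources, block in a
 * wait (IRQL at PASSIVE_LEVEL), release, return to user mode. If the wait is
 * never signaled the call never returns, so the return-to-user point is never
 * reached. Returns how the termination attempt ended. */
int simulate_terminate(enum apc_mode mode, bool wait_signaled) {
    struct thread t = { 0, 0, false, false };
    t.held_pool = 1;                      /* e.g. a pool allocation */
    t.held_refs = 1;                      /* e.g. a referenced object */
    /* Blocking wait: a kernel APC can fire here, mid-syscall. */
    if (mode == KERNEL_APC) deliver_kernel_apc(&t, PASSIVE_LEVEL);
    if (t.terminated) return t.leaked ? EXIT_LEAKED : EXIT_CLEAN;
    if (!wait_signaled) return NOT_TERMINATED;  /* stuck in kernel forever */
    t.held_pool = 0;                      /* normal cleanup paths run */
    t.held_refs = 0;
    /* Return to user mode: the only point where a user APC is delivered. */
    if (mode == USER_APC) deliver_user_apc(&t, true);
    return t.terminated ? (t.leaked ? EXIT_LEAKED : EXIT_CLEAN) : NOT_TERMINATED;
}
```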