Alex Ionescu wrote:
Ok, well that indicates that our VFAT driver is broken. It should be fixed instead of breaking correct code.
That isn't correct. The bug is in IoCreateFile and/or SecondStageCompletion. It is possible that a FS driver returns STATUS_PENDING and later completes the IRP with an error. IoCreateFile does wait on the FileObject event, but in some cases IoSecondStageCompletion doesn't set the result in Irp->UserIosb. This is the reason for bug #609. There are more bugs. All directory/file functions may always provide a user event handle. In some conditions they must provide a user event handle. IoSecondStageCompletion sometimes dereferences the user event and sometimes not. Another problem is the copying of the results to Irp->UserIosb. The old code used MmSafeCopyToUser. It must use this function or guard the copy operation with an exception frame and use MmProbeForWrite. If the operation is asynchronous, the calling thread may be buggy and dereference the status block. In this case ROS crashes. I have the feeling you should start a second rewrite of the I/O completion code.
- Hartmut
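The two points Hartmut raises (a guarded copy of the result into Irp->UserIosb, and exactly one dereference of the user event on every completion path) as an added C model; this is not ReactOS code. The NT types are constructed stand-ins, a static array plays the role of the user address space, and the probe is a bounds check rather than the real fault handler.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the NT types involved; not the ReactOS headers. */
typedef long NTSTATUS;
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000L)
#define STATUS_PENDING          ((NTSTATUS)0x00000103L)
#define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005L)

typedef struct { NTSTATUS Status; uintptr_t Information; } IO_STATUS_BLOCK;
typedef struct { int Signaled; int RefCount; } KEVENT;
typedef struct {
    IO_STATUS_BLOCK  IoStatus;   /* result the driver stored when it completed */
    IO_STATUS_BLOCK *UserIosb;   /* caller-supplied block, may be user memory */
    KEVENT          *UserEvent;  /* optional caller-supplied event */
} IRP;

/* Assumption: this array stands in for the user address space, so the probe
 * below is a bounds check instead of the page-fault handling MmProbeForWrite
 * and MmSafeCopyToUser rely on. */
static IO_STATUS_BLOCK user_space[8];

static bool probe_for_write(const void *p, size_t len) {
    uintptr_t lo = (uintptr_t)user_space, hi = lo + sizeof user_space;
    uintptr_t a = (uintptr_t)p;
    return a >= lo && a < hi && len <= hi - a;
}

/* Model of MmSafeCopyToUser: report a bad destination instead of faulting. */
static NTSTATUS safe_copy_to_user(void *dst, const void *src, size_t len) {
    if (!probe_for_write(dst, len)) return STATUS_ACCESS_VIOLATION;
    memcpy(dst, src, len);
    return STATUS_SUCCESS;
}

/* Second-stage completion: publish IoStatus through the guarded copy, then
 * signal and release the user event on every path, never only on some. */
static NTSTATUS second_stage_completion(IRP *irp) {
    NTSTATUS st = STATUS_SUCCESS;
    if (irp->UserIosb)
        st = safe_copy_to_user(irp->UserIosb, &irp->IoStatus, sizeof irp->IoStatus);
    if (irp->UserEvent) {
        irp->UserEvent->Signaled = 1;
        irp->UserEvent->RefCount--;   /* exactly one dereference */
        irp->UserEvent = NULL;
    }
    return st;
}
```

A completion whose status block lives outside the modelled user range returns STATUS_ACCESS_VIOLATION and still signals and releases the event, instead of taking the kernel down with it.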