Hartmut Birr wrote:
Alex Ionescu wrote:
Hi,
Sorry but I accidentally lost 60 emails including the one I'm supposed
to reply to.
Hartmut, you have done a recent change in kill.c in which you change
the APC inside PspTerminateThreadByPointer to a user-mode APC. This is
incorrect and I don't understand why it was done... furthermore, I've
even documented a source of information which proves my code was
correct (on top of the function header), so why did you change it?
Hi,
the thread termination APC must be a user mode APC. The kernel routine
(PsExitSpecialApc) calls PspExitThread. PspExitThread can only be called
if no cleanup is necessary like freeing pool memory or dereferencing
kernel mode objects. The only point for the thread terminating is the
return to user mode after a system call or at the end of an exception or
hardware interrupt. PspExitThread cannot be called from a kernel mode
APC, because the APC is delivered at any point where the IRQL drops
below APC_LEVEL. The thread may have referenced some kernel objects at
this point, may have allocated pool memory or may have locked the kernel
address space and so on. Currently there exist some situations where it
isn't possible to terminate a thread if the thread runs in kernel mode.
Such a situation is if the thread waits on an object which will not be
signaled.
- Hartmut
Hi,
Your reply makes perfect sense and now that I look at it, I see that
there is a certain part of the code that I forgot to write (I wrote a
comment on it)... however I insist that the first APC queued is Kernel,
you can see it for yourself in the NT source code snippet...but in the
end it does become a user-mode APC...I'll write up a patch.
Best regards,
Alex Ionescu