Author: cgutman
Date: Sun Aug 17 01:42:02 2014
New Revision: 63898

URL: http://svn.reactos.org/svn/reactos?rev=63898&view=rev
Log:
[HAL] Fix a catastrophic bug in S/G DMA. There is a subtle difference between the S/G DMA APIs and the old AllocateAdapterChannel API when it comes to having multiple requests in flight. Callers of (Io)AllocateAdapterChannel CANNOT queue another request until the AdapterControlRoutine is called. S/G DMA allows multiple concurrent DMA requests, but ROS was using IoAllocateAdapterChannel in the S/G API. As a result, the wait block stored in the device object was unexpectedly reinitialized and queued again. This results in a leak of the originally queued request context, potentially performing the new DMA operation twice while dropping the old request, and a use-after-free of the context passed to HalpScatterGatherAdapterControl.
Modified: trunk/reactos/hal/halx86/generic/dma.c
Modified: trunk/reactos/hal/halx86/generic/dma.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/hal/halx86/generic/dma.c?re... ============================================================================== --- trunk/reactos/hal/halx86/generic/dma.c [iso-8859-1] (original) +++ trunk/reactos/hal/halx86/generic/dma.c [iso-8859-1] Sun Aug 17 01:42:02 2014 @@ -919,6 +919,7 @@ PVOID AdapterListControlContext, MapRegisterBase; ULONG MapRegisterCount; BOOLEAN WriteToDevice; + WAIT_CONTEXT_BLOCK Wcb; } SCATTER_GATHER_CONTEXT, *PSCATTER_GATHER_CONTEXT;
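Review bot: the new `WAIT_CONTEXT_BLOCK Wcb;` member of `SCATTER_GATHER_CONTEXT` carries no comment on its role or lifetime, and this is the field the whole fix hinges on. A one-line comment stating that each S/G request now owns its own wait block (instead of sharing the one in the device object), that `Wcb` is handed to `HalAllocateAdapterChannel`, and that the enclosing context must therefore stay allocated until `HalpScatterGatherAdapterControl` has run would stop a later reader from reintroducing the shared-block assumption the log message describes.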
@@ -1041,11 +1042,14 @@ AdapterControlContext->AdapterListControlContext = Context; AdapterControlContext->WriteToDevice = WriteToDevice;
- return IoAllocateAdapterChannel(AdapterObject, - DeviceObject, - AdapterControlContext->MapRegisterCount, - HalpScatterGatherAdapterControl, - AdapterControlContext); + AdapterControlContext->Wcb.DeviceObject = DeviceObject; + AdapterControlContext->Wcb.DeviceContext = AdapterControlContext; + AdapterControlContext->Wcb.CurrentIrp = DeviceObject->CurrentIrp; + + return HalAllocateAdapterChannel(AdapterObject, + &AdapterControlContext->Wcb, + AdapterControlContext->MapRegisterCount, + HalpScatterGatherAdapterControl); }
/**
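Review bot: `AdapterControlContext->Wcb.CurrentIrp = DeviceObject->CurrentIrp;` copies a single per-device field into a per-request wait block, yet the log message says several S/G requests can be in flight on the same device, so this value may belong to another request or be stale by the time the adapter control routine runs; if the IRP is actually needed it should be passed in by the caller, otherwise it is safer not to set it. The hunk also initialises only `DeviceObject`, `DeviceContext` and `CurrentIrp` of the embedded block; `HalAllocateAdapterChannel` receives `MapRegisterCount` and `HalpScatterGatherAdapterControl` and can fill those members itself, but please confirm the context is allocated zeroed (or clear `Wcb` explicitly) so the remaining `WAIT_CONTEXT_BLOCK` fields, such as the queue entry, do not start with garbage.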