[cgutman] 63898: [HAL] Fix a catastrophic bug in S/G DMA. There is a subtle difference between the S/G DMA APIs and the old AllocateAdapterChannel API when it comes to having multiple requests in f...
17 Aug
2014
17 Aug
'14
1:42 a.m.
Author: cgutman
Date: Sun Aug 17 01:42:02 2014
New Revision: 63898
URL: http://svn.reactos.org/svn/reactos?rev=63898&view=rev
Log:
[HAL]
Fix a catastrophic bug in S/G DMA. There is a subtle difference between the S/G DMA APIs
and the old AllocateAdapterChannel API when it comes to having multiple requests in
flight. Callers of (Io)AllocateAdapterChannel CANNOT queue another request until the
AdapterControlRoutine is called. S/G DMA allows multiple concurrent DMA requests, but ROS
was using IoAllocateAdapterChannel in the S/G API. As a result, the wait block stored in
the device object was unexpectedly reinitalized and queued again. This results in a leak
of the originally queued request context, potentially performing the new DMA operation
twice while dropping the old request, and use after free of the context passed to
HalpScatterGatherAdapterControl.
Modified:
trunk/reactos/hal/halx86/generic/dma.c
Modified: trunk/reactos/hal/halx86/generic/dma.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/hal/halx86/generic/dma.c?r…
==============================================================================
--- trunk/reactos/hal/halx86/generic/dma.c [iso-8859-1] (original)
+++ trunk/reactos/hal/halx86/generic/dma.c [iso-8859-1] Sun Aug 17 01:42:02 2014
@@ -919,6 +919,7 @@
PVOID AdapterListControlContext, MapRegisterBase;
ULONG MapRegisterCount;
BOOLEAN WriteToDevice;
+ WAIT_CONTEXT_BLOCK Wcb;
} SCATTER_GATHER_CONTEXT, *PSCATTER_GATHER_CONTEXT;
@@ -1041,11 +1042,14 @@
AdapterControlContext->AdapterListControlContext = Context;
AdapterControlContext->WriteToDevice = WriteToDevice;
- return IoAllocateAdapterChannel(AdapterObject,
- DeviceObject,
- AdapterControlContext->MapRegisterCount,
- HalpScatterGatherAdapterControl,
- AdapterControlContext);
+ AdapterControlContext->Wcb.DeviceObject = DeviceObject;
+ AdapterControlContext->Wcb.DeviceContext = AdapterControlContext;
+ AdapterControlContext->Wcb.CurrentIrp = DeviceObject->CurrentIrp;
+
+ return HalAllocateAdapterChannel(AdapterObject,
+ &AdapterControlContext->Wcb,
+ AdapterControlContext->MapRegisterCount,
+ HalpScatterGatherAdapterControl);
}
/**
3738
days inactive
3738
days old
0 comments
1 participants
participants (1)
-
cgutman@svn.reactos.org