Author: cgutman
Date: Sun Aug 17 01:42:02 2014
New Revision: 63898
URL:
http://svn.reactos.org/svn/reactos?rev=63898&view=rev
Log:
[HAL]
Fix a catastrophic bug in S/G DMA. There is a subtle difference between the S/G DMA APIs
and the old AllocateAdapterChannel API when it comes to having multiple requests in
flight. Callers of (Io)AllocateAdapterChannel CANNOT queue another request until the
AdapterControlRoutine is called. S/G DMA allows multiple concurrent DMA requests, but ROS
was using IoAllocateAdapterChannel in the S/G API. As a result, the wait block stored in
the device object was unexpectedly reinitialized and queued again. This results in a leak
of the originally queued request context, potentially performing the new DMA operation
twice while dropping the old request, and use after free of the context passed to
HalpScatterGatherAdapterControl.
Modified:
trunk/reactos/hal/halx86/generic/dma.c
Modified: trunk/reactos/hal/halx86/generic/dma.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/hal/halx86/generic/dma.c?r…
==============================================================================
--- trunk/reactos/hal/halx86/generic/dma.c [iso-8859-1] (original)
+++ trunk/reactos/hal/halx86/generic/dma.c [iso-8859-1] Sun Aug 17 01:42:02 2014
@@ -919,6 +919,7 @@
PVOID AdapterListControlContext, MapRegisterBase;
ULONG MapRegisterCount;
BOOLEAN WriteToDevice;
+ WAIT_CONTEXT_BLOCK Wcb;
} SCATTER_GATHER_CONTEXT, *PSCATTER_GATHER_CONTEXT;
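Review bot: the new `Wcb` field deserves a one-line comment stating its lifetime requirement, since a wait block is queued by address and the embedding `SCATTER_GATHER_CONTEXT` must therefore stay allocated and untouched until `HalpScatterGatherAdapterControl` has been called for that request. Giving each per-request context its own `WAIT_CONTEXT_BLOCK` is what removes the shared, device-object-resident wait block that the log describes being reinitialized under concurrent requests, so documenting that ownership here helps the next reader not reintroduce a shared block.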
@@ -1041,11 +1042,14 @@
AdapterControlContext->AdapterListControlContext = Context;
AdapterControlContext->WriteToDevice = WriteToDevice;
- return IoAllocateAdapterChannel(AdapterObject,
- DeviceObject,
- AdapterControlContext->MapRegisterCount,
- HalpScatterGatherAdapterControl,
- AdapterControlContext);
+ AdapterControlContext->Wcb.DeviceObject = DeviceObject;
+ AdapterControlContext->Wcb.DeviceContext = AdapterControlContext;
+ AdapterControlContext->Wcb.CurrentIrp = DeviceObject->CurrentIrp;
+
+ return HalAllocateAdapterChannel(AdapterObject,
+ &AdapterControlContext->Wcb,
+ AdapterControlContext->MapRegisterCount,
+ HalpScatterGatherAdapterControl);
}
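Review bot: only three fields of the embedded wait block are initialized here (`DeviceObject`, `DeviceContext`, `CurrentIrp`), while `MapRegisterCount` and `HalpScatterGatherAdapterControl` are now handed to `HalAllocateAdapterChannel` as separate arguments; the hunk relies on the callee filling the remaining `WAIT_CONTEXT_BLOCK` members, which is worth stating in a comment so nobody assumes the block is fully set up at this point. Also, `Wcb.CurrentIrp = DeviceObject->CurrentIrp` copies whatever IRP the device object currently points at; because the log states the S/G path allows several DMA requests in flight, that value may not be the IRP belonging to this particular request, so a short note on whether anything downstream depends on it would avoid a future mis-attribution.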
/**