Author: cgutman
Date: Sun Aug 17 01:42:02 2014
New Revision: 63898

URL: http://svn.reactos.org/svn/reactos?rev=63898&view=rev
Log:
[HAL]
Fix a catastrophic bug in S/G DMA. There is a subtle difference between the S/G 
DMA APIs and the old AllocateAdapterChannel API when it comes to having 
multiple requests in flight. Callers of (Io)AllocateAdapterChannel CANNOT queue 
another request until the AdapterControlRoutine is called. S/G DMA allows 
multiple concurrent DMA requests, but ROS was using IoAllocateAdapterChannel in 
the S/G API. As a result, the wait block stored in the device object was 
unexpectedly reinitialized and queued again. This results in a leak of the 
originally queued request context, potentially performing the new DMA operation 
twice while dropping the old request, and use after free of the context passed 
to HalpScatterGatherAdapterControl.

Modified:
    trunk/reactos/hal/halx86/generic/dma.c

Modified: trunk/reactos/hal/halx86/generic/dma.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/hal/halx86/generic/dma.c?rev=63898&r1=63897&r2=63898&view=diff
==============================================================================
--- trunk/reactos/hal/halx86/generic/dma.c      [iso-8859-1] (original)
+++ trunk/reactos/hal/halx86/generic/dma.c      [iso-8859-1] Sun Aug 17 
01:42:02 2014
@@ -919,6 +919,7 @@
        PVOID AdapterListControlContext, MapRegisterBase;
        ULONG MapRegisterCount;
        BOOLEAN WriteToDevice;
+       WAIT_CONTEXT_BLOCK Wcb;
 } SCATTER_GATHER_CONTEXT, *PSCATTER_GATHER_CONTEXT;
 
 
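Review bot: the new Wcb field at the end of SCATTER_GATHER_CONTEXT should carry a short comment explaining why it exists: each S/G request now owns its own WAIT_CONTEXT_BLOCK so that concurrent requests no longer share the wait block stored in the device object, which the log identifies as the cause of the leak and use-after-free. Without that note a later cleanup could switch the S/G path back to IoAllocateAdapterChannel and reintroduce the bug. Since the structure just grew, also confirm that every allocation and zero-initialization of SCATTER_GATHER_CONTEXT is sized with sizeof(SCATTER_GATHER_CONTEXT) rather than a hard-coded value.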
@@ -1041,11 +1042,14 @@
        AdapterControlContext->AdapterListControlContext = Context;
        AdapterControlContext->WriteToDevice = WriteToDevice;
 
-       return IoAllocateAdapterChannel(AdapterObject,
-                                       DeviceObject,
-                                                                       
AdapterControlContext->MapRegisterCount,
-                                                                       
HalpScatterGatherAdapterControl,
-                                                                       
AdapterControlContext);
+       AdapterControlContext->Wcb.DeviceObject = DeviceObject;
+       AdapterControlContext->Wcb.DeviceContext = AdapterControlContext;
+       AdapterControlContext->Wcb.CurrentIrp = DeviceObject->CurrentIrp;
+
+       return HalAllocateAdapterChannel(AdapterObject,
+               &AdapterControlContext->Wcb,
+               AdapterControlContext->MapRegisterCount,
+               HalpScatterGatherAdapterControl);
 }
 
 /**
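Review bot: Wcb.CurrentIrp is taken from DeviceObject->CurrentIrp, but with several S/G requests in flight, which is exactly the case this change is meant to support, the device object's CurrentIrp is not guaranteed to be the IRP that belongs to this request. If the enclosing function has the request's IRP available, store that instead; otherwise add a comment that CurrentIrp is only advisory on the S/G path. One more line of documentation would help here: the old call passed AdapterControlContext as an explicit argument, and it now reaches HalpScatterGatherAdapterControl through Wcb.DeviceContext, so the assignment `AdapterControlContext->Wcb.DeviceContext = AdapterControlContext;` is load-bearing and must stay in step with what that routine expects.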