VOID
NTAPI
ExWaitForCallBacks(IN PEX_CALLBACK_ROUTINE_BLOCK CallbackBlock)
{
/* Wait on the rundown */
ExWaitForRundownProtectionRelease(&CallbackBlock->RundownProtect);
}
VOID
ExWaitForCallBacks (
IN PEX_CALLBACK_ROUTINE_BLOCK CallBackBlock
)
/*++
Routine Description:
This function waits for all outcalls on the specified
callback block to complete
Arguments:
CallBackBlock - Call back block to wait for
Return Value:
None.
--*/
{
//
// Wait for all active callbacks to be finished.
//
ExWaitForRundownProtectionRelease (&CallBackBlock->RundownProtect);
}
static VOID EvhdFinalize(ParserInstance *parser)
{
if (parser->pRecoveryStatusIrp)
{
IoCancelIrp(parser->pRecoveryStatusIrp);
ExWaitForRundownProtectionRelease(&parser->RecoveryRundownProtection);
IoFreeIrp(parser->pRecoveryStatusIrp);
parser->pRecoveryStatusIrp = NULL;
}
if (parser->pDirectIoIrp)
{
IoFreeIrp(parser->pDirectIoIrp);
parser->pDirectIoIrp = NULL;
}
if (parser->pQoSStatusIrp)
{
IoFreeIrp(parser->pQoSStatusIrp);
parser->pQoSStatusIrp = NULL;
}
if (parser->pQoSStatusBuffer)
{
ExFreePoolWithTag(parser->pQoSStatusBuffer, EvhdQoSPoolTag);
parser->pQoSStatusBuffer = NULL;
}
if (parser->pVhdmpFileObject)
{
ObDereferenceObject(parser->pVhdmpFileObject);
parser->pVhdmpFileObject = NULL;
}
if (parser->FileHandle)
{
ZwClose(parser->FileHandle);
parser->FileHandle = NULL;
}
}
/* KphProtectDeinit
*
* Removes process protection and frees associated structures.
*
* IRQL: <= APC_LEVEL
*/
NTSTATUS KphProtectDeinit()
{
NTSTATUS status = STATUS_SUCCESS;
KIRQL oldIrql;
LARGE_INTEGER waitLi;
/* Unhook. */
status = KphObOpenUnhook(&ProcessOpenHook);
status = KphObOpenUnhook(&ThreadOpenHook);
/* Wait for all activity to finish. */
ExWaitForRundownProtectionRelease(&ProtectedProcessRundownProtect);
/* Wait for a bit (some regions of hook target functions
are NOT guarded by rundown protection, e.g.
prologues and epilogues). */
waitLi.QuadPart = KPH_REL_TIMEOUT_IN_SEC(1);
KeDelayExecutionThread(KernelMode, FALSE, &waitLi);
/* Free all process protection entries. */
ExDeleteNPagedLookasideList(&ProtectedProcessLookasideList);
return status;
}
/*
* FUNCTION: Terminates the current thread
* See "Windows Internals" - Chapter 13, Page 50-53
*/
VOID
NTAPI
PspExitThread(IN NTSTATUS ExitStatus)
{
CLIENT_DIED_MSG TerminationMsg;
NTSTATUS Status;
PTEB Teb;
PEPROCESS CurrentProcess;
PETHREAD Thread, OtherThread, PreviousThread = NULL;
PVOID DeallocationStack;
SIZE_T Dummy;
BOOLEAN Last = FALSE;
PTERMINATION_PORT TerminationPort, NextPort;
PLIST_ENTRY FirstEntry, CurrentEntry;
PKAPC Apc;
PTOKEN PrimaryToken;
PAGED_CODE();
PSTRACE(PS_KILL_DEBUG, "ExitStatus: %d\n", ExitStatus);
/* Get the Current Thread and Process */
Thread = PsGetCurrentThread();
CurrentProcess = Thread->ThreadsProcess;
ASSERT((Thread) == PsGetCurrentThread());
/* Can't terminate a thread if it attached another process */
if (KeIsAttachedProcess())
{
/* Bugcheck */
KeBugCheckEx(INVALID_PROCESS_ATTACH_ATTEMPT,
(ULONG_PTR)CurrentProcess,
(ULONG_PTR)Thread->Tcb.ApcState.Process,
(ULONG_PTR)Thread->Tcb.ApcStateIndex,
(ULONG_PTR)Thread);
}
/* Lower to Passive Level */
KeLowerIrql(PASSIVE_LEVEL);
/* Can't be a worker thread */
if (Thread->ActiveExWorker)
{
/* Bugcheck */
KeBugCheckEx(ACTIVE_EX_WORKER_THREAD_TERMINATION,
(ULONG_PTR)Thread,
0,
0,
0);
}
/* Can't have pending APCs */
if (Thread->Tcb.CombinedApcDisable != 0)
{
/* Bugcheck */
KeBugCheckEx(KERNEL_APC_PENDING_DURING_EXIT,
0,
Thread->Tcb.CombinedApcDisable,
0,
1);
}
/* Lock the thread */
ExWaitForRundownProtectionRelease(&Thread->RundownProtect);
/* Cleanup the power state */
PopCleanupPowerState((PPOWER_STATE)&Thread->Tcb.PowerState);
/* Call the WMI Callback for Threads */
//WmiTraceThread(Thread, NULL, FALSE);
/* Run Thread Notify Routines before we desintegrate the thread */
PspRunCreateThreadNotifyRoutines(Thread, FALSE);
/* Lock the Process before we modify its thread entries */
KeEnterCriticalRegion();
ExAcquirePushLockExclusive(&CurrentProcess->ProcessLock);
/* Decrease the active thread count, and check if it's 0 */
if (!(--CurrentProcess->ActiveThreads))
{
/* Set the delete flag */
InterlockedOr((PLONG)&CurrentProcess->Flags, PSF_PROCESS_DELETE_BIT);
/* Remember we are last */
Last = TRUE;
/* Check if this termination is due to the thread dying */
if (ExitStatus == STATUS_THREAD_IS_TERMINATING)
{
/* Check if the last thread was pending */
if (CurrentProcess->ExitStatus == STATUS_PENDING)
{
/* Use the last exit status */
CurrentProcess->ExitStatus = CurrentProcess->
LastThreadExitStatus;
}
}
else
{
/* Just a normal exit, write the code */
CurrentProcess->ExitStatus = ExitStatus;
}
/* Loop all the current threads */
FirstEntry = &CurrentProcess->ThreadListHead;
CurrentEntry = FirstEntry->Flink;
while (FirstEntry != CurrentEntry)
{
/* Get the thread on the list */
OtherThread = CONTAINING_RECORD(CurrentEntry,
ETHREAD,
ThreadListEntry);
/* Check if it's a thread that's still alive */
if ((OtherThread != Thread) &&
!(KeReadStateThread(&OtherThread->Tcb)) &&
(ObReferenceObjectSafe(OtherThread)))
{
/* It's a live thread and we referenced it, unlock process */
ExReleasePushLockExclusive(&CurrentProcess->ProcessLock);
KeLeaveCriticalRegion();
/* Wait on the thread */
KeWaitForSingleObject(OtherThread,
Executive,
KernelMode,
FALSE,
NULL);
/* Check if we had a previous thread to dereference */
if (PreviousThread) ObDereferenceObject(PreviousThread);
/* Remember the thread and re-lock the process */
PreviousThread = OtherThread;
KeEnterCriticalRegion();
ExAcquirePushLockExclusive(&CurrentProcess->ProcessLock);
}
/* Go to the next thread */
CurrentEntry = CurrentEntry->Flink;
}
}
else if (ExitStatus != STATUS_THREAD_IS_TERMINATING)
{
/* Write down the exit status of the last thread to get killed */
CurrentProcess->LastThreadExitStatus = ExitStatus;
}
/* Unlock the Process */
ExReleasePushLockExclusive(&CurrentProcess->ProcessLock);
KeLeaveCriticalRegion();
/* Check if we had a previous thread to dereference */
if (PreviousThread) ObDereferenceObject(PreviousThread);
/* Check if the process has a debug port and if this is a user thread */
if ((CurrentProcess->DebugPort) && !(Thread->SystemThread))
{
/* Notify the Debug API. */
Last ? DbgkExitProcess(CurrentProcess->ExitStatus) :
DbgkExitThread(ExitStatus);
}
/* Check if this is a Critical Thread */
if ((KdDebuggerEnabled) && (Thread->BreakOnTermination))
{
/* Break to debugger */
PspCatchCriticalBreak("Critical thread 0x%p (in %s) exited\n",
Thread,
CurrentProcess->ImageFileName);
}
/* Check if it's the last thread and this is a Critical Process */
if ((Last) && (CurrentProcess->BreakOnTermination))
{
/* Check if a debugger is here to handle this */
if (KdDebuggerEnabled)
{
/* Break to debugger */
PspCatchCriticalBreak("Critical process 0x%p (in %s) exited\n",
CurrentProcess,
CurrentProcess->ImageFileName);
}
else
{
/* Bugcheck, we can't allow this */
KeBugCheckEx(CRITICAL_PROCESS_DIED,
(ULONG_PTR)CurrentProcess,
0,
0,
0);
}
}
/* Sanity check */
ASSERT(Thread->Tcb.CombinedApcDisable == 0);
/* Process the Termination Ports */
TerminationPort = Thread->TerminationPort;
if (TerminationPort)
{
/* Setup the message header */
TerminationMsg.h.u2.ZeroInit = 0;
TerminationMsg.h.u2.s2.Type = LPC_CLIENT_DIED;
TerminationMsg.h.u1.s1.TotalLength = sizeof(TerminationMsg);
TerminationMsg.h.u1.s1.DataLength = sizeof(TerminationMsg) -
sizeof(PORT_MESSAGE);
/* Loop each port */
do
{
/* Save the Create Time */
TerminationMsg.CreateTime = Thread->CreateTime;
/* Loop trying to send message */
while (TRUE)
{
/* Send the LPC Message */
Status = LpcRequestPort(TerminationPort->Port,
&TerminationMsg.h);
if ((Status == STATUS_NO_MEMORY) ||
(Status == STATUS_INSUFFICIENT_RESOURCES))
{
/* Wait a bit and try again */
KeDelayExecutionThread(KernelMode, FALSE, &ShortTime);
continue;
}
break;
}
/* Dereference this LPC Port */
ObDereferenceObject(TerminationPort->Port);
/* Move to the next one */
NextPort = TerminationPort->Next;
/* Free the Termination Port Object */
ExFreePoolWithTag(TerminationPort, '=TsP');
/* Keep looping as long as there is a port */
TerminationPort = NextPort;
} while (TerminationPort);
}
else if (((ExitStatus == STATUS_THREAD_IS_TERMINATING) &&
(Thread->DeadThread)) ||
!(Thread->DeadThread))
{
/*
* This case is special and deserves some extra comments. What
* basically happens here is that this thread doesn't have a termination
* port, which means that it died before being fully created. Since we
* still have to notify an LPC Server, we'll use the exception port,
* which we know exists. However, we need to know how far the thread
* actually got created. We have three possibilities:
*
* - NtCreateThread returned an error really early: DeadThread is set.
* - NtCreateThread managed to create the thread: DeadThread is off.
* - NtCreateThread was creating the thread (with DeadThread set,
* but the thread got killed prematurely: STATUS_THREAD_IS_TERMINATING
* is our exit code.)
*
* For the 2 & 3rd scenarios, the thread has been created far enough to
* warrant notification to the LPC Server.
*/
/* Setup the message header */
TerminationMsg.h.u2.ZeroInit = 0;
TerminationMsg.h.u2.s2.Type = LPC_CLIENT_DIED;
TerminationMsg.h.u1.s1.TotalLength = sizeof(TerminationMsg);
TerminationMsg.h.u1.s1.DataLength = sizeof(TerminationMsg) -
sizeof(PORT_MESSAGE);
/* Make sure the process has an exception port */
if (CurrentProcess->ExceptionPort)
{
/* Save the Create Time */
TerminationMsg.CreateTime = Thread->CreateTime;
/* Loop trying to send message */
while (TRUE)
{
/* Send the LPC Message */
Status = LpcRequestPort(CurrentProcess->ExceptionPort,
&TerminationMsg.h);
if ((Status == STATUS_NO_MEMORY) ||
(Status == STATUS_INSUFFICIENT_RESOURCES))
{
/* Wait a bit and try again */
KeDelayExecutionThread(KernelMode, FALSE, &ShortTime);
continue;
}
break;
}
}
}
/* Rundown Win32 Thread if there is one */
if (Thread->Tcb.Win32Thread) PspW32ThreadCallout(Thread,
PsW32ThreadCalloutExit);
/* If we are the last thread and have a W32 Process */
if ((Last) && (CurrentProcess->Win32Process))
{
/* Run it down too */
PspW32ProcessCallout(CurrentProcess, FALSE);
}
/* Make sure Stack Swap is enabled */
if (!Thread->Tcb.EnableStackSwap)
{
/* Stack swap really shouldn't be disabled during exit! */
KeBugCheckEx(KERNEL_STACK_LOCKED_AT_EXIT, 0, 0, 0, 0);
}
/* Cancel I/O for the thread. */
IoCancelThreadIo(Thread);
/* Rundown Timers */
ExTimerRundown();
/* FIXME: Rundown Registry Notifications (NtChangeNotify)
CmNotifyRunDown(Thread); */
/* Rundown Mutexes */
KeRundownThread();
/* Check if we have a TEB */
Teb = Thread->Tcb.Teb;
if (Teb)
{
/* Check if the thread is still alive */
if (!Thread->DeadThread)
{
/* Check if we need to free its stack */
if (Teb->FreeStackOnTermination)
{
/* Set the TEB's Deallocation Stack as the Base Address */
Dummy = 0;
DeallocationStack = Teb->DeallocationStack;
/* Free the Thread's Stack */
ZwFreeVirtualMemory(NtCurrentProcess(),
&DeallocationStack,
&Dummy,
MEM_RELEASE);
}
/* Free the debug handle */
if (Teb->DbgSsReserved[1]) ObCloseHandle(Teb->DbgSsReserved[1],
UserMode);
}
/* Decommit the TEB */
MmDeleteTeb(CurrentProcess, Teb);
Thread->Tcb.Teb = NULL;
}
/* Free LPC Data */
LpcExitThread(Thread);
/* Save the exit status and exit time */
Thread->ExitStatus = ExitStatus;
KeQuerySystemTime(&Thread->ExitTime);
/* Sanity check */
ASSERT(Thread->Tcb.CombinedApcDisable == 0);
/* Check if this is the final thread or not */
if (Last)
{
/* Set the process exit time */
CurrentProcess->ExitTime = Thread->ExitTime;
/* Exit the process */
PspExitProcess(TRUE, CurrentProcess);
/* Get the process token and check if we need to audit */
PrimaryToken = PsReferencePrimaryToken(CurrentProcess);
if (SeDetailedAuditingWithToken(PrimaryToken))
{
/* Audit the exit */
SeAuditProcessExit(CurrentProcess);
}
/* Dereference the process token */
ObFastDereferenceObject(&CurrentProcess->Token, PrimaryToken);
/* Check if this is a VDM Process and rundown the VDM DPCs if so */
if (CurrentProcess->VdmObjects) { /* VdmRundownDpcs(CurrentProcess); */ }
/* Kill the process in the Object Manager */
ObKillProcess(CurrentProcess);
/* Check if we have a section object */
if (CurrentProcess->SectionObject)
{
/* Dereference and clear the Section Object */
ObDereferenceObject(CurrentProcess->SectionObject);
CurrentProcess->SectionObject = NULL;
}
/* Check if the process is part of a job */
if (CurrentProcess->Job)
{
/* Remove the process from the job */
PspExitProcessFromJob(CurrentProcess->Job, CurrentProcess);
}
}
/* Disable APCs */
KeEnterCriticalRegion();
/* Disable APC queueing, force a resumption */
Thread->Tcb.ApcQueueable = FALSE;
KeForceResumeThread(&Thread->Tcb);
/* Re-enable APCs */
KeLeaveCriticalRegion();
/* Flush the User APCs */
FirstEntry = KeFlushQueueApc(&Thread->Tcb, UserMode);
if (FirstEntry)
{
/* Start with the first entry */
CurrentEntry = FirstEntry;
do
{
/* Get the APC */
Apc = CONTAINING_RECORD(CurrentEntry, KAPC, ApcListEntry);
/* Move to the next one */
CurrentEntry = CurrentEntry->Flink;
/* Rundown the APC or de-allocate it */
if (Apc->RundownRoutine)
{
/* Call its own routine */
Apc->RundownRoutine(Apc);
}
else
{
/* Do it ourselves */
ExFreePool(Apc);
}
}
while (CurrentEntry != FirstEntry);
}
/* Clean address space if this was the last thread */
if (Last) MmCleanProcessAddressSpace(CurrentProcess);
/* Call the Lego routine */
if (Thread->Tcb.LegoData) PspRunLegoRoutine(&Thread->Tcb);
/* Flush the APC queue, which should be empty */
FirstEntry = KeFlushQueueApc(&Thread->Tcb, KernelMode);
if ((FirstEntry) || (Thread->Tcb.CombinedApcDisable != 0))
{
/* Bugcheck time */
KeBugCheckEx(KERNEL_APC_PENDING_DURING_EXIT,
(ULONG_PTR)FirstEntry,
Thread->Tcb.CombinedApcDisable,
KeGetCurrentIrql(),
0);
}
/* Signal the process if this was the last thread */
if (Last) KeSetProcess(&CurrentProcess->Pcb, 0, FALSE);
/* Terminate the Thread from the Scheduler */
KeTerminateThread(0);
}
_Use_decl_annotations_
NDIS_STATUS
FilterPause(
NDIS_HANDLE FilterModuleContext,
PNDIS_FILTER_PAUSE_PARAMETERS PauseParameters
)
/*++
Routine Description:
Filter pause routine.
Complete all the outstanding sends and queued sends,
wait for all the outstanding recvs to be returned
and return all the queued receives.
Arguments:
FilterModuleContext - pointer to the filter context stucture
PauseParameters - additional information about the pause
Return Value:
NDIS_STATUS_SUCCESS if filter pauses successfully, NDIS_STATUS_PENDING
if not. No other return value is allowed (pause must succeed, eventually).
N.B.: When the filter is in Pausing state, it can still process OID requests,
complete sending, and returning packets to NDIS, and also indicate status.
After this function completes, the filter must not attempt to send or
receive packets, but it may still process OID requests and status
indications.
--*/
{
PMS_FILTER pFilter = (PMS_FILTER)(FilterModuleContext);
NDIS_STATUS Status = STATUS_SUCCESS;
UNREFERENCED_PARAMETER(PauseParameters);
LogFuncEntryMsg(DRIVER_DEFAULT, "Filter: %p", FilterModuleContext);
//
// Set the flag that the filter is going to pause
//
NT_ASSERT(pFilter->State == FilterRunning);
NdisAcquireSpinLock(&FilterListLock);
pFilter->State = FilterPausing;
NdisReleaseSpinLock(&FilterListLock);
//
// Send final notification of interface removal
//
otLwfNotifyDeviceAvailabilityChange(pFilter, FALSE);
LogInfo(DRIVER_DEFAULT, "Interface %!GUID! removal.", &pFilter->InterfaceGuid);
//
// Disable external references and wait for existing calls to complete
//
LogInfo(DRIVER_DEFAULT, "Disabling and waiting for external references to release");
ExWaitForRundownProtectionRelease(&pFilter->ExternalRefs);
LogInfo(DRIVER_DEFAULT, "External references released.");
//
// Clean up based on the device mode
//
if (pFilter->DeviceStatus == OTLWF_DEVICE_STATUS_RADIO_MODE)
{
otLwfUninitializeThreadMode(pFilter);
}
else if (pFilter->DeviceStatus == OTLWF_DEVICE_STATUS_THREAD_MODE)
{
otLwfTunUninitialize(pFilter);
}
pFilter->DeviceStatus = OTLWF_DEVICE_STATUS_UNINTIALIZED;
//
// Clean up the Spinel command processing
//
otLwfCmdUninitialize(pFilter);
//
// Set the state back to Paused now that we are done
//
pFilter->State = FilterPaused;
LogFuncExitNDIS(DRIVER_DEFAULT, Status);
return Status;
}
