int body() {
__rho_1_ = nondet();
if (__rho_1_>0) {
// haven't stopped yet, lets do so
ntStatus = t1394Diag_PnpStopDevice(DeviceObject, Irp);
}
ntStatus = IoSetDeviceInterfaceState();
// lets free up any crom data structs we've allocated...
keA = 1; keA = 0; KeAcquireSpinLock(lock3, Irql);
__rho_2_ = nondet();
k1 = __rho_2_;
while (1) {
if (!(k1>0)) break;
__rho_3_ = nondet();
CromData = __rho_3_;
// get struct off list
k1--;
// need to free up everything associated with this allocate...
if (CromData>0)
{
__rho_4_ = nondet();
if (__rho_4_>0)
ExFreePool0();
__rho_5_ = nondet();
if (__rho_5_>0)
IoFreeMdl();
// we already checked CromData
ExFreePool1(CromData);
}
}
keR = 1; keR = 0; KeReleaseSpinLock(lock3, Irql);
keA = 1; keA = 0; KeAcquireSpinLock(lock1, Irql);
__rho_6_ = nondet();
k2 = __rho_6_;
while (1) {
if (!(k2>0)) break;
AsyncAddressData = nondet();
// get struct off list
AsyncAddressData = nondet();
k2--;
// need to free up everything associated with this allocate...
__rho_7_ = nondet();
if (__rho_7_>0)
IoFreeMdl();
__rho_8_ = nondet();
if (__rho_8_>0)
ExFreePool0();
__rho_9_ = nondet();
if (__rho_9_>0)
ExFreePool0();
if (AsyncAddressData>0)
ExFreePool0();
}
keR = 1; keR = 0; KeReleaseSpinLock(lock1, Irql);
// free up any attached isoch buffers
while (TRUE) {
keA = 1; keA = 0; KeAcquireSpinLock(lock4, Irql);
__rho_10_ = nondet();
k3 = __rho_10_;
if (k3>0) {
IsochDetachData = nondet();
i = nondet();
IsochDetachData = nondet();
k3--;
KeCancelTimer();
keR = 1; keR = 0; KeReleaseSpinLock(lock4, Irql);
t1394_IsochCleanup(IsochDetachData);
}
else {
keR = 1; keR = 0; KeReleaseSpinLock(lock4, Irql);
break;
}
}
// remove any isoch resource data
__rho_11_ = nondet();
k4 = __rho_11_;
while (TRUE) {
keA = 1; keA = 0; KeAcquireSpinLock(lock5, Irql);
if (k4>0) {
__rho_12_ = nondet();
IsochResourceData = __rho_12_;
k4--;
keR = 1; keR = 0; KeReleaseSpinLock(lock5, Irql);
if (IsochResourceData>0) {
pIrb = nondet();
ResourceIrp = nondet();
StackSize = nondet();
ResourceIrp = IoAllocateIrp(StackSize, FALSE);
if (ResourceIrp == 0) {
}
else {
pIrb = ExAllocatePool(NonPagedPool, 0);
if (pIrb<=0) {
IoFreeIrp(ResourceIrp);
}
else {
RtlZeroMemory (pIrb, 0);
ntStatus = t1394_SubmitIrpSynch(ResourceIrp, pIrb);
ExFreePool1(pIrb);
IoFreeIrp(ResourceIrp);
}
}
}
}
else {
keR = 1; keR = 0; KeReleaseSpinLock(lock5, Irql);
break;
}
}
// get rid of any pending bus reset notify requests
keA = 1; keA = 0; KeAcquireSpinLock(lock6, Irql);
__rho_13_ = nondet();
k5 = __rho_13_;
while (1) {
if (!(k5>0)) break;
prevCancel = NULL;
// get the irp off of the list
BusResetIrp = nondet();
k5--;
// make this irp non-cancelable...
prevCancel = IoSetCancelRoutine(NULL);
// and complete it...
IoCompleteRequest(IO_NO_INCREMENT);
ExFreePool1(BusResetIrp);
}
keR = 1; keR = 0; KeReleaseSpinLock(lock6, Irql);
// free up the symbolic link
while(1) { dummy=dummy; } L_return: return 0;
} // t1394Diag_PnpRemoveDevice
/* Source: WDK/src_5239/kmdf/1394/pnp.c, line 634. */
VOID
t1394_EvtDeviceSelfManagedIoCleanup(
/* IN WDFDEVICE Device */
PDEVICE_EXTENSION deviceExtension /* added for SLAyer */
)
{
PLIST_ENTRY listEntry;
//
// Remove any isoch resource data
//
WHILE (TRUE) {
WdfSpinLockAcquire(deviceExtension->IsochResourceSpinLock);
if (!IsListEmpty(&deviceExtension->IsochResourceData)) {
PISOCH_RESOURCE_DATA IsochResourceData = NULL;
/* SLAyer: memory unsafety in original code. Reported as Windows 8 Bug #59410. Fixed by Patrick Maninger 9/Aug/2010. */
listEntry = RemoveHeadList(&deviceExtension->CromData);
IsochResourceData = CONTAINING_RECORD(listEntry,
ISOCH_RESOURCE_DATA,
IsochResourceList);
WdfSpinLockRelease(deviceExtension->IsochResourceSpinLock);
/* TRACE(TL_TRACE, ("Surprise Removal: IsochResourceData = 0x%x\n", */
/* IsochResourceData)); */
if (IsochResourceData) {
PIRB pIrb;
WDFREQUEST request;
NTSTATUS status;
/* TRACE(TL_TRACE, ("Surprise Removal: Freeing hResource = 0x%x\n", */
/* IsochResourceData->hResource)); */
status = WdfRequestCreate(
WDF_NO_OBJECT_ATTRIBUTES,
deviceExtension->StackIoTarget,
&request);
if (!NT_SUCCESS(status)) {
/* TRACE(TL_ERROR, ("Failed to allocate request %x\n", status)); */
free(IsochResourceData); /* SLAyer: added */
}
else {
pIrb = ExAllocatePoolWithTag(NonPagedPool, sizeof(IRB), POOLTAG_1394);
if (!pIrb) {
WdfObjectDelete(request);
/* TRACE(TL_ERROR, ("Failed to allocate pIrb!\n")); */
free(IsochResourceData); /* SLAyer: added */
}
else {
RtlZeroMemory (pIrb, sizeof (IRB));
pIrb->FunctionNumber = REQUEST_ISOCH_FREE_RESOURCES;
pIrb->Flags = 0;
pIrb->u.IsochFreeResources.hResource = IsochResourceData->hResource;
status = t1394_SubmitIrpSynch(deviceExtension->StackIoTarget, request, pIrb);
free(IsochResourceData); /* SLAyer: added */
if (!NT_SUCCESS(status)) {
/* TRACE(TL_ERROR, ("SubmitIrpSync failed = 0x%x\n", status)); */
}
ExFreePool(pIrb);
WdfObjectDelete(request);
}
}
}
}
else {
WdfSpinLockRelease(deviceExtension->IsochResourceSpinLock);
break;
}
}
/* EXIT("t1394_PnpRemoveDevice", STATUS_SUCCESS); */
}
int main() {
if (__VERIFIER_nondet_int()) {
// haven't stopped yet, lets do so
ntStatus = t1394Diag_PnpStopDevice(DeviceObject, Irp);
}
ntStatus = IoSetDeviceInterfaceState();
// lets free up any crom data structs we've allocated...
KeAcquireSpinLock(&lock3, &Irql);
k1 = __VERIFIER_nondet_int();
while (k1>0) {
CromData = __VERIFIER_nondet_int();
// get struct off list
k1--;
// need to free up everything associated with this allocate...
if (CromData)
{
if (__VERIFIER_nondet_int())
ExFreePool0();
if (__VERIFIER_nondet_int())
IoFreeMdl();
// we already checked CromData
ExFreePool1(CromData);
}
}
KeReleaseSpinLock(&lock3, Irql);
KeAcquireSpinLock(&lock1, &Irql);
k2 = __VERIFIER_nondet_int();
while (k2>0) {
AsyncAddressData = __VERIFIER_nondet_int();
// get struct off list
AsyncAddressData = __VERIFIER_nondet_int();
k2--;
// need to free up everything associated with this allocate...
if (__VERIFIER_nondet_int())
IoFreeMdl();
if (__VERIFIER_nondet_int())
ExFreePool0();
if (__VERIFIER_nondet_int())
ExFreePool0();
if (AsyncAddressData)
ExFreePool0();
}
KeReleaseSpinLock(&lock1, Irql);
// free up any attached isoch buffers
while (TRUE) {
KeAcquireSpinLock(&lock4, &Irql);
k3 = __VERIFIER_nondet_int();
if (k3>0) {
IsochDetachData = __VERIFIER_nondet_int();
i = __VERIFIER_nondet_int();
IsochDetachData = __VERIFIER_nondet_int();
k3--;
KeCancelTimer();
KeReleaseSpinLock(&lock4, Irql);
t1394_IsochCleanup(IsochDetachData);
}
else {
KeReleaseSpinLock(&lock4, Irql);
break;
}
}
// remove any isoch resource data
k4 = __VERIFIER_nondet_int();
while (TRUE) {
KeAcquireSpinLock(&lock5, &Irql);
if (k4>0) {
IsochResourceData = __VERIFIER_nondet_int();
k4--;
KeReleaseSpinLock(&lock5, Irql);
if (IsochResourceData) {
pIrb = __VERIFIER_nondet_int();
ResourceIrp = __VERIFIER_nondet_int();
StackSize = __VERIFIER_nondet_int();
ResourceIrp = IoAllocateIrp(StackSize, FALSE);
if (ResourceIrp == NULL) {
}
else {
pIrb = ExAllocatePool(NonPagedPool, sizeof(IRB));
if (!pIrb) {
IoFreeIrp(ResourceIrp);
}
else {
RtlZeroMemory (pIrb, sizeof (IRB));
ntStatus = t1394_SubmitIrpSynch(ResourceIrp, pIrb);
ExFreePool1(pIrb);
IoFreeIrp(ResourceIrp);
}
}
}
}
else {
KeReleaseSpinLock(&lock5, Irql);
break;
}
}
// get rid of any pending bus reset notify requests
KeAcquireSpinLock(&lock6, &Irql);
k5 = __VERIFIER_nondet_int();
while (k5>0) {
prevCancel = NULL;
// get the irp off of the list
BusResetIrp = __VERIFIER_nondet_int();
k5--;
// make this irp non-cancelable...
prevCancel = IoSetCancelRoutine(NULL);
// and complete it...
IoCompleteRequest(IO_NO_INCREMENT);
ExFreePool1(BusResetIrp);
}
KeReleaseSpinLock(&lock6, Irql);
// free up the symbolic link
if(ntStatus != STATUS_SUCCESS) {
phi_nSUC_ret = 1;
}
while(1) {}
}
VOID
t1394_UpdateGenerationCount (
IN PDEVICE_OBJECT DeviceObject,
IN PVOID Context
)
{
PDEVICE_EXTENSION deviceExtension = DeviceObject->DeviceExtension;
PIO_WORKITEM ioWorkItem = Context;
NTSTATUS ntStatus = STATUS_SUCCESS;
PIRB Irb = NULL;
PIRP Irp = NULL;
ENTER("t1394_UpdateGenerationCountWorkItem");
// allocate irp
Irp = IoAllocateIrp (deviceExtension->StackDeviceObject->StackSize, FALSE);
if (!Irp)
{
ntStatus = STATUS_INSUFFICIENT_RESOURCES;
TRACE(TL_ERROR, ("Failed to allocate Irp!\n"));
goto Exit_UpdateGenerationCountWorkItem;
}
// allocate irb
Irb = ExAllocatePool(NonPagedPool, sizeof (IRB));
if (!Irb)
{
ntStatus = STATUS_INSUFFICIENT_RESOURCES;
TRACE(TL_ERROR, ("Failed to allocate Irb!\n"));
goto Exit_UpdateGenerationCountWorkItem;
}
// send request down stack
RtlZeroMemory (Irb, sizeof (IRB));
Irb->FunctionNumber = REQUEST_GET_GENERATION_COUNT;
Irb->Flags = 0;
ntStatus = t1394_SubmitIrpSynch(deviceExtension->StackDeviceObject, Irp, Irb);
// update DeviceExtension->GenerationCount
if (NT_SUCCESS(ntStatus))
{
deviceExtension->GenerationCount = Irb->u.GetGenerationCount.GenerationCount;
TRACE(TL_TRACE, ("GenerationCount = 0x%x\n", deviceExtension->GenerationCount));
}
else
{
TRACE(TL_ERROR, ("SubmitIrpSync failed = 0x%x\n", ntStatus));
}
DbgPrint("1394CMDR: UpdateGenerationCount (%p) -> 0x%x",Context,deviceExtension->GenerationCount);
Exit_UpdateGenerationCountWorkItem:
if (Irp)
{
IoFreeIrp(Irp);
}
if (Irb)
{
ExFreePool (Irb);
}
if (ioWorkItem)
{
IoFreeWorkItem(ioWorkItem);
}
EXIT("t1394_UpdateGenerationCountWorkItem", ntStatus);
return;
}
NTSTATUS
t1394_SetLocalHostProperties(
/*IN*/ WDFDEVICE Device,
/*IN*/ WDFREQUEST Request,
/*IN*/ ULONG nLevel,
/*IN*/ PVOID Information
)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
PDEVICE_EXTENSION deviceExtension = GetDeviceContext(Device);
PIRB pIrb = NULL;
PSET_LOCAL_HOST_PROPS3 R0_SetLocalHostProps3 = NULL;
PCROM_DATA CromData = NULL;
PLIST_ENTRY listHead, thisEntry;
//ENTER("t1394_SetLocalHostProperties");
// allocate irb
pIrb = ExAllocatePoolWithTag(NonPagedPool, sizeof(IRB), POOLTAG_1394);
if (!pIrb) {
// TRACE(TL_ERROR, ("Failed to allocate pIrb!\n"));
ntStatus = STATUS_INSUFFICIENT_RESOURCES;
goto Exit_SetLocalHostProperties;
} // if
RtlZeroMemory (pIrb, sizeof (IRB));
pIrb->FunctionNumber = REQUEST_SET_LOCAL_HOST_PROPERTIES;
pIrb->Flags = 0;
// SI: writes to union broken
// pIrb->u.SetLocalHostProperties.nLevel = nLevel;
// TRACE(TL_TRACE, ("nLevel = 0x%x\n", nLevel));
// TRACE(TL_TRACE, ("Information = 0x%x\n", Information));
if (nLevel == SET_LOCAL_HOST_PROPERTIES_GAP_COUNT) {
PSET_LOCAL_HOST_PROPS2 SetLocalHostProps2;
SetLocalHostProps2 = (PSET_LOCAL_HOST_PROPS2)Information;
// TRACE(TL_TRACE, ("GapCountLowerBound = 0x%x\n", SetLocalHostProps2->GapCountLowerBound));
// SI: writes to union broken
// pIrb->u.SetLocalHostProperties.Information = Information;
}
else if (nLevel == SET_LOCAL_HOST_PROPERTIES_MODIFY_CROM) {
PSET_LOCAL_HOST_PROPS3 SetLocalHostProps3;
SetLocalHostProps3 = (PSET_LOCAL_HOST_PROPS3)Information;
// TRACE(TL_TRACE, ("fulFlags = 0x%x\n", SetLocalHostProps3->fulFlags));
// TRACE(TL_TRACE, ("hCromData = 0x%x\n", SetLocalHostProps3->hCromData));
// TRACE(TL_TRACE, ("nLength = 0x%x\n", SetLocalHostProps3->nLength));
// since we need to create a mdl, we'll create another setlocalhostprops3
// and pass that down to the bus driver
R0_SetLocalHostProps3 = ExAllocatePoolWithTag(NonPagedPool,
sizeof(SET_LOCAL_HOST_PROPS3),
POOLTAG_1394);
if (!R0_SetLocalHostProps3) {
// TRACE(TL_ERROR, ("Failed to allocate R0_SetLocalHostProps3!\n"));
if (pIrb)
ExFreePool(pIrb);
ntStatus = STATUS_INSUFFICIENT_RESOURCES;
goto Exit_SetLocalHostProperties;
} // if
// TRACE(TL_TRACE, ("R0_SetLocalHostProps3 = 0x%x\n", R0_SetLocalHostProps3));
// copy over the contents...
RtlCopyMemory( R0_SetLocalHostProps3,
SetLocalHostProps3,
sizeof(SET_LOCAL_HOST_PROPS3)
);
// branch, depending if we are adding or removing
if (R0_SetLocalHostProps3->fulFlags == SLHP_FLAG_ADD_CROM_DATA) {
// we are adding an entry. let's get our crom data struct...
CromData = ExAllocatePoolWithTag(NonPagedPool,
sizeof(CROM_DATA),
POOLTAG_1394);
if (!CromData) {
// TRACE(TL_ERROR, ("Failed to allocate CromData!\n"));
if (pIrb)
ExFreePool(pIrb);
if (R0_SetLocalHostProps3)
ExFreePool(R0_SetLocalHostProps3);
ntStatus = STATUS_INSUFFICIENT_RESOURCES;
goto Exit_SetLocalHostProperties;
}
// let's allocate our buffer...
CromData->Buffer = ExAllocatePoolWithTag(NonPagedPool,
R0_SetLocalHostProps3->nLength,
POOLTAG_1394);
// TRACE(TL_TRACE, ("CromData->Buffer = 0x%x\n", CromData->Buffer));
if (!CromData->Buffer) {
// TRACE(TL_ERROR, ("Failed to allocate CromData->Buffer!\n"));
if (pIrb)
ExFreePool(pIrb);
if (R0_SetLocalHostProps3)
ExFreePool(R0_SetLocalHostProps3);
if (CromData)
ExFreePool(CromData);
ntStatus = STATUS_INSUFFICIENT_RESOURCES;
goto Exit_SetLocalHostProperties;
}
// copy over contents (mdl == ring 3 buffer)
RtlCopyMemory(CromData->Buffer,
&SetLocalHostProps3->Mdl,
SetLocalHostProps3->nLength);
R0_SetLocalHostProps3->Mdl = IoAllocateMdl (CromData->Buffer,
R0_SetLocalHostProps3->nLength,
FALSE,
FALSE,
NULL);
if(R0_SetLocalHostProps3->Mdl == NULL) {
// TRACE(TL_ERROR, ("Failed to allocate mdl for CromData->Buffer!\n"));
if (pIrb)
ExFreePool(pIrb);
if (R0_SetLocalHostProps3)
ExFreePool(R0_SetLocalHostProps3);
if (CromData)
ExFreePool(CromData);
ntStatus = STATUS_INSUFFICIENT_RESOURCES;
goto Exit_SetLocalHostProperties;
}
MmBuildMdlForNonPagedPool(R0_SetLocalHostProps3->Mdl);
// TRACE(TL_TRACE, ("Mdl = 0x%x\n", R0_SetLocalHostProps3->Mdl));
}
else if (SetLocalHostProps3->fulFlags == SLHP_FLAG_REMOVE_CROM_DATA) {
// TRACE(TL_TRACE, ("hCromData = 0x%x\n", R0_SetLocalHostProps3->hCromData));
}
// SI: writes to union broken
// pIrb->u.SetLocalHostProperties.Information = (PVOID)R0_SetLocalHostProps3;
}
ntStatus = t1394_SubmitIrpSynch(deviceExtension->StackIoTarget, Request, pIrb);
if (!NT_SUCCESS(ntStatus)) {
if (nLevel == SET_LOCAL_HOST_PROPERTIES_MODIFY_CROM) {
if (R0_SetLocalHostProps3 &&
R0_SetLocalHostProps3->fulFlags == SLHP_FLAG_ADD_CROM_DATA) {
if (R0_SetLocalHostProps3->Mdl)
IoFreeMdl(R0_SetLocalHostProps3->Mdl);
if (CromData) {
if (CromData->Buffer) {
ExFreePool(CromData->Buffer);
}
ExFreePool(CromData);
}
}
if (R0_SetLocalHostProps3)
ExFreePool(R0_SetLocalHostProps3);
}
// TRACE(TL_ERROR, ("SubmitIrpSync failed = 0x%x\n", ntStatus));
}
else {
if (nLevel == SET_LOCAL_HOST_PROPERTIES_MODIFY_CROM) {
//
// branch, depending if we are adding or removing
//
if (R0_SetLocalHostProps3 &&
R0_SetLocalHostProps3->fulFlags == SLHP_FLAG_ADD_CROM_DATA) {
PSET_LOCAL_HOST_PROPS3 SetLocalHostProps3;
SetLocalHostProps3 = Information;
SetLocalHostProps3->hCromData = R0_SetLocalHostProps3->hCromData;
// TRACE(TL_TRACE, ("hCromData = 0x%x\n", SetLocalHostProps3->hCromData));
if (CromData) {
CromData->hCromData = SetLocalHostProps3->hCromData;
CromData->pMdl = R0_SetLocalHostProps3->Mdl;
// need to add to our list...
WdfSpinLockAcquire(deviceExtension->CromSpinLock);
InsertHeadList(&deviceExtension->CromData, &CromData->CromList);
WdfSpinLockRelease(deviceExtension->CromSpinLock);
}
}
else if (R0_SetLocalHostProps3 &&
R0_SetLocalHostProps3->fulFlags == SLHP_FLAG_REMOVE_CROM_DATA) {
// have to find our struct...
WdfSpinLockAcquire(deviceExtension->CromSpinLock);
listHead = &deviceExtension->CromData;
for(thisEntry = listHead->Flink;
thisEntry != listHead;
CromData = NULL, thisEntry = thisEntry->Flink)
{
CromData = CONTAINING_RECORD(thisEntry, CROM_DATA, CromList);
if (CromData->hCromData == R0_SetLocalHostProps3->hCromData) {
RemoveEntryList(&CromData->CromList);
break;
}
}
WdfSpinLockRelease(deviceExtension->CromSpinLock);
if (CromData) {
if (CromData->Buffer)
ExFreePool(CromData->Buffer);
if (CromData->pMdl)
IoFreeMdl(CromData->pMdl);
ExFreePool(CromData);
}
}
if (R0_SetLocalHostProps3)
ExFreePool(R0_SetLocalHostProps3);
}
}
Exit_SetLocalHostProperties:
if (pIrb)
{
ExFreePool(pIrb);
}
//EXIT("t1394_SetLocalHostProperties", ntStatus);
return(ntStatus);
} // t1394_SetLocalHostProperties