NTSTATUS
IrpCreateFile(
IN PUNICODE_STRING FileName,
IN ACCESS_MASK DesiredAccess,
__out PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PDEVICE_OBJECT DeviceObject,
IN PDEVICE_OBJECT RealDevice,
OUT PFILE_OBJECT *Object
)
{
NTSTATUS status;
KEVENT event;
PIRP irp;
PIO_STACK_LOCATION irpSp;
IO_SECURITY_CONTEXT securityContext;
ACCESS_STATE accessState;
OBJECT_ATTRIBUTES objectAttributes;
PFILE_OBJECT fileObject;
AUX_ACCESS_DATA auxData;
PAGED_CODE();
RtlZeroMemory(&auxData, sizeof(AUX_ACCESS_DATA));
InitializeObjectAttributes(&objectAttributes, NULL, OBJ_CASE_INSENSITIVE| OBJ_KERNEL_HANDLE, 0, NULL);
status = ObCreateObject(KernelMode,
*IoFileObjectType,
&objectAttributes,
KernelMode,
NULL,
sizeof(FILE_OBJECT),
0,
0,
(PVOID *)&fileObject);
if (!NT_SUCCESS(status)) {
return status;
}
RtlZeroMemory(fileObject, sizeof(FILE_OBJECT));
fileObject->Type = IO_TYPE_FILE;
fileObject->Size = sizeof(FILE_OBJECT);
fileObject->DeviceObject = RealDevice;
// fileObject->RelatedFileObject = NULL;
fileObject->Flags = FO_SYNCHRONOUS_IO;
fileObject->FileName.MaximumLength = FileName->MaximumLength;
fileObject->FileName.Buffer = (PWCH)ExAllocatePoolWithTag(NonPagedPool, FileName->MaximumLength, 'File');
//fileObject->FileObjectExtension
if (fileObject->FileName.Buffer == NULL) {
ObDereferenceObject(fileObject);
return STATUS_INSUFFICIENT_RESOURCES;
}
RtlCopyUnicodeString(&fileObject->FileName, FileName);
KeInitializeEvent(&fileObject->Lock, SynchronizationEvent, FALSE);
KeInitializeEvent(&fileObject->Event, NotificationEvent, FALSE);
irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
if (irp == NULL) {
ObDereferenceObject(fileObject);
return STATUS_INSUFFICIENT_RESOURCES;
}
KeInitializeEvent(&event, SynchronizationEvent, FALSE);
irp->MdlAddress = NULL;
irp->Flags |= IRP_CREATE_OPERATION | IRP_SYNCHRONOUS_API;
irp->RequestorMode = KernelMode;
irp->UserIosb = IoStatusBlock;
////LCXL:CHANGE
irp->UserEvent = &event;
//irp->UserEvent = NULL;
irp->PendingReturned = FALSE;
irp->Cancel = FALSE;
irp->CancelRoutine = NULL;
irp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();
irp->Tail.Overlay.AuxiliaryBuffer = NULL;
irp->Tail.Overlay.OriginalFileObject = fileObject;
status = SeCreateAccessState(&accessState,
&auxData,
DesiredAccess,
IoGetFileObjectGenericMapping());
if (!NT_SUCCESS(status)) {
IoFreeIrp(irp);
ExFreePool(fileObject->FileName.Buffer);
ObDereferenceObject(fileObject);
return status;
}
securityContext.SecurityQos = NULL;
securityContext.AccessState = &accessState;
securityContext.DesiredAccess = DesiredAccess;
securityContext.FullCreateOptions = 0;
irpSp = IoGetNextIrpStackLocation(irp);
irpSp->MajorFunction = IRP_MJ_CREATE;
irpSp->DeviceObject = DeviceObject;
irpSp->FileObject = fileObject;
irpSp->Parameters.Create.SecurityContext = &securityContext;
irpSp->Parameters.Create.Options = (CreateDisposition << 24) | CreateOptions;
irpSp->Parameters.Create.FileAttributes = (USHORT)FileAttributes;
irpSp->Parameters.Create.ShareAccess = (USHORT)ShareAccess;
irpSp->Parameters.Create.EaLength = 0;
IoSetCompletionRoutine(irp, IoCompletionRoutine, NULL, TRUE, TRUE, TRUE);
status = IoCallDriver(DeviceObject, irp);
if (status == STATUS_PENDING) {
KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, NULL);
}
status = IoStatusBlock->Status;
if (!NT_SUCCESS(status)) {
ExFreePool(fileObject->FileName.Buffer);
fileObject->FileName.Length = 0;
fileObject->DeviceObject = NULL;
ObDereferenceObject(fileObject);
} else {
InterlockedIncrement(&fileObject->DeviceObject->ReferenceCount);
if (fileObject->Vpb) {
InterlockedIncrement((PLONG)&fileObject->Vpb->ReferenceCount);
}
*Object = fileObject;
KdPrint(("IrpCreateFile:Open file success! object = %x\n", fileObject));
}
return status;
}
VOID
LspPollingThread(
IN PVOID Context
)
/*++
Routine Description:
This is the main thread that removes IRP from the queue
and peforms I/O on it.
Arguments:
Context -- pointer to the device object
--*/
{
PDEVICE_OBJECT DeviceObject = Context;
PDEVICE_EXTENSION DevExtension = DeviceObject->DeviceExtension;
PIRP Irp;
NTSTATUS Status;
KeSetPriorityThread(KeGetCurrentThread(), LOW_REALTIME_PRIORITY );
//
// Now enter the main IRP-processing loop
//
while( TRUE )
{
//
// Wait indefinitely for an IRP to appear in the work queue or for
// the Unload routine to stop the thread. Every successful return
// from the wait decrements the semaphore count by 1.
//
KeWaitForSingleObject(
&DevExtension->IrpQueueSemaphore,
Executive,
KernelMode,
FALSE,
NULL );
//
// See if thread was awakened because driver is unloading itself...
//
if( DevExtension->ThreadShouldStop )
{
PsTerminateSystemThread( STATUS_SUCCESS );
}
//
// Remove a pending IRP from the queue.
//
Irp = IoCsqRemoveNextIrp(&DevExtension->CancelSafeQueue, NULL);
if(!Irp)
{
LSP_KDPRINT(("Oops, a queued irp got cancelled\n"));
continue; // go back to waiting
}
while(TRUE)
{
//
// Perform I/O
//
Status = LspPollDevice(DeviceObject, Irp);
if(Status == STATUS_PENDING)
{
//
// Device is not ready, so sleep for a while and try again.
//
KeDelayExecutionThread(
KernelMode,
FALSE,
&DevExtension->PollingInterval);
}
else
{
//
// I/O is successful, so complete the Irp.
//
Irp->IoStatus.Status = Status;
IoCompleteRequest (Irp, IO_NO_INCREMENT);
break;
}
}
//
// Go back to the top of the loop to see if there's another request waiting.
//
} // end of while-loop
}
__drv_mustHoldCriticalRegion
VOID
FatStackOverflowRead (
IN PVOID Context,
IN PKEVENT Event
)
/*++
Routine Description:
This routine processes a read request that could not be processed by
the fsp thread because of stack overflow potential.
Arguments:
Context - Supplies the IrpContext being processed
Event - Supplies the event to be signaled when we are done processing this
request.
Return Value:
None.
--*/
{
PIRP_CONTEXT IrpContext = Context;
PKTHREAD SavedVerifyThread = NULL;
PVCB Vcb = NULL;
PAGED_CODE();
//
// Make it now look like we can wait for I/O to complete
//
SetFlag( IrpContext->Flags, IRP_CONTEXT_FLAG_WAIT );
//
// If this read was as the result of a verify we have to fake out the
// the Vcb->VerifyThread field.
//
if (FlagOn(IrpContext->Flags, IRP_CONTEXT_FLAG_VERIFY_READ)) {
PFCB Fcb = (PFCB)IoGetCurrentIrpStackLocation(IrpContext->OriginatingIrp)->
FileObject->FsContext;
if (NodeType( Fcb ) == FAT_NTC_VCB) {
Vcb = (PVCB) Fcb;
} else {
Vcb = Fcb->Vcb;
}
ASSERT( Vcb->VerifyThread != NULL );
SavedVerifyThread = Vcb->VerifyThread;
Vcb->VerifyThread = KeGetCurrentThread();
}
//
// Do the read operation protected by a try-except clause
//
try {
(VOID) FatCommonRead( IrpContext, IrpContext->OriginatingIrp );
} except(FatExceptionFilter( IrpContext, GetExceptionInformation() )) {
NTSTATUS ExceptionCode;
//
// We had some trouble trying to perform the requested
// operation, so we'll abort the I/O request with
// the error status that we get back from the
// execption code
//
ExceptionCode = GetExceptionCode();
if (ExceptionCode == STATUS_FILE_DELETED) {
IrpContext->ExceptionStatus = ExceptionCode = STATUS_END_OF_FILE;
IrpContext->OriginatingIrp->IoStatus.Information = 0;
}
(VOID) FatProcessException( IrpContext, IrpContext->OriginatingIrp, ExceptionCode );
}
//
// Restore the original VerifyVolumeThread
//
if (SavedVerifyThread != NULL) {
ASSERT( Vcb->VerifyThread == KeGetCurrentThread() );
Vcb->VerifyThread = SavedVerifyThread;
}
//
// Set the stack overflow item's event to tell the original
// thread that we're done.
//
KeSetEvent( Event, 0, FALSE );
}
VOID
NTAPI
MmZeroPageThread(VOID)
{
PKTHREAD Thread = KeGetCurrentThread();
PVOID StartAddress, EndAddress;
PVOID WaitObjects[2];
KIRQL OldIrql;
PVOID ZeroAddress;
PFN_NUMBER PageIndex, FreePage;
PMMPFN Pfn1;
/* Get the discardable sections to free them */
MiFindInitializationCode(&StartAddress, &EndAddress);
if (StartAddress) MiFreeInitializationCode(StartAddress, EndAddress);
DPRINT("Free non-cache pages: %lx\n", MmAvailablePages + MiMemoryConsumers[MC_CACHE].PagesUsed);
/* Set our priority to 0 */
Thread->BasePriority = 0;
KeSetPriorityThread(Thread, 0);
/* Setup the wait objects */
WaitObjects[0] = &MmZeroingPageEvent;
// WaitObjects[1] = &PoSystemIdleTimer; FIXME: Implement idle timer
while (TRUE)
{
KeWaitForMultipleObjects(1, // 2
WaitObjects,
WaitAny,
WrFreePage,
KernelMode,
FALSE,
NULL,
NULL);
OldIrql = KeAcquireQueuedSpinLock(LockQueuePfnLock);
while (TRUE)
{
if (!MmFreePageListHead.Total)
{
MmZeroingPageThreadActive = FALSE;
KeReleaseQueuedSpinLock(LockQueuePfnLock, OldIrql);
break;
}
PageIndex = MmFreePageListHead.Flink;
ASSERT(PageIndex != LIST_HEAD);
Pfn1 = MiGetPfnEntry(PageIndex);
MI_SET_USAGE(MI_USAGE_ZERO_LOOP);
MI_SET_PROCESS2("Kernel 0 Loop");
FreePage = MiRemoveAnyPage(MI_GET_PAGE_COLOR(PageIndex));
/* The first global free page should also be the first on its own list */
if (FreePage != PageIndex)
{
KeBugCheckEx(PFN_LIST_CORRUPT,
0x8F,
FreePage,
PageIndex,
0);
}
Pfn1->u1.Flink = LIST_HEAD;
KeReleaseQueuedSpinLock(LockQueuePfnLock, OldIrql);
ZeroAddress = MiMapPagesInZeroSpace(Pfn1, 1);
ASSERT(ZeroAddress);
RtlZeroMemory(ZeroAddress, PAGE_SIZE);
MiUnmapPagesInZeroSpace(ZeroAddress, 1);
OldIrql = KeAcquireQueuedSpinLock(LockQueuePfnLock);
MiInsertPageInList(&MmZeroedPageListHead, PageIndex);
}
}
}
NTSTATUS
KeUserModeCallback (
IN ULONG ApiNumber,
IN PVOID InputBuffer,
IN ULONG InputLength,
OUT PVOID *OutputBuffer,
IN PULONG OutputLength
)
/*++
Routine Description:
This function call out from kernel mode to a user mode function.
Arguments:
ApiNumber - Supplies the API number.
InputBuffer - Supplies a pointer to a structure that is copied
to the user stack.
InputLength - Supplies the length of the input structure.
Outputbuffer - Supplies a pointer to a variable that receives
the address of the output buffer.
Outputlength - Supplies a pointer to a variable that receives
the length of the output buffer.
Return Value:
If the callout cannot be executed, then an error status is
returned. Otherwise, the status returned by the callback function
is returned.
--*/
{
PUCALLOUT_FRAME CalloutFrame;
ULONG Length;
ULONGLONG OldStack;
NTSTATUS Status;
PKTRAP_FRAME TrapFrame;
PULONG UserStack;
PVOID ValueBuffer;
ULONG ValueLength;
ASSERT(KeGetPreviousMode() == UserMode);
//
// Get the user mode stack pointer and attempt to copy input buffer
// to the user stack.
//
TrapFrame = KeGetCurrentThread()->TrapFrame;
OldStack = TrapFrame->IntSp;
try {
//
// Compute new user mode stack address, probe for writability,
// and copy the input buffer to the user stack.
//
// N.B. Alpha requires stacks to be 16-byte aligned, therefore
// the input length must be rounded up to a 16-byte boundary.
//
Length = (InputLength +
16 - 1 + sizeof(UCALLOUT_FRAME)) & ~(16 - 1);
CalloutFrame = (PUCALLOUT_FRAME)(OldStack - Length);
ProbeForWrite(CalloutFrame, Length, sizeof(QUAD));
RtlCopyMemory(CalloutFrame + 1, InputBuffer, InputLength);
//
// Allocate stack frame and fill in callout arguments.
//
CalloutFrame->Buffer = (PVOID)(CalloutFrame + 1);
CalloutFrame->Length = InputLength;
CalloutFrame->ApiNumber = ApiNumber;
CalloutFrame->Sp = OldStack;
CalloutFrame->Ra = TrapFrame->IntRa;
//
// If an exception occurs during the probe of the user stack, then
// always handle the exception and return the exception code as the
// status value.
//
} except (EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode();
}
//
// Call user mode.
//
TrapFrame->IntSp = (ULONGLONG)(LONG)CalloutFrame;
Status = KiCallUserMode(OutputBuffer, OutputLength);
TrapFrame->IntSp = OldStack;
//
// When returning from user mode, any drawing done to the GDI TEB
// batch must be flushed.
//
if (((PTEB)KeGetCurrentThread()->Teb)->GdiBatchCount > 0) {
//
// call GDI batch flush routine
//
KeGdiFlushUserBatch();
}
return Status;
}
static VOID MainThreadProc (PVOID threadArg)
{
EncryptedIoQueue *queue = (EncryptedIoQueue *) threadArg;
PLIST_ENTRY listEntry;
EncryptedIoQueueItem *item;
LARGE_INTEGER fragmentOffset;
ULONG dataRemaining;
PUCHAR activeFragmentBuffer = queue->FragmentBufferA;
PUCHAR dataBuffer;
EncryptedIoRequest *request;
uint64 intersectStart;
uint32 intersectLength;
if (IsEncryptionThreadPoolRunning())
KeSetPriorityThread (KeGetCurrentThread(), LOW_REALTIME_PRIORITY);
while (!queue->ThreadExitRequested)
{
if (!NT_SUCCESS (KeWaitForSingleObject (&queue->MainThreadQueueNotEmptyEvent, Executive, KernelMode, FALSE, NULL)))
continue;
while ((listEntry = ExInterlockedRemoveHeadList (&queue->MainThreadQueue, &queue->MainThreadQueueLock)))
{
PIRP irp = CONTAINING_RECORD (listEntry, IRP, Tail.Overlay.ListEntry);
PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation (irp);
if (queue->Suspended)
KeWaitForSingleObject (&queue->QueueResumedEvent, Executive, KernelMode, FALSE, NULL);
item = GetPoolBuffer (queue, sizeof (EncryptedIoQueueItem));
item->Queue = queue;
item->OriginalIrp = irp;
item->Status = STATUS_SUCCESS;
IoSetCancelRoutine (irp, NULL);
if (irp->Cancel)
{
CompleteOriginalIrp (item, STATUS_CANCELLED, 0);
continue;
}
switch (irpSp->MajorFunction)
{
case IRP_MJ_READ:
item->Write = FALSE;
item->OriginalOffset = irpSp->Parameters.Read.ByteOffset;
item->OriginalLength = irpSp->Parameters.Read.Length;
break;
case IRP_MJ_WRITE:
item->Write = TRUE;
item->OriginalOffset = irpSp->Parameters.Write.ByteOffset;
item->OriginalLength = irpSp->Parameters.Write.Length;
break;
default:
CompleteOriginalIrp (item, STATUS_INVALID_PARAMETER, 0);
continue;
}
#ifdef TC_TRACE_IO_QUEUE
item->OriginalIrpOffset = item->OriginalOffset;
#endif
// Handle misaligned read operations to work around a bug in Windows System Assessment Tool which does not follow FILE_FLAG_NO_BUFFERING requirements when benchmarking disk devices
if (queue->IsFilterDevice
&& !item->Write
&& item->OriginalLength > 0
&& (item->OriginalLength & (ENCRYPTION_DATA_UNIT_SIZE - 1)) == 0
&& (item->OriginalOffset.QuadPart & (ENCRYPTION_DATA_UNIT_SIZE - 1)) != 0)
{
byte *buffer;
ULONG alignedLength = item->OriginalLength + ENCRYPTION_DATA_UNIT_SIZE;
LARGE_INTEGER alignedOffset;
alignedOffset.QuadPart = item->OriginalOffset.QuadPart & ~((LONGLONG) ENCRYPTION_DATA_UNIT_SIZE - 1);
buffer = TCalloc (alignedLength);
if (!buffer)
{
CompleteOriginalIrp (item, STATUS_INSUFFICIENT_RESOURCES, 0);
continue;
}
item->Status = TCReadDevice (queue->LowerDeviceObject, buffer, alignedOffset, alignedLength);
if (NT_SUCCESS (item->Status))
{
UINT64_STRUCT dataUnit;
dataBuffer = (PUCHAR) MmGetSystemAddressForMdlSafe (irp->MdlAddress, HighPagePriority);
if (!dataBuffer)
{
TCfree (buffer);
CompleteOriginalIrp (item, STATUS_INSUFFICIENT_RESOURCES, 0);
continue;
}
if (queue->EncryptedAreaStart != -1 && queue->EncryptedAreaEnd != -1)
{
GetIntersection (alignedOffset.QuadPart, alignedLength, queue->EncryptedAreaStart, queue->EncryptedAreaEnd, &intersectStart, &intersectLength);
if (intersectLength > 0)
{
dataUnit.Value = intersectStart / ENCRYPTION_DATA_UNIT_SIZE;
DecryptDataUnits (buffer + (intersectStart - alignedOffset.QuadPart), &dataUnit, intersectLength / ENCRYPTION_DATA_UNIT_SIZE, queue->CryptoInfo);
}
}
memcpy (dataBuffer, buffer + (item->OriginalOffset.LowPart & (ENCRYPTION_DATA_UNIT_SIZE - 1)), item->OriginalLength);
}
TCfree (buffer);
CompleteOriginalIrp (item, item->Status, NT_SUCCESS (item->Status) ? item->OriginalLength : 0);
continue;
}
// Validate offset and length
if (item->OriginalLength == 0
|| (item->OriginalLength & (ENCRYPTION_DATA_UNIT_SIZE - 1)) != 0
|| (item->OriginalOffset.QuadPart & (ENCRYPTION_DATA_UNIT_SIZE - 1)) != 0
|| (!queue->IsFilterDevice && item->OriginalOffset.QuadPart + item->OriginalLength > queue->VirtualDeviceLength))
{
CompleteOriginalIrp (item, STATUS_INVALID_PARAMETER, 0);
continue;
}
#ifdef TC_TRACE_IO_QUEUE
Dump ("Q %I64d [%I64d] %c len=%d\n", item->OriginalOffset.QuadPart, GetElapsedTime (&queue->LastPerformanceCounter), item->Write ? 'W' : 'R', item->OriginalLength);
#endif
if (!queue->IsFilterDevice)
{
// Adjust the offset for host file or device
if (queue->CryptoInfo->hiddenVolume)
item->OriginalOffset.QuadPart += queue->CryptoInfo->hiddenVolumeOffset;
else
item->OriginalOffset.QuadPart += queue->CryptoInfo->volDataAreaOffset;
// Hidden volume protection
if (item->Write && queue->CryptoInfo->bProtectHiddenVolume)
{
// If there has already been a write operation denied in order to protect the
// hidden volume (since the volume mount time)
if (queue->CryptoInfo->bHiddenVolProtectionAction)
{
// Do not allow writing to this volume anymore. This is to fake a complete volume
// or system failure (otherwise certain kinds of inconsistency within the file
// system could indicate that this volume has used hidden volume protection).
CompleteOriginalIrp (item, STATUS_INVALID_PARAMETER, 0);
continue;
}
// Verify that no byte is going to be written to the hidden volume area
if (RegionsOverlap ((unsigned __int64) item->OriginalOffset.QuadPart,
(unsigned __int64) item->OriginalOffset.QuadPart + item->OriginalLength - 1,
queue->CryptoInfo->hiddenVolumeOffset,
(unsigned __int64) queue->CryptoInfo->hiddenVolumeOffset + queue->CryptoInfo->hiddenVolumeProtectedSize - 1))
{
Dump ("Hidden volume protection triggered: write %I64d-%I64d (protected %I64d-%I64d)\n", item->OriginalOffset.QuadPart, item->OriginalOffset.QuadPart + item->OriginalLength - 1, queue->CryptoInfo->hiddenVolumeOffset, queue->CryptoInfo->hiddenVolumeOffset + queue->CryptoInfo->hiddenVolumeProtectedSize - 1);
queue->CryptoInfo->bHiddenVolProtectionAction = TRUE;
// Deny this write operation to prevent the hidden volume from being overwritten
CompleteOriginalIrp (item, STATUS_INVALID_PARAMETER, 0);
continue;
}
}
}
else if (item->Write
&& RegionsOverlap (item->OriginalOffset.QuadPart, item->OriginalOffset.QuadPart + item->OriginalLength - 1, TC_BOOT_VOLUME_HEADER_SECTOR_OFFSET, TC_BOOT_VOLUME_HEADER_SECTOR_OFFSET + TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE - 1))
{
// Prevent inappropriately designed software from damaging important data that may be out of sync with the backup on the Rescue Disk (such as the end of the encrypted area).
Dump ("Preventing write to the system encryption key data area\n");
CompleteOriginalIrp (item, STATUS_MEDIA_WRITE_PROTECTED, 0);
continue;
}
else if (item->Write && IsHiddenSystemRunning()
&& (RegionsOverlap (item->OriginalOffset.QuadPart, item->OriginalOffset.QuadPart + item->OriginalLength - 1, TC_SECTOR_SIZE_BIOS, TC_BOOT_LOADER_AREA_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS - 1)
|| RegionsOverlap (item->OriginalOffset.QuadPart, item->OriginalOffset.QuadPart + item->OriginalLength - 1, GetBootDriveLength(), _I64_MAX)))
{
Dump ("Preventing write to boot loader or host protected area\n");
CompleteOriginalIrp (item, STATUS_MEDIA_WRITE_PROTECTED, 0);
continue;
}
dataBuffer = (PUCHAR) MmGetSystemAddressForMdlSafe (irp->MdlAddress, HighPagePriority);
if (dataBuffer == NULL)
{
CompleteOriginalIrp (item, STATUS_INSUFFICIENT_RESOURCES, 0);
continue;
}
// Divide data block to fragments to enable efficient overlapping of encryption and IO operations
dataRemaining = item->OriginalLength;
fragmentOffset = item->OriginalOffset;
while (dataRemaining > 0)
{
BOOL isLastFragment = dataRemaining <= TC_ENC_IO_QUEUE_MAX_FRAGMENT_SIZE;
ULONG dataFragmentLength = isLastFragment ? dataRemaining : TC_ENC_IO_QUEUE_MAX_FRAGMENT_SIZE;
activeFragmentBuffer = (activeFragmentBuffer == queue->FragmentBufferA ? queue->FragmentBufferB : queue->FragmentBufferA);
InterlockedIncrement (&queue->IoThreadPendingRequestCount);
// Create IO request
request = GetPoolBuffer (queue, sizeof (EncryptedIoRequest));
request->Item = item;
request->CompleteOriginalIrp = isLastFragment;
request->Offset = fragmentOffset;
request->Data = activeFragmentBuffer;
request->OrigDataBufferFragment = dataBuffer;
request->Length = dataFragmentLength;
if (queue->IsFilterDevice)
{
if (queue->EncryptedAreaStart == -1 || queue->EncryptedAreaEnd == -1)
{
request->EncryptedLength = 0;
}
else
{
// Get intersection of data fragment with encrypted area
GetIntersection (fragmentOffset.QuadPart, dataFragmentLength, queue->EncryptedAreaStart, queue->EncryptedAreaEnd, &intersectStart, &intersectLength);
request->EncryptedOffset = intersectStart - fragmentOffset.QuadPart;
request->EncryptedLength = intersectLength;
}
}
else
{
request->EncryptedOffset = 0;
request->EncryptedLength = dataFragmentLength;
}
AcquireFragmentBuffer (queue, activeFragmentBuffer);
if (item->Write)
{
// Encrypt data
memcpy (activeFragmentBuffer, dataBuffer, dataFragmentLength);
if (request->EncryptedLength > 0)
{
UINT64_STRUCT dataUnit;
ASSERT (request->EncryptedOffset + request->EncryptedLength <= request->Offset.QuadPart + request->Length);
dataUnit.Value = (request->Offset.QuadPart + request->EncryptedOffset) / ENCRYPTION_DATA_UNIT_SIZE;
if (queue->CryptoInfo->bPartitionInInactiveSysEncScope)
dataUnit.Value += queue->CryptoInfo->FirstDataUnitNo.Value;
else if (queue->RemapEncryptedArea)
dataUnit.Value += queue->RemappedAreaDataUnitOffset;
EncryptDataUnits (activeFragmentBuffer + request->EncryptedOffset, &dataUnit, request->EncryptedLength / ENCRYPTION_DATA_UNIT_SIZE, queue->CryptoInfo);
}
}
// Queue IO request
ExInterlockedInsertTailList (&queue->IoThreadQueue, &request->ListEntry, &queue->IoThreadQueueLock);
KeSetEvent (&queue->IoThreadQueueNotEmptyEvent, IO_DISK_INCREMENT, FALSE);
if (isLastFragment)
break;
dataRemaining -= TC_ENC_IO_QUEUE_MAX_FRAGMENT_SIZE;
dataBuffer += TC_ENC_IO_QUEUE_MAX_FRAGMENT_SIZE;
fragmentOffset.QuadPart += TC_ENC_IO_QUEUE_MAX_FRAGMENT_SIZE;
}
}
}
PsTerminateSystemThread (STATUS_SUCCESS);
}
ULONG
RtlWalkFrameChain (
OUT PVOID *Callers,
IN ULONG Count,
IN ULONG Flags)
/*++
Routine Description:
RtlWalkFrameChain
Description:
This function tries to walk the EBP chain and fill out a vector of
return addresses. The function works only on x86. It is possible that
the function cannot fill the requested number of callers because somewhere
on the stack we have a function compiled FPO (the frame register (EBP) is
used as a normal register. In this case the function will just return with
a less then requested count. In kernel mode the function should not take
any exceptions (page faults) because it can be called at all sorts of
irql levels.
The `Flags' parameter is used for future extensions. A zero value will be
compatible with new stack walking algorithms.
Note. The algorithm can be somewhat improved by unassembling the return
addresses identified. However this is impractical in kernel mode because
the function might get called at high irql levels where page faults are
not allowed.
Return value:
The number of identified return addresses on the stack. This can be less
then the Count requested if the stack ends or we encounter a FPO compiled
function.
--*/
{
#if defined(_X86_)
ULONG_PTR Fp, NewFp, ReturnAddress;
ULONG Index;
ULONG_PTR StackEnd, StackStart;
BOOLEAN Result;
//
// Get the current EBP pointer which is supposed to
// be the start of the EBP chain.
//
_asm mov Fp, EBP;
StackStart = Fp;
#if _KERNEL_MODE_STACK_TRACES_
StackEnd = (ULONG_PTR)(KeGetCurrentThread()->StackBase);
//
// bugbug: find a reliable way to get the stack limit in kernel mode.
// `StackBase' is not a reliable way to get the stack end in kernel
// mode because we might execute a DPC routine on thread's behalf.
// There are a few other reasons why we cannot trust this completely.
//
// Note. The condition `PAGE_START(StackEnd) - PAGE_START(StackStart) > PAGE_SIZE'
// is not totally safe. We can encounter a situation where in this case we
// do not have the same stack. Can we?
//
// The DPC stack is actually the stack of the idle thread corresponding to
// the current processor. Based on that we probably can figure out in almost
// all contexts what are the real limits of the stack.
//
if ((StackStart > StackEnd)
|| (PAGE_START(StackEnd) - PAGE_START(StackStart) > PAGE_SIZE)) {
StackEnd = (StackStart + PAGE_SIZE) & ~((ULONG_PTR)PAGE_SIZE - 1);
//
// Try to get one more page if possible. Note that this is not
// 100% reliable because a non faulting address can fault if
// appropriate locks are not held.
//
if (MmIsAddressValid ((PVOID)StackEnd)) {
StackEnd += PAGE_SIZE;
}
}
#else
StackEnd = (ULONG_PTR)(NtCurrentTeb()->NtTib.StackBase);
#endif // #if _KERNEL_MODE_STACK_TRACES_
try {
for (Index = 0; Index < Count; Index++) {
if (Fp + sizeof(ULONG_PTR) >= StackEnd) {
break;
}
NewFp = *((PULONG_PTR)(Fp + 0));
ReturnAddress = *((PULONG_PTR)(Fp + sizeof(ULONG_PTR)));
//
// Figure out if the new frame pointer is ok. This validation
// should avoid all exceptions in kernel mode because we always
// read within the current thread's stack and the stack is
// guaranteed to be in memory (no page faults). It is also guaranteed
// that we do not take random exceptions in user mode because we always
// keep the frame pointer within stack limits.
//
if (! (Fp < NewFp && NewFp < StackEnd)) {
break;
}
//
// Figure out if the return address is ok. If return address
// is a stack address or <64k then something is wrong. There is
// no reason to return garbage to the caller therefore we stop.
//
if (StackStart < ReturnAddress && ReturnAddress < StackEnd) {
break;
}
if (ReturnAddress < 64 * SIZE_1_KB) {
break;
}
//
// Store new fp and return address and move on.
//
Fp = NewFp;
Callers[Index] = (PVOID)ReturnAddress;
}
}
except (EXCEPTION_EXECUTE_HANDLER) {
//
// The frame traversal algorithm is written so that we should
// not get any exception. Therefore if we get some exception
// we better debug it.
//
// bugbug: enable bkpt only on checked builds
// After we get some coverage on this we should leave it active
// only on checked builds.
//
DbgPrint ("Unexpected exception in RtlWalkFrameChain ...\n");
DbgBreakPoint ();
}
//
// Return the number of return addresses identified on the stack.
//
#if _COLLECT_FRAME_WALK_STATISTICS_
CollectFrameWalkStatistics (Index);
#endif // #if _COLLECT_FRAME_WALK_STATISTICS_
return Index;
#else
return 0;
#endif // #if defined(_X86_)
}
NTSTATUS
NtQueryMutant (
IN HANDLE MutantHandle,
IN MUTANT_INFORMATION_CLASS MutantInformationClass,
OUT PVOID MutantInformation,
IN ULONG MutantInformationLength,
OUT PULONG ReturnLength OPTIONAL
)
/*++
Routine Description:
This function queries the state of a mutant object and returns the
requested information in the specified record structure.
Arguments:
MutantHandle - Supplies a handle to a mutant object.
MutantInformationClass - Supplies the class of information being
requested.
MutantInformation - Supplies a pointer to a record that is to receive
the requested information.
MutantInformationLength - Supplies the length of the record that is
to receive the requested information.
ReturnLength - Supplies an optional pointer to a variable that will
receive the actual length of the information that is returned.
Return Value:
TBS
--*/
{
BOOLEAN Abandoned;
BOOLEAN OwnedByCaller;
LONG Count;
PVOID Mutant;
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
//
// Establish an exception handler, probe the output arguments, reference
// the mutant object, and return the specified information. If the probe
// fails, then return the exception code as the service status. Otherwise
// return the status value returned by the reference object by handle
// routine.
//
try {
//
// Get previous processor mode and probe output arguments if necessary.
//
PreviousMode = KeGetPreviousMode();
if (PreviousMode != KernelMode) {
ProbeForWrite(MutantInformation,
sizeof(MUTANT_BASIC_INFORMATION),
sizeof(ULONG));
if (ARGUMENT_PRESENT(ReturnLength)) {
ProbeForWriteUlong(ReturnLength);
}
}
//
// Check argument validity.
//
if (MutantInformationClass != MutantBasicInformation) {
return STATUS_INVALID_INFO_CLASS;
}
if (MutantInformationLength != sizeof(MUTANT_BASIC_INFORMATION)) {
return STATUS_INFO_LENGTH_MISMATCH;
}
//
// Reference mutant object by handle.
//
Status = ObReferenceObjectByHandle(MutantHandle,
MUTANT_QUERY_STATE,
ExMutantObjectType,
PreviousMode,
&Mutant,
NULL);
//
// If the reference was successful, then read the current state and
// abandoned status of the mutant object, dereference mutant object,
// fill in the information structure, and return the length of the
// information structure if specified. If the write of the mutant
// information or the return length fails, then do not report an error.
// When the caller accesses the information structure or length an
// access violation will occur.
//
if (NT_SUCCESS(Status)) {
Count = KeReadStateMutant((PKMUTANT)Mutant);
Abandoned = ((PKMUTANT)Mutant)->Abandoned;
OwnedByCaller = (BOOLEAN)((((PKMUTANT)Mutant)->OwnerThread ==
KeGetCurrentThread()));
ObDereferenceObject(Mutant);
try {
((PMUTANT_BASIC_INFORMATION)MutantInformation)->CurrentCount = Count;
((PMUTANT_BASIC_INFORMATION)MutantInformation)->OwnedByCaller = OwnedByCaller;
((PMUTANT_BASIC_INFORMATION)MutantInformation)->AbandonedState = Abandoned;
if (ARGUMENT_PRESENT(ReturnLength)) {
*ReturnLength = sizeof(MUTANT_BASIC_INFORMATION);
}
} except(ExSystemExceptionFilter()) {
}
}
//
// If an exception occurs during the probe of the output arguments, then
// always handle the exception and return the exception code as the status
// value.
//
} except(ExSystemExceptionFilter()) {
return GetExceptionCode();
}
//
// Return service status.
//
return Status;
}
VOID
NTAPI
INIT_FUNCTION
KiInitMachineDependent(VOID)
{
ULONG CpuCount;
BOOLEAN FbCaching = FALSE;
NTSTATUS Status;
ULONG ReturnLength;
ULONG i, Affinity, Sample = 0;
PFX_SAVE_AREA FxSaveArea;
ULONG MXCsrMask = 0xFFBF;
ULONG Dummy;
KI_SAMPLE_MAP Samples[4];
PKI_SAMPLE_MAP CurrentSample = Samples;
/* Check for large page support */
if (KeFeatureBits & KF_LARGE_PAGE)
{
/* FIXME: Support this */
DPRINT("Large Page support detected but not yet taken advantage of\n");
}
/* Check for global page support */
if (KeFeatureBits & KF_GLOBAL_PAGE)
{
/* Do an IPI to enable it on all CPUs */
CpuCount = KeNumberProcessors;
KeIpiGenericCall(Ki386EnableGlobalPage, (ULONG_PTR)&CpuCount);
}
/* Check for PAT and/or MTRR support */
if (KeFeatureBits & (KF_PAT | KF_MTRR))
{
/* Query the HAL to make sure we can use it */
Status = HalQuerySystemInformation(HalFrameBufferCachingInformation,
sizeof(BOOLEAN),
&FbCaching,
&ReturnLength);
if ((NT_SUCCESS(Status)) && (FbCaching))
{
/* We can't, disable it */
KeFeatureBits &= ~(KF_PAT | KF_MTRR);
}
}
/* Check for PAT support and enable it */
if (KeFeatureBits & KF_PAT) KiInitializePAT();
/* Assume no errata for now */
SharedUserData->ProcessorFeatures[PF_FLOATING_POINT_PRECISION_ERRATA] = 0;
/* Check if we have an NPX */
if (KeI386NpxPresent)
{
/* Loop every CPU */
i = KeActiveProcessors;
for (Affinity = 1; i; Affinity <<= 1)
{
/* Check if this is part of the set */
if (i & Affinity)
{
/* Run on this CPU */
i &= ~Affinity;
KeSetSystemAffinityThread(Affinity);
/* Detect FPU errata */
if (KiIsNpxErrataPresent())
{
/* Disable NPX support */
KeI386NpxPresent = FALSE;
SharedUserData->
ProcessorFeatures[PF_FLOATING_POINT_PRECISION_ERRATA] =
TRUE;
break;
}
}
}
}
/* If there's no NPX, then we're emulating the FPU */
SharedUserData->ProcessorFeatures[PF_FLOATING_POINT_EMULATED] =
!KeI386NpxPresent;
/* Check if there's no NPX, so that we can disable associated features */
if (!KeI386NpxPresent)
{
/* Remove NPX-related bits */
KeFeatureBits &= ~(KF_XMMI64 | KF_XMMI | KF_FXSR | KF_MMX);
/* Disable kernel flags */
KeI386FxsrPresent = KeI386XMMIPresent = FALSE;
/* Disable processor features that might've been set until now */
SharedUserData->ProcessorFeatures[PF_FLOATING_POINT_PRECISION_ERRATA] =
SharedUserData->ProcessorFeatures[PF_XMMI64_INSTRUCTIONS_AVAILABLE] =
SharedUserData->ProcessorFeatures[PF_XMMI_INSTRUCTIONS_AVAILABLE] =
SharedUserData->ProcessorFeatures[PF_3DNOW_INSTRUCTIONS_AVAILABLE] =
SharedUserData->ProcessorFeatures[PF_MMX_INSTRUCTIONS_AVAILABLE] = 0;
}
/* Check for CR4 support */
if (KeFeatureBits & KF_CR4)
{
/* Do an IPI call to enable the Debug Exceptions */
CpuCount = KeNumberProcessors;
KeIpiGenericCall(Ki386EnableDE, (ULONG_PTR)&CpuCount);
}
/* Check if FXSR was found */
if (KeFeatureBits & KF_FXSR)
{
/* Do an IPI call to enable the FXSR */
CpuCount = KeNumberProcessors;
KeIpiGenericCall(Ki386EnableFxsr, (ULONG_PTR)&CpuCount);
/* Check if XMM was found too */
if (KeFeatureBits & KF_XMMI)
{
/* Do an IPI call to enable XMMI exceptions */
CpuCount = KeNumberProcessors;
KeIpiGenericCall(Ki386EnableXMMIExceptions, (ULONG_PTR)&CpuCount);
/* FIXME: Implement and enable XMM Page Zeroing for Mm */
/* Patch the RtlPrefetchMemoryNonTemporal routine to enable it */
*(PCHAR)RtlPrefetchMemoryNonTemporal = 0x90;
}
}
/* Check for, and enable SYSENTER support */
KiRestoreFastSyscallReturnState();
/* Loop every CPU */
i = KeActiveProcessors;
for (Affinity = 1; i; Affinity <<= 1)
{
/* Check if this is part of the set */
if (i & Affinity)
{
/* Run on this CPU */
i &= ~Affinity;
KeSetSystemAffinityThread(Affinity);
/* Reset MHz to 0 for this CPU */
KeGetCurrentPrcb()->MHz = 0;
/* Check if we can use RDTSC */
if (KeFeatureBits & KF_RDTSC)
{
/* Start sampling loop */
for (;;)
{
/* Do a dummy CPUID to start the sample */
CPUID(0, &Dummy, &Dummy, &Dummy, &Dummy);
/* Fill out the starting data */
CurrentSample->PerfStart = KeQueryPerformanceCounter(NULL);
CurrentSample->TSCStart = __rdtsc();
CurrentSample->PerfFreq.QuadPart = -50000;
/* Sleep for this sample */
KeDelayExecutionThread(KernelMode,
FALSE,
&CurrentSample->PerfFreq);
/* Do another dummy CPUID */
CPUID(0, &Dummy, &Dummy, &Dummy, &Dummy);
/* Fill out the ending data */
CurrentSample->PerfEnd =
KeQueryPerformanceCounter(&CurrentSample->PerfFreq);
CurrentSample->TSCEnd = __rdtsc();
/* Calculate the differences */
CurrentSample->PerfDelta = CurrentSample->PerfEnd.QuadPart -
CurrentSample->PerfStart.QuadPart;
CurrentSample->TSCDelta = CurrentSample->TSCEnd -
CurrentSample->TSCStart;
/* Compute CPU Speed */
CurrentSample->MHz = (ULONG)((CurrentSample->TSCDelta *
CurrentSample->
PerfFreq.QuadPart + 500000) /
(CurrentSample->PerfDelta *
1000000));
/* Check if this isn't the first sample */
if (Sample)
{
/* Check if we got a good precision within 1MHz */
if ((CurrentSample->MHz == CurrentSample[-1].MHz) ||
(CurrentSample->MHz == CurrentSample[-1].MHz + 1) ||
(CurrentSample->MHz == CurrentSample[-1].MHz - 1))
{
/* We did, stop sampling */
break;
}
}
/* Move on */
CurrentSample++;
Sample++;
if (Sample == sizeof(Samples) / sizeof(Samples[0]))
{
/* Restart */
CurrentSample = Samples;
Sample = 0;
}
}
/* Save the CPU Speed */
KeGetCurrentPrcb()->MHz = CurrentSample[-1].MHz;
}
/* Check if we have MTRR */
if (KeFeatureBits & KF_MTRR)
{
/* Then manually initialize MTRR for the CPU */
KiInitializeMTRR(i ? FALSE : TRUE);
}
/* Check if we have AMD MTRR and initialize it for the CPU */
if (KeFeatureBits & KF_AMDK6MTRR) KiAmdK6InitializeMTRR();
/* Check if this is a buggy Pentium and apply the fixup if so */
if (KiI386PentiumLockErrataPresent) KiI386PentiumLockErrataFixup();
/* Check if the CPU supports FXSR */
if (KeFeatureBits & KF_FXSR)
{
/* Get the current thread NPX state */
FxSaveArea = KiGetThreadNpxArea(KeGetCurrentThread());
/* Clear initial MXCsr mask */
FxSaveArea->U.FxArea.MXCsrMask = 0;
/* Save the current NPX State */
Ke386SaveFpuState(FxSaveArea);
/* Check if the current mask doesn't match the reserved bits */
if (FxSaveArea->U.FxArea.MXCsrMask != 0)
{
/* Then use whatever it's holding */
MXCsrMask = FxSaveArea->U.FxArea.MXCsrMask;
}
/* Check if nobody set the kernel-wide mask */
if (!KiMXCsrMask)
{
/* Then use the one we calculated above */
KiMXCsrMask = MXCsrMask;
}
else
{
/* Was it set to the same value we found now? */
if (KiMXCsrMask != MXCsrMask)
{
/* No, something is definitely wrong */
KeBugCheckEx(MULTIPROCESSOR_CONFIGURATION_NOT_SUPPORTED,
KF_FXSR,
KiMXCsrMask,
MXCsrMask,
0);
}
}
/* Now set the kernel mask */
KiMXCsrMask &= MXCsrMask;
}
}
}
/* Return affinity back to where it was */
KeRevertToUserAffinityThread();
/* NT allows limiting the duration of an ISR with a registry key */
if (KiTimeLimitIsrMicroseconds)
{
/* FIXME: TODO */
DPRINT1("ISR Time Limit not yet supported\n");
}
/* Set CR0 features based on detected CPU */
KiSetCR0Bits();
}
NTSTATUS
NtYieldExecution (
VOID
)
/*++
Routine Description:
This function yields execution to any ready thread for up to one
quantum.
Arguments:
None.
Return Value:
None.
--*/
{
KIRQL OldIrql;
PKTHREAD NewThread;
PRKPRCB Prcb;
NTSTATUS Status;
PKTHREAD Thread;
//
// If no other threads are ready, then return immediately. Otherwise,
// attempt to yield execution.
//
// N.B. The test for ready threads is made outside any synchonization.
// Since this code cannot be perfectly synchronized under any
// conditions the lack of synchronization is of no consequence.
//
if (KiGetCurrentReadySummary() == 0) {
return STATUS_NO_YIELD_PERFORMED;
} else {
Status = STATUS_NO_YIELD_PERFORMED;
Thread = KeGetCurrentThread();
OldIrql = KeRaiseIrqlToSynchLevel();
Prcb = KeGetCurrentPrcb();
if (Prcb->ReadySummary != 0) {
//
// Acquire the thread lock and the PRCB lock.
//
// If a thread has not already been selected for execution, then
// attempt to select another thread for execution.
//
KiAcquireThreadLock(Thread);
KiAcquirePrcbLock(Prcb);
if (Prcb->NextThread == NULL) {
Prcb->NextThread = KiSelectReadyThread(1, Prcb);
}
//
// If a new thread has been selected for execution, then switch
// immediately to the selected thread.
//
if ((NewThread = Prcb->NextThread) != NULL) {
Thread->Quantum = Thread->QuantumReset;
//
// Compute the new thread priority.
//
// N.B. The new priority will never be greater than the previous
// priority.
//
Thread->Priority = KiComputeNewPriority(Thread, 1);
//
// Release the thread lock, set swap busy for the old thread,
// set the next thread to NULL, set the current thread to the
// new thread, set the new thread state to running, set the
// wait reason, queue the old running thread, and release the
// PRCB lock, and swp context to the new thread.
//
KiReleaseThreadLock(Thread);
KiSetContextSwapBusy(Thread);
Prcb->NextThread = NULL;
Prcb->CurrentThread = NewThread;
NewThread->State = Running;
Thread->WaitReason = WrYieldExecution;
KxQueueReadyThread(Thread, Prcb);
Thread->WaitIrql = APC_LEVEL;
ASSERT(OldIrql <= DISPATCH_LEVEL);
KiSwapContext(Thread, NewThread);
Status = STATUS_SUCCESS;
} else {
KiReleasePrcbLock(Prcb);
KiReleaseThreadLock(Thread);
}
}
//
// Lower IRQL to its previous level and return.
//
KeLowerIrql(OldIrql);
return Status;
}
}
VOID
Ke386SetIOPL(
IN PKPROCESS Process
)
/*++
Routine Description:
Gives IOPL to the specified process.
All threads created from this point on will get IOPL. The current
process will get IOPL. Must be called from context of thread and
process that are to have IOPL.
Iopl (to be made a boolean) in KPROCESS says all
new threads to get IOPL.
Iopl (to be made a boolean) in KTHREAD says given
thread to get IOPL.
N.B. If a kernel mode only thread calls this procedure, the
result is (a) poinless and (b) will break the system.
Arguments:
Process - Pointer to the process == IGNORED!!!
Return Value:
none
--*/
{
PKTHREAD Thread;
PKPROCESS Process2;
PKTRAP_FRAME TrapFrame;
CONTEXT Context;
//
// get current thread and Process2, set flag for IOPL in both of them
//
Thread = KeGetCurrentThread();
Process2 = Thread->ApcState.Process;
Process2->Iopl = 1;
Thread->Iopl = 1;
//
// Force IOPL to be on for current thread
//
TrapFrame = (PKTRAP_FRAME)((PUCHAR)Thread->InitialStack -
ALIGN_UP(sizeof(KTRAP_FRAME),KTRAP_FRAME_ALIGN) -
sizeof(FX_SAVE_AREA));
Context.ContextFlags = CONTEXT_CONTROL;
KeContextFromKframes(TrapFrame,
NULL,
&Context);
Context.EFlags |= (EFLAGS_IOPL_MASK & -1); // IOPL == 3
KeContextToKframes(TrapFrame,
NULL,
&Context,
CONTEXT_CONTROL,
UserMode);
return;
}
// =========================================================================
// This is the main thread that removes IRP from the queue
// and processes (peforms I/O on) it.
// Context - this is set to the device object
VOID
FreeOTFEThread(
IN PVOID Context
)
{
NTSTATUS status;
PDEVICE_OBJECT devObj;
PDEVICE_EXTENSION devExt;
PIRP Irp;
PIO_STACK_LOCATION irpSp;
DEBUGOUTHASHDRV(DEBUGLEV_ENTER, ("FreeOTFEThread\n"));
DEBUGOUTHASHDRV(DEBUGLEV_INFO, ("Setting threads priority...\n"));
KeSetPriorityThread(KeGetCurrentThread(), LOW_REALTIME_PRIORITY);
devObj = (PDEVICE_OBJECT)Context;
devExt = (PDEVICE_EXTENSION)devObj->DeviceExtension;
DEBUGOUTHASHDRV(DEBUGLEV_INFO, ("Entering endless loop for queued event signals...\n"));
while (TRUE)
{
// Wait until signalled that there is one or more IRP queued...
status = KeWaitForSingleObject(
&devExt->IRPQueueSemaphore,
Executive,
KernelMode,
FALSE,
NULL
);
DEBUGOUTHASHDRV(DEBUGLEV_INFO, ("Queued event signalled.\n"));
DEBUGOUTHASHDRV(DEBUGLEV_INFO, ("Thread is for device: %ls\n", devExt->zzDeviceName.Buffer));
// If we're supposed to terminate the thread, bail out...
if (devExt->TerminateThread)
{
DEBUGOUTHASHDRV(DEBUGLEV_INFO, ("Thread has been requested to terminate!.\n"));
break; // Thread terminates after this loop terminates
}
// Remove a pending IRP from the queue.
DEBUGOUTHASHDRV(DEBUGLEV_INFO, ("Thread getting next queued IRP.\n"));
Irp = IoCsqRemoveNextIrp(&devExt->CancelSafeQueue, NULL);
if (!Irp)
{
DEBUGOUTHASHDRV(DEBUGLEV_INFO, ("Queued IRP was cancelled; next.\n"));
continue; // go back to waiting
}
// Default...
status = STATUS_NOT_IMPLEMENTED;
Irp->IoStatus.Information = 0;
irpSp = IoGetCurrentIrpStackLocation(Irp);
switch (irpSp->MajorFunction)
{
case IRP_MJ_DEVICE_CONTROL:
{
DEBUGOUTHASHDRV(DEBUGLEV_INFO, ("THREAD: IRP_MJ_DEVICE_CONTROL\n"));
switch (irpSp->Parameters.DeviceIoControl.IoControlCode)
{
case IOCTL_FREEOTFEHASH_HASHDATA:
{
status = IOCTL_FreeOTFEHashIOCTL_Hash(devObj, Irp);
break;
}
default:
{
DEBUGOUTHASHDRV(DEBUGLEV_INFO, ("THREAD: Unrecognised IRP_MJ_DEVICE_CONTROL IRP.\n"));
}
} // switch (irpSp->Parameters.DeviceIoControl.IoControlCode)
break;
} // case IRP_MJ_DEVICE_CONTROL:
default:
{
DEBUGOUTHASHDRV(DEBUGLEV_INFO, ("THREAD: Unrecognised IRP MajorFunction.\n"));
}
} // switch (irpSp->MajorFunction)
DEBUGOUTHASHDRV(DEBUGLEV_INFO, ("Thread completing IRP (%d).\n", status));
if (!(NT_SUCCESS(status)))
{
DEBUGOUTHASHDRV(DEBUGLEV_INFO, ("Thread setting IoStatus.Information = 0\n"));
Irp->IoStatus.Information = 0;
}
Irp->IoStatus.Status = status;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
} // while (TRUE)
// This part will only be reached if the thread has been signalled to
// terminate
devExt = NULL;
DEBUGOUTHASHDRV(DEBUGLEV_INFO, ("Terminating thread...\n"));
status = PsTerminateSystemThread(STATUS_SUCCESS);
if (!NT_SUCCESS(status))
{
DEBUGOUTHASHDRV(DEBUGLEV_ERROR, ("Thread did NOT terminate OK\n"));
}
DEBUGOUTHASHDRV(DEBUGLEV_INFO, ("Thread dropping out.\n"));
DEBUGOUTHASHDRV(DEBUGLEV_EXIT, ("FreeOTFEThread\n"));
}
VOID
Thread (
IN PVOID Context
)
{
PDEVICE_OBJECT DeviceObject;
PDEVICE_EXTENSION deviceExtension;
PLIST_ENTRY request;
PIRP Irp;
PIO_STACK_LOCATION currentIrpStack;
PIO_STACK_LOCATION nextIrpStack;
DWORD dwStartSec;
DWORD dwLength;
PVOID pBuffer;
NTSTATUS status;
DWORD dwRetVal;
BOOL bReadSys;
PBLK_MOVER_PARAM pParam;
DIOC_REGISTERS *pRegs;
PREAD_WRITE_BUFFER pReadWriteBuffer;
KIRQL Irql;
// PAGED_CODE();
ASSERT(Context != NULL);
DeviceObject = (PDEVICE_OBJECT) Context;
deviceExtension = (PDEVICE_EXTENSION) DeviceObject->DeviceExtension;
KeSetPriorityThread(KeGetCurrentThread(),HIGH_PRIORITY);//LOW_REALTIME_PRIORITY);// HIGH_PRIORITY);
while(TRUE)
{
KeWaitForSingleObject(
&deviceExtension->request_event,
Executive,
KernelMode,
FALSE,
NULL
);
ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);
if (deviceExtension->terminate_thread)
{
PsTerminateSystemThread(STATUS_SUCCESS);
}
while (request = ExInterlockedRemoveHeadList(
&deviceExtension->list_head,
&deviceExtension->list_lock
))
{
Irp = CONTAINING_RECORD(request, IRP, Tail.Overlay.ListEntry);
currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
nextIrpStack = IoGetNextIrpStackLocation(Irp);
ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);
switch (currentIrpStack->MajorFunction)
{
case IRP_MJ_READ:
case IRP_MJ_WRITE:
pBuffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress,NormalPagePriority);
dwLength = currentIrpStack->Parameters.Read.Length/SECTOR_SIZE;
dwStartSec = (DWORD)(currentIrpStack->Parameters.Read.ByteOffset.QuadPart/SECTOR_SIZE);
status = BlkMoverRelocateReadWrite(DeviceObject,currentIrpStack->MajorFunction,dwStartSec,dwLength,pBuffer);
//ASSERT(status == STATUS_SUCCESS);
Irp->IoStatus.Status = status;
Irp->IoStatus.Information = dwLength*SECTOR_SIZE;
break;
case IRP_MJ_DEVICE_CONTROL:
switch (currentIrpStack->Parameters.DeviceIoControl.IoControlCode)
{
case IOCTL_YG_BLOCK_MOVER_FLUSH_BUFFER:
pRegs = (DIOC_REGISTERS *)Irp->AssociatedIrp.SystemBuffer;
pRegs->reg_EAX = TRUE;
status = FlushBuf(g_pMoverData->DeviceObject);
Irp->IoStatus.Status = status;
Irp->IoStatus.Information = sizeof(DIOC_REGISTERS);
break;
case IOCTL_YG_BLOCK_MOVING_GROUP_CURRENT:
pRegs = (DIOC_REGISTERS *)Irp->AssociatedIrp.SystemBuffer;
g_MovingGroup.bFront = pRegs->reg_EAX;
g_MovingGroup.dwSStart = pRegs->reg_EBX;
g_MovingGroup.dwTStart = pRegs->reg_ECX;
g_MovingGroup.dwSize = pRegs->reg_EDX;
g_MovingGroup.dwMovedSize = 0;
g_dwMovedRecNum = pRegs->reg_EDI;
g_pMoverData->bWorking = TRUE;
pRegs->reg_EAX = TRUE;
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = sizeof(DIOC_REGISTERS);
break;
case IOCTL_YG_GET_MOVED_SECTORS:
pRegs = (DIOC_REGISTERS *)Irp->AssociatedIrp.SystemBuffer;
pRegs->reg_EAX = g_dwMovedSecs;
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = sizeof(DIOC_REGISTERS);
break;
case IOCTL_YG_READ:
pReadWriteBuffer = (PREAD_WRITE_BUFFER)Irp->AssociatedIrp.SystemBuffer;
dwLength = pReadWriteBuffer->dwLength;
pBuffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress,NormalPagePriority);
dwStartSec = pReadWriteBuffer->dwStartSec;
if (pReadWriteBuffer->dwMovedRecNum == YGBLK_READ_WRITE)
{
status = BlkMoverRelocateReadWrite(DeviceObject,IRP_MJ_READ,dwStartSec,dwLength,pBuffer);
}
else
{
status = SyncReadWriteSec(DeviceObject,dwStartSec,dwLength ,pBuffer ,IRP_MJ_READ);
}
MmUnlockPages(Irp->MdlAddress);
IoFreeMdl(Irp->MdlAddress);
Irp->MdlAddress = NULL;
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = sizeof(READ_WRITE_BUFFER);
break;
case IOCTL_YG_WRITE:
pReadWriteBuffer = (PREAD_WRITE_BUFFER)Irp->AssociatedIrp.SystemBuffer;
dwLength = pReadWriteBuffer->dwLength;
pBuffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress,NormalPagePriority);
dwStartSec = pReadWriteBuffer->dwStartSec;
if (pReadWriteBuffer->dwMovedRecNum == YGBLK_READ_WRITE)
{
status = BlkMoverRelocateReadWrite(DeviceObject,IRP_MJ_WRITE,dwStartSec,dwLength,pBuffer);
}
else
{
status = SyncReadWriteSec(DeviceObject,dwStartSec,dwLength ,pBuffer ,IRP_MJ_WRITE);
}
MmUnlockPages(Irp->MdlAddress);
IoFreeMdl(Irp->MdlAddress);
Irp->MdlAddress = NULL;
if (pReadWriteBuffer->dwMovedRecNum != YGBLK_READ_WRITE)
{
if(!pReadWriteBuffer->bSys && g_dwDataRecNum)
{
//g_dwMovedRecNum = pReadWriteBuffer->dwMovedRecNum;
g_MovingGroup.dwMovedSize += dwLength;
}
if(g_bReLocate && pReadWriteBuffer->bSys)
g_dwRePointer = pReadWriteBuffer->dwStartSec + dwLength;
}
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = sizeof(READ_WRITE_BUFFER);
break;
default:
Irp->IoStatus.Status = STATUS_DRIVER_INTERNAL_ERROR;
Irp->IoStatus.Information = 0;
}
break;
default:
DbgPrint("BlkMover:Thread default conditions.");
Irp->IoStatus.Status = STATUS_DRIVER_INTERNAL_ERROR;
Irp->IoStatus.Information = 0;
}
IoCompleteRequest(Irp,
(CCHAR) (NT_SUCCESS(Irp->IoStatus.Status) ?
IO_DISK_INCREMENT : IO_NO_INCREMENT));
}
}
}
NTSTATUS
IrpWriteFile(
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN ULONG Length,
IN PVOID Buffer,
OUT PIO_STATUS_BLOCK IoStatusBlock
)
{
NTSTATUS status;
KEVENT event;
PIRP irp;
PIO_STACK_LOCATION irpSp;
PDEVICE_OBJECT deviceObject;
if (ByteOffset == NULL)
{
if (!(FileObject->Flags & FO_SYNCHRONOUS_IO))
return STATUS_INVALID_PARAMETER;
ByteOffset = &FileObject->CurrentByteOffset;
}
if (FileObject->Vpb == 0 || FileObject->Vpb->RealDevice == NULL)
return STATUS_UNSUCCESSFUL;
deviceObject = FileObject->Vpb->DeviceObject;
irp = IoAllocateIrp(deviceObject->StackSize, FALSE);
if (irp == NULL)
return STATUS_INSUFFICIENT_RESOURCES;
irp->MdlAddress = IoAllocateMdl(Buffer, Length, FALSE, TRUE, NULL);
if (irp->MdlAddress == NULL)
{
IoFreeIrp(irp);
return STATUS_INSUFFICIENT_RESOURCES;;
}
MmBuildMdlForNonPagedPool(irp->MdlAddress);
irp->Flags = IRP_WRITE_OPERATION;
irp->RequestorMode = KernelMode;
irp->UserIosb = IoStatusBlock;
irp->UserEvent = &event;
irp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();
irp->Tail.Overlay.OriginalFileObject = FileObject;
irpSp = IoGetNextIrpStackLocation(irp);
irpSp->MajorFunction = IRP_MJ_WRITE;
irpSp->MinorFunction = IRP_MN_NORMAL;
irpSp->DeviceObject = deviceObject;
irpSp->FileObject = FileObject;
irpSp->Parameters.Write.Length = Length;
irpSp->Parameters.Write.ByteOffset = *ByteOffset;
KeInitializeEvent(&event, SynchronizationEvent, FALSE);
IoSetCompletionRoutine(irp, IoCompletionRoutine, NULL, TRUE, TRUE, TRUE);
status = IoCallDriver(deviceObject, irp);
if (status == STATUS_PENDING)
status = KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, NULL);
return status;
}
NTSTATUS
Ke386CallBios (
IN ULONG BiosCommand,
IN OUT PCONTEXT BiosArguments
)
/*++
Routine Description:
This function invokes specified ROM BIOS code by executing
"INT BiosCommand." Before executing the BIOS code, this function
will setup VDM context, change stack pointer ...etc. If for some reason
the operation fails, a status code will be returned. Otherwise, this
function always returns success regardless of the result of the BIOS
call.
N.B. This implementation relies on the fact that the direct
I/O access operations between apps are serialized by win user.
Arguments:
BiosCommand - Supplies which ROM BIOS function to invoke.
BiosArguments - Supplies a pointer to the context which will be used
to invoke ROM BIOS.
Return Value:
NTSTATUS code to specify the failure.
--*/
{
PVDM_TIB VdmTib;
PUCHAR BaseAddress = (PUCHAR)V86_CODE_ADDRESS;
PTEB UserInt10Teb = (PTEB)INT_10_TEB;
PKTSS Tss;
PKPROCESS Process;
PKTHREAD Thread;
USHORT OldIopmOffset, OldIoMapBase;
PVDM_PROCESS_OBJECTS VdmObjects;
ULONG ContextLength;
UCHAR ThreadDebugActiveMask;
//
// Map in ROM BIOS area to perform the int 10 code
//
try {
RtlZeroMemory(UserInt10Teb, sizeof(TEB));
//
// Write "Int BiosCommand; bop" to reserved user space (0x1000).
// Later control will transfer to the user space to execute
// these two instructions.
//
*BaseAddress++ = INT_OPCODE;
*BaseAddress++ = (UCHAR)BiosCommand;
*(PULONG)BaseAddress = V86_BOP_OPCODE;
//
// Set up Vdm(v86) context to execute the int BiosCommand
// instruction by copying user supplied context to VdmContext
// and updating the control registers to predefined values.
//
//
// We want to use a constant number for the int10.
//
// Create a fake TEB so we can switch the thread to it while we
// do an int10
//
UserInt10Teb->Vdm = (PVOID)VDM_TIB_ADDRESS;
VdmTib = (PVDM_TIB)VDM_TIB_ADDRESS;
RtlZeroMemory(VdmTib, sizeof(VDM_TIB));
VdmTib->Size = sizeof(VDM_TIB);
*FIXED_NTVDMSTATE_LINEAR_PC_AT = 0;
//
// extended registers are never going to matter to
// an Int10 call, so only copy the old part of the
// context record.
//
ContextLength = FIELD_OFFSET(CONTEXT, ExtendedRegisters);
RtlCopyMemory(&(VdmTib->VdmContext), BiosArguments, ContextLength);
VdmTib->VdmContext.SegCs = (ULONG)BaseAddress >> 4;
VdmTib->VdmContext.SegSs = (ULONG)BaseAddress >> 4;
VdmTib->VdmContext.Eip = 0;
VdmTib->VdmContext.Esp = 2 * PAGE_SIZE - sizeof(ULONG);
VdmTib->VdmContext.EFlags |= EFLAGS_V86_MASK | EFLAGS_INTERRUPT_MASK;
VdmTib->VdmContext.ContextFlags = CONTEXT_FULL;
} except (EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode();
}
//
// The vdm kernel code finds the Tib by looking at a pointer cached in
// kernel memory, which was probed at Vdm creation time. Since the
// creation semantics for this vdm are peculiar, we do something similar
// here.
//
//
// We never get here on a process that is a real vdm. If we do,
// bad things will happen (pool leak, failure to execute dos and
// windows apps).
//
ASSERT(PsGetCurrentProcess()->VdmObjects == NULL);
VdmObjects = ExAllocatePoolWithTag (NonPagedPool,
sizeof(VDM_PROCESS_OBJECTS),
' eK'
);
//
// Since we are doing this on behalf of CSR not a user process, we aren't
// charging quota.
//
if (VdmObjects == NULL) {
return STATUS_NO_MEMORY;
}
//
// We are only initializing the VdmTib pointer, because that's the only
// part of the VdmObjects we use for ROM calls. We aren't set up
// to simulate interrupts, or any of the other stuff that would be done
// in a conventional vdm
//
RtlZeroMemory( VdmObjects, sizeof(VDM_PROCESS_OBJECTS));
VdmObjects->VdmTib = VdmTib;
PsGetCurrentProcess()->VdmObjects = VdmObjects;
PS_SET_BITS(&PsGetCurrentProcess()->Flags, PS_PROCESS_FLAGS_VDM_ALLOWED);
//
// Since we are going to v86 mode and accessing some I/O ports, we
// need to make sure the IopmOffset is set correctly across context
// swap and the I/O bit map has all the bits cleared.
// N.B. This implementation assumes that there is only one full
// screen DOS app and the io access between full screen DOS
// app and the server code is serialized by win user. That
// means even we change the IOPM, the full screen dos app won't
// be able to run on this IOPM.
// * In another words, IF THERE IS
// * MORE THAN ONE FULL SCREEN DOS APPS, THIS CODE IS BROKEN.*
//
// NOTE This code works on the assumption that winuser serializes
// direct I/O access operations.
//
//
// Call the bios from the processor which booted the machine.
//
Thread = KeGetCurrentThread();
KeSetSystemAffinityThread(1);
Tss = KeGetPcr()->TSS;
//
// Save away the original IOPM bit map and clear all the IOPM bits
// to allow v86 int 10 code to access ALL the io ports.
//
//
// Make sure there are at least 2 IOPM maps.
//
ASSERT(KeGetPcr()->GDT[KGDT_TSS / 8].LimitLow >= (0x2000 + IOPM_OFFSET - 1));
RtlCopyMemory (Ki386IopmSaveArea,
(PVOID)&Tss->IoMaps[0].IoMap,
PAGE_SIZE * 2
);
RtlZeroMemory ((PVOID)&Tss->IoMaps[0].IoMap, PAGE_SIZE * 2);
Process = Thread->ApcState.Process;
OldIopmOffset = Process->IopmOffset;
OldIoMapBase = Tss->IoMapBase;
Process->IopmOffset = (USHORT)(IOPM_OFFSET); // Set Process IoPmOffset before
Tss->IoMapBase = (USHORT)(IOPM_OFFSET); // updating Tss IoMapBase
//
// The context setup for the BIOS will not have valid debug registers
// in it, don't try to load them.
//
ThreadDebugActiveMask = (UCHAR) Thread->Header.DebugActive;
Thread->Header.DebugActive = (BOOLEAN) 0;
//
// Call ASM routine to switch stack to exit to v86 mode to
// run Int BiosCommand.
//
Ki386SetupAndExitToV86Code(UserInt10Teb);
//
// After we return from v86 mode, the control comes here.
//
// Restore Thread's DebugActive flag.
//
Thread->Header.DebugActive = (BOOLEAN) ThreadDebugActiveMask;
//
// Restore old IOPM
//
RtlCopyMemory ((PVOID)&Tss->IoMaps[0].IoMap,
Ki386IopmSaveArea,
PAGE_SIZE * 2
);
Process->IopmOffset = OldIopmOffset;
Tss->IoMapBase = OldIoMapBase;
//
// Restore old affinity for current thread.
//
KeRevertToUserAffinityThread();
//
// Copy 16 bit vdm context back to caller.
//
// Extended register state is not going to matter,
// so copy only the old part of the context record.
//
ContextLength = FIELD_OFFSET(CONTEXT, ExtendedRegisters);
RtlCopyMemory(BiosArguments, &(VdmTib->VdmContext), ContextLength);
BiosArguments->ContextFlags = CONTEXT_FULL;
//
// Free the pool used for the VdmTib pointer
//
PsGetCurrentProcess()->VdmObjects = NULL;
PS_CLEAR_BITS(&PsGetCurrentProcess()->Flags, PS_PROCESS_FLAGS_VDM_ALLOWED);
ExFreePool(VdmObjects);
return STATUS_SUCCESS;
}
VOID
FASTCALL
KiEnterV86Mode(IN ULONG_PTR StackFrameUnaligned)
{
PKTHREAD Thread;
PKV8086_STACK_FRAME StackFrame = (PKV8086_STACK_FRAME)(ROUND_UP(StackFrameUnaligned - 4, 16) + 4);
PKTRAP_FRAME TrapFrame = &StackFrame->TrapFrame;
PKV86_FRAME V86Frame = &StackFrame->V86Frame;
PFX_SAVE_AREA NpxFrame = &StackFrame->NpxArea;
ASSERT((ULONG_PTR)NpxFrame % 16 == 0);
/* Build fake user-mode trap frame */
TrapFrame->SegCs = KGDT_R0_CODE | RPL_MASK;
TrapFrame->SegEs = TrapFrame->SegDs = TrapFrame->SegFs = TrapFrame->SegGs = 0;
TrapFrame->ErrCode = 0;
/* Get the current thread's initial stack */
Thread = KeGetCurrentThread();
V86Frame->ThreadStack = KiGetThreadNpxArea(Thread);
/* Save TEB addresses */
V86Frame->ThreadTeb = Thread->Teb;
V86Frame->PcrTeb = KeGetPcr()->NtTib.Self;
/* Save return EIP */
TrapFrame->Eip = (ULONG_PTR)Ki386BiosCallReturnAddress;
/* Save our stack (after the frames) */
TrapFrame->Esi = StackFrameUnaligned;
TrapFrame->Edi = (ULONG_PTR)_AddressOfReturnAddress() + 4;
/* Sanitize EFlags and enable interrupts */
TrapFrame->EFlags = __readeflags() & 0x60DD7;
TrapFrame->EFlags |= EFLAGS_INTERRUPT_MASK;
/* Fill out the rest of the frame */
TrapFrame->HardwareSegSs = KGDT_R3_DATA | RPL_MASK;
TrapFrame->HardwareEsp = 0x11FFE;
TrapFrame->ExceptionList = EXCEPTION_CHAIN_END;
TrapFrame->Dr7 = 0;
/* Set some debug fields if trap debugging is enabled */
KiFillTrapFrameDebug(TrapFrame);
/* Disable interrupts */
_disable();
/* Copy the thread's NPX frame */
RtlCopyMemory(NpxFrame, V86Frame->ThreadStack, sizeof(FX_SAVE_AREA));
/* Clear exception list */
KeGetPcr()->NtTib.ExceptionList = EXCEPTION_CHAIN_END;
/* Set new ESP0 */
KeGetPcr()->TSS->Esp0 = (ULONG_PTR)&TrapFrame->V86Es;
/* Set new initial stack */
Thread->InitialStack = V86Frame;
/* Set VDM TEB */
Thread->Teb = (PTEB)TRAMPOLINE_TEB;
KiSetTebBase(KeGetPcr(), (PVOID)TRAMPOLINE_TEB);
/* Enable interrupts */
_enable();
/* Start VDM execution */
NtVdmControl(VdmStartExecution, NULL);
/* Exit to V86 mode */
KiEoiHelper(TrapFrame);
}
static VOID IoThreadProc (PVOID threadArg)
{
EncryptedIoQueue *queue = (EncryptedIoQueue *) threadArg;
PLIST_ENTRY listEntry;
EncryptedIoRequest *request;
KeSetPriorityThread (KeGetCurrentThread(), LOW_REALTIME_PRIORITY);
if (!queue->IsFilterDevice && queue->SecurityClientContext)
{
#ifdef DEBUG
NTSTATUS status =
#endif
SeImpersonateClientEx (queue->SecurityClientContext, NULL);
ASSERT (NT_SUCCESS (status));
}
while (!queue->ThreadExitRequested)
{
if (!NT_SUCCESS (KeWaitForSingleObject (&queue->IoThreadQueueNotEmptyEvent, Executive, KernelMode, FALSE, NULL)))
continue;
if (queue->ThreadExitRequested)
break;
while ((listEntry = ExInterlockedRemoveHeadList (&queue->IoThreadQueue, &queue->IoThreadQueueLock)))
{
InterlockedDecrement (&queue->IoThreadPendingRequestCount);
request = CONTAINING_RECORD (listEntry, EncryptedIoRequest, ListEntry);
#ifdef TC_TRACE_IO_QUEUE
Dump ("%c %I64d [%I64d] roff=%I64d rlen=%d\n", request->Item->Write ? 'W' : 'R', request->Item->OriginalIrpOffset.QuadPart, GetElapsedTime (&queue->LastPerformanceCounter), request->Offset.QuadPart, request->Length);
#endif
// Perform IO request if no preceding request of the item failed
if (NT_SUCCESS (request->Item->Status))
{
if (queue->IsFilterDevice)
{
if (queue->RemapEncryptedArea && request->EncryptedLength > 0)
{
if (request->EncryptedLength != request->Length)
{
// Up to three subfragments may be required to handle a partially remapped fragment
int subFragment;
byte *subFragmentData = request->Data;
for (subFragment = 0 ; subFragment < 3; ++subFragment)
{
LARGE_INTEGER subFragmentOffset;
ULONG subFragmentLength;
subFragmentOffset.QuadPart = request->Offset.QuadPart;
switch (subFragment)
{
case 0:
subFragmentLength = (ULONG) request->EncryptedOffset;
break;
case 1:
subFragmentOffset.QuadPart += request->EncryptedOffset + queue->RemappedAreaOffset;
subFragmentLength = request->EncryptedLength;
break;
case 2:
subFragmentOffset.QuadPart += request->EncryptedOffset + request->EncryptedLength;
subFragmentLength = (ULONG) (request->Length - (request->EncryptedOffset + request->EncryptedLength));
break;
}
if (subFragmentLength > 0)
{
if (request->Item->Write)
request->Item->Status = TCWriteDevice (queue->LowerDeviceObject, subFragmentData, subFragmentOffset, subFragmentLength);
else
request->Item->Status = TCCachedRead (queue, NULL, subFragmentData, subFragmentOffset, subFragmentLength);
subFragmentData += subFragmentLength;
}
}
}
else
{
// Remap the fragment
LARGE_INTEGER remappedOffset;
remappedOffset.QuadPart = request->Offset.QuadPart + queue->RemappedAreaOffset;
if (request->Item->Write)
request->Item->Status = TCWriteDevice (queue->LowerDeviceObject, request->Data, remappedOffset, request->Length);
else
request->Item->Status = TCCachedRead (queue, NULL, request->Data, remappedOffset, request->Length);
}
}
else
{
if (request->Item->Write)
request->Item->Status = TCWriteDevice (queue->LowerDeviceObject, request->Data, request->Offset, request->Length);
else
request->Item->Status = TCCachedRead (queue, NULL, request->Data, request->Offset, request->Length);
}
}
else
{
IO_STATUS_BLOCK ioStatus;
if (request->Item->Write)
request->Item->Status = ZwWriteFile (queue->HostFileHandle, NULL, NULL, NULL, &ioStatus, request->Data, request->Length, &request->Offset, NULL);
else
request->Item->Status = TCCachedRead (queue, &ioStatus, request->Data, request->Offset, request->Length);
if (NT_SUCCESS (request->Item->Status) && ioStatus.Information != request->Length)
request->Item->Status = STATUS_END_OF_FILE;
}
}
if (request->Item->Write)
{
queue->ReadAheadBufferValid = FALSE;
ReleaseFragmentBuffer (queue, request->Data);
if (request->CompleteOriginalIrp)
{
CompleteOriginalIrp (request->Item, request->Item->Status,
NT_SUCCESS (request->Item->Status) ? request->Item->OriginalLength : 0);
}
ReleasePoolBuffer (queue, request);
}
else
{
BOOL readAhead = FALSE;
if (NT_SUCCESS (request->Item->Status))
memcpy (request->OrigDataBufferFragment, request->Data, request->Length);
ReleaseFragmentBuffer (queue, request->Data);
request->Data = request->OrigDataBufferFragment;
if (request->CompleteOriginalIrp
&& queue->LastReadLength > 0
&& NT_SUCCESS (request->Item->Status)
&& InterlockedExchangeAdd (&queue->IoThreadPendingRequestCount, 0) == 0)
{
readAhead = TRUE;
InterlockedIncrement (&queue->OutstandingIoCount);
}
ExInterlockedInsertTailList (&queue->CompletionThreadQueue, &request->CompletionListEntry, &queue->CompletionThreadQueueLock);
KeSetEvent (&queue->CompletionThreadQueueNotEmptyEvent, IO_DISK_INCREMENT, FALSE);
if (readAhead)
{
queue->ReadAheadBufferValid = FALSE;
queue->ReadAheadOffset.QuadPart = queue->LastReadOffset.QuadPart + queue->LastReadLength;
queue->ReadAheadLength = queue->LastReadLength;
if (queue->ReadAheadOffset.QuadPart + queue->ReadAheadLength <= queue->MaxReadAheadOffset.QuadPart)
{
#ifdef TC_TRACE_IO_QUEUE
Dump ("A %I64d [%I64d] roff=%I64d rlen=%d\n", request->Item->OriginalIrpOffset.QuadPart, GetElapsedTime (&queue->LastPerformanceCounter), queue->ReadAheadOffset, queue->ReadAheadLength);
#endif
if (queue->IsFilterDevice)
{
queue->ReadAheadBufferValid = NT_SUCCESS (TCReadDevice (queue->LowerDeviceObject, queue->ReadAheadBuffer, queue->ReadAheadOffset, queue->ReadAheadLength));
}
else
{
IO_STATUS_BLOCK ioStatus;
queue->ReadAheadBufferValid = NT_SUCCESS (ZwReadFile (queue->HostFileHandle, NULL, NULL, NULL, &ioStatus, queue->ReadAheadBuffer, queue->ReadAheadLength, &queue->ReadAheadOffset, NULL));
queue->ReadAheadLength = (ULONG) ioStatus.Information;
}
}
DecrementOutstandingIoCount (queue);
}
}
}
}
PsTerminateSystemThread (STATUS_SUCCESS);
}
/*
* @implemented
*/
NTSTATUS
NTAPI
Ke386CallBios(IN ULONG Int,
OUT PCONTEXT Context)
{
PUCHAR Trampoline = (PUCHAR)TRAMPOLINE_BASE;
PTEB VdmTeb = (PTEB)TRAMPOLINE_TEB;
PVDM_TIB VdmTib = (PVDM_TIB)TRAMPOLINE_TIB;
ULONG ContextSize = FIELD_OFFSET(CONTEXT, ExtendedRegisters);
PKTHREAD Thread = KeGetCurrentThread();
PKTSS Tss = KeGetPcr()->TSS;
PKPROCESS Process = Thread->ApcState.Process;
PVDM_PROCESS_OBJECTS VdmProcessObjects;
USHORT OldOffset, OldBase;
/* Start with a clean TEB */
RtlZeroMemory(VdmTeb, sizeof(TEB));
/* Write the interrupt and bop */
*Trampoline++ = 0xCD;
*Trampoline++ = (UCHAR)Int;
*(PULONG)Trampoline = TRAMPOLINE_BOP;
/* Setup the VDM TEB and TIB */
VdmTeb->Vdm = (PVOID)TRAMPOLINE_TIB;
RtlZeroMemory(VdmTib, sizeof(VDM_TIB));
VdmTib->Size = sizeof(VDM_TIB);
/* Set a blank VDM state */
*VdmState = 0;
/* Copy the context */
RtlCopyMemory(&VdmTib->VdmContext, Context, ContextSize);
VdmTib->VdmContext.SegCs = (ULONG_PTR)Trampoline >> 4;
VdmTib->VdmContext.SegSs = (ULONG_PTR)Trampoline >> 4;
VdmTib->VdmContext.Eip = 0;
VdmTib->VdmContext.Esp = 2 * PAGE_SIZE - sizeof(ULONG_PTR);
VdmTib->VdmContext.EFlags |= EFLAGS_V86_MASK | EFLAGS_INTERRUPT_MASK;
VdmTib->VdmContext.ContextFlags = CONTEXT_FULL;
/* This can't be a real VDM process */
ASSERT(PsGetCurrentProcess()->VdmObjects == NULL);
/* Allocate VDM structure */
VdmProcessObjects = ExAllocatePoolWithTag(NonPagedPool,
sizeof(VDM_PROCESS_OBJECTS),
' eK');
if (!VdmProcessObjects) return STATUS_NO_MEMORY;
/* Set it up */
RtlZeroMemory(VdmProcessObjects, sizeof(VDM_PROCESS_OBJECTS));
VdmProcessObjects->VdmTib = VdmTib;
PsGetCurrentProcess()->VdmObjects = VdmProcessObjects;
/* Set the system affinity for the current thread */
KeSetSystemAffinityThread(1);
/* Make sure there's space for two IOPMs, then copy & clear the current */
ASSERT(((PKIPCR)KeGetPcr())->GDT[KGDT_TSS / 8].LimitLow >=
(0x2000 + IOPM_OFFSET - 1));
RtlCopyMemory(Ki386IopmSaveArea, &Tss->IoMaps[0].IoMap, PAGE_SIZE * 2);
RtlZeroMemory(&Tss->IoMaps[0].IoMap, PAGE_SIZE * 2);
/* Save the old offset and base, and set the new ones */
OldOffset = Process->IopmOffset;
OldBase = Tss->IoMapBase;
Process->IopmOffset = (USHORT)IOPM_OFFSET;
Tss->IoMapBase = (USHORT)IOPM_OFFSET;
/* Switch stacks and work the magic */
Ki386SetupAndExitToV86Mode(VdmTeb);
/* Restore IOPM */
RtlCopyMemory(&Tss->IoMaps[0].IoMap, Ki386IopmSaveArea, PAGE_SIZE * 2);
Process->IopmOffset = OldOffset;
Tss->IoMapBase = OldBase;
/* Restore affinity */
KeRevertToUserAffinityThread();
/* Restore context */
RtlCopyMemory(Context, &VdmTib->VdmContext, ContextSize);
Context->ContextFlags = CONTEXT_FULL;
/* Free VDM objects */
ExFreePoolWithTag(PsGetCurrentProcess()->VdmObjects, ' eK');
PsGetCurrentProcess()->VdmObjects = NULL;
/* Return status */
return STATUS_SUCCESS;
}
static
VOID
TestResourceUndocumentedShortcuts(
IN PERESOURCE Res,
IN BOOLEAN AreApcsDisabled)
{
PVOID Ret;
LONG Count = 0;
ok_bool_false(KeAreApcsDisabled(), "KeAreApcsDisabled returned");
ok_eq_uint(KeAreAllApcsDisabled(), AreApcsDisabled);
/* ExEnterCriticalRegionAndAcquireResourceShared, ExEnterCriticalRegionAndAcquireSharedWaitForExclusive */
Count = 0;
Ret = ExEnterCriticalRegionAndAcquireResourceShared(Res); ++Count;
ok_eq_pointer(Ret, KeGetCurrentThread()->Win32Thread);
ok_bool_true(KeAreApcsDisabled(), "KeAreApcsDisabled returned");
ok_eq_bool(KeAreAllApcsDisabled(), AreApcsDisabled);
CheckResourceStatus(Res, FALSE, Count, 0LU, 0LU);
Ret = ExEnterCriticalRegionAndAcquireResourceShared(Res); ++Count;
ok_eq_pointer(Ret, KeGetCurrentThread()->Win32Thread);
ok_bool_true(KeAreApcsDisabled(), "KeAreApcsDisabled returned");
ok_eq_bool(KeAreAllApcsDisabled(), AreApcsDisabled);
CheckResourceStatus(Res, FALSE, Count, 0LU, 0LU);
ExEnterCriticalRegionAndAcquireSharedWaitForExclusive(Res); ++Count;
ok_eq_pointer(Ret, KeGetCurrentThread()->Win32Thread);
ok_bool_true(KeAreApcsDisabled(), "KeAreApcsDisabled returned");
ok_eq_bool(KeAreAllApcsDisabled(), AreApcsDisabled);
CheckResourceStatus(Res, FALSE, Count, 0LU, 0LU);
while (Count-- > 1)
{
ExReleaseResourceAndLeaveCriticalRegion(Res);
ok_bool_true(KeAreApcsDisabled(), "KeAreApcsDisabled returned");
ok_eq_bool(KeAreAllApcsDisabled(), AreApcsDisabled);
CheckResourceStatus(Res, FALSE, Count, 0LU, 0LU);
}
ExReleaseResourceAndLeaveCriticalRegion(Res);
ok_bool_false(KeAreApcsDisabled(), "KeAreApcsDisabled returned");
ok_eq_bool(KeAreAllApcsDisabled(), AreApcsDisabled);
CheckResourceStatus(Res, FALSE, Count, 0LU, 0LU);
/* ExEnterCriticalRegionAndAcquireResourceExclusive */
Count = 0;
ok_bool_false(KeAreApcsDisabled(), "KeAreApcsDisabled returned");
ok_eq_bool(KeAreAllApcsDisabled(), AreApcsDisabled);
Ret = ExEnterCriticalRegionAndAcquireResourceExclusive(Res); ++Count;
ok_eq_pointer(Ret, KeGetCurrentThread()->Win32Thread);
ok_bool_true(KeAreApcsDisabled(), "KeAreApcsDisabled returned");
ok_eq_bool(KeAreAllApcsDisabled(), AreApcsDisabled);
CheckResourceStatus(Res, TRUE, Count, 0LU, 0LU);
Ret = ExEnterCriticalRegionAndAcquireResourceExclusive(Res); ++Count;
ok_eq_pointer(Ret, KeGetCurrentThread()->Win32Thread);
ok_bool_true(KeAreApcsDisabled(), "KeAreApcsDisabled returned");
ok_eq_bool(KeAreAllApcsDisabled(), AreApcsDisabled);
CheckResourceStatus(Res, TRUE, Count, 0LU, 0LU);
ExReleaseResourceAndLeaveCriticalRegion(Res); --Count;
ok_bool_true(KeAreApcsDisabled(), "KeAreApcsDisabled returned");
ok_eq_bool(KeAreAllApcsDisabled(), AreApcsDisabled);
CheckResourceStatus(Res, TRUE, Count, 0LU, 0LU);
ExReleaseResourceAndLeaveCriticalRegion(Res); --Count;
ok_bool_false(KeAreApcsDisabled(), "KeAreApcsDisabled returned");
ok_eq_uint(KeAreAllApcsDisabled(), AreApcsDisabled);
CheckResourceStatus(Res, FALSE, Count, 0LU, 0LU);
}
VOID
KeBoostCurrentThread(
VOID
)
/*++
Routine Description:
This function boosts the priority of the current thread for one quantum,
then reduce the thread priority to the base priority of the thread.
Arguments:
None.
Return Value:
None.
--*/
{
KIRQL OldIrql;
PKTHREAD Thread;
//
// Get current thread address, raise IRQL to synchronization level, and
// lock the dispatcher database
//
Thread = KeGetCurrentThread();
redoboost:
KiLockDispatcherDatabase(&OldIrql);
//
// If a priority boost is not already active for the current thread
// and the thread priority is less than 14, then boost the thread
// priority to 14 and give the thread a large quantum. Otherwise,
// if a priority boost is active, then decrement the round trip
// count. If the count goes to zero, then release the dispatcher
// database lock, lower the thread priority to the base priority,
// and then attempt to boost the priority again. This will give
// other threads a chance to run. If the count does not reach zero,
// then give the thread another large qunatum.
//
// If the thread priority is above 14, then no boost is applied.
//
if ((Thread->PriorityDecrement == 0) && (Thread->Priority < 14)) {
Thread->PriorityDecrement = 14 - Thread->BasePriority;
Thread->DecrementCount = ROUND_TRIP_DECREMENT_COUNT;
Thread->Priority = 14;
Thread->Quantum = Thread->ApcState.Process->ThreadQuantum * 2;
} else if (Thread->PriorityDecrement != 0) {
Thread->DecrementCount -= 1;
if (Thread->DecrementCount == 0) {
KiUnlockDispatcherDatabase(OldIrql);
KeSetPriorityThread(Thread, Thread->BasePriority);
goto redoboost;
} else {
Thread->Quantum = Thread->ApcState.Process->ThreadQuantum * 2;
}
}
KiUnlockDispatcherDatabase(OldIrql);
return;
}
PRKTHREAD
KiQuantumEnd (
VOID
)
/*++
Routine Description:
This function is called when a quantum end event occurs on the current
processor. Its function is to determine whether the thread priority should
be decremented and whether a redispatch of the processor should occur.
Arguments:
None.
Return Value:
The next thread to be schedule on the current processor is returned as
the function value. If this value is not NULL, then the return is with
the dispatcher database locked. Otherwise, the dispatcher database is
unlocked.
--*/
{
KPRIORITY NewPriority;
KIRQL OldIrql;
PKPRCB Prcb;
KPRIORITY Priority;
PKPROCESS Process;
PRKTHREAD Thread;
PRKTHREAD NextThread;
//
// Acquire the dispatcher database lock.
//
Prcb = KeGetCurrentPrcb();
Thread = KeGetCurrentThread();
KiLockDispatcherDatabase(&OldIrql);
//
// If the quantum has expired for the current thread, then update its
// quantum and priority.
//
if (Thread->Quantum <= 0) {
//
// If quantum runout is disabled for the thread's process and
// the thread is running at a realtime priority, then set the
// thread quantum to the highest value and do not round robin
// at the thread's priority level. Otherwise, reset the thread
// quantum and decay the thread's priority as appropriate.
//
Process = Thread->ApcState.Process;
if ((Process->DisableQuantum != FALSE) &&
(Thread->Priority >= LOW_REALTIME_PRIORITY)) {
Thread->Quantum = MAXCHAR;
} else {
Thread->Quantum = Process->ThreadQuantum;
//
// Decrement the thread's current priority if the thread is not
// running in a realtime priority class and check to determine
// if the processor should be redispatched.
//
Priority = Thread->Priority;
if (Priority < LOW_REALTIME_PRIORITY) {
NewPriority = Priority - Thread->PriorityDecrement - 1;
if (NewPriority < Thread->BasePriority) {
NewPriority = Thread->BasePriority;
}
Thread->PriorityDecrement = 0;
} else {
NewPriority = Priority;
}
//
// If the new thread priority is different that the current thread
// priority, then the thread does not run at a realtime level and
// its priority should be set. Otherwise, attempt to round robin
// at the current level.
//
if (Priority != NewPriority) {
KiSetPriorityThread(Thread, NewPriority);
} else {
if (Prcb->NextThread == NULL) {
NextThread = KiFindReadyThread(Thread->NextProcessor, Priority);
if (NextThread != NULL) {
NextThread->State = Standby;
Prcb->NextThread = NextThread;
}
} else {
Thread->Preempted = FALSE;
}
}
}
}
//
// If a thread was scheduled for execution on the current processor,
// then return the address of the thread with the dispatcher database
// locked. Otherwise, return NULL with the dispatcher data unlocked.
//
NextThread = Prcb->NextThread;
if (NextThread == NULL) {
KiUnlockDispatcherDatabase(OldIrql);
}
return NextThread;
}
PCM_KEY_CONTROL_BLOCK
NTAPI
CmpCreateKeyControlBlock(IN PHHIVE Hive,
IN HCELL_INDEX Index,
IN PCM_KEY_NODE Node,
IN PCM_KEY_CONTROL_BLOCK Parent,
IN ULONG Flags,
IN PUNICODE_STRING KeyName)
{
PCM_KEY_CONTROL_BLOCK Kcb, FoundKcb = NULL;
UNICODE_STRING NodeName;
ULONG ConvKey = 0, i;
BOOLEAN IsFake, HashLock;
PWCHAR p;
/* Make sure we own this hive in case it's being unloaded */
if ((Hive->HiveFlags & HIVE_IS_UNLOADING) &&
(((PCMHIVE)Hive)->CreatorOwner != KeGetCurrentThread()))
{
/* Fail */
return NULL;
}
/* Check if this is a fake KCB */
IsFake = Flags & CMP_CREATE_FAKE_KCB ? TRUE : FALSE;
/* If we have a parent, use its ConvKey */
if (Parent) ConvKey = Parent->ConvKey;
/* Make a copy of the name */
NodeName = *KeyName;
/* Remove leading slash */
while ((NodeName.Length) && (*NodeName.Buffer == OBJ_NAME_PATH_SEPARATOR))
{
/* Move the buffer by one */
NodeName.Buffer++;
NodeName.Length -= sizeof(WCHAR);
}
/* Make sure we didn't get just a slash or something */
ASSERT(NodeName.Length > 0);
/* Now setup the hash */
p = NodeName.Buffer;
for (i = 0; i < NodeName.Length; i += sizeof(WCHAR))
{
/* Make sure it's a valid character */
if (*p != OBJ_NAME_PATH_SEPARATOR)
{
/* Add this key to the hash */
ConvKey = 37 * ConvKey + RtlUpcaseUnicodeChar(*p);
}
/* Move on */
p++;
}
/* Allocate the KCB */
Kcb = CmpAllocateKeyControlBlock();
if (!Kcb) return NULL;
/* Initailize the key list */
InitializeKCBKeyBodyList(Kcb);
/* Set it up */
Kcb->Signature = CM_KCB_SIGNATURE;
Kcb->Delete = FALSE;
Kcb->RefCount = 1;
Kcb->KeyHive = Hive;
Kcb->KeyCell = Index;
Kcb->ConvKey = ConvKey;
Kcb->DelayedCloseIndex = CmpDelayedCloseSize;
Kcb->InDelayClose = 0;
ASSERT_KCB_VALID(Kcb);
/* Check if we have two hash entires */
HashLock = Flags & CMP_LOCK_HASHES_FOR_KCB ? TRUE : FALSE;
if (!HashLock)
{
/* It's not locked, do we have a parent? */
if (Parent)
{
/* Lock the parent KCB and ourselves */
CmpAcquireTwoKcbLocksExclusiveByKey(ConvKey, Parent->ConvKey);
}
else
{
/* Lock only ourselves */
CmpAcquireKcbLockExclusive(Kcb);
}
}
/* Check if we already have a KCB */
FoundKcb = CmpInsertKeyHash(&Kcb->KeyHash, IsFake);
if (FoundKcb)
{
/* Sanity check */
ASSERT(!FoundKcb->Delete);
Kcb->Signature = CM_KCB_INVALID_SIGNATURE;
/* Free the one we allocated and reference this one */
CmpFreeKeyControlBlock(Kcb);
ASSERT_KCB_VALID(FoundKcb);
Kcb = FoundKcb;
if (!CmpReferenceKeyControlBlock(Kcb))
{
/* We got too many handles */
ASSERT(Kcb->RefCount + 1 != 0);
Kcb = NULL;
}
else
{
/* Check if we're not creating a fake one, but it used to be fake */
if ((Kcb->ExtFlags & CM_KCB_KEY_NON_EXIST) && !(IsFake))
{
/* Set the hive and cell */
Kcb->KeyHive = Hive;
Kcb->KeyCell = Index;
/* This means that our current information is invalid */
Kcb->ExtFlags = CM_KCB_INVALID_CACHED_INFO;
}
/* Check if we didn't have any valid data */
if (!(Kcb->ExtFlags & (CM_KCB_NO_SUBKEY |
CM_KCB_SUBKEY_ONE |
CM_KCB_SUBKEY_HINT)))
{
/* Calculate the index hint */
Kcb->SubKeyCount = Node->SubKeyCounts[Stable] +
Node->SubKeyCounts[Volatile];
/* Cached information is now valid */
Kcb->ExtFlags &= ~CM_KCB_INVALID_CACHED_INFO;
}
/* Setup the other data */
Kcb->KcbLastWriteTime = Node->LastWriteTime;
Kcb->KcbMaxNameLen = (USHORT)Node->MaxNameLen;
Kcb->KcbMaxValueNameLen = (USHORT)Node->MaxValueNameLen;
Kcb->KcbMaxValueDataLen = Node->MaxValueDataLen;
}
}
else
{
/* No KCB, do we have a parent? */
if (Parent)
{
/* Reference the parent */
if (((Parent->TotalLevels + 1) < 512) &&
(CmpReferenceKeyControlBlock(Parent)))
{
/* Link it */
Kcb->ParentKcb = Parent;
Kcb->TotalLevels = Parent->TotalLevels + 1;
}
else
{
/* Remove the KCB and free it */
CmpRemoveKeyControlBlock(Kcb);
Kcb->Signature = CM_KCB_INVALID_SIGNATURE;
CmpFreeKeyControlBlock(Kcb);
Kcb = NULL;
}
}
else
{
/* No parent, this is the root node */
Kcb->ParentKcb = NULL;
Kcb->TotalLevels = 1;
}
/* Check if we have a KCB */
if (Kcb)
{
/* Get the NCB */
Kcb->NameBlock = CmpGetNameControlBlock(&NodeName);
if (Kcb->NameBlock)
{
/* Fill it out */
Kcb->ValueCache.Count = Node->ValueList.Count;
Kcb->ValueCache.ValueList = Node->ValueList.List;
Kcb->Flags = Node->Flags;
Kcb->ExtFlags = 0;
Kcb->DelayedCloseIndex = CmpDelayedCloseSize;
/* Remember if this is a fake key */
if (IsFake) Kcb->ExtFlags |= CM_KCB_KEY_NON_EXIST;
/* Setup the other data */
Kcb->SubKeyCount = Node->SubKeyCounts[Stable] +
Node->SubKeyCounts[Volatile];
Kcb->KcbLastWriteTime = Node->LastWriteTime;
Kcb->KcbMaxNameLen = (USHORT)Node->MaxNameLen;
Kcb->KcbMaxValueNameLen = (USHORT)Node->MaxValueNameLen;
Kcb->KcbMaxValueDataLen = (USHORT)Node->MaxValueDataLen;
}
else
{
/* Dereference the KCB */
CmpDereferenceKeyControlBlockWithLock(Parent, FALSE);
/* Remove the KCB and free it */
CmpRemoveKeyControlBlock(Kcb);
Kcb->Signature = CM_KCB_INVALID_SIGNATURE;
CmpFreeKeyControlBlock(Kcb);
Kcb = NULL;
}
}
}
/* Check if this is a KCB inside a frozen hive */
if ((Kcb) && (((PCMHIVE)Hive)->Frozen) && (!(Kcb->Flags & KEY_SYM_LINK)))
{
/* Don't add these to the delay close */
Kcb->ExtFlags |= CM_KCB_NO_DELAY_CLOSE;
}
/* Sanity check */
ASSERT((!Kcb) || (Kcb->Delete == FALSE));
/* Check if we had locked the hashes */
if (!HashLock)
{
/* We locked them manually, do we have a parent? */
if (Parent)
{
/* Unlock the parent KCB and ourselves */
CmpReleaseTwoKcbLockByKey(ConvKey, Parent->ConvKey);
}
else
{
/* Unlock only ourselves */
CmpReleaseKcbLockByKey(ConvKey);
}
}
/* Return the KCB */
return Kcb;
}
NTSTATUS
NtW32Call (
IN ULONG ApiNumber,
IN PVOID InputBuffer,
IN ULONG InputLength,
OUT PVOID *OutputBuffer,
OUT PULONG OutputLength
)
/*++
Routine Description:
This function calls a W32 function.
Arguments:
ApiNumber - Supplies the API number.
InputBuffer - Supplies a pointer to a structure that is copied to
the user stack.
InputLength - Supplies the length of the input structure.
Outputbuffer - Supplies a pointer to a variable that recevies the
output buffer address.
Outputlength - Supplies a pointer to a variable that recevies the
output buffer length.
Return Value:
TBS.
--*/
{
PVOID ValueBuffer;
ULONG ValueLength;
NTSTATUS Status;
ASSERT(KeGetPreviousMode() == UserMode);
//
// If the current thread is not a GUI thread, then fail the service
// since the thread does not have a large stack.
//
if (KeGetCurrentThread()->Win32Thread == (PVOID)&KeServiceDescriptorTable[0]) {
return STATUS_NOT_IMPLEMENTED;
}
//
// Probe the output buffer address and length for writeability.
//
try {
ProbeForWriteUlong((PULONG)OutputBuffer);
ProbeForWriteUlong(OutputLength);
//
// If an exception occurs during the probe of the output buffer or
// length, then always handle the exception and return the exception
// code as the status value.
//
} except(EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode();
}
//
// Call out to user mode specifying the input buffer and API number.
//
Status = KeUserModeCallback(ApiNumber,
InputBuffer,
InputLength,
&ValueBuffer,
&ValueLength);
//
// If the callout is successful, then the output buffer address and
// length.
//
if (NT_SUCCESS(Status)) {
try {
*OutputBuffer = ValueBuffer;
*OutputLength = ValueLength;
} except(EXCEPTION_EXECUTE_HANDLER) {
}
}
return Status;
}
LONG
KeReleaseSemaphore (
IN PRKSEMAPHORE Semaphore,
IN KPRIORITY Increment,
IN LONG Adjustment,
IN BOOLEAN Wait
)
/*++
Routine Description:
This function releases a semaphore by adding the specified adjustment
value to the current semaphore count and attempts to satisfy as many
Waits as possible. The previous signal state of the semaphore object
is returned as the function value.
Arguments:
Semaphore - Supplies a pointer to a dispatcher object of type
semaphore.
Increment - Supplies the priority increment that is to be applied
if releasing the semaphore causes a Wait to be satisfied.
Adjustment - Supplies value that is to be added to the current
semaphore count.
Wait - Supplies a boolean value that signifies whether the call to
KeReleaseSemaphore will be immediately followed by a call to one
of the kernel Wait functions.
Return Value:
The previous signal state of the semaphore object.
--*/
{
LONG NewState;
KIRQL OldIrql;
LONG OldState;
PRKTHREAD Thread;
ASSERT_SEMAPHORE( Semaphore );
ASSERT(KeGetCurrentIrql() <= DISPATCH_LEVEL);
//
// Raise IRQL to dispatcher level and lock dispatcher database.
//
KiLockDispatcherDatabase(&OldIrql);
//
// Capture the current signal state of the semaphore object and
// compute the new count value.
//
OldState = Semaphore->Header.SignalState;
NewState = OldState + Adjustment;
//
// If the new state value is greater than the limit or a carry occurs,
// then unlock the dispatcher database, and raise an exception.
//
if ((NewState > Semaphore->Limit) || (NewState < OldState)) {
KiUnlockDispatcherDatabase(OldIrql);
ExRaiseStatus(STATUS_SEMAPHORE_LIMIT_EXCEEDED);
}
//
// Set the new signal state of the semaphore object and set the wait
// next value. If the previous signal state was Not-Signaled (i.e.
// the count was zero), and the wait queue is not empty, then attempt
// to satisfy as many Waits as possible.
//
Semaphore->Header.SignalState = NewState;
if ((OldState == 0) && (IsListEmpty(&Semaphore->Header.WaitListHead) == FALSE)) {
KiWaitTest(Semaphore, Increment);
}
//
// If the value of the Wait argument is TRUE, then return to the
// caller with IRQL raised and the dispatcher database locked. Else
// release the dispatcher database lock and lower IRQL to its
// previous value.
//
if (Wait != FALSE) {
Thread = KeGetCurrentThread();
Thread->WaitNext = Wait;
Thread->WaitIrql = OldIrql;
} else {
KiUnlockDispatcherDatabase(OldIrql);
}
//
// Return previous signal state of sempahore object.
//
return OldState;
}
LONG
KeReleaseMutant (
IN PRKMUTANT Mutant,
IN KPRIORITY Increment,
IN BOOLEAN Abandoned,
IN BOOLEAN Wait
)
/*++
Routine Description:
This function releases a mutant object by incrementing the mutant
count. If the resultant value is one, then an attempt is made to
satisfy as many Waits as possible. The previous signal state of
the mutant is returned as the function value. If the Abandoned
parameter is TRUE, then the mutant object is released by settings
the signal state to one.
Arguments:
Mutant - Supplies a pointer to a dispatcher object of type mutant.
Increment - Supplies the priority increment that is to be applied
if setting the event causes a Wait to be satisfied.
Abandoned - Supplies a boolean value that signifies whether the
mutant object is being abandoned.
Wait - Supplies a boolean value that signifies whether the call to
KeReleaseMutant will be immediately followed by a call to one
of the kernel Wait functions.
Return Value:
The previous signal state of the mutant object.
--*/
{
KIRQL OldIrql;
LONG OldState;
PRKTHREAD Thread;
ASSERT_MUTANT(Mutant);
ASSERT(KeGetCurrentIrql() <= DISPATCH_LEVEL);
//
// Raise IRQL to dispatcher level and lock dispatcher database.
//
KiLockDispatcherDatabase(&OldIrql);
//
// Capture the current signal state of the mutant object.
//
OldState = Mutant->Header.SignalState;
//
// If the Abandoned parameter is TRUE, then force the release of the
// mutant object by setting its ownership count to one and setting its
// abandoned state to TRUE. Otherwise increment mutant ownership count.
// If the result count is one, then remove the mutant object from the
// thread's owned mutant list, set the owner thread to NULL, and attempt
// to satisfy a Wait for the mutant object if the mutant object wait
// list is not empty.
//
Thread = KeGetCurrentThread();
if (Abandoned != FALSE) {
Mutant->Header.SignalState = 1;
Mutant->Abandoned = TRUE;
} else {
//
// If the Mutant object is not owned by the current thread, then
// unlock the dispatcher data base and raise an exception. Otherwise
// increment the ownership count.
//
if (Mutant->OwnerThread != Thread) {
KiUnlockDispatcherDatabase(OldIrql);
ExRaiseStatus(Mutant->Abandoned ?
STATUS_ABANDONED : STATUS_MUTANT_NOT_OWNED);
}
Mutant->Header.SignalState += 1;
}
if (Mutant->Header.SignalState == 1) {
if (OldState <= 0) {
RemoveEntryList(&Mutant->MutantListEntry);
Thread->KernelApcDisable += Mutant->ApcDisable;
if ((Thread->KernelApcDisable == 0) &&
(IsListEmpty(&Thread->ApcState.ApcListHead[KernelMode]) == FALSE)) {
Thread->ApcState.KernelApcPending = TRUE;
KiRequestSoftwareInterrupt(APC_LEVEL);
}
}
Mutant->OwnerThread = (PKTHREAD)NULL;
if (IsListEmpty(&Mutant->Header.WaitListHead) == FALSE) {
KiWaitTest(Mutant, Increment);
}
}
//
// If the value of the Wait argument is TRUE, then return to
// caller with IRQL raised and the dispatcher database locked.
// Else release the dispatcher database lock and lower IRQL to
// its previous value.
//
if (Wait != FALSE) {
Thread->WaitNext = Wait;
Thread->WaitIrql = OldIrql;
} else {
KiUnlockDispatcherDatabase(OldIrql);
}
//
// Return previous signal state of mutant object.
//
return OldState;
}
NTSTATUS
KeUserModeCallback (
IN ULONG ApiNumber,
IN PVOID InputBuffer,
IN ULONG InputLength,
OUT PVOID *OutputBuffer,
IN PULONG OutputLength
)
/*++
Routine Description:
This function call out from kernel mode to a user mode function.
Arguments:
ApiNumber - Supplies the API number.
InputBuffer - Supplies a pointer to a structure that is copied
to the user stack.
InputLength - Supplies the length of the input structure.
Outputbuffer - Supplies a pointer to a variable that receives
the address of the output buffer.
Outputlength - Supplies a pointer to a variable that receives
the length of the output buffer.
Return Value:
If the callout cannot be executed, then an error status is returned.
Otherwise, the status returned by the callback function is returned.
--*/
{
volatile ULONG BatchCount;
PUCALLOUT_FRAME CalloutFrame;
ULONG Length;
ULONG64 OldStack;
NTSTATUS Status;
PKTRAP_FRAME TrapFrame;
ASSERT(KeGetPreviousMode() == UserMode);
//
// Check if a kernel stack expand callout is active.
//
KeCheckIfStackExpandCalloutActive();
//
// Get the user mode stack pointer and attempt to copy input buffer
// to the user stack.
//
TrapFrame = KeGetCurrentThread()->TrapFrame;
OldStack = TrapFrame->Rsp;
try {
//
// Compute new user mode stack address, probe for writability, and
// copy the input buffer to the user stack.
//
Length = ((InputLength + STACK_ROUND) & ~STACK_ROUND) + UCALLOUT_FRAME_LENGTH;
CalloutFrame = (PUCALLOUT_FRAME)((OldStack - Length) & ~STACK_ROUND);
ProbeForWrite(CalloutFrame, Length, STACK_ALIGN);
RtlCopyMemory(CalloutFrame + 1, InputBuffer, InputLength);
//
// Fill in callout arguments.
//
CalloutFrame->Buffer = (PVOID)(CalloutFrame + 1);
CalloutFrame->Length = InputLength;
CalloutFrame->ApiNumber = ApiNumber;
CalloutFrame->MachineFrame.Rsp = OldStack;
CalloutFrame->MachineFrame.Rip = TrapFrame->Rip;
//
// If an exception occurs during the probe of the user stack, then
// always handle the exception and return the exception code as the
// status value.
//
} except (EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode();
}
//
// Call user mode.
//
TrapFrame->Rsp = (ULONG64)CalloutFrame;
Status = KiCallUserMode(OutputBuffer, OutputLength);
//
// When returning from user mode, any drawing done to the GDI TEB
// batch must be flushed.
//
// N.B. It is possible to fault while referencing the user TEB. If
// a fault occurs, then always flush the batch count.
//
BatchCount = 1;
try {
BatchCount = ((PTEB)KeGetCurrentThread()->Teb)->GdiBatchCount;
} except (EXCEPTION_EXECUTE_HANDLER) {
NOTHING;
}
if (BatchCount > 0) {
TrapFrame->Rsp -= 256;
KeGdiFlushUserBatch();
}
TrapFrame->Rsp = OldStack;
return Status;
}
__drv_mustHoldCriticalRegion
NTSTATUS
FatPostStackOverflowRead (
IN PIRP_CONTEXT IrpContext,
IN PIRP Irp,
IN PFCB Fcb
)
/*++
Routine Description:
This routine posts a read request that could not be processed by
the fsp thread because of stack overflow potential.
Arguments:
Irp - Supplies the request to process.
Fcb - Supplies the file.
Return Value:
STATUS_PENDING.
--*/
{
KEVENT Event;
PERESOURCE Resource;
PVCB Vcb;
PAGED_CODE();
DebugTrace(0, Dbg, "Getting too close to stack limit pass request to Fsp\n", 0 );
//
// Initialize an event and get shared on the resource we will
// be later using the common read.
//
KeInitializeEvent( &Event, NotificationEvent, FALSE );
//
// Preacquire the resource the read path will require so we know the
// worker thread can proceed without waiting.
//
if (FlagOn(Irp->Flags, IRP_PAGING_IO) && (Fcb->Header.PagingIoResource != NULL)) {
Resource = Fcb->Header.PagingIoResource;
} else {
Resource = Fcb->Header.Resource;
}
//
// If there are no resources assodicated with the file (case: the virtual
// volume file), it is OK. No resources will be acquired on the other side
// as well.
//
if (Resource) {
ExAcquireResourceSharedLite( Resource, TRUE );
}
if (NodeType( Fcb ) == FAT_NTC_VCB) {
Vcb = (PVCB) Fcb;
} else {
Vcb = Fcb->Vcb;
}
try {
//
// Make the Irp just like a regular post request and
// then send the Irp to the special overflow thread.
// After the post we will wait for the stack overflow
// read routine to set the event that indicates we can
// now release the scb resource and return.
//
FatPrePostIrp( IrpContext, Irp );
//
// If this read is the result of a verify, we have to
// tell the overflow read routne to temporarily
// hijack the Vcb->VerifyThread field so that reads
// can go through.
//
if (Vcb->VerifyThread == KeGetCurrentThread()) {
SetFlag(IrpContext->Flags, IRP_CONTEXT_FLAG_VERIFY_READ);
}
FsRtlPostStackOverflow( IrpContext, &Event, FatStackOverflowRead );
//
// And wait for the worker thread to complete the item
//
KeWaitForSingleObject( &Event, Executive, KernelMode, FALSE, NULL );
} finally {
if (Resource) {
ExReleaseResourceLite( Resource );
}
}
return STATUS_PENDING;
}
/*
* @implemented
*/
NTSTATUS
NTAPI
NtYieldExecution(VOID)
{
NTSTATUS Status;
KIRQL OldIrql;
PKPRCB Prcb;
PKTHREAD Thread, NextThread;
/* NB: No instructions (other than entry code) should preceed this line */
/* Fail if there's no ready summary */
if (!KiGetCurrentReadySummary()) return STATUS_NO_YIELD_PERFORMED;
/* Now get the current thread, set the status... */
Status = STATUS_NO_YIELD_PERFORMED;
Thread = KeGetCurrentThread();
/* Raise IRQL to synch and get the KPRCB now */
OldIrql = KeRaiseIrqlToSynchLevel();
Prcb = KeGetCurrentPrcb();
/* Now check if there's still a ready summary */
if (Prcb->ReadySummary)
{
/* Acquire thread and PRCB lock */
KiAcquireThreadLock(Thread);
KiAcquirePrcbLock(Prcb);
/* Find a new thread to run if none was selected */
if (!Prcb->NextThread) Prcb->NextThread = KiSelectReadyThread(1, Prcb);
/* Make sure we still have a next thread to schedule */
NextThread = Prcb->NextThread;
if (NextThread)
{
/* Reset quantum and recalculate priority */
Thread->Quantum = Thread->QuantumReset;
Thread->Priority = KiComputeNewPriority(Thread, 1);
/* Release the thread lock */
KiReleaseThreadLock(Thread);
/* Set context swap busy */
KiSetThreadSwapBusy(Thread);
/* Set the new thread as running */
Prcb->NextThread = NULL;
Prcb->CurrentThread = NextThread;
NextThread->State = Running;
/* Setup a yield wait and queue the thread */
Thread->WaitReason = WrYieldExecution;
KxQueueReadyThread(Thread, Prcb);
/* Make it wait at APC_LEVEL */
Thread->WaitIrql = APC_LEVEL;
/* Sanity check */
ASSERT(OldIrql <= DISPATCH_LEVEL);
/* Swap to new thread */
KiSwapContext(APC_LEVEL, Thread);
Status = STATUS_SUCCESS;
}
else
{
/* Release the PRCB and thread lock */
KiReleasePrcbLock(Prcb);
KiReleaseThreadLock(Thread);
}
}
/* Lower IRQL and return */
KeLowerIrql(OldIrql);
return Status;
}
static
VOID
TestEventConcurrent(
IN PKEVENT Event,
IN EVENT_TYPE Type,
IN KIRQL OriginalIrql,
PSET_EVENT_FUNCTION SetEvent,
KPRIORITY PriorityIncrement,
LONG ExpectedState,
BOOLEAN SatisfiesAll)
{
NTSTATUS Status;
THREAD_DATA Threads[5];
const INT ThreadCount = sizeof Threads / sizeof Threads[0];
KPRIORITY Priority;
LARGE_INTEGER LongTimeout, ShortTimeout;
INT i;
KWAIT_BLOCK WaitBlock[MAXIMUM_WAIT_OBJECTS];
PVOID ThreadObjects[MAXIMUM_WAIT_OBJECTS];
LONG State;
PKTHREAD Thread = KeGetCurrentThread();
LongTimeout.QuadPart = -100 * MILLISECOND;
ShortTimeout.QuadPart = -1 * MILLISECOND;
KeInitializeEvent(Event, Type, FALSE);
for (i = 0; i < ThreadCount; ++i)
{
Threads[i].Event = Event;
Threads[i].Signal = FALSE;
Status = PsCreateSystemThread(&Threads[i].Handle, GENERIC_ALL, NULL, NULL, NULL, WaitForEventThread, &Threads[i]);
ok_eq_hex(Status, STATUS_SUCCESS);
Status = ObReferenceObjectByHandle(Threads[i].Handle, SYNCHRONIZE, PsThreadType, KernelMode, (PVOID *)&Threads[i].Thread, NULL);
ok_eq_hex(Status, STATUS_SUCCESS);
ThreadObjects[i] = Threads[i].Thread;
Priority = KeQueryPriorityThread(Threads[i].Thread);
ok_eq_long(Priority, 8L);
while (!Threads[i].Signal)
{
Status = KeDelayExecutionThread(KernelMode, FALSE, &ShortTimeout);
ok_eq_hex(Status, STATUS_SUCCESS);
}
CheckEvent(Event, Type, 0L, FALSE, OriginalIrql, ThreadObjects, i + 1);
}
/* the threads shouldn't wake up on their own */
Status = KeDelayExecutionThread(KernelMode, FALSE, &ShortTimeout);
ok_eq_hex(Status, STATUS_SUCCESS);
for (i = 0; i < ThreadCount; ++i)
{
CheckEvent(Event, Type, 0L, FALSE, OriginalIrql, ThreadObjects + i, ThreadCount - i);
State = SetEvent(Event, PriorityIncrement + i, FALSE);
ok_eq_long(State, 0L);
CheckEvent(Event, Type, ExpectedState, FALSE, OriginalIrql, ThreadObjects + i + 1, SatisfiesAll ? 0 : ThreadCount - i - 1);
Status = KeWaitForMultipleObjects(ThreadCount, ThreadObjects, SatisfiesAll ? WaitAll : WaitAny, Executive, KernelMode, FALSE, &LongTimeout, WaitBlock);
ok_eq_hex(Status, STATUS_WAIT_0 + i);
if (SatisfiesAll)
{
for (; i < ThreadCount; ++i)
{
Priority = KeQueryPriorityThread(Threads[i].Thread);
ok_eq_long(Priority, max(min(8L + PriorityIncrement, 15L), 8L));
}
break;
}
Priority = KeQueryPriorityThread(Threads[i].Thread);
ok_eq_long(Priority, max(min(8L + PriorityIncrement + i, 15L), 8L));
/* replace the thread with the current thread - which will never signal */
if (!skip((Status & 0x3F) < ThreadCount, "Index out of bounds"))
ThreadObjects[Status & 0x3F] = Thread;
Status = KeWaitForMultipleObjects(ThreadCount, ThreadObjects, WaitAny, Executive, KernelMode, FALSE, &ShortTimeout, WaitBlock);
ok_eq_hex(Status, STATUS_TIMEOUT);
}
for (i = 0; i < ThreadCount; ++i)
{
ObDereferenceObject(Threads[i].Thread);
Status = ZwClose(Threads[i].Handle);
ok_eq_hex(Status, STATUS_SUCCESS);
}
}
NTSTATUS
FatPostStackOverflowRead (
IN PIRP_CONTEXT IrpContext,
IN PIRP Irp,
IN PFCB Fcb
)
/*++
Routine Description:
This routine posts a read request that could not be processed by
the fsp thread because of stack overflow potential.
Arguments:
Irp - Supplies the request to process.
Fcb - Supplies the file.
Return Value:
STATUS_PENDING.
--*/
{
PKEVENT Event;
PERESOURCE Resource;
DebugTrace(0, Dbg, "Getting too close to stack limit pass request to Fsp\n", 0 );
//
// Allocate an event and get shared on the resource we will
// be later using the common read.
//
Event = FsRtlAllocatePool( NonPagedPool, sizeof(KEVENT) );
KeInitializeEvent( Event, NotificationEvent, FALSE );
if (FlagOn(Irp->Flags, IRP_PAGING_IO) && (Fcb->Header.PagingIoResource != NULL)) {
Resource = Fcb->Header.PagingIoResource;
} else {
Resource = Fcb->Header.Resource;
}
ExAcquireResourceShared( Resource, TRUE );
try {
//
// Make the Irp just like a regular post request and
// then send the Irp to the special overflow thread.
// After the post we will wait for the stack overflow
// read routine to set the event that indicates we can
// now release the scb resource and return.
//
FatPrePostIrp( IrpContext, Irp );
//
// If this read is the result of a verify, we have to
// tell the overflow read routne to temporarily
// hijack the Vcb->VerifyThread field so that reads
// can go through.
//
if (Fcb->Vcb->VerifyThread == KeGetCurrentThread()) {
SetFlag(IrpContext->Flags, IRP_CONTEXT_FLAG_VERIFY_READ);
}
FsRtlPostStackOverflow( IrpContext, Event, FatStackOverflowRead );
//
// And wait for the worker thread to complete the item
//
(VOID) KeWaitForSingleObject( Event, Executive, KernelMode, FALSE, NULL );
}
finally {
ExReleaseResource( Resource );
ExFreePool( Event );
}
return STATUS_PENDING;
}
