archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/base/ntos/io/iomgr/ioverifier.c

1111 lines
30 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 1989 Microsoft Corporation
  5. Module Name:
  7. ioverifier.c
  9. Abstract:
  11. This module contains the routines to verify suspect drivers.
  13. Author:
  15. Narayanan Ganapathy (narg) 8-Jan-1999
  17. Revision History:
  19. Adrian J. Oney (AdriaO) 28-Feb-1999
  20. - merge in special irp code.
  22. --*/
  24. #include "iomgr.h"
  25. #include "malloc.h"
  26. #include "..\verifier\vfdeadlock.h"
  28. #if (( defined(_X86_) ) && ( FPO ))
  29. #pragma optimize( "y", off ) // disable FPO for consistent stack traces
  30. #endif
  33. #define IO_FREE_IRP_TYPE_INVALID 1
  34. #define IO_FREE_IRP_NOT_ASSOCIATED_WITH_THREAD 2
  35. #define IO_CALL_DRIVER_IRP_TYPE_INVALID 3
  36. #define IO_CALL_DRIVER_INVALID_DEVICE_OBJECT 4
  37. #define IO_CALL_DRIVER_IRQL_NOT_EQUAL 5
  38. #define IO_COMPLETE_REQUEST_INVALID_STATUS 6
  39. #define IO_COMPLETE_REQUEST_CANCEL_ROUTINE_SET 7
  40. #define IO_BUILD_FSD_REQUEST_EXCEPTION 8
  41. #define IO_BUILD_IOCTL_REQUEST_EXCEPTION 9
  42. #define IO_REINITIALIZING_TIMER_OBJECT 10
  43. #define IO_INVALID_HANDLE 11
  44. #define IO_INVALID_STACK_IOSB 12
  45. #define IO_INVALID_STACK_EVENT 13
  46. #define IO_COMPLETE_REQUEST_INVALID_IRQL 14
  48. //
  49. // 0x200 and up are defined in ioassert.c
  50. //
  53. #ifdef IOV_KD_PRINT
  54. #define IovpKdPrint(x) KdPrint(x)
  55. #else
  56. #define IovpKdPrint(x)
  57. #endif
  59. BOOLEAN
  60. IovpValidateDeviceObject(
  61. IN PDEVICE_OBJECT DeviceObject
  62. );
  63. VOID
  64. IovFreeIrpPrivate(
  65. IN PIRP Irp
  66. );
  68. NTSTATUS
  69. IovpUnloadDriver(
  70. PDRIVER_OBJECT DriverObject
  71. );
  73. BOOLEAN
  74. IovpBuildDriverObjectList(
  75. IN PVOID Object,
  76. IN PUNICODE_STRING ObjectName,
  77. IN ULONG HandleCount,
  78. IN ULONG PointerCount,
  79. IN PVOID Parameter
  80. );
  82. NTSTATUS
  83. IovpLocalCompletionRoutine(
  84. IN PDEVICE_OBJECT DeviceObject,
  85. IN PIRP Irp,
  86. IN PVOID Context
  87. );
  90. typedef struct _IOV_COMPLETION_CONTEXT {
  91. PIO_STACK_LOCATION StackPointer;
  92. PVOID IrpContext;
  93. PVOID GlobalContext;
  94. PIO_COMPLETION_ROUTINE CompletionRoutine;
  95. IO_STACK_LOCATION OldStackContents;
  96. } IOV_COMPLETION_CONTEXT, *PIOV_COMPLETION_CONTEXT;
  99. #ifdef ALLOC_PRAGMA
  100. #pragma alloc_text(INIT, IoVerifierInit)
  101. #pragma alloc_text(PAGEVRFY,IovAllocateIrp)
  102. #pragma alloc_text(PAGEVRFY,IovFreeIrp)
  103. #pragma alloc_text(PAGEVRFY,IovCallDriver)
  104. #pragma alloc_text(PAGEVRFY,IovCompleteRequest)
  105. #pragma alloc_text(PAGEVRFY,IovpValidateDeviceObject)
  106. #pragma alloc_text(PAGEVRFY,IovFreeIrpPrivate)
  107. #pragma alloc_text(PAGEVRFY,IovUnloadDrivers)
  108. #pragma alloc_text(PAGEVRFY,IovpUnloadDriver)
  109. #pragma alloc_text(PAGEVRFY,IovBuildDeviceIoControlRequest)
  110. #pragma alloc_text(PAGEVRFY,IovBuildAsynchronousFsdRequest)
  111. #pragma alloc_text(PAGEVRFY,IovpCompleteRequest)
  112. #pragma alloc_text(PAGEVRFY,IovpBuildDriverObjectList)
  113. #pragma alloc_text(PAGEVRFY,IovInitializeIrp)
  114. #pragma alloc_text(PAGEVRFY,IovCancelIrp)
  115. #pragma alloc_text(PAGEVRFY,IovAttachDeviceToDeviceStack)
  116. #pragma alloc_text(PAGEVRFY,IovInitializeTimer)
  117. #pragma alloc_text(PAGEVRFY,IovDetachDevice)
  118. #pragma alloc_text(PAGEVRFY,IovDeleteDevice)
  119. #pragma alloc_text(PAGEVRFY,IovpLocalCompletionRoutine)
  120. #endif
  122. BOOLEAN IopVerifierOn = FALSE;
  123. ULONG IovpVerifierLevel = (ULONG)0;
  124. LONG IovpInitCalled = 0;
  125. ULONG IovpVerifierFlags = 0; // Stashes the verifier flags passed at init.
  127. #ifdef ALLOC_DATA_PRAGMA
  128. #pragma data_seg("INITDATA")
  129. #endif
  130. BOOLEAN IoVerifierOnByDefault = TRUE;
  131. #ifdef ALLOC_DATA_PRAGMA
  132. #pragma data_seg()
  133. #endif
  135. VOID
  136. IoVerifierInit(
  137. IN ULONG VerifierFlags
  138. )
  139. {
  140. IovpVerifierLevel = 2;
  142. if (IoVerifierOnByDefault) {
  143. VerifierFlags |= DRIVER_VERIFIER_IO_CHECKING;
  144. }
  146. VfInitVerifier(VerifierFlags);
  148. if (!VerifierFlags) {
  149. return;
  150. }
  152. pIoAllocateIrp = IovAllocateIrp;
  154. if (!(VerifierFlags & DRIVER_VERIFIER_IO_CHECKING)) {
  156. if (!(VerifierFlags & DRIVER_VERIFIER_DEADLOCK_DETECTION) &&
  157. !(VerifierFlags & DRIVER_VERIFIER_DMA_VERIFIER)) {
  159. return;
  161. } else {
  163. //
  164. // If deadlock or DMA verifier are on we need to let the function
  165. // continue to install the hooks but we will set the
  166. // I/O verifier level to minimal checks.
  167. //
  168. IovpVerifierLevel = 0;
  169. }
  170. }
  172. //
  173. // Enable and hook in the verifier.
  174. //
  175. IopVerifierOn = TRUE;
  176. IovpInitCalled = 1;
  177. IovpVerifierFlags = VerifierFlags;
  179. //
  180. // Initialize the special IRP code as appropriate.
  181. //
  182. InterlockedExchangePointer((PVOID *)&pIofCallDriver, (PVOID) IovCallDriver);
  183. InterlockedExchangePointer((PVOID *)&pIofCompleteRequest, (PVOID) IovCompleteRequest);
  184. InterlockedExchangePointer((PVOID *)&pIoFreeIrp, (PVOID) IovFreeIrpPrivate);
  186. ASSERT(KeGetCurrentIrql() <= APC_LEVEL);
  187. }
  190. BOOLEAN
  191. IovpValidateDeviceObject(
  192. IN PDEVICE_OBJECT DeviceObject
  193. )
  194. {
  195. if ((DeviceObject->Type != IO_TYPE_DEVICE) ||
  196. (DeviceObject->DriverObject == NULL) ||
  197. (DeviceObject->ReferenceCount < 0 )) {
  198. return FALSE;
  199. } else {
  200. return TRUE;
  201. }
  202. }
  204. VOID
  205. IovFreeIrp(
  206. IN PIRP Irp
  207. )
  208. {
  209. IovFreeIrpPrivate(Irp);
  210. }
  212. VOID
  213. IovFreeIrpPrivate(
  214. IN PIRP Irp
  215. )
  216. {
  217. BOOLEAN freeHandled ;
  219. if (IopVerifierOn) {
  220. if (Irp->Type != IO_TYPE_IRP) {
  221. KeBugCheckEx(DRIVER_VERIFIER_IOMANAGER_VIOLATION,
  222. IO_FREE_IRP_TYPE_INVALID,
  223. (ULONG_PTR)Irp,
  224. 0,
  225. 0);
  226. }
  227. if (!IsListEmpty(&(Irp)->ThreadListEntry)) {
  228. KeBugCheckEx(DRIVER_VERIFIER_IOMANAGER_VIOLATION,
  229. IO_FREE_IRP_NOT_ASSOCIATED_WITH_THREAD,
  230. (ULONG_PTR)Irp,
  231. 0,
  232. 0);
  233. }
  234. }
  236. VerifierIoFreeIrp(Irp, &freeHandled);
  238. if (freeHandled) {
  240. return;
  241. }
  243. IopFreeIrp(Irp);
  244. }
  246. NTSTATUS
  247. FASTCALL
  248. IovCallDriver(
  249. IN PDEVICE_OBJECT DeviceObject,
  250. IN OUT PIRP Irp
  251. )
  252. {
  253. KIRQL saveIrql;
  254. NTSTATUS status;
  255. PIOFCALLDRIVER_STACKDATA iofCallDriverStackData;
  256. BOOLEAN pagingIrp;
  258. if (!IopVerifierOn) {
  260. return IopfCallDriver(DeviceObject, Irp);
  261. }
  263. if (Irp->Type != IO_TYPE_IRP) {
  264. KeBugCheckEx(DRIVER_VERIFIER_IOMANAGER_VIOLATION,
  265. IO_CALL_DRIVER_IRP_TYPE_INVALID,
  266. (ULONG_PTR)Irp,
  267. 0,
  268. 0);
  269. }
  270. if (!IovpValidateDeviceObject(DeviceObject)) {
  271. KeBugCheckEx(DRIVER_VERIFIER_IOMANAGER_VIOLATION,
  272. IO_CALL_DRIVER_INVALID_DEVICE_OBJECT,
  273. (ULONG_PTR)DeviceObject,
  274. 0,
  275. 0);
  276. }
  278. saveIrql = KeGetCurrentIrql();
  280. //
  281. // Deadlock verifier functions are called before and after the
  282. // real IoCallDriver() call. If deadlock verifier is not enabled
  283. // this functions will return immediately.
  284. //
  285. pagingIrp = VfDeadlockBeforeCallDriver(DeviceObject, Irp);
  287. //
  288. // VfIrpCallDriverPreprocess is a macro function that may do an alloca as
  289. // part of it's operation. As such callers must be careful not to use
  290. // variable lengthed arrays in a scope that encompasses
  291. // VfIrpCallDriverPreProcess but not VfIrpCallDriverPostProcess.
  292. //
  293. VfIrpCallDriverPreProcess(DeviceObject, &Irp, &iofCallDriverStackData);
  295. VfStackSeedStack(0xFFFFFFFF);
  297. status = IopfCallDriver(DeviceObject, Irp);
  299. VfIrpCallDriverPostProcess(DeviceObject, &status, iofCallDriverStackData);
  301. VfDeadlockAfterCallDriver(DeviceObject, Irp, pagingIrp);
  303. if (saveIrql != KeGetCurrentIrql()) {
  304. KeBugCheckEx(DRIVER_VERIFIER_IOMANAGER_VIOLATION,
  305. IO_CALL_DRIVER_IRQL_NOT_EQUAL,
  306. (ULONG_PTR)DeviceObject,
  307. saveIrql,
  308. KeGetCurrentIrql());
  310. }
  312. return status;
  313. }
  318. //
  319. // Wrapper for IovAllocateIrp. Use special pool to allocate the IRP.
  320. // This is directly called from IoAllocateIrp.
  321. //
  322. PIRP
  323. IovAllocateIrp(
  324. IN CCHAR StackSize,
  325. IN BOOLEAN ChargeQuota
  326. )
  327. {
  328. USHORT allocateSize;
  329. UCHAR fixedSize;
  330. PIRP irp;
  331. USHORT packetSize;
  333. //
  334. // Should we override normal lookaside caching so that we may catch
  335. // more bugs?
  336. //
  337. VerifierIoAllocateIrp1(StackSize, ChargeQuota, &irp);
  339. if (irp) {
  341. return irp;
  342. }
  344. //
  345. // If special pool is not turned on lets just call the standard
  346. // irp allocator.
  347. //
  349. if (!(IovpVerifierFlags & DRIVER_VERIFIER_SPECIAL_POOLING )) {
  350. irp = IopAllocateIrpPrivate(StackSize, ChargeQuota);
  351. return irp;
  352. }
  355. irp = NULL;
  356. fixedSize = 0;
  357. packetSize = IoSizeOfIrp(StackSize);
  358. allocateSize = packetSize;
  360. //
  361. // There are no free packets on the lookaside list, or the packet is
  362. // too large to be allocated from one of the lists, so it must be
  363. // allocated from nonpaged pool. If quota is to be charged, charge it
  364. // against the current process. Otherwise, allocate the pool normally.
  365. //
  367. if (ChargeQuota) {
  368. try {
  369. irp = ExAllocatePoolWithTagPriority(
  370. NonPagedPool,
  371. allocateSize,
  372. ' prI',
  373. HighPoolPrioritySpecialPoolOverrun);
  374. } except(EXCEPTION_EXECUTE_HANDLER) {
  375. NOTHING;
  376. }
  378. } else {
  380. //
  381. // Attempt to allocate the pool from non-paged pool. If this
  382. // fails, and the caller's previous mode was kernel then allocate
  383. // the pool as must succeed.
  384. //
  386. irp = ExAllocatePoolWithTagPriority(
  387. NonPagedPool,
  388. allocateSize,
  389. ' prI',
  390. HighPoolPrioritySpecialPoolOverrun);
  391. }
  393. if (!irp) {
  394. return NULL;
  395. }
  397. //
  398. // Initialize the packet.
  399. //
  401. IopInitializeIrp(irp, packetSize, StackSize);
  402. if (ChargeQuota) {
  403. irp->AllocationFlags |= IRP_QUOTA_CHARGED;
  404. }
  406. VerifierIoAllocateIrp2(irp);
  407. return irp;
  408. }
  410. PIRP
  411. IovBuildAsynchronousFsdRequest(
  412. IN ULONG MajorFunction,
  413. IN PDEVICE_OBJECT DeviceObject,
  414. IN OUT PVOID Buffer OPTIONAL,
  415. IN ULONG Length OPTIONAL,
  416. IN PLARGE_INTEGER StartingOffset OPTIONAL,
  417. IN PIO_STATUS_BLOCK IoStatusBlock OPTIONAL
  418. )
  419. {
  420. PIRP Irp;
  422. try {
  423. Irp = IoBuildAsynchronousFsdRequest(
  424. MajorFunction,
  425. DeviceObject,
  426. Buffer,
  427. Length,
  428. StartingOffset,
  429. IoStatusBlock
  430. );
  431. } except(EXCEPTION_EXECUTE_HANDLER) {
  432. KeBugCheckEx(DRIVER_VERIFIER_IOMANAGER_VIOLATION,
  433. IO_BUILD_FSD_REQUEST_EXCEPTION,
  434. (ULONG_PTR)DeviceObject,
  435. (ULONG_PTR)MajorFunction,
  436. GetExceptionCode());
  437. }
  438. return (Irp);
  439. }
  441. PIRP
  442. IovBuildDeviceIoControlRequest(
  443. IN ULONG IoControlCode,
  444. IN PDEVICE_OBJECT DeviceObject,
  445. IN PVOID InputBuffer OPTIONAL,
  446. IN ULONG InputBufferLength,
  447. OUT PVOID OutputBuffer OPTIONAL,
  448. IN ULONG OutputBufferLength,
  449. IN BOOLEAN InternalDeviceIoControl,
  450. IN PKEVENT Event,
  451. OUT PIO_STATUS_BLOCK IoStatusBlock
  452. )
  453. {
  454. PIRP Irp;
  456. try {
  457. Irp = IoBuildDeviceIoControlRequest(
  458. IoControlCode,
  459. DeviceObject,
  460. InputBuffer,
  461. InputBufferLength,
  462. OutputBuffer,
  463. OutputBufferLength,
  464. InternalDeviceIoControl,
  465. Event,
  466. IoStatusBlock
  467. );
  468. } except(EXCEPTION_EXECUTE_HANDLER) {
  469. KeBugCheckEx(DRIVER_VERIFIER_IOMANAGER_VIOLATION,
  470. IO_BUILD_IOCTL_REQUEST_EXCEPTION,
  471. (ULONG_PTR)DeviceObject,
  472. (ULONG_PTR)IoControlCode,
  473. GetExceptionCode());
  474. }
  476. return (Irp);
  477. }
  479. NTSTATUS
  480. IovInitializeTimer(
  481. IN PDEVICE_OBJECT DeviceObject,
  482. IN PIO_TIMER_ROUTINE TimerRoutine,
  483. IN PVOID Context
  484. )
  485. {
  486. if (DeviceObject->Timer) {
  487. KeBugCheckEx(DRIVER_VERIFIER_IOMANAGER_VIOLATION,
  488. IO_REINITIALIZING_TIMER_OBJECT,
  489. (ULONG_PTR)DeviceObject,
  490. 0,
  491. 0);
  492. }
  493. return (IoInitializeTimer(DeviceObject, TimerRoutine, Context));
  494. }
  497. VOID
  498. IovpCompleteRequest(
  499. IN PKAPC Apc,
  500. IN PVOID *SystemArgument1,
  501. IN PVOID *SystemArgument2
  502. )
  503. {
  504. PIRP irp;
  505. PUCHAR addr;
  506. ULONG BestStackOffset;
  508. irp = CONTAINING_RECORD( Apc, IRP, Tail.Apc );
  510. #if defined(_X86_)
  513. addr = (PUCHAR)irp->UserIosb;
  514. if ((addr > (PUCHAR)KeGetCurrentThread()->StackLimit) &&
  515. (addr <= (PUCHAR)&BestStackOffset)) {
  516. KeBugCheckEx(DRIVER_VERIFIER_IOMANAGER_VIOLATION,
  517. IO_INVALID_STACK_IOSB,
  518. (ULONG_PTR)addr,
  519. 0,
  520. 0);
  522. }
  524. addr = (PUCHAR)irp->UserEvent;
  525. if ((addr > (PUCHAR)KeGetCurrentThread()->StackLimit) &&
  526. (addr <= (PUCHAR)&BestStackOffset)) {
  527. KeBugCheckEx(DRIVER_VERIFIER_IOMANAGER_VIOLATION,
  528. IO_INVALID_STACK_EVENT,
  529. (ULONG_PTR)addr,
  530. 0,
  531. 0);
  533. }
  534. #endif
  535. }
  538. /*-------------------------- SPECIALIRP HOOKS -------------------------------*/
  540. VOID
  541. FASTCALL
  542. IovCompleteRequest(
  543. IN PIRP Irp,
  544. IN CCHAR PriorityBoost
  545. )
  546. {
  547. ULONG stackContextIndex = 0;
  548. IOV_COMPLETION_CONTEXT StackContext;
  549. PIOV_COMPLETION_CONTEXT pStackContext;
  550. IOFCOMPLETEREQUEST_STACKDATA completionPacket;
  551. LONG currentLocation;
  552. PIO_STACK_LOCATION stackPointer;
  555. if (!IopVerifierOn) {
  556. IopfCompleteRequest(Irp, PriorityBoost);
  557. return;
  558. }
  560. if (Irp->CurrentLocation > (CCHAR) (Irp->StackCount + 1) ||
  561. Irp->Type != IO_TYPE_IRP) {
  562. KeBugCheckEx( MULTIPLE_IRP_COMPLETE_REQUESTS,
  563. (ULONG_PTR) Irp,
  564. __LINE__,
  565. 0,
  566. 0);
  567. }
  569. if (Irp->CancelRoutine) {
  570. KeBugCheckEx(DRIVER_VERIFIER_IOMANAGER_VIOLATION,
  571. IO_COMPLETE_REQUEST_CANCEL_ROUTINE_SET,
  572. (ULONG_PTR)Irp->CancelRoutine,
  573. (ULONG_PTR)Irp,
  574. 0);
  575. }
  577. if (Irp->IoStatus.Status == STATUS_PENDING || Irp->IoStatus.Status == 0xffffffff) {
  578. KeBugCheckEx(DRIVER_VERIFIER_IOMANAGER_VIOLATION,
  579. IO_COMPLETE_REQUEST_INVALID_STATUS,
  580. Irp->IoStatus.Status,
  581. (ULONG_PTR)Irp,
  582. 0);
  583. }
  585. if (KeGetCurrentIrql() > DISPATCH_LEVEL) {
  586. KeBugCheckEx(DRIVER_VERIFIER_IOMANAGER_VIOLATION,
  587. IO_COMPLETE_REQUEST_INVALID_IRQL,
  588. KeGetCurrentIrql(),
  589. (ULONG_PTR)Irp,
  590. 0);
  592. }
  594. if (IovpVerifierLevel <= 1) {
  596. IopfCompleteRequest(Irp, PriorityBoost);
  597. return;
  598. }
  600. SPECIALIRP_IOF_COMPLETE_1(Irp, PriorityBoost, &completionPacket);
  602. if ((Irp->CurrentLocation) > (CCHAR) (Irp->StackCount)) {
  603. IopfCompleteRequest(Irp, PriorityBoost);
  604. return;
  605. }
  607. currentLocation = Irp->CurrentLocation;
  608. pStackContext = &StackContext;
  609. stackPointer = IoGetCurrentIrpStackLocation(Irp);
  611. //
  612. // Replace the completion routines with verifier completion routines so that
  613. // verifier gets control.
  614. //
  616. IovpKdPrint(("Hook:Irp 0x%x StackCount %d currentlocation %d stackpointer 0%x\n",
  617. Irp,
  618. Irp->StackCount,
  619. currentLocation,
  620. IoGetCurrentIrpStackLocation(Irp)));
  623. pStackContext->CompletionRoutine = NULL;
  624. pStackContext->GlobalContext = &completionPacket;
  625. pStackContext->IrpContext = stackPointer->Context;
  626. pStackContext->StackPointer = stackPointer;
  627. pStackContext->OldStackContents = *(stackPointer); // Save the stack contents
  629. IovpKdPrint(("Seeding completion Rtn 0x%x currentLocation %d stackpointer 0x%x pStackContext 0x%x \n",
  630. stackPointer->CompletionRoutine,
  631. currentLocation,
  632. stackPointer,
  633. pStackContext
  634. ));
  636. if ( (NT_SUCCESS( Irp->IoStatus.Status ) &&
  637. stackPointer->Control & SL_INVOKE_ON_SUCCESS) ||
  638. (!NT_SUCCESS( Irp->IoStatus.Status ) &&
  639. stackPointer->Control & SL_INVOKE_ON_ERROR) ||
  640. (Irp->Cancel &&
  641. stackPointer->Control & SL_INVOKE_ON_CANCEL)
  642. ) {
  644. pStackContext->CompletionRoutine = stackPointer->CompletionRoutine;
  645. pStackContext->IrpContext = stackPointer->Context;
  646. } else {
  648. //
  649. // Force the completion routine to be called.
  650. // Store the old control flag value.
  651. //
  653. stackPointer->Control |= SL_INVOKE_ON_SUCCESS|SL_INVOKE_ON_ERROR;
  655. }
  657. stackPointer->CompletionRoutine = IovpLocalCompletionRoutine;
  658. stackPointer->Context = pStackContext;
  661. IopfCompleteRequest(Irp, PriorityBoost);
  663. }
  665. #define ZeroAndDopeIrpStackLocation( IrpSp ) { \
  666. (IrpSp)->MinorFunction = 0; \
  667. (IrpSp)->Flags = 0; \
  668. (IrpSp)->Control = SL_NOTCOPIED; \
  669. (IrpSp)->Parameters.Others.Argument1 = 0; \
  670. (IrpSp)->Parameters.Others.Argument2 = 0; \
  671. (IrpSp)->Parameters.Others.Argument3 = 0; \
  672. (IrpSp)->Parameters.Others.Argument4 = 0; \
  673. (IrpSp)->FileObject = (PFILE_OBJECT) NULL; }
  676. NTSTATUS
  677. IovpLocalCompletionRoutine(
  678. IN PDEVICE_OBJECT DeviceObject,
  679. IN PIRP Irp,
  680. IN PVOID Context
  681. )
  682. {
  683. PIOV_COMPLETION_CONTEXT pStackContext = Context;
  684. NTSTATUS status;
  685. PIO_STACK_LOCATION stackPointer = pStackContext->StackPointer;
  686. BOOLEAN lastStackLocation = FALSE;
  688. //
  689. // Copy back all parameters that were zeroed out.
  690. //
  691. //
  692. stackPointer->MinorFunction = pStackContext->OldStackContents.MinorFunction;
  693. stackPointer->Flags = pStackContext->OldStackContents.Flags;
  694. stackPointer->Control = pStackContext->OldStackContents.Control;
  695. stackPointer->Parameters.Others.Argument1 = pStackContext->OldStackContents.Parameters.Others.Argument1;
  696. stackPointer->Parameters.Others.Argument2 = pStackContext->OldStackContents.Parameters.Others.Argument2;
  697. stackPointer->Parameters.Others.Argument3 = pStackContext->OldStackContents.Parameters.Others.Argument3;
  698. stackPointer->Parameters.Others.Argument4 = pStackContext->OldStackContents.Parameters.Others.Argument4;
  699. stackPointer->FileObject = pStackContext->OldStackContents.FileObject;
  701. //
  702. // Put these back too.
  703. //
  704. stackPointer->CompletionRoutine = pStackContext->CompletionRoutine;
  705. stackPointer->Context = pStackContext->IrpContext;
  707. //
  708. // Get this before the IRP is freed.
  709. //
  710. lastStackLocation = (Irp->CurrentLocation == (CCHAR) (Irp->StackCount + 1));
  712. //
  713. // Simulated completion routine.
  714. //
  715. SPECIALIRP_IOF_COMPLETE_2(Irp, pStackContext->GlobalContext);
  716. ZeroAndDopeIrpStackLocation( stackPointer );
  718. if (!stackPointer->CompletionRoutine) {
  720. IovpKdPrint(("Local completion routine null stackpointer 0x%x \n", stackPointer));
  722. //
  723. // Handle things as if no completion routine existed.
  724. //
  725. if (Irp->PendingReturned && Irp->CurrentLocation <= Irp->StackCount) {
  726. IoMarkIrpPending( Irp );
  727. }
  729. status = STATUS_SUCCESS;
  731. } else {
  733. IovpKdPrint(("Local completion routine 0x%x stackpointer 0x%x \n", routine, stackPointer));
  735. //
  736. // A completion routine exists, call it now.
  737. //
  738. SPECIALIRP_IOF_COMPLETE_3(Irp, stackPointer->CompletionRoutine, pStackContext->GlobalContext);
  739. status = stackPointer->CompletionRoutine(DeviceObject, Irp, stackPointer->Context);
  740. SPECIALIRP_IOF_COMPLETE_4(Irp, status, pStackContext->GlobalContext);
  741. }
  743. SPECIALIRP_IOF_COMPLETE_5(Irp, pStackContext->GlobalContext);
  745. if (status != STATUS_MORE_PROCESSING_REQUIRED && !lastStackLocation) {
  747. //
  748. // Seed the next location. We can touch the stack as the IRP is still valid
  749. //
  751. stackPointer++;
  753. pStackContext->StackPointer = stackPointer;
  754. pStackContext->CompletionRoutine = NULL;
  755. pStackContext->IrpContext = stackPointer->Context;
  756. pStackContext->StackPointer = stackPointer;
  757. pStackContext->OldStackContents = *(stackPointer); // Save the stack contents
  759. if ( (NT_SUCCESS( Irp->IoStatus.Status ) &&
  760. stackPointer->Control & SL_INVOKE_ON_SUCCESS) ||
  761. (!NT_SUCCESS( Irp->IoStatus.Status ) &&
  762. stackPointer->Control & SL_INVOKE_ON_ERROR) ||
  763. (Irp->Cancel &&
  764. stackPointer->Control & SL_INVOKE_ON_CANCEL)
  765. ) {
  767. pStackContext->CompletionRoutine = stackPointer->CompletionRoutine;
  768. pStackContext->IrpContext = stackPointer->Context;
  770. } else {
  772. //
  773. // Force the completion routine to be called.
  774. // Store the old control flag value.
  775. //
  777. stackPointer->Control |= SL_INVOKE_ON_SUCCESS|SL_INVOKE_ON_ERROR;
  779. }
  781. stackPointer->CompletionRoutine = IovpLocalCompletionRoutine;
  782. stackPointer->Context = pStackContext;
  784. IovpKdPrint(("Seeding completion Rtn 0x%x currentLocation %d stackpointer 0x%x pStackContext 0x%x \n",
  785. stackPointer->CompletionRoutine,
  786. Irp->CurrentLocation,
  787. stackPointer,
  788. pStackContext
  789. ));
  790. }
  792. return status;
  793. }
  796. VOID
  797. IovInitializeIrp(
  798. PIRP Irp,
  799. USHORT PacketSize,
  800. CCHAR StackSize
  801. )
  802. {
  803. BOOLEAN initializeHandled ;
  805. if (IovpVerifierLevel < 2) {
  806. return;
  807. }
  809. VerifierIoInitializeIrp(Irp, PacketSize, StackSize, &initializeHandled);
  810. }
  812. VOID
  813. IovAttachDeviceToDeviceStack(
  814. PDEVICE_OBJECT SourceDevice,
  815. PDEVICE_OBJECT TargetDevice
  816. )
  817. {
  818. if (IovpVerifierLevel < 2) {
  819. return;
  820. }
  822. VerifierIoAttachDeviceToDeviceStack(SourceDevice, TargetDevice);
  823. }
  825. VOID
  826. IovDeleteDevice(
  827. PDEVICE_OBJECT DeleteDevice
  828. )
  829. {
  830. if (IovpVerifierFlags & DRIVER_VERIFIER_DMA_VERIFIER) {
  831. VfHalDeleteDevice(DeleteDevice);
  832. }
  834. if (IovpVerifierLevel < 2) {
  835. return;
  836. }
  838. VerifierIoDeleteDevice(DeleteDevice);
  839. }
  841. VOID
  842. IovDetachDevice(
  843. PDEVICE_OBJECT TargetDevice
  844. )
  845. {
  846. if (IovpVerifierLevel < 2) {
  847. return;
  848. }
  850. VerifierIoDetachDevice(TargetDevice);
  851. }
  853. BOOLEAN
  854. IovCancelIrp(
  855. PIRP Irp,
  856. BOOLEAN *returnValue
  857. )
  858. {
  859. BOOLEAN cancelHandled;
  861. SPECIALIRP_IO_CANCEL_IRP(Irp, &cancelHandled, returnValue) ;
  863. return cancelHandled;
  864. }
  866. typedef struct _IOV_DRIVER_LIST_ENTRY {
  867. SINGLE_LIST_ENTRY listEntry;
  868. PDRIVER_OBJECT DriverObject;
  869. } IOV_DRIVER_LIST_ENTRY, *PIOV_DRIVER_LIST_ENTRY;
  871. SINGLE_LIST_ENTRY IovDriverListHead;
  875. BOOLEAN
  876. IovpBuildDriverObjectList(
  877. IN PVOID Object,
  878. IN PUNICODE_STRING ObjectName,
  879. IN ULONG HandleCount,
  880. IN ULONG PointerCount,
  881. IN PVOID Parameter
  882. )
  883. {
  884. PIOV_DRIVER_LIST_ENTRY driverListEntry;
  885. PDRIVER_OBJECT driverObject;
  887. driverObject = (PDRIVER_OBJECT)Object;
  889. if (IopIsLegacyDriver(driverObject)) {
  890. driverListEntry = ExAllocatePoolWithTag(
  891. NonPagedPool,
  892. sizeof(IOV_DRIVER_LIST_ENTRY),
  893. 'ovI'
  894. );
  895. if (!driverListEntry) {
  896. return FALSE;
  897. }
  899. if (ObReferenceObjectSafe(driverObject)) {
  900. driverListEntry->DriverObject = driverObject;
  901. PushEntryList(&IovDriverListHead, &driverListEntry->listEntry);
  902. } else {
  903. ExFreePool (driverListEntry);
  904. }
  905. } else {
  906. IovpKdPrint (("Rejected non-legacy driver %wZ (%p)\n", &driverObject->DriverName, driverObject));
  907. }
  909. return TRUE;
  910. }
  912. NTSTATUS
  913. IovpUnloadDriver(
  914. PDRIVER_OBJECT DriverObject
  915. )
  916. {
  917. NTSTATUS status;
  918. BOOLEAN unloadDriver;
  920. //
  921. // Check to see whether or not this driver implements unload.
  922. //
  924. if (DriverObject->DriverUnload == (PDRIVER_UNLOAD) NULL) {
  925. IovpKdPrint (("No unload routine for driver %wZ (%p)\n", &DriverObject->DriverName, DriverObject));
  926. return STATUS_INVALID_DEVICE_REQUEST;
  927. }
  929. //
  930. // Check to see whether the driver has already been marked for an unload
  931. // operation by anyone in the past.
  932. //
  934. ObReferenceObject (DriverObject);
  936. status = IopCheckUnloadDriver(DriverObject,&unloadDriver);
  938. if ( NT_SUCCESS(status) ) {
  939. return STATUS_PENDING;
  940. }
  942. ObDereferenceObject (DriverObject);
  945. if (unloadDriver) {
  948. //
  949. // If the current thread is not executing in the context of the system
  950. // process, which is required in order to invoke the driver's unload
  951. // routine. Queue a worker item to one of the worker threads to
  952. // get into the appropriate process context and then invoke the
  953. // routine.
  954. //
  955. if (PsGetCurrentProcess() == PsInitialSystemProcess) {
  956. //
  957. // The current thread is alrady executing in the context of the
  958. // system process, so simply invoke the driver's unload routine.
  959. //
  960. IovpKdPrint (("Calling unload for driver %wZ (%p)\n",
  961. &DriverObject->DriverName, DriverObject));
  962. DriverObject->DriverUnload( DriverObject );
  963. IovpKdPrint (("Unload returned for driver %wZ (%p)\n",
  964. &DriverObject->DriverName, DriverObject));
  966. } else {
  967. LOAD_PACKET loadPacket;
  969. KeInitializeEvent( &loadPacket.Event, NotificationEvent, FALSE );
  970. loadPacket.DriverObject = DriverObject;
  971. ExInitializeWorkItem( &loadPacket.WorkQueueItem,
  972. IopLoadUnloadDriver,
  973. &loadPacket );
  974. ExQueueWorkItem( &loadPacket.WorkQueueItem, DelayedWorkQueue );
  975. (VOID) KeWaitForSingleObject( &loadPacket.Event,
  976. Executive,
  977. KernelMode,
  978. FALSE,
  979. (PLARGE_INTEGER) NULL );
  980. }
  981. ObMakeTemporaryObject( DriverObject );
  982. ObDereferenceObject( DriverObject );
  983. return STATUS_SUCCESS;
  984. } else {
  985. return STATUS_PENDING;
  986. }
  988. }
  990. NTSTATUS
  991. IovUnloadDrivers(
  992. VOID
  993. )
  994. {
  995. NTSTATUS status;
  996. PSINGLE_LIST_ENTRY listEntry;
  997. PIOV_DRIVER_LIST_ENTRY driverListEntry;
  998. SINGLE_LIST_ENTRY NonUnloadedDrivers, NonUnloadedDriversTmp;
  999. BOOLEAN DoneSomething, NeedWait, Break;
  1001. if (!PoCleanShutdownEnabled ())
  1002. return STATUS_UNSUCCESSFUL;
  1004. IovDriverListHead.Next = NULL;
  1005. NonUnloadedDrivers.Next = NULL;
  1007. //
  1008. // Prepare a list of all driver objects.
  1009. //
  1011. status = ObEnumerateObjectsByType(
  1012. IoDriverObjectType,
  1013. IovpBuildDriverObjectList,
  1014. NULL
  1015. );
  1017. //
  1018. // Walk through the list and unload each driver.
  1019. //
  1020. while (TRUE) {
  1021. listEntry = PopEntryList(&IovDriverListHead);
  1022. if (listEntry == NULL) {
  1023. break;
  1024. }
  1025. driverListEntry = CONTAINING_RECORD(listEntry, IOV_DRIVER_LIST_ENTRY, listEntry);
  1026. IovpKdPrint (("Trying to unload %wZ (%p)\n",
  1027. &driverListEntry->DriverObject->DriverName, driverListEntry->DriverObject));
  1028. if (IovpUnloadDriver(driverListEntry->DriverObject) != STATUS_PENDING) {
  1029. ObDereferenceObject(driverListEntry->DriverObject);
  1030. ExFreePool(driverListEntry);
  1031. } else {
  1032. IovpKdPrint (("Unload of driver %wZ (%p) pended\n",
  1033. &driverListEntry->DriverObject->DriverName, driverListEntry->DriverObject));
  1034. PushEntryList(&NonUnloadedDrivers, &driverListEntry->listEntry);
  1035. }
  1036. }
  1038. //
  1039. // Walk the drivers that didn't unload straight away and see if any have had their unloads called yet
  1040. //
  1041. do {
  1042. NeedWait = DoneSomething = FALSE;
  1043. NonUnloadedDriversTmp.Next = NULL;
  1045. while (TRUE) {
  1047. listEntry = PopEntryList(&NonUnloadedDrivers);
  1049. if (listEntry == NULL) {
  1050. break;
  1051. }
  1053. driverListEntry = CONTAINING_RECORD(listEntry, IOV_DRIVER_LIST_ENTRY, listEntry);
  1055. //
  1056. // If driver unload is queued to be invoked then
  1057. //
  1059. if (driverListEntry->DriverObject->Flags & DRVO_UNLOAD_INVOKED) {
  1061. IovpKdPrint (("Pending unload of driver %wZ (%p) is being invoked\n",
  1062. &driverListEntry->DriverObject->DriverName, driverListEntry->DriverObject));
  1063. ObDereferenceObject(driverListEntry->DriverObject);
  1064. ExFreePool(driverListEntry);
  1065. NeedWait = TRUE;
  1067. } else {
  1069. PushEntryList(&NonUnloadedDriversTmp, &driverListEntry->listEntry);
  1070. }
  1071. }
  1073. if (NeedWait) {
  1074. LARGE_INTEGER tmo = {(ULONG)(-10 * 1000 * 1000 * 10), -1};
  1075. ZwDelayExecution (FALSE, &tmo);
  1076. DoneSomething = TRUE;
  1077. }
  1079. NonUnloadedDrivers = NonUnloadedDriversTmp;
  1081. } while (DoneSomething == TRUE && NonUnloadedDrivers.Next != NULL);
  1083. //
  1084. // All the drivers left didn't have unload called becuase they had files open etc
  1085. //
  1087. Break = FALSE;
  1089. while (TRUE) {
  1091. listEntry = PopEntryList(&NonUnloadedDrivers);
  1093. if (listEntry == NULL) {
  1094. break;
  1095. }
  1097. driverListEntry = CONTAINING_RECORD(listEntry, IOV_DRIVER_LIST_ENTRY, listEntry);
  1099. IovpKdPrint (("Unload never got called for driver %wZ (%p)\n",
  1100. &driverListEntry->DriverObject->DriverName, driverListEntry->DriverObject));
  1102. ObDereferenceObject(driverListEntry->DriverObject);
  1103. ExFreePool(driverListEntry);
  1105. Break = TRUE;
  1106. }
  1107. if (Break == TRUE) {
  1108. // DbgBreakPoint ();
  1109. }
  1110. return status;
  1111. }