How to safely handle the user-space buffer in kernel?

Hi,

I’ve developed a driver for 2K which simulates SPTI (SCSI Pass Through Interface) for our special applications (for some reasons, we cannot use the standard SPTI). It works well on many computers.

But on computers with Intel Application Accelerator installed, which replaces the standard IDE driver from MS with its own driver named IdeChnDr.sys, the OS crashes after that new driver processes a command containing a pointer to a user-space buffer from an application and the application exits.

After reading many posts and documents, I know this is caused by the operation on this user-space buffer in kernel.

My driver doesn’t manipulate this buffer, so I suppose this is done by IdeChnDr.sys. However, if I allocate another buffer in kernel and copy data from it to the user-space one after IdeChnDr.sys has operated on the kernel buffer, my driver works fine. But I don’t think it’s a good solution because it wastes some extra memory.

So, I try to use:
__try
{
    // Alignment 1: the application's DataBuffer need not be aligned.
    // The probes only validate the range at this instant, in the calling
    // thread's context; they do not pin the pages or keep the address valid.
    ProbeForRead(
        pAchernarSPTDWB->SPTDWB.sptd.DataBuffer,
        pAchernarSPTDWB->SPTDWB.sptd.DataTransferLength,
        1
        );
    ProbeForWrite(
        pAchernarSPTDWB->SPTDWB.sptd.DataBuffer,
        pAchernarSPTDWB->SPTDWB.sptd.DataTransferLength,
        1
        );
    // Send down to lower SCSI driver, including IdeChnDr.sys
    // …
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
    // Record the fault and fail the request. Re-raising it here with
    // ExRaiseStatus would have no outer frame to catch it, and __leave is
    // only valid inside the __try body, not in the handler.
    status = GetExceptionCode();
    nReturn = 0;
}
Unfortunately, the OS still crashes after the application exits. :(

In WinDbg, I read these messages:
*** ERROR: Module load completed but symbols could not be loaded for IdeChnDr.sys
Probably caused by : IdeChnDr.sys ( IdeChnDr+4bba )

f1852c80 804bacd8 fdb02bb0 fda561a0 00000001 nt!MmCleanProcessAddressSpace+0x419
f1852d30 804a306f 00000000 f1852d64 0012fe5c nt!PspExitThread+0x4b4
f1852d54 80461691 ffffffff 00000000 82777c58 nt!NtTerminateProcess+0x154
f1852d54 77f8c3e3 ffffffff 00000000 82777c58 nt!KiSystemService+0xc4

It seems that IdeChnDr.sys starts a thread to handle my IRP and the problem occurs when that thread terminates.

Does anybody have a good idea for this problem?

Regards,
Ray Yang
xxxxx@ybwork.com

Try MmProbeAndLockPages

-Jeff

-----Original Message-----
From: Ray Yang [mailto:xxxxx@ybwork.com]
Sent: Tuesday, March 04, 2003 10:21 AM
To: NT Developers Interest List
Subject: [ntdev] How to safely handle the user-space buffer in kernel?

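Jeff's suggestion of MmProbeAndLockPages, worked through as an added example. This is neither Ray's driver code nor anything from IdeChnDr.sys; the SPTD_REQUEST structure, its field names and the two function names are assumptions made for the example, while IoAllocateMdl, MmProbeAndLockPages, MmGetSystemAddressForMdlSafe, MmUnlockPages and IoFreeMdl are the real WDM kernel API. The point it demonstrates is the one the crash stack shows: ProbeForRead/ProbeForWrite only check a user-mode address at one instant in the requesting thread's context, so a lower driver that touches that address later, from its own thread (an arbitrary process context), is dereferencing a pointer that may no longer map anything, or maps memory of a different process. Locking the pages into an MDL and handing the lower driver a kernel-mode mapping removes both the lifetime problem and the context problem.

```c
/* Added example (not the driver from the question): pin an application's
 * DataBuffer with an MDL so the pages stay valid and addressable from any
 * thread context until the request completes. Requires the WDK to build. */
#include <ntddk.h>

/* Hypothetical request block; only DataBuffer and DataTransferLength mirror
 * the fields shown in the question, the rest is bookkeeping for the lock. */
typedef struct _SPTD_REQUEST {
    PVOID DataBuffer;          /* user-mode pointer supplied by the app */
    ULONG DataTransferLength;  /* length the app claims for it */
    PMDL  Mdl;                 /* owns the page lock while non-NULL */
    PVOID SystemBuffer;        /* kernel VA over the same pages */
} SPTD_REQUEST, *PSPTD_REQUEST;

/* Must be called from the top-level dispatch routine, i.e. in the context of
 * the thread that issued the IOCTL, at PASSIVE_LEVEL or APC_LEVEL.
 * RequestorMode should be Irp->RequestorMode so a kernel caller is not
 * probed as if it were user mode. */
NTSTATUS LockUserDataBuffer(PSPTD_REQUEST Req, KPROCESSOR_MODE RequestorMode)
{
    NTSTATUS status = STATUS_SUCCESS;

    Req->Mdl = NULL;
    Req->SystemBuffer = NULL;

    if (Req->DataTransferLength == 0) {
        return STATUS_SUCCESS;            /* nothing to map */
    }

    /* Describe the user range. IoAllocateMdl does not validate it. */
    Req->Mdl = IoAllocateMdl(Req->DataBuffer, Req->DataTransferLength,
                             FALSE, FALSE, NULL);
    if (Req->Mdl == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    __try {
        /* Validates the range for RequestorMode AND pins the pages, so there
         * is no probe-then-use gap for the app to exit or unmap through. */
        MmProbeAndLockPages(Req->Mdl, RequestorMode, IoModifyAccess);
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();      /* e.g. STATUS_ACCESS_VIOLATION */
        IoFreeMdl(Req->Mdl);
        Req->Mdl = NULL;
        return status;                    /* fail the IRP with this status */
    }

    /* Kernel-mode address for the locked pages: valid in any process
     * context and unaffected by the app exiting. Hand THIS pointer to the
     * lower driver instead of the original user-mode DataBuffer. */
    Req->SystemBuffer = MmGetSystemAddressForMdlSafe(Req->Mdl,
                                                     NormalPagePriority);
    if (Req->SystemBuffer == NULL) {
        MmUnlockPages(Req->Mdl);
        IoFreeMdl(Req->Mdl);
        Req->Mdl = NULL;
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    return STATUS_SUCCESS;
}

/* Call once every lower driver is finished with the buffer, typically from
 * the IoCompletion routine. Both calls are legal at DISPATCH_LEVEL and need
 * no particular process context; MmUnlockPages also removes the system
 * mapping created above. */
VOID UnlockUserDataBuffer(PSPTD_REQUEST Req)
{
    if (Req->Mdl != NULL) {
        MmUnlockPages(Req->Mdl);
        IoFreeMdl(Req->Mdl);
        Req->Mdl = NULL;
        Req->SystemBuffer = NULL;
    }
}
```

With this in place the SCSI_PASS_THROUGH_DIRECT passed down to IdeChnDr.sys carries Req->SystemBuffer rather than the application's pointer, so whichever thread IdeChnDr.sys uses to service the command is writing into pinned pages through a kernel mapping. The unlock must not happen before the lower driver's completion, otherwise the same dangling-address problem reappears one step later; and the lock must be taken in the dispatch routine, because MmProbeAndLockPages interprets the address in whatever process is current at the time it runs.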