IRP_MJ_QUERY_EA and type of a passed buffer

Hi all,

Recently I figured out an interesting thing concerning the IRP_MJ_QUERY_EA request and its buffer type convention while I was debugging a legacy FS filter driver. When I got into the handler of this request, I checked in WinDBG all possible device object and IRP flags and all possible buffer locations, and this is what I found: the device object had neither the DO_BUFFERED_IO nor the DO_DIRECT_IO flag, the IRP didn’t have the IRP_BUFFERED_IO flag set, so as described in the WDK docs, the buffer pointer must be in the IRP->UserBuffer field. That was the case, but I also checked the pool type of that buffer, and it turned out that this buffer is allocated from non-paged pool. But what about this statement: “…The most common case for a file system driver is that neither of these two flags is specified, in which case the buffer for … and IRP_MJ_QUERY_EA, IRP_MJ_SET_EA is a direct pointer to the caller-supplied buffer via the UserBuffer field of the IRP.” But what if I or someone else tried to build an MDL for this buffer and then call MmProbeAndLockPages()??? Nothing but a beautiful BSOD is guaranteed in this case :) I understand that the IRP_MJ_QUERY_EA request should be processed synchronously, but what if…? Or maybe I’m totally wrong and am missing some subtle details about this request?

Any thoughts are welcome.

WBR,
Konstantin Manurin

Hi!

>But what if I or someone else would try to build an MDL for this buffer and then call MmProbeAndLockPages()??? Nothing but a beautiful BSOD in this case is guaranteed :)

What is the try/except block for then? I don’t think you will get a bugcheck. These functions raise exceptions, and I think that probing a kernel-mode address raises an exception (as per the documentation of ProbeForRead). Use the try/except block!

Regards,
Ayush Gupta
http://windows-internals.blogspot.com/


>UserBuffer field of the IRP.” But what if I or someone else would try to build an MDL for this buffer and then call MmProbeAndLockPages()??? Nothing but a beautiful BSOD in this case is guaranteed :)

I think it is safe to call MmProbeAndLockPages on nonpaged pool; you just need to unlock it afterwards as well.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Hi Maxim!

>I think it is safe to call MmProbeAndLockPages on nonpaged pool, you just need to unlock it also.

If MmProbeAndLockPages is cool about NonPaged pool, then why do we need to pass the MDL to MmBuildMdlForNonPagedPool before passing it to MmProbeAndLockPages for NonPaged pool addresses? Is it a mere optimization?

I think the question of the original poster was “what if I try to lock the buffer pointed to by Irp->UserBuffer (which is a NonPaged pool address) by allocating an MDL with IoAllocateMdl and then calling MmProbeAndLockPages WITHOUT first calling MmBuildMdlForNonPagedPool?”

Regards,
Ayush Gupta
http://windows-internals.blogspot.com/


>MmBuildMdlForNonPagedPool before passing it to MmProbeAndLockPages for NonPaged pool

“Instead”.

Not “before”.

>Is it a mere optimization?

Yes.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

>“Instead”.
Oops! :slight_smile:

By the way Maxim, how can we find out just by looking at the Irp->UserBuffer that it is a NonPagedPool address? The documentation mentions that MmIsNonPagedSystemAddressValid is obsolete.

Regards,
Ayush Gupta
http://windows-internals.blogspot.com/


Thank you all guys for the quick and informative answers.

Actually it was very silly of me to ask this question. I totally forgot about, for example, the ZwReadFile/ZwWriteFile() routines, which internally of course roll up their own IRPs and use the passed-in Buffer parameter regardless of the pool type of that buffer, and if the target device object doesn’t have any of the DO_XXX_IO flags, then this buffer is stored in the IRP->UserBuffer field. In this case it’s the responsibility of the target FS or FS filter driver to do the right things with this buffer.

Thanks a lot again for guiding me in the right direction.

WBR,
Konstantin Manurin
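To tie the thread together, here is an added example (not code from any poster, and not from the WDK samples) of how a legacy FS filter can lock the IRP_MJ_QUERY_EA output buffer when, as Konstantin observed, the device has neither DO_BUFFERED_IO nor DO_DIRECT_IO and the pointer arrives in Irp->UserBuffer. It follows Ayush's point about wrapping the probe in try/except and Maxim's point that nonpaged pool may be locked with MmProbeAndLockPages as long as it is unlocked again. The function names LockQueryEaBuffer/UnlockQueryEaBuffer and the LOCKED_USER_BUFFER structure are hypothetical; everything else is standard WDK API, so this builds only inside a kernel-mode driver project:

```c
// Added example, not from the thread. Assumes the WDK headers (ntifs.h) and
// is meant to be called from a legacy filter's IRP_MJ_QUERY_EA dispatch
// routine before the request is completed or passed down.
#include <ntifs.h>

// Hypothetical bookkeeping structure for a locked UserBuffer range.
typedef struct _LOCKED_USER_BUFFER {
    PMDL  Mdl;            // MDL we allocated for Irp->UserBuffer
    PVOID SystemAddress;  // System-space alias to the locked pages
} LOCKED_USER_BUFFER, *PLOCKED_USER_BUFFER;

// Lock Irp->UserBuffer for write access (the FS writes EA data into it).
// Works for both a user-mode caller's address and a nonpaged-pool address
// handed in by a kernel caller such as ZwQueryEaFile/ZwReadFile-style code.
NTSTATUS
LockQueryEaBuffer(
    _In_  PIRP Irp,
    _Out_ PLOCKED_USER_BUFFER Locked)
{
    PIO_STACK_LOCATION irpSp  = IoGetCurrentIrpStackLocation(Irp);
    ULONG              length = irpSp->Parameters.QueryEa.Length;
    PVOID              buffer = Irp->UserBuffer;
    NTSTATUS           status = STATUS_SUCCESS;

    RtlZeroMemory(Locked, sizeof(*Locked));

    if (buffer == NULL || length == 0) {
        return STATUS_INVALID_PARAMETER;
    }

    // Irp->MdlAddress is NULL for this request on a device without
    // DO_DIRECT_IO, so the filter has to describe the buffer itself.
    Locked->Mdl = IoAllocateMdl(buffer, length, FALSE, FALSE, NULL);
    if (Locked->Mdl == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    __try {
        // Probe in the mode recorded by the I/O manager: a kernel caller's
        // nonpaged address must not be probed as UserMode, and a user-mode
        // caller's address must never be trusted as KernelMode.
        MmProbeAndLockPages(Locked->Mdl, Irp->RequestorMode, IoWriteAccess);
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        // An invalid or inaccessible range raises an exception rather than
        // bugchecking; turn it into a clean failure status.
        status = GetExceptionCode();
        IoFreeMdl(Locked->Mdl);
        Locked->Mdl = NULL;
        return status;
    }

    // Map the locked pages so the filter can touch them at any IRQL <=
    // DISPATCH_LEVEL and regardless of the current process context.
    Locked->SystemAddress =
        MmGetSystemAddressForMdlSafe(Locked->Mdl, NormalPagePriority);
    if (Locked->SystemAddress == NULL) {
        MmUnlockPages(Locked->Mdl);
        IoFreeMdl(Locked->Mdl);
        Locked->Mdl = NULL;
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    return STATUS_SUCCESS;
}

// Release what LockQueryEaBuffer acquired. Pages locked with
// MmProbeAndLockPages must be unlocked before the MDL is freed, whether
// they came from user space or from nonpaged pool.
VOID
UnlockQueryEaBuffer(_Inout_ PLOCKED_USER_BUFFER Locked)
{
    if (Locked->Mdl != NULL) {
        MmUnlockPages(Locked->Mdl);
        IoFreeMdl(Locked->Mdl);
        Locked->Mdl = NULL;
    }
    Locked->SystemAddress = NULL;
}
```

The key choice is passing Irp->RequestorMode rather than a hard-coded UserMode or KernelMode: that is what lets the same path serve a user-mode NtQueryEaFile caller and an in-kernel caller whose buffer, as seen in the debugger, lives in nonpaged pool. Since Maxim describes MmBuildMdlForNonPagedPool as only an optimization, the filter does not need to classify the address first, which also sidesteps Ayush's question about the obsolete MmIsNonPagedSystemAddressValid.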

>By the way Maxim, how can we find out just by looking at the Irp->UserBuffer that it is a NonPagedPool address?

Why do you need this?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Hi Maxim!

>Why do you need this?

Well, in the first post, the poster mentioned that the Irp->UserBuffer contained a NonPagedPool address. So, if we could find out whether the buffer pointed to by Irp->UserBuffer was from NonPagedPool, we could use MmBuildMdlForNonPagedPool instead of MmProbeAndLockPages (though I am not sure what exactly I would gain, considering that MmProbeAndLockPages works for NonPagedPool addresses too).

Regards,
Ayush Gupta
http://windows-internals.blogspot.com/
