UserBuffer access violation

Hello Experts,
I have a simple question - are there any restrictions on accessing the user
buffer from a worker thread?
When I do the following steps the system crashes:

DISPATCH ROUTINE
{
mark IRP as pending
push it in the interlocked list
wake up the waiting thread
return STATUS_PENDING
}
THREAD PROC
{
extract IRP from the list
RtlCopyMemory(irp->UserBuffer, "data", n)
set irp->IoStatus params
IoCompleteRequest(… NO_INC)
}
When I modify irp->UserBuffer from the dispatch routine there is no
problem.

Thanks for Your Help.

One thing I notice in this pseudo code is the lack of IoMarkIrpPending;
this will cause the problem you describe.

Don Burn
Egenera, Inc.

----- Original Message -----
From: “Daniel”
To: “File Systems Developers”
Sent: Wednesday, August 07, 2002 6:13 AM
Subject: [ntfsd] UserBuffer access violation

> Hello Experts,
> I have a simple question - are there any restrictions on accessing the user
> buffer from a worker thread?
> When I do the following steps the system crashes:
>
> DISPATCH ROUTINE
> {
> mark IRP as pending
> push it in the interlocked list
> wake up the waiting thread
> return STATUS_PENDING
> }
> THREAD PROC
> {
> extract IRP from the list
> RtlCopyMemory(irp->UserBuffer, "data", n)
> set irp->IoStatus params
> IoCompleteRequest(… NO_INC)
> }
> When I modify irp->UserBuffer from the dispatch routine there is no
> problem.
>
> Thanks for Your Help.
>

A worker thread generally runs in the context of the System process. Pay attention
to memory contexts. Any user-mode pointer must be considered valid only in
the context of the requestor process.


Daniel -
User buffers in user-originated requests are virtual addresses which
are valid (to be accessed) only in the process that originated the
request.
A system worker thread runs in a different (System) process context. I
presume when you said ‘a worker thread’, you meant a system worker
thread below.
Hence there are 2 problems in the code below. 1 is what I mentioned
here: to access the user buffer, you will need to probe and lock it
down, and use a system virtual address in the worker thread to access
it. Or you can stack-attach to the original process, and access the user
buffer - this can be more expensive or not even correct, depending on
your situation.

The 2nd problem is that the access to the user buffer is not protected:
you should always wrap access to the raw user buffer in an exception
handler. I’d really suggest looking at sample source (such as FastFat)
to see how to get this right, and read relevant sections in the
DDK/IFSKit. I’ve included a sample link.

(Please make an effort to make sure probe/capture of user buffer is
right - this is something I see many drivers get wrong)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/iputoput_3cbr.asp
Ravi

This posting is provided “AS IS” with no warranties, and confers no
rights.


Hi Danik,
It's Grisha :slight_smile:

Your system worker thread runs in the System process context, but the buffer
is probably in user memory space. That's why it crashes.
Try ExAllocatePool(NonPagedPool, n);
If it doesn't crash, then the problem is what I said.

And what made you suddenly start digging around in drivers?
Take care.
Write back.

We would appreciate ENGLISH in messages on this mailing list. It's impolite toward
other users of the list to post in other languages.

Dan

----- Original Message -----
From: “Gregory”
To: “File Systems Developers”
Sent: Thursday, August 08, 2002 8:01 PM
Subject: [ntfsd] Re: UserBuffer access violation

> Hi Danik,
> It's Grisha :slight_smile:
>
> Your system worker thread runs in the System process context, but the buffer
> is probably in user memory space. That's why it crashes.
> Try ExAllocatePool(NonPagedPool, n);
> If it doesn't crash, then the problem is what I said.
>
> And what made you suddenly start digging around in drivers?
> Take care.
> Write back.
>

Daniel,

Before queuing the IRP, you should lock the user buffer by creating an MDL.

Best wishes,

Matt
http://sys.xiloo.com


Thank you for the inputs.
Based on them I did the following and it works:

NTSTATUS
Dispatch(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    ULONG length = pIrpStack->Parameters.Read.Length;
    PMDL pMdl;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pDeviceObject);

    /* Zero-length reads are legal on NT: complete them here, don't build an empty MDL. */
    if (length == 0) {
        pIrp->IoStatus.Status = STATUS_SUCCESS;
        pIrp->IoStatus.Information = 0;
        IoCompleteRequest(pIrp, IO_NO_INCREMENT);
        return STATUS_SUCCESS;
    }

    /* Passing pIrp stores the MDL in pIrp->MdlAddress; IoCompleteRequest unlocks and frees it. */
    pMdl = IoAllocateMdl(pIrp->UserBuffer, length, FALSE, FALSE, pIrp);
    if (pMdl == NULL) {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto fail;
    }

    /* The user address is only meaningful in the requestor's context, so probe and
       lock here. A bad buffer raises; the IRP must then be failed, never queued. */
    __try {
        MmProbeAndLockPages(pMdl, pIrp->RequestorMode, IoWriteAccess);
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
        IoFreeMdl(pMdl);
        pIrp->MdlAddress = NULL;
        goto fail;
    }

    /* Mark pending before the worker thread can see (and complete) the IRP. */
    IoMarkIrpPending(pIrp);
    /* ... push pIrp onto the interlocked list and wake the thread, as in the original pseudocode ... */
    return STATUS_PENDING;

fail:
    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}

/* Called from the worker thread for each IRP extracted from the list. */
VOID
ProcessIrp(PIRP pIrp)
{
    ULONG length = IoGetCurrentIrpStackLocation(pIrp)->Parameters.Read.Length;
    ULONG toCopy = (length < 4) ? length : 4;
    PVOID pBuf;

    /* The "Safe" variant returns NULL instead of bugchecking when system PTEs run out. */
    pBuf = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
    if (pBuf == NULL) {
        pIrp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
        pIrp->IoStatus.Information = 0;
    } else {
        RtlCopyMemory(pBuf, "data", toCopy);
        pIrp->IoStatus.Status = STATUS_SUCCESS;
        pIrp->IoStatus.Information = toCopy;
    }

    /* IoCompleteRequest unlocks the pages and frees the MDL in pIrp->MdlAddress. */
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
}

“Daniel” wrote in message news:xxxxx@ntfsd…
>
> Thank You for the inputs,
> Based on it i did the following and it works:
>
> Dispatch(…)
> {
> …

I know you just provided a fragment, but please be sure that you’re checking
for zero length reads/writes before you execute the code you show.

Zero length operations are perfectly legal on NT, and the cause of MANY
driver problems…

Peter
OSR