Hi,
I encountered a weird DeviceIoControl Bug. I wrote a driver that I have a
special need to send large chuck of data to kernel mode driver but receive
some small piggy-pack data in return. The driver is opened with GENERIC_READ
| GENERIC_WRITE flag.
I use
#define APPSD_IOCTL_DIRECTTOUT_REQ CTL_CODE(FILE_DEVICE_UNKNOWN,
APPS_DEVICE_1STFUNC + 3, METHOD_OUT_DIRECT, FILE_READ_DATA|FILE_WRITE_DATA)
^^^^^^^^^^^^^^^^^
as the ioctl code.
In my code
DWORD cbRet = 0;
BOOL bRet = DeviceIoControl(m_hDriver, APPSD_IOCTL_DIRECTTOUT_REQ,
request, cbreq, reply, cbrep, &cbRet, pOvlapped);
However, in my driver, I found out that IO Manager always MmPageProbeAndLock
the “reply” and set
Irp->MdlAddress to that memory.
Then I try the other way around even though DDK doc says otherwise, I change
the ioctl code to
#define APPSD_IOCTL_DIRECTTOUT_REQ CTL_CODE(FILE_DEVICE_UNKNOWN,
APPS_DEVICE_1STFUNC + 3, METHOD_IN_DIRECT, FILE_READ_DATA|FILE_WRITE_DATA)
^^^^^^^^^^^^^^^^
The result is the same. Irp->MdlAddress still points to the reply.
The I revised input buffer and output buffer role
bRet = DeviceIoControl(m_hDriver, APPSD_IOCTL_DIRECTTOUT_REQ,
reply, cbrep, request, cbreq, &cbRet, pOvlapped);
Now Irp->MdlAddress points to where I want. The problem is, whatever I worte
in the
Irp->AssociatedIrp.SystemBuffer in the driver is not copied to the reply
buffer in user mode.
Uh…, either I was working to hard to become dizzy headed or Microsoft
kernel guy did something really weird, something like
if(ioctl&3)
{
mdl = IoAllocateMdl(…);
MmPageProbeAndLock(mdl, UserMode, IoModifyAcess);
}
I believe it could be beause my head is dizzy and spining. First time use
DeviceIoControl to pass large data. I could not believe Io Manager has such
a bug.
Thanks.
Bi