Hello guys.
I’m new to Windows kernel development, so it’s possible that my questions will be stupid or very easy for you, but please be patient - thanks!
OK, now:
- I’ve prepared an IOCTL request that is sent (METHOD_OUT_DIRECT) to the driver.
In this request I’m also sending a PCHAR with user-space allocated memory (this is in the Input buffer). The Output buffer contains only the result of the driver operation.
- Now what I want to achieve is to force the driver to save this PCHAR and write to it asynchronously (I mean many times (for simplicity let’s leave synchronization issues aside), as a response to hardware action) - but I don’t want to respond once after IoComplete.
As I understand it, I can’t just write to this PCHAR since it is a virtual address in user space - I understand I should somehow map the VA of the user-space buffer to kernel space.
I’ve googled a lot and seen some functions like ProbeForWrite and so on… but I don’t know how to use them… how do I get an MDL for this address?
Can you please point me to any tutorial (WITH EXAMPLES) that does this? Maybe my understanding is wrong - I don’t know…
Anyway, thanks a lot for your help!!!
Ok, what you’re giving us is your solution, which obviously is a result of lack of experience in the kernel. My first question, and that of others on this list, is, “What do you really want to do? What’s the actual task?” Don’t tell us how you WANT to solve the problem but rather tell us what it is that you need and/or want to do.
Passing pointers to user memory within either the IN or OUT buffer for METHOD_?_DIRECT is possible; I’ve done it as have others on the list. However, it is a larger cause for system instability if done incorrectly. So … what is it you are trying to do?
Gary G. Little
C 952-454-4629
H 952-223-1349
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
First of all: thanks for the reply!
Ok. The driver is waiting for asynchronous events that may happen at any time. I’ve got a callback in this driver that is called each time an event occurs, and inside this callback the driver should WRITE to the user app buffer that is sent inside the IOCTL that registers this application.
What is more, the register IOCTL should not pend… just complete the request after registration. So if I understand the problem correctly - the driver should write to the user buffer AFTER the IRP’s completion - is that correct?
One of the solutions I’ve found is:
- userapp is allocating a buffer in user space
- userapp is passing the address of this buffer in an IOCTL
- driver is doing IoAllocateMdl to get an MDL
- driver is doing MmProbeAndLockPages
- …
But someone in this forum said that this is an improper way… so I’m confused now. Can you help me, guys, by giving me an example?
Thanks!
The simpler solution is to use asynchronous IO, queueing many IOCTLs
to your driver, which then completes one of those IOCTLs as needed,
each completion signaling your application to process the contents of
that IO request. This is the NORMAL Windows IO model. You are off
inventing a new and rather buggy mechanism to accomplish the very same
thing.
Mark Roddy
xxxxx@gmail.com wrote:
> Ok. The driver is waiting for asynchronous events that may happen at any time. I’ve got a callback in this driver that is called each time an event occurs, and inside this callback the driver should WRITE to the user app buffer that is sent inside the IOCTL that registers this application.
> What is more, the register IOCTL should not pend… just complete the request after registration.
THAT is your design flaw. You should have the application submit
several ioctls, and have them sit pending in the driver. When new data
comes in, you copy the data to the next request in line and complete
it. That is a robust design.
Otherwise, how will your application learn that new data has arrived?
You will need some kind of notification scheme. The pending ioctl
scheme provides a way to both return the data and provide a notification.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
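The pending-request design described in the replies above, as an added example that is not part of any poster's message or code: a portable user-mode C model (not WDM/KMDF driver code) of the queue, with hypothetical names `submit`, `on_event` and `cancel_all`. It shows that the driver holds a buffer reference only while a request is pending, copies no more than that request's buffer can hold, and has nothing left to write to once the requests are cancelled.

```c
/* Added example: user-mode model of the pending-IOCTL queue.
   All names are hypothetical; this is not WDM/KMDF driver code. */
#include <stddef.h>
#include <string.h>

#define MAX_PENDING 4
enum req_state { REQ_FREE, REQ_PENDING, REQ_COMPLETED, REQ_CANCELLED };

typedef struct {
    char *out;            /* output buffer, referenced only while pending */
    size_t out_len;       /* capacity of that buffer */
    size_t written;       /* bytes returned to the app on completion */
    enum req_state state;
} request_t;

typedef struct {
    request_t *slot[MAX_PENDING];  /* FIFO of pending requests */
    size_t head, count;
    unsigned dropped;              /* events that found no pending request */
} pend_queue_t;

/* App submits a notification request; the driver parks it instead of completing it. */
int submit(pend_queue_t *q, request_t *r, char *buf, size_t len) {
    if (q->count == MAX_PENDING || buf == NULL || len == 0) return -1;
    r->out = buf; r->out_len = len; r->written = 0; r->state = REQ_PENDING;
    q->slot[(q->head + q->count++) % MAX_PENDING] = r;
    return 0;
}

/* Event callback: copy into the oldest pending request and complete it. */
int on_event(pend_queue_t *q, const void *data, size_t len) {
    if (q->count == 0) { q->dropped++; return -1; }    /* nothing to write to */
    request_t *r = q->slot[q->head];
    q->head = (q->head + 1) % MAX_PENDING; q->count--;
    r->written = len < r->out_len ? len : r->out_len;  /* never exceed the buffer */
    memcpy(r->out, data, r->written);
    r->state = REQ_COMPLETED;
    r->out = NULL;                                     /* buffer reference ends here */
    return 0;
}

/* Handle close or process exit: every pending request is cancelled. */
size_t cancel_all(pend_queue_t *q) {
    size_t n = q->count;
    while (q->count) {
        request_t *r = q->slot[q->head];
        q->head = (q->head + 1) % MAX_PENDING; q->count--;
        r->state = REQ_CANCELLED; r->out = NULL;
    }
    return n;
}
```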
Thanks for responses.
Tim. Driver can notify app with shared event asynchronously.
What do you think about following:
- define IOCTL METHOD_NEITHER - pass user space address.
- Driver: ProbeForRead
- Driver: IoAllocateMdl
- Driver: MmProbeAndLockPages
- Driver: MmGetSystemAddressForMdlSafe()
- Driver: complete request - don’t free mdl and don’t unlock pages for now.
- Driver callback is called: write to buffer.
- when app is gone - free mdl and unlock pages.
How about that? The only thing I’m wondering is if during IoCompleteRequest something is happening with MDLs and locked pages? If I understand correctly, METHOD_NEITHER should work in this case (I mean nothing is freed) - is that correct?
The previous posters who have encouraged you to use the “Inverted Call”
model are giving you very good advice. What you want is easily achieved
with the “Inverted Call” model, requires much less code, the code is
simpler, and will, with a very high probability, perform better than any
alternative you can cook up.
This has been discussed on this list many times, search the list archive for
the term I quoted above to see those discussions.
Phil
Philip D. Barila (303) 776-1264
I can tell you what Tim’ll say:
- Define IOCTL METHOD_IN/OUT_DIRECT
- Send to driver
- Driver completes the IRP and returns the data in the transfer buffer defined by OutBuffer
Gary G. Little
xxxxx@gmail.com wrote:
> Thanks for responses.
> Tim. Driver can notify app with shared event asynchronously.
Gary is exactly right about what I’m going to say. Your design has no
advantages. Your app would need to have a thread waiting on an
event anyway, so why not just have the thread wait on the list of
pending ioctls? The HUGE advantage for you is that you can stop
worrying about probing, locking, and address safety. The I/O manager
will worry about all of that for you.
Seriously – we’ve all been through this kind of thing before, and in
the end, what I’m describing is always the most reliable and
maintainable solution. There are strange corner cases when you do the
mapping yourself. What happens when the app explodes? Apps have a
nasty habit of exploding at the most inopportune moments, even between
ProbeForWrite and MmProbeAndLock. Can you handle that?
> How about that? The only thing I’m wondering is if during IoCompleteRequest something is happening with MDLs and locked pages? If I understand correctly, METHOD_NEITHER should work in this case (I mean nothing is freed) - is that correct?
If you are passing an address in a buffer, no one is going to free that
memory anyway. To the I/O system, that’s just four bytes of random data.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Guys - can you point me to any example of the ‘inverted call’ model? How do I achieve this?
And can you also answer my last post? Is it possible to achieve it like this, and is the MDL not destroyed with the neither method?
Thanks a lot for your patience.
On the inverted call see http://www.osronline.com/article.cfm?id=94
Using METHOD_NEITHER is almost always a really bad idea.
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
> 6. Driver: complete request - don’t free mdl and don’t unlock pages for now.
Impossible. Do not complete the request, pend it till it will be cancelled.
> how about that? The only thing I’m wondering is if during IoCompleteRequest something is happening with mdls
> and lockedPages?
Yes, they are destroyed.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com