
Re: [XENCONS PATCH] Do not call IoMarkIrpPending on queued R/W IRPs


  • To: Tu Dinh <ngoc-tu.dinh@xxxxxxxxxx>, "win-pv-devel@xxxxxxxxxxxxxxxxxxxx" <win-pv-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Owen Smith <owen.smith@xxxxxxxxxx>
  • Date: Wed, 22 Oct 2025 10:04:57 +0000
  • Accept-language: en-GB, en-US
  • Delivery-date: Wed, 22 Oct 2025 10:05:06 +0000
  • List-id: Developer list for the Windows PV Drivers subproject <win-pv-devel.lists.xenproject.org>

Ah! IoCsqInsertIrpEx will handle marking the IRP as pending.

Reviewed-by: Owen Smith <owen.smith@xxxxxxxxx>

________________________________________
From: win-pv-devel <win-pv-devel-bounces@xxxxxxxxxxxxxxxxxxxx> on behalf of Tu Dinh <ngoc-tu.dinh@xxxxxxxxxx>
Sent: 21 October 2025 3:44 PM
To: win-pv-devel@xxxxxxxxxxxxxxxxxxxx
Cc: Tu Dinh
Subject: [XENCONS PATCH] Do not call IoMarkIrpPending on queued R/W IRPs

ConsoleAbiPutQueue eventually calls IoCsqInsertIrpEx, which may complete
the IRP if it's already being canceled.

Calling IoMarkIrpPending on such IRPs will cause a crash:

     # Child-SP          RetAddr               Call Site
    00 ffffd100`df0ad498 fffff803`36573569     nt!KeBugCheckEx
    01 ffffd100`df0ad4a0 fffff803`365727fc     nt!KiBugCheckDispatch+0x69
    02 ffffd100`df0ad5e0 fffff803`3656b00d     nt!KiSystemServiceHandler+0x7c
    03 ffffd100`df0ad620 fffff803`36448ba1     nt!RtlpExecuteHandlerForException+0xd
    04 ffffd100`df0ad650 fffff803`364479c4     nt!RtlDispatchException+0x421
    05 ffffd100`df0add50 fffff803`36573642     nt!KiDispatchException+0x1e4
    06 ffffd100`df0ae400 fffff803`36571edc     nt!KiExceptionDispatch+0xc2
    07 ffffd100`df0ae5e0 fffff80c`f0691a47     nt!KiRaiseAssertion+0x2dc
    08 ffffd100`df0ae770 fffff80c`f0697b63     xencons!IoGetCurrentIrpStackLocation(
                        struct _IRP * Irp = 0xffffc082`64dc5170)+0x37 [10.0.26100.0\km\wdm.h @ 34677]
    09 ffffd100`df0ae790 fffff80c`f069ca13     xencons!IoMarkIrpPending(
                        struct _IRP * Irp = 0xffffc082`64dc5170)+0x13 [10.0.26100.0\km\wdm.h @ 35091]
    0a ffffd100`df0ae7d0 fffff80c`f069c45c     xencons!PdoDispatchReadWriteControl(
                        struct _XENCONS_PDO * Pdo = 0xffffc082`645bc690,
                        struct _IRP * Irp = 0xffffc082`64dc5170)+0x53 [src\xencons\pdo.c @ 1801]
    0b ffffd100`df0ae810 fffff80c`f06913c9     xencons!PdoDispatch(
                        struct _XENCONS_PDO * Pdo = 0xffffc082`645bc690,
                        struct _IRP * Irp = 0xffffc082`64dc5170)+0xcc [src\xencons\pdo.c @ 1863]
    0c ffffd100`df0ae850 fffff803`36919aa0     xencons!Dispatch(
                        struct _DEVICE_OBJECT * DeviceObject = 0xffffc082`6468fd30 Device for "\Driver\xencons",
                        struct _IRP * Irp = 0xffffc082`64dc5170)+0x249 [src\xencons\driver.c @ 230]
    0d ffffd100`df0ae8d0 fffff803`3691adbd     nt!IopSynchronousServiceTail+0x1a0
    0e ffffd100`df0ae990 fffff803`36572d93     nt!NtWriteFile+0x66d
    0f ffffd100`df0aea90 00007ffb`e6756194     nt!KiSystemServiceCopyEnd+0x13
    10 000000a5`140ff318 00000000`00000000     0x00007ffb`e6756194

IRP object:

    (*((xencons!_IRP *)0xffffc08264dc5170))                 [Type: _IRP]
    [+0x000] Type             : 2288 [Type: short]
    [+0x002] Size             : 0x64c2 [Type: unsigned short]
    [+0x008] MdlAddress       : 0x0 [Type: _MDL *]
    [+0x010] Flags            : 0x60a00 [Type: unsigned long]
    [+0x018] AssociatedIrp    [Type: <unnamed-tag>]
    [+0x020] ThreadListEntry  [Type: _LIST_ENTRY]
    [+0x030] IoStatus         [Type: _IO_STATUS_BLOCK]
    [+0x040] RequestorMode    : 1 [Type: char]
    [+0x041] PendingReturned  : 0x1 [Type: unsigned char]
    [+0x042] StackCount       : 1 [Type: char]
    [+0x043] CurrentLocation  : 3 [Type: char]
    [+0x044] Cancel           : 0x0 [Type: unsigned char]
    [+0x045] CancelIrql       : 0x0 [Type: unsigned char]
    [+0x046] ApcEnvironment   : 0 [Type: char]
    [+0x047] AllocationFlags  : 0x6 [Type: unsigned char]
    [+0x048] UserIosb         : 0xa5140ff370 [Type: _IO_STATUS_BLOCK *]
    [+0x048] IoRingContext    : 0xa5140ff370 [Type: void *]
    [+0x050] UserEvent        : 0x0 [Type: _KEVENT *]
    [+0x058] Overlay          [Type: <unnamed-tag>]
    [+0x068] CancelRoutine    : 0x0 : 0x0 [Type: void (__cdecl*)(_DEVICE_OBJECT *,_IRP *)]
    [+0x070] UserBuffer       : 0x0 [Type: void *]
    [+0x078] Tail             [Type: <unnamed-tag>]

Signed-off-by: Tu Dinh <ngoc-tu.dinh@xxxxxxxxxx>
---
 src/xencons/pdo.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/src/xencons/pdo.c b/src/xencons/pdo.c
index 7e42862..87b3230 100644
--- a/src/xencons/pdo.c
+++ b/src/xencons/pdo.c
@@ -1797,15 +1797,11 @@ PdoDispatchReadWriteControl(
     status = XENCONS_CONSOLE_ABI(PutQueue,
                                  &Pdo->Abi,
                                  Irp);
-    if (status == STATUS_PENDING) {
-        IoMarkIrpPending(Irp);
-        goto done;
+    if (status != STATUS_PENDING) {
+        Irp->IoStatus.Status = status;
+        IoCompleteRequest(Irp, IO_NO_INCREMENT);
     }

-    Irp->IoStatus.Status = status;
-    IoCompleteRequest(Irp, IO_NO_INCREMENT);
-
-done:
     return status;
 }
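Review bot: with IoMarkIrpPending removed from this function, the STATUS_PENDING path now depends entirely on the queue insertion having marked the IRP pending before PutQueue returns, so the hunk should say so at `if (status != STATUS_PENDING) {`, for example `/* IoCsqInsertIrpEx marks the IRP pending; Irp must not be touched after PutQueue returns STATUS_PENDING */`, otherwise a later reader may reintroduce the call and the crash. The constraint matters because PutQueue is reached through the XENCONS_CONSOLE_ABI indirection: every backend behind that ABI that returns STATUS_PENDING must already have marked the IRP pending, and none may return STATUS_PENDING while leaving the IRP in the caller's hands, since the commit message shows the IRP may already have been completed for cancellation by the time the call returns.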

--
2.51.0.windows.2



--
Ngoc Tu Dinh | Vates XCP-ng Developer

XCP-ng & Xen Orchestra - Vates solutions

web: https://vates.tech





 

