[Bug 44622] New: winebus.sys crashes in IoCompleteRequest() for IRPs of unloaded hidclass.sys driver (race condition)

wine-bugs at winehq.org wine-bugs at winehq.org
Tue Feb 27 05:01:00 CST 2018 

https://bugs.winehq.org/show_bug.cgi?id=44622

            Bug ID: 44622
           Summary: winebus.sys crashes in IoCompleteRequest() for IRPs of
                    unloaded hidclass.sys driver (race condition)
           Product: Wine
           Version: 3.2
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs at winehq.org
          Reporter: joseph.kucia at gmail.com
      Distribution: ---

hidclass.sys can be unloaded when winebus.sys irp_queue is not empty.
IoCompleteRequest() crashes when CompletionRoutine is called for the unloaded
driver. ntoskrnl should probably handle this case better.

WINEDEBUG=+hid,+winebus,+ntoskrnl,+hid_report:

0030:trace:ntoskrnl:IoBuildDeviceIoControlRequest b000b, 0x33940, (nil), 0,
0x38b30, 52, 1, (nil), 0x9afcd0
0030:trace:ntoskrnl:IoAllocateIrp 2, 0                                          
0030:trace:ntoskrnl:ExAllocatePoolWithTag 784 pool 0 -> 0x9f630                 
0030:trace:ntoskrnl:IoInitializeIrp 0x9f630, 784, 2                             
0030:trace:hid_report:hid_internal_dispatch IOCTL_HID_READ_REPORT               
0031:trace:hid_report:process_hid_report Processing Request                     
0031:trace:ntoskrnl:IoCompleteRequest 0x9f630 0                                 
0031:trace:ntoskrnl:IoCompleteRequest calling 0x7f76c7df85a0( 0x33940, 0x9f630,
0x84 )
0031:trace:ntoskrnl:IoCompleteRequest CompletionRoutine returned c0000016

0030:trace:ntoskrnl:IoCompleteRequest 0x9f630 0                                 
0030:trace:ntoskrnl:IoFreeIrp 0x9f630                                           
0030:trace:ntoskrnl:ExFreePoolWithTag 0x9f630                                   

0030:trace:ntoskrnl:IoBuildDeviceIoControlRequest b000b, 0x33940, (nil), 0,
0x38b30, 52, 1, (nil), 0x9afcd0
0030:trace:ntoskrnl:IoAllocateIrp 2, 0                                          
0030:trace:ntoskrnl:ExAllocatePoolWithTag 784 pool 0 -> 0x1aba0                 
0030:trace:ntoskrnl:IoInitializeIrp 0x1aba0, 784, 2                             
0030:trace:hid_report:hid_internal_dispatch IOCTL_HID_READ_REPORT               

006d:trace:ntoskrnl:ObDereferenceObject (0x18e80): stub                         
006a:trace:hid:UnloadDriver Driver Unload                                       
006a:trace:ntoskrnl:IoDeleteDriver (0x31bd0)                                    
006a:trace:ntoskrnl:ObDereferenceObject (0x31bd0): stub                         
006a:trace:ntoskrnl:ObDereferenceObject (0x18ef0): stub

0031:trace:hid_report:process_hid_report Processing Request                     
0031:trace:ntoskrnl:IoCompleteRequest 0x1aba0 0                                 
0031:trace:ntoskrnl:IoCompleteRequest calling 0x7f76c7df85a0( 0x33940, 0x1aba0,
0x84 )
wine: Unhandled page fault on read access to 0x7f76c7df85a0 at address
0x7f76d88cdf43 (thread 0031), starting debugger...

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list