[NTOSKRNL] Map the VACB in kernel space before inserting it in lists.

HeisSpiter · HeisSpiter · commit 1b672981e2d2 · 2018-04-15T22:52:53.000+02:00
The avoids race conditions where attempts to read from disk to
not fully initialized VACB were performed.
Also, added more debug prints in such situations.

CORE-14349
diff --git a/ntoskrnl/cc/copy.c b/ntoskrnl/cc/copy.c
@@ -110,6 +110,7 @@ CcReadVirtualAddress (
     _SEH2_EXCEPT (EXCEPTION_EXECUTE_HANDLER)
     {
         Status = _SEH2_GetExceptionCode();
+        DPRINT1("MmProbeAndLockPages failed with: %lx for %p (%p, %p)\n", Status, Mdl, Vacb, Vacb->BaseAddress);
         KeBugCheck(CACHE_MANAGER);
     } _SEH2_END;
 
@@ -186,6 +187,7 @@ CcWriteVirtualAddress (
     _SEH2_EXCEPT (EXCEPTION_EXECUTE_HANDLER)
     {
         Status = _SEH2_GetExceptionCode();
+        DPRINT1("MmProbeAndLockPages failed with: %lx for %p (%p, %p)\n", Status, Mdl, Vacb, Vacb->BaseAddress);
         KeBugCheck(CACHE_MANAGER);
     } _SEH2_END;
 
diff --git a/ntoskrnl/cc/view.c b/ntoskrnl/cc/view.c
@@ -752,6 +752,17 @@ CcRosCreateVacb (
     InitializeListHead(&current->CacheMapVacbListEntry);
     InitializeListHead(&current->DirtyVacbListEntry);
     InitializeListHead(&current->VacbLruListEntry);
+
+    CcRosVacbIncRefCount(current);
+
+    Status = CcRosMapVacbInKernelSpace(current);
+    if (!NT_SUCCESS(Status))
+    {
+        CcRosVacbDecRefCount(current);
+        ExFreeToNPagedLookasideList(&VacbLookasideList, current);
+        return Status;
+    }
+
     CcRosAcquireVacbLock(current, NULL);
     KeAcquireGuardedMutex(&ViewLock);
 
@@ -784,9 +795,10 @@ CcRosCreateVacb (
                         current);
             }
 #endif
+            CcRosVacbDecRefCount(*Vacb);
             CcRosReleaseVacbLock(*Vacb);
             KeReleaseGuardedMutex(&ViewLock);
-            ExFreeToNPagedLookasideList(&VacbLookasideList, *Vacb);
+            CcRosInternalFreeVacb(*Vacb);
             *Vacb = current;
             CcRosAcquireVacbLock(current, NULL);
             return STATUS_SUCCESS;
@@ -813,7 +825,6 @@ CcRosCreateVacb (
     }
     KeReleaseSpinLock(&SharedCacheMap->CacheMapLock, oldIrql);
     InsertTailList(&VacbLruListHead, &current->VacbLruListEntry);
-    CcRosVacbIncRefCount(current);
     KeReleaseGuardedMutex(&ViewLock);
 
     MI_SET_USAGE(MI_USAGE_CACHE);
@@ -838,17 +849,6 @@ CcRosCreateVacb (
     /* Reference it to allow release */
     CcRosVacbIncRefCount(current);
 
-    Status = CcRosMapVacbInKernelSpace(current);
-    if (!NT_SUCCESS(Status))
-    {
-        RemoveEntryList(&current->CacheMapVacbListEntry);
-        RemoveEntryList(&current->VacbLruListEntry);
-        CcRosReleaseVacb(SharedCacheMap, current, FALSE,
-                         FALSE, FALSE);
-        CcRosVacbDecRefCount(current);
-        ExFreeToNPagedLookasideList(&VacbLookasideList, current);
-    }
-
     return Status;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,7 @@ CcReadVirtualAddress (`
`110`	`110`	`_SEH2_EXCEPT (EXCEPTION_EXECUTE_HANDLER)`
`111`	`111`	`{`
`112`	`112`	`Status = _SEH2_GetExceptionCode();`
	`113`	`+ DPRINT1("MmProbeAndLockPages failed with: %lx for %p (%p, %p)\n", Status, Mdl, Vacb, Vacb->BaseAddress);`
`113`	`114`	`KeBugCheck(CACHE_MANAGER);`
`114`	`115`	`} _SEH2_END;`
`115`	`116`
`@@ -186,6 +187,7 @@ CcWriteVirtualAddress (`
`186`	`187`	`_SEH2_EXCEPT (EXCEPTION_EXECUTE_HANDLER)`
`187`	`188`	`{`
`188`	`189`	`Status = _SEH2_GetExceptionCode();`
	`190`	`+ DPRINT1("MmProbeAndLockPages failed with: %lx for %p (%p, %p)\n", Status, Mdl, Vacb, Vacb->BaseAddress);`
`189`	`191`	`KeBugCheck(CACHE_MANAGER);`
`190`	`192`	`} _SEH2_END;`
`191`	`193`