authorSimon Rozman <simon@rozman.si>2019-11-21 14:09:34 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2019-12-10 14:23:05 +0100
commitf7a8c113196c68c74bedf5f96810923a3c5529a1 (patch)
tree402925c54540cfff79254ff9d468c01ad4ebcf12
parentProcess send NBLs in batches (diff)
Unmap memory before unlocksr/unmap-before-free
Signed-off-by: Simon Rozman <simon@rozman.si>
-rw-r--r--wintun.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/wintun.c b/wintun.c
index 05babe4..084330e 100644
--- a/wintun.c
+++ b/wintun.c
@@ -598,13 +598,13 @@ TunRegisterBuffers(_Inout_ TUN_CTX *Ctx, _Inout_ IRP *Irp)
Ctx->Device.Send.RingTail = InterlockedGetU(&Ctx->Device.Send.Ring->Tail);
if (Status = STATUS_INVALID_PARAMETER, Ctx->Device.Send.RingTail >= Ctx->Device.Send.Capacity)
- goto cleanupSendUnlockPages;
+ goto cleanupSendUnmapPages;
Ctx->Device.Receive.Capacity = TUN_RING_CAPACITY(Rrb->Receive.RingSize);
if (Status = STATUS_INVALID_PARAMETER,
(Ctx->Device.Receive.Capacity < TUN_MIN_RING_CAPACITY || Ctx->Device.Receive.Capacity > TUN_MAX_RING_CAPACITY ||
!IS_POW2(Ctx->Device.Receive.Capacity) || !Rrb->Receive.TailMoved || !Rrb->Receive.Ring))
- goto cleanupSendUnlockPages;
+ goto cleanupSendUnmapPages;
if (!NT_SUCCESS(
Status = ObReferenceObjectByHandle(
@@ -615,7 +615,7 @@ TunRegisterBuffers(_Inout_ TUN_CTX *Ctx, _Inout_ IRP *Irp)
UserMode,
&Ctx->Device.Receive.TailMoved,
NULL)))
- goto cleanupSendUnlockPages;
+ goto cleanupSendUnmapPages;
Ctx->Device.Receive.Mdl = IoAllocateMdl(Rrb->Receive.Ring, Rrb->Receive.RingSize, FALSE, FALSE, NULL);
if (Status = STATUS_INSUFFICIENT_RESOURCES, !Ctx->Device.Receive.Mdl)
@@ -656,12 +656,15 @@ cleanupFlagsConnected:
ExReleaseSpinLockExclusive(
&Ctx->TransitionLock,
ExAcquireSpinLockExclusive(&Ctx->TransitionLock)); /* Ensure above change is visible to all readers. */
+ MmUnmapLockedPages(Ctx->Device.Receive.Ring, Ctx->Device.Receive.Mdl);
cleanupReceiveUnlockPages:
MmUnlockPages(Ctx->Device.Receive.Mdl);
cleanupReceiveMdl:
IoFreeMdl(Ctx->Device.Receive.Mdl);
cleanupReceiveTailMoved:
ObDereferenceObject(Ctx->Device.Receive.TailMoved);
+cleanupSendUnmapPages:
+ MmUnmapLockedPages(Ctx->Device.Send.Ring, Ctx->Device.Send.Mdl);
cleanupSendUnlockPages:
MmUnlockPages(Ctx->Device.Send.Mdl);
cleanupSendMdl:
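Review bot: The receive-ring unmap added just above `cleanupReceiveUnlockPages:` is undocumented and has no label of its own, unlike the send side's `cleanupSendUnmapPages:`, so it runs only by falling through from `cleanupFlagsConnected:`. That is correct only if the receive ring is already mapped on every path that reaches `cleanupFlagsConnected:`, which the hunk does not show. A short comment on that line would keep the invariant from being broken by a later failure path, for example `/* Only reached via cleanupFlagsConnected: the receive ring is mapped by then. */`. The body of TunRegisterBuffers starts and ends outside this hunk, so the gotos that land on these labels should be checked against it.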
@@ -713,9 +716,11 @@ TunUnregisterBuffers(_Inout_ TUN_CTX *Ctx, _In_ FILE_OBJECT *Owner)
InterlockedSetU(&Ctx->Device.Send.Ring->Tail, MAXULONG);
KeSetEvent(Ctx->Device.Send.TailMoved, IO_NO_INCREMENT, FALSE);
+ MmUnmapLockedPages(Ctx->Device.Receive.Ring, Ctx->Device.Receive.Mdl);
MmUnlockPages(Ctx->Device.Receive.Mdl);
IoFreeMdl(Ctx->Device.Receive.Mdl);
ObDereferenceObject(Ctx->Device.Receive.TailMoved);
+ MmUnmapLockedPages(Ctx->Device.Send.Ring, Ctx->Device.Send.Mdl);
MmUnlockPages(Ctx->Device.Send.Mdl);
IoFreeMdl(Ctx->Device.Send.Mdl);
ObDereferenceObject(Ctx->Device.Send.TailMoved);
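Review bot: After the two added `MmUnmapLockedPages` calls, `Ctx->Device.Receive.Ring` and `Ctx->Device.Send.Ring` still hold the released system addresses, and nothing in the hunk clears them. If any path can still read those fields once TunUnregisterBuffers has run (that code is outside the hunk, so this is unconfirmed), it would dereference an address the system may already have reused for another mapping. Clearing each pointer right after its unmap, `Ctx->Device.Receive.Ring = NULL;` and `Ctx->Device.Send.Ring = NULL;`, would turn such a mistake into an immediate, diagnosable fault rather than silent corruption. The opening of the function, including whatever waits for ring users to finish, is outside the hunk.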