https://bugs.winehq.org/show_bug.cgi?id=44588
Anastasius Focht focht@gmx.net changed:
Summary changed:
  Removed: Multiple kernel drivers need ntoskrnl.exe.KeWaitForMultipleObjects semi-stub (Franson VSerial service 'bizvserialnt.sys')
  Added:   Many kernel drivers need support for kernel synchronization objects (event, semaphore, mutex) (BattleEye's 'bedaisy.sys', Franson VSerial service 'bizvserialnt.sys')
--- Comment #2 from Anastasius Focht focht@gmx.net ---

Hello Zebediah,
thanks for the work. Looking forward to having this upstreamed - hopefully it doesn't take years ;-)
The support for synchronization objects is required by all drivers that use secondary threads. BattleEye's 'bedaisy.sys', for example, suffers a crash in the unload phase:
--- snip ---
...
0057:Call ntoskrnl.exe.PsCreateSystemThread(0043e964,001fffff,0043e968,00000000,00000000,005632de,00000000) ret=005f346a
0057:Call ntdll.RtlCreateUserThread(ffffffff,00000000,00000000,00000000,00000000,00000000,005632de,00000000,0043e964,00000000) ret=7e985936
0057:Ret ntdll.RtlCreateUserThread() retval=00000000 ret=7e985936
0057:Ret ntoskrnl.exe.PsCreateSystemThread() retval=00000000 ret=005f346a
0057:Call ntoskrnl.exe.ObReferenceObjectByHandle(0000003c,001fffff,00000000,00000000,0056c554,00000000) ret=0060b15f
0057:fixme:ntoskrnl:ObReferenceObjectByHandle stub: 0x3c 1fffff (nil) 0 0x56c554 (nil)
0057:Ret ntoskrnl.exe.ObReferenceObjectByHandle() retval=00000000 ret=0060b15f
0057:Call ntoskrnl.exe.ZwClose(0000003c) ret=005bfa82
0057:Call ntdll.NtClose(0000003c) ret=7bc815f7
0057:Ret ntdll.NtClose() retval=00000000 ret=7bc815f7
0059:Call PE DLL (proc=0xf7b1c1ce,module=0xf7ad0000 L"rpcrt4.dll",reason=THREAD_ATTACH,res=(nil))
....
0057:fixme:ntoskrnl:PsSetCreateProcessNotifyRoutineEx stub: 0x5611dc 0
0057:Ret ntoskrnl.exe.PsSetCreateProcessNotifyRoutineEx() retval=00000000 ret=0059901a
0059:Starting thread proc 0x5632de (arg=(nil))
...
0057:Call driver unload 0x56174c (obj=0x11cc08)
0057:Call ntoskrnl.exe.KeSetEvent(0056c4f8,00000000,00000000) ret=005becc8
0057:fixme:ntoskrnl:KeSetEvent (0x56c4f8, 0, 0): stub
0057:Ret ntoskrnl.exe.KeSetEvent() retval=00000000 ret=005becc8
0057:Call ntoskrnl.exe.KeWaitForSingleObject(deadbeaf,00000000,00000000,00000000,00000000) ret=005b49c8
0057:fixme:ntoskrnl:KeWaitForSingleObject stub: 0xdeadbeaf, 0, 0, 0, (nil)
0057:Ret ntoskrnl.exe.KeWaitForSingleObject() retval=c0000002 ret=005b49c8
0057:trace:ntoskrnl:ObDereferenceObject (0xdeadbeaf): stub
0057:Call ntoskrnl.exe.PsSetCreateProcessNotifyRoutineEx(005611dc,00000001) ret=005ad28f
0057:fixme:ntoskrnl:PsSetCreateProcessNotifyRoutineEx stub: 0x5611dc 1
0057:Ret ntoskrnl.exe.PsSetCreateProcessNotifyRoutineEx() retval=00000000 ret=005ad28f
0057:Call fltmgr.sys.FltUnregisterFilter(deadbeaf) ret=0065b677
0057:fixme:fltmgr:FltUnregisterFilter (0xdeadbeaf): stub
0057:Ret fltmgr.sys.FltUnregisterFilter() retval=00000039 ret=0065b677
0057:Call ntoskrnl.exe.PsRemoveCreateThreadNotifyRoutine(0056145e) ret=00662852
0057:fixme:ntoskrnl:PsRemoveCreateThreadNotifyRoutine stub: 0x56145e
0057:Ret ntoskrnl.exe.PsRemoveCreateThreadNotifyRoutine() retval=00000000 ret=00662852
0057:Call ntoskrnl.exe.PsRemoveLoadImageNotifyRoutine(00561f16) ret=005aeee4
0057:fixme:ntoskrnl:PsRemoveLoadImageNotifyRoutine stub: 0x561f16
0057:Ret ntoskrnl.exe.PsRemoveLoadImageNotifyRoutine() retval=00000000 ret=005aeee4
...
0057:Ret ntoskrnl.exe.IoDeleteSymbolicLink() retval=00000000 ret=005c1278
0057:Call ntoskrnl.exe.IoDeleteDevice(001202f8) ret=005689a6
0057:trace:ntoskrnl:IoDeleteDevice 0x1202f8
...
0057:Ret ntoskrnl.exe.IoDeleteDevice() retval=00000001 ret=005689a6
0057:Ret driver unload 0x56174c (obj=0x11cc08)
0057:Call KERNEL32.FreeLibrary(00560000) ret=7e980f00
0057:Call PE DLL (proc=0xf7d2e27c,module=0xf7d20000 L"hal.dll",reason=PROCESS_DETACH,res=(nil))
0057:Ret PE DLL (proc=0xf7d2e27c,module=0xf7d20000 L"hal.dll",reason=PROCESS_DETACH,res=(nil)) retval=1
0057:Ret KERNEL32.FreeLibrary() retval=00000001 ret=7e980f00
0057:trace:ntoskrnl:IoDeleteDriver (0x11cc08)
...
0057:Call advapi32.SetServiceStatus(0011caf8,0043fc74) ret=7e980d5a
...
0059:Call ntoskrnl.exe.ZwQuerySystemInformation(00000005,00121fe8,0000132c,0087fed8) ret=005635a3
0059:Call ntdll.NtQuerySystemInformation(00000005,00121fe8,0000132c,0087fed8) ret=7bc815f7
0059:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=7bc815f7
0059:Ret ntoskrnl.exe.ZwQuerySystemInformation() retval=00000000 ret=005635a3
0059:Call ntoskrnl.exe.PsGetProcessId(90909090) ret=0066d51a
0059:fixme:ntoskrnl:PsGetProcessId stub: 0x90909090
0059:Ret ntoskrnl.exe.PsGetProcessId() retval=00000000 ret=0066d51a
0059:Call ntoskrnl.exe.KeWaitForSingleObject(0056c4f8,00000000,00000000,00000000,0087fecc) ret=005ee4e5
0059:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x56c4f8, 0, 0, 0, 0x87fecc
0059:Ret ntoskrnl.exe.KeWaitForSingleObject() retval=c0000002 ret=005ee4e5
0059:Call ntoskrnl.exe.KeWaitForSingleObject(0056c528,00000000,00000000,00000000,00000000) ret=005779cc
0059:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x56c528, 0, 0, 0, (nil)
0059:Ret ntoskrnl.exe.KeWaitForSingleObject() retval=c0000002 ret=005779cc
0059:Call ntoskrnl.exe.KeReleaseMutex(0056c528,00000000) ret=005755da
0059:fixme:ntoskrnl:KeReleaseMutex stub: 0x56c528, 0
0059:Ret ntoskrnl.exe.KeReleaseMutex() retval=c0000002 ret=005755da
0059:Call ntoskrnl.exe.ZwQuerySystemInformation(00000005,00121fe8,0000132c,0087fed8) ret=005635a3
0059:Call ntdll.NtQuerySystemInformation(00000005,00121fe8,0000132c,0087fed8) ret=7bc815f7
0059:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=7bc815f7
0059:Ret ntoskrnl.exe.ZwQuerySystemInformation() retval=00000000 ret=005635a3
0059:Call ntoskrnl.exe.PsGetProcessId(90909090) ret=0066d51a
0059:fixme:ntoskrnl:PsGetProcessId stub: 0x90909090
0059:Ret ntoskrnl.exe.PsGetProcessId() retval=00000000 ret=0066d51a
0059:Call ntoskrnl.exe.KeWaitForSingleObject(0056c4f8,00000000,00000000,00000000,0087fecc) ret=005ee4e5
0059:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x56c4f8, 0, 0, 0, 0x87fecc
0059:Ret ntoskrnl.exe.KeWaitForSingleObject() retval=c0000002 ret=005ee4e5
0059:Call ntoskrnl.exe.KeWaitForSingleObject(0056c528,00000000,00000000,00000000,00000000) ret=005779cc
0059:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x56c528, 0, 0, 0, (nil)
0059:Ret ntoskrnl.exe.KeWaitForSingleObject() retval=c0000002 ret=005779cc
0059:Call ntoskrnl.exe.KeReleaseMutex(0056c528,00000000) ret=005755da
0059:fixme:ntoskrnl:KeReleaseMutex stub: 0x56c528, 0
0059:Ret ntoskrnl.exe.KeReleaseMutex() retval=c0000002 ret=005755da
0059:Call ntoskrnl.exe.ZwQuerySystemInformation(00000005,00121fe8,0000132c,0087fed8) ret=005635a3
0059:Call ntdll.NtQuerySystemInformation(00000005,00121fe8,0000132c,0087fed8) ret=7bc815f7
0059:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=7bc815f7
0059:Ret ntoskrnl.exe.ZwQuerySystemInformation() retval=00000000 ret=005635a3
0059:trace:seh:raise_exception code=c0000005 flags=0 addr=0x5635a3 ip=005635a3 tid=0059
0059:trace:seh:raise_exception info[0]=00000008
0059:trace:seh:raise_exception info[1]=005635a3
0059:trace:seh:raise_exception eax=00000000 ebx=00000000 ecx=0000132c edx=00000f2c esi=00000007 edi=00000000
0059:trace:seh:raise_exception ebp=0087fedc esp=0087fec0 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0059:trace:seh:call_vectored_handlers calling handler at 0x7e97ecb1 code=c0000005 flags=0
0059:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7e97e567 ip=7e97e567 tid=0059
0059:trace:seh:raise_exception info[0]=00000000
0059:trace:seh:raise_exception info[1]=005635a3
0059:trace:seh:raise_exception eax=005635a3 ebx=00000023 ecx=0087fa30 edx=0087fe68 esi=0000002b edi=0000002b
0059:trace:seh:raise_exception ebp=0087f9e8 esp=0087f970 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0059:trace:seh:call_vectored_handlers calling handler at 0x7e97ecb1 code=c0000005 flags=0
0059:trace:seh:call_vectored_handlers handler at 0x7e97ecb1 returned 0
0059:trace:seh:call_stack_handlers calling handler at 0x7bcb3cc3 code=c0000005 flags=0
0059:Call KERNEL32.UnhandledExceptionFilter(0087f474) ret=7bcb3cfe
--- snip ---
The kernel module gets unmapped on unload while a secondary thread is still running. Upon return from the API call, it crashes in the secondary thread because the page is no longer mapped.
I'm refining the summary to be a bit more generic, to track the drivers suffering from the lack of synchronization object support here. I know it's kinda turning into a meta-bug then, but unlike many other bugs, targeting a single stub is not really useful as it requires more infrastructure.
The timer object parts could be split off into their own ticket with a dependency on this one. Not all drivers require this, hence I only mentioned the basic sync objects.
Regards
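The unload race the comment above describes, reduced to a user-mode model as an added example (my code, not Wine's and not BattleEye's driver): a simplified notification KEVENT built on pthreads, a driver-like worker that polls with a 10 ms timed wait, and a DriverUnload that sets the stop event and then waits for the worker's "thread exited" event before returning. Run once with real waits and once with waits that behave like the ntoskrnl stubs in the trace (returning STATUS_NOT_IMPLEMENTED, c0000002, without blocking), it shows that the stubbed unload returns while the worker is still executing module code, which is the point at which Wine unmaps the driver. The KEVENT model, the DRIVER struct, wait_on and run_scenario are assumptions for illustration; only the Ke* API names and NTSTATUS values come from the trace.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <time.h>

/* NTSTATUS values; c0000002 is what the ntoskrnl stubs in the trace return. */
#define STATUS_SUCCESS         0x00000000L
#define STATUS_TIMEOUT         0x00000102L
#define STATUS_NOT_IMPLEMENTED 0xC0000002L

/* Simplified user-mode model of a notification KEVENT (assumption, not Wine's code). */
typedef struct { pthread_mutex_t lock; pthread_cond_t cond; bool signaled; } KEVENT;

static void KeInitializeEvent(KEVENT *e, bool initial_state)
{
    pthread_mutex_init(&e->lock, NULL);
    pthread_cond_init(&e->cond, NULL);
    e->signaled = initial_state;
}

/* Returns the previous state; a notification event stays signaled and wakes every waiter. */
static long KeSetEvent(KEVENT *e)
{
    pthread_mutex_lock(&e->lock);
    long previous = e->signaled;
    e->signaled = true;
    pthread_cond_broadcast(&e->cond);
    pthread_mutex_unlock(&e->lock);
    return previous;
}

/* timeout_ms < 0 waits forever; otherwise STATUS_TIMEOUT once the deadline passes unsignaled. */
static long KeWaitForSingleObject(KEVENT *e, long timeout_ms)
{
    struct timespec deadline;
    long status = STATUS_SUCCESS;
    if (timeout_ms >= 0) {
        clock_gettime(CLOCK_REALTIME, &deadline);
        deadline.tv_sec  += timeout_ms / 1000;
        deadline.tv_nsec += (timeout_ms % 1000) * 1000000L;
        if (deadline.tv_nsec >= 1000000000L) { deadline.tv_sec++; deadline.tv_nsec -= 1000000000L; }
    }
    pthread_mutex_lock(&e->lock);
    while (!e->signaled && status == STATUS_SUCCESS) {
        if (timeout_ms < 0) pthread_cond_wait(&e->cond, &e->lock);
        else if (pthread_cond_timedwait(&e->cond, &e->lock, &deadline) == ETIMEDOUT) status = STATUS_TIMEOUT;
    }
    pthread_mutex_unlock(&e->lock);
    return status;
}

/* Hypothetical driver state: one worker thread and the two events its unload path relies on. */
typedef struct {
    bool        stubbed;        /* true: waits behave like the Wine stubs in the trace */
    KEVENT      stop_event;     /* set by DriverUnload; tells the worker to exit */
    KEVENT      thread_exited;  /* set by the worker as its last act inside module code */
    atomic_bool unloaded;       /* DriverUnload has returned: module pages would be gone now */
    atomic_bool ran_after_unload, force_quit; /* force_quit: harness escape for the stubbed loop */
    atomic_long polls;
    pthread_t   worker;
} DRIVER;

static long wait_on(DRIVER *d, KEVENT *e, long timeout_ms)
{
    if (d->stubbed) return STATUS_NOT_IMPLEMENTED; /* stub: returns at once, never blocks */
    return KeWaitForSingleObject(e, timeout_ms);
}

/* Worker: poll every 10 ms until stop_event is signaled (the ZwQuerySystemInformation loop). */
static void *worker_thread(void *arg)
{
    DRIVER *d = arg;
    while (wait_on(d, &d->stop_event, 10) != STATUS_SUCCESS) {
        atomic_fetch_add(&d->polls, 1);
        if (atomic_load(&d->unloaded)) atomic_store(&d->ran_after_unload, true);
        if (atomic_load(&d->force_quit)) break;
    }
    KeSetEvent(&d->thread_exited);
    return NULL;
}

/* DriverUnload: signal the worker, then block until it has left the module. */
static long driver_unload(DRIVER *d)
{
    KeSetEvent(&d->stop_event);
    long status = wait_on(d, &d->thread_exited, -1);
    atomic_store(&d->unloaded, true);
    return status;
}

/* Load, unload, tear down. Returns true if the worker still ran after unload returned. */
static bool run_scenario(bool stubbed, long *unload_status)
{
    DRIVER d = { .stubbed = stubbed };
    KeInitializeEvent(&d.stop_event, false);
    KeInitializeEvent(&d.thread_exited, false);
    pthread_create(&d.worker, NULL, worker_thread, &d);
    while (atomic_load(&d.polls) < 3) sched_yield();  /* let the worker poll a few times */
    *unload_status = driver_unload(&d);
    if (stubbed) {  /* stub returned at once; wait for one more poll to prove the worker is alive */
        long at_unload = atomic_load(&d.polls);
        while (atomic_load(&d.polls) == at_unload) sched_yield();
        atomic_store(&d.force_quit, true);
    }
    pthread_join(d.worker, NULL);
    return atomic_load(&d.ran_after_unload);
}
```

With real waits, run_scenario(false, ...) returns false and the unload status is STATUS_SUCCESS: the worker is out of module code before the module could be unmapped. With stubbed waits it returns true and the status is STATUS_NOT_IMPLEMENTED, mirroring the retval=c0000002 in the trace; in Wine the FreeLibrary that follows is what turns that into the access violation at the worker's return address.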