sys: MustSucceed requests

src/sys/cleanup.c

@@ -75,29 +75,21 @@ static NTSTATUS FspFsvolCleanup(
         FspFsvolDeviceUnlockContextTable(FsvolDeviceObject);
     }
 
-    /* create the user-mode file system request */
+    /* create the user-mode file system request; MustSucceed because IRP_MJ_CLEANUP cannot fail */
-    Result = FspIopCreateRequest(Irp, FileNameRequired ? &FsContext->FileName : 0, 0, &Request);
+    Result = FspIopCreateRequestMustSucceed(Irp,
-    if (!NT_SUCCESS(Result))
+        FileNameRequired ? &FsContext->FileName : 0, 0, &Request);
-    {
-        /*
-         * This really should NOT fail, but can theoretically happen. One way around it would
-         * be to preallocate the Request at IRP_MJ_CREATE time. Unfortunately this becomes
-         * expensive (and complicated) because of the FileNameRequired functionality.
-         */
-#if DBG
-        DEBUGLOG("FileObject=%p, UserContext=%llx, UserContext2=%llx: "
-            "error: the user-mode file system handle will be leaked!",
-            FileObject, UserContext, UserContext2);
-#endif
-        Irp->IoStatus.Information = 0;
-        return STATUS_SUCCESS;
-    }
 
     /* populate the Cleanup request */
     Request->Kind = FspFsctlTransactCleanupKind;
     Request->Req.Cleanup.UserContext = UserContext;
     Request->Req.Cleanup.UserContext2 = UserContext2;
 
+    /*
+     * Note that it is still possible for this request to not be delivered,
+     * if the volume device Ioq is stopped. But such failures are benign
+     * from our perspective, because they mean that the file system is going
+     * away and should correctly tear things down.
+     */
     return STATUS_PENDING;
 }
 

src/sys/close.c

@@ -62,39 +62,27 @@ static NTSTATUS FspFsvolClose(
     /* dereference the FsContext (and delete if no more references) */
     FspFileContextRelease(FsContext);
 
-    /* create the user-mode file system request */
+    /* create the user-mode file system request; MustSucceed because IRP_MJ_CLOSE cannot fail */
-    Result = FspIopCreateRequest(Irp, FileNameRequired ? &FsContext->FileName : 0, 0, &Request);
+    Result = FspIopCreateRequestMustSucceed(Irp,
-    if (!NT_SUCCESS(Result))
+        FileNameRequired ? &FsContext->FileName : 0, 0, &Request);
-    {
-        /*
-         * This really should NOT fail, but can theoretically happen. One way around it would
-         * be to preallocate the Request at IRP_MJ_CREATE time. Unfortunately this becomes
-         * expensive (and complicated) because of the FileNameRequired functionality.
-         */
-#if DBG
-        DEBUGLOG("FileObject=%p, UserContext=%llx, UserContext2=%llx: "
-            "error: the user-mode file system handle will be leaked!",
-            FileObject, UserContext, UserContext2);
-#endif
-        Irp->IoStatus.Information = 0;
-        return STATUS_SUCCESS;
-    }
 
     /* populate the Close request */
     Request->Kind = FspFsctlTransactCloseKind;
     Request->Req.Close.UserContext = UserContext;
     Request->Req.Close.UserContext2 = UserContext2;
 
-    /* post as a work request; this allows us to complete our own IRP and return immediately! */
+    /*
-    if (!FspIopPostWorkRequest(FsvolDeviceObject, Request))
+     * Post as a MustSucceed work request. This allows us to complete our own IRP
-    {
+     * and return immediately.
-#if DBG
+     */
-        DEBUGLOG("FileObject=%p, UserContext=%llx, UserContext2=%llx: "
+    FspIopPostWorkRequestMustSucceed(FsvolDeviceObject, Request);
-            "error: the user-mode file system handle will be leaked!",
-            FileObject, UserContext, UserContext2);
-#endif
-    }
 
+    /*
+     * Note that it is still possible for this request to not be delivered,
+     * if the volume device Ioq is stopped. But such failures are benign
+     * from our perspective, because they mean that the file system is going
+     * away and should correctly tear things down.
+     */
     Irp->IoStatus.Information = 0;
     return STATUS_SUCCESS;
 }

src/sys/driver.h

@@ -363,21 +363,27 @@ PIRP FspIoqEndProcessingIrp(FSP_IOQ *Ioq, UINT_PTR IrpHint);
 /* I/O processing */
 #define FSP_FSCTL_WORK                  \
     CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x800 + 'W', METHOD_NEITHER, FILE_ANY_ACCESS)
+#define FspIopCreateRequest(I, F, E, P) \
+    FspIopCreateRequestFunnel(I, F, E, 0, FALSE, P)
+#define FspIopCreateRequestMustSucceed(I, F, E, P)\
+    FspIopCreateRequestFunnel(I, F, E, 0, TRUE, P)
+#define FspIopCreateRequestEx(I, F, E, RF, P)\
+    FspIopCreateRequestFunnel(I, F, E, RF, FALSE, P)
 #define FspIopRequestContext(Request, I)\
     (*FspIopRequestContextAddress(Request, I))
-#define FspIopCreateRequest(I, F, E, P) FspIopCreateRequestEx(I, F, E, 0, P)
+#define FspIopPostWorkRequest(D, R)     FspIopPostWorkRequestFunnel(D, R, FALSE)
+#define FspIopPostWorkRequestMustSucceed(D, R)\
+    FspIopPostWorkRequestFunnel(D, R, TRUE)
+#define FspIopCompleteIrp(I, R)         FspIopCompleteIrpEx(I, R, TRUE)
 typedef VOID FSP_IOP_REQUEST_FINI(PVOID Context[3]);
-NTSTATUS FspIopCreateRequestEx(
+NTSTATUS FspIopCreateRequestFunnel(
     PIRP Irp, PUNICODE_STRING FileName, ULONG ExtraSize, FSP_IOP_REQUEST_FINI *RequestFini,
+    BOOLEAN MustSucceed,
     FSP_FSCTL_TRANSACT_REQ **PRequest);
 PVOID *FspIopRequestContextAddress(FSP_FSCTL_TRANSACT_REQ *Request, ULONG I);
-NTSTATUS FspIopPostWorkRequest(PDEVICE_OBJECT DeviceObject, FSP_FSCTL_TRANSACT_REQ *Request);
+NTSTATUS FspIopPostWorkRequestFunnel(PDEVICE_OBJECT DeviceObject,
+    FSP_FSCTL_TRANSACT_REQ *Request, BOOLEAN AllocateIrpMustSucceed);
 VOID FspIopCompleteIrpEx(PIRP Irp, NTSTATUS Result, BOOLEAN DeviceRelease);
-static inline
-VOID FspIopCompleteIrp(PIRP Irp, NTSTATUS Result)
-{
-    FspIopCompleteIrpEx(Irp, Result, TRUE);
-}
 VOID FspIopCompleteCanceledIrp(PIRP Irp);
 NTSTATUS FspIopDispatchPrepare(PIRP Irp, FSP_FSCTL_TRANSACT_REQ *Request);
 VOID FspIopDispatchComplete(PIRP Irp, const FSP_FSCTL_TRANSACT_RSP *Response);

src/sys/iop.c

@@ -6,27 +6,73 @@
 
 #include <sys/driver.h>
 
-NTSTATUS FspIopCreateRequestEx(
+NTSTATUS FspIopCreateRequestFunnel(
     PIRP Irp, PUNICODE_STRING FileName, ULONG ExtraSize, FSP_IOP_REQUEST_FINI *RequestFini,
+    BOOLEAN MustSucceed,
     FSP_FSCTL_TRANSACT_REQ **PRequest);
 static VOID FspIopDeleteRequest(FSP_FSCTL_TRANSACT_REQ *Request);
 PVOID *FspIopRequestContextAddress(FSP_FSCTL_TRANSACT_REQ *Request, ULONG I);
-NTSTATUS FspIopPostWorkRequest(PDEVICE_OBJECT DeviceObject, FSP_FSCTL_TRANSACT_REQ *Request);
+NTSTATUS FspIopPostWorkRequestFunnel(PDEVICE_OBJECT DeviceObject,
+    FSP_FSCTL_TRANSACT_REQ *Request, BOOLEAN AllocateIrpMustSucceed);
 static IO_COMPLETION_ROUTINE FspIopPostWorkRequestCompletion;
 VOID FspIopCompleteIrpEx(PIRP Irp, NTSTATUS Result, BOOLEAN DeviceRelease);
+VOID FspIopCompleteCanceledIrp(PIRP Irp);
 NTSTATUS FspIopDispatchPrepare(PIRP Irp, FSP_FSCTL_TRANSACT_REQ *Request);
 VOID FspIopDispatchComplete(PIRP Irp, const FSP_FSCTL_TRANSACT_RSP *Response);
 
 #ifdef ALLOC_PRAGMA
-#pragma alloc_text(PAGE, FspIopCreateRequestEx)
+#pragma alloc_text(PAGE, FspIopCreateRequestFunnel)
 #pragma alloc_text(PAGE, FspIopDeleteRequest)
 #pragma alloc_text(PAGE, FspIopRequestContextAddress)
-#pragma alloc_text(PAGE, FspIopPostWorkRequest)
+#pragma alloc_text(PAGE, FspIopPostWorkRequestFunnel)
 #pragma alloc_text(PAGE, FspIopCompleteIrpEx)
+#pragma alloc_text(PAGE, FspIopCompleteCanceledIrp)
 #pragma alloc_text(PAGE, FspIopDispatchPrepare)
 #pragma alloc_text(PAGE, FspIopDispatchComplete)
 #endif
 
+static const LONG Delays[] =
+{
+    -100,
+    -200,
+    -300,
+    -400,
+    -500,
+    -1000,
+};
+
+static PVOID FspAllocMustSucceed(SIZE_T Size)
+{
+    PVOID Result;
+    LARGE_INTEGER Delay;
+
+    for (ULONG i = 0, n = sizeof(Delays) / sizeof(Delays[0]);; i++)
+    {
+        Result = FspAlloc(Size);
+        if (0 != Result)
+            return Result;
+
+        Delay.QuadPart = n > i ? Delays[i] : Delays[n - 1];
+        KeDelayExecutionThread(KernelMode, FALSE, &Delay);
+    }
+}
+
+static PVOID FspAllocateIrpMustSucceed(CCHAR StackSize)
+{
+    PIRP Result;
+    LARGE_INTEGER Delay;
+
+    for (ULONG i = 0, n = sizeof(Delays) / sizeof(Delays[0]);; i++)
+    {
+        Result = IoAllocateIrp(StackSize, FALSE);
+        if (0 != Result)
+            return Result;
+
+        Delay.QuadPart = n > i ? Delays[i] : Delays[n - 1];
+        KeDelayExecutionThread(KernelMode, FALSE, &Delay);
+    }
+}
+
 typedef struct
 {
     FSP_IOP_REQUEST_FINI *RequestFini;
@@ -34,8 +80,9 @@ typedef struct
     __declspec(align(MEMORY_ALLOCATION_ALIGNMENT)) UINT8 RequestBuf[];
 } FSP_FSCTL_TRANSACT_REQ_HEADER;
 
-NTSTATUS FspIopCreateRequestEx(
+NTSTATUS FspIopCreateRequestFunnel(
     PIRP Irp, PUNICODE_STRING FileName, ULONG ExtraSize, FSP_IOP_REQUEST_FINI *RequestFini,
+    BOOLEAN MustSucceed,
     FSP_FSCTL_TRANSACT_REQ **PRequest)
 {
     PAGED_CODE();
@@ -51,9 +98,14 @@ NTSTATUS FspIopCreateRequestEx(
     if (FSP_FSCTL_TRANSACT_REQ_SIZEMAX < sizeof *Request + ExtraSize)
         return STATUS_INVALID_PARAMETER;
 
-    RequestHeader = FspAlloc(sizeof *RequestHeader + sizeof *Request + ExtraSize);
+    if (MustSucceed)
-    if (0 == RequestHeader)
+        RequestHeader = FspAllocMustSucceed(sizeof *RequestHeader + sizeof *Request + ExtraSize);
-        return STATUS_INSUFFICIENT_RESOURCES;
+    else
+    {
+        RequestHeader = FspAlloc(sizeof *RequestHeader + sizeof *Request + ExtraSize);
+        if (0 == RequestHeader)
+            return STATUS_INSUFFICIENT_RESOURCES;
+    }
 
     RtlZeroMemory(RequestHeader, sizeof *RequestHeader + sizeof *Request + ExtraSize);
     RequestHeader->RequestFini = RequestFini;
@@ -98,18 +150,26 @@ PVOID *FspIopRequestContextAddress(FSP_FSCTL_TRANSACT_REQ *Request, ULONG I)
     return &RequestHeader->Context[I];
 }
 
-NTSTATUS FspIopPostWorkRequest(PDEVICE_OBJECT DeviceObject, FSP_FSCTL_TRANSACT_REQ *Request)
+NTSTATUS FspIopPostWorkRequestFunnel(PDEVICE_OBJECT DeviceObject,
+    FSP_FSCTL_TRANSACT_REQ *Request, BOOLEAN AllocateIrpMustSucceed)
 {
     PAGED_CODE();
 
     ASSERT(0 == Request->Hint);
 
     NTSTATUS Result;
-    PIRP Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
+    PIRP Irp;
-    if (0 == Irp)
+
+    if (AllocateIrpMustSucceed)
+        Irp = FspAllocateIrpMustSucceed(DeviceObject->StackSize);
+    else
     {
-        Result = STATUS_INSUFFICIENT_RESOURCES;
+        Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
-        goto exit;
+        if (0 == Irp)
+        {
+            Result = STATUS_INSUFFICIENT_RESOURCES;
+            goto exit;
+        }
     }
 
     PIO_STACK_LOCATION IrpSp = IoGetNextIrpStackLocation(Irp);
@@ -174,6 +234,8 @@ VOID FspIopCompleteIrpEx(PIRP Irp, NTSTATUS Result, BOOLEAN DeviceRelease)
 
 VOID FspIopCompleteCanceledIrp(PIRP Irp)
 {
+    PAGED_CODE();
+
     FspIopCompleteIrpEx(Irp, STATUS_CANCELLED, TRUE);
 }