[NTOS:KE/x64] Loop in KiInitiateUserApc

This is required since while interrupts are enabled, another user APC could get queued and we want to guarantee that those are all delivered before returning to user mode.
2025-04-27 09:00:27 +00:00 · 2024-03-25 22:23:19 +02:00 · 2024-03-25 22:23:19 +02:00 · 36fa628605
commit 36fa628605
parent e3bfcdf9e2
1 changed files with 11 additions and 5 deletions
--- a/ntoskrnl/ke/amd64/trap.S
+++ b/ntoskrnl/ke/amd64/trap.S
@ -416,7 +416,7 @@ FUNC KiPageFault
    /* Save page fault address */
    mov rdx, cr2
    mov [rbp  + KTRAP_FRAME_FaultAddress], rdx
-    
+
    /* If interrupts are off, do not enable them */
    test dword ptr [rbp + KTRAP_FRAME_EFlags], EFLAGS_IF_MASK
    jz IntsDisabled
@ -1150,21 +1150,27 @@ PUBLIC KiInitiateUserApc
    mov rax, APC_LEVEL
    mov cr8, rax

+    /* Get the current thread */
+    mov rbp, gs:[PcCurrentThread]
+
+deliver_apcs:
+
    /* Enable interrupts */
    sti

-    /* Get the current trap frame */
-    mov rax, gs:[PcCurrentThread]
-    mov r8, [rax + KTHREAD_TrapFrame]
-
    /* Call the C function */
    mov ecx, 1
    mov rdx, rsp
+    mov r8, [rbp + ThTrapFrame]
    call KiDeliverApc

    /* Disable interrupts again */
    cli

+    /* Check if there are more APCs to deliver */
+    cmp byte ptr [rbp + ThApcState + AsUserApcPending], 0
+    jne deliver_apcs
+
    /* Go back to PASSIVE_LEVEL */
    mov rax, PASSIVE_LEVEL
    mov cr8, rax