[NTOSKRNL] Add extra sanity checks for VACB lists.

We now always initialize list members from the VACB and make sure the list entry has properly been removed from the list before free. CORE-14349
2025-04-26 00:20:34 +00:00 · 2018-04-08 18:34:00 +02:00 · 2018-04-08 18:34:00 +02:00 · 42df4683d7
commit 42df4683d7
parent b54e5c689c
2 changed files with 13 additions and 2 deletions
--- a/ntoskrnl/cc/fs.c
+++ b/ntoskrnl/cc/fs.c
@ -238,6 +238,7 @@ CcPurgeCacheSection (
        /* This VACB is in range, so unlink it and mark for free */
        ASSERT(Refs == 1 || Vacb->Dirty);
        RemoveEntryList(&Vacb->VacbLruListEntry);
+        InitializeListHead(&Vacb->VacbLruListEntry);
        if (Vacb->Dirty)
        {
            CcRosUnmarkDirtyVacb(Vacb, FALSE);
@ -253,6 +254,7 @@ CcPurgeCacheSection (
        Vacb = CONTAINING_RECORD(RemoveHeadList(&FreeList),
                                 ROS_VACB,
                                 CacheMapVacbListEntry);
+        InitializeListHead(&Vacb->CacheMapVacbListEntry);
        CcRosVacbDecRefCount(Vacb);
        CcRosInternalFreeVacb(Vacb);
    }
--- a/ntoskrnl/cc/view.c
+++ b/ntoskrnl/cc/view.c
@ -375,6 +375,7 @@ retry:

            RemoveEntryList(&current->CacheMapVacbListEntry);
            RemoveEntryList(&current->VacbLruListEntry);
+            InitializeListHead(&current->VacbLruListEntry);
            InsertHeadList(&FreeList, &current->CacheMapVacbListEntry);

            /* Calculate how many pages we freed for Mm */
@ -413,6 +414,7 @@ retry:
        current = CONTAINING_RECORD(current_entry,
                                    ROS_VACB,
                                    CacheMapVacbListEntry);
+        InitializeListHead(&current->CacheMapVacbListEntry);
        CcRosVacbDecRefCount(current);
        CcRosInternalFreeVacb(current);
    }
@ -567,6 +569,7 @@ CcRosUnmarkDirtyVacb (
    Vacb->Dirty = FALSE;

    RemoveEntryList(&Vacb->DirtyVacbListEntry);
+    InitializeListHead(&Vacb->DirtyVacbListEntry);
    CcTotalDirtyPages -= VACB_MAPPING_GRANULARITY / PAGE_SIZE;
    Vacb->SharedCacheMap->DirtyPages -= VACB_MAPPING_GRANULARITY / PAGE_SIZE;
    CcRosVacbDecRefCount(Vacb);
@ -743,11 +746,12 @@ CcRosCreateVacb (
    }
 #endif
    current->MappedCount = 0;
-    current->DirtyVacbListEntry.Flink = NULL;
-    current->DirtyVacbListEntry.Blink = NULL;
    current->ReferenceCount = 0;
    current->PinCount = 0;
    KeInitializeMutex(&current->Mutex, 0);
+    InitializeListHead(&current->CacheMapVacbListEntry);
+    InitializeListHead(&current->DirtyVacbListEntry);
+    InitializeListHead(&current->VacbLruListEntry);
    CcRosAcquireVacbLock(current, NULL);
    KeAcquireGuardedMutex(&ViewLock);

@ -988,6 +992,9 @@ CcRosInternalFreeVacb (

    ASSERT(Vacb->PinCount == 0);
    ASSERT(Vacb->ReferenceCount == 0);
+    ASSERT(IsListEmpty(&Vacb->CacheMapVacbListEntry));
+    ASSERT(IsListEmpty(&Vacb->DirtyVacbListEntry));
+    ASSERT(IsListEmpty(&Vacb->VacbLruListEntry));
    RtlFillMemory(Vacb, sizeof(Vacb), 0xfd);
    ExFreeToNPagedLookasideList(&VacbLookasideList, Vacb);
    return STATUS_SUCCESS;
@ -1109,6 +1116,7 @@ CcRosDeleteFileCache (
            current = CONTAINING_RECORD(current_entry, ROS_VACB, CacheMapVacbListEntry);
            CcRosAcquireVacbLock(current, NULL);
            RemoveEntryList(&current->VacbLruListEntry);
+            InitializeListHead(&current->VacbLruListEntry);
            if (current->Dirty)
            {
                KeAcquireSpinLock(&SharedCacheMap->CacheMapLock, &oldIrql);
@ -1133,6 +1141,7 @@ CcRosDeleteFileCache (
        {
            current_entry = RemoveTailList(&FreeList);
            current = CONTAINING_RECORD(current_entry, ROS_VACB, CacheMapVacbListEntry);
+            InitializeListHead(&current->CacheMapVacbListEntry);
            CcRosVacbDecRefCount(current);
            CcRosInternalFreeVacb(current);
        }