[HAL]

Fix a catastrophic bug in S/G DMA. There is a subtle difference between the S/G DMA APIs and the old AllocateAdapterChannel API when it comes to having multiple requests in flight. Callers of (Io)AllocateAdapterChannel CANNOT queue another request until the AdapterControlRoutine is called. S/G DMA allows multiple concurrent DMA requests, but ROS was using IoAllocateAdapterChannel in the S/G API. As a result, the wait block stored in the device object was unexpectedly reinitalized and queued again. This results in a leak of the originally queued request context, potentially performing the new DMA operation twice while dropping the old request, and use after free of the context passed to HalpScatterGatherAdapterControl.

svn path=/trunk/; revision=63898

reactos/hal/halx86/generic/dma.c

@@ -919,6 +919,7 @@ typedef struct _SCATTER_GATHER_CONTEXT {
 	PVOID AdapterListControlContext, MapRegisterBase;
 	ULONG MapRegisterCount;
 	BOOLEAN WriteToDevice;
+	WAIT_CONTEXT_BLOCK Wcb;
 } SCATTER_GATHER_CONTEXT, *PSCATTER_GATHER_CONTEXT;
 
 
@@ -1041,11 +1042,14 @@ HalpScatterGatherAdapterControl(IN PDEVICE_OBJECT DeviceObject,
 	AdapterControlContext->AdapterListControlContext = Context;
 	AdapterControlContext->WriteToDevice = WriteToDevice;
 
-	return IoAllocateAdapterChannel(AdapterObject,
-	                                DeviceObject,
-									AdapterControlContext->MapRegisterCount,
-									HalpScatterGatherAdapterControl,
-									AdapterControlContext);
+	AdapterControlContext->Wcb.DeviceObject = DeviceObject;
+	AdapterControlContext->Wcb.DeviceContext = AdapterControlContext;
+	AdapterControlContext->Wcb.CurrentIrp = DeviceObject->CurrentIrp;
+
+	return HalAllocateAdapterChannel(AdapterObject,
+		&AdapterControlContext->Wcb,
+		AdapterControlContext->MapRegisterCount,
+		HalpScatterGatherAdapterControl);
 }
 
 /**