I took the ndislwf 6.0 sample and made some changes, like putting unique incoming ARP packets in a linked list. I can fetch all of the data from user space via an IOCTL command. This much is fine.

Now, I want to have a running application; and as soon as my driver receives an ARP packet, it should send some notification or signal to the client application. The client application will then issue another request which will fetch the latest data.

I found three methods:

  1. Have an event and wait for it in the client application,
  2. Have a pending IRP, and
  3. Use a named pipe.

I implemented the first one by copying the ..winddk...\src\general\event project's implementation verbatim.

Now, since I am not using a timer, I am confused. The problem is this:

An event, and waiting for it, requires an IOCTL command. The ARP cache is updated as a new ARP packet arrives and is added to the list. Only when it is added to the list do I need to signal. But this is interrupt based.

So, how do I combine these two so that on an interrupt from NDIS, I notify the client application?

I did this:

In the function where I am handling the incoming IOCTL request, which puts the current request in a DPC:

    registerEvent->DueTime.QuadPart = -30;
    KeInitializeDpc(&notifyRecord->Dpc, // Dpc
                    CustomTimerDPC,     // DeferredRoutine
                    notifyRecord        // DeferredContext
                   );
    KeAcquireSpinLock(&deviceExtension->QueueLock, &oldIrql);

    InsertTailList(&deviceExtension->EventQueueHead,
                   &notifyRecord->ListEntry);

    KeReleaseSpinLock(&deviceExtension->QueueLock, oldIrql);
    // check. Arp cache changed or not since last time.
    // timer: 0 = delay
    if (IsARPCacheModified()) {
        // if ARP cache is modified, it will return true and end up here.
        DbgPrint("ARP Cache modified. Signal.");
        // due time is -30. is it relative 30*100ns = 3 secs?
    } else {
        // if ARP Cache is not modified, it will end up here.
        registerEvent->DueTime.QuadPart = -1000;
    }
    KeSetTimer(&notifyRecord->Timer,   // Timer
               registerEvent->DueTime, // DueTime
               &notifyRecord->Dpc      // Dpc
              );
    return STATUS_SUCCESS;

Now, what's happening is that the first request from the user space client application sometimes succeeds, but subsequent requests result in an error.

While debugging, I found that it is pointing to the code that I have added, i.e. the if/else and the KeSetTimer() call, and the error is related to IRQL being not less or equal.

I have no clue how to do this and what's crashing. The code doesn't crash anywhere else, only in this function.

Thanks.

1 Answer

It sounds like you need to notify usermode when a new item is added to your data queue. That is a common need, and the generally-accepted solution is referred to as the "inverted call" model. I think this is option #2 in your list. Search the web for "inverted call" to get an idea of what this is and how to use it.

As to the crash that you're seeing -- I don't know why your code uses timers or DPCs. You should be able to get this done without either timers or DPCs.

Note that DueTime.QuadPart is measured in 100-nanosecond units, so a relative time of -30 means 3 microseconds.

I suggest you get rid of the timer and implement an inverted call. If you really want somebody to help you with the crash in your timer, you should:

  1. Enable Driver Verifier on your driver and try again. Verifier will often give a better error message.
  2. If you tried verifier and it still doesn't make sense, post the output of "!analyze -v" with proper symbols loaded. Include relevant parts of your code. (E.g., where is notifyRecord allocated? What happens in CustomTimerDPC?)
Jeffrey Tippet
  • OSR Online has a 12-year-old doc. Is there anything new for Win7 and onwards? –  Apr 24 '14 at 11:46
  • Not much has changed in the last 12 years :) The only change I'd make to the OSR article is to port it to WDF instead of raw WDM. But from your code sample's mention of `deviceExtension`, it looks like you're using WDM anyway. – Jeffrey Tippet Apr 24 '14 at 21:47
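
The "inverted call" model recommended in the answer, sketched as a portable user-mode C model; this is an added example, not code from the post, the answer or the WDK. All names are hypothetical: `struct request` stands in for a pended IRP, and in a real driver both functions would run with the queue lock held.

```c
/* Portable model of the inverted call pattern (added example).
   All names are hypothetical; no WDK APIs are used. */
#include <stddef.h>

#define MAX_PENDING 4       /* assumed cap on outstanding wait requests */

enum req_state { REQ_PENDING, REQ_COMPLETED, REQ_REJECTED };

struct request {            /* stands in for a pended IRP */
    enum req_state state;
    unsigned seq_seen;      /* cache version reported on completion */
};

struct notifier {
    struct request *pending[MAX_PENDING]; /* pended-request queue */
    size_t count;
    unsigned cache_seq;     /* bumped on every ARP cache change */
    unsigned delivered_seq; /* last version reported to the client */
};

static void complete(struct notifier *n, struct request *r) {
    r->seq_seen = n->cache_seq;
    r->state = REQ_COMPLETED;
    n->delivered_seq = n->cache_seq;
}

/* Client "wait for change" request (the IOCTL handler's job). */
enum req_state submit_wait(struct notifier *n, struct request *r) {
    if (n->cache_seq != n->delivered_seq) {   /* change arrived while no one waited */
        complete(n, r);
    } else if (n->count == MAX_PENDING) {     /* bound what a client can pend */
        r->state = REQ_REJECTED;
    } else {                                  /* park it until the next change */
        r->state = REQ_PENDING;
        n->pending[n->count++] = r;
    }
    return r->state;
}

/* Receive path: a new unique ARP entry was added to the list.
   Returns how many pended requests were completed. */
size_t on_arp_added(struct notifier *n) {
    size_t done = n->count;
    n->cache_seq++;
    for (size_t i = 0; i < done; i++)
        complete(n, n->pending[i]);
    n->count = 0;
    return done;
}
```

The version counter covers the case where a packet arrives while no request is pended, so that the next request completes immediately instead of missing the change; no timer or DPC is involved.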