Validate SecRegion password cache offsets before use.
Wipe decrypted SecRegion password-cache data even when cache validation fails.
Clamp encrypted I/O work item counts and check allocation sizing.
Reject invalid boot drive sector writes and initialize decoy wipe data unit.
Validate hidden-system boot offsets and remap arithmetic before use.
Make /aux-device-info readable for SMB, verify that FUSE records hdiutil device info after mount and recover missing virtual devices from hdiutil before dismounting auxiliary mounts.
Add statfs metadata for the auxiliary FUSE mount, keep /control read-only by sending hdiutil device data through /aux-device-info and tolerate delayed SMB rediscovery during mount completion. Log final control-file retry failures for diagnostics.
* Fix hibernation crash on fresh Windows 11 25H2 (BSOD Event 41)
* follow up on the hibernation fix review: fix MDL check order and drop the risky sleep.
Introduce MapIrpDataBuffer to handle Direct/Buffered/Neither I/O, probing & locking pages and allocating a temp MDL when needed.
Replace blind MmGetSystemAddressForMdlSafe usage. clean up TempUserMdl in OnItemCompleted to avoid crashes when MdlAddress is NULL.
Issue reported at https://sourceforge.net/p/veracrypt/discussion/technical/thread/e43bde8d86/
Replace timer-based TCSleep (which allocated a KTIMER and waited on it) with an
implementation that calls KeDelayExecutionThread. This removes dynamic allocation
and kernel timer usage to simplify the code and reduce resource overhead.
Adds an IRQL <= APC_LEVEL assertion and documents the requirement.
This is safe because TCSleep is always called from code that runs at PASSIVE_LEVEL
Added InterlockedDecrement in the error path when GetPoolBuffer fails for EncryptedIoRequest to ensure accurate tracking of pending IO requests and prevent potential resource leaks.
Major changes:
- Added pooled + elastic work item model with retry/backoff (MAX_WI_RETRIES). removed semaphore usage.
- Introduced two completion threads to reduce contention and latency under heavy IO.
- Added BytesCompleted (per IRP) and ActualBytes (per fragment) for correct short read/write accounting. total read/write stats now reflect real transferred bytes instead of requested length.
- Moved decryption of read fragments into IO thread. completion threads now only finalize IRPs (reduces race window and simplifies flow).
- Deferred final IRP completion via FinalizeOriginalIrp to avoid inline IoCompleteRequest re-entrancy. added safe OOM inline fallback.
- Implemented work item pool drain & orderly shutdown (ActiveWorkItems + NoActiveWorkItemsEvent) with robust stop protocol.
- Replaced semaphore-based work item acquisition with spin lock + free list + event (WorkItemAvailableEvent). added exponential backoff for transient exhaustion.
- Added elastic (on-demand) work item allocation with pool vs dynamic origin tracking (FromPool).
- Added FreeCompletionWorkItemPool() for symmetric cleanup; ensured all threads are explicitly awakened during stop.
- Added second completion thread replacing single CompletionThread.
- Hardened UpdateBuffer: fixed parameter name typo, added bounds/overflow checks using IntSafe (ULongLongAdd), validated Count, guarded sector end computation.
- Fixed GPT/system region write protection logic to pass correct length instead of end offset.
- Ensured ASSERTs use fragment‑relative bounds (cast + length) and avoided mixed 64/32 comparisons.
- Added MAX_WI_RETRIES constant. added WiRetryCount field in EncryptedIoRequest.
- Ensured RemoveLock is released only after all queue/accounting updates (OnItemCompleted).
- Reset/read-ahead logic preserved. read-ahead trigger now based on actual completion & zero pending fragment count.
- General refactoring, clearer separation of concerns (TryAcquireCompletionWorkItem / FinalizeOriginalIrp / HandleCompleteOriginalIrp).
Safety / correctness improvements:
- Accurate short read handling (STATUS_END_OF_FILE with true byte count).
- Eliminated risk of double free or premature RemoveLock release on completion paths.
- Prevented potential overflow in sector end arithmetic.
- Reduced contention and potential deadlock scenarios present with previous semaphore wait path.
- Document HIGH_LEVEL constraints and rationale for pre-building a nonpaged scratch MDL.
- Allocate contiguous scratch buffer with conservative PFN cap (0x7FFFFFFFFFF) and fall back to unlimited cap if needed.
- Replace ASSERT with TC_BUG_CHECK for validation of write MDL mapping at HIGH_LEVEL.
- Safely copy PFNs from prebuilt MDL into caller MDL: compute dst/src page counts, check capacity, copy exact PFNs and retarget MDL header fields (preserve MdlFlags).
- Make DumpData cleanup defensive in unload path.
- comments improvements for clarity and maintainability.
* Prefer allocations to be non-executable
* Remove and reimplement DDIs inappropriately called inside HIGH_LEVEL IRQL routines
* Refactor hibernate context to be passed around in the passed FILTER_EXTENSION pointer rather than global
Replaced hardcoded 0x56455241 ('VERA') with TC_HEADER_MAGIC for better readability and maintainability.
Also replaced 0x5645524142455854 with TC_BOOT_DRIVE_FILTER_EXTENSION_MAGIC and added 'ULL' suffix for 64-bit safety.
Now we properly honor the AllowDefrag configuration.
This regression introduced other issues because, in order to allow defragmentation, we must provide Windows with an actual physical disk number. As a result, we assign the number of the physical disk where the VeraCrypt volume resides. This, in turn, causes Windows to send IOCTLs directly to this disk instead of to VeraCrypt. If these IOCTLs return values and properties not supported by VeraCrypt, inconsistencies arise, leading to failures.
* refactor: use UNMOUNT instead of DISMOUNT in code
This change updates the term DISMOUNT in constants to UNMOUNT.
Other occurrences (e.g. variable names) are left alone for now.
* refactor(ui): use unmount instead of dismount
This change updates the GUI text and replaces dismount with unmount.
* docs: update term dismount -> unmount
* refactor(cmdline): add unmount
This change adds an argument 'unmount' for command line usage, while
trying to deprecate the old disnount argument.
The current dismount argument/flag will still work to not introduce
a breaking change.
* docs: mention that /dismount is deprecated
This change fixes the shorthand version of the argument /unmount
It also adds back the info for /dismount and that it is deprecated.
