2 * PROJECT: ReactOS Kernel
3 * LICENSE: BSD - See COPYING.ARM in the top level directory
4 * FILE: ntoskrnl/mm/ARM3/virtual.c
5 * PURPOSE: ARM Memory Manager Virtual Memory Management
6 * PROGRAMMERS: ReactOS Portable Systems Group
9 /* INCLUDES *******************************************************************/
10 /* So long, and Thanks for All the Fish */
16 #define MODULE_INVOLVED_IN_ARM3
17 #include "../ARM3/miarm.h"
19 #define MI_MAPPED_COPY_PAGES 14
20 #define MI_POOL_COPY_BYTES 512
21 #define MI_MAX_TRANSFER_SIZE 64 * 1024
24 MiProtectVirtualMemory(IN PEPROCESS Process
,
25 IN OUT PVOID
*BaseAddress
,
26 IN OUT PSIZE_T NumberOfBytesToProtect
,
27 IN ULONG NewAccessProtection
,
28 OUT PULONG OldAccessProtection OPTIONAL
);
32 MiFlushTbAndCapture(IN PMMVAD FoundVad
,
34 IN ULONG ProtectionMask
,
36 IN BOOLEAN CaptureDirtyBit
);
39 /* PRIVATE FUNCTIONS **********************************************************/
43 MiCalculatePageCommitment(IN ULONG_PTR StartingAddress
,
44 IN ULONG_PTR EndingAddress
,
48 PMMPTE PointerPte
, LastPte
, PointerPde
;
51 /* Compute starting and ending PTE and PDE addresses */
52 PointerPde
= MiAddressToPde(StartingAddress
);
53 PointerPte
= MiAddressToPte(StartingAddress
);
54 LastPte
= MiAddressToPte(EndingAddress
);
56 /* Handle commited pages first */
57 if (Vad
->u
.VadFlags
.MemCommit
== 1)
59 /* This is a committed VAD, so Assume the whole range is committed */
60 CommittedPages
= (ULONG
)BYTES_TO_PAGES(EndingAddress
- StartingAddress
);
62 /* Is the PDE demand-zero? */
63 PointerPde
= MiAddressToPte(PointerPte
);
64 if (PointerPde
->u
.Long
!= 0)
66 /* It is not. Is it valid? */
67 if (PointerPde
->u
.Hard
.Valid
== 0)
70 PointerPte
= MiPteToAddress(PointerPde
);
71 MiMakeSystemAddressValid(PointerPte
, Process
);
76 /* It is, skip it and move to the next PDE, unless we're done */
78 PointerPte
= MiPteToAddress(PointerPde
);
79 if (PointerPte
> LastPte
) return CommittedPages
;
82 /* Now loop all the PTEs in the range */
83 while (PointerPte
<= LastPte
)
85 /* Have we crossed a PDE boundary? */
86 if (MiIsPteOnPdeBoundary(PointerPte
))
88 /* Is this PDE demand zero? */
89 PointerPde
= MiAddressToPte(PointerPte
);
90 if (PointerPde
->u
.Long
!= 0)
92 /* It isn't -- is it valid? */
93 if (PointerPde
->u
.Hard
.Valid
== 0)
95 /* Nope, fault it in */
96 PointerPte
= MiPteToAddress(PointerPde
);
97 MiMakeSystemAddressValid(PointerPte
, Process
);
102 /* It is, skip it and move to the next PDE */
104 PointerPte
= MiPteToAddress(PointerPde
);
109 /* Is this PTE demand zero? */
110 if (PointerPte
->u
.Long
!= 0)
112 /* It isn't -- is it a decommited, invalid, or faulted PTE? */
113 if ((PointerPte
->u
.Soft
.Protection
== MM_DECOMMIT
) &&
114 (PointerPte
->u
.Hard
.Valid
== 0) &&
115 ((PointerPte
->u
.Soft
.Prototype
== 0) ||
116 (PointerPte
->u
.Soft
.PageFileHigh
== MI_PTE_LOOKUP_NEEDED
)))
118 /* It is, so remove it from the count of commited pages */
123 /* Move to the next PTE */
127 /* Return how many committed pages there still are */
128 return CommittedPages
;
131 /* This is a non-commited VAD, so assume none of it is committed */
134 /* Is the PDE demand-zero? */
135 PointerPde
= MiAddressToPte(PointerPte
);
136 if (PointerPde
->u
.Long
!= 0)
138 /* It isn't -- is it invalid? */
139 if (PointerPde
->u
.Hard
.Valid
== 0)
141 /* It is, so page it in */
142 PointerPte
= MiPteToAddress(PointerPde
);
143 MiMakeSystemAddressValid(PointerPte
, Process
);
148 /* It is, so skip it and move to the next PDE */
150 PointerPte
= MiPteToAddress(PointerPde
);
151 if (PointerPte
> LastPte
) return CommittedPages
;
154 /* Loop all the PTEs in this PDE */
155 while (PointerPte
<= LastPte
)
157 /* Have we crossed a PDE boundary? */
158 if (MiIsPteOnPdeBoundary(PointerPte
))
160 /* Is this new PDE demand-zero? */
161 PointerPde
= MiAddressToPte(PointerPte
);
162 if (PointerPde
->u
.Long
!= 0)
164 /* It isn't. Is it valid? */
165 if (PointerPde
->u
.Hard
.Valid
== 0)
167 /* It isn't, so make it valid */
168 PointerPte
= MiPteToAddress(PointerPde
);
169 MiMakeSystemAddressValid(PointerPte
, Process
);
174 /* It is, so skip it and move to the next one */
176 PointerPte
= MiPteToAddress(PointerPde
);
181 /* Is this PTE demand-zero? */
182 if (PointerPte
->u
.Long
!= 0)
184 /* Nope. Is it a valid, non-decommited, non-paged out PTE? */
185 if ((PointerPte
->u
.Soft
.Protection
!= MM_DECOMMIT
) ||
186 (PointerPte
->u
.Hard
.Valid
== 1) ||
187 ((PointerPte
->u
.Soft
.Prototype
== 1) &&
188 (PointerPte
->u
.Soft
.PageFileHigh
!= MI_PTE_LOOKUP_NEEDED
)))
190 /* It is! So we'll treat this as a committed page */
195 /* Move to the next PTE */
199 /* Return how many committed pages we found in this VAD */
200 return CommittedPages
;
205 MiMakeSystemAddressValid(IN PVOID PageTableVirtualAddress
,
206 IN PEPROCESS CurrentProcess
)
209 BOOLEAN WsShared
= FALSE
, WsSafe
= FALSE
, LockChange
= FALSE
;
210 PETHREAD CurrentThread
= PsGetCurrentThread();
212 /* Must be a non-pool page table, since those are double-mapped already */
213 ASSERT(PageTableVirtualAddress
> MM_HIGHEST_USER_ADDRESS
);
214 ASSERT((PageTableVirtualAddress
< MmPagedPoolStart
) ||
215 (PageTableVirtualAddress
> MmPagedPoolEnd
));
217 /* Working set lock or PFN lock should be held */
218 ASSERT(KeAreAllApcsDisabled() == TRUE
);
220 /* Check if the page table is valid */
221 while (!MmIsAddressValid(PageTableVirtualAddress
))
223 /* Release the working set lock */
224 MiUnlockProcessWorkingSetForFault(CurrentProcess
,
230 Status
= MmAccessFault(FALSE
, PageTableVirtualAddress
, KernelMode
, NULL
);
231 if (!NT_SUCCESS(Status
))
233 /* This should not fail */
234 KeBugCheckEx(KERNEL_DATA_INPAGE_ERROR
,
237 (ULONG_PTR
)CurrentProcess
,
238 (ULONG_PTR
)PageTableVirtualAddress
);
241 /* Lock the working set again */
242 MiLockProcessWorkingSetForFault(CurrentProcess
,
247 /* This flag will be useful later when we do better locking */
251 /* Let caller know what the lock state is */
257 MiMakeSystemAddressValidPfn(IN PVOID VirtualAddress
,
261 BOOLEAN LockChange
= FALSE
;
263 /* Must be e kernel address */
264 ASSERT(VirtualAddress
> MM_HIGHEST_USER_ADDRESS
);
266 /* Check if the page is valid */
267 while (!MmIsAddressValid(VirtualAddress
))
269 /* Release the PFN database */
270 KeReleaseQueuedSpinLock(LockQueuePfnLock
, OldIrql
);
273 Status
= MmAccessFault(FALSE
, VirtualAddress
, KernelMode
, NULL
);
274 if (!NT_SUCCESS(Status
))
276 /* This should not fail */
277 KeBugCheckEx(KERNEL_DATA_INPAGE_ERROR
,
281 (ULONG_PTR
)VirtualAddress
);
284 /* This flag will be useful later when we do better locking */
287 /* Lock the PFN database */
288 OldIrql
= KeAcquireQueuedSpinLock(LockQueuePfnLock
);
291 /* Let caller know what the lock state is */
297 MiDeleteSystemPageableVm(IN PMMPTE PointerPte
,
298 IN PFN_NUMBER PageCount
,
300 OUT PPFN_NUMBER ValidPages
)
302 PFN_COUNT ActualPages
= 0;
303 PETHREAD CurrentThread
= PsGetCurrentThread();
305 PFN_NUMBER PageFrameIndex
, PageTableIndex
;
307 ASSERT(KeGetCurrentIrql() <= APC_LEVEL
);
309 /* Lock the system working set */
310 MiLockWorkingSet(CurrentThread
, &MmSystemCacheWs
);
315 /* Make sure there's some data about the page */
316 if (PointerPte
->u
.Long
)
318 /* As always, only handle current ARM3 scenarios */
319 ASSERT(PointerPte
->u
.Soft
.Prototype
== 0);
320 ASSERT(PointerPte
->u
.Soft
.Transition
== 0);
322 /* Normally this is one possibility -- freeing a valid page */
323 if (PointerPte
->u
.Hard
.Valid
)
325 /* Get the page PFN */
326 PageFrameIndex
= PFN_FROM_PTE(PointerPte
);
327 Pfn1
= MiGetPfnEntry(PageFrameIndex
);
329 /* Should not have any working set data yet */
330 ASSERT(Pfn1
->u1
.WsIndex
== 0);
332 /* Actual valid, legitimate, pages */
333 if (ValidPages
) (*ValidPages
)++;
335 /* Get the page table entry */
336 PageTableIndex
= Pfn1
->u4
.PteFrame
;
337 Pfn2
= MiGetPfnEntry(PageTableIndex
);
339 /* Lock the PFN database */
340 OldIrql
= KeAcquireQueuedSpinLock(LockQueuePfnLock
);
342 /* Delete it the page */
343 MI_SET_PFN_DELETED(Pfn1
);
344 MiDecrementShareCount(Pfn1
, PageFrameIndex
);
346 /* Decrement the page table too */
347 MiDecrementShareCount(Pfn2
, PageTableIndex
);
349 /* Release the PFN database */
350 KeReleaseQueuedSpinLock(LockQueuePfnLock
, OldIrql
);
352 /* Destroy the PTE */
353 MI_ERASE_PTE(PointerPte
);
358 * The only other ARM3 possibility is a demand zero page, which would
359 * mean freeing some of the paged pool pages that haven't even been
360 * touched yet, as part of a larger allocation.
362 * Right now, we shouldn't expect any page file information in the PTE
364 ASSERT(PointerPte
->u
.Soft
.PageFileHigh
== 0);
366 /* Destroy the PTE */
367 MI_ERASE_PTE(PointerPte
);
370 /* Actual legitimate pages */
379 /* Release the working set */
380 MiUnlockWorkingSet(CurrentThread
, &MmSystemCacheWs
);
382 /* Flush the entire TLB */
383 KeFlushEntireTb(TRUE
, TRUE
);
391 MiDeletePte(IN PMMPTE PointerPte
,
392 IN PVOID VirtualAddress
,
393 IN PEPROCESS CurrentProcess
,
394 IN PMMPTE PrototypePte
)
398 PFN_NUMBER PageFrameIndex
;
401 /* PFN lock must be held */
402 ASSERT(KeGetCurrentIrql() == DISPATCH_LEVEL
);
404 /* Capture the PTE */
405 TempPte
= *PointerPte
;
407 /* See if the PTE is valid */
408 if (TempPte
.u
.Hard
.Valid
== 0)
410 /* Prototype and paged out PTEs not supported yet */
411 ASSERT(TempPte
.u
.Soft
.Prototype
== 0);
412 ASSERT(TempPte
.u
.Soft
.PageFileHigh
== 0);
414 if (TempPte
.u
.Soft
.Transition
)
416 /* Get the PFN entry */
417 PageFrameIndex
= PFN_FROM_PTE(&TempPte
);
418 Pfn1
= MiGetPfnEntry(PageFrameIndex
);
420 DPRINT("Pte %p is transitional!\n", PointerPte
);
422 /* Destroy the PTE */
423 MI_ERASE_PTE(PointerPte
);
425 /* Drop the reference on the page table. */
426 MiDecrementShareCount(MiGetPfnEntry(Pfn1
->u4
.PteFrame
), Pfn1
->u4
.PteFrame
);
428 ASSERT(Pfn1
->u3
.e1
.PrototypePte
== 0);
430 /* Make the page free. For prototypes, it will be made free when deleting the section object */
431 if (Pfn1
->u2
.ShareCount
== 0)
433 NT_ASSERT(Pfn1
->u3
.e2
.ReferenceCount
== 0);
435 /* And it should be in standby or modified list */
436 ASSERT((Pfn1
->u3
.e1
.PageLocation
== ModifiedPageList
) || (Pfn1
->u3
.e1
.PageLocation
== StandbyPageList
));
438 /* Unlink it and temporarily mark it as active */
439 MiUnlinkPageFromList(Pfn1
);
440 Pfn1
->u3
.e2
.ReferenceCount
++;
441 Pfn1
->u3
.e1
.PageLocation
= ActiveAndValid
;
443 /* This will put it back in free list and clean properly up */
444 MI_SET_PFN_DELETED(Pfn1
);
445 MiDecrementReferenceCount(Pfn1
, PageFrameIndex
);
451 /* Get the PFN entry */
452 PageFrameIndex
= PFN_FROM_PTE(&TempPte
);
453 Pfn1
= MiGetPfnEntry(PageFrameIndex
);
455 /* Check if this is a valid, prototype PTE */
456 if (Pfn1
->u3
.e1
.PrototypePte
== 1)
458 /* Get the PDE and make sure it's faulted in */
459 PointerPde
= MiPteToPde(PointerPte
);
460 if (PointerPde
->u
.Hard
.Valid
== 0)
462 #if (_MI_PAGING_LEVELS == 2)
463 /* Could be paged pool access from a new process -- synchronize the page directories */
464 if (!NT_SUCCESS(MiCheckPdeForPagedPool(VirtualAddress
)))
467 /* The PDE must be valid at this point */
468 KeBugCheckEx(MEMORY_MANAGEMENT
,
470 (ULONG_PTR
)PointerPte
,
472 (ULONG_PTR
)VirtualAddress
);
474 #if (_MI_PAGING_LEVELS == 2)
477 /* Drop the share count on the page table */
478 PointerPde
= MiPteToPde(PointerPte
);
479 MiDecrementShareCount(MiGetPfnEntry(PointerPde
->u
.Hard
.PageFrameNumber
),
480 PointerPde
->u
.Hard
.PageFrameNumber
);
482 /* Drop the share count */
483 MiDecrementShareCount(Pfn1
, PageFrameIndex
);
485 /* Either a fork, or this is the shared user data page */
486 if ((PointerPte
<= MiHighestUserPte
) && (PrototypePte
!= Pfn1
->PteAddress
))
488 /* If it's not the shared user page, then crash, since there's no fork() yet */
489 if ((PAGE_ALIGN(VirtualAddress
) != (PVOID
)USER_SHARED_DATA
) ||
490 (MmHighestUserAddress
<= (PVOID
)USER_SHARED_DATA
))
492 /* Must be some sort of memory corruption */
493 KeBugCheckEx(MEMORY_MANAGEMENT
,
495 (ULONG_PTR
)PointerPte
,
496 (ULONG_PTR
)PrototypePte
,
497 (ULONG_PTR
)Pfn1
->PteAddress
);
502 MI_ERASE_PTE(PointerPte
);
506 /* Make sure the saved PTE address is valid */
507 if ((PMMPTE
)((ULONG_PTR
)Pfn1
->PteAddress
& ~0x1) != PointerPte
)
509 /* The PFN entry is illegal, or invalid */
510 KeBugCheckEx(MEMORY_MANAGEMENT
,
512 (ULONG_PTR
)PointerPte
,
514 (ULONG_PTR
)Pfn1
->PteAddress
);
518 MI_ERASE_PTE(PointerPte
);
520 /* There should only be 1 shared reference count */
521 ASSERT(Pfn1
->u2
.ShareCount
== 1);
523 /* Drop the reference on the page table. */
524 MiDecrementShareCount(MiGetPfnEntry(Pfn1
->u4
.PteFrame
), Pfn1
->u4
.PteFrame
);
526 /* Mark the PFN for deletion and dereference what should be the last ref */
527 MI_SET_PFN_DELETED(Pfn1
);
528 MiDecrementShareCount(Pfn1
, PageFrameIndex
);
530 /* We should eventually do this */
531 //CurrentProcess->NumberOfPrivatePages--;
540 MiDeleteVirtualAddresses(IN ULONG_PTR Va
,
541 IN ULONG_PTR EndingAddress
,
544 PMMPTE PointerPte
, PrototypePte
, LastPrototypePte
;
547 PEPROCESS CurrentProcess
;
549 BOOLEAN AddressGap
= FALSE
;
550 PSUBSECTION Subsection
;
552 /* Get out if this is a fake VAD, RosMm will free the marea pages */
553 if ((Vad
) && (Vad
->u
.VadFlags
.Spare
== 1)) return;
555 /* Grab the process and PTE/PDE for the address being deleted */
556 CurrentProcess
= PsGetCurrentProcess();
557 PointerPde
= MiAddressToPde(Va
);
558 PointerPte
= MiAddressToPte(Va
);
560 /* Check if this is a section VAD or a VM VAD */
561 if (!(Vad
) || (Vad
->u
.VadFlags
.PrivateMemory
) || !(Vad
->FirstPrototypePte
))
563 /* Don't worry about prototypes */
564 PrototypePte
= LastPrototypePte
= NULL
;
568 /* Get the prototype PTE */
569 PrototypePte
= Vad
->FirstPrototypePte
;
570 LastPrototypePte
= Vad
->FirstPrototypePte
+ 1;
573 /* In all cases, we don't support fork() yet */
574 ASSERT(CurrentProcess
->CloneRoot
== NULL
);
576 /* Loop the PTE for each VA */
579 /* First keep going until we find a valid PDE */
580 while (!PointerPde
->u
.Long
)
582 /* There are gaps in the address space */
585 /* Still no valid PDE, try the next 4MB (or whatever) */
588 /* Update the PTE on this new boundary */
589 PointerPte
= MiPteToAddress(PointerPde
);
591 /* Check if all the PDEs are invalid, so there's nothing to free */
592 Va
= (ULONG_PTR
)MiPteToAddress(PointerPte
);
593 if (Va
> EndingAddress
) return;
596 /* Now check if the PDE is mapped in */
597 if (!PointerPde
->u
.Hard
.Valid
)
599 /* It isn't, so map it in */
600 PointerPte
= MiPteToAddress(PointerPde
);
601 MiMakeSystemAddressValid(PointerPte
, CurrentProcess
);
604 /* Now we should have a valid PDE, mapped in, and still have some VA */
605 ASSERT(PointerPde
->u
.Hard
.Valid
== 1);
606 ASSERT(Va
<= EndingAddress
);
608 /* Check if this is a section VAD with gaps in it */
609 if ((AddressGap
) && (LastPrototypePte
))
611 /* We need to skip to the next correct prototype PTE */
612 PrototypePte
= MI_GET_PROTOTYPE_PTE_FOR_VPN(Vad
, Va
>> PAGE_SHIFT
);
614 /* And we need the subsection to skip to the next last prototype PTE */
615 Subsection
= MiLocateSubsection(Vad
, Va
>> PAGE_SHIFT
);
619 LastPrototypePte
= &Subsection
->SubsectionBase
[Subsection
->PtesInSubsection
];
623 /* No more subsections, we are done with prototype PTEs */
628 /* Lock the PFN Database while we delete the PTEs */
629 OldIrql
= KeAcquireQueuedSpinLock(LockQueuePfnLock
);
632 /* Capture the PDE and make sure it exists */
633 TempPte
= *PointerPte
;
636 MiDecrementPageTableReferences((PVOID
)Va
);
638 /* Check if the PTE is actually mapped in */
639 if (MI_IS_MAPPED_PTE(&TempPte
))
641 /* Are we dealing with section VAD? */
642 if ((LastPrototypePte
) && (PrototypePte
> LastPrototypePte
))
644 /* We need to skip to the next correct prototype PTE */
645 PrototypePte
= MI_GET_PROTOTYPE_PTE_FOR_VPN(Vad
, Va
>> PAGE_SHIFT
);
647 /* And we need the subsection to skip to the next last prototype PTE */
648 Subsection
= MiLocateSubsection(Vad
, Va
>> PAGE_SHIFT
);
652 LastPrototypePte
= &Subsection
->SubsectionBase
[Subsection
->PtesInSubsection
];
656 /* No more subsections, we are done with prototype PTEs */
661 /* Check for prototype PTE */
662 if ((TempPte
.u
.Hard
.Valid
== 0) &&
663 (TempPte
.u
.Soft
.Prototype
== 1))
666 MI_ERASE_PTE(PointerPte
);
670 /* Delete the PTE proper */
671 MiDeletePte(PointerPte
,
679 /* The PTE was never mapped, just nuke it here */
680 MI_ERASE_PTE(PointerPte
);
684 /* Update the address and PTE for it */
689 /* Making sure the PDE is still valid */
690 ASSERT(PointerPde
->u
.Hard
.Valid
== 1);
692 while ((Va
& (PDE_MAPPED_VA
- 1)) && (Va
<= EndingAddress
));
694 /* The PDE should still be valid at this point */
695 ASSERT(PointerPde
->u
.Hard
.Valid
== 1);
697 /* Check remaining PTE count (go back 1 page due to above loop) */
698 if (MiQueryPageTableReferences((PVOID
)(Va
- PAGE_SIZE
)) == 0)
700 if (PointerPde
->u
.Long
!= 0)
702 /* Delete the PTE proper */
703 MiDeletePte(PointerPde
,
704 MiPteToAddress(PointerPde
),
710 /* Release the lock and get out if we're done */
711 KeReleaseQueuedSpinLock(LockQueuePfnLock
, OldIrql
);
712 if (Va
> EndingAddress
) return;
714 /* Otherwise, we exited because we hit a new PDE boundary, so start over */
715 PointerPde
= MiAddressToPde(Va
);
721 MiGetExceptionInfo(IN PEXCEPTION_POINTERS ExceptionInfo
,
722 OUT PBOOLEAN HaveBadAddress
,
723 OUT PULONG_PTR BadAddress
)
725 PEXCEPTION_RECORD ExceptionRecord
;
731 *HaveBadAddress
= FALSE
;
734 // Get the exception record
736 ExceptionRecord
= ExceptionInfo
->ExceptionRecord
;
739 // Look at the exception code
741 if ((ExceptionRecord
->ExceptionCode
== STATUS_ACCESS_VIOLATION
) ||
742 (ExceptionRecord
->ExceptionCode
== STATUS_GUARD_PAGE_VIOLATION
) ||
743 (ExceptionRecord
->ExceptionCode
== STATUS_IN_PAGE_ERROR
))
746 // We can tell the address if we have more than one parameter
748 if (ExceptionRecord
->NumberParameters
> 1)
751 // Return the address
753 *HaveBadAddress
= TRUE
;
754 *BadAddress
= ExceptionRecord
->ExceptionInformation
[1];
759 // Continue executing the next handler
761 return EXCEPTION_EXECUTE_HANDLER
;
766 MiDoMappedCopy(IN PEPROCESS SourceProcess
,
767 IN PVOID SourceAddress
,
768 IN PEPROCESS TargetProcess
,
769 OUT PVOID TargetAddress
,
770 IN SIZE_T BufferSize
,
771 IN KPROCESSOR_MODE PreviousMode
,
772 OUT PSIZE_T ReturnSize
)
774 PFN_NUMBER MdlBuffer
[(sizeof(MDL
) / sizeof(PFN_NUMBER
)) + MI_MAPPED_COPY_PAGES
+ 1];
775 PMDL Mdl
= (PMDL
)MdlBuffer
;
776 SIZE_T TotalSize
, CurrentSize
, RemainingSize
;
777 volatile BOOLEAN FailedInProbe
= FALSE
, FailedInMapping
= FALSE
, FailedInMoving
;
778 volatile BOOLEAN PagesLocked
;
779 PVOID CurrentAddress
= SourceAddress
, CurrentTargetAddress
= TargetAddress
;
780 volatile PVOID MdlAddress
;
782 BOOLEAN HaveBadAddress
;
783 ULONG_PTR BadAddress
;
784 NTSTATUS Status
= STATUS_SUCCESS
;
788 // Calculate the maximum amount of data to move
790 TotalSize
= MI_MAPPED_COPY_PAGES
* PAGE_SIZE
;
791 if (BufferSize
<= TotalSize
) TotalSize
= BufferSize
;
792 CurrentSize
= TotalSize
;
793 RemainingSize
= BufferSize
;
796 // Loop as long as there is still data
798 while (RemainingSize
> 0)
801 // Check if this transfer will finish everything off
803 if (RemainingSize
< CurrentSize
) CurrentSize
= RemainingSize
;
806 // Attach to the source address space
808 KeStackAttachProcess(&SourceProcess
->Pcb
, &ApcState
);
811 // Reset state for this pass
815 FailedInMoving
= FALSE
;
816 ASSERT(FailedInProbe
== FALSE
);
819 // Protect user-mode copy
824 // If this is our first time, probe the buffer
826 if ((CurrentAddress
== SourceAddress
) && (PreviousMode
!= KernelMode
))
829 // Catch a failure here
831 FailedInProbe
= TRUE
;
836 ProbeForRead(SourceAddress
, BufferSize
, sizeof(CHAR
));
841 FailedInProbe
= FALSE
;
845 // Initialize and probe and lock the MDL
847 MmInitializeMdl(Mdl
, CurrentAddress
, CurrentSize
);
848 MmProbeAndLockPages(Mdl
, PreviousMode
, IoReadAccess
);
854 MdlAddress
= MmMapLockedPagesSpecifyCache(Mdl
,
863 // Use our SEH handler to pick this up
865 FailedInMapping
= TRUE
;
866 ExRaiseStatus(STATUS_INSUFFICIENT_RESOURCES
);
870 // Now let go of the source and grab to the target process
872 KeUnstackDetachProcess(&ApcState
);
873 KeStackAttachProcess(&TargetProcess
->Pcb
, &ApcState
);
876 // Check if this is our first time through
878 if ((CurrentAddress
== SourceAddress
) && (PreviousMode
!= KernelMode
))
881 // Catch a failure here
883 FailedInProbe
= TRUE
;
888 ProbeForWrite(TargetAddress
, BufferSize
, sizeof(CHAR
));
893 FailedInProbe
= FALSE
;
897 // Now do the actual move
899 FailedInMoving
= TRUE
;
900 RtlCopyMemory(CurrentTargetAddress
, MdlAddress
, CurrentSize
);
902 _SEH2_EXCEPT(MiGetExceptionInfo(_SEH2_GetExceptionInformation(),
907 // Detach from whoever we may be attached to
909 KeUnstackDetachProcess(&ApcState
);
912 // Check if we had mapped the pages
914 if (MdlAddress
) MmUnmapLockedPages(MdlAddress
, Mdl
);
917 // Check if we had locked the pages
919 if (PagesLocked
) MmUnlockPages(Mdl
);
922 // Check if we hit working set quota
924 if (_SEH2_GetExceptionCode() == STATUS_WORKING_SET_QUOTA
)
929 _SEH2_YIELD(return STATUS_WORKING_SET_QUOTA
);
933 // Check if we failed during the probe or mapping
935 if ((FailedInProbe
) || (FailedInMapping
))
940 Status
= _SEH2_GetExceptionCode();
941 _SEH2_YIELD(return Status
);
945 // Otherwise, we failed probably during the move
947 *ReturnSize
= BufferSize
- RemainingSize
;
951 // Check if we know exactly where we stopped copying
956 // Return the exact number of bytes copied
958 *ReturnSize
= BadAddress
- (ULONG_PTR
)SourceAddress
;
963 // Return partial copy
965 Status
= STATUS_PARTIAL_COPY
;
970 // Check for SEH status
972 if (Status
!= STATUS_SUCCESS
) return Status
;
975 // Detach from target
977 KeUnstackDetachProcess(&ApcState
);
982 MmUnmapLockedPages(MdlAddress
, Mdl
);
986 // Update location and size
988 RemainingSize
-= CurrentSize
;
989 CurrentAddress
= (PVOID
)((ULONG_PTR
)CurrentAddress
+ CurrentSize
);
990 CurrentTargetAddress
= (PVOID
)((ULONG_PTR
)CurrentTargetAddress
+ CurrentSize
);
996 *ReturnSize
= BufferSize
;
997 return STATUS_SUCCESS
;
1002 MiDoPoolCopy(IN PEPROCESS SourceProcess
,
1003 IN PVOID SourceAddress
,
1004 IN PEPROCESS TargetProcess
,
1005 OUT PVOID TargetAddress
,
1006 IN SIZE_T BufferSize
,
1007 IN KPROCESSOR_MODE PreviousMode
,
1008 OUT PSIZE_T ReturnSize
)
1010 UCHAR StackBuffer
[MI_POOL_COPY_BYTES
];
1011 SIZE_T TotalSize
, CurrentSize
, RemainingSize
;
1012 volatile BOOLEAN FailedInProbe
= FALSE
, FailedInMoving
, HavePoolAddress
= FALSE
;
1013 PVOID CurrentAddress
= SourceAddress
, CurrentTargetAddress
= TargetAddress
;
1015 KAPC_STATE ApcState
;
1016 BOOLEAN HaveBadAddress
;
1017 ULONG_PTR BadAddress
;
1018 NTSTATUS Status
= STATUS_SUCCESS
;
1022 // Calculate the maximum amount of data to move
1024 TotalSize
= MI_MAX_TRANSFER_SIZE
;
1025 if (BufferSize
<= MI_MAX_TRANSFER_SIZE
) TotalSize
= BufferSize
;
1026 CurrentSize
= TotalSize
;
1027 RemainingSize
= BufferSize
;
1030 // Check if we can use the stack
1032 if (BufferSize
<= MI_POOL_COPY_BYTES
)
1037 PoolAddress
= (PVOID
)StackBuffer
;
1044 PoolAddress
= ExAllocatePoolWithTag(NonPagedPool
, TotalSize
, 'VmRw');
1045 if (!PoolAddress
) ASSERT(FALSE
);
1046 HavePoolAddress
= TRUE
;
1050 // Loop as long as there is still data
1052 while (RemainingSize
> 0)
1055 // Check if this transfer will finish everything off
1057 if (RemainingSize
< CurrentSize
) CurrentSize
= RemainingSize
;
1060 // Attach to the source address space
1062 KeStackAttachProcess(&SourceProcess
->Pcb
, &ApcState
);
1065 // Reset state for this pass
1067 FailedInMoving
= FALSE
;
1068 ASSERT(FailedInProbe
== FALSE
);
1071 // Protect user-mode copy
1076 // If this is our first time, probe the buffer
1078 if ((CurrentAddress
== SourceAddress
) && (PreviousMode
!= KernelMode
))
1081 // Catch a failure here
1083 FailedInProbe
= TRUE
;
1088 ProbeForRead(SourceAddress
, BufferSize
, sizeof(CHAR
));
1093 FailedInProbe
= FALSE
;
1099 RtlCopyMemory(PoolAddress
, CurrentAddress
, CurrentSize
);
1102 // Now let go of the source and grab to the target process
1104 KeUnstackDetachProcess(&ApcState
);
1105 KeStackAttachProcess(&TargetProcess
->Pcb
, &ApcState
);
1108 // Check if this is our first time through
1110 if ((CurrentAddress
== SourceAddress
) && (PreviousMode
!= KernelMode
))
1113 // Catch a failure here
1115 FailedInProbe
= TRUE
;
1120 ProbeForWrite(TargetAddress
, BufferSize
, sizeof(CHAR
));
1125 FailedInProbe
= FALSE
;
1129 // Now do the actual move
1131 FailedInMoving
= TRUE
;
1132 RtlCopyMemory(CurrentTargetAddress
, PoolAddress
, CurrentSize
);
1134 _SEH2_EXCEPT(MiGetExceptionInfo(_SEH2_GetExceptionInformation(),
1139 // Detach from whoever we may be attached to
1141 KeUnstackDetachProcess(&ApcState
);
1144 // Check if we had allocated pool
1146 if (HavePoolAddress
) ExFreePoolWithTag(PoolAddress
, 'VmRw');
1149 // Check if we failed during the probe
1156 Status
= _SEH2_GetExceptionCode();
1157 _SEH2_YIELD(return Status
);
1161 // Otherwise, we failed, probably during the move
1163 *ReturnSize
= BufferSize
- RemainingSize
;
1167 // Check if we know exactly where we stopped copying
1172 // Return the exact number of bytes copied
1174 *ReturnSize
= BadAddress
- (ULONG_PTR
)SourceAddress
;
1179 // Return partial copy
1181 Status
= STATUS_PARTIAL_COPY
;
1186 // Check for SEH status
1188 if (Status
!= STATUS_SUCCESS
) return Status
;
1191 // Detach from target
1193 KeUnstackDetachProcess(&ApcState
);
1196 // Update location and size
1198 RemainingSize
-= CurrentSize
;
1199 CurrentAddress
= (PVOID
)((ULONG_PTR
)CurrentAddress
+ CurrentSize
);
1200 CurrentTargetAddress
= (PVOID
)((ULONG_PTR
)CurrentTargetAddress
+
1205 // Check if we had allocated pool
1207 if (HavePoolAddress
) ExFreePoolWithTag(PoolAddress
, 'VmRw');
1212 *ReturnSize
= BufferSize
;
1213 return STATUS_SUCCESS
;
1218 MmCopyVirtualMemory(IN PEPROCESS SourceProcess
,
1219 IN PVOID SourceAddress
,
1220 IN PEPROCESS TargetProcess
,
1221 OUT PVOID TargetAddress
,
1222 IN SIZE_T BufferSize
,
1223 IN KPROCESSOR_MODE PreviousMode
,
1224 OUT PSIZE_T ReturnSize
)
1227 PEPROCESS Process
= SourceProcess
;
1230 // Don't accept zero-sized buffers
1232 if (!BufferSize
) return STATUS_SUCCESS
;
1235 // If we are copying from ourselves, lock the target instead
1237 if (SourceProcess
== PsGetCurrentProcess()) Process
= TargetProcess
;
1240 // Acquire rundown protection
1242 if (!ExAcquireRundownProtection(&Process
->RundownProtect
))
1247 return STATUS_PROCESS_IS_TERMINATING
;
1251 // See if we should use the pool copy
1253 if (BufferSize
> MI_POOL_COPY_BYTES
)
1258 Status
= MiDoMappedCopy(SourceProcess
,
1271 Status
= MiDoPoolCopy(SourceProcess
,
1283 ExReleaseRundownProtection(&Process
->RundownProtect
);
1289 MmFlushVirtualMemory(IN PEPROCESS Process
,
1290 IN OUT PVOID
*BaseAddress
,
1291 IN OUT PSIZE_T RegionSize
,
1292 OUT PIO_STATUS_BLOCK IoStatusBlock
)
1300 return STATUS_SUCCESS
;
1305 MiGetPageProtection(IN PMMPTE PointerPte
)
1309 PEPROCESS CurrentProcess
;
1310 PETHREAD CurrentThread
;
1311 BOOLEAN WsSafe
, WsShared
;
1316 /* Copy this PTE's contents */
1317 TempPte
= *PointerPte
;
1319 /* Assure it's not totally zero */
1320 ASSERT(TempPte
.u
.Long
);
1322 /* Check for a special prototype format */
1323 if ((TempPte
.u
.Soft
.Valid
== 0) &&
1324 (TempPte
.u
.Soft
.Prototype
== 1))
1326 /* Check if the prototype PTE is not yet pointing to a PTE */
1327 if (TempPte
.u
.Soft
.PageFileHigh
== MI_PTE_LOOKUP_NEEDED
)
1329 /* The prototype PTE contains the protection */
1330 return MmProtectToValue
[TempPte
.u
.Soft
.Protection
];
1333 /* Get a pointer to the underlying shared PTE */
1334 PointerPte
= MiProtoPteToPte(&TempPte
);
1336 /* Since the PTE we want to read can be paged out at any time, we need
1337 to release the working set lock first, so that it can be paged in */
1338 CurrentThread
= PsGetCurrentThread();
1339 CurrentProcess
= PsGetCurrentProcess();
1340 MiUnlockProcessWorkingSetForFault(CurrentProcess
,
1345 /* Now read the PTE value */
1346 TempPte
= *PointerPte
;
1348 /* Check if that one is invalid */
1349 if (!TempPte
.u
.Hard
.Valid
)
1351 /* We get the protection directly from this PTE */
1352 Protect
= MmProtectToValue
[TempPte
.u
.Soft
.Protection
];
1356 /* The PTE is valid, so we might need to get the protection from
1357 the PFN. Lock the PFN database */
1358 OldIrql
= KeAcquireQueuedSpinLock(LockQueuePfnLock
);
1360 /* Check if the PDE is still valid */
1361 if (MiAddressToPte(PointerPte
)->u
.Hard
.Valid
== 0)
1363 /* It's not, make it valid */
1364 MiMakeSystemAddressValidPfn(PointerPte
, OldIrql
);
1367 /* Now it's safe to read the PTE value again */
1368 TempPte
= *PointerPte
;
1369 ASSERT(TempPte
.u
.Long
!= 0);
1371 /* Check again if the PTE is invalid */
1372 if (!TempPte
.u
.Hard
.Valid
)
1374 /* The PTE is not valid, so we can use it's protection field */
1375 Protect
= MmProtectToValue
[TempPte
.u
.Soft
.Protection
];
1379 /* The PTE is valid, so we can find the protection in the
1380 OriginalPte field of the PFN */
1381 Pfn
= MI_PFN_ELEMENT(TempPte
.u
.Hard
.PageFrameNumber
);
1382 Protect
= MmProtectToValue
[Pfn
->OriginalPte
.u
.Soft
.Protection
];
1385 /* Release the PFN database */
1386 KeReleaseQueuedSpinLock(LockQueuePfnLock
, OldIrql
);
1389 /* Lock the working set again */
1390 MiLockProcessWorkingSetForFault(CurrentProcess
,
1398 /* In the easy case of transition or demand zero PTE just return its protection */
1399 if (!TempPte
.u
.Hard
.Valid
) return MmProtectToValue
[TempPte
.u
.Soft
.Protection
];
1401 /* If we get here, the PTE is valid, so look up the page in PFN database */
1402 Pfn
= MiGetPfnEntry(TempPte
.u
.Hard
.PageFrameNumber
);
1403 if (!Pfn
->u3
.e1
.PrototypePte
)
1405 /* Return protection of the original pte */
1406 ASSERT(Pfn
->u4
.AweAllocation
== 0);
1407 return MmProtectToValue
[Pfn
->OriginalPte
.u
.Soft
.Protection
];
1410 /* This is software PTE */
1411 DPRINT("Prototype PTE: %lx %p\n", TempPte
.u
.Hard
.PageFrameNumber
, Pfn
);
1412 DPRINT("VA: %p\n", MiPteToAddress(&TempPte
));
1413 DPRINT("Mask: %lx\n", TempPte
.u
.Soft
.Protection
);
1414 DPRINT("Mask2: %lx\n", Pfn
->OriginalPte
.u
.Soft
.Protection
);
1415 return MmProtectToValue
[TempPte
.u
.Soft
.Protection
];
1420 MiQueryAddressState(IN PVOID Va
,
1422 IN PEPROCESS TargetProcess
,
1423 OUT PULONG ReturnedProtect
,
1427 PMMPTE PointerPte
, ProtoPte
;
1429 #if (_MI_PAGING_LEVELS >= 3)
1432 #if (_MI_PAGING_LEVELS >= 4)
1435 MMPTE TempPte
, TempProtoPte
;
1436 BOOLEAN DemandZeroPte
= TRUE
, ValidPte
= FALSE
;
1437 ULONG State
= MEM_RESERVE
, Protect
= 0;
1438 ASSERT((Vad
->StartingVpn
<= ((ULONG_PTR
)Va
>> PAGE_SHIFT
)) &&
1439 (Vad
->EndingVpn
>= ((ULONG_PTR
)Va
>> PAGE_SHIFT
)));
1441 /* Only normal VADs supported */
1442 ASSERT(Vad
->u
.VadFlags
.VadType
== VadNone
);
1444 /* Get the PDE and PTE for the address */
1445 PointerPde
= MiAddressToPde(Va
);
1446 PointerPte
= MiAddressToPte(Va
);
1447 #if (_MI_PAGING_LEVELS >= 3)
1448 PointerPpe
= MiAddressToPpe(Va
);
1450 #if (_MI_PAGING_LEVELS >= 4)
1451 PointerPxe
= MiAddressToPxe(Va
);
1454 /* Return the next range */
1455 *NextVa
= (PVOID
)((ULONG_PTR
)Va
+ PAGE_SIZE
);
1459 #if (_MI_PAGING_LEVELS >= 4)
1460 /* Does the PXE exist? */
1461 if (PointerPxe
->u
.Long
== 0)
1463 /* It does not, next range starts at the next PXE */
1464 *NextVa
= MiPxeToAddress(PointerPxe
+ 1);
1468 /* Is the PXE valid? */
1469 if (PointerPxe
->u
.Hard
.Valid
== 0)
1471 /* Is isn't, fault it in (make the PPE accessible) */
1472 MiMakeSystemAddressValid(PointerPpe
, TargetProcess
);
1475 #if (_MI_PAGING_LEVELS >= 3)
1476 /* Does the PPE exist? */
1477 if (PointerPpe
->u
.Long
== 0)
1479 /* It does not, next range starts at the next PPE */
1480 *NextVa
= MiPpeToAddress(PointerPpe
+ 1);
1484 /* Is the PPE valid? */
1485 if (PointerPpe
->u
.Hard
.Valid
== 0)
1487 /* Is isn't, fault it in (make the PDE accessible) */
1488 MiMakeSystemAddressValid(PointerPde
, TargetProcess
);
1492 /* Does the PDE exist? */
1493 if (PointerPde
->u
.Long
== 0)
1495 /* It does not, next range starts at the next PDE */
1496 *NextVa
= MiPdeToAddress(PointerPde
+ 1);
1500 /* Is the PDE valid? */
1501 if (PointerPde
->u
.Hard
.Valid
== 0)
1503 /* Is isn't, fault it in (make the PTE accessible) */
1504 MiMakeSystemAddressValid(PointerPte
, TargetProcess
);
1507 /* We have a PTE that we can access now! */
1512 /* Is it safe to try reading the PTE? */
1515 /* FIXME: watch out for large pages */
1516 ASSERT(PointerPde
->u
.Hard
.LargePage
== FALSE
);
1518 /* Capture the PTE */
1519 TempPte
= *PointerPte
;
1520 if (TempPte
.u
.Long
!= 0)
1522 /* The PTE is valid, so it's not zeroed out */
1523 DemandZeroPte
= FALSE
;
1525 /* Is it a decommited, invalid, or faulted PTE? */
1526 if ((TempPte
.u
.Soft
.Protection
== MM_DECOMMIT
) &&
1527 (TempPte
.u
.Hard
.Valid
== 0) &&
1528 ((TempPte
.u
.Soft
.Prototype
== 0) ||
1529 (TempPte
.u
.Soft
.PageFileHigh
== MI_PTE_LOOKUP_NEEDED
)))
1531 /* Otherwise our defaults should hold */
1532 ASSERT(Protect
== 0);
1533 ASSERT(State
== MEM_RESERVE
);
1537 /* This means it's committed */
1540 /* We don't support these */
1541 ASSERT(Vad
->u
.VadFlags
.VadType
!= VadDevicePhysicalMemory
);
1542 ASSERT(Vad
->u
.VadFlags
.VadType
!= VadRotatePhysical
);
1543 ASSERT(Vad
->u
.VadFlags
.VadType
!= VadAwe
);
1545 /* Get protection state of this page */
1546 Protect
= MiGetPageProtection(PointerPte
);
1548 /* Check if this is an image-backed VAD */
1549 if ((TempPte
.u
.Soft
.Valid
== 0) &&
1550 (TempPte
.u
.Soft
.Prototype
== 1) &&
1551 (Vad
->u
.VadFlags
.PrivateMemory
== 0) &&
1554 DPRINT1("Not supported\n");
1561 /* Check if this was a demand-zero PTE, since we need to find the state */
1564 /* Not yet handled */
1565 ASSERT(Vad
->u
.VadFlags
.VadType
!= VadDevicePhysicalMemory
);
1566 ASSERT(Vad
->u
.VadFlags
.VadType
!= VadAwe
);
1568 /* Check if this is private commited memory, or an section-backed VAD */
1569 if ((Vad
->u
.VadFlags
.PrivateMemory
== 0) && (Vad
->ControlArea
))
1571 /* Tell caller about the next range */
1572 *NextVa
= (PVOID
)((ULONG_PTR
)Va
+ PAGE_SIZE
);
1574 /* Get the prototype PTE for this VAD */
1575 ProtoPte
= MI_GET_PROTOTYPE_PTE_FOR_VPN(Vad
,
1576 (ULONG_PTR
)Va
>> PAGE_SHIFT
);
1579 /* We should unlock the working set, but it's not being held! */
1581 /* Is the prototype PTE actually valid (committed)? */
1582 TempProtoPte
= *ProtoPte
;
1583 if (TempProtoPte
.u
.Long
)
1585 /* Unless this is a memory-mapped file, handle it like private VAD */
1587 ASSERT(Vad
->u
.VadFlags
.VadType
!= VadImageMap
);
1588 Protect
= MmProtectToValue
[Vad
->u
.VadFlags
.Protection
];
1591 /* We should re-lock the working set */
1594 else if (Vad
->u
.VadFlags
.MemCommit
)
1596 /* This is committed memory */
1599 /* Convert the protection */
1600 Protect
= MmProtectToValue
[Vad
->u
.VadFlags
.Protection
];
1604 /* Return the protection code */
1605 *ReturnedProtect
= Protect
;
1611 MiQueryMemoryBasicInformation(IN HANDLE ProcessHandle
,
1612 IN PVOID BaseAddress
,
1613 OUT PVOID MemoryInformation
,
1614 IN SIZE_T MemoryInformationLength
,
1615 OUT PSIZE_T ReturnLength
)
1617 PEPROCESS TargetProcess
;
1618 NTSTATUS Status
= STATUS_SUCCESS
;
1620 PVOID Address
, NextAddress
;
1621 BOOLEAN Found
= FALSE
;
1622 ULONG NewProtect
, NewState
;
1624 MEMORY_BASIC_INFORMATION MemoryInfo
;
1625 KAPC_STATE ApcState
;
1626 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
1627 PMEMORY_AREA MemoryArea
;
1628 SIZE_T ResultLength
;
1630 /* Check for illegal addresses in user-space, or the shared memory area */
1631 if ((BaseAddress
> MM_HIGHEST_VAD_ADDRESS
) ||
1632 (PAGE_ALIGN(BaseAddress
) == (PVOID
)MM_SHARED_USER_DATA_VA
))
1634 Address
= PAGE_ALIGN(BaseAddress
);
1636 /* Make up an info structure describing this range */
1637 MemoryInfo
.BaseAddress
= Address
;
1638 MemoryInfo
.AllocationProtect
= PAGE_READONLY
;
1639 MemoryInfo
.Type
= MEM_PRIVATE
;
1641 /* Special case for shared data */
1642 if (Address
== (PVOID
)MM_SHARED_USER_DATA_VA
)
1644 MemoryInfo
.AllocationBase
= (PVOID
)MM_SHARED_USER_DATA_VA
;
1645 MemoryInfo
.State
= MEM_COMMIT
;
1646 MemoryInfo
.Protect
= PAGE_READONLY
;
1647 MemoryInfo
.RegionSize
= PAGE_SIZE
;
1651 MemoryInfo
.AllocationBase
= (PCHAR
)MM_HIGHEST_VAD_ADDRESS
+ 1;
1652 MemoryInfo
.State
= MEM_RESERVE
;
1653 MemoryInfo
.Protect
= PAGE_NOACCESS
;
1654 MemoryInfo
.RegionSize
= (ULONG_PTR
)MM_HIGHEST_USER_ADDRESS
+ 1 - (ULONG_PTR
)Address
;
1657 /* Return the data, NtQueryInformation already probed it*/
1658 if (PreviousMode
!= KernelMode
)
1662 *(PMEMORY_BASIC_INFORMATION
)MemoryInformation
= MemoryInfo
;
1663 if (ReturnLength
) *ReturnLength
= sizeof(MEMORY_BASIC_INFORMATION
);
1665 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
1667 Status
= _SEH2_GetExceptionCode();
1673 *(PMEMORY_BASIC_INFORMATION
)MemoryInformation
= MemoryInfo
;
1674 if (ReturnLength
) *ReturnLength
= sizeof(MEMORY_BASIC_INFORMATION
);
1680 /* Check if this is for a local or remote process */
1681 if (ProcessHandle
== NtCurrentProcess())
1683 TargetProcess
= PsGetCurrentProcess();
1687 /* Reference the target process */
1688 Status
= ObReferenceObjectByHandle(ProcessHandle
,
1689 PROCESS_QUERY_INFORMATION
,
1691 ExGetPreviousMode(),
1692 (PVOID
*)&TargetProcess
,
1694 if (!NT_SUCCESS(Status
)) return Status
;
1696 /* Attach to it now */
1697 KeStackAttachProcess(&TargetProcess
->Pcb
, &ApcState
);
1700 /* Lock the address space and make sure the process isn't already dead */
1701 MmLockAddressSpace(&TargetProcess
->Vm
);
1702 if (TargetProcess
->VmDeleted
)
1704 /* Unlock the address space of the process */
1705 MmUnlockAddressSpace(&TargetProcess
->Vm
);
1707 /* Check if we were attached */
1708 if (ProcessHandle
!= NtCurrentProcess())
1710 /* Detach and dereference the process */
1711 KeUnstackDetachProcess(&ApcState
);
1712 ObDereferenceObject(TargetProcess
);
1716 DPRINT1("Process is dying\n");
1717 return STATUS_PROCESS_IS_TERMINATING
;
1721 ASSERT(TargetProcess
->VadRoot
.NumberGenericTableElements
);
1722 if (TargetProcess
->VadRoot
.NumberGenericTableElements
)
1724 /* Scan on the right */
1725 Vad
= (PMMVAD
)TargetProcess
->VadRoot
.BalancedRoot
.RightChild
;
1726 BaseVpn
= (ULONG_PTR
)BaseAddress
>> PAGE_SHIFT
;
1729 /* Check if this VAD covers the allocation range */
1730 if ((BaseVpn
>= Vad
->StartingVpn
) &&
1731 (BaseVpn
<= Vad
->EndingVpn
))
1738 /* Check if this VAD is too high */
1739 if (BaseVpn
< Vad
->StartingVpn
)
1741 /* Stop if there is no left child */
1742 if (!Vad
->LeftChild
) break;
1744 /* Search on the left next */
1745 Vad
= Vad
->LeftChild
;
1749 /* Then this VAD is too low, keep searching on the right */
1750 ASSERT(BaseVpn
> Vad
->EndingVpn
);
1752 /* Stop if there is no right child */
1753 if (!Vad
->RightChild
) break;
1755 /* Search on the right next */
1756 Vad
= Vad
->RightChild
;
1761 /* Was a VAD found? */
1764 Address
= PAGE_ALIGN(BaseAddress
);
1766 /* Calculate region size */
1769 if (Vad
->StartingVpn
>= BaseVpn
)
1771 /* Region size is the free space till the start of that VAD */
1772 MemoryInfo
.RegionSize
= (ULONG_PTR
)(Vad
->StartingVpn
<< PAGE_SHIFT
) - (ULONG_PTR
)Address
;
1776 /* Get the next VAD */
1777 Vad
= (PMMVAD
)MiGetNextNode((PMMADDRESS_NODE
)Vad
);
1780 /* Region size is the free space till the start of that VAD */
1781 MemoryInfo
.RegionSize
= (ULONG_PTR
)(Vad
->StartingVpn
<< PAGE_SHIFT
) - (ULONG_PTR
)Address
;
1785 /* Maximum possible region size with that base address */
1786 MemoryInfo
.RegionSize
= (PCHAR
)MM_HIGHEST_VAD_ADDRESS
+ 1 - (PCHAR
)Address
;
1792 /* Maximum possible region size with that base address */
1793 MemoryInfo
.RegionSize
= (PCHAR
)MM_HIGHEST_VAD_ADDRESS
+ 1 - (PCHAR
)Address
;
1796 /* Unlock the address space of the process */
1797 MmUnlockAddressSpace(&TargetProcess
->Vm
);
1799 /* Check if we were attached */
1800 if (ProcessHandle
!= NtCurrentProcess())
1802 /* Detach and derefernece the process */
1803 KeUnstackDetachProcess(&ApcState
);
1804 ObDereferenceObject(TargetProcess
);
1807 /* Build the rest of the initial information block */
1808 MemoryInfo
.BaseAddress
= Address
;
1809 MemoryInfo
.AllocationBase
= NULL
;
1810 MemoryInfo
.AllocationProtect
= 0;
1811 MemoryInfo
.State
= MEM_FREE
;
1812 MemoryInfo
.Protect
= PAGE_NOACCESS
;
1813 MemoryInfo
.Type
= 0;
1815 /* Return the data, NtQueryInformation already probed it*/
1816 if (PreviousMode
!= KernelMode
)
1820 *(PMEMORY_BASIC_INFORMATION
)MemoryInformation
= MemoryInfo
;
1821 if (ReturnLength
) *ReturnLength
= sizeof(MEMORY_BASIC_INFORMATION
);
1823 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
1825 Status
= _SEH2_GetExceptionCode();
1831 *(PMEMORY_BASIC_INFORMATION
)MemoryInformation
= MemoryInfo
;
1832 if (ReturnLength
) *ReturnLength
= sizeof(MEMORY_BASIC_INFORMATION
);
1838 /* Set the correct memory type based on what kind of VAD this is */
1839 if ((Vad
->u
.VadFlags
.PrivateMemory
) ||
1840 (Vad
->u
.VadFlags
.VadType
== VadRotatePhysical
))
1842 MemoryInfo
.Type
= MEM_PRIVATE
;
1844 else if (Vad
->u
.VadFlags
.VadType
== VadImageMap
)
1846 MemoryInfo
.Type
= MEM_IMAGE
;
1850 MemoryInfo
.Type
= MEM_MAPPED
;
1853 /* Find the memory area the specified address belongs to */
1854 MemoryArea
= MmLocateMemoryAreaByAddress(&TargetProcess
->Vm
, BaseAddress
);
1855 ASSERT(MemoryArea
!= NULL
);
1857 /* Determine information dependent on the memory area type */
1858 if (MemoryArea
->Type
== MEMORY_AREA_SECTION_VIEW
)
1860 Status
= MmQuerySectionView(MemoryArea
, BaseAddress
, &MemoryInfo
, &ResultLength
);
1861 if (!NT_SUCCESS(Status
))
1863 DPRINT1("MmQuerySectionView failed. MemoryArea=%p (%p-%p), BaseAddress=%p\n",
1864 MemoryArea
, MemoryArea
->StartingAddress
, MemoryArea
->EndingAddress
, BaseAddress
);
1865 NT_ASSERT(NT_SUCCESS(Status
));
1870 /* Build the initial information block */
1871 Address
= PAGE_ALIGN(BaseAddress
);
1872 MemoryInfo
.BaseAddress
= Address
;
1873 MemoryInfo
.AllocationBase
= (PVOID
)(Vad
->StartingVpn
<< PAGE_SHIFT
);
1874 MemoryInfo
.AllocationProtect
= MmProtectToValue
[Vad
->u
.VadFlags
.Protection
];
1875 MemoryInfo
.Type
= MEM_PRIVATE
;
1877 /* Acquire the working set lock (shared is enough) */
1878 MiLockProcessWorkingSetShared(TargetProcess
, PsGetCurrentThread());
1880 /* Find the largest chunk of memory which has the same state and protection mask */
1881 MemoryInfo
.State
= MiQueryAddressState(Address
,
1884 &MemoryInfo
.Protect
,
1886 Address
= NextAddress
;
1887 while (((ULONG_PTR
)Address
>> PAGE_SHIFT
) <= Vad
->EndingVpn
)
1889 /* Keep going unless the state or protection mask changed */
1890 NewState
= MiQueryAddressState(Address
, Vad
, TargetProcess
, &NewProtect
, &NextAddress
);
1891 if ((NewState
!= MemoryInfo
.State
) || (NewProtect
!= MemoryInfo
.Protect
)) break;
1892 Address
= NextAddress
;
1895 /* Release the working set lock */
1896 MiUnlockProcessWorkingSetShared(TargetProcess
, PsGetCurrentThread());
1898 /* Check if we went outside of the VAD */
1899 if (((ULONG_PTR
)Address
>> PAGE_SHIFT
) > Vad
->EndingVpn
)
1901 /* Set the end of the VAD as the end address */
1902 Address
= (PVOID
)((Vad
->EndingVpn
+ 1) << PAGE_SHIFT
);
1905 /* Now that we know the last VA address, calculate the region size */
1906 MemoryInfo
.RegionSize
= ((ULONG_PTR
)Address
- (ULONG_PTR
)MemoryInfo
.BaseAddress
);
1909 /* Unlock the address space of the process */
1910 MmUnlockAddressSpace(&TargetProcess
->Vm
);
1912 /* Check if we were attached */
1913 if (ProcessHandle
!= NtCurrentProcess())
1915 /* Detach and derefernece the process */
1916 KeUnstackDetachProcess(&ApcState
);
1917 ObDereferenceObject(TargetProcess
);
1920 /* Return the data, NtQueryInformation already probed it */
1921 if (PreviousMode
!= KernelMode
)
1925 *(PMEMORY_BASIC_INFORMATION
)MemoryInformation
= MemoryInfo
;
1926 if (ReturnLength
) *ReturnLength
= sizeof(MEMORY_BASIC_INFORMATION
);
1928 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
1930 Status
= _SEH2_GetExceptionCode();
1936 *(PMEMORY_BASIC_INFORMATION
)MemoryInformation
= MemoryInfo
;
1937 if (ReturnLength
) *ReturnLength
= sizeof(MEMORY_BASIC_INFORMATION
);
1941 DPRINT("Base: %p AllocBase: %p AllocProtect: %lx Protect: %lx "
1942 "State: %lx Type: %lx Size: %lx\n",
1943 MemoryInfo
.BaseAddress
, MemoryInfo
.AllocationBase
,
1944 MemoryInfo
.AllocationProtect
, MemoryInfo
.Protect
,
1945 MemoryInfo
.State
, MemoryInfo
.Type
, MemoryInfo
.RegionSize
);
1952 MiIsEntireRangeCommitted(IN ULONG_PTR StartingAddress
,
1953 IN ULONG_PTR EndingAddress
,
1955 IN PEPROCESS Process
)
1957 PMMPTE PointerPte
, LastPte
, PointerPde
;
1958 BOOLEAN OnBoundary
= TRUE
;
1961 /* Get the PDE and PTE addresses */
1962 PointerPde
= MiAddressToPde(StartingAddress
);
1963 PointerPte
= MiAddressToPte(StartingAddress
);
1964 LastPte
= MiAddressToPte(EndingAddress
);
1966 /* Loop all the PTEs */
1967 while (PointerPte
<= LastPte
)
1969 /* Check if we've hit an new PDE boundary */
1972 /* Is this PDE demand zero? */
1973 PointerPde
= MiAddressToPte(PointerPte
);
1974 if (PointerPde
->u
.Long
!= 0)
1976 /* It isn't -- is it valid? */
1977 if (PointerPde
->u
.Hard
.Valid
== 0)
1979 /* Nope, fault it in */
1980 PointerPte
= MiPteToAddress(PointerPde
);
1981 MiMakeSystemAddressValid(PointerPte
, Process
);
1986 /* The PTE was already valid, so move to the next one */
1988 PointerPte
= MiPteToAddress(PointerPde
);
1990 /* Is the entire VAD committed? If not, fail */
1991 if (!Vad
->u
.VadFlags
.MemCommit
) return FALSE
;
1993 /* Everything is committed so far past the range, return true */
1994 if (PointerPte
> LastPte
) return TRUE
;
1998 /* Is the PTE demand zero? */
1999 if (PointerPte
->u
.Long
== 0)
2001 /* Is the entire VAD committed? If not, fail */
2002 if (!Vad
->u
.VadFlags
.MemCommit
) return FALSE
;
2006 /* It isn't -- is it a decommited, invalid, or faulted PTE? */
2007 if ((PointerPte
->u
.Soft
.Protection
== MM_DECOMMIT
) &&
2008 (PointerPte
->u
.Hard
.Valid
== 0) &&
2009 ((PointerPte
->u
.Soft
.Prototype
== 0) ||
2010 (PointerPte
->u
.Soft
.PageFileHigh
== MI_PTE_LOOKUP_NEEDED
)))
2012 /* Then part of the range is decommitted, so fail */
2017 /* Move to the next PTE */
2019 OnBoundary
= MiIsPteOnPdeBoundary(PointerPte
);
2022 /* All PTEs seem valid, and no VAD checks failed, the range is okay */
2028 MiRosProtectVirtualMemory(IN PEPROCESS Process
,
2029 IN OUT PVOID
*BaseAddress
,
2030 IN OUT PSIZE_T NumberOfBytesToProtect
,
2031 IN ULONG NewAccessProtection
,
2032 OUT PULONG OldAccessProtection OPTIONAL
)
2034 PMEMORY_AREA MemoryArea
;
2035 PMMSUPPORT AddressSpace
;
2036 ULONG OldAccessProtection_
;
2039 *NumberOfBytesToProtect
= PAGE_ROUND_UP((ULONG_PTR
)(*BaseAddress
) + (*NumberOfBytesToProtect
)) - PAGE_ROUND_DOWN(*BaseAddress
);
2040 *BaseAddress
= (PVOID
)PAGE_ROUND_DOWN(*BaseAddress
);
2042 AddressSpace
= &Process
->Vm
;
2043 MmLockAddressSpace(AddressSpace
);
2044 MemoryArea
= MmLocateMemoryAreaByAddress(AddressSpace
, *BaseAddress
);
2045 if (MemoryArea
== NULL
|| MemoryArea
->DeleteInProgress
)
2047 MmUnlockAddressSpace(AddressSpace
);
2048 return STATUS_UNSUCCESSFUL
;
2051 if (OldAccessProtection
== NULL
) OldAccessProtection
= &OldAccessProtection_
;
2053 ASSERT(MemoryArea
->Type
== MEMORY_AREA_SECTION_VIEW
);
2054 Status
= MmProtectSectionView(AddressSpace
,
2057 *NumberOfBytesToProtect
,
2058 NewAccessProtection
,
2059 OldAccessProtection
);
2061 MmUnlockAddressSpace(AddressSpace
);
2068 MiProtectVirtualMemory(IN PEPROCESS Process
,
2069 IN OUT PVOID
*BaseAddress
,
2070 IN OUT PSIZE_T NumberOfBytesToProtect
,
2071 IN ULONG NewAccessProtection
,
2072 OUT PULONG OldAccessProtection OPTIONAL
)
2074 PMEMORY_AREA MemoryArea
;
2076 PMMSUPPORT AddressSpace
;
2077 ULONG_PTR StartingAddress
, EndingAddress
;
2078 PMMPTE PointerPde
, PointerPte
, LastPte
;
2081 ULONG ProtectionMask
, OldProtect
;
2083 NTSTATUS Status
= STATUS_SUCCESS
;
2084 PETHREAD Thread
= PsGetCurrentThread();
2085 TABLE_SEARCH_RESULT Result
;
2087 /* Calculate base address for the VAD */
2088 StartingAddress
= (ULONG_PTR
)PAGE_ALIGN((*BaseAddress
));
2089 EndingAddress
= (((ULONG_PTR
)*BaseAddress
+ *NumberOfBytesToProtect
- 1) | (PAGE_SIZE
- 1));
2091 /* Calculate the protection mask and make sure it's valid */
2092 ProtectionMask
= MiMakeProtectionMask(NewAccessProtection
);
2093 if (ProtectionMask
== MM_INVALID_PROTECTION
)
2095 DPRINT1("Invalid protection mask\n");
2096 return STATUS_INVALID_PAGE_PROTECTION
;
2099 /* Check for ROS specific memory area */
2100 MemoryArea
= MmLocateMemoryAreaByAddress(&Process
->Vm
, *BaseAddress
);
2101 if ((MemoryArea
) && (MemoryArea
->Type
!= MEMORY_AREA_OWNED_BY_ARM3
))
2104 return MiRosProtectVirtualMemory(Process
,
2106 NumberOfBytesToProtect
,
2107 NewAccessProtection
,
2108 OldAccessProtection
);
2111 /* Lock the address space and make sure the process isn't already dead */
2112 AddressSpace
= MmGetCurrentAddressSpace();
2113 MmLockAddressSpace(AddressSpace
);
2114 if (Process
->VmDeleted
)
2116 DPRINT1("Process is dying\n");
2117 Status
= STATUS_PROCESS_IS_TERMINATING
;
2121 /* Get the VAD for this address range, and make sure it exists */
2122 Result
= MiCheckForConflictingNode(StartingAddress
>> PAGE_SHIFT
,
2123 EndingAddress
>> PAGE_SHIFT
,
2125 (PMMADDRESS_NODE
*)&Vad
);
2126 if (Result
!= TableFoundNode
)
2128 DPRINT("Could not find a VAD for this allocation\n");
2129 Status
= STATUS_CONFLICTING_ADDRESSES
;
2133 /* Make sure the address is within this VAD's boundaries */
2134 if ((((ULONG_PTR
)StartingAddress
>> PAGE_SHIFT
) < Vad
->StartingVpn
) ||
2135 (((ULONG_PTR
)EndingAddress
>> PAGE_SHIFT
) > Vad
->EndingVpn
))
2137 Status
= STATUS_CONFLICTING_ADDRESSES
;
2141 /* These kinds of VADs are not supported atm */
2142 if ((Vad
->u
.VadFlags
.VadType
== VadAwe
) ||
2143 (Vad
->u
.VadFlags
.VadType
== VadDevicePhysicalMemory
) ||
2144 (Vad
->u
.VadFlags
.VadType
== VadLargePages
))
2146 DPRINT1("Illegal VAD for attempting to set protection\n");
2147 Status
= STATUS_CONFLICTING_ADDRESSES
;
2151 /* Check for a VAD whose protection can't be changed */
2152 if (Vad
->u
.VadFlags
.NoChange
== 1)
2154 DPRINT1("Trying to change protection of a NoChange VAD\n");
2155 Status
= STATUS_INVALID_PAGE_PROTECTION
;
2159 /* Is this section, or private memory? */
2160 if (Vad
->u
.VadFlags
.PrivateMemory
== 0)
2162 /* Not yet supported */
2163 if (Vad
->u
.VadFlags
.VadType
== VadLargePageSection
)
2165 DPRINT1("Illegal VAD for attempting to set protection\n");
2166 Status
= STATUS_CONFLICTING_ADDRESSES
;
2170 /* Rotate VADs are not yet supported */
2171 if (Vad
->u
.VadFlags
.VadType
== VadRotatePhysical
)
2173 DPRINT1("Illegal VAD for attempting to set protection\n");
2174 Status
= STATUS_CONFLICTING_ADDRESSES
;
2178 /* Not valid on section files */
2179 if (NewAccessProtection
& (PAGE_NOCACHE
| PAGE_WRITECOMBINE
))
2182 DPRINT1("Invalid protection flags for section\n");
2183 Status
= STATUS_INVALID_PARAMETER_4
;
2187 /* Check if data or page file mapping protection PTE is compatible */
2188 if (!Vad
->ControlArea
->u
.Flags
.Image
)
2191 DPRINT1("Fixme: Not checking for valid protection\n");
2194 /* This is a section, and this is not yet supported */
2195 DPRINT1("Section protection not yet supported\n");
2200 /* Private memory, check protection flags */
2201 if ((NewAccessProtection
& PAGE_WRITECOPY
) ||
2202 (NewAccessProtection
& PAGE_EXECUTE_WRITECOPY
))
2204 DPRINT1("Invalid protection flags for private memory\n");
2205 Status
= STATUS_INVALID_PARAMETER_4
;
2209 /* Lock the working set */
2210 MiLockProcessWorkingSetUnsafe(Process
, Thread
);
2212 /* Check if all pages in this range are committed */
2213 Committed
= MiIsEntireRangeCommitted(StartingAddress
,
2220 DPRINT1("The entire range is not committed\n");
2221 Status
= STATUS_NOT_COMMITTED
;
2222 MiUnlockProcessWorkingSetUnsafe(Process
, Thread
);
2226 /* Compute starting and ending PTE and PDE addresses */
2227 PointerPde
= MiAddressToPde(StartingAddress
);
2228 PointerPte
= MiAddressToPte(StartingAddress
);
2229 LastPte
= MiAddressToPte(EndingAddress
);
2231 /* Make this PDE valid */
2232 MiMakePdeExistAndMakeValid(PointerPde
, Process
, MM_NOIRQL
);
2234 /* Save protection of the first page */
2235 if (PointerPte
->u
.Long
!= 0)
2237 /* Capture the page protection and make the PDE valid */
2238 OldProtect
= MiGetPageProtection(PointerPte
);
2239 MiMakePdeExistAndMakeValid(PointerPde
, Process
, MM_NOIRQL
);
2243 /* Grab the old protection from the VAD itself */
2244 OldProtect
= MmProtectToValue
[Vad
->u
.VadFlags
.Protection
];
2247 /* Loop all the PTEs now */
2248 while (PointerPte
<= LastPte
)
2250 /* Check if we've crossed a PDE boundary and make the new PDE valid too */
2251 if (MiIsPteOnPdeBoundary(PointerPte
))
2253 PointerPde
= MiAddressToPte(PointerPte
);
2254 MiMakePdeExistAndMakeValid(PointerPde
, Process
, MM_NOIRQL
);
2257 /* Capture the PTE and check if it was empty */
2258 PteContents
= *PointerPte
;
2259 if (PteContents
.u
.Long
== 0)
2261 /* This used to be a zero PTE and it no longer is, so we must add a
2262 reference to the pagetable. */
2263 MiIncrementPageTableReferences(MiPteToAddress(PointerPte
));
2266 /* Check what kind of PTE we are dealing with */
2267 if (PteContents
.u
.Hard
.Valid
== 1)
2269 /* Get the PFN entry */
2270 Pfn1
= MiGetPfnEntry(PFN_FROM_PTE(&PteContents
));
2272 /* We don't support this yet */
2273 ASSERT(Pfn1
->u3
.e1
.PrototypePte
== 0);
2275 /* Check if the page should not be accessible at all */
2276 if ((NewAccessProtection
& PAGE_NOACCESS
) ||
2277 (NewAccessProtection
& PAGE_GUARD
))
2279 KIRQL OldIrql
= KeAcquireQueuedSpinLock(LockQueuePfnLock
);
2281 /* Mark the PTE as transition and change its protection */
2282 PteContents
.u
.Hard
.Valid
= 0;
2283 PteContents
.u
.Soft
.Transition
= 1;
2284 PteContents
.u
.Trans
.Protection
= ProtectionMask
;
2285 /* Decrease PFN share count and write the PTE */
2286 MiDecrementShareCount(Pfn1
, PFN_FROM_PTE(&PteContents
));
2287 // FIXME: remove the page from the WS
2288 MI_WRITE_INVALID_PTE(PointerPte
, PteContents
);
2290 // FIXME: Should invalidate entry in every CPU TLB
2293 KeInvalidateTlbEntry(MiPteToAddress(PointerPte
));
2295 /* We are done for this PTE */
2296 KeReleaseQueuedSpinLock(LockQueuePfnLock
, OldIrql
);
2300 /* Write the protection mask and write it with a TLB flush */
2301 Pfn1
->OriginalPte
.u
.Soft
.Protection
= ProtectionMask
;
2302 MiFlushTbAndCapture(Vad
,
2311 /* We don't support these cases yet */
2312 ASSERT(PteContents
.u
.Soft
.Prototype
== 0);
2313 //ASSERT(PteContents.u.Soft.Transition == 0);
2315 /* The PTE is already demand-zero, just update the protection mask */
2316 PteContents
.u
.Soft
.Protection
= ProtectionMask
;
2317 MI_WRITE_INVALID_PTE(PointerPte
, PteContents
);
2318 ASSERT(PointerPte
->u
.Long
!= 0);
2321 /* Move to the next PTE */
2325 /* Unlock the working set */
2326 MiUnlockProcessWorkingSetUnsafe(Process
, Thread
);
2329 /* Unlock the address space */
2330 MmUnlockAddressSpace(AddressSpace
);
2332 /* Return parameters and success */
2333 *NumberOfBytesToProtect
= EndingAddress
- StartingAddress
+ 1;
2334 *BaseAddress
= (PVOID
)StartingAddress
;
2335 *OldAccessProtection
= OldProtect
;
2336 return STATUS_SUCCESS
;
2339 /* Unlock the address space and return the failure code */
2340 MmUnlockAddressSpace(AddressSpace
);
2346 MiMakePdeExistAndMakeValid(IN PMMPTE PointerPde
,
2347 IN PEPROCESS TargetProcess
,
2350 PMMPTE PointerPte
, PointerPpe
, PointerPxe
;
2353 // Sanity checks. The latter is because we only use this function with the
2354 // PFN lock not held, so it may go away in the future.
2356 ASSERT(KeAreAllApcsDisabled() == TRUE
);
2357 ASSERT(OldIrql
== MM_NOIRQL
);
2360 // Also get the PPE and PXE. This is okay not to #ifdef because they will
2361 // return the same address as the PDE on 2-level page table systems.
2363 // If everything is already valid, there is nothing to do.
2365 PointerPpe
= MiAddressToPte(PointerPde
);
2366 PointerPxe
= MiAddressToPde(PointerPde
);
2367 if ((PointerPxe
->u
.Hard
.Valid
) &&
2368 (PointerPpe
->u
.Hard
.Valid
) &&
2369 (PointerPde
->u
.Hard
.Valid
))
2375 // At least something is invalid, so begin by getting the PTE for the PDE itself
2376 // and then lookup each additional level. We must do it in this precise order
2377 // because the pagfault.c code (as well as in Windows) depends that the next
2378 // level up (higher) must be valid when faulting a lower level
2380 PointerPte
= MiPteToAddress(PointerPde
);
2384 // Make sure APCs continued to be disabled
2386 ASSERT(KeAreAllApcsDisabled() == TRUE
);
2389 // First, make the PXE valid if needed
2391 if (!PointerPxe
->u
.Hard
.Valid
)
2393 MiMakeSystemAddressValid(PointerPpe
, TargetProcess
);
2394 ASSERT(PointerPxe
->u
.Hard
.Valid
== 1);
2400 if (!PointerPpe
->u
.Hard
.Valid
)
2402 MiMakeSystemAddressValid(PointerPde
, TargetProcess
);
2403 ASSERT(PointerPpe
->u
.Hard
.Valid
== 1);
2407 // And finally, make the PDE itself valid.
2409 MiMakeSystemAddressValid(PointerPte
, TargetProcess
);
2412 // This should've worked the first time so the loop is really just for
2413 // show -- ASSERT that we're actually NOT going to be looping.
2415 ASSERT(PointerPxe
->u
.Hard
.Valid
== 1);
2416 ASSERT(PointerPpe
->u
.Hard
.Valid
== 1);
2417 ASSERT(PointerPde
->u
.Hard
.Valid
== 1);
2418 } while (!(PointerPxe
->u
.Hard
.Valid
) ||
2419 !(PointerPpe
->u
.Hard
.Valid
) ||
2420 !(PointerPde
->u
.Hard
.Valid
));
2425 MiProcessValidPteList(IN PMMPTE
*ValidPteList
,
2431 PFN_NUMBER PageFrameIndex
;
2435 // Acquire the PFN lock and loop all the PTEs in the list
2437 OldIrql
= KeAcquireQueuedSpinLock(LockQueuePfnLock
);
2438 for (i
= 0; i
!= Count
; i
++)
2441 // The PTE must currently be valid
2443 TempPte
= *ValidPteList
[i
];
2444 ASSERT(TempPte
.u
.Hard
.Valid
== 1);
2447 // Get the PFN entry for the page itself, and then for its page table
2449 PageFrameIndex
= PFN_FROM_PTE(&TempPte
);
2450 Pfn1
= MiGetPfnEntry(PageFrameIndex
);
2451 Pfn2
= MiGetPfnEntry(Pfn1
->u4
.PteFrame
);
2454 // Decrement the share count on the page table, and then on the page
2457 MiDecrementShareCount(Pfn2
, Pfn1
->u4
.PteFrame
);
2458 MI_SET_PFN_DELETED(Pfn1
);
2459 MiDecrementShareCount(Pfn1
, PageFrameIndex
);
2462 // Make the page decommitted
2464 MI_WRITE_INVALID_PTE(ValidPteList
[i
], MmDecommittedPte
);
2468 // All the PTEs have been dereferenced and made invalid, flush the TLB now
2469 // and then release the PFN lock
2472 KeReleaseQueuedSpinLock(LockQueuePfnLock
, OldIrql
);
2477 MiDecommitPages(IN PVOID StartingAddress
,
2478 IN PMMPTE EndingPte
,
2479 IN PEPROCESS Process
,
2482 PMMPTE PointerPde
, PointerPte
, CommitPte
= NULL
;
2483 ULONG CommitReduction
= 0;
2484 PMMPTE ValidPteList
[256];
2488 PETHREAD CurrentThread
= PsGetCurrentThread();
2491 // Get the PTE and PTE for the address, and lock the working set
2492 // If this was a VAD for a MEM_COMMIT allocation, also figure out where the
2493 // commited range ends so that we can do the right accounting.
2495 PointerPde
= MiAddressToPde(StartingAddress
);
2496 PointerPte
= MiAddressToPte(StartingAddress
);
2497 if (Vad
->u
.VadFlags
.MemCommit
) CommitPte
= MiAddressToPte(Vad
->EndingVpn
<< PAGE_SHIFT
);
2498 MiLockProcessWorkingSetUnsafe(Process
, CurrentThread
);
2501 // Make the PDE valid, and now loop through each page's worth of data
2503 MiMakePdeExistAndMakeValid(PointerPde
, Process
, MM_NOIRQL
);
2504 while (PointerPte
<= EndingPte
)
2507 // Check if we've crossed a PDE boundary
2509 if (MiIsPteOnPdeBoundary(PointerPte
))
2512 // Get the new PDE and flush the valid PTEs we had built up until
2513 // now. This helps reduce the amount of TLB flushing we have to do.
2514 // Note that Windows does a much better job using timestamps and
2515 // such, and does not flush the entire TLB all the time, but right
2516 // now we have bigger problems to worry about than TLB flushing.
2518 PointerPde
= MiAddressToPde(StartingAddress
);
2521 MiProcessValidPteList(ValidPteList
, PteCount
);
2526 // Make this PDE valid
2528 MiMakePdeExistAndMakeValid(PointerPde
, Process
, MM_NOIRQL
);
2532 // Read this PTE. It might be active or still demand-zero.
2534 PteContents
= *PointerPte
;
2535 if (PteContents
.u
.Long
)
2538 // The PTE is active. It might be valid and in a working set, or
2539 // it might be a prototype PTE or paged out or even in transition.
2541 if (PointerPte
->u
.Long
== MmDecommittedPte
.u
.Long
)
2544 // It's already decommited, so there's nothing for us to do here
2551 // Remove it from the counters, and check if it was valid or not
2553 //Process->NumberOfPrivatePages--;
2554 if (PteContents
.u
.Hard
.Valid
)
2557 // It's valid. At this point make sure that it is not a ROS
2558 // PFN. Also, we don't support ProtoPTEs in this code path.
2560 Pfn1
= MiGetPfnEntry(PteContents
.u
.Hard
.PageFrameNumber
);
2561 ASSERT(MI_IS_ROS_PFN(Pfn1
) == FALSE
);
2562 ASSERT(Pfn1
->u3
.e1
.PrototypePte
== FALSE
);
2565 // Flush any pending PTEs that we had not yet flushed, if our
2566 // list has gotten too big, then add this PTE to the flush list.
2568 if (PteCount
== 256)
2570 MiProcessValidPteList(ValidPteList
, PteCount
);
2573 ValidPteList
[PteCount
++] = PointerPte
;
2578 // We do not support any of these other scenarios at the moment
2580 ASSERT(PteContents
.u
.Soft
.Prototype
== 0);
2581 ASSERT(PteContents
.u
.Soft
.Transition
== 0);
2582 ASSERT(PteContents
.u
.Soft
.PageFileHigh
== 0);
2585 // So the only other possibility is that it is still a demand
2586 // zero PTE, in which case we undo the accounting we did
2587 // earlier and simply make the page decommitted.
2589 //Process->NumberOfPrivatePages++;
2590 MI_WRITE_INVALID_PTE(PointerPte
, MmDecommittedPte
);
2597 // This used to be a zero PTE and it no longer is, so we must add a
2598 // reference to the pagetable.
2600 MiIncrementPageTableReferences(StartingAddress
);
2603 // Next, we account for decommitted PTEs and make the PTE as such
2605 if (PointerPte
> CommitPte
) CommitReduction
++;
2606 MI_WRITE_INVALID_PTE(PointerPte
, MmDecommittedPte
);
2610 // Move to the next PTE and the next address
2613 StartingAddress
= (PVOID
)((ULONG_PTR
)StartingAddress
+ PAGE_SIZE
);
2617 // Flush any dangling PTEs from the loop in the last page table, and then
2618 // release the working set and return the commit reduction accounting.
2620 if (PteCount
) MiProcessValidPteList(ValidPteList
, PteCount
);
2621 MiUnlockProcessWorkingSetUnsafe(Process
, CurrentThread
);
2622 return CommitReduction
;
2625 /* PUBLIC FUNCTIONS ***********************************************************/
2632 MmGetVirtualForPhysical(IN PHYSICAL_ADDRESS PhysicalAddress
)
2643 MmSecureVirtualMemory(IN PVOID Address
,
2647 static BOOLEAN Warn
; if (!Warn
++) UNIMPLEMENTED
;
2656 MmUnsecureVirtualMemory(IN PVOID SecureMem
)
2658 static BOOLEAN Warn
; if (!Warn
++) UNIMPLEMENTED
;
2661 /* SYSTEM CALLS ***************************************************************/
2665 NtReadVirtualMemory(IN HANDLE ProcessHandle
,
2666 IN PVOID BaseAddress
,
2668 IN SIZE_T NumberOfBytesToRead
,
2669 OUT PSIZE_T NumberOfBytesRead OPTIONAL
)
2671 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
2673 NTSTATUS Status
= STATUS_SUCCESS
;
2674 SIZE_T BytesRead
= 0;
2678 // Check if we came from user mode
2680 if (PreviousMode
!= KernelMode
)
2683 // Validate the read addresses
2685 if ((((ULONG_PTR
)BaseAddress
+ NumberOfBytesToRead
) < (ULONG_PTR
)BaseAddress
) ||
2686 (((ULONG_PTR
)Buffer
+ NumberOfBytesToRead
) < (ULONG_PTR
)Buffer
) ||
2687 (((ULONG_PTR
)BaseAddress
+ NumberOfBytesToRead
) > MmUserProbeAddress
) ||
2688 (((ULONG_PTR
)Buffer
+ NumberOfBytesToRead
) > MmUserProbeAddress
))
2691 // Don't allow to write into kernel space
2693 return STATUS_ACCESS_VIOLATION
;
2697 // Enter SEH for probe
2702 // Probe the output value
2704 if (NumberOfBytesRead
) ProbeForWriteSize_t(NumberOfBytesRead
);
2706 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
2709 // Get exception code
2711 _SEH2_YIELD(return _SEH2_GetExceptionCode());
2717 // Don't do zero-byte transfers
2719 if (NumberOfBytesToRead
)
2722 // Reference the process
2724 Status
= ObReferenceObjectByHandle(ProcessHandle
,
2730 if (NT_SUCCESS(Status
))
2735 Status
= MmCopyVirtualMemory(Process
,
2737 PsGetCurrentProcess(),
2739 NumberOfBytesToRead
,
2744 // Dereference the process
2746 ObDereferenceObject(Process
);
2751 // Check if the caller sent this parameter
2753 if (NumberOfBytesRead
)
2756 // Enter SEH to guard write
2761 // Return the number of bytes read
2763 *NumberOfBytesRead
= BytesRead
;
2765 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
2779 NtWriteVirtualMemory(IN HANDLE ProcessHandle
,
2780 IN PVOID BaseAddress
,
2782 IN SIZE_T NumberOfBytesToWrite
,
2783 OUT PSIZE_T NumberOfBytesWritten OPTIONAL
)
2785 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
2787 NTSTATUS Status
= STATUS_SUCCESS
;
2788 SIZE_T BytesWritten
= 0;
2792 // Check if we came from user mode
2794 if (PreviousMode
!= KernelMode
)
2797 // Validate the read addresses
2799 if ((((ULONG_PTR
)BaseAddress
+ NumberOfBytesToWrite
) < (ULONG_PTR
)BaseAddress
) ||
2800 (((ULONG_PTR
)Buffer
+ NumberOfBytesToWrite
) < (ULONG_PTR
)Buffer
) ||
2801 (((ULONG_PTR
)BaseAddress
+ NumberOfBytesToWrite
) > MmUserProbeAddress
) ||
2802 (((ULONG_PTR
)Buffer
+ NumberOfBytesToWrite
) > MmUserProbeAddress
))
2805 // Don't allow to write into kernel space
2807 return STATUS_ACCESS_VIOLATION
;
2811 // Enter SEH for probe
2816 // Probe the output value
2818 if (NumberOfBytesWritten
) ProbeForWriteSize_t(NumberOfBytesWritten
);
2820 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
2823 // Get exception code
2825 _SEH2_YIELD(return _SEH2_GetExceptionCode());
2831 // Don't do zero-byte transfers
2833 if (NumberOfBytesToWrite
)
2836 // Reference the process
2838 Status
= ObReferenceObjectByHandle(ProcessHandle
,
2844 if (NT_SUCCESS(Status
))
2849 Status
= MmCopyVirtualMemory(PsGetCurrentProcess(),
2853 NumberOfBytesToWrite
,
2858 // Dereference the process
2860 ObDereferenceObject(Process
);
2865 // Check if the caller sent this parameter
2867 if (NumberOfBytesWritten
)
2870 // Enter SEH to guard write
2875 // Return the number of bytes written
2877 *NumberOfBytesWritten
= BytesWritten
;
2879 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
2893 NtProtectVirtualMemory(IN HANDLE ProcessHandle
,
2894 IN OUT PVOID
*UnsafeBaseAddress
,
2895 IN OUT SIZE_T
*UnsafeNumberOfBytesToProtect
,
2896 IN ULONG NewAccessProtection
,
2897 OUT PULONG UnsafeOldAccessProtection
)
2900 ULONG OldAccessProtection
;
2902 PEPROCESS CurrentProcess
= PsGetCurrentProcess();
2903 PVOID BaseAddress
= NULL
;
2904 SIZE_T NumberOfBytesToProtect
= 0;
2905 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
2907 BOOLEAN Attached
= FALSE
;
2908 KAPC_STATE ApcState
;
2912 // Check for valid protection flags
2914 Protection
= NewAccessProtection
& ~(PAGE_GUARD
|PAGE_NOCACHE
);
2915 if (Protection
!= PAGE_NOACCESS
&&
2916 Protection
!= PAGE_READONLY
&&
2917 Protection
!= PAGE_READWRITE
&&
2918 Protection
!= PAGE_WRITECOPY
&&
2919 Protection
!= PAGE_EXECUTE
&&
2920 Protection
!= PAGE_EXECUTE_READ
&&
2921 Protection
!= PAGE_EXECUTE_READWRITE
&&
2922 Protection
!= PAGE_EXECUTE_WRITECOPY
)
2927 return STATUS_INVALID_PAGE_PROTECTION
;
2931 // Check if we came from user mode
2933 if (PreviousMode
!= KernelMode
)
2936 // Enter SEH for probing
2941 // Validate all outputs
2943 ProbeForWritePointer(UnsafeBaseAddress
);
2944 ProbeForWriteSize_t(UnsafeNumberOfBytesToProtect
);
2945 ProbeForWriteUlong(UnsafeOldAccessProtection
);
2950 BaseAddress
= *UnsafeBaseAddress
;
2951 NumberOfBytesToProtect
= *UnsafeNumberOfBytesToProtect
;
2953 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
2956 // Get exception code
2958 _SEH2_YIELD(return _SEH2_GetExceptionCode());
2967 BaseAddress
= *UnsafeBaseAddress
;
2968 NumberOfBytesToProtect
= *UnsafeNumberOfBytesToProtect
;
2972 // Catch illegal base address
2974 if (BaseAddress
> MM_HIGHEST_USER_ADDRESS
) return STATUS_INVALID_PARAMETER_2
;
2977 // Catch illegal region size
2979 if ((MmUserProbeAddress
- (ULONG_PTR
)BaseAddress
) < NumberOfBytesToProtect
)
2984 return STATUS_INVALID_PARAMETER_3
;
2988 // 0 is also illegal
2990 if (!NumberOfBytesToProtect
) return STATUS_INVALID_PARAMETER_3
;
2993 // Get a reference to the process
2995 Status
= ObReferenceObjectByHandle(ProcessHandle
,
2996 PROCESS_VM_OPERATION
,
3001 if (!NT_SUCCESS(Status
)) return Status
;
3004 // Check if we should attach
3006 if (CurrentProcess
!= Process
)
3011 KeStackAttachProcess(&Process
->Pcb
, &ApcState
);
3016 // Do the actual work
3018 Status
= MiProtectVirtualMemory(Process
,
3020 &NumberOfBytesToProtect
,
3021 NewAccessProtection
,
3022 &OldAccessProtection
);
3027 if (Attached
) KeUnstackDetachProcess(&ApcState
);
3030 // Release reference
3032 ObDereferenceObject(Process
);
3035 // Enter SEH to return data
3040 // Return data to user
3042 *UnsafeOldAccessProtection
= OldAccessProtection
;
3043 *UnsafeBaseAddress
= BaseAddress
;
3044 *UnsafeNumberOfBytesToProtect
= NumberOfBytesToProtect
;
3046 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3063 // HACK until we have proper WSLIST support
3064 PMMWSLE Wsle
= &Pfn1
->Wsle
;
3066 if ((LockType
& MAP_PROCESS
) && (Wsle
->u1
.e1
.LockedInWs
))
3068 if ((LockType
& MAP_SYSTEM
) && (Wsle
->u1
.e1
.LockedInMemory
))
3080 // HACK until we have proper WSLIST support
3081 PMMWSLE Wsle
= &Pfn1
->Wsle
;
3083 if (!Wsle
->u1
.e1
.LockedInWs
&&
3084 !Wsle
->u1
.e1
.LockedInMemory
)
3086 MiReferenceProbedPageAndBumpLockCount(Pfn1
);
3089 if (LockType
& MAP_PROCESS
)
3090 Wsle
->u1
.e1
.LockedInWs
= 1;
3091 if (LockType
& MAP_SYSTEM
)
3092 Wsle
->u1
.e1
.LockedInMemory
= 1;
3101 // HACK until we have proper WSLIST support
3102 PMMWSLE Wsle
= &Pfn1
->Wsle
;
3104 if (LockType
& MAP_PROCESS
)
3105 Wsle
->u1
.e1
.LockedInWs
= 0;
3106 if (LockType
& MAP_SYSTEM
)
3107 Wsle
->u1
.e1
.LockedInMemory
= 0;
3109 if (!Wsle
->u1
.e1
.LockedInWs
&&
3110 !Wsle
->u1
.e1
.LockedInMemory
)
3112 MiDereferencePfnAndDropLockCount(Pfn1
);
3118 MiCheckVadsForLockOperation(
3119 _Inout_ PVOID
*BaseAddress
,
3120 _Inout_ PSIZE_T RegionSize
,
3121 _Inout_ PVOID
*EndAddress
)
3127 /* Get the base address and align the start address */
3128 *EndAddress
= (PUCHAR
)*BaseAddress
+ *RegionSize
;
3129 *EndAddress
= ALIGN_UP_POINTER_BY(*EndAddress
, PAGE_SIZE
);
3130 *BaseAddress
= ALIGN_DOWN_POINTER_BY(*BaseAddress
, PAGE_SIZE
);
3132 /* First loop and check all VADs */
3133 CurrentVa
= *BaseAddress
;
3134 while (CurrentVa
< *EndAddress
)
3137 Vad
= MiLocateAddress(CurrentVa
);
3140 /// FIXME: this might be a memory area for a section view...
3141 return STATUS_ACCESS_VIOLATION
;
3144 /* Check VAD type */
3145 if ((Vad
->u
.VadFlags
.VadType
!= VadNone
) &&
3146 (Vad
->u
.VadFlags
.VadType
!= VadImageMap
) &&
3147 (Vad
->u
.VadFlags
.VadType
!= VadWriteWatch
))
3149 *EndAddress
= CurrentVa
;
3150 *RegionSize
= (PUCHAR
)*EndAddress
- (PUCHAR
)*BaseAddress
;
3151 return STATUS_INCOMPATIBLE_FILE_MAP
;
3154 CurrentVa
= (PVOID
)((Vad
->EndingVpn
+ 1) << PAGE_SHIFT
);
3157 *RegionSize
= (PUCHAR
)*EndAddress
- (PUCHAR
)*BaseAddress
;
3158 return STATUS_SUCCESS
;
3163 MiLockVirtualMemory(
3164 IN OUT PVOID
*BaseAddress
,
3165 IN OUT PSIZE_T RegionSize
,
3168 PEPROCESS CurrentProcess
;
3169 PMMSUPPORT AddressSpace
;
3170 PVOID CurrentVa
, EndAddress
;
3171 PMMPTE PointerPte
, LastPte
;
3173 #if (_MI_PAGING_LEVELS >= 3)
3176 #if (_MI_PAGING_LEVELS == 4)
3180 NTSTATUS Status
, TempStatus
;
3182 /* Lock the address space */
3183 AddressSpace
= MmGetCurrentAddressSpace();
3184 MmLockAddressSpace(AddressSpace
);
3186 /* Make sure we still have an address space */
3187 CurrentProcess
= PsGetCurrentProcess();
3188 if (CurrentProcess
->VmDeleted
)
3190 Status
= STATUS_PROCESS_IS_TERMINATING
;
3194 /* Check the VADs in the requested range */
3195 Status
= MiCheckVadsForLockOperation(BaseAddress
, RegionSize
, &EndAddress
);
3196 if (!NT_SUCCESS(Status
))
3201 /* Enter SEH for probing */
3204 /* Loop all pages and probe them */
3205 CurrentVa
= *BaseAddress
;
3206 while (CurrentVa
< EndAddress
)
3208 (void)(*(volatile CHAR
*)CurrentVa
);
3209 CurrentVa
= (PUCHAR
)CurrentVa
+ PAGE_SIZE
;
3212 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3214 Status
= _SEH2_GetExceptionCode();
3219 /* All pages were accessible, since we hold the address space lock, nothing
3220 can be de-committed. Assume success for now. */
3221 Status
= STATUS_SUCCESS
;
3223 /* Get the PTE and PDE */
3224 PointerPte
= MiAddressToPte(*BaseAddress
);
3225 PointerPde
= MiAddressToPde(*BaseAddress
);
3226 #if (_MI_PAGING_LEVELS >= 3)
3227 PointerPpe
= MiAddressToPpe(*BaseAddress
);
3229 #if (_MI_PAGING_LEVELS == 4)
3230 PointerPxe
= MiAddressToPxe(*BaseAddress
);
3233 /* Get the last PTE */
3234 LastPte
= MiAddressToPte((PVOID
)((ULONG_PTR
)EndAddress
- 1));
3236 /* Lock the process working set */
3237 MiLockProcessWorkingSet(CurrentProcess
, PsGetCurrentThread());
3239 /* Loop the pages */
3242 /* Check for a page that is not accessible */
3244 #if (_MI_PAGING_LEVELS == 4)
3245 (PointerPxe
->u
.Hard
.Valid
== 0) ||
3247 #if (_MI_PAGING_LEVELS >= 3)
3248 (PointerPpe
->u
.Hard
.Valid
== 0) ||
3250 (PointerPde
->u
.Hard
.Valid
== 0) ||
3251 (PointerPte
->u
.Hard
.Valid
== 0))
3253 /* Release process working set */
3254 MiUnlockProcessWorkingSet(CurrentProcess
, PsGetCurrentThread());
3256 /* Access the page */
3257 CurrentVa
= MiPteToAddress(PointerPte
);
3259 //HACK: Pass a placeholder TrapInformation so the fault handler knows we're unlocked
3260 TempStatus
= MmAccessFault(TRUE
, CurrentVa
, KernelMode
, (PVOID
)0xBADBADA3);
3261 if (!NT_SUCCESS(TempStatus
))
3263 // This should only happen, when remote backing storage is not accessible
3265 Status
= TempStatus
;
3269 /* Lock the process working set */
3270 MiLockProcessWorkingSet(CurrentProcess
, PsGetCurrentThread());
3274 Pfn1
= MiGetPfnEntry(PFN_FROM_PTE(PointerPte
));
3275 ASSERT(Pfn1
!= NULL
);
3277 /* Check the previous lock status */
3278 if (MI_IS_LOCKED_VA(Pfn1
, MapType
))
3280 Status
= STATUS_WAS_LOCKED
;
3284 MI_LOCK_VA(Pfn1
, MapType
);
3286 /* Go to the next PTE */
3289 /* Check if we're on a PDE boundary */
3290 if (MiIsPteOnPdeBoundary(PointerPte
)) PointerPde
++;
3291 #if (_MI_PAGING_LEVELS >= 3)
3292 if (MiIsPteOnPpeBoundary(PointerPte
)) PointerPpe
++;
3294 #if (_MI_PAGING_LEVELS == 4)
3295 if (MiIsPteOnPxeBoundary(PointerPte
)) PointerPxe
++;
3297 } while (PointerPte
<= LastPte
);
3299 /* Release process working set */
3300 MiUnlockProcessWorkingSet(CurrentProcess
, PsGetCurrentThread());
3303 /* Unlock address space */
3304 MmUnlockAddressSpace(AddressSpace
);
3311 NtLockVirtualMemory(IN HANDLE ProcessHandle
,
3312 IN OUT PVOID
*BaseAddress
,
3313 IN OUT PSIZE_T NumberOfBytesToLock
,
3317 PEPROCESS CurrentProcess
= PsGetCurrentProcess();
3319 BOOLEAN Attached
= FALSE
;
3320 KAPC_STATE ApcState
;
3321 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
3322 PVOID CapturedBaseAddress
;
3323 SIZE_T CapturedBytesToLock
;
3329 if ((MapType
& ~(MAP_PROCESS
| MAP_SYSTEM
)))
3332 // Invalid set of flags
3334 return STATUS_INVALID_PARAMETER
;
3338 // At least one flag must be specified
3340 if (!(MapType
& (MAP_PROCESS
| MAP_SYSTEM
)))
3345 return STATUS_INVALID_PARAMETER
;
3349 // Enter SEH for probing
3354 // Validate output data
3356 ProbeForWritePointer(BaseAddress
);
3357 ProbeForWriteSize_t(NumberOfBytesToLock
);
3362 CapturedBaseAddress
= *BaseAddress
;
3363 CapturedBytesToLock
= *NumberOfBytesToLock
;
3365 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3368 // Get exception code
3370 _SEH2_YIELD(return _SEH2_GetExceptionCode());
3375 // Catch illegal base address
3377 if (CapturedBaseAddress
> MM_HIGHEST_USER_ADDRESS
) return STATUS_INVALID_PARAMETER
;
3380 // Catch illegal region size
3382 if ((MmUserProbeAddress
- (ULONG_PTR
)CapturedBaseAddress
) < CapturedBytesToLock
)
3387 return STATUS_INVALID_PARAMETER
;
3391 // 0 is also illegal
3393 if (!CapturedBytesToLock
) return STATUS_INVALID_PARAMETER
;
3396 // Get a reference to the process
3398 Status
= ObReferenceObjectByHandle(ProcessHandle
,
3399 PROCESS_VM_OPERATION
,
3404 if (!NT_SUCCESS(Status
)) return Status
;
3407 // Check if this is is system-mapped
3409 if (MapType
& MAP_SYSTEM
)
3412 // Check for required privilege
3414 if (!SeSinglePrivilegeCheck(SeLockMemoryPrivilege
, PreviousMode
))
3417 // Fail: Don't have it
3419 ObDereferenceObject(Process
);
3420 return STATUS_PRIVILEGE_NOT_HELD
;
3425 // Check if we should attach
3427 if (CurrentProcess
!= Process
)
3432 KeStackAttachProcess(&Process
->Pcb
, &ApcState
);
3437 // Call the internal function
3439 Status
= MiLockVirtualMemory(&CapturedBaseAddress
,
3440 &CapturedBytesToLock
,
3446 if (Attached
) KeUnstackDetachProcess(&ApcState
);
3449 // Release reference
3451 ObDereferenceObject(Process
);
3454 // Enter SEH to return data
3459 // Return data to user
3461 *BaseAddress
= CapturedBaseAddress
;
3462 *NumberOfBytesToLock
= CapturedBytesToLock
;
3464 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3467 // Get exception code
3469 _SEH2_YIELD(return _SEH2_GetExceptionCode());
3482 MiUnlockVirtualMemory(
3483 IN OUT PVOID
*BaseAddress
,
3484 IN OUT PSIZE_T RegionSize
,
3487 PEPROCESS CurrentProcess
;
3488 PMMSUPPORT AddressSpace
;
3490 PMMPTE PointerPte
, LastPte
;
3492 #if (_MI_PAGING_LEVELS >= 3)
3495 #if (_MI_PAGING_LEVELS == 4)
3501 /* Lock the address space */
3502 AddressSpace
= MmGetCurrentAddressSpace();
3503 MmLockAddressSpace(AddressSpace
);
3505 /* Make sure we still have an address space */
3506 CurrentProcess
= PsGetCurrentProcess();
3507 if (CurrentProcess
->VmDeleted
)
3509 Status
= STATUS_PROCESS_IS_TERMINATING
;
3513 /* Check the VADs in the requested range */
3514 Status
= MiCheckVadsForLockOperation(BaseAddress
, RegionSize
, &EndAddress
);
3516 /* Note: only bail out, if we hit an area without a VAD. If we hit an
3517 incompatible VAD we continue, like Windows does */
3518 if (Status
== STATUS_ACCESS_VIOLATION
)
3520 Status
= STATUS_NOT_LOCKED
;
3524 /* Get the PTE and PDE */
3525 PointerPte
= MiAddressToPte(*BaseAddress
);
3526 PointerPde
= MiAddressToPde(*BaseAddress
);
3527 #if (_MI_PAGING_LEVELS >= 3)
3528 PointerPpe
= MiAddressToPpe(*BaseAddress
);
3530 #if (_MI_PAGING_LEVELS == 4)
3531 PointerPxe
= MiAddressToPxe(*BaseAddress
);
3534 /* Get the last PTE */
3535 LastPte
= MiAddressToPte((PVOID
)((ULONG_PTR
)EndAddress
- 1));
3537 /* Lock the process working set */
3538 MiLockProcessWorkingSet(CurrentProcess
, PsGetCurrentThread());
3540 /* Loop the pages */
3543 /* Check for a page that is not present */
3545 #if (_MI_PAGING_LEVELS == 4)
3546 (PointerPxe
->u
.Hard
.Valid
== 0) ||
3548 #if (_MI_PAGING_LEVELS >= 3)
3549 (PointerPpe
->u
.Hard
.Valid
== 0) ||
3551 (PointerPde
->u
.Hard
.Valid
== 0) ||
3552 (PointerPte
->u
.Hard
.Valid
== 0))
3554 /* Remember it, but keep going */
3555 Status
= STATUS_NOT_LOCKED
;
3560 Pfn1
= MiGetPfnEntry(PFN_FROM_PTE(PointerPte
));
3561 ASSERT(Pfn1
!= NULL
);
3563 /* Check if all of the requested locks are present */
3564 if (((MapType
& MAP_SYSTEM
) && !MI_IS_LOCKED_VA(Pfn1
, MAP_SYSTEM
)) ||
3565 ((MapType
& MAP_PROCESS
) && !MI_IS_LOCKED_VA(Pfn1
, MAP_PROCESS
)))
3567 /* Remember it, but keep going */
3568 Status
= STATUS_NOT_LOCKED
;
3570 /* Check if no lock is present */
3571 if (!MI_IS_LOCKED_VA(Pfn1
, MAP_PROCESS
| MAP_SYSTEM
))
3573 DPRINT1("FIXME: Should remove the page from WS\n");
3578 /* Go to the next PTE */
3581 /* Check if we're on a PDE boundary */
3582 if (MiIsPteOnPdeBoundary(PointerPte
)) PointerPde
++;
3583 #if (_MI_PAGING_LEVELS >= 3)
3584 if (MiIsPteOnPpeBoundary(PointerPte
)) PointerPpe
++;
3586 #if (_MI_PAGING_LEVELS == 4)
3587 if (MiIsPteOnPxeBoundary(PointerPte
)) PointerPxe
++;
3589 } while (PointerPte
<= LastPte
);
3591 /* Check if we hit a page that was not locked */
3592 if (Status
== STATUS_NOT_LOCKED
)
3594 goto CleanupWithWsLock
;
3597 /* All pages in the region were locked, so unlock them all */
3599 /* Get the PTE and PDE */
3600 PointerPte
= MiAddressToPte(*BaseAddress
);
3601 PointerPde
= MiAddressToPde(*BaseAddress
);
3602 #if (_MI_PAGING_LEVELS >= 3)
3603 PointerPpe
= MiAddressToPpe(*BaseAddress
);
3605 #if (_MI_PAGING_LEVELS == 4)
3606 PointerPxe
= MiAddressToPxe(*BaseAddress
);
3609 /* Loop the pages */
3613 Pfn1
= MiGetPfnEntry(PFN_FROM_PTE(PointerPte
));
3614 MI_UNLOCK_VA(Pfn1
, MapType
);
3616 /* Go to the next PTE */
3619 /* Check if we're on a PDE boundary */
3620 if (MiIsPteOnPdeBoundary(PointerPte
)) PointerPde
++;
3621 #if (_MI_PAGING_LEVELS >= 3)
3622 if (MiIsPteOnPpeBoundary(PointerPte
)) PointerPpe
++;
3624 #if (_MI_PAGING_LEVELS == 4)
3625 if (MiIsPteOnPxeBoundary(PointerPte
)) PointerPxe
++;
3627 } while (PointerPte
<= LastPte
);
3629 /* Everything is done */
3630 Status
= STATUS_SUCCESS
;
3634 /* Release process working set */
3635 MiUnlockProcessWorkingSet(CurrentProcess
, PsGetCurrentThread());
3638 /* Unlock address space */
3639 MmUnlockAddressSpace(AddressSpace
);
3647 NtUnlockVirtualMemory(IN HANDLE ProcessHandle
,
3648 IN OUT PVOID
*BaseAddress
,
3649 IN OUT PSIZE_T NumberOfBytesToUnlock
,
3653 PEPROCESS CurrentProcess
= PsGetCurrentProcess();
3655 BOOLEAN Attached
= FALSE
;
3656 KAPC_STATE ApcState
;
3657 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
3658 PVOID CapturedBaseAddress
;
3659 SIZE_T CapturedBytesToUnlock
;
3665 if ((MapType
& ~(MAP_PROCESS
| MAP_SYSTEM
)))
3668 // Invalid set of flags
3670 return STATUS_INVALID_PARAMETER
;
3674 // At least one flag must be specified
3676 if (!(MapType
& (MAP_PROCESS
| MAP_SYSTEM
)))
3681 return STATUS_INVALID_PARAMETER
;
3685 // Enter SEH for probing
3690 // Validate output data
3692 ProbeForWritePointer(BaseAddress
);
3693 ProbeForWriteSize_t(NumberOfBytesToUnlock
);
3698 CapturedBaseAddress
= *BaseAddress
;
3699 CapturedBytesToUnlock
= *NumberOfBytesToUnlock
;
3701 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3704 // Get exception code
3706 _SEH2_YIELD(return _SEH2_GetExceptionCode());
3711 // Catch illegal base address
3713 if (CapturedBaseAddress
> MM_HIGHEST_USER_ADDRESS
) return STATUS_INVALID_PARAMETER
;
3716 // Catch illegal region size
3718 if ((MmUserProbeAddress
- (ULONG_PTR
)CapturedBaseAddress
) < CapturedBytesToUnlock
)
3723 return STATUS_INVALID_PARAMETER
;
3727 // 0 is also illegal
3729 if (!CapturedBytesToUnlock
) return STATUS_INVALID_PARAMETER
;
3732 // Get a reference to the process
3734 Status
= ObReferenceObjectByHandle(ProcessHandle
,
3735 PROCESS_VM_OPERATION
,
3740 if (!NT_SUCCESS(Status
)) return Status
;
3743 // Check if this is is system-mapped
3745 if (MapType
& MAP_SYSTEM
)
3748 // Check for required privilege
3750 if (!SeSinglePrivilegeCheck(SeLockMemoryPrivilege
, PreviousMode
))
3753 // Fail: Don't have it
3755 ObDereferenceObject(Process
);
3756 return STATUS_PRIVILEGE_NOT_HELD
;
3761 // Check if we should attach
3763 if (CurrentProcess
!= Process
)
3768 KeStackAttachProcess(&Process
->Pcb
, &ApcState
);
3773 // Call the internal function
3775 Status
= MiUnlockVirtualMemory(&CapturedBaseAddress
,
3776 &CapturedBytesToUnlock
,
3782 if (Attached
) KeUnstackDetachProcess(&ApcState
);
3785 // Release reference
3787 ObDereferenceObject(Process
);
3790 // Enter SEH to return data
3795 // Return data to user
3797 *BaseAddress
= CapturedBaseAddress
;
3798 *NumberOfBytesToUnlock
= CapturedBytesToUnlock
;
3800 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3803 // Get exception code
3805 _SEH2_YIELD(return _SEH2_GetExceptionCode());
3812 return STATUS_SUCCESS
;
3817 NtFlushVirtualMemory(IN HANDLE ProcessHandle
,
3818 IN OUT PVOID
*BaseAddress
,
3819 IN OUT PSIZE_T NumberOfBytesToFlush
,
3820 OUT PIO_STATUS_BLOCK IoStatusBlock
)
3824 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
3825 PVOID CapturedBaseAddress
;
3826 SIZE_T CapturedBytesToFlush
;
3827 IO_STATUS_BLOCK LocalStatusBlock
;
3831 // Check if we came from user mode
3833 if (PreviousMode
!= KernelMode
)
3836 // Enter SEH for probing
3841 // Validate all outputs
3843 ProbeForWritePointer(BaseAddress
);
3844 ProbeForWriteSize_t(NumberOfBytesToFlush
);
3845 ProbeForWriteIoStatusBlock(IoStatusBlock
);
3850 CapturedBaseAddress
= *BaseAddress
;
3851 CapturedBytesToFlush
= *NumberOfBytesToFlush
;
3853 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3856 // Get exception code
3858 _SEH2_YIELD(return _SEH2_GetExceptionCode());
3867 CapturedBaseAddress
= *BaseAddress
;
3868 CapturedBytesToFlush
= *NumberOfBytesToFlush
;
3872 // Catch illegal base address
3874 if (CapturedBaseAddress
> MM_HIGHEST_USER_ADDRESS
) return STATUS_INVALID_PARAMETER
;
3877 // Catch illegal region size
3879 if ((MmUserProbeAddress
- (ULONG_PTR
)CapturedBaseAddress
) < CapturedBytesToFlush
)
3884 return STATUS_INVALID_PARAMETER
;
3888 // Get a reference to the process
3890 Status
= ObReferenceObjectByHandle(ProcessHandle
,
3891 PROCESS_VM_OPERATION
,
3896 if (!NT_SUCCESS(Status
)) return Status
;
3901 Status
= MmFlushVirtualMemory(Process
,
3902 &CapturedBaseAddress
,
3903 &CapturedBytesToFlush
,
3907 // Release reference
3909 ObDereferenceObject(Process
);
3912 // Enter SEH to return data
3917 // Return data to user
3919 *BaseAddress
= PAGE_ALIGN(CapturedBaseAddress
);
3920 *NumberOfBytesToFlush
= 0;
3921 *IoStatusBlock
= LocalStatusBlock
;
3923 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3939 NtGetWriteWatch(IN HANDLE ProcessHandle
,
3941 IN PVOID BaseAddress
,
3942 IN SIZE_T RegionSize
,
3943 IN PVOID
*UserAddressArray
,
3944 OUT PULONG_PTR EntriesInUserAddressArray
,
3945 OUT PULONG Granularity
)
3950 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
3951 ULONG_PTR CapturedEntryCount
;
3955 // Check if we came from user mode
3957 if (PreviousMode
!= KernelMode
)
3960 // Enter SEH for probing
3965 // Catch illegal base address
3967 if (BaseAddress
> MM_HIGHEST_USER_ADDRESS
) _SEH2_YIELD(return STATUS_INVALID_PARAMETER_2
);
3970 // Catch illegal region size
3972 if ((MmUserProbeAddress
- (ULONG_PTR
)BaseAddress
) < RegionSize
)
3977 _SEH2_YIELD(return STATUS_INVALID_PARAMETER_3
);
3981 // Validate all data
3983 ProbeForWriteSize_t(EntriesInUserAddressArray
);
3984 ProbeForWriteUlong(Granularity
);
3989 CapturedEntryCount
= *EntriesInUserAddressArray
;
3992 // Must have a count
3994 if (CapturedEntryCount
== 0) _SEH2_YIELD(return STATUS_INVALID_PARAMETER_5
);
3997 // Can't be larger than the maximum
3999 if (CapturedEntryCount
> (MAXULONG_PTR
/ sizeof(ULONG_PTR
)))
4004 _SEH2_YIELD(return STATUS_INVALID_PARAMETER_5
);
4008 // Probe the actual array
4010 ProbeForWrite(UserAddressArray
,
4011 CapturedEntryCount
* sizeof(PVOID
),
4014 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
4017 // Get exception code
4019 _SEH2_YIELD(return _SEH2_GetExceptionCode());
4028 CapturedEntryCount
= *EntriesInUserAddressArray
;
4029 ASSERT(CapturedEntryCount
!= 0);
4033 // Check if this is a local request
4035 if (ProcessHandle
== NtCurrentProcess())
4038 // No need to reference the process
4040 Process
= PsGetCurrentProcess();
4045 // Reference the target
4047 Status
= ObReferenceObjectByHandle(ProcessHandle
,
4048 PROCESS_VM_OPERATION
,
4053 if (!NT_SUCCESS(Status
)) return Status
;
4057 // Compute the last address and validate it
4059 EndAddress
= (PVOID
)((ULONG_PTR
)BaseAddress
+ RegionSize
- 1);
4060 if (BaseAddress
> EndAddress
)
4065 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
4066 return STATUS_INVALID_PARAMETER_4
;
4075 // Dereference if needed
4077 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
4080 // Enter SEH to return data
4085 // Return data to user
4087 *EntriesInUserAddressArray
= 0;
4088 *Granularity
= PAGE_SIZE
;
4090 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
4093 // Get exception code
4095 Status
= _SEH2_GetExceptionCode();
4102 return STATUS_SUCCESS
;
4110 NtResetWriteWatch(IN HANDLE ProcessHandle
,
4111 IN PVOID BaseAddress
,
4112 IN SIZE_T RegionSize
)
4117 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
4118 ASSERT (KeGetCurrentIrql() == PASSIVE_LEVEL
);
4121 // Catch illegal base address
4123 if (BaseAddress
> MM_HIGHEST_USER_ADDRESS
) return STATUS_INVALID_PARAMETER_2
;
4126 // Catch illegal region size
4128 if ((MmUserProbeAddress
- (ULONG_PTR
)BaseAddress
) < RegionSize
)
4133 return STATUS_INVALID_PARAMETER_3
;
4137 // Check if this is a local request
4139 if (ProcessHandle
== NtCurrentProcess())
4142 // No need to reference the process
4144 Process
= PsGetCurrentProcess();
4149 // Reference the target
4151 Status
= ObReferenceObjectByHandle(ProcessHandle
,
4152 PROCESS_VM_OPERATION
,
4157 if (!NT_SUCCESS(Status
)) return Status
;
4161 // Compute the last address and validate it
4163 EndAddress
= (PVOID
)((ULONG_PTR
)BaseAddress
+ RegionSize
- 1);
4164 if (BaseAddress
> EndAddress
)
4169 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
4170 return STATUS_INVALID_PARAMETER_3
;
4179 // Dereference if needed
4181 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
4186 return STATUS_SUCCESS
;
4191 NtQueryVirtualMemory(IN HANDLE ProcessHandle
,
4192 IN PVOID BaseAddress
,
4193 IN MEMORY_INFORMATION_CLASS MemoryInformationClass
,
4194 OUT PVOID MemoryInformation
,
4195 IN SIZE_T MemoryInformationLength
,
4196 OUT PSIZE_T ReturnLength
)
4198 NTSTATUS Status
= STATUS_SUCCESS
;
4199 KPROCESSOR_MODE PreviousMode
;
4201 DPRINT("Querying class %d about address: %p\n", MemoryInformationClass
, BaseAddress
);
4203 /* Bail out if the address is invalid */
4204 if (BaseAddress
> MM_HIGHEST_USER_ADDRESS
) return STATUS_INVALID_PARAMETER
;
4206 /* Probe return buffer */
4207 PreviousMode
= ExGetPreviousMode();
4208 if (PreviousMode
!= KernelMode
)
4212 ProbeForWrite(MemoryInformation
,
4213 MemoryInformationLength
,
4216 if (ReturnLength
) ProbeForWriteSize_t(ReturnLength
);
4218 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
4220 Status
= _SEH2_GetExceptionCode();
4224 if (!NT_SUCCESS(Status
))
4230 switch(MemoryInformationClass
)
4232 case MemoryBasicInformation
:
4233 /* Validate the size information of the class */
4234 if (MemoryInformationLength
< sizeof(MEMORY_BASIC_INFORMATION
))
4236 /* The size is invalid */
4237 return STATUS_INFO_LENGTH_MISMATCH
;
4239 Status
= MiQueryMemoryBasicInformation(ProcessHandle
,
4242 MemoryInformationLength
,
4246 case MemorySectionName
:
4247 /* Validate the size information of the class */
4248 if (MemoryInformationLength
< sizeof(MEMORY_SECTION_NAME
))
4250 /* The size is invalid */
4251 return STATUS_INFO_LENGTH_MISMATCH
;
4253 Status
= MiQueryMemorySectionName(ProcessHandle
,
4256 MemoryInformationLength
,
4259 case MemoryWorkingSetList
:
4260 case MemoryBasicVlmInformation
:
4262 DPRINT1("Unhandled memory information class %d\n", MemoryInformationClass
);
4274 NtAllocateVirtualMemory(IN HANDLE ProcessHandle
,
4275 IN OUT PVOID
* UBaseAddress
,
4276 IN ULONG_PTR ZeroBits
,
4277 IN OUT PSIZE_T URegionSize
,
4278 IN ULONG AllocationType
,
4282 PMEMORY_AREA MemoryArea
;
4283 PFN_NUMBER PageCount
;
4284 PMMVAD Vad
= NULL
, FoundVad
;
4286 PMMSUPPORT AddressSpace
;
4288 ULONG_PTR PRegionSize
, StartingAddress
, EndingAddress
, HighestAddress
;
4289 PEPROCESS CurrentProcess
= PsGetCurrentProcess();
4290 KPROCESSOR_MODE PreviousMode
= KeGetPreviousMode();
4291 PETHREAD CurrentThread
= PsGetCurrentThread();
4292 KAPC_STATE ApcState
;
4293 ULONG ProtectionMask
, QuotaCharge
= 0, QuotaFree
= 0;
4294 BOOLEAN Attached
= FALSE
, ChangeProtection
= FALSE
;
4296 PMMPTE PointerPte
, PointerPde
, LastPte
;
4297 TABLE_SEARCH_RESULT Result
;
4298 PMMADDRESS_NODE Parent
;
4301 /* Check for valid Zero bits */
4302 if (ZeroBits
> MI_MAX_ZERO_BITS
)
4304 DPRINT1("Too many zero bits\n");
4305 return STATUS_INVALID_PARAMETER_3
;
4308 /* Check for valid Allocation Types */
4309 if ((AllocationType
& ~(MEM_COMMIT
| MEM_RESERVE
| MEM_RESET
| MEM_PHYSICAL
|
4310 MEM_TOP_DOWN
| MEM_WRITE_WATCH
| MEM_LARGE_PAGES
)))
4312 DPRINT1("Invalid Allocation Type\n");
4313 return STATUS_INVALID_PARAMETER_5
;
4316 /* Check for at least one of these Allocation Types to be set */
4317 if (!(AllocationType
& (MEM_COMMIT
| MEM_RESERVE
| MEM_RESET
)))
4319 DPRINT1("No memory allocation base type\n");
4320 return STATUS_INVALID_PARAMETER_5
;
4323 /* MEM_RESET is an exclusive flag, make sure that is valid too */
4324 if ((AllocationType
& MEM_RESET
) && (AllocationType
!= MEM_RESET
))
4326 DPRINT1("Invalid use of MEM_RESET\n");
4327 return STATUS_INVALID_PARAMETER_5
;
4330 /* Check if large pages are being used */
4331 if (AllocationType
& MEM_LARGE_PAGES
)
4333 /* Large page allocations MUST be committed */
4334 if (!(AllocationType
& MEM_COMMIT
))
4336 DPRINT1("Must supply MEM_COMMIT with MEM_LARGE_PAGES\n");
4337 return STATUS_INVALID_PARAMETER_5
;
4340 /* These flags are not allowed with large page allocations */
4341 if (AllocationType
& (MEM_PHYSICAL
| MEM_RESET
| MEM_WRITE_WATCH
))
4343 DPRINT1("Using illegal flags with MEM_LARGE_PAGES\n");
4344 return STATUS_INVALID_PARAMETER_5
;
4348 /* MEM_WRITE_WATCH can only be used if MEM_RESERVE is also used */
4349 if ((AllocationType
& MEM_WRITE_WATCH
) && !(AllocationType
& MEM_RESERVE
))
4351 DPRINT1("MEM_WRITE_WATCH used without MEM_RESERVE\n");
4352 return STATUS_INVALID_PARAMETER_5
;
4355 /* Check for valid MEM_PHYSICAL usage */
4356 if (AllocationType
& MEM_PHYSICAL
)
4358 /* MEM_PHYSICAL can only be used if MEM_RESERVE is also used */
4359 if (!(AllocationType
& MEM_RESERVE
))
4361 DPRINT1("MEM_PHYSICAL used without MEM_RESERVE\n");
4362 return STATUS_INVALID_PARAMETER_5
;
4365 /* Only these flags are allowed with MEM_PHYSIAL */
4366 if (AllocationType
& ~(MEM_RESERVE
| MEM_TOP_DOWN
| MEM_PHYSICAL
))
4368 DPRINT1("Using illegal flags with MEM_PHYSICAL\n");
4369 return STATUS_INVALID_PARAMETER_5
;
4372 /* Then make sure PAGE_READWRITE is used */
4373 if (Protect
!= PAGE_READWRITE
)
4375 DPRINT1("MEM_PHYSICAL used without PAGE_READWRITE\n");
4376 return STATUS_INVALID_PARAMETER_6
;
4380 /* Calculate the protection mask and make sure it's valid */
4381 ProtectionMask
= MiMakeProtectionMask(Protect
);
4382 if (ProtectionMask
== MM_INVALID_PROTECTION
)
4384 DPRINT1("Invalid protection mask\n");
4385 return STATUS_INVALID_PAGE_PROTECTION
;
4391 /* Check for user-mode parameters */
4392 if (PreviousMode
!= KernelMode
)
4394 /* Make sure they are writable */
4395 ProbeForWritePointer(UBaseAddress
);
4396 ProbeForWriteSize_t(URegionSize
);
4399 /* Capture their values */
4400 PBaseAddress
= *UBaseAddress
;
4401 PRegionSize
= *URegionSize
;
4403 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
4405 /* Return the exception code */
4406 _SEH2_YIELD(return _SEH2_GetExceptionCode());
4410 /* Make sure the allocation isn't past the VAD area */
4411 if (PBaseAddress
> MM_HIGHEST_VAD_ADDRESS
)
4413 DPRINT1("Virtual allocation base above User Space\n");
4414 return STATUS_INVALID_PARAMETER_2
;
4417 /* Make sure the allocation wouldn't overflow past the VAD area */
4418 if ((((ULONG_PTR
)MM_HIGHEST_VAD_ADDRESS
+ 1) - (ULONG_PTR
)PBaseAddress
) < PRegionSize
)
4420 DPRINT1("Region size would overflow into kernel-memory\n");
4421 return STATUS_INVALID_PARAMETER_4
;
4424 /* Make sure there's a size specified */
4427 DPRINT1("Region size is invalid (zero)\n");
4428 return STATUS_INVALID_PARAMETER_4
;
4432 // If this is for the current process, just use PsGetCurrentProcess
4434 if (ProcessHandle
== NtCurrentProcess())
4436 Process
= CurrentProcess
;
4441 // Otherwise, reference the process with VM rights and attach to it if
4442 // this isn't the current process. We must attach because we'll be touching
4443 // PTEs and PDEs that belong to user-mode memory, and also touching the
4444 // Working Set which is stored in Hyperspace.
4446 Status
= ObReferenceObjectByHandle(ProcessHandle
,
4447 PROCESS_VM_OPERATION
,
4452 if (!NT_SUCCESS(Status
)) return Status
;
4453 if (CurrentProcess
!= Process
)
4455 KeStackAttachProcess(&Process
->Pcb
, &ApcState
);
4460 DPRINT("NtAllocateVirtualMemory: Process 0x%p, Address 0x%p, Zerobits %lu , RegionSize 0x%x, Allocation type 0x%x, Protect 0x%x.\n",
4461 Process
, PBaseAddress
, ZeroBits
, PRegionSize
, AllocationType
, Protect
);
4464 // Check for large page allocations and make sure that the required privilege
4465 // is being held, before attempting to handle them.
4467 if ((AllocationType
& MEM_LARGE_PAGES
) &&
4468 !(SeSinglePrivilegeCheck(SeLockMemoryPrivilege
, PreviousMode
)))
4470 /* Fail without it */
4471 DPRINT1("Privilege not held for MEM_LARGE_PAGES\n");
4472 Status
= STATUS_PRIVILEGE_NOT_HELD
;
4473 goto FailPathNoLock
;
4477 // Fail on the things we don't yet support
4479 if ((AllocationType
& MEM_LARGE_PAGES
) == MEM_LARGE_PAGES
)
4481 DPRINT1("MEM_LARGE_PAGES not supported\n");
4482 Status
= STATUS_INVALID_PARAMETER
;
4483 goto FailPathNoLock
;
4485 if ((AllocationType
& MEM_PHYSICAL
) == MEM_PHYSICAL
)
4487 DPRINT1("MEM_PHYSICAL not supported\n");
4488 Status
= STATUS_INVALID_PARAMETER
;
4489 goto FailPathNoLock
;
4491 if ((AllocationType
& MEM_WRITE_WATCH
) == MEM_WRITE_WATCH
)
4493 DPRINT1("MEM_WRITE_WATCH not supported\n");
4494 Status
= STATUS_INVALID_PARAMETER
;
4495 goto FailPathNoLock
;
4499 // Check if the caller is reserving memory, or committing memory and letting
4500 // us pick the base address
4502 if (!(PBaseAddress
) || (AllocationType
& MEM_RESERVE
))
4505 // Do not allow COPY_ON_WRITE through this API
4507 if (Protect
& (PAGE_WRITECOPY
| PAGE_EXECUTE_WRITECOPY
))
4509 DPRINT1("Copy on write not allowed through this path\n");
4510 Status
= STATUS_INVALID_PAGE_PROTECTION
;
4511 goto FailPathNoLock
;
4515 // Does the caller have an address in mind, or is this a blind commit?
4520 // This is a blind commit, all we need is the region size
4522 PRegionSize
= ROUND_TO_PAGES(PRegionSize
);
4523 PageCount
= BYTES_TO_PAGES(PRegionSize
);
4525 StartingAddress
= 0;
4528 // Check if ZeroBits were specified
4533 // Calculate the highest address and check if it's valid
4535 HighestAddress
= MAXULONG_PTR
>> ZeroBits
;
4536 if (HighestAddress
> (ULONG_PTR
)MM_HIGHEST_VAD_ADDRESS
)
4538 Status
= STATUS_INVALID_PARAMETER_3
;
4539 goto FailPathNoLock
;
4545 // Use the highest VAD address as maximum
4547 HighestAddress
= (ULONG_PTR
)MM_HIGHEST_VAD_ADDRESS
;
4553 // This is a reservation, so compute the starting address on the
4554 // expected 64KB granularity, and see where the ending address will
4555 // fall based on the aligned address and the passed in region size
4557 EndingAddress
= ((ULONG_PTR
)PBaseAddress
+ PRegionSize
- 1) | (PAGE_SIZE
- 1);
4558 StartingAddress
= ROUND_DOWN((ULONG_PTR
)PBaseAddress
, _64K
);
4559 PageCount
= BYTES_TO_PAGES(EndingAddress
- StartingAddress
);
4563 // Allocate and initialize the VAD
4565 Vad
= ExAllocatePoolWithTag(NonPagedPool
, sizeof(MMVAD_LONG
), 'SdaV');
4568 DPRINT1("Failed to allocate a VAD!\n");
4569 Status
= STATUS_INSUFFICIENT_RESOURCES
;
4570 goto FailPathNoLock
;
4573 Vad
->u
.LongFlags
= 0;
4574 if (AllocationType
& MEM_COMMIT
) Vad
->u
.VadFlags
.MemCommit
= 1;
4575 Vad
->u
.VadFlags
.Protection
= ProtectionMask
;
4576 Vad
->u
.VadFlags
.PrivateMemory
= 1;
4577 Vad
->u
.VadFlags
.CommitCharge
= AllocationType
& MEM_COMMIT
? PageCount
: 0;
4580 // Lock the address space and make sure the process isn't already dead
4582 AddressSpace
= MmGetCurrentAddressSpace();
4583 MmLockAddressSpace(AddressSpace
);
4584 if (Process
->VmDeleted
)
4586 Status
= STATUS_PROCESS_IS_TERMINATING
;
4591 // Did we have a base address? If no, find a valid address that is 64KB
4592 // aligned in the VAD tree. Otherwise, make sure that the address range
4593 // which was passed in isn't already conflicting with an existing address
4598 /* Which way should we search? */
4599 if ((AllocationType
& MEM_TOP_DOWN
) || Process
->VmTopDown
)
4601 /* Find an address top-down */
4602 Result
= MiFindEmptyAddressRangeDownTree(PRegionSize
,
4611 /* Find an address bottom-up */
4612 Result
= MiFindEmptyAddressRangeInTree(PRegionSize
,
4619 if (Result
== TableFoundNode
)
4621 Status
= STATUS_NO_MEMORY
;
4626 // Now we know where the allocation ends. Make sure it doesn't end up
4627 // somewhere in kernel mode.
4629 ASSERT(StartingAddress
!= 0);
4630 ASSERT(StartingAddress
< (ULONG_PTR
)MM_HIGHEST_USER_ADDRESS
);
4631 EndingAddress
= (StartingAddress
+ PRegionSize
- 1) | (PAGE_SIZE
- 1);
4632 ASSERT(EndingAddress
> StartingAddress
);
4633 if (EndingAddress
> HighestAddress
)
4635 Status
= STATUS_NO_MEMORY
;
4641 /* Make sure it doesn't conflict with an existing allocation */
4642 Result
= MiCheckForConflictingNode(StartingAddress
>> PAGE_SHIFT
,
4643 EndingAddress
>> PAGE_SHIFT
,
4646 if (Result
== TableFoundNode
)
4649 // The address specified is in conflict!
4651 Status
= STATUS_CONFLICTING_ADDRESSES
;
4657 // Write out the VAD fields for this allocation
4659 Vad
->StartingVpn
= StartingAddress
>> PAGE_SHIFT
;
4660 Vad
->EndingVpn
= EndingAddress
>> PAGE_SHIFT
;
4663 // FIXME: Should setup VAD bitmap
4665 Status
= STATUS_SUCCESS
;
4668 // Lock the working set and insert the VAD into the process VAD tree
4670 MiLockProcessWorkingSetUnsafe(Process
, CurrentThread
);
4671 Vad
->ControlArea
= NULL
; // For Memory-Area hack
4672 Process
->VadRoot
.NodeHint
= Vad
;
4673 MiInsertNode(&Process
->VadRoot
, (PVOID
)Vad
, Parent
, Result
);
4674 MiUnlockProcessWorkingSetUnsafe(Process
, CurrentThread
);
4677 // Make sure the actual region size is at least as big as the
4678 // requested region size and update the value
4680 ASSERT(PRegionSize
<= (EndingAddress
+ 1 - StartingAddress
));
4681 PRegionSize
= (EndingAddress
+ 1 - StartingAddress
);
4684 // Update the virtual size of the process, and if this is now the highest
4685 // virtual size we have ever seen, update the peak virtual size to reflect
4688 Process
->VirtualSize
+= PRegionSize
;
4689 if (Process
->VirtualSize
> Process
->PeakVirtualSize
)
4691 Process
->PeakVirtualSize
= Process
->VirtualSize
;
4695 // Release address space and detach and dereference the target process if
4696 // it was different from the current process
4698 MmUnlockAddressSpace(AddressSpace
);
4699 if (Attached
) KeUnstackDetachProcess(&ApcState
);
4700 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
4703 // Use SEH to write back the base address and the region size. In the case
4704 // of an exception, we do not return back the exception code, as the memory
4705 // *has* been allocated. The caller would now have to call VirtualQuery
4706 // or do some other similar trick to actually find out where its memory
4707 // allocation ended up
4711 *URegionSize
= PRegionSize
;
4712 *UBaseAddress
= (PVOID
)StartingAddress
;
4714 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
4717 // Ignore exception!
4721 DPRINT("Reserved %x bytes at %p.\n", PRegionSize
, StartingAddress
);
4722 return STATUS_SUCCESS
;
4726 // This is a MEM_COMMIT on top of an existing address which must have been
4727 // MEM_RESERVED already. Compute the start and ending base addresses based
4728 // on the user input, and then compute the actual region size once all the
4729 // alignments have been done.
4731 EndingAddress
= (((ULONG_PTR
)PBaseAddress
+ PRegionSize
- 1) | (PAGE_SIZE
- 1));
4732 StartingAddress
= (ULONG_PTR
)PAGE_ALIGN(PBaseAddress
);
4733 PRegionSize
= EndingAddress
- StartingAddress
+ 1;
4736 // Lock the address space and make sure the process isn't already dead
4738 AddressSpace
= MmGetCurrentAddressSpace();
4739 MmLockAddressSpace(AddressSpace
);
4740 if (Process
->VmDeleted
)
4742 DPRINT1("Process is dying\n");
4743 Status
= STATUS_PROCESS_IS_TERMINATING
;
4748 // Get the VAD for this address range, and make sure it exists
4750 Result
= MiCheckForConflictingNode(StartingAddress
>> PAGE_SHIFT
,
4751 EndingAddress
>> PAGE_SHIFT
,
4753 (PMMADDRESS_NODE
*)&FoundVad
);
4754 if (Result
!= TableFoundNode
)
4756 DPRINT1("Could not find a VAD for this allocation\n");
4757 Status
= STATUS_CONFLICTING_ADDRESSES
;
4761 if ((AllocationType
& MEM_RESET
) == MEM_RESET
)
4763 /// @todo HACK: pretend success
4764 DPRINT("MEM_RESET not supported\n");
4765 Status
= STATUS_SUCCESS
;
4770 // These kinds of VADs are illegal for this Windows function when trying to
4771 // commit an existing range
4773 if ((FoundVad
->u
.VadFlags
.VadType
== VadAwe
) ||
4774 (FoundVad
->u
.VadFlags
.VadType
== VadDevicePhysicalMemory
) ||
4775 (FoundVad
->u
.VadFlags
.VadType
== VadLargePages
))
4777 DPRINT1("Illegal VAD for attempting a MEM_COMMIT\n");
4778 Status
= STATUS_CONFLICTING_ADDRESSES
;
4783 // Make sure that this address range actually fits within the VAD for it
4785 if (((StartingAddress
>> PAGE_SHIFT
) < FoundVad
->StartingVpn
) ||
4786 ((EndingAddress
>> PAGE_SHIFT
) > FoundVad
->EndingVpn
))
4788 DPRINT1("Address range does not fit into the VAD\n");
4789 Status
= STATUS_CONFLICTING_ADDRESSES
;
4794 // Make sure this is an ARM3 section
4796 MemoryArea
= MmLocateMemoryAreaByAddress(AddressSpace
, (PVOID
)PAGE_ROUND_DOWN(PBaseAddress
));
4797 if (MemoryArea
->Type
!= MEMORY_AREA_OWNED_BY_ARM3
)
4799 DPRINT1("Illegal commit of non-ARM3 section!\n");
4800 Status
= STATUS_ALREADY_COMMITTED
;
4804 // Is this a previously reserved section being committed? If so, enter the
4805 // special section path
4807 if (FoundVad
->u
.VadFlags
.PrivateMemory
== FALSE
)
4810 // You cannot commit large page sections through this API
4812 if (FoundVad
->u
.VadFlags
.VadType
== VadLargePageSection
)
4814 DPRINT1("Large page sections cannot be VirtualAlloc'd\n");
4815 Status
= STATUS_INVALID_PAGE_PROTECTION
;
4820 // You can only use caching flags on a rotate VAD
4822 if ((Protect
& (PAGE_NOCACHE
| PAGE_WRITECOMBINE
)) &&
4823 (FoundVad
->u
.VadFlags
.VadType
!= VadRotatePhysical
))
4825 DPRINT1("Cannot use caching flags with anything but rotate VADs\n");
4826 Status
= STATUS_INVALID_PAGE_PROTECTION
;
4831 // We should make sure that the section's permissions aren't being
4834 if (FoundVad
->u
.VadFlags
.NoChange
)
4837 // Make sure it's okay to touch it
4838 // Note: The Windows 2003 kernel has a bug here, passing the
4839 // unaligned base address together with the aligned size,
4840 // potentially covering a region larger than the actual allocation.
4841 // Might be exposed through NtGdiCreateDIBSection w/ section handle
4842 // For now we keep this behavior.
4843 // TODO: analyze possible implications, create test case
4845 Status
= MiCheckSecuredVad(FoundVad
,
4849 if (!NT_SUCCESS(Status
))
4851 DPRINT1("Secured VAD being messed around with\n");
4857 // ARM3 does not support file-backed sections, only shared memory
4859 ASSERT(FoundVad
->ControlArea
->FilePointer
== NULL
);
4862 // Rotate VADs cannot be guard pages or inaccessible, nor copy on write
4864 if ((FoundVad
->u
.VadFlags
.VadType
== VadRotatePhysical
) &&
4865 (Protect
& (PAGE_WRITECOPY
| PAGE_EXECUTE_WRITECOPY
| PAGE_NOACCESS
| PAGE_GUARD
)))
4867 DPRINT1("Invalid page protection for rotate VAD\n");
4868 Status
= STATUS_INVALID_PAGE_PROTECTION
;
4873 // Compute PTE addresses and the quota charge, then grab the commit lock
4875 PointerPte
= MI_GET_PROTOTYPE_PTE_FOR_VPN(FoundVad
, StartingAddress
>> PAGE_SHIFT
);
4876 LastPte
= MI_GET_PROTOTYPE_PTE_FOR_VPN(FoundVad
, EndingAddress
>> PAGE_SHIFT
);
4877 QuotaCharge
= (ULONG
)(LastPte
- PointerPte
+ 1);
4878 KeAcquireGuardedMutexUnsafe(&MmSectionCommitMutex
);
4881 // Get the segment template PTE and start looping each page
4883 TempPte
= FoundVad
->ControlArea
->Segment
->SegmentPteTemplate
;
4884 ASSERT(TempPte
.u
.Long
!= 0);
4885 while (PointerPte
<= LastPte
)
4888 // For each non-already-committed page, write the invalid template PTE
4890 if (PointerPte
->u
.Long
== 0)
4892 MI_WRITE_INVALID_PTE(PointerPte
, TempPte
);
4902 // Now do the commit accounting and release the lock
4904 ASSERT(QuotaCharge
>= QuotaFree
);
4905 QuotaCharge
-= QuotaFree
;
4906 FoundVad
->ControlArea
->Segment
->NumberOfCommittedPages
+= QuotaCharge
;
4907 KeReleaseGuardedMutexUnsafe(&MmSectionCommitMutex
);
4910 // We are done with committing the section pages
4912 Status
= STATUS_SUCCESS
;
4917 // This is a specific ReactOS check because we only use normal VADs
4919 ASSERT(FoundVad
->u
.VadFlags
.VadType
== VadNone
);
4922 // While this is an actual Windows check
4924 ASSERT(FoundVad
->u
.VadFlags
.VadType
!= VadRotatePhysical
);
4927 // Throw out attempts to use copy-on-write through this API path
4929 if ((Protect
& PAGE_WRITECOPY
) || (Protect
& PAGE_EXECUTE_WRITECOPY
))
4931 DPRINT1("Write copy attempted when not allowed\n");
4932 Status
= STATUS_INVALID_PAGE_PROTECTION
;
4937 // Initialize a demand-zero PTE
4940 TempPte
.u
.Soft
.Protection
= ProtectionMask
;
4941 NT_ASSERT(TempPte
.u
.Long
!= 0);
4944 // Get the PTE, PDE and the last PTE for this address range
4946 PointerPde
= MiAddressToPde(StartingAddress
);
4947 PointerPte
= MiAddressToPte(StartingAddress
);
4948 LastPte
= MiAddressToPte(EndingAddress
);
4951 // Update the commit charge in the VAD as well as in the process, and check
4952 // if this commit charge was now higher than the last recorded peak, in which
4953 // case we also update the peak
4955 FoundVad
->u
.VadFlags
.CommitCharge
+= (1 + LastPte
- PointerPte
);
4956 Process
->CommitCharge
+= (1 + LastPte
- PointerPte
);
4957 if (Process
->CommitCharge
> Process
->CommitChargePeak
)
4959 Process
->CommitChargePeak
= Process
->CommitCharge
;
4963 // Lock the working set while we play with user pages and page tables
4965 MiLockProcessWorkingSetUnsafe(Process
, CurrentThread
);
4968 // Make the current page table valid, and then loop each page within it
4970 MiMakePdeExistAndMakeValid(PointerPde
, Process
, MM_NOIRQL
);
4971 while (PointerPte
<= LastPte
)
4974 // Have we crossed into a new page table?
4976 if (MiIsPteOnPdeBoundary(PointerPte
))
4979 // Get the PDE and now make it valid too
4981 PointerPde
= MiAddressToPte(PointerPte
);
4982 MiMakePdeExistAndMakeValid(PointerPde
, Process
, MM_NOIRQL
);
4986 // Is this a zero PTE as expected?
4988 if (PointerPte
->u
.Long
== 0)
4991 // First increment the count of pages in the page table for this
4994 MiIncrementPageTableReferences(MiPteToAddress(PointerPte
));
4997 // And now write the invalid demand-zero PTE as requested
4999 MI_WRITE_INVALID_PTE(PointerPte
, TempPte
);
5001 else if (PointerPte
->u
.Long
== MmDecommittedPte
.u
.Long
)
5004 // If the PTE was already decommitted, there is nothing else to do
5005 // but to write the new demand-zero PTE
5007 MI_WRITE_INVALID_PTE(PointerPte
, TempPte
);
5009 else if (!(ChangeProtection
) && (Protect
!= MiGetPageProtection(PointerPte
)))
5012 // We don't handle these scenarios yet
5014 if (PointerPte
->u
.Soft
.Valid
== 0)
5016 ASSERT(PointerPte
->u
.Soft
.Prototype
== 0);
5017 ASSERT(PointerPte
->u
.Soft
.PageFileHigh
== 0);
5021 // There's a change in protection, remember this for later, but do
5022 // not yet handle it.
5024 ChangeProtection
= TRUE
;
5028 // Move to the next PTE
5034 // Release the working set lock, unlock the address space, and detach from
5035 // the target process if it was not the current process. Also dereference the
5036 // target process if this wasn't the case.
5038 MiUnlockProcessWorkingSetUnsafe(Process
, CurrentThread
);
5039 Status
= STATUS_SUCCESS
;
5041 MmUnlockAddressSpace(AddressSpace
);
5043 if (!NT_SUCCESS(Status
))
5047 ExFreePoolWithTag(Vad
, 'SdaV');
5052 // Check if we need to update the protection
5054 if (ChangeProtection
)
5056 PVOID ProtectBaseAddress
= (PVOID
)StartingAddress
;
5057 SIZE_T ProtectSize
= PRegionSize
;
5058 ULONG OldProtection
;
5061 // Change the protection of the region
5063 MiProtectVirtualMemory(Process
,
5064 &ProtectBaseAddress
,
5071 if (Attached
) KeUnstackDetachProcess(&ApcState
);
5072 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
5075 // Only write back results on success
5077 if (NT_SUCCESS(Status
))
5080 // Use SEH to write back the base address and the region size. In the case
5081 // of an exception, we strangely do return back the exception code, even
5082 // though the memory *has* been allocated. This mimics Windows behavior and
5083 // there is not much we can do about it.
5087 *URegionSize
= PRegionSize
;
5088 *UBaseAddress
= (PVOID
)StartingAddress
;
5090 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
5092 Status
= _SEH2_GetExceptionCode();
5105 NtFreeVirtualMemory(IN HANDLE ProcessHandle
,
5106 IN PVOID
* UBaseAddress
,
5107 IN PSIZE_T URegionSize
,
5110 PMEMORY_AREA MemoryArea
;
5113 LONG_PTR CommitReduction
= 0;
5114 ULONG_PTR StartingAddress
, EndingAddress
;
5118 PMMSUPPORT AddressSpace
;
5119 PETHREAD CurrentThread
= PsGetCurrentThread();
5120 PEPROCESS CurrentProcess
= PsGetCurrentProcess();
5121 KPROCESSOR_MODE PreviousMode
= KeGetPreviousMode();
5122 KAPC_STATE ApcState
;
5123 BOOLEAN Attached
= FALSE
;
5127 // Only two flags are supported
5129 if (!(FreeType
& (MEM_RELEASE
| MEM_DECOMMIT
)))
5131 DPRINT1("Invalid FreeType\n");
5132 return STATUS_INVALID_PARAMETER_4
;
5136 // Check if no flag was used, or if both flags were used
5138 if (!((FreeType
& (MEM_DECOMMIT
| MEM_RELEASE
))) ||
5139 ((FreeType
& (MEM_DECOMMIT
| MEM_RELEASE
)) == (MEM_DECOMMIT
| MEM_RELEASE
)))
5141 DPRINT1("Invalid FreeType combination\n");
5142 return STATUS_INVALID_PARAMETER_4
;
5146 // Enter SEH for probe and capture. On failure, return back to the caller
5147 // with an exception violation.
5152 // Check for user-mode parameters and make sure that they are writeable
5154 if (PreviousMode
!= KernelMode
)
5156 ProbeForWritePointer(UBaseAddress
);
5157 ProbeForWriteUlong(URegionSize
);
5161 // Capture the current values
5163 PBaseAddress
= *UBaseAddress
;
5164 PRegionSize
= *URegionSize
;
5166 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
5168 _SEH2_YIELD(return _SEH2_GetExceptionCode());
5173 // Make sure the allocation isn't past the user area
5175 if (PBaseAddress
>= MM_HIGHEST_USER_ADDRESS
)
5177 DPRINT1("Virtual free base above User Space\n");
5178 return STATUS_INVALID_PARAMETER_2
;
5182 // Make sure the allocation wouldn't overflow past the user area
5184 if (((ULONG_PTR
)MM_HIGHEST_USER_ADDRESS
- (ULONG_PTR
)PBaseAddress
) < PRegionSize
)
5186 DPRINT1("Region size would overflow into kernel-memory\n");
5187 return STATUS_INVALID_PARAMETER_3
;
5191 // If this is for the current process, just use PsGetCurrentProcess
5193 if (ProcessHandle
== NtCurrentProcess())
5195 Process
= CurrentProcess
;
5200 // Otherwise, reference the process with VM rights and attach to it if
5201 // this isn't the current process. We must attach because we'll be touching
5202 // PTEs and PDEs that belong to user-mode memory, and also touching the
5203 // Working Set which is stored in Hyperspace.
5205 Status
= ObReferenceObjectByHandle(ProcessHandle
,
5206 PROCESS_VM_OPERATION
,
5211 if (!NT_SUCCESS(Status
)) return Status
;
5212 if (CurrentProcess
!= Process
)
5214 KeStackAttachProcess(&Process
->Pcb
, &ApcState
);
5219 DPRINT("NtFreeVirtualMemory: Process 0x%p, Adress 0x%p, size 0x%x, FreeType %x.\n",
5220 Process
, PBaseAddress
, PRegionSize
, FreeType
);
5223 // Lock the address space
5225 AddressSpace
= MmGetCurrentAddressSpace();
5226 MmLockAddressSpace(AddressSpace
);
5229 // If the address space is being deleted, fail the de-allocation since it's
5230 // too late to do anything about it
5232 if (Process
->VmDeleted
)
5234 DPRINT1("Process is dead\n");
5235 Status
= STATUS_PROCESS_IS_TERMINATING
;
5240 // Compute start and end addresses, and locate the VAD
5242 StartingAddress
= (ULONG_PTR
)PAGE_ALIGN(PBaseAddress
);
5243 EndingAddress
= ((ULONG_PTR
)PBaseAddress
+ PRegionSize
- 1) | (PAGE_SIZE
- 1);
5244 Vad
= MiLocateAddress((PVOID
)StartingAddress
);
5247 DPRINT1("Unable to find VAD for address 0x%p\n", StartingAddress
);
5248 Status
= STATUS_MEMORY_NOT_ALLOCATED
;
5253 // If the range exceeds the VAD's ending VPN, fail this request
5255 if (Vad
->EndingVpn
< (EndingAddress
>> PAGE_SHIFT
))
5257 DPRINT1("Address 0x%p is beyond the VAD\n", EndingAddress
);
5258 Status
= STATUS_UNABLE_TO_FREE_VM
;
5263 // Only private memory (except rotate VADs) can be freed through here */
5265 if ((!(Vad
->u
.VadFlags
.PrivateMemory
) &&
5266 (Vad
->u
.VadFlags
.VadType
!= VadRotatePhysical
)) ||
5267 (Vad
->u
.VadFlags
.VadType
== VadDevicePhysicalMemory
))
5269 DPRINT1("Attempt to free section memory\n");
5270 Status
= STATUS_UNABLE_TO_DELETE_SECTION
;
5275 // ARM3 does not yet handle protected VM
5277 ASSERT(Vad
->u
.VadFlags
.NoChange
== 0);
5280 // Finally, make sure there is a ReactOS Mm MEMORY_AREA for this allocation
5281 // and that is is an ARM3 memory area, and not a section view, as we currently
5282 // don't support freeing those though this interface.
5284 MemoryArea
= MmLocateMemoryAreaByAddress(AddressSpace
, (PVOID
)StartingAddress
);
5286 ASSERT(MemoryArea
->Type
== MEMORY_AREA_OWNED_BY_ARM3
);
5289 // Now we can try the operation. First check if this is a RELEASE or a DECOMMIT
5291 if (FreeType
& MEM_RELEASE
)
5294 // ARM3 only supports this VAD in this path
5296 ASSERT(Vad
->u
.VadFlags
.VadType
== VadNone
);
5299 // Is the caller trying to remove the whole VAD, or remove only a portion
5300 // of it? If no region size is specified, then the assumption is that the
5301 // whole VAD is to be destroyed
5306 // The caller must specify the base address identically to the range
5307 // that is stored in the VAD.
5309 if (((ULONG_PTR
)PBaseAddress
>> PAGE_SHIFT
) != Vad
->StartingVpn
)
5311 DPRINT1("Address 0x%p does not match the VAD\n", PBaseAddress
);
5312 Status
= STATUS_FREE_VM_NOT_AT_BASE
;
5317 // Now compute the actual start/end addresses based on the VAD
5319 StartingAddress
= Vad
->StartingVpn
<< PAGE_SHIFT
;
5320 EndingAddress
= (Vad
->EndingVpn
<< PAGE_SHIFT
) | (PAGE_SIZE
- 1);
5323 // Finally lock the working set and remove the VAD from the VAD tree
5325 MiLockProcessWorkingSetUnsafe(Process
, CurrentThread
);
5326 ASSERT(Process
->VadRoot
.NumberGenericTableElements
>= 1);
5327 MiRemoveNode((PMMADDRESS_NODE
)Vad
, &Process
->VadRoot
);
5332 // This means the caller wants to release a specific region within
5333 // the range. We have to find out which range this is -- the following
5334 // possibilities exist plus their union (CASE D):
5336 // STARTING ADDRESS ENDING ADDRESS
5337 // [<========][========================================][=========>]
5338 // CASE A CASE B CASE C
5341 // First, check for case A or D
5343 if ((StartingAddress
>> PAGE_SHIFT
) == Vad
->StartingVpn
)
5348 if ((EndingAddress
>> PAGE_SHIFT
) == Vad
->EndingVpn
)
5351 // This is the easiest one to handle -- it is identical to
5352 // the code path above when the caller sets a zero region size
5353 // and the whole VAD is destroyed
5355 MiLockProcessWorkingSetUnsafe(Process
, CurrentThread
);
5356 ASSERT(Process
->VadRoot
.NumberGenericTableElements
>= 1);
5357 MiRemoveNode((PMMADDRESS_NODE
)Vad
, &Process
->VadRoot
);
5362 // This case is pretty easy too -- we compute a bunch of
5363 // pages to decommit, and then push the VAD's starting address
5364 // a bit further down, then decrement the commit charge
5366 // NOT YET IMPLEMENTED IN ARM3.
5368 DPRINT1("Case A not handled\n");
5369 Status
= STATUS_FREE_VM_NOT_AT_BASE
;
5373 // After analyzing the VAD, set it to NULL so that we don't
5374 // free it in the exit path
5382 // This is case B or case C. First check for case C
5384 if ((EndingAddress
>> PAGE_SHIFT
) == Vad
->EndingVpn
)
5386 PMEMORY_AREA MemoryArea
;
5389 // This is pretty easy and similar to case A. We compute the
5390 // amount of pages to decommit, update the VAD's commit charge
5391 // and then change the ending address of the VAD to be a bit
5394 MiLockProcessWorkingSetUnsafe(Process
, CurrentThread
);
5395 CommitReduction
= MiCalculatePageCommitment(StartingAddress
,
5399 Vad
->u
.VadFlags
.CommitCharge
-= CommitReduction
;
5400 // For ReactOS: shrink the corresponding memory area
5401 MemoryArea
= MmLocateMemoryAreaByAddress(AddressSpace
, (PVOID
)StartingAddress
);
5402 ASSERT(Vad
->StartingVpn
<< PAGE_SHIFT
== (ULONG_PTR
)MemoryArea
->StartingAddress
);
5403 ASSERT((Vad
->EndingVpn
+ 1) << PAGE_SHIFT
== (ULONG_PTR
)MemoryArea
->EndingAddress
);
5404 Vad
->EndingVpn
= ((ULONG_PTR
)StartingAddress
- 1) >> PAGE_SHIFT
;
5405 MemoryArea
->EndingAddress
= (PVOID
)(StartingAddress
);
5410 // This is case B and the hardest one. Because we are removing
5411 // a chunk of memory from the very middle of the VAD, we must
5412 // actually split the VAD into two new VADs and compute the
5413 // commit charges for each of them, and reinsert new charges.
5415 // NOT YET IMPLEMENTED IN ARM3.
5417 DPRINT1("Case B not handled\n");
5418 Status
= STATUS_FREE_VM_NOT_AT_BASE
;
5423 // After analyzing the VAD, set it to NULL so that we don't
5424 // free it in the exit path
5431 // Now we have a range of pages to dereference, so call the right API
5432 // to do that and then release the working set, since we're done messing
5433 // around with process pages.
5435 MiDeleteVirtualAddresses(StartingAddress
, EndingAddress
, NULL
);
5436 MiUnlockProcessWorkingSetUnsafe(Process
, CurrentThread
);
5437 Status
= STATUS_SUCCESS
;
5441 // Update the process counters
5443 PRegionSize
= EndingAddress
- StartingAddress
+ 1;
5444 Process
->CommitCharge
-= CommitReduction
;
5445 if (FreeType
& MEM_RELEASE
) Process
->VirtualSize
-= PRegionSize
;
5448 // Unlock the address space and free the VAD in failure cases. Next,
5449 // detach from the target process so we can write the region size and the
5450 // base address to the correct source process, and dereference the target
5453 MmUnlockAddressSpace(AddressSpace
);
5454 if (Vad
) ExFreePool(Vad
);
5455 if (Attached
) KeUnstackDetachProcess(&ApcState
);
5456 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
5459 // Use SEH to safely return the region size and the base address of the
5460 // deallocation. If we get an access violation, don't return a failure code
5461 // as the deallocation *has* happened. The caller will just have to figure
5462 // out another way to find out where it is (such as VirtualQuery).
5466 *URegionSize
= PRegionSize
;
5467 *UBaseAddress
= (PVOID
)StartingAddress
;
5469 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
5477 // This is the decommit path. You cannot decommit from the following VADs in
5478 // Windows, so fail the vall
5480 if ((Vad
->u
.VadFlags
.VadType
== VadAwe
) ||
5481 (Vad
->u
.VadFlags
.VadType
== VadLargePages
) ||
5482 (Vad
->u
.VadFlags
.VadType
== VadRotatePhysical
))
5484 DPRINT1("Trying to decommit from invalid VAD\n");
5485 Status
= STATUS_MEMORY_NOT_ALLOCATED
;
5490 // If the caller did not specify a region size, first make sure that this
5491 // region is actually committed. If it is, then compute the ending address
5492 // based on the VAD.
5496 if (((ULONG_PTR
)PBaseAddress
>> PAGE_SHIFT
) != Vad
->StartingVpn
)
5498 DPRINT1("Decomitting non-committed memory\n");
5499 Status
= STATUS_FREE_VM_NOT_AT_BASE
;
5502 EndingAddress
= (Vad
->EndingVpn
<< PAGE_SHIFT
) | (PAGE_SIZE
- 1);
5506 // Decommit the PTEs for the range plus the actual backing pages for the
5507 // range, then reduce that amount from the commit charge in the VAD
5509 CommitReduction
= MiAddressToPte(EndingAddress
) -
5510 MiAddressToPte(StartingAddress
) +
5512 MiDecommitPages((PVOID
)StartingAddress
,
5513 MiAddressToPte(EndingAddress
),
5516 ASSERT(CommitReduction
>= 0);
5517 Vad
->u
.VadFlags
.CommitCharge
-= CommitReduction
;
5518 ASSERT(Vad
->u
.VadFlags
.CommitCharge
>= 0);
5521 // We are done, go to the exit path without freeing the VAD as it remains
5522 // valid since we have not released the allocation.
5525 Status
= STATUS_SUCCESS
;
5529 // In the failure path, we detach and derefernece the target process, and
5530 // return whatever failure code was sent.
5533 MmUnlockAddressSpace(AddressSpace
);
5534 if (Attached
) KeUnstackDetachProcess(&ApcState
);
5535 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
5542 MmGetPhysicalAddress(PVOID Address
)
5544 PHYSICAL_ADDRESS PhysicalAddress
;
5548 /* Check if the PXE/PPE/PDE is valid */
5550 #if (_MI_PAGING_LEVELS == 4)
5551 (MiAddressToPxe(Address
)->u
.Hard
.Valid
) &&
5553 #if (_MI_PAGING_LEVELS >= 3)
5554 (MiAddressToPpe(Address
)->u
.Hard
.Valid
) &&
5556 (MiAddressToPde(Address
)->u
.Hard
.Valid
))
5558 /* Check for large pages */
5559 TempPde
= *MiAddressToPde(Address
);
5560 if (TempPde
.u
.Hard
.LargePage
)
5562 /* Physical address is base page + large page offset */
5563 PhysicalAddress
.QuadPart
= (ULONG64
)TempPde
.u
.Hard
.PageFrameNumber
<< PAGE_SHIFT
;
5564 PhysicalAddress
.QuadPart
+= ((ULONG_PTR
)Address
& (PAGE_SIZE
* PTE_PER_PAGE
- 1));
5565 return PhysicalAddress
;
5568 /* Check if the PTE is valid */
5569 TempPte
= *MiAddressToPte(Address
);
5570 if (TempPte
.u
.Hard
.Valid
)
5572 /* Physical address is base page + page offset */
5573 PhysicalAddress
.QuadPart
= (ULONG64
)TempPte
.u
.Hard
.PageFrameNumber
<< PAGE_SHIFT
;
5574 PhysicalAddress
.QuadPart
+= ((ULONG_PTR
)Address
& (PAGE_SIZE
- 1));
5575 return PhysicalAddress
;
5579 KeRosDumpStackFrames(NULL
, 20);
5580 DPRINT1("MM:MmGetPhysicalAddressFailed base address was %p\n", Address
);
5581 PhysicalAddress
.QuadPart
= 0;
5582 return PhysicalAddress
;