projects / reactos.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
[NTOS/MM]
[reactos.git] / reactos / ntoskrnl / mm / ARM3 / virtual.c
1 /*
2 * PROJECT: ReactOS Kernel
3 * LICENSE: BSD - See COPYING.ARM in the top level directory
4 * FILE: ntoskrnl/mm/ARM3/virtual.c
5 * PURPOSE: ARM Memory Manager Virtual Memory Management
6 * PROGRAMMERS: ReactOS Portable Systems Group
7 */
8
9 /* INCLUDES *******************************************************************/
10
11 #include <ntoskrnl.h>
12 #define NDEBUG
13 #include <debug.h>
14
15 #define MODULE_INVOLVED_IN_ARM3
16 #include "../ARM3/miarm.h"
17
18 #define MI_MAPPED_COPY_PAGES 14
19 #define MI_POOL_COPY_BYTES 512
20 #define MI_MAX_TRANSFER_SIZE 64 * 1024
21
22 NTSTATUS NTAPI
23 MiProtectVirtualMemory(IN PEPROCESS Process,
24 IN OUT PVOID *BaseAddress,
25 IN OUT PSIZE_T NumberOfBytesToProtect,
26 IN ULONG NewAccessProtection,
27 OUT PULONG OldAccessProtection OPTIONAL);
28
29 VOID
30 NTAPI
31 MiFlushTbAndCapture(IN PMMVAD FoundVad,
32 IN PMMPTE PointerPte,
33 IN ULONG ProtectionMask,
34 IN PMMPFN Pfn1,
35 IN BOOLEAN CaptureDirtyBit);
36
37
38 /* PRIVATE FUNCTIONS **********************************************************/
39
40 ULONG
41 NTAPI
42 MiCalculatePageCommitment(IN ULONG_PTR StartingAddress,
43 IN ULONG_PTR EndingAddress,
44 IN PMMVAD Vad,
45 IN PEPROCESS Process)
46 {
47 PMMPTE PointerPte, LastPte, PointerPde;
48 ULONG CommittedPages;
49
50 /* Compute starting and ending PTE and PDE addresses */
51 PointerPde = MiAddressToPde(StartingAddress);
52 PointerPte = MiAddressToPte(StartingAddress);
53 LastPte = MiAddressToPte(EndingAddress);
54
55 /* Handle commited pages first */
56 if (Vad->u.VadFlags.MemCommit == 1)
57 {
58 /* This is a committed VAD, so Assume the whole range is committed */
59 CommittedPages = BYTES_TO_PAGES(EndingAddress - StartingAddress);
60
61 /* Is the PDE demand-zero? */
62 PointerPde = MiAddressToPte(PointerPte);
63 if (PointerPde->u.Long != 0)
64 {
65 /* It is not. Is it valid? */
66 if (PointerPde->u.Hard.Valid == 0)
67 {
68 /* Fault it in */
69 PointerPte = MiPteToAddress(PointerPde);
70 MiMakeSystemAddressValid(PointerPte, Process);
71 }
72 }
73 else
74 {
75 /* It is, skip it and move to the next PDE, unless we're done */
76 PointerPde++;
77 PointerPte = MiPteToAddress(PointerPde);
78 if (PointerPte > LastPte) return CommittedPages;
79 }
80
81 /* Now loop all the PTEs in the range */
82 while (PointerPte <= LastPte)
83 {
84 /* Have we crossed a PDE boundary? */
85 if (MiIsPteOnPdeBoundary(PointerPte))
86 {
87 /* Is this PDE demand zero? */
88 PointerPde = MiAddressToPte(PointerPte);
89 if (PointerPde->u.Long != 0)
90 {
91 /* It isn't -- is it valid? */
92 if (PointerPde->u.Hard.Valid == 0)
93 {
94 /* Nope, fault it in */
95 PointerPte = MiPteToAddress(PointerPde);
96 MiMakeSystemAddressValid(PointerPte, Process);
97 }
98 }
99 else
100 {
101 /* It is, skip it and move to the next PDE */
102 PointerPde++;
103 PointerPte = MiPteToAddress(PointerPde);
104 continue;
105 }
106 }
107
108 /* Is this PTE demand zero? */
109 if (PointerPte->u.Long != 0)
110 {
111 /* It isn't -- is it a decommited, invalid, or faulted PTE? */
112 if ((PointerPte->u.Soft.Protection == MM_DECOMMIT) &&
113 (PointerPte->u.Hard.Valid == 0) &&
114 ((PointerPte->u.Soft.Prototype == 0) ||
115 (PointerPte->u.Soft.PageFileHigh == MI_PTE_LOOKUP_NEEDED)))
116 {
117 /* It is, so remove it from the count of commited pages */
118 CommittedPages--;
119 }
120 }
121
122 /* Move to the next PTE */
123 PointerPte++;
124 }
125
126 /* Return how many committed pages there still are */
127 return CommittedPages;
128 }
129
130 /* This is a non-commited VAD, so assume none of it is committed */
131 CommittedPages = 0;
132
133 /* Is the PDE demand-zero? */
134 PointerPde = MiAddressToPte(PointerPte);
135 if (PointerPde->u.Long != 0)
136 {
137 /* It isn't -- is it invalid? */
138 if (PointerPde->u.Hard.Valid == 0)
139 {
140 /* It is, so page it in */
141 PointerPte = MiPteToAddress(PointerPde);
142 MiMakeSystemAddressValid(PointerPte, Process);
143 }
144 }
145 else
146 {
147 /* It is, so skip it and move to the next PDE */
148 PointerPde++;
149 PointerPte = MiPteToAddress(PointerPde);
150 if (PointerPte > LastPte) return CommittedPages;
151 }
152
153 /* Loop all the PTEs in this PDE */
154 while (PointerPte <= LastPte)
155 {
156 /* Have we crossed a PDE boundary? */
157 if (MiIsPteOnPdeBoundary(PointerPte))
158 {
159 /* Is this new PDE demand-zero? */
160 PointerPde = MiAddressToPte(PointerPte);
161 if (PointerPde->u.Long != 0)
162 {
163 /* It isn't. Is it valid? */
164 if (PointerPde->u.Hard.Valid == 0)
165 {
166 /* It isn't, so make it valid */
167 PointerPte = MiPteToAddress(PointerPde);
168 MiMakeSystemAddressValid(PointerPte, Process);
169 }
170 }
171 else
172 {
173 /* It is, so skip it and move to the next one */
174 PointerPde++;
175 PointerPte = MiPteToAddress(PointerPde);
176 continue;
177 }
178 }
179
180 /* Is this PTE demand-zero? */
181 if (PointerPte->u.Long != 0)
182 {
183 /* Nope. Is it a valid, non-decommited, non-paged out PTE? */
184 if ((PointerPte->u.Soft.Protection != MM_DECOMMIT) ||
185 (PointerPte->u.Hard.Valid == 1) ||
186 ((PointerPte->u.Soft.Prototype == 1) &&
187 (PointerPte->u.Soft.PageFileHigh != MI_PTE_LOOKUP_NEEDED)))
188 {
189 /* It is! So we'll treat this as a committed page */
190 CommittedPages++;
191 }
192 }
193
194 /* Move to the next PTE */
195 PointerPte++;
196 }
197
198 /* Return how many committed pages we found in this VAD */
199 return CommittedPages;
200 }
201
202 ULONG
203 NTAPI
204 MiMakeSystemAddressValid(IN PVOID PageTableVirtualAddress,
205 IN PEPROCESS CurrentProcess)
206 {
207 NTSTATUS Status;
208 BOOLEAN WsWasLocked = FALSE, LockChange = FALSE;
209 PETHREAD CurrentThread = PsGetCurrentThread();
210
211 /* Must be a non-pool page table, since those are double-mapped already */
212 ASSERT(PageTableVirtualAddress > MM_HIGHEST_USER_ADDRESS);
213 ASSERT((PageTableVirtualAddress < MmPagedPoolStart) ||
214 (PageTableVirtualAddress > MmPagedPoolEnd));
215
216 /* Working set lock or PFN lock should be held */
217 ASSERT(KeAreAllApcsDisabled() == TRUE);
218
219 /* Check if the page table is valid */
220 while (!MmIsAddressValid(PageTableVirtualAddress))
221 {
222 /* Check if the WS is locked */
223 if (CurrentThread->OwnsProcessWorkingSetExclusive)
224 {
225 /* Unlock the working set and remember it was locked */
226 MiUnlockProcessWorkingSet(CurrentProcess, CurrentThread);
227 WsWasLocked = TRUE;
228 }
229
230 /* Fault it in */
231 Status = MmAccessFault(FALSE, PageTableVirtualAddress, KernelMode, NULL);
232 if (!NT_SUCCESS(Status))
233 {
234 /* This should not fail */
235 KeBugCheckEx(KERNEL_DATA_INPAGE_ERROR,
236 1,
237 Status,
238 (ULONG_PTR)CurrentProcess,
239 (ULONG_PTR)PageTableVirtualAddress);
240 }
241
242 /* Lock the working set again */
243 if (WsWasLocked) MiLockProcessWorkingSet(CurrentProcess, CurrentThread);
244
245 /* This flag will be useful later when we do better locking */
246 LockChange = TRUE;
247 }
248
249 /* Let caller know what the lock state is */
250 return LockChange;
251 }
252
253 ULONG
254 NTAPI
255 MiMakeSystemAddressValidPfn(IN PVOID VirtualAddress,
256 IN KIRQL OldIrql)
257 {
258 NTSTATUS Status;
259 BOOLEAN LockChange = FALSE;
260
261 /* Must be e kernel address */
262 ASSERT(VirtualAddress > MM_HIGHEST_USER_ADDRESS);
263
264 /* Check if the page is valid */
265 while (!MmIsAddressValid(VirtualAddress))
266 {
267 /* Release the PFN database */
268 KeReleaseQueuedSpinLock(LockQueuePfnLock, OldIrql);
269
270 /* Fault it in */
271 Status = MmAccessFault(FALSE, VirtualAddress, KernelMode, NULL);
272 if (!NT_SUCCESS(Status))
273 {
274 /* This should not fail */
275 KeBugCheckEx(KERNEL_DATA_INPAGE_ERROR,
276 3,
277 Status,
278 0,
279 (ULONG_PTR)VirtualAddress);
280 }
281
282 /* This flag will be useful later when we do better locking */
283 LockChange = TRUE;
284
285 /* Lock the PFN database */
286 OldIrql = KeAcquireQueuedSpinLock(LockQueuePfnLock);
287 }
288
289 /* Let caller know what the lock state is */
290 return LockChange;
291 }
292
293 PFN_COUNT
294 NTAPI
295 MiDeleteSystemPageableVm(IN PMMPTE PointerPte,
296 IN PFN_NUMBER PageCount,
297 IN ULONG Flags,
298 OUT PPFN_NUMBER ValidPages)
299 {
300 PFN_COUNT ActualPages = 0;
301 PETHREAD CurrentThread = PsGetCurrentThread();
302 PMMPFN Pfn1, Pfn2;
303 PFN_NUMBER PageFrameIndex, PageTableIndex;
304 KIRQL OldIrql;
305 ASSERT(KeGetCurrentIrql() <= APC_LEVEL);
306
307 /* Lock the system working set */
308 MiLockWorkingSet(CurrentThread, &MmSystemCacheWs);
309
310 /* Loop all pages */
311 while (PageCount)
312 {
313 /* Make sure there's some data about the page */
314 if (PointerPte->u.Long)
315 {
316 /* As always, only handle current ARM3 scenarios */
317 ASSERT(PointerPte->u.Soft.Prototype == 0);
318 ASSERT(PointerPte->u.Soft.Transition == 0);
319
320 /* Normally this is one possibility -- freeing a valid page */
321 if (PointerPte->u.Hard.Valid)
322 {
323 /* Get the page PFN */
324 PageFrameIndex = PFN_FROM_PTE(PointerPte);
325 Pfn1 = MiGetPfnEntry(PageFrameIndex);
326
327 /* Should not have any working set data yet */
328 ASSERT(Pfn1->u1.WsIndex == 0);
329
330 /* Actual valid, legitimate, pages */
331 if (ValidPages) (*ValidPages)++;
332
333 /* Get the page table entry */
334 PageTableIndex = Pfn1->u4.PteFrame;
335 Pfn2 = MiGetPfnEntry(PageTableIndex);
336
337 /* Lock the PFN database */
338 OldIrql = KeAcquireQueuedSpinLock(LockQueuePfnLock);
339
340 /* Delete it the page */
341 MI_SET_PFN_DELETED(Pfn1);
342 MiDecrementShareCount(Pfn1, PageFrameIndex);
343
344 /* Decrement the page table too */
345 MiDecrementShareCount(Pfn2, PageTableIndex);
346
347 /* Release the PFN database */
348 KeReleaseQueuedSpinLock(LockQueuePfnLock, OldIrql);
349
350 /* Destroy the PTE */
351 PointerPte->u.Long = 0;
352 }
353
354 /* Actual legitimate pages */
355 ActualPages++;
356 }
357 else
358 {
359 /*
360 * The only other ARM3 possibility is a demand zero page, which would
361 * mean freeing some of the paged pool pages that haven't even been
362 * touched yet, as part of a larger allocation.
363 *
364 * Right now, we shouldn't expect any page file information in the PTE
365 */
366 ASSERT(PointerPte->u.Soft.PageFileHigh == 0);
367
368 /* Destroy the PTE */
369 PointerPte->u.Long = 0;
370 }
371
372 /* Keep going */
373 PointerPte++;
374 PageCount--;
375 }
376
377 /* Release the working set */
378 MiUnlockWorkingSet(CurrentThread, &MmSystemCacheWs);
379
380 /* Flush the entire TLB */
381 KeFlushEntireTb(TRUE, TRUE);
382
383 /* Done */
384 return ActualPages;
385 }
386
387 VOID
388 NTAPI
389 MiDeletePte(IN PMMPTE PointerPte,
390 IN PVOID VirtualAddress,
391 IN PEPROCESS CurrentProcess,
392 IN PMMPTE PrototypePte)
393 {
394 PMMPFN Pfn1;
395 MMPTE TempPte;
396 PFN_NUMBER PageFrameIndex;
397 PMMPDE PointerPde;
398
399 /* PFN lock must be held */
400 ASSERT(KeGetCurrentIrql() == DISPATCH_LEVEL);
401
402 /* Capture the PTE */
403 TempPte = *PointerPte;
404
405 /* We only support valid PTEs for now */
406 ASSERT(TempPte.u.Hard.Valid == 1);
407 if (TempPte.u.Hard.Valid == 0)
408 {
409 /* Invalid PTEs not supported yet */
410 ASSERT(TempPte.u.Soft.Prototype == 0);
411 ASSERT(TempPte.u.Soft.Transition == 0);
412 }
413
414 /* Get the PFN entry */
415 PageFrameIndex = PFN_FROM_PTE(&TempPte);
416 Pfn1 = MiGetPfnEntry(PageFrameIndex);
417
418 /* Check if this is a valid, prototype PTE */
419 if (Pfn1->u3.e1.PrototypePte == 1)
420 {
421 /* Get the PDE and make sure it's faulted in */
422 PointerPde = MiPteToPde(PointerPte);
423 if (PointerPde->u.Hard.Valid == 0)
424 {
425 #if (_MI_PAGING_LEVELS == 2)
426 /* Could be paged pool access from a new process -- synchronize the page directories */
427 if (!NT_SUCCESS(MiCheckPdeForPagedPool(VirtualAddress)))
428 {
429 #endif
430 /* The PDE must be valid at this point */
431 KeBugCheckEx(MEMORY_MANAGEMENT,
432 0x61940,
433 (ULONG_PTR)PointerPte,
434 PointerPte->u.Long,
435 (ULONG_PTR)VirtualAddress);
436 }
437 #if (_MI_PAGING_LEVELS == 2)
438 }
439 #endif
440 /* Drop the share count */
441 MiDecrementShareCount(Pfn1, PageFrameIndex);
442
443 /* Either a fork, or this is the shared user data page */
444 if ((PointerPte <= MiHighestUserPte) && (PrototypePte != Pfn1->PteAddress))
445 {
446 /* If it's not the shared user page, then crash, since there's no fork() yet */
447 if ((PAGE_ALIGN(VirtualAddress) != (PVOID)USER_SHARED_DATA) ||
448 (MmHighestUserAddress <= (PVOID)USER_SHARED_DATA))
449 {
450 /* Must be some sort of memory corruption */
451 KeBugCheckEx(MEMORY_MANAGEMENT,
452 0x400,
453 (ULONG_PTR)PointerPte,
454 (ULONG_PTR)PrototypePte,
455 (ULONG_PTR)Pfn1->PteAddress);
456 }
457 }
458 }
459 else
460 {
461 /* Make sure the saved PTE address is valid */
462 if ((PMMPTE)((ULONG_PTR)Pfn1->PteAddress & ~0x1) != PointerPte)
463 {
464 /* The PFN entry is illegal, or invalid */
465 KeBugCheckEx(MEMORY_MANAGEMENT,
466 0x401,
467 (ULONG_PTR)PointerPte,
468 PointerPte->u.Long,
469 (ULONG_PTR)Pfn1->PteAddress);
470 }
471
472 /* There should only be 1 shared reference count */
473 ASSERT(Pfn1->u2.ShareCount == 1);
474
475 /* Drop the reference on the page table. */
476 MiDecrementShareCount(MiGetPfnEntry(Pfn1->u4.PteFrame), Pfn1->u4.PteFrame);
477
478 /* Mark the PFN for deletion and dereference what should be the last ref */
479 MI_SET_PFN_DELETED(Pfn1);
480 MiDecrementShareCount(Pfn1, PageFrameIndex);
481
482 /* We should eventually do this */
483 //CurrentProcess->NumberOfPrivatePages--;
484 }
485
486 /* Destroy the PTE and flush the TLB */
487 PointerPte->u.Long = 0;
488 KeFlushCurrentTb();
489 }
490
491 VOID
492 NTAPI
493 MiDeleteVirtualAddresses(IN ULONG_PTR Va,
494 IN ULONG_PTR EndingAddress,
495 IN PMMVAD Vad)
496 {
497 PMMPTE PointerPte, PrototypePte, LastPrototypePte;
498 PMMPDE PointerPde;
499 MMPTE TempPte;
500 PEPROCESS CurrentProcess;
501 KIRQL OldIrql;
502 BOOLEAN AddressGap = FALSE;
503 PSUBSECTION Subsection;
504 PUSHORT UsedPageTableEntries;
505
506 /* Get out if this is a fake VAD, RosMm will free the marea pages */
507 if ((Vad) && (Vad->u.VadFlags.Spare == 1)) return;
508
509 /* Grab the process and PTE/PDE for the address being deleted */
510 CurrentProcess = PsGetCurrentProcess();
511 PointerPde = MiAddressToPde(Va);
512 PointerPte = MiAddressToPte(Va);
513
514 /* Check if this is a section VAD or a VM VAD */
515 if (!(Vad) || (Vad->u.VadFlags.PrivateMemory) || !(Vad->FirstPrototypePte))
516 {
517 /* Don't worry about prototypes */
518 PrototypePte = LastPrototypePte = NULL;
519 }
520 else
521 {
522 /* Get the prototype PTE */
523 PrototypePte = Vad->FirstPrototypePte;
524 LastPrototypePte = Vad->FirstPrototypePte + 1;
525 }
526
527 /* In all cases, we don't support fork() yet */
528 ASSERT(CurrentProcess->CloneRoot == NULL);
529
530 /* Loop the PTE for each VA */
531 while (TRUE)
532 {
533 /* First keep going until we find a valid PDE */
534 while (!PointerPde->u.Long)
535 {
536 /* There are gaps in the address space */
537 AddressGap = TRUE;
538
539 /* Still no valid PDE, try the next 4MB (or whatever) */
540 PointerPde++;
541
542 /* Update the PTE on this new boundary */
543 PointerPte = MiPteToAddress(PointerPde);
544
545 /* Check if all the PDEs are invalid, so there's nothing to free */
546 Va = (ULONG_PTR)MiPteToAddress(PointerPte);
547 if (Va > EndingAddress) return;
548 }
549
550 /* Now check if the PDE is mapped in */
551 if (!PointerPde->u.Hard.Valid)
552 {
553 /* It isn't, so map it in */
554 PointerPte = MiPteToAddress(PointerPde);
555 MiMakeSystemAddressValid(PointerPte, CurrentProcess);
556 }
557
558 /* Now we should have a valid PDE, mapped in, and still have some VA */
559 ASSERT(PointerPde->u.Hard.Valid == 1);
560 ASSERT(Va <= EndingAddress);
561 UsedPageTableEntries = &MmWorkingSetList->UsedPageTableEntries[MiGetPdeOffset(Va)];
562
563 /* Check if this is a section VAD with gaps in it */
564 if ((AddressGap) && (LastPrototypePte))
565 {
566 /* We need to skip to the next correct prototype PTE */
567 PrototypePte = MI_GET_PROTOTYPE_PTE_FOR_VPN(Vad, Va >> PAGE_SHIFT);
568
569 /* And we need the subsection to skip to the next last prototype PTE */
570 Subsection = MiLocateSubsection(Vad, Va >> PAGE_SHIFT);
571 if (Subsection)
572 {
573 /* Found it! */
574 LastPrototypePte = &Subsection->SubsectionBase[Subsection->PtesInSubsection];
575 }
576 else
577 {
578 /* No more subsections, we are done with prototype PTEs */
579 PrototypePte = NULL;
580 }
581 }
582
583 /* Lock the PFN Database while we delete the PTEs */
584 OldIrql = KeAcquireQueuedSpinLock(LockQueuePfnLock);
585 do
586 {
587 /* Capture the PDE and make sure it exists */
588 TempPte = *PointerPte;
589 if (TempPte.u.Long)
590 {
591 DPRINT("Decrement used PTEs by address: %lx\n", Va);
592 (*UsedPageTableEntries)--;
593 ASSERT((*UsedPageTableEntries) < PTE_COUNT);
594 DPRINT("Refs: %lx\n", (*UsedPageTableEntries));
595
596 /* Check if the PTE is actually mapped in */
597 if (TempPte.u.Long & 0xFFFFFC01)
598 {
599 /* Are we dealing with section VAD? */
600 if ((LastPrototypePte) && (PrototypePte > LastPrototypePte))
601 {
602 /* We need to skip to the next correct prototype PTE */
603 PrototypePte = MI_GET_PROTOTYPE_PTE_FOR_VPN(Vad, Va >> PAGE_SHIFT);
604
605 /* And we need the subsection to skip to the next last prototype PTE */
606 Subsection = MiLocateSubsection(Vad, Va >> PAGE_SHIFT);
607 if (Subsection)
608 {
609 /* Found it! */
610 LastPrototypePte = &Subsection->SubsectionBase[Subsection->PtesInSubsection];
611 }
612 else
613 {
614 /* No more subsections, we are done with prototype PTEs */
615 PrototypePte = NULL;
616 }
617 }
618
619 /* Check for prototype PTE */
620 if ((TempPte.u.Hard.Valid == 0) &&
621 (TempPte.u.Soft.Prototype == 1))
622 {
623 /* Just nuke it */
624 PointerPte->u.Long = 0;
625 }
626 else
627 {
628 /* Delete the PTE proper */
629 MiDeletePte(PointerPte,
630 (PVOID)Va,
631 CurrentProcess,
632 PrototypePte);
633 }
634 }
635 else
636 {
637 /* The PTE was never mapped, just nuke it here */
638 PointerPte->u.Long = 0;
639 }
640 }
641
642 /* Update the address and PTE for it */
643 Va += PAGE_SIZE;
644 PointerPte++;
645 PrototypePte++;
646
647 /* Making sure the PDE is still valid */
648 ASSERT(PointerPde->u.Hard.Valid == 1);
649 }
650 while ((Va & (PDE_MAPPED_VA - 1)) && (Va <= EndingAddress));
651
652 /* The PDE should still be valid at this point */
653 ASSERT(PointerPde->u.Hard.Valid == 1);
654
655 DPRINT("Should check if handles for: %p are zero (PDE: %lx)\n", Va, PointerPde->u.Hard.PageFrameNumber);
656 if (!(*UsedPageTableEntries))
657 {
658 DPRINT("They are!\n");
659 if (PointerPde->u.Long != 0)
660 {
661 DPRINT("PDE active: %lx in %16s\n", PointerPde->u.Hard.PageFrameNumber, CurrentProcess->ImageFileName);
662
663 /* Delete the PTE proper */
664 MiDeletePte(PointerPde,
665 MiPteToAddress(PointerPde),
666 CurrentProcess,
667 NULL);
668 }
669 }
670
671 /* Release the lock and get out if we're done */
672 KeReleaseQueuedSpinLock(LockQueuePfnLock, OldIrql);
673 if (Va > EndingAddress) return;
674
675 /* Otherwise, we exited because we hit a new PDE boundary, so start over */
676 PointerPde = MiAddressToPde(Va);
677 AddressGap = FALSE;
678 }
679 }
680
681 LONG
682 MiGetExceptionInfo(IN PEXCEPTION_POINTERS ExceptionInfo,
683 OUT PBOOLEAN HaveBadAddress,
684 OUT PULONG_PTR BadAddress)
685 {
686 PEXCEPTION_RECORD ExceptionRecord;
687 PAGED_CODE();
688
689 //
690 // Assume default
691 //
692 *HaveBadAddress = FALSE;
693
694 //
695 // Get the exception record
696 //
697 ExceptionRecord = ExceptionInfo->ExceptionRecord;
698
699 //
700 // Look at the exception code
701 //
702 if ((ExceptionRecord->ExceptionCode == STATUS_ACCESS_VIOLATION) ||
703 (ExceptionRecord->ExceptionCode == STATUS_GUARD_PAGE_VIOLATION) ||
704 (ExceptionRecord->ExceptionCode == STATUS_IN_PAGE_ERROR))
705 {
706 //
707 // We can tell the address if we have more than one parameter
708 //
709 if (ExceptionRecord->NumberParameters > 1)
710 {
711 //
712 // Return the address
713 //
714 *HaveBadAddress = TRUE;
715 *BadAddress = ExceptionRecord->ExceptionInformation[1];
716 }
717 }
718
719 //
720 // Continue executing the next handler
721 //
722 return EXCEPTION_EXECUTE_HANDLER;
723 }
724
725 NTSTATUS
726 NTAPI
727 MiDoMappedCopy(IN PEPROCESS SourceProcess,
728 IN PVOID SourceAddress,
729 IN PEPROCESS TargetProcess,
730 OUT PVOID TargetAddress,
731 IN SIZE_T BufferSize,
732 IN KPROCESSOR_MODE PreviousMode,
733 OUT PSIZE_T ReturnSize)
734 {
735 PFN_NUMBER MdlBuffer[(sizeof(MDL) / sizeof(PFN_NUMBER)) + MI_MAPPED_COPY_PAGES + 1];
736 PMDL Mdl = (PMDL)MdlBuffer;
737 SIZE_T TotalSize, CurrentSize, RemainingSize;
738 volatile BOOLEAN FailedInProbe = FALSE, FailedInMapping = FALSE, FailedInMoving;
739 volatile BOOLEAN PagesLocked;
740 PVOID CurrentAddress = SourceAddress, CurrentTargetAddress = TargetAddress;
741 volatile PVOID MdlAddress;
742 KAPC_STATE ApcState;
743 BOOLEAN HaveBadAddress;
744 ULONG_PTR BadAddress;
745 NTSTATUS Status = STATUS_SUCCESS;
746 PAGED_CODE();
747
748 //
749 // Calculate the maximum amount of data to move
750 //
751 TotalSize = MI_MAPPED_COPY_PAGES * PAGE_SIZE;
752 if (BufferSize <= TotalSize) TotalSize = BufferSize;
753 CurrentSize = TotalSize;
754 RemainingSize = BufferSize;
755
756 //
757 // Loop as long as there is still data
758 //
759 while (RemainingSize > 0)
760 {
761 //
762 // Check if this transfer will finish everything off
763 //
764 if (RemainingSize < CurrentSize) CurrentSize = RemainingSize;
765
766 //
767 // Attach to the source address space
768 //
769 KeStackAttachProcess(&SourceProcess->Pcb, &ApcState);
770
771 //
772 // Reset state for this pass
773 //
774 MdlAddress = NULL;
775 PagesLocked = FALSE;
776 FailedInMoving = FALSE;
777 ASSERT(FailedInProbe == FALSE);
778
779 //
780 // Protect user-mode copy
781 //
782 _SEH2_TRY
783 {
784 //
785 // If this is our first time, probe the buffer
786 //
787 if ((CurrentAddress == SourceAddress) && (PreviousMode != KernelMode))
788 {
789 //
790 // Catch a failure here
791 //
792 FailedInProbe = TRUE;
793
794 //
795 // Do the probe
796 //
797 ProbeForRead(SourceAddress, BufferSize, sizeof(CHAR));
798
799 //
800 // Passed
801 //
802 FailedInProbe = FALSE;
803 }
804
805 //
806 // Initialize and probe and lock the MDL
807 //
808 MmInitializeMdl(Mdl, CurrentAddress, CurrentSize);
809 MmProbeAndLockPages(Mdl, PreviousMode, IoReadAccess);
810 PagesLocked = TRUE;
811
812 //
813 // Now map the pages
814 //
815 MdlAddress = MmMapLockedPagesSpecifyCache(Mdl,
816 KernelMode,
817 MmCached,
818 NULL,
819 FALSE,
820 HighPagePriority);
821 if (!MdlAddress)
822 {
823 //
824 // Use our SEH handler to pick this up
825 //
826 FailedInMapping = TRUE;
827 ExRaiseStatus(STATUS_INSUFFICIENT_RESOURCES);
828 }
829
830 //
831 // Now let go of the source and grab to the target process
832 //
833 KeUnstackDetachProcess(&ApcState);
834 KeStackAttachProcess(&TargetProcess->Pcb, &ApcState);
835
836 //
837 // Check if this is our first time through
838 //
839 if ((CurrentAddress == SourceAddress) && (PreviousMode != KernelMode))
840 {
841 //
842 // Catch a failure here
843 //
844 FailedInProbe = TRUE;
845
846 //
847 // Do the probe
848 //
849 ProbeForWrite(TargetAddress, BufferSize, sizeof(CHAR));
850
851 //
852 // Passed
853 //
854 FailedInProbe = FALSE;
855 }
856
857 //
858 // Now do the actual move
859 //
860 FailedInMoving = TRUE;
861 RtlCopyMemory(CurrentTargetAddress, MdlAddress, CurrentSize);
862 }
863 _SEH2_EXCEPT(MiGetExceptionInfo(_SEH2_GetExceptionInformation(),
864 &HaveBadAddress,
865 &BadAddress))
866 {
867 //
868 // Detach from whoever we may be attached to
869 //
870 KeUnstackDetachProcess(&ApcState);
871
872 //
873 // Check if we had mapped the pages
874 //
875 if (MdlAddress) MmUnmapLockedPages(MdlAddress, Mdl);
876
877 //
878 // Check if we had locked the pages
879 //
880 if (PagesLocked) MmUnlockPages(Mdl);
881
882 //
883 // Check if we hit working set quota
884 //
885 if (_SEH2_GetExceptionCode() == STATUS_WORKING_SET_QUOTA)
886 {
887 //
888 // Return the error
889 //
890 return STATUS_WORKING_SET_QUOTA;
891 }
892
893 //
894 // Check if we failed during the probe or mapping
895 //
896 if ((FailedInProbe) || (FailedInMapping))
897 {
898 //
899 // Exit
900 //
901 Status = _SEH2_GetExceptionCode();
902 _SEH2_YIELD(return Status);
903 }
904
905 //
906 // Otherwise, we failed probably during the move
907 //
908 *ReturnSize = BufferSize - RemainingSize;
909 if (FailedInMoving)
910 {
911 //
912 // Check if we know exactly where we stopped copying
913 //
914 if (HaveBadAddress)
915 {
916 //
917 // Return the exact number of bytes copied
918 //
919 *ReturnSize = BadAddress - (ULONG_PTR)SourceAddress;
920 }
921 }
922
923 //
924 // Return partial copy
925 //
926 Status = STATUS_PARTIAL_COPY;
927 }
928 _SEH2_END;
929
930 //
931 // Check for SEH status
932 //
933 if (Status != STATUS_SUCCESS) return Status;
934
935 //
936 // Detach from target
937 //
938 KeUnstackDetachProcess(&ApcState);
939
940 //
941 // Unmap and unlock
942 //
943 MmUnmapLockedPages(MdlAddress, Mdl);
944 MmUnlockPages(Mdl);
945
946 //
947 // Update location and size
948 //
949 RemainingSize -= CurrentSize;
950 CurrentAddress = (PVOID)((ULONG_PTR)CurrentAddress + CurrentSize);
951 CurrentTargetAddress = (PVOID)((ULONG_PTR)CurrentTargetAddress + CurrentSize);
952 }
953
954 //
955 // All bytes read
956 //
957 *ReturnSize = BufferSize;
958 return STATUS_SUCCESS;
959 }
960
961 NTSTATUS
962 NTAPI
963 MiDoPoolCopy(IN PEPROCESS SourceProcess,
964 IN PVOID SourceAddress,
965 IN PEPROCESS TargetProcess,
966 OUT PVOID TargetAddress,
967 IN SIZE_T BufferSize,
968 IN KPROCESSOR_MODE PreviousMode,
969 OUT PSIZE_T ReturnSize)
970 {
971 UCHAR StackBuffer[MI_POOL_COPY_BYTES];
972 SIZE_T TotalSize, CurrentSize, RemainingSize;
973 volatile BOOLEAN FailedInProbe = FALSE, FailedInMoving, HavePoolAddress = FALSE;
974 PVOID CurrentAddress = SourceAddress, CurrentTargetAddress = TargetAddress;
975 PVOID PoolAddress;
976 KAPC_STATE ApcState;
977 BOOLEAN HaveBadAddress;
978 ULONG_PTR BadAddress;
979 NTSTATUS Status = STATUS_SUCCESS;
980 PAGED_CODE();
981
982 //
983 // Calculate the maximum amount of data to move
984 //
985 TotalSize = MI_MAX_TRANSFER_SIZE;
986 if (BufferSize <= MI_MAX_TRANSFER_SIZE) TotalSize = BufferSize;
987 CurrentSize = TotalSize;
988 RemainingSize = BufferSize;
989
990 //
991 // Check if we can use the stack
992 //
993 if (BufferSize <= MI_POOL_COPY_BYTES)
994 {
995 //
996 // Use it
997 //
998 PoolAddress = (PVOID)StackBuffer;
999 }
1000 else
1001 {
1002 //
1003 // Allocate pool
1004 //
1005 PoolAddress = ExAllocatePoolWithTag(NonPagedPool, TotalSize, 'VmRw');
1006 if (!PoolAddress) ASSERT(FALSE);
1007 HavePoolAddress = TRUE;
1008 }
1009
1010 //
1011 // Loop as long as there is still data
1012 //
1013 while (RemainingSize > 0)
1014 {
1015 //
1016 // Check if this transfer will finish everything off
1017 //
1018 if (RemainingSize < CurrentSize) CurrentSize = RemainingSize;
1019
1020 //
1021 // Attach to the source address space
1022 //
1023 KeStackAttachProcess(&SourceProcess->Pcb, &ApcState);
1024
1025 //
1026 // Reset state for this pass
1027 //
1028 FailedInMoving = FALSE;
1029 ASSERT(FailedInProbe == FALSE);
1030
1031 //
1032 // Protect user-mode copy
1033 //
1034 _SEH2_TRY
1035 {
1036 //
1037 // If this is our first time, probe the buffer
1038 //
1039 if ((CurrentAddress == SourceAddress) && (PreviousMode != KernelMode))
1040 {
1041 //
1042 // Catch a failure here
1043 //
1044 FailedInProbe = TRUE;
1045
1046 //
1047 // Do the probe
1048 //
1049 ProbeForRead(SourceAddress, BufferSize, sizeof(CHAR));
1050
1051 //
1052 // Passed
1053 //
1054 FailedInProbe = FALSE;
1055 }
1056
1057 //
1058 // Do the copy
1059 //
1060 RtlCopyMemory(PoolAddress, CurrentAddress, CurrentSize);
1061
1062 //
1063 // Now let go of the source and grab to the target process
1064 //
1065 KeUnstackDetachProcess(&ApcState);
1066 KeStackAttachProcess(&TargetProcess->Pcb, &ApcState);
1067
1068 //
1069 // Check if this is our first time through
1070 //
1071 if ((CurrentAddress == SourceAddress) && (PreviousMode != KernelMode))
1072 {
1073 //
1074 // Catch a failure here
1075 //
1076 FailedInProbe = TRUE;
1077
1078 //
1079 // Do the probe
1080 //
1081 ProbeForWrite(TargetAddress, BufferSize, sizeof(CHAR));
1082
1083 //
1084 // Passed
1085 //
1086 FailedInProbe = FALSE;
1087 }
1088
1089 //
1090 // Now do the actual move
1091 //
1092 FailedInMoving = TRUE;
1093 RtlCopyMemory(CurrentTargetAddress, PoolAddress, CurrentSize);
1094 }
1095 _SEH2_EXCEPT(MiGetExceptionInfo(_SEH2_GetExceptionInformation(),
1096 &HaveBadAddress,
1097 &BadAddress))
1098 {
1099 //
1100 // Detach from whoever we may be attached to
1101 //
1102 KeUnstackDetachProcess(&ApcState);
1103
1104 //
1105 // Check if we had allocated pool
1106 //
1107 if (HavePoolAddress) ExFreePool(PoolAddress);
1108
1109 //
1110 // Check if we failed during the probe
1111 //
1112 if (FailedInProbe)
1113 {
1114 //
1115 // Exit
1116 //
1117 Status = _SEH2_GetExceptionCode();
1118 _SEH2_YIELD(return Status);
1119 }
1120
1121 //
1122 // Otherwise, we failed, probably during the move
1123 //
1124 *ReturnSize = BufferSize - RemainingSize;
1125 if (FailedInMoving)
1126 {
1127 //
1128 // Check if we know exactly where we stopped copying
1129 //
1130 if (HaveBadAddress)
1131 {
1132 //
1133 // Return the exact number of bytes copied
1134 //
1135 *ReturnSize = BadAddress - (ULONG_PTR)SourceAddress;
1136 }
1137 }
1138
1139 //
1140 // Return partial copy
1141 //
1142 Status = STATUS_PARTIAL_COPY;
1143 }
1144 _SEH2_END;
1145
1146 //
1147 // Check for SEH status
1148 //
1149 if (Status != STATUS_SUCCESS) return Status;
1150
1151 //
1152 // Detach from target
1153 //
1154 KeUnstackDetachProcess(&ApcState);
1155
1156 //
1157 // Update location and size
1158 //
1159 RemainingSize -= CurrentSize;
1160 CurrentAddress = (PVOID)((ULONG_PTR)CurrentAddress + CurrentSize);
1161 CurrentTargetAddress = (PVOID)((ULONG_PTR)CurrentTargetAddress +
1162 CurrentSize);
1163 }
1164
1165 //
1166 // Check if we had allocated pool
1167 //
1168 if (HavePoolAddress) ExFreePool(PoolAddress);
1169
1170 //
1171 // All bytes read
1172 //
1173 *ReturnSize = BufferSize;
1174 return STATUS_SUCCESS;
1175 }
1176
1177 NTSTATUS
1178 NTAPI
1179 MmCopyVirtualMemory(IN PEPROCESS SourceProcess,
1180 IN PVOID SourceAddress,
1181 IN PEPROCESS TargetProcess,
1182 OUT PVOID TargetAddress,
1183 IN SIZE_T BufferSize,
1184 IN KPROCESSOR_MODE PreviousMode,
1185 OUT PSIZE_T ReturnSize)
1186 {
1187 NTSTATUS Status;
1188 PEPROCESS Process = SourceProcess;
1189
1190 //
1191 // Don't accept zero-sized buffers
1192 //
1193 if (!BufferSize) return STATUS_SUCCESS;
1194
1195 //
1196 // If we are copying from ourselves, lock the target instead
1197 //
1198 if (SourceProcess == PsGetCurrentProcess()) Process = TargetProcess;
1199
1200 //
1201 // Acquire rundown protection
1202 //
1203 if (!ExAcquireRundownProtection(&Process->RundownProtect))
1204 {
1205 //
1206 // Fail
1207 //
1208 return STATUS_PROCESS_IS_TERMINATING;
1209 }
1210
1211 //
1212 // See if we should use the pool copy
1213 //
1214 if (BufferSize > MI_POOL_COPY_BYTES)
1215 {
1216 //
1217 // Use MDL-copy
1218 //
1219 Status = MiDoMappedCopy(SourceProcess,
1220 SourceAddress,
1221 TargetProcess,
1222 TargetAddress,
1223 BufferSize,
1224 PreviousMode,
1225 ReturnSize);
1226 }
1227 else
1228 {
1229 //
1230 // Do pool copy
1231 //
1232 Status = MiDoPoolCopy(SourceProcess,
1233 SourceAddress,
1234 TargetProcess,
1235 TargetAddress,
1236 BufferSize,
1237 PreviousMode,
1238 ReturnSize);
1239 }
1240
1241 //
1242 // Release the lock
1243 //
1244 ExReleaseRundownProtection(&Process->RundownProtect);
1245 return Status;
1246 }
1247
1248 NTSTATUS
1249 NTAPI
1250 MmFlushVirtualMemory(IN PEPROCESS Process,
1251 IN OUT PVOID *BaseAddress,
1252 IN OUT PSIZE_T RegionSize,
1253 OUT PIO_STATUS_BLOCK IoStatusBlock)
1254 {
1255 PAGED_CODE();
1256 UNIMPLEMENTED;
1257
1258 //
1259 // Fake success
1260 //
1261 return STATUS_SUCCESS;
1262 }
1263
1264 ULONG
1265 NTAPI
1266 MiGetPageProtection(IN PMMPTE PointerPte)
1267 {
1268 MMPTE TempPte;
1269 PMMPFN Pfn;
1270 PAGED_CODE();
1271
1272 /* Copy this PTE's contents */
1273 TempPte = *PointerPte;
1274
1275 /* Assure it's not totally zero */
1276 ASSERT(TempPte.u.Long);
1277
1278 /* Check for a special prototype format */
1279 if (TempPte.u.Soft.Valid == 0 &&
1280 TempPte.u.Soft.Prototype == 1)
1281 {
1282 /* Unsupported now */
1283 UNIMPLEMENTED;
1284 ASSERT(FALSE);
1285 }
1286
1287 /* In the easy case of transition or demand zero PTE just return its protection */
1288 if (!TempPte.u.Hard.Valid) return MmProtectToValue[TempPte.u.Soft.Protection];
1289
1290 /* If we get here, the PTE is valid, so look up the page in PFN database */
1291 Pfn = MiGetPfnEntry(TempPte.u.Hard.PageFrameNumber);
1292 if (!Pfn->u3.e1.PrototypePte)
1293 {
1294 /* Return protection of the original pte */
1295 ASSERT(Pfn->u4.AweAllocation == 0);
1296 return MmProtectToValue[Pfn->OriginalPte.u.Soft.Protection];
1297 }
1298
1299 /* This is software PTE */
1300 DPRINT1("Prototype PTE: %lx %p\n", TempPte.u.Hard.PageFrameNumber, Pfn);
1301 DPRINT1("VA: %p\n", MiPteToAddress(&TempPte));
1302 DPRINT1("Mask: %lx\n", TempPte.u.Soft.Protection);
1303 DPRINT1("Mask2: %lx\n", Pfn->OriginalPte.u.Soft.Protection);
1304 return MmProtectToValue[TempPte.u.Soft.Protection];
1305 }
1306
1307 ULONG
1308 NTAPI
1309 MiQueryAddressState(IN PVOID Va,
1310 IN PMMVAD Vad,
1311 IN PEPROCESS TargetProcess,
1312 OUT PULONG ReturnedProtect,
1313 OUT PVOID *NextVa)
1314 {
1315
1316 PMMPTE PointerPte, ProtoPte;
1317 PMMPDE PointerPde;
1318 MMPTE TempPte, TempProtoPte;
1319 BOOLEAN DemandZeroPte = TRUE, ValidPte = FALSE;
1320 ULONG State = MEM_RESERVE, Protect = 0;
1321 ASSERT((Vad->StartingVpn <= ((ULONG_PTR)Va >> PAGE_SHIFT)) &&
1322 (Vad->EndingVpn >= ((ULONG_PTR)Va >> PAGE_SHIFT)));
1323
1324 /* Only normal VADs supported */
1325 ASSERT(Vad->u.VadFlags.VadType == VadNone);
1326
1327 /* Get the PDE and PTE for the address */
1328 PointerPde = MiAddressToPde(Va);
1329 PointerPte = MiAddressToPte(Va);
1330
1331 /* Return the next range */
1332 *NextVa = (PVOID)((ULONG_PTR)Va + PAGE_SIZE);
1333
1334 /* Is the PDE demand-zero? */
1335 if (PointerPde->u.Long != 0)
1336 {
1337 /* It is not. Is it valid? */
1338 if (PointerPde->u.Hard.Valid == 0)
1339 {
1340 /* Is isn't, fault it in */
1341 PointerPte = MiPteToAddress(PointerPde);
1342 MiMakeSystemAddressValid(PointerPte, TargetProcess);
1343 ValidPte = TRUE;
1344 }
1345 }
1346 else
1347 {
1348 /* It is, skip it and move to the next PDE */
1349 *NextVa = MiPdeToAddress(PointerPde + 1);
1350 }
1351
1352 /* Is it safe to try reading the PTE? */
1353 if (ValidPte)
1354 {
1355 /* FIXME: watch out for large pages */
1356 ASSERT(PointerPde->u.Hard.LargePage == FALSE);
1357
1358 /* Capture the PTE */
1359 TempPte = *PointerPte;
1360 if (TempPte.u.Long != 0)
1361 {
1362 /* The PTE is valid, so it's not zeroed out */
1363 DemandZeroPte = FALSE;
1364
1365 /* Is it a decommited, invalid, or faulted PTE? */
1366 if ((TempPte.u.Soft.Protection == MM_DECOMMIT) &&
1367 (TempPte.u.Hard.Valid == 0) &&
1368 ((TempPte.u.Soft.Prototype == 0) ||
1369 (TempPte.u.Soft.PageFileHigh == MI_PTE_LOOKUP_NEEDED)))
1370 {
1371 /* Otherwise our defaults should hold */
1372 ASSERT(Protect == 0);
1373 ASSERT(State == MEM_RESERVE);
1374 }
1375 else
1376 {
1377 /* This means it's committed */
1378 State = MEM_COMMIT;
1379
1380 /* We don't support these */
1381 ASSERT(Vad->u.VadFlags.VadType != VadDevicePhysicalMemory);
1382 ASSERT(Vad->u.VadFlags.VadType != VadRotatePhysical);
1383 ASSERT(Vad->u.VadFlags.VadType != VadAwe);
1384
1385 /* Get protection state of this page */
1386 Protect = MiGetPageProtection(PointerPte);
1387
1388 /* Check if this is an image-backed VAD */
1389 if ((TempPte.u.Soft.Valid == 0) &&
1390 (TempPte.u.Soft.Prototype == 1) &&
1391 (Vad->u.VadFlags.PrivateMemory == 0) &&
1392 (Vad->ControlArea))
1393 {
1394 DPRINT1("Not supported\n");
1395 ASSERT(FALSE);
1396 }
1397 }
1398 }
1399 }
1400
1401 /* Check if this was a demand-zero PTE, since we need to find the state */
1402 if (DemandZeroPte)
1403 {
1404 /* Not yet handled */
1405 ASSERT(Vad->u.VadFlags.VadType != VadDevicePhysicalMemory);
1406 ASSERT(Vad->u.VadFlags.VadType != VadAwe);
1407
1408 /* Check if this is private commited memory, or an section-backed VAD */
1409 if ((Vad->u.VadFlags.PrivateMemory == 0) && (Vad->ControlArea))
1410 {
1411 /* Tell caller about the next range */
1412 *NextVa = (PVOID)((ULONG_PTR)Va + PAGE_SIZE);
1413
1414 /* Get the prototype PTE for this VAD */
1415 ProtoPte = MI_GET_PROTOTYPE_PTE_FOR_VPN(Vad,
1416 (ULONG_PTR)Va >> PAGE_SHIFT);
1417 if (ProtoPte)
1418 {
1419 /* We should unlock the working set, but it's not being held! */
1420
1421 /* Is the prototype PTE actually valid (committed)? */
1422 TempProtoPte = *ProtoPte;
1423 if (TempProtoPte.u.Long)
1424 {
1425 /* Unless this is a memory-mapped file, handle it like private VAD */
1426 State = MEM_COMMIT;
1427 ASSERT(Vad->u.VadFlags.VadType != VadImageMap);
1428 Protect = MmProtectToValue[Vad->u.VadFlags.Protection];
1429 }
1430
1431 /* We should re-lock the working set */
1432 }
1433 }
1434 else if (Vad->u.VadFlags.MemCommit)
1435 {
1436 /* This is committed memory */
1437 State = MEM_COMMIT;
1438
1439 /* Convert the protection */
1440 Protect = MmProtectToValue[Vad->u.VadFlags.Protection];
1441 }
1442 }
1443
1444 /* Return the protection code */
1445 *ReturnedProtect = Protect;
1446 return State;
1447 }
1448
1449 NTSTATUS
1450 NTAPI
1451 MiQueryMemoryBasicInformation(IN HANDLE ProcessHandle,
1452 IN PVOID BaseAddress,
1453 OUT PVOID MemoryInformation,
1454 IN SIZE_T MemoryInformationLength,
1455 OUT PSIZE_T ReturnLength)
1456 {
1457 PEPROCESS TargetProcess;
1458 NTSTATUS Status = STATUS_SUCCESS;
1459 PMMVAD Vad = NULL;
1460 PVOID Address, NextAddress;
1461 BOOLEAN Found = FALSE;
1462 ULONG NewProtect, NewState;
1463 ULONG_PTR BaseVpn;
1464 MEMORY_BASIC_INFORMATION MemoryInfo;
1465 KAPC_STATE ApcState;
1466 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
1467 PMEMORY_AREA MemoryArea;
1468 SIZE_T ResultLength;
1469
1470 /* Check for illegal addresses in user-space, or the shared memory area */
1471 if ((BaseAddress > MM_HIGHEST_VAD_ADDRESS) ||
1472 (PAGE_ALIGN(BaseAddress) == (PVOID)MM_SHARED_USER_DATA_VA))
1473 {
1474 Address = PAGE_ALIGN(BaseAddress);
1475
1476 /* Make up an info structure describing this range */
1477 MemoryInfo.BaseAddress = Address;
1478 MemoryInfo.AllocationProtect = PAGE_READONLY;
1479 MemoryInfo.Type = MEM_PRIVATE;
1480
1481 /* Special case for shared data */
1482 if (Address == (PVOID)MM_SHARED_USER_DATA_VA)
1483 {
1484 MemoryInfo.AllocationBase = (PVOID)MM_SHARED_USER_DATA_VA;
1485 MemoryInfo.State = MEM_COMMIT;
1486 MemoryInfo.Protect = PAGE_READONLY;
1487 MemoryInfo.RegionSize = PAGE_SIZE;
1488 }
1489 else
1490 {
1491 MemoryInfo.AllocationBase = (PCHAR)MM_HIGHEST_VAD_ADDRESS + 1;
1492 MemoryInfo.State = MEM_RESERVE;
1493 MemoryInfo.Protect = PAGE_NOACCESS;
1494 MemoryInfo.RegionSize = (ULONG_PTR)MM_HIGHEST_USER_ADDRESS + 1 - (ULONG_PTR)Address;
1495 }
1496
1497 /* Return the data, NtQueryInformation already probed it*/
1498 if (PreviousMode != KernelMode)
1499 {
1500 _SEH2_TRY
1501 {
1502 *(PMEMORY_BASIC_INFORMATION)MemoryInformation = MemoryInfo;
1503 if (ReturnLength) *ReturnLength = sizeof(MEMORY_BASIC_INFORMATION);
1504 }
1505 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
1506 {
1507 Status = _SEH2_GetExceptionCode();
1508 }
1509 _SEH2_END;
1510 }
1511 else
1512 {
1513 *(PMEMORY_BASIC_INFORMATION)MemoryInformation = MemoryInfo;
1514 if (ReturnLength) *ReturnLength = sizeof(MEMORY_BASIC_INFORMATION);
1515 }
1516
1517 return Status;
1518 }
1519
1520 /* Check if this is for a local or remote process */
1521 if (ProcessHandle == NtCurrentProcess())
1522 {
1523 TargetProcess = PsGetCurrentProcess();
1524 }
1525 else
1526 {
1527 /* Reference the target process */
1528 Status = ObReferenceObjectByHandle(ProcessHandle,
1529 PROCESS_QUERY_INFORMATION,
1530 PsProcessType,
1531 ExGetPreviousMode(),
1532 (PVOID*)&TargetProcess,
1533 NULL);
1534 if (!NT_SUCCESS(Status)) return Status;
1535
1536 /* Attach to it now */
1537 KeStackAttachProcess(&TargetProcess->Pcb, &ApcState);
1538 }
1539
1540 /* Loop the VADs */
1541 ASSERT(TargetProcess->VadRoot.NumberGenericTableElements);
1542 if (TargetProcess->VadRoot.NumberGenericTableElements)
1543 {
1544 /* Scan on the right */
1545 Vad = (PMMVAD)TargetProcess->VadRoot.BalancedRoot.RightChild;
1546 BaseVpn = (ULONG_PTR)BaseAddress >> PAGE_SHIFT;
1547 while (Vad)
1548 {
1549 /* Check if this VAD covers the allocation range */
1550 if ((BaseVpn >= Vad->StartingVpn) &&
1551 (BaseVpn <= Vad->EndingVpn))
1552 {
1553 /* We're done */
1554 Found = TRUE;
1555 break;
1556 }
1557
1558 /* Check if this VAD is too high */
1559 if (BaseVpn < Vad->StartingVpn)
1560 {
1561 /* Stop if there is no left child */
1562 if (!Vad->LeftChild) break;
1563
1564 /* Search on the left next */
1565 Vad = Vad->LeftChild;
1566 }
1567 else
1568 {
1569 /* Then this VAD is too low, keep searching on the right */
1570 ASSERT(BaseVpn > Vad->EndingVpn);
1571
1572 /* Stop if there is no right child */
1573 if (!Vad->RightChild) break;
1574
1575 /* Search on the right next */
1576 Vad = Vad->RightChild;
1577 }
1578 }
1579 }
1580
1581 /* Was a VAD found? */
1582 if (!Found)
1583 {
1584 Address = PAGE_ALIGN(BaseAddress);
1585
1586 /* Calculate region size */
1587 if (Vad)
1588 {
1589 if (Vad->StartingVpn >= BaseVpn)
1590 {
1591 /* Region size is the free space till the start of that VAD */
1592 MemoryInfo.RegionSize = (ULONG_PTR)(Vad->StartingVpn << PAGE_SHIFT) - (ULONG_PTR)Address;
1593 }
1594 else
1595 {
1596 /* Get the next VAD */
1597 Vad = (PMMVAD)MiGetNextNode((PMMADDRESS_NODE)Vad);
1598 if (Vad)
1599 {
1600 /* Region size is the free space till the start of that VAD */
1601 MemoryInfo.RegionSize = (ULONG_PTR)(Vad->StartingVpn << PAGE_SHIFT) - (ULONG_PTR)Address;
1602 }
1603 else
1604 {
1605 /* Maximum possible region size with that base address */
1606 MemoryInfo.RegionSize = (PCHAR)MM_HIGHEST_VAD_ADDRESS + 1 - (PCHAR)Address;
1607 }
1608 }
1609 }
1610 else
1611 {
1612 /* Maximum possible region size with that base address */
1613 MemoryInfo.RegionSize = (PCHAR)MM_HIGHEST_VAD_ADDRESS + 1 - (PCHAR)Address;
1614 }
1615
1616 /* Check if we were attached */
1617 if (ProcessHandle != NtCurrentProcess())
1618 {
1619 /* Detach and derefernece the process */
1620 KeUnstackDetachProcess(&ApcState);
1621 ObDereferenceObject(TargetProcess);
1622 }
1623
1624 /* Build the rest of the initial information block */
1625 MemoryInfo.BaseAddress = Address;
1626 MemoryInfo.AllocationBase = NULL;
1627 MemoryInfo.AllocationProtect = 0;
1628 MemoryInfo.State = MEM_FREE;
1629 MemoryInfo.Protect = PAGE_NOACCESS;
1630 MemoryInfo.Type = 0;
1631
1632 /* Return the data, NtQueryInformation already probed it*/
1633 if (PreviousMode != KernelMode)
1634 {
1635 _SEH2_TRY
1636 {
1637 *(PMEMORY_BASIC_INFORMATION)MemoryInformation = MemoryInfo;
1638 if (ReturnLength) *ReturnLength = sizeof(MEMORY_BASIC_INFORMATION);
1639 }
1640 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
1641 {
1642 Status = _SEH2_GetExceptionCode();
1643 }
1644 _SEH2_END;
1645 }
1646 else
1647 {
1648 *(PMEMORY_BASIC_INFORMATION)MemoryInformation = MemoryInfo;
1649 if (ReturnLength) *ReturnLength = sizeof(MEMORY_BASIC_INFORMATION);
1650 }
1651
1652 return Status;
1653 }
1654
1655 /* Set the correct memory type based on what kind of VAD this is */
1656 if ((Vad->u.VadFlags.PrivateMemory) ||
1657 (Vad->u.VadFlags.VadType == VadRotatePhysical))
1658 {
1659 MemoryInfo.Type = MEM_PRIVATE;
1660 }
1661 else if (Vad->u.VadFlags.VadType == VadImageMap)
1662 {
1663 MemoryInfo.Type = MEM_IMAGE;
1664 }
1665 else
1666 {
1667 MemoryInfo.Type = MEM_MAPPED;
1668 }
1669
1670 /* Lock the address space of the process */
1671 MmLockAddressSpace(&TargetProcess->Vm);
1672
1673 /* Find the memory area the specified address belongs to */
1674 MemoryArea = MmLocateMemoryAreaByAddress(&TargetProcess->Vm, BaseAddress);
1675 ASSERT(MemoryArea != NULL);
1676
1677 /* Determine information dependent on the memory area type */
1678 if (MemoryArea->Type == MEMORY_AREA_SECTION_VIEW)
1679 {
1680 Status = MmQuerySectionView(MemoryArea, BaseAddress, &MemoryInfo, &ResultLength);
1681 ASSERT(NT_SUCCESS(Status));
1682 }
1683 else
1684 {
1685 /* Build the initial information block */
1686 Address = PAGE_ALIGN(BaseAddress);
1687 MemoryInfo.BaseAddress = Address;
1688 MemoryInfo.AllocationBase = (PVOID)(Vad->StartingVpn << PAGE_SHIFT);
1689 MemoryInfo.AllocationProtect = MmProtectToValue[Vad->u.VadFlags.Protection];
1690 MemoryInfo.Type = MEM_PRIVATE;
1691
1692 /* Find the largest chunk of memory which has the same state and protection mask */
1693 MemoryInfo.State = MiQueryAddressState(Address,
1694 Vad,
1695 TargetProcess,
1696 &MemoryInfo.Protect,
1697 &NextAddress);
1698 Address = NextAddress;
1699 while (((ULONG_PTR)Address >> PAGE_SHIFT) <= Vad->EndingVpn)
1700 {
1701 /* Keep going unless the state or protection mask changed */
1702 NewState = MiQueryAddressState(Address, Vad, TargetProcess, &NewProtect, &NextAddress);
1703 if ((NewState != MemoryInfo.State) || (NewProtect != MemoryInfo.Protect)) break;
1704 Address = NextAddress;
1705 }
1706
1707 /* Now that we know the last VA address, calculate the region size */
1708 MemoryInfo.RegionSize = ((ULONG_PTR)Address - (ULONG_PTR)MemoryInfo.BaseAddress);
1709 }
1710
1711 /* Unlock the address space of the process */
1712 MmUnlockAddressSpace(&TargetProcess->Vm);
1713
1714 /* Check if we were attached */
1715 if (ProcessHandle != NtCurrentProcess())
1716 {
1717 /* Detach and derefernece the process */
1718 KeUnstackDetachProcess(&ApcState);
1719 ObDereferenceObject(TargetProcess);
1720 }
1721
1722 /* Return the data, NtQueryInformation already probed it*/
1723 if (PreviousMode != KernelMode)
1724 {
1725 _SEH2_TRY
1726 {
1727 *(PMEMORY_BASIC_INFORMATION)MemoryInformation = MemoryInfo;
1728 if (ReturnLength) *ReturnLength = sizeof(MEMORY_BASIC_INFORMATION);
1729 }
1730 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
1731 {
1732 Status = _SEH2_GetExceptionCode();
1733 }
1734 _SEH2_END;
1735 }
1736 else
1737 {
1738 *(PMEMORY_BASIC_INFORMATION)MemoryInformation = MemoryInfo;
1739 if (ReturnLength) *ReturnLength = sizeof(MEMORY_BASIC_INFORMATION);
1740 }
1741
1742 /* All went well */
1743 DPRINT("Base: %p AllocBase: %p AllocProtect: %lx Protect: %lx "
1744 "State: %lx Type: %lx Size: %lx\n",
1745 MemoryInfo.BaseAddress, MemoryInfo.AllocationBase,
1746 MemoryInfo.AllocationProtect, MemoryInfo.Protect,
1747 MemoryInfo.State, MemoryInfo.Type, MemoryInfo.RegionSize);
1748
1749 return Status;
1750 }
1751
1752 NTSTATUS
1753 NTAPI
1754 MiProtectVirtualMemory(IN PEPROCESS Process,
1755 IN OUT PVOID *BaseAddress,
1756 IN OUT PSIZE_T NumberOfBytesToProtect,
1757 IN ULONG NewAccessProtection,
1758 OUT PULONG OldAccessProtection OPTIONAL)
1759 {
1760 PMEMORY_AREA MemoryArea;
1761 PMMVAD Vad;
1762 PMMSUPPORT AddressSpace;
1763 ULONG_PTR StartingAddress, EndingAddress;
1764 PMMPTE PointerPde, PointerPte, LastPte;
1765 MMPTE PteContents;
1766 //PUSHORT UsedPageTableEntries;
1767 PMMPFN Pfn1;
1768 ULONG ProtectionMask;
1769 NTSTATUS Status = STATUS_SUCCESS;
1770
1771 /* Check for ROS specific memory area */
1772 MemoryArea = MmLocateMemoryAreaByAddress(&Process->Vm, *BaseAddress);
1773 if ((MemoryArea) && (MemoryArea->Type == MEMORY_AREA_SECTION_VIEW))
1774 {
1775 return MiRosProtectVirtualMemory(Process,
1776 BaseAddress,
1777 NumberOfBytesToProtect,
1778 NewAccessProtection,
1779 OldAccessProtection);
1780 }
1781
1782 /* Calcualte base address for the VAD */
1783 StartingAddress = (ULONG_PTR)PAGE_ALIGN((*BaseAddress));
1784 EndingAddress = (((ULONG_PTR)*BaseAddress + *NumberOfBytesToProtect - 1) | (PAGE_SIZE - 1));
1785
1786 /* Calculate the protection mask and make sure it's valid */
1787 ProtectionMask = MiMakeProtectionMask(NewAccessProtection);
1788 if (ProtectionMask == MM_INVALID_PROTECTION)
1789 {
1790 DPRINT1("Invalid protection mask\n");
1791 return STATUS_INVALID_PAGE_PROTECTION;
1792 }
1793
1794 /* Lock the address space and make sure the process isn't already dead */
1795 AddressSpace = MmGetCurrentAddressSpace();
1796 MmLockAddressSpace(AddressSpace);
1797 if (Process->VmDeleted)
1798 {
1799 DPRINT1("Process is dying\n");
1800 Status = STATUS_PROCESS_IS_TERMINATING;
1801 goto FailPath;
1802 }
1803
1804 /* Get the VAD for this address range, and make sure it exists */
1805 Vad = (PMMVAD)MiCheckForConflictingNode(StartingAddress >> PAGE_SHIFT,
1806 EndingAddress >> PAGE_SHIFT,
1807 &Process->VadRoot);
1808 if (!Vad)
1809 {
1810 DPRINT("Could not find a VAD for this allocation\n");
1811 Status = STATUS_CONFLICTING_ADDRESSES;
1812 goto FailPath;
1813 }
1814
1815 /* Make sure the address is within this VAD's boundaries */
1816 if ((((ULONG_PTR)StartingAddress >> PAGE_SHIFT) < Vad->StartingVpn) ||
1817 (((ULONG_PTR)EndingAddress >> PAGE_SHIFT) > Vad->EndingVpn))
1818 {
1819 Status = STATUS_CONFLICTING_ADDRESSES;
1820 goto FailPath;
1821 }
1822
1823 /* These kinds of VADs are not supported atm */
1824 if ((Vad->u.VadFlags.VadType == VadAwe) ||
1825 (Vad->u.VadFlags.VadType == VadDevicePhysicalMemory) ||
1826 (Vad->u.VadFlags.VadType == VadLargePages))
1827 {
1828 DPRINT1("Illegal VAD for attempting to set protection\n");
1829 Status = STATUS_CONFLICTING_ADDRESSES;
1830 goto FailPath;
1831 }
1832
1833 /* Check for a VAD whose protection can't be changed */
1834 if (Vad->u.VadFlags.NoChange == 1)
1835 {
1836 DPRINT1("Trying to change protection of a NoChange VAD\n");
1837 Status = STATUS_INVALID_PAGE_PROTECTION;
1838 goto FailPath;
1839 }
1840
1841 if (Vad->u.VadFlags.PrivateMemory == 0)
1842 {
1843 /* This is a section, handled by the ROS specific code above */
1844 UNIMPLEMENTED;
1845 }
1846 else
1847 {
1848 /* Private memory, check protection flags */
1849 if ((NewAccessProtection & PAGE_WRITECOPY) ||
1850 (NewAccessProtection & PAGE_EXECUTE_WRITECOPY))
1851 {
1852 Status = STATUS_INVALID_PARAMETER_4;
1853 goto FailPath;
1854 }
1855
1856 //MiLockProcessWorkingSet(Thread, Process);
1857
1858 /* TODO: Check if all pages in this range are committed */
1859
1860 /* Compute starting and ending PTE and PDE addresses */
1861 PointerPde = MiAddressToPde(StartingAddress);
1862 PointerPte = MiAddressToPte(StartingAddress);
1863 LastPte = MiAddressToPte(EndingAddress);
1864
1865 /* Make this PDE valid */
1866 MiMakePdeExistAndMakeValid(PointerPde, Process, MM_NOIRQL);
1867
1868 /* Save protection of the first page */
1869 if (PointerPte->u.Long != 0)
1870 {
1871 /* Capture the page protection and make the PDE valid */
1872 *OldAccessProtection = MiGetPageProtection(PointerPte);
1873 MiMakePdeExistAndMakeValid(PointerPde, Process, MM_NOIRQL);
1874 }
1875 else
1876 {
1877 /* Grab the old protection from the VAD itself */
1878 *OldAccessProtection = MmProtectToValue[Vad->u.VadFlags.Protection];
1879 }
1880
1881 /* Loop all the PTEs now */
1882 while (PointerPte <= LastPte)
1883 {
1884 /* Check if we've crossed a PDE boundary and make the new PDE valid too */
1885 if ((((ULONG_PTR)PointerPte) & (SYSTEM_PD_SIZE - 1)) == 0)
1886 {
1887 PointerPde = MiAddressToPte(PointerPte);
1888 MiMakePdeExistAndMakeValid(PointerPde, Process, MM_NOIRQL);
1889 }
1890
1891 /* Capture the PTE and see what we're dealing with */
1892 PteContents = *PointerPte;
1893 if (PteContents.u.Long == 0)
1894 {
1895 /* This used to be a zero PTE and it no longer is, so we must add a
1896 reference to the pagetable. */
1897 //UsedPageTableEntries = &MmWorkingSetList->UsedPageTableEntries[MiGetPdeOffset(MiPteToAddress(PointerPte))];
1898 //(*UsedPageTableEntries)++;
1899 //ASSERT((*UsedPageTableEntries) <= PTE_COUNT);
1900 DPRINT1("HACK: Not increasing UsedPageTableEntries count!\n");
1901 }
1902 else if (PteContents.u.Hard.Valid == 1)
1903 {
1904 /* Get the PFN entry */
1905 Pfn1 = MiGetPfnEntry(PFN_FROM_PTE(&PteContents));
1906
1907 /* We don't support this yet */
1908 ASSERT(Pfn1->u3.e1.PrototypePte == 0);
1909
1910 /* Check if the page should not be accessible at all */
1911 if ((NewAccessProtection & PAGE_NOACCESS) ||
1912 (NewAccessProtection & PAGE_GUARD))
1913 {
1914 /* TODO */
1915 UNIMPLEMENTED;
1916 }
1917 else
1918 {
1919 /* Write the protection mask and write it with a TLB flush */
1920 Pfn1->OriginalPte.u.Soft.Protection = ProtectionMask;
1921 MiFlushTbAndCapture(Vad,
1922 PointerPte,
1923 ProtectionMask,
1924 Pfn1,
1925 TRUE);
1926 }
1927 }
1928 else
1929 {
1930 /* We don't support these cases yet */
1931 ASSERT(PteContents.u.Soft.Prototype == 0);
1932 ASSERT(PteContents.u.Soft.Transition == 0);
1933
1934 /* The PTE is already demand-zero, just update the protection mask */
1935 PointerPte->u.Soft.Protection = ProtectionMask;
1936 }
1937
1938 PointerPte++;
1939 }
1940
1941 /* Unlock the working set and update quota charges if needed, then return */
1942 //MiUnlockProcessWorkingSet(Thread, Process);
1943 }
1944
1945 FailPath:
1946 /* Unlock the address space */
1947 MmUnlockAddressSpace(AddressSpace);
1948
1949 /* Return parameters */
1950 *NumberOfBytesToProtect = (SIZE_T)((PUCHAR)EndingAddress - (PUCHAR)StartingAddress + 1);
1951 *BaseAddress = (PVOID)StartingAddress;
1952
1953 return Status;
1954 }
1955
1956 VOID
1957 NTAPI
1958 MiMakePdeExistAndMakeValid(IN PMMPTE PointerPde,
1959 IN PEPROCESS TargetProcess,
1960 IN KIRQL OldIrql)
1961 {
1962 PMMPTE PointerPte, PointerPpe, PointerPxe;
1963
1964 //
1965 // Sanity checks. The latter is because we only use this function with the
1966 // PFN lock not held, so it may go away in the future.
1967 //
1968 ASSERT(KeAreAllApcsDisabled() == TRUE);
1969 ASSERT(OldIrql == MM_NOIRQL);
1970
1971 //
1972 // Also get the PPE and PXE. This is okay not to #ifdef because they will
1973 // return the same address as the PDE on 2-level page table systems.
1974 //
1975 // If everything is already valid, there is nothing to do.
1976 //
1977 PointerPpe = MiAddressToPte(PointerPde);
1978 PointerPxe = MiAddressToPde(PointerPde);
1979 if ((PointerPxe->u.Hard.Valid) &&
1980 (PointerPpe->u.Hard.Valid) &&
1981 (PointerPde->u.Hard.Valid))
1982 {
1983 return;
1984 }
1985
1986 //
1987 // At least something is invalid, so begin by getting the PTE for the PDE itself
1988 // and then lookup each additional level. We must do it in this precise order
1989 // because the pagfault.c code (as well as in Windows) depends that the next
1990 // level up (higher) must be valid when faulting a lower level
1991 //
1992 PointerPte = MiPteToAddress(PointerPde);
1993 do
1994 {
1995 //
1996 // Make sure APCs continued to be disabled
1997 //
1998 ASSERT(KeAreAllApcsDisabled() == TRUE);
1999
2000 //
2001 // First, make the PXE valid if needed
2002 //
2003 if (!PointerPxe->u.Hard.Valid)
2004 {
2005 MiMakeSystemAddressValid(PointerPpe, TargetProcess);
2006 ASSERT(PointerPxe->u.Hard.Valid == 1);
2007 }
2008
2009 //
2010 // Next, the PPE
2011 //
2012 if (!PointerPpe->u.Hard.Valid)
2013 {
2014 MiMakeSystemAddressValid(PointerPde, TargetProcess);
2015 ASSERT(PointerPpe->u.Hard.Valid == 1);
2016 }
2017
2018 //
2019 // And finally, make the PDE itself valid.
2020 //
2021 MiMakeSystemAddressValid(PointerPte, TargetProcess);
2022
2023 //
2024 // This should've worked the first time so the loop is really just for
2025 // show -- ASSERT that we're actually NOT going to be looping.
2026 //
2027 ASSERT(PointerPxe->u.Hard.Valid == 1);
2028 ASSERT(PointerPpe->u.Hard.Valid == 1);
2029 ASSERT(PointerPde->u.Hard.Valid == 1);
2030 } while (!(PointerPxe->u.Hard.Valid) ||
2031 !(PointerPpe->u.Hard.Valid) ||
2032 !(PointerPde->u.Hard.Valid));
2033 }
2034
2035 VOID
2036 NTAPI
2037 MiProcessValidPteList(IN PMMPTE *ValidPteList,
2038 IN ULONG Count)
2039 {
2040 KIRQL OldIrql;
2041 ULONG i;
2042 MMPTE TempPte;
2043 PFN_NUMBER PageFrameIndex;
2044 PMMPFN Pfn1, Pfn2;
2045
2046 //
2047 // Acquire the PFN lock and loop all the PTEs in the list
2048 //
2049 OldIrql = KeAcquireQueuedSpinLock(LockQueuePfnLock);
2050 for (i = 0; i != Count; i++)
2051 {
2052 //
2053 // The PTE must currently be valid
2054 //
2055 TempPte = *ValidPteList[i];
2056 ASSERT(TempPte.u.Hard.Valid == 1);
2057
2058 //
2059 // Get the PFN entry for the page itself, and then for its page table
2060 //
2061 PageFrameIndex = PFN_FROM_PTE(&TempPte);
2062 Pfn1 = MiGetPfnEntry(PageFrameIndex);
2063 Pfn2 = MiGetPfnEntry(Pfn1->u4.PteFrame);
2064
2065 //
2066 // Decrement the share count on the page table, and then on the page
2067 // itself
2068 //
2069 MiDecrementShareCount(Pfn2, Pfn1->u4.PteFrame);
2070 MI_SET_PFN_DELETED(Pfn1);
2071 MiDecrementShareCount(Pfn1, PageFrameIndex);
2072
2073 //
2074 // Make the page decommitted
2075 //
2076 MI_WRITE_INVALID_PTE(ValidPteList[i], MmDecommittedPte);
2077 }
2078
2079 //
2080 // All the PTEs have been dereferenced and made invalid, flush the TLB now
2081 // and then release the PFN lock
2082 //
2083 KeFlushCurrentTb();
2084 KeReleaseQueuedSpinLock(LockQueuePfnLock, OldIrql);
2085 }
2086
2087 ULONG
2088 NTAPI
2089 MiDecommitPages(IN PVOID StartingAddress,
2090 IN PMMPTE EndingPte,
2091 IN PEPROCESS Process,
2092 IN PMMVAD Vad)
2093 {
2094 PMMPTE PointerPde, PointerPte, CommitPte = NULL;
2095 ULONG CommitReduction = 0;
2096 PMMPTE ValidPteList[256];
2097 ULONG PteCount = 0;
2098 PMMPFN Pfn1;
2099 MMPTE PteContents;
2100 PUSHORT UsedPageTableEntries;
2101 PETHREAD CurrentThread = PsGetCurrentThread();
2102
2103 //
2104 // Get the PTE and PTE for the address, and lock the working set
2105 // If this was a VAD for a MEM_COMMIT allocation, also figure out where the
2106 // commited range ends so that we can do the right accounting.
2107 //
2108 PointerPde = MiAddressToPde(StartingAddress);
2109 PointerPte = MiAddressToPte(StartingAddress);
2110 if (Vad->u.VadFlags.MemCommit) CommitPte = MiAddressToPte(Vad->EndingVpn << PAGE_SHIFT);
2111 MiLockWorkingSet(CurrentThread, &Process->Vm);
2112
2113 //
2114 // Make the PDE valid, and now loop through each page's worth of data
2115 //
2116 MiMakePdeExistAndMakeValid(PointerPde, Process, MM_NOIRQL);
2117 while (PointerPte <= EndingPte)
2118 {
2119 //
2120 // Check if we've crossed a PDE boundary
2121 //
2122 if ((((ULONG_PTR)PointerPte) & (SYSTEM_PD_SIZE - 1)) == 0)
2123 {
2124 //
2125 // Get the new PDE and flush the valid PTEs we had built up until
2126 // now. This helps reduce the amount of TLB flushing we have to do.
2127 // Note that Windows does a much better job using timestamps and
2128 // such, and does not flush the entire TLB all the time, but right
2129 // now we have bigger problems to worry about than TLB flushing.
2130 //
2131 PointerPde = MiAddressToPde(StartingAddress);
2132 if (PteCount)
2133 {
2134 MiProcessValidPteList(ValidPteList, PteCount);
2135 PteCount = 0;
2136 }
2137
2138 //
2139 // Make this PDE valid
2140 //
2141 MiMakePdeExistAndMakeValid(PointerPde, Process, MM_NOIRQL);
2142 }
2143
2144 //
2145 // Read this PTE. It might be active or still demand-zero.
2146 //
2147 PteContents = *PointerPte;
2148 if (PteContents.u.Long)
2149 {
2150 //
2151 // The PTE is active. It might be valid and in a working set, or
2152 // it might be a prototype PTE or paged out or even in transition.
2153 //
2154 if (PointerPte->u.Long == MmDecommittedPte.u.Long)
2155 {
2156 //
2157 // It's already decommited, so there's nothing for us to do here
2158 //
2159 CommitReduction++;
2160 }
2161 else
2162 {
2163 //
2164 // Remove it from the counters, and check if it was valid or not
2165 //
2166 //Process->NumberOfPrivatePages--;
2167 if (PteContents.u.Hard.Valid)
2168 {
2169 //
2170 // It's valid. At this point make sure that it is not a ROS
2171 // PFN. Also, we don't support ProtoPTEs in this code path.
2172 //
2173 Pfn1 = MiGetPfnEntry(PteContents.u.Hard.PageFrameNumber);
2174 ASSERT(MI_IS_ROS_PFN(Pfn1) == FALSE);
2175 ASSERT(Pfn1->u3.e1.PrototypePte == FALSE);
2176
2177 //
2178 // Flush any pending PTEs that we had not yet flushed, if our
2179 // list has gotten too big, then add this PTE to the flush list.
2180 //
2181 if (PteCount == 256)
2182 {
2183 MiProcessValidPteList(ValidPteList, PteCount);
2184 PteCount = 0;
2185 }
2186 ValidPteList[PteCount++] = PointerPte;
2187 }
2188 else
2189 {
2190 //
2191 // We do not support any of these other scenarios at the moment
2192 //
2193 ASSERT(PteContents.u.Soft.Prototype == 0);
2194 ASSERT(PteContents.u.Soft.Transition == 0);
2195 ASSERT(PteContents.u.Soft.PageFileHigh == 0);
2196
2197 //
2198 // So the only other possibility is that it is still a demand
2199 // zero PTE, in which case we undo the accounting we did
2200 // earlier and simply make the page decommitted.
2201 //
2202 //Process->NumberOfPrivatePages++;
2203 MI_WRITE_INVALID_PTE(PointerPte, MmDecommittedPte);
2204 }
2205 }
2206 }
2207 else
2208 {
2209 //
2210 // This used to be a zero PTE and it no longer is, so we must add a
2211 // reference to the pagetable.
2212 //
2213 UsedPageTableEntries = &MmWorkingSetList->UsedPageTableEntries[MiGetPdeOffset(StartingAddress)];
2214 (*UsedPageTableEntries)++;
2215 ASSERT((*UsedPageTableEntries) <= PTE_COUNT);
2216
2217 //
2218 // Next, we account for decommitted PTEs and make the PTE as such
2219 //
2220 if (PointerPte > CommitPte) CommitReduction++;
2221 MI_WRITE_INVALID_PTE(PointerPte, MmDecommittedPte);
2222 }
2223
2224 //
2225 // Move to the next PTE and the next address
2226 //
2227 PointerPte++;
2228 StartingAddress = (PVOID)((ULONG_PTR)StartingAddress + PAGE_SIZE);
2229 }
2230
2231 //
2232 // Flush any dangling PTEs from the loop in the last page table, and then
2233 // release the working set and return the commit reduction accounting.
2234 //
2235 if (PteCount) MiProcessValidPteList(ValidPteList, PteCount);
2236 MiUnlockWorkingSet(CurrentThread, &Process->Vm);
2237 return CommitReduction;
2238 }
2239
2240 /* PUBLIC FUNCTIONS ***********************************************************/
2241
2242 /*
2243 * @unimplemented
2244 */
2245 PVOID
2246 NTAPI
2247 MmGetVirtualForPhysical(IN PHYSICAL_ADDRESS PhysicalAddress)
2248 {
2249 UNIMPLEMENTED;
2250 return 0;
2251 }
2252
2253 /*
2254 * @unimplemented
2255 */
2256 PVOID
2257 NTAPI
2258 MmSecureVirtualMemory(IN PVOID Address,
2259 IN SIZE_T Length,
2260 IN ULONG Mode)
2261 {
2262 static BOOLEAN Warn; if (!Warn++) UNIMPLEMENTED;
2263 return Address;
2264 }
2265
2266 /*
2267 * @unimplemented
2268 */
2269 VOID
2270 NTAPI
2271 MmUnsecureVirtualMemory(IN PVOID SecureMem)
2272 {
2273 static BOOLEAN Warn; if (!Warn++) UNIMPLEMENTED;
2274 }
2275
2276 /* SYSTEM CALLS ***************************************************************/
2277
2278 NTSTATUS
2279 NTAPI
2280 NtReadVirtualMemory(IN HANDLE ProcessHandle,
2281 IN PVOID BaseAddress,
2282 OUT PVOID Buffer,
2283 IN SIZE_T NumberOfBytesToRead,
2284 OUT PSIZE_T NumberOfBytesRead OPTIONAL)
2285 {
2286 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
2287 PEPROCESS Process;
2288 NTSTATUS Status = STATUS_SUCCESS;
2289 SIZE_T BytesRead = 0;
2290 PAGED_CODE();
2291
2292 //
2293 // Check if we came from user mode
2294 //
2295 if (PreviousMode != KernelMode)
2296 {
2297 //
2298 // Validate the read addresses
2299 //
2300 if ((((ULONG_PTR)BaseAddress + NumberOfBytesToRead) < (ULONG_PTR)BaseAddress) ||
2301 (((ULONG_PTR)Buffer + NumberOfBytesToRead) < (ULONG_PTR)Buffer) ||
2302 (((ULONG_PTR)BaseAddress + NumberOfBytesToRead) > MmUserProbeAddress) ||
2303 (((ULONG_PTR)Buffer + NumberOfBytesToRead) > MmUserProbeAddress))
2304 {
2305 //
2306 // Don't allow to write into kernel space
2307 //
2308 return STATUS_ACCESS_VIOLATION;
2309 }
2310
2311 //
2312 // Enter SEH for probe
2313 //
2314 _SEH2_TRY
2315 {
2316 //
2317 // Probe the output value
2318 //
2319 if (NumberOfBytesRead) ProbeForWriteSize_t(NumberOfBytesRead);
2320 }
2321 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
2322 {
2323 //
2324 // Get exception code
2325 //
2326 _SEH2_YIELD(return _SEH2_GetExceptionCode());
2327 }
2328 _SEH2_END;
2329 }
2330
2331 //
2332 // Don't do zero-byte transfers
2333 //
2334 if (NumberOfBytesToRead)
2335 {
2336 //
2337 // Reference the process
2338 //
2339 Status = ObReferenceObjectByHandle(ProcessHandle,
2340 PROCESS_VM_READ,
2341 PsProcessType,
2342 PreviousMode,
2343 (PVOID*)(&Process),
2344 NULL);
2345 if (NT_SUCCESS(Status))
2346 {
2347 //
2348 // Do the copy
2349 //
2350 Status = MmCopyVirtualMemory(Process,
2351 BaseAddress,
2352 PsGetCurrentProcess(),
2353 Buffer,
2354 NumberOfBytesToRead,
2355 PreviousMode,
2356 &BytesRead);
2357
2358 //
2359 // Dereference the process
2360 //
2361 ObDereferenceObject(Process);
2362 }
2363 }
2364
2365 //
2366 // Check if the caller sent this parameter
2367 //
2368 if (NumberOfBytesRead)
2369 {
2370 //
2371 // Enter SEH to guard write
2372 //
2373 _SEH2_TRY
2374 {
2375 //
2376 // Return the number of bytes read
2377 //
2378 *NumberOfBytesRead = BytesRead;
2379 }
2380 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
2381 {
2382 }
2383 _SEH2_END;
2384 }
2385
2386 //
2387 // Return status
2388 //
2389 return Status;
2390 }
2391
2392 NTSTATUS
2393 NTAPI
2394 NtWriteVirtualMemory(IN HANDLE ProcessHandle,
2395 IN PVOID BaseAddress,
2396 IN PVOID Buffer,
2397 IN SIZE_T NumberOfBytesToWrite,
2398 OUT PSIZE_T NumberOfBytesWritten OPTIONAL)
2399 {
2400 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
2401 PEPROCESS Process;
2402 NTSTATUS Status = STATUS_SUCCESS;
2403 SIZE_T BytesWritten = 0;
2404 PAGED_CODE();
2405
2406 //
2407 // Check if we came from user mode
2408 //
2409 if (PreviousMode != KernelMode)
2410 {
2411 //
2412 // Validate the read addresses
2413 //
2414 if ((((ULONG_PTR)BaseAddress + NumberOfBytesToWrite) < (ULONG_PTR)BaseAddress) ||
2415 (((ULONG_PTR)Buffer + NumberOfBytesToWrite) < (ULONG_PTR)Buffer) ||
2416 (((ULONG_PTR)BaseAddress + NumberOfBytesToWrite) > MmUserProbeAddress) ||
2417 (((ULONG_PTR)Buffer + NumberOfBytesToWrite) > MmUserProbeAddress))
2418 {
2419 //
2420 // Don't allow to write into kernel space
2421 //
2422 return STATUS_ACCESS_VIOLATION;
2423 }
2424
2425 //
2426 // Enter SEH for probe
2427 //
2428 _SEH2_TRY
2429 {
2430 //
2431 // Probe the output value
2432 //
2433 if (NumberOfBytesWritten) ProbeForWriteSize_t(NumberOfBytesWritten);
2434 }
2435 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
2436 {
2437 //
2438 // Get exception code
2439 //
2440 _SEH2_YIELD(return _SEH2_GetExceptionCode());
2441 }
2442 _SEH2_END;
2443 }
2444
2445 //
2446 // Don't do zero-byte transfers
2447 //
2448 if (NumberOfBytesToWrite)
2449 {
2450 //
2451 // Reference the process
2452 //
2453 Status = ObReferenceObjectByHandle(ProcessHandle,
2454 PROCESS_VM_WRITE,
2455 PsProcessType,
2456 PreviousMode,
2457 (PVOID*)&Process,
2458 NULL);
2459 if (NT_SUCCESS(Status))
2460 {
2461 //
2462 // Do the copy
2463 //
2464 Status = MmCopyVirtualMemory(PsGetCurrentProcess(),
2465 Buffer,
2466 Process,
2467 BaseAddress,
2468 NumberOfBytesToWrite,
2469 PreviousMode,
2470 &BytesWritten);
2471
2472 //
2473 // Dereference the process
2474 //
2475 ObDereferenceObject(Process);
2476 }
2477 }
2478
2479 //
2480 // Check if the caller sent this parameter
2481 //
2482 if (NumberOfBytesWritten)
2483 {
2484 //
2485 // Enter SEH to guard write
2486 //
2487 _SEH2_TRY
2488 {
2489 //
2490 // Return the number of bytes written
2491 //
2492 *NumberOfBytesWritten = BytesWritten;
2493 }
2494 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
2495 {
2496 }
2497 _SEH2_END;
2498 }
2499
2500 //
2501 // Return status
2502 //
2503 return Status;
2504 }
2505
2506 NTSTATUS
2507 NTAPI
2508 NtProtectVirtualMemory(IN HANDLE ProcessHandle,
2509 IN OUT PVOID *UnsafeBaseAddress,
2510 IN OUT SIZE_T *UnsafeNumberOfBytesToProtect,
2511 IN ULONG NewAccessProtection,
2512 OUT PULONG UnsafeOldAccessProtection)
2513 {
2514 PEPROCESS Process;
2515 ULONG OldAccessProtection;
2516 ULONG Protection;
2517 PEPROCESS CurrentProcess = PsGetCurrentProcess();
2518 PVOID BaseAddress = NULL;
2519 SIZE_T NumberOfBytesToProtect = 0;
2520 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
2521 NTSTATUS Status;
2522 BOOLEAN Attached = FALSE;
2523 KAPC_STATE ApcState;
2524 PAGED_CODE();
2525
2526 //
2527 // Check for valid protection flags
2528 //
2529 Protection = NewAccessProtection & ~(PAGE_GUARD|PAGE_NOCACHE);
2530 if (Protection != PAGE_NOACCESS &&
2531 Protection != PAGE_READONLY &&
2532 Protection != PAGE_READWRITE &&
2533 Protection != PAGE_WRITECOPY &&
2534 Protection != PAGE_EXECUTE &&
2535 Protection != PAGE_EXECUTE_READ &&
2536 Protection != PAGE_EXECUTE_READWRITE &&
2537 Protection != PAGE_EXECUTE_WRITECOPY)
2538 {
2539 //
2540 // Fail
2541 //
2542 return STATUS_INVALID_PAGE_PROTECTION;
2543 }
2544
2545 //
2546 // Check if we came from user mode
2547 //
2548 if (PreviousMode != KernelMode)
2549 {
2550 //
2551 // Enter SEH for probing
2552 //
2553 _SEH2_TRY
2554 {
2555 //
2556 // Validate all outputs
2557 //
2558 ProbeForWritePointer(UnsafeBaseAddress);
2559 ProbeForWriteSize_t(UnsafeNumberOfBytesToProtect);
2560 ProbeForWriteUlong(UnsafeOldAccessProtection);
2561
2562 //
2563 // Capture them
2564 //
2565 BaseAddress = *UnsafeBaseAddress;
2566 NumberOfBytesToProtect = *UnsafeNumberOfBytesToProtect;
2567 }
2568 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
2569 {
2570 //
2571 // Get exception code
2572 //
2573 _SEH2_YIELD(return _SEH2_GetExceptionCode());
2574 }
2575 _SEH2_END;
2576 }
2577 else
2578 {
2579 //
2580 // Capture directly
2581 //
2582 BaseAddress = *UnsafeBaseAddress;
2583 NumberOfBytesToProtect = *UnsafeNumberOfBytesToProtect;
2584 }
2585
2586 //
2587 // Catch illegal base address
2588 //
2589 if (BaseAddress > MM_HIGHEST_USER_ADDRESS) return STATUS_INVALID_PARAMETER_2;
2590
2591 //
2592 // Catch illegal region size
2593 //
2594 if ((MmUserProbeAddress - (ULONG_PTR)BaseAddress) < NumberOfBytesToProtect)
2595 {
2596 //
2597 // Fail
2598 //
2599 return STATUS_INVALID_PARAMETER_3;
2600 }
2601
2602 //
2603 // 0 is also illegal
2604 //
2605 if (!NumberOfBytesToProtect) return STATUS_INVALID_PARAMETER_3;
2606
2607 //
2608 // Get a reference to the process
2609 //
2610 Status = ObReferenceObjectByHandle(ProcessHandle,
2611 PROCESS_VM_OPERATION,
2612 PsProcessType,
2613 PreviousMode,
2614 (PVOID*)(&Process),
2615 NULL);
2616 if (!NT_SUCCESS(Status)) return Status;
2617
2618 //
2619 // Check if we should attach
2620 //
2621 if (CurrentProcess != Process)
2622 {
2623 //
2624 // Do it
2625 //
2626 KeStackAttachProcess(&Process->Pcb, &ApcState);
2627 Attached = TRUE;
2628 }
2629
2630 //
2631 // Do the actual work
2632 //
2633 Status = MiProtectVirtualMemory(Process,
2634 &BaseAddress,
2635 &NumberOfBytesToProtect,
2636 NewAccessProtection,
2637 &OldAccessProtection);
2638
2639 //
2640 // Detach if needed
2641 //
2642 if (Attached) KeUnstackDetachProcess(&ApcState);
2643
2644 //
2645 // Release reference
2646 //
2647 ObDereferenceObject(Process);
2648
2649 //
2650 // Enter SEH to return data
2651 //
2652 _SEH2_TRY
2653 {
2654 //
2655 // Return data to user
2656 //
2657 *UnsafeOldAccessProtection = OldAccessProtection;
2658 *UnsafeBaseAddress = BaseAddress;
2659 *UnsafeNumberOfBytesToProtect = NumberOfBytesToProtect;
2660 }
2661 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
2662 {
2663 }
2664 _SEH2_END;
2665
2666 //
2667 // Return status
2668 //
2669 return Status;
2670 }
2671
2672 NTSTATUS
2673 NTAPI
2674 NtLockVirtualMemory(IN HANDLE ProcessHandle,
2675 IN OUT PVOID *BaseAddress,
2676 IN OUT PSIZE_T NumberOfBytesToLock,
2677 IN ULONG MapType)
2678 {
2679 PEPROCESS Process;
2680 PEPROCESS CurrentProcess = PsGetCurrentProcess();
2681 NTSTATUS Status;
2682 BOOLEAN Attached = FALSE;
2683 KAPC_STATE ApcState;
2684 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
2685 PVOID CapturedBaseAddress;
2686 SIZE_T CapturedBytesToLock;
2687 PAGED_CODE();
2688
2689 //
2690 // Validate flags
2691 //
2692 if ((MapType & ~(MAP_PROCESS | MAP_SYSTEM)))
2693 {
2694 //
2695 // Invalid set of flags
2696 //
2697 return STATUS_INVALID_PARAMETER;
2698 }
2699
2700 //
2701 // At least one flag must be specified
2702 //
2703 if (!(MapType & (MAP_PROCESS | MAP_SYSTEM)))
2704 {
2705 //
2706 // No flag given
2707 //
2708 return STATUS_INVALID_PARAMETER;
2709 }
2710
2711 //
2712 // Enter SEH for probing
2713 //
2714 _SEH2_TRY
2715 {
2716 //
2717 // Validate output data
2718 //
2719 ProbeForWritePointer(BaseAddress);
2720 ProbeForWriteSize_t(NumberOfBytesToLock);
2721
2722 //
2723 // Capture it
2724 //
2725 CapturedBaseAddress = *BaseAddress;
2726 CapturedBytesToLock = *NumberOfBytesToLock;
2727 }
2728 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
2729 {
2730 //
2731 // Get exception code
2732 //
2733 _SEH2_YIELD(return _SEH2_GetExceptionCode());
2734 }
2735 _SEH2_END;
2736
2737 //
2738 // Catch illegal base address
2739 //
2740 if (CapturedBaseAddress > MM_HIGHEST_USER_ADDRESS) return STATUS_INVALID_PARAMETER;
2741
2742 //
2743 // Catch illegal region size
2744 //
2745 if ((MmUserProbeAddress - (ULONG_PTR)CapturedBaseAddress) < CapturedBytesToLock)
2746 {
2747 //
2748 // Fail
2749 //
2750 return STATUS_INVALID_PARAMETER;
2751 }
2752
2753 //
2754 // 0 is also illegal
2755 //
2756 if (!CapturedBytesToLock) return STATUS_INVALID_PARAMETER;
2757
2758 //
2759 // Get a reference to the process
2760 //
2761 Status = ObReferenceObjectByHandle(ProcessHandle,
2762 PROCESS_VM_OPERATION,
2763 PsProcessType,
2764 PreviousMode,
2765 (PVOID*)(&Process),
2766 NULL);
2767 if (!NT_SUCCESS(Status)) return Status;
2768
2769 //
2770 // Check if this is is system-mapped
2771 //
2772 if (MapType & MAP_SYSTEM)
2773 {
2774 //
2775 // Check for required privilege
2776 //
2777 if (!SeSinglePrivilegeCheck(SeLockMemoryPrivilege, PreviousMode))
2778 {
2779 //
2780 // Fail: Don't have it
2781 //
2782 ObDereferenceObject(Process);
2783 return STATUS_PRIVILEGE_NOT_HELD;
2784 }
2785 }
2786
2787 //
2788 // Check if we should attach
2789 //
2790 if (CurrentProcess != Process)
2791 {
2792 //
2793 // Do it
2794 //
2795 KeStackAttachProcess(&Process->Pcb, &ApcState);
2796 Attached = TRUE;
2797 }
2798
2799 //
2800 // Oops :(
2801 //
2802 UNIMPLEMENTED;
2803
2804 //
2805 // Detach if needed
2806 //
2807 if (Attached) KeUnstackDetachProcess(&ApcState);
2808
2809 //
2810 // Release reference
2811 //
2812 ObDereferenceObject(Process);
2813
2814 //
2815 // Enter SEH to return data
2816 //
2817 _SEH2_TRY
2818 {
2819 //
2820 // Return data to user
2821 //
2822 *BaseAddress = CapturedBaseAddress;
2823 *NumberOfBytesToLock = 0;
2824 }
2825 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
2826 {
2827 //
2828 // Get exception code
2829 //
2830 _SEH2_YIELD(return _SEH2_GetExceptionCode());
2831 }
2832 _SEH2_END;
2833
2834 //
2835 // Return status
2836 //
2837 return STATUS_SUCCESS;
2838 }
2839
2840 NTSTATUS
2841 NTAPI
2842 NtUnlockVirtualMemory(IN HANDLE ProcessHandle,
2843 IN OUT PVOID *BaseAddress,
2844 IN OUT PSIZE_T NumberOfBytesToUnlock,
2845 IN ULONG MapType)
2846 {
2847 PEPROCESS Process;
2848 PEPROCESS CurrentProcess = PsGetCurrentProcess();
2849 NTSTATUS Status;
2850 BOOLEAN Attached = FALSE;
2851 KAPC_STATE ApcState;
2852 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
2853 PVOID CapturedBaseAddress;
2854 SIZE_T CapturedBytesToUnlock;
2855 PAGED_CODE();
2856
2857 //
2858 // Validate flags
2859 //
2860 if ((MapType & ~(MAP_PROCESS | MAP_SYSTEM)))
2861 {
2862 //
2863 // Invalid set of flags
2864 //
2865 return STATUS_INVALID_PARAMETER;
2866 }
2867
2868 //
2869 // At least one flag must be specified
2870 //
2871 if (!(MapType & (MAP_PROCESS | MAP_SYSTEM)))
2872 {
2873 //
2874 // No flag given
2875 //
2876 return STATUS_INVALID_PARAMETER;
2877 }
2878
2879 //
2880 // Enter SEH for probing
2881 //
2882 _SEH2_TRY
2883 {
2884 //
2885 // Validate output data
2886 //
2887 ProbeForWritePointer(BaseAddress);
2888 ProbeForWriteSize_t(NumberOfBytesToUnlock);
2889
2890 //
2891 // Capture it
2892 //
2893 CapturedBaseAddress = *BaseAddress;
2894 CapturedBytesToUnlock = *NumberOfBytesToUnlock;
2895 }
2896 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
2897 {
2898 //
2899 // Get exception code
2900 //
2901 _SEH2_YIELD(return _SEH2_GetExceptionCode());
2902 }
2903 _SEH2_END;
2904
2905 //
2906 // Catch illegal base address
2907 //
2908 if (CapturedBaseAddress > MM_HIGHEST_USER_ADDRESS) return STATUS_INVALID_PARAMETER;
2909
2910 //
2911 // Catch illegal region size
2912 //
2913 if ((MmUserProbeAddress - (ULONG_PTR)CapturedBaseAddress) < CapturedBytesToUnlock)
2914 {
2915 //
2916 // Fail
2917 //
2918 return STATUS_INVALID_PARAMETER;
2919 }
2920
2921 //
2922 // 0 is also illegal
2923 //
2924 if (!CapturedBytesToUnlock) return STATUS_INVALID_PARAMETER;
2925
2926 //
2927 // Get a reference to the process
2928 //
2929 Status = ObReferenceObjectByHandle(ProcessHandle,
2930 PROCESS_VM_OPERATION,
2931 PsProcessType,
2932 PreviousMode,
2933 (PVOID*)(&Process),
2934 NULL);
2935 if (!NT_SUCCESS(Status)) return Status;
2936
2937 //
2938 // Check if this is is system-mapped
2939 //
2940 if (MapType & MAP_SYSTEM)
2941 {
2942 //
2943 // Check for required privilege
2944 //
2945 if (!SeSinglePrivilegeCheck(SeLockMemoryPrivilege, PreviousMode))
2946 {
2947 //
2948 // Fail: Don't have it
2949 //
2950 ObDereferenceObject(Process);
2951 return STATUS_PRIVILEGE_NOT_HELD;
2952 }
2953 }
2954
2955 //
2956 // Check if we should attach
2957 //
2958 if (CurrentProcess != Process)
2959 {
2960 //
2961 // Do it
2962 //
2963 KeStackAttachProcess(&Process->Pcb, &ApcState);
2964 Attached = TRUE;
2965 }
2966
2967 //
2968 // Oops :(
2969 //
2970 UNIMPLEMENTED;
2971
2972 //
2973 // Detach if needed
2974 //
2975 if (Attached) KeUnstackDetachProcess(&ApcState);
2976
2977 //
2978 // Release reference
2979 //
2980 ObDereferenceObject(Process);
2981
2982 //
2983 // Enter SEH to return data
2984 //
2985 _SEH2_TRY
2986 {
2987 //
2988 // Return data to user
2989 //
2990 *BaseAddress = PAGE_ALIGN(CapturedBaseAddress);
2991 *NumberOfBytesToUnlock = 0;
2992 }
2993 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
2994 {
2995 //
2996 // Get exception code
2997 //
2998 _SEH2_YIELD(return _SEH2_GetExceptionCode());
2999 }
3000 _SEH2_END;
3001
3002 //
3003 // Return status
3004 //
3005 return STATUS_SUCCESS;
3006 }
3007
3008 NTSTATUS
3009 NTAPI
3010 NtFlushVirtualMemory(IN HANDLE ProcessHandle,
3011 IN OUT PVOID *BaseAddress,
3012 IN OUT PSIZE_T NumberOfBytesToFlush,
3013 OUT PIO_STATUS_BLOCK IoStatusBlock)
3014 {
3015 PEPROCESS Process;
3016 NTSTATUS Status;
3017 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
3018 PVOID CapturedBaseAddress;
3019 SIZE_T CapturedBytesToFlush;
3020 IO_STATUS_BLOCK LocalStatusBlock;
3021 PAGED_CODE();
3022
3023 //
3024 // Check if we came from user mode
3025 //
3026 if (PreviousMode != KernelMode)
3027 {
3028 //
3029 // Enter SEH for probing
3030 //
3031 _SEH2_TRY
3032 {
3033 //
3034 // Validate all outputs
3035 //
3036 ProbeForWritePointer(BaseAddress);
3037 ProbeForWriteSize_t(NumberOfBytesToFlush);
3038 ProbeForWriteIoStatusBlock(IoStatusBlock);
3039
3040 //
3041 // Capture them
3042 //
3043 CapturedBaseAddress = *BaseAddress;
3044 CapturedBytesToFlush = *NumberOfBytesToFlush;
3045 }
3046 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
3047 {
3048 //
3049 // Get exception code
3050 //
3051 _SEH2_YIELD(return _SEH2_GetExceptionCode());
3052 }
3053 _SEH2_END;
3054 }
3055 else
3056 {
3057 //
3058 // Capture directly
3059 //
3060 CapturedBaseAddress = *BaseAddress;
3061 CapturedBytesToFlush = *NumberOfBytesToFlush;
3062 }
3063
3064 //
3065 // Catch illegal base address
3066 //
3067 if (CapturedBaseAddress > MM_HIGHEST_USER_ADDRESS) return STATUS_INVALID_PARAMETER;
3068
3069 //
3070 // Catch illegal region size
3071 //
3072 if ((MmUserProbeAddress - (ULONG_PTR)CapturedBaseAddress) < CapturedBytesToFlush)
3073 {
3074 //
3075 // Fail
3076 //
3077 return STATUS_INVALID_PARAMETER;
3078 }
3079
3080 //
3081 // Get a reference to the process
3082 //
3083 Status = ObReferenceObjectByHandle(ProcessHandle,
3084 PROCESS_VM_OPERATION,
3085 PsProcessType,
3086 PreviousMode,
3087 (PVOID*)(&Process),
3088 NULL);
3089 if (!NT_SUCCESS(Status)) return Status;
3090
3091 //
3092 // Do it
3093 //
3094 Status = MmFlushVirtualMemory(Process,
3095 &CapturedBaseAddress,
3096 &CapturedBytesToFlush,
3097 &LocalStatusBlock);
3098
3099 //
3100 // Release reference
3101 //
3102 ObDereferenceObject(Process);
3103
3104 //
3105 // Enter SEH to return data
3106 //
3107 _SEH2_TRY
3108 {
3109 //
3110 // Return data to user
3111 //
3112 *BaseAddress = PAGE_ALIGN(CapturedBaseAddress);
3113 *NumberOfBytesToFlush = 0;
3114 *IoStatusBlock = LocalStatusBlock;
3115 }
3116 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
3117 {
3118 }
3119 _SEH2_END;
3120
3121 //
3122 // Return status
3123 //
3124 return Status;
3125 }
3126
3127 /*
3128 * @unimplemented
3129 */
3130 NTSTATUS
3131 NTAPI
3132 NtGetWriteWatch(IN HANDLE ProcessHandle,
3133 IN ULONG Flags,
3134 IN PVOID BaseAddress,
3135 IN SIZE_T RegionSize,
3136 IN PVOID *UserAddressArray,
3137 OUT PULONG_PTR EntriesInUserAddressArray,
3138 OUT PULONG Granularity)
3139 {
3140 PEPROCESS Process;
3141 NTSTATUS Status;
3142 PVOID EndAddress;
3143 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
3144 ULONG_PTR CapturedEntryCount;
3145 PAGED_CODE();
3146
3147 //
3148 // Check if we came from user mode
3149 //
3150 if (PreviousMode != KernelMode)
3151 {
3152 //
3153 // Enter SEH for probing
3154 //
3155 _SEH2_TRY
3156 {
3157 //
3158 // Catch illegal base address
3159 //
3160 if (BaseAddress > MM_HIGHEST_USER_ADDRESS) return STATUS_INVALID_PARAMETER_2;
3161
3162 //
3163 // Catch illegal region size
3164 //
3165 if ((MmUserProbeAddress - (ULONG_PTR)BaseAddress) < RegionSize)
3166 {
3167 //
3168 // Fail
3169 //
3170 return STATUS_INVALID_PARAMETER_3;
3171 }
3172
3173 //
3174 // Validate all data
3175 //
3176 ProbeForWriteSize_t(EntriesInUserAddressArray);
3177 ProbeForWriteUlong(Granularity);
3178
3179 //
3180 // Capture them
3181 //
3182 CapturedEntryCount = *EntriesInUserAddressArray;
3183
3184 //
3185 // Must have a count
3186 //
3187 if (CapturedEntryCount == 0) return STATUS_INVALID_PARAMETER_5;
3188
3189 //
3190 // Can't be larger than the maximum
3191 //
3192 if (CapturedEntryCount > (MAXULONG_PTR / sizeof(ULONG_PTR)))
3193 {
3194 //
3195 // Fail
3196 //
3197 return STATUS_INVALID_PARAMETER_5;
3198 }
3199
3200 //
3201 // Probe the actual array
3202 //
3203 ProbeForWrite(UserAddressArray,
3204 CapturedEntryCount * sizeof(PVOID),
3205 sizeof(PVOID));
3206 }
3207 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
3208 {
3209 //
3210 // Get exception code
3211 //
3212 _SEH2_YIELD(return _SEH2_GetExceptionCode());
3213 }
3214 _SEH2_END;
3215 }
3216 else
3217 {
3218 //
3219 // Capture directly
3220 //
3221 CapturedEntryCount = *EntriesInUserAddressArray;
3222 ASSERT(CapturedEntryCount != 0);
3223 }
3224
3225 //
3226 // Check if this is a local request
3227 //
3228 if (ProcessHandle == NtCurrentProcess())
3229 {
3230 //
3231 // No need to reference the process
3232 //
3233 Process = PsGetCurrentProcess();
3234 }
3235 else
3236 {
3237 //
3238 // Reference the target
3239 //
3240 Status = ObReferenceObjectByHandle(ProcessHandle,
3241 PROCESS_VM_OPERATION,
3242 PsProcessType,
3243 PreviousMode,
3244 (PVOID *)&Process,
3245 NULL);
3246 if (!NT_SUCCESS(Status)) return Status;
3247 }
3248
3249 //
3250 // Compute the last address and validate it
3251 //
3252 EndAddress = (PVOID)((ULONG_PTR)BaseAddress + RegionSize - 1);
3253 if (BaseAddress > EndAddress)
3254 {
3255 //
3256 // Fail
3257 //
3258 if (ProcessHandle != NtCurrentProcess()) ObDereferenceObject(Process);
3259 return STATUS_INVALID_PARAMETER_4;
3260 }
3261
3262 //
3263 // Oops :(
3264 //
3265 UNIMPLEMENTED;
3266
3267 //
3268 // Dereference if needed
3269 //
3270 if (ProcessHandle != NtCurrentProcess()) ObDereferenceObject(Process);
3271
3272 //
3273 // Enter SEH to return data
3274 //
3275 _SEH2_TRY
3276 {
3277 //
3278 // Return data to user
3279 //
3280 *EntriesInUserAddressArray = 0;
3281 *Granularity = PAGE_SIZE;
3282 }
3283 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
3284 {
3285 //
3286 // Get exception code
3287 //
3288 Status = _SEH2_GetExceptionCode();
3289 }
3290 _SEH2_END;
3291
3292 //
3293 // Return success
3294 //
3295 return STATUS_SUCCESS;
3296 }
3297
3298 /*
3299 * @unimplemented
3300 */
3301 NTSTATUS
3302 NTAPI
3303 NtResetWriteWatch(IN HANDLE ProcessHandle,
3304 IN PVOID BaseAddress,
3305 IN SIZE_T RegionSize)
3306 {
3307 PVOID EndAddress;
3308 PEPROCESS Process;
3309 NTSTATUS Status;
3310 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
3311 ASSERT (KeGetCurrentIrql() == PASSIVE_LEVEL);
3312
3313 //
3314 // Catch illegal base address
3315 //
3316 if (BaseAddress > MM_HIGHEST_USER_ADDRESS) return STATUS_INVALID_PARAMETER_2;
3317
3318 //
3319 // Catch illegal region size
3320 //
3321 if ((MmUserProbeAddress - (ULONG_PTR)BaseAddress) < RegionSize)
3322 {
3323 //
3324 // Fail
3325 //
3326 return STATUS_INVALID_PARAMETER_3;
3327 }
3328
3329 //
3330 // Check if this is a local request
3331 //
3332 if (ProcessHandle == NtCurrentProcess())
3333 {
3334 //
3335 // No need to reference the process
3336 //
3337 Process = PsGetCurrentProcess();
3338 }
3339 else
3340 {
3341 //
3342 // Reference the target
3343 //
3344 Status = ObReferenceObjectByHandle(ProcessHandle,
3345 PROCESS_VM_OPERATION,
3346 PsProcessType,
3347 PreviousMode,
3348 (PVOID *)&Process,
3349 NULL);
3350 if (!NT_SUCCESS(Status)) return Status;
3351 }
3352
3353 //
3354 // Compute the last address and validate it
3355 //
3356 EndAddress = (PVOID)((ULONG_PTR)BaseAddress + RegionSize - 1);
3357 if (BaseAddress > EndAddress)
3358 {
3359 //
3360 // Fail
3361 //
3362 if (ProcessHandle != NtCurrentProcess()) ObDereferenceObject(Process);
3363 return STATUS_INVALID_PARAMETER_3;
3364 }
3365
3366 //
3367 // Oops :(
3368 //
3369 UNIMPLEMENTED;
3370
3371 //
3372 // Dereference if needed
3373 //
3374 if (ProcessHandle != NtCurrentProcess()) ObDereferenceObject(Process);
3375
3376 //
3377 // Return success
3378 //
3379 return STATUS_SUCCESS;
3380 }
3381
3382 NTSTATUS
3383 NTAPI
3384 NtQueryVirtualMemory(IN HANDLE ProcessHandle,
3385 IN PVOID BaseAddress,
3386 IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
3387 OUT PVOID MemoryInformation,
3388 IN SIZE_T MemoryInformationLength,
3389 OUT PSIZE_T ReturnLength)
3390 {
3391 NTSTATUS Status = STATUS_SUCCESS;
3392 KPROCESSOR_MODE PreviousMode;
3393
3394 DPRINT("Querying class %d about address: %p\n", MemoryInformationClass, BaseAddress);
3395
3396 /* Bail out if the address is invalid */
3397 if (BaseAddress > MM_HIGHEST_USER_ADDRESS) return STATUS_INVALID_PARAMETER;
3398
3399 /* Probe return buffer */
3400 PreviousMode = ExGetPreviousMode();
3401 if (PreviousMode != KernelMode)
3402 {
3403 _SEH2_TRY
3404 {
3405 ProbeForWrite(MemoryInformation,
3406 MemoryInformationLength,
3407 sizeof(ULONG_PTR));
3408
3409 if (ReturnLength) ProbeForWriteSize_t(ReturnLength);
3410 }
3411 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
3412 {
3413 Status = _SEH2_GetExceptionCode();
3414 }
3415 _SEH2_END;
3416
3417 if (!NT_SUCCESS(Status))
3418 {
3419 return Status;
3420 }
3421 }
3422
3423 switch(MemoryInformationClass)
3424 {
3425 case MemoryBasicInformation:
3426 /* Validate the size information of the class */
3427 if (MemoryInformationLength < sizeof(MEMORY_BASIC_INFORMATION))
3428 {
3429 /* The size is invalid */
3430 return STATUS_INFO_LENGTH_MISMATCH;
3431 }
3432 Status = MiQueryMemoryBasicInformation(ProcessHandle,
3433 BaseAddress,
3434 MemoryInformation,
3435 MemoryInformationLength,
3436 ReturnLength);
3437 break;
3438
3439 case MemorySectionName:
3440 /* Validate the size information of the class */
3441 if (MemoryInformationLength < sizeof(MEMORY_SECTION_NAME))
3442 {
3443 /* The size is invalid */
3444 return STATUS_INFO_LENGTH_MISMATCH;
3445 }
3446 Status = MiQueryMemorySectionName(ProcessHandle,
3447 BaseAddress,
3448 MemoryInformation,
3449 MemoryInformationLength,
3450 ReturnLength);
3451 break;
3452 case MemoryWorkingSetList:
3453 case MemoryBasicVlmInformation:
3454 default:
3455 DPRINT1("Unhandled memory information class %d\n", MemoryInformationClass);
3456 break;
3457 }
3458
3459 return Status;
3460 }
3461
3462 /*
3463 * @implemented
3464 */
3465 NTSTATUS
3466 NTAPI
3467 NtAllocateVirtualMemory(IN HANDLE ProcessHandle,
3468 IN OUT PVOID* UBaseAddress,
3469 IN ULONG_PTR ZeroBits,
3470 IN OUT PSIZE_T URegionSize,
3471 IN ULONG AllocationType,
3472 IN ULONG Protect)
3473 {
3474 PEPROCESS Process;
3475 PMEMORY_AREA MemoryArea;
3476 PFN_NUMBER PageCount;
3477 PMMVAD Vad, FoundVad;
3478 PUSHORT UsedPageTableEntries;
3479 NTSTATUS Status;
3480 PMMSUPPORT AddressSpace;
3481 PVOID PBaseAddress;
3482 ULONG_PTR PRegionSize, StartingAddress, EndingAddress;
3483 PEPROCESS CurrentProcess = PsGetCurrentProcess();
3484 KPROCESSOR_MODE PreviousMode = KeGetPreviousMode();
3485 PETHREAD CurrentThread = PsGetCurrentThread();
3486 KAPC_STATE ApcState;
3487 ULONG ProtectionMask, QuotaCharge = 0, QuotaFree = 0;
3488 BOOLEAN Attached = FALSE, ChangeProtection = FALSE;
3489 MMPTE TempPte;
3490 PMMPTE PointerPte, PointerPde, LastPte;
3491 PAGED_CODE();
3492
3493 /* Check for valid Zero bits */
3494 if (ZeroBits > 21)
3495 {
3496 DPRINT1("Too many zero bits\n");
3497 return STATUS_INVALID_PARAMETER_3;
3498 }
3499
3500 /* Check for valid Allocation Types */
3501 if ((AllocationType & ~(MEM_COMMIT | MEM_RESERVE | MEM_RESET | MEM_PHYSICAL |
3502 MEM_TOP_DOWN | MEM_WRITE_WATCH)))
3503 {
3504 DPRINT1("Invalid Allocation Type\n");
3505 return STATUS_INVALID_PARAMETER_5;
3506 }
3507
3508 /* Check for at least one of these Allocation Types to be set */
3509 if (!(AllocationType & (MEM_COMMIT | MEM_RESERVE | MEM_RESET)))
3510 {
3511 DPRINT1("No memory allocation base type\n");
3512 return STATUS_INVALID_PARAMETER_5;
3513 }
3514
3515 /* MEM_RESET is an exclusive flag, make sure that is valid too */
3516 if ((AllocationType & MEM_RESET) && (AllocationType != MEM_RESET))
3517 {
3518 DPRINT1("Invalid use of MEM_RESET\n");
3519 return STATUS_INVALID_PARAMETER_5;
3520 }
3521
3522 /* Check if large pages are being used */
3523 if (AllocationType & MEM_LARGE_PAGES)
3524 {
3525 /* Large page allocations MUST be committed */
3526 if (!(AllocationType & MEM_COMMIT))
3527 {
3528 DPRINT1("Must supply MEM_COMMIT with MEM_LARGE_PAGES\n");
3529 return STATUS_INVALID_PARAMETER_5;
3530 }
3531
3532 /* These flags are not allowed with large page allocations */
3533 if (AllocationType & (MEM_PHYSICAL | MEM_RESET | MEM_WRITE_WATCH))
3534 {
3535 DPRINT1("Using illegal flags with MEM_LARGE_PAGES\n");
3536 return STATUS_INVALID_PARAMETER_5;
3537 }
3538 }
3539
3540 /* MEM_WRITE_WATCH can only be used if MEM_RESERVE is also used */
3541 if ((AllocationType & MEM_WRITE_WATCH) && !(AllocationType & MEM_RESERVE))
3542 {
3543 DPRINT1("MEM_WRITE_WATCH used without MEM_RESERVE\n");
3544 return STATUS_INVALID_PARAMETER_5;
3545 }
3546
3547 /* MEM_PHYSICAL can only be used if MEM_RESERVE is also used */
3548 if ((AllocationType & MEM_PHYSICAL) && !(AllocationType & MEM_RESERVE))
3549 {
3550 DPRINT1("MEM_WRITE_WATCH used without MEM_RESERVE\n");
3551 return STATUS_INVALID_PARAMETER_5;
3552 }
3553
3554 /* Check for valid MEM_PHYSICAL usage */
3555 if (AllocationType & MEM_PHYSICAL)
3556 {
3557 /* Only these flags are allowed with MEM_PHYSIAL */
3558 if (AllocationType & ~(MEM_RESERVE | MEM_TOP_DOWN | MEM_PHYSICAL))
3559 {
3560 DPRINT1("Using illegal flags with MEM_PHYSICAL\n");
3561 return STATUS_INVALID_PARAMETER_5;
3562 }
3563
3564 /* Then make sure PAGE_READWRITE is used */
3565 if (Protect != PAGE_READWRITE)
3566 {
3567 DPRINT1("MEM_PHYSICAL used without PAGE_READWRITE\n");
3568 return STATUS_INVALID_PARAMETER_6;
3569 }
3570 }
3571
3572 //
3573 // Force PAGE_READWRITE for everything, for now
3574 //
3575 Protect = PAGE_READWRITE;
3576
3577 /* Calculate the protection mask and make sure it's valid */
3578 ProtectionMask = MiMakeProtectionMask(Protect);
3579 if (ProtectionMask == MM_INVALID_PROTECTION)
3580 {
3581 DPRINT1("Invalid protection mask\n");
3582 return STATUS_INVALID_PAGE_PROTECTION;
3583 }
3584
3585 /* Enter SEH */
3586 _SEH2_TRY
3587 {
3588 /* Check for user-mode parameters */
3589 if (PreviousMode != KernelMode)
3590 {
3591 /* Make sure they are writable */
3592 ProbeForWritePointer(UBaseAddress);
3593 ProbeForWriteUlong(URegionSize);
3594 }
3595
3596 /* Capture their values */
3597 PBaseAddress = *UBaseAddress;
3598 PRegionSize = *URegionSize;
3599 }
3600 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
3601 {
3602 /* Return the exception code */
3603 _SEH2_YIELD(return _SEH2_GetExceptionCode());
3604 }
3605 _SEH2_END;
3606
3607 /* Make sure the allocation isn't past the VAD area */
3608 if (PBaseAddress >= MM_HIGHEST_VAD_ADDRESS)
3609 {
3610 DPRINT1("Virtual allocation base above User Space\n");
3611 return STATUS_INVALID_PARAMETER_2;
3612 }
3613
3614 /* Make sure the allocation wouldn't overflow past the VAD area */
3615 if ((((ULONG_PTR)MM_HIGHEST_VAD_ADDRESS + 1) - (ULONG_PTR)PBaseAddress) < PRegionSize)
3616 {
3617 DPRINT1("Region size would overflow into kernel-memory\n");
3618 return STATUS_INVALID_PARAMETER_4;
3619 }
3620
3621 /* Make sure there's a size specified */
3622 if (!PRegionSize)
3623 {
3624 DPRINT1("Region size is invalid (zero)\n");
3625 return STATUS_INVALID_PARAMETER_4;
3626 }
3627
3628 //
3629 // If this is for the current process, just use PsGetCurrentProcess
3630 //
3631 if (ProcessHandle == NtCurrentProcess())
3632 {
3633 Process = CurrentProcess;
3634 }
3635 else
3636 {
3637 //
3638 // Otherwise, reference the process with VM rights and attach to it if
3639 // this isn't the current process. We must attach because we'll be touching
3640 // PTEs and PDEs that belong to user-mode memory, and also touching the
3641 // Working Set which is stored in Hyperspace.
3642 //
3643 Status = ObReferenceObjectByHandle(ProcessHandle,
3644 PROCESS_VM_OPERATION,
3645 PsProcessType,
3646 PreviousMode,
3647 (PVOID*)&Process,
3648 NULL);
3649 if (!NT_SUCCESS(Status)) return Status;
3650 if (CurrentProcess != Process)
3651 {
3652 KeStackAttachProcess(&Process->Pcb, &ApcState);
3653 Attached = TRUE;
3654 }
3655 }
3656
3657 //
3658 // Check for large page allocations and make sure that the required privilege
3659 // is being held, before attempting to handle them.
3660 //
3661 if ((AllocationType & MEM_LARGE_PAGES) &&
3662 !(SeSinglePrivilegeCheck(SeLockMemoryPrivilege, PreviousMode)))
3663 {
3664 /* Fail without it */
3665 DPRINT1("Privilege not held for MEM_LARGE_PAGES\n");
3666 Status = STATUS_PRIVILEGE_NOT_HELD;
3667 goto FailPathNoLock;
3668 }
3669
3670 //
3671 // Assert on the things we don't yet support
3672 //
3673 ASSERT(ZeroBits == 0);
3674 ASSERT((AllocationType & MEM_LARGE_PAGES) == 0);
3675 ASSERT((AllocationType & MEM_PHYSICAL) == 0);
3676 ASSERT((AllocationType & MEM_WRITE_WATCH) == 0);
3677 ASSERT((AllocationType & MEM_TOP_DOWN) == 0);
3678 ASSERT((AllocationType & MEM_RESET) == 0);
3679 ASSERT(Process->VmTopDown == 0);
3680
3681 //
3682 // Check if the caller is reserving memory, or committing memory and letting
3683 // us pick the base address
3684 //
3685 if (!(PBaseAddress) || (AllocationType & MEM_RESERVE))
3686 {
3687 //
3688 // Do not allow COPY_ON_WRITE through this API
3689 //
3690 if ((Protect & PAGE_WRITECOPY) || (Protect & PAGE_EXECUTE_WRITECOPY))
3691 {
3692 DPRINT1("Copy on write not allowed through this path\n");
3693 Status = STATUS_INVALID_PAGE_PROTECTION;
3694 goto FailPathNoLock;
3695 }
3696
3697 //
3698 // Does the caller have an address in mind, or is this a blind commit?
3699 //
3700 if (!PBaseAddress)
3701 {
3702 //
3703 // This is a blind commit, all we need is the region size
3704 //
3705 PRegionSize = ROUND_TO_PAGES(PRegionSize);
3706 PageCount = BYTES_TO_PAGES(PRegionSize);
3707 EndingAddress = 0;
3708 StartingAddress = 0;
3709 }
3710 else
3711 {
3712 //
3713 // This is a reservation, so compute the starting address on the
3714 // expected 64KB granularity, and see where the ending address will
3715 // fall based on the aligned address and the passed in region size
3716 //
3717 StartingAddress = ROUND_DOWN((ULONG_PTR)PBaseAddress, _64K);
3718 EndingAddress = ((ULONG_PTR)PBaseAddress + PRegionSize - 1) | (PAGE_SIZE - 1);
3719 PageCount = BYTES_TO_PAGES(EndingAddress - StartingAddress);
3720 }
3721
3722 //
3723 // Allocate and initialize the VAD
3724 //
3725 Vad = ExAllocatePoolWithTag(NonPagedPool, sizeof(MMVAD_LONG), 'SdaV');
3726 ASSERT(Vad != NULL);
3727 Vad->u.LongFlags = 0;
3728 if (AllocationType & MEM_COMMIT) Vad->u.VadFlags.MemCommit = 1;
3729 Vad->u.VadFlags.Protection = ProtectionMask;
3730 Vad->u.VadFlags.PrivateMemory = 1;
3731 Vad->u.VadFlags.CommitCharge = AllocationType & MEM_COMMIT ? PageCount : 0;
3732
3733 //
3734 // Lock the address space and make sure the process isn't already dead
3735 //
3736 AddressSpace = MmGetCurrentAddressSpace();
3737 MmLockAddressSpace(AddressSpace);
3738 if (Process->VmDeleted)
3739 {
3740 Status = STATUS_PROCESS_IS_TERMINATING;
3741 goto FailPath;
3742 }
3743
3744 //
3745 // Did we have a base address? If no, find a valid address that is 64KB
3746 // aligned in the VAD tree. Otherwise, make sure that the address range
3747 // which was passed in isn't already conflicting with an existing address
3748 // range.
3749 //
3750 if (!PBaseAddress)
3751 {
3752 Status = MiFindEmptyAddressRangeInTree(PRegionSize,
3753 _64K,
3754 &Process->VadRoot,
3755 (PMMADDRESS_NODE*)&Process->VadFreeHint,
3756 &StartingAddress);
3757 if (!NT_SUCCESS(Status)) goto FailPath;
3758
3759 //
3760 // Now we know where the allocation ends. Make sure it doesn't end up
3761 // somewhere in kernel mode.
3762 //
3763 EndingAddress = ((ULONG_PTR)StartingAddress + PRegionSize - 1) | (PAGE_SIZE - 1);
3764 if ((PVOID)EndingAddress > MM_HIGHEST_VAD_ADDRESS)
3765 {
3766 Status = STATUS_NO_MEMORY;
3767 goto FailPath;
3768 }
3769 }
3770 else if (MiCheckForConflictingNode(StartingAddress >> PAGE_SHIFT,
3771 EndingAddress >> PAGE_SHIFT,
3772 &Process->VadRoot))
3773 {
3774 //
3775 // The address specified is in conflict!
3776 //
3777 Status = STATUS_CONFLICTING_ADDRESSES;
3778 goto FailPath;
3779 }
3780
3781 //
3782 // Write out the VAD fields for this allocation
3783 //
3784 Vad->StartingVpn = (ULONG_PTR)StartingAddress >> PAGE_SHIFT;
3785 Vad->EndingVpn = (ULONG_PTR)EndingAddress >> PAGE_SHIFT;
3786
3787 //
3788 // FIXME: Should setup VAD bitmap
3789 //
3790 Status = STATUS_SUCCESS;
3791
3792 //
3793 // Lock the working set and insert the VAD into the process VAD tree
3794 //
3795 MiLockProcessWorkingSet(Process, CurrentThread);
3796 Vad->ControlArea = NULL; // For Memory-Area hack
3797 MiInsertVad(Vad, Process);
3798 MiUnlockProcessWorkingSet(Process, CurrentThread);
3799
3800 //
3801 // Update the virtual size of the process, and if this is now the highest
3802 // virtual size we have ever seen, update the peak virtual size to reflect
3803 // this.
3804 //
3805 Process->VirtualSize += PRegionSize;
3806 if (Process->VirtualSize > Process->PeakVirtualSize)
3807 {
3808 Process->PeakVirtualSize = Process->VirtualSize;
3809 }
3810
3811 //
3812 // Release address space and detach and dereference the target process if
3813 // it was different from the current process
3814 //
3815 MmUnlockAddressSpace(AddressSpace);
3816 if (Attached) KeUnstackDetachProcess(&ApcState);
3817 if (ProcessHandle != NtCurrentProcess()) ObDereferenceObject(Process);
3818
3819 //
3820 // Use SEH to write back the base address and the region size. In the case
3821 // of an exception, we do not return back the exception code, as the memory
3822 // *has* been allocated. The caller would now have to call VirtualQuery
3823 // or do some other similar trick to actually find out where its memory
3824 // allocation ended up
3825 //
3826 _SEH2_TRY
3827 {
3828 *URegionSize = PRegionSize;
3829 *UBaseAddress = (PVOID)StartingAddress;
3830 }
3831 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
3832 {
3833 }
3834 _SEH2_END;
3835 return STATUS_SUCCESS;
3836 }
3837
3838 //
3839 // This is a MEM_COMMIT on top of an existing address which must have been
3840 // MEM_RESERVED already. Compute the start and ending base addresses based
3841 // on the user input, and then compute the actual region size once all the
3842 // alignments have been done.
3843 //
3844 StartingAddress = (ULONG_PTR)PAGE_ALIGN(PBaseAddress);
3845 EndingAddress = (((ULONG_PTR)PBaseAddress + PRegionSize - 1) | (PAGE_SIZE - 1));
3846 PRegionSize = EndingAddress - StartingAddress + 1;
3847
3848 //
3849 // Lock the address space and make sure the process isn't already dead
3850 //
3851 AddressSpace = MmGetCurrentAddressSpace();
3852 MmLockAddressSpace(AddressSpace);
3853 if (Process->VmDeleted)
3854 {
3855 DPRINT1("Process is dying\n");
3856 Status = STATUS_PROCESS_IS_TERMINATING;
3857 goto FailPath;
3858 }
3859
3860 //
3861 // Get the VAD for this address range, and make sure it exists
3862 //
3863 FoundVad = (PMMVAD)MiCheckForConflictingNode(StartingAddress >> PAGE_SHIFT,
3864 EndingAddress >> PAGE_SHIFT,
3865 &Process->VadRoot);
3866 if (!FoundVad)
3867 {
3868 DPRINT1("Could not find a VAD for this allocation\n");
3869 Status = STATUS_CONFLICTING_ADDRESSES;
3870 goto FailPath;
3871 }
3872
3873 //
3874 // These kinds of VADs are illegal for this Windows function when trying to
3875 // commit an existing range
3876 //
3877 if ((FoundVad->u.VadFlags.VadType == VadAwe) ||
3878 (FoundVad->u.VadFlags.VadType == VadDevicePhysicalMemory) ||
3879 (FoundVad->u.VadFlags.VadType == VadLargePages))
3880 {
3881 DPRINT1("Illegal VAD for attempting a MEM_COMMIT\n");
3882 Status = STATUS_CONFLICTING_ADDRESSES;
3883 goto FailPath;
3884 }
3885
3886 //
3887 // Make sure that this address range actually fits within the VAD for it
3888 //
3889 if (((StartingAddress >> PAGE_SHIFT) < FoundVad->StartingVpn) &&
3890 ((EndingAddress >> PAGE_SHIFT) > FoundVad->EndingVpn))
3891 {
3892 DPRINT1("Address range does not fit into the VAD\n");
3893 Status = STATUS_CONFLICTING_ADDRESSES;
3894 goto FailPath;
3895 }
3896
3897 //
3898 // If this is an existing section view, we call the old RosMm routine which
3899 // has the relevant code required to handle the section scenario. In the future
3900 // we will limit this even more so that there's almost nothing that the code
3901 // needs to do, and it will become part of section.c in RosMm
3902 //
3903 MemoryArea = MmLocateMemoryAreaByAddress(AddressSpace, (PVOID)PAGE_ROUND_DOWN(PBaseAddress));
3904 if (MemoryArea->Type != MEMORY_AREA_OWNED_BY_ARM3)
3905 {
3906 return MiRosAllocateVirtualMemory(ProcessHandle,
3907 Process,
3908 MemoryArea,
3909 AddressSpace,
3910 UBaseAddress,
3911 Attached,
3912 URegionSize,
3913 AllocationType,
3914 Protect);
3915 }
3916
3917 // Is this a previously reserved section being committed? If so, enter the
3918 // special section path
3919 //
3920 if (FoundVad->u.VadFlags.PrivateMemory == FALSE)
3921 {
3922 //
3923 // You cannot commit large page sections through this API
3924 //
3925 if (FoundVad->u.VadFlags.VadType == VadLargePageSection)
3926 {
3927 DPRINT1("Large page sections cannot be VirtualAlloc'd\n");
3928 Status = STATUS_INVALID_PAGE_PROTECTION;
3929 goto FailPath;
3930 }
3931
3932 //
3933 // You can only use caching flags on a rotate VAD
3934 //
3935 if ((Protect & (PAGE_NOCACHE | PAGE_WRITECOMBINE)) &&
3936 (FoundVad->u.VadFlags.VadType != VadRotatePhysical))
3937 {
3938 DPRINT1("Cannot use caching flags with anything but rotate VADs\n");
3939 Status = STATUS_INVALID_PAGE_PROTECTION;
3940 goto FailPath;
3941 }
3942
3943 //
3944 // We should make sure that the section's permissions aren't being messed with
3945 //
3946 if (FoundVad->u.VadFlags.NoChange)
3947 {
3948 DPRINT1("SEC_NO_CHANGE section being touched. Assuming this is ok\n");
3949 }
3950
3951 //
3952 // ARM3 does not support file-backed sections, only shared memory
3953 //
3954 ASSERT(FoundVad->ControlArea->FilePointer == NULL);
3955
3956 //
3957 // Rotate VADs cannot be guard pages or inaccessible, nor copy on write
3958 //
3959 if ((FoundVad->u.VadFlags.VadType == VadRotatePhysical) &&
3960 (Protect & (PAGE_WRITECOPY | PAGE_EXECUTE_WRITECOPY | PAGE_NOACCESS | PAGE_GUARD)))
3961 {
3962 DPRINT1("Invalid page protection for rotate VAD\n");
3963 Status = STATUS_INVALID_PAGE_PROTECTION;
3964 goto FailPath;
3965 }
3966
3967 //
3968 // Compute PTE addresses and the quota charge, then grab the commit lock
3969 //
3970 PointerPte = MI_GET_PROTOTYPE_PTE_FOR_VPN(FoundVad, StartingAddress >> PAGE_SHIFT);
3971 LastPte = MI_GET_PROTOTYPE_PTE_FOR_VPN(FoundVad, EndingAddress >> PAGE_SHIFT);
3972 QuotaCharge = (ULONG)(LastPte - PointerPte + 1);
3973 KeAcquireGuardedMutexUnsafe(&MmSectionCommitMutex);
3974
3975 //
3976 // Get the segment template PTE and start looping each page
3977 //
3978 TempPte = FoundVad->ControlArea->Segment->SegmentPteTemplate;
3979 ASSERT(TempPte.u.Long != 0);
3980 while (PointerPte <= LastPte)
3981 {
3982 //
3983 // For each non-already-committed page, write the invalid template PTE
3984 //
3985 if (PointerPte->u.Long == 0)
3986 {
3987 MI_WRITE_INVALID_PTE(PointerPte, TempPte);
3988 }
3989 else
3990 {
3991 QuotaFree++;
3992 }
3993 PointerPte++;
3994 }
3995
3996 //
3997 // Now do the commit accounting and release the lock
3998 //
3999 ASSERT(QuotaCharge >= QuotaFree);
4000 QuotaCharge -= QuotaFree;
4001 FoundVad->ControlArea->Segment->NumberOfCommittedPages += QuotaCharge;
4002 KeReleaseGuardedMutexUnsafe(&MmSectionCommitMutex);
4003
4004 //
4005 // We are done with committing the section pages
4006 //
4007 Status = STATUS_SUCCESS;
4008 goto FailPath;
4009 }
4010
4011 //
4012 // This is a specific ReactOS check because we only use normal VADs
4013 //
4014 ASSERT(FoundVad->u.VadFlags.VadType == VadNone);
4015
4016 //
4017 // While this is an actual Windows check
4018 //
4019 ASSERT(FoundVad->u.VadFlags.VadType != VadRotatePhysical);
4020
4021 //
4022 // Throw out attempts to use copy-on-write through this API path
4023 //
4024 if ((Protect & PAGE_WRITECOPY) || (Protect & PAGE_EXECUTE_WRITECOPY))
4025 {
4026 DPRINT1("Write copy attempted when not allowed\n");
4027 Status = STATUS_INVALID_PAGE_PROTECTION;
4028 goto FailPath;
4029 }
4030
4031 //
4032 // Initialize a demand-zero PTE
4033 //
4034 TempPte.u.Long = 0;
4035 TempPte.u.Soft.Protection = ProtectionMask;
4036
4037 //
4038 // Get the PTE, PDE and the last PTE for this address range
4039 //
4040 PointerPde = MiAddressToPde(StartingAddress);
4041 PointerPte = MiAddressToPte(StartingAddress);
4042 LastPte = MiAddressToPte(EndingAddress);
4043
4044 //
4045 // Update the commit charge in the VAD as well as in the process, and check
4046 // if this commit charge was now higher than the last recorded peak, in which
4047 // case we also update the peak
4048 //
4049 FoundVad->u.VadFlags.CommitCharge += (1 + LastPte - PointerPte);
4050 Process->CommitCharge += (1 + LastPte - PointerPte);
4051 if (Process->CommitCharge > Process->CommitChargePeak)
4052 {
4053 Process->CommitChargePeak = Process->CommitCharge;
4054 }
4055
4056 //
4057 // Lock the working set while we play with user pages and page tables
4058 //
4059 //MiLockWorkingSet(CurrentThread, AddressSpace);
4060
4061 //
4062 // Make the current page table valid, and then loop each page within it
4063 //
4064 MiMakePdeExistAndMakeValid(PointerPde, Process, MM_NOIRQL);
4065 while (PointerPte <= LastPte)
4066 {
4067 //
4068 // Have we crossed into a new page table?
4069 //
4070 if (!(((ULONG_PTR)PointerPte) & (SYSTEM_PD_SIZE - 1)))
4071 {
4072 //
4073 // Get the PDE and now make it valid too
4074 //
4075 PointerPde = MiAddressToPte(PointerPte);
4076 MiMakePdeExistAndMakeValid(PointerPde, Process, MM_NOIRQL);
4077 }
4078
4079 //
4080 // Is this a zero PTE as expected?
4081 //
4082 if (PointerPte->u.Long == 0)
4083 {
4084 //
4085 // First increment the count of pages in the page table for this
4086 // process
4087 //
4088 UsedPageTableEntries = &MmWorkingSetList->UsedPageTableEntries[MiGetPdeOffset(MiPteToAddress(PointerPte))];
4089 (*UsedPageTableEntries)++;
4090 ASSERT((*UsedPageTableEntries) <= PTE_COUNT);
4091
4092 //
4093 // And now write the invalid demand-zero PTE as requested
4094 //
4095 MI_WRITE_INVALID_PTE(PointerPte, TempPte);
4096 }
4097 else if (PointerPte->u.Long == MmDecommittedPte.u.Long)
4098 {
4099 //
4100 // If the PTE was already decommitted, there is nothing else to do
4101 // but to write the new demand-zero PTE
4102 //
4103 MI_WRITE_INVALID_PTE(PointerPte, TempPte);
4104 }
4105 else if (!(ChangeProtection) && (Protect != MiGetPageProtection(PointerPte)))
4106 {
4107 //
4108 // We don't handle these scenarios yet
4109 //
4110 if (PointerPte->u.Soft.Valid == 0)
4111 {
4112 ASSERT(PointerPte->u.Soft.Prototype == 0);
4113 ASSERT(PointerPte->u.Soft.PageFileHigh == 0);
4114 }
4115
4116 //
4117 // There's a change in protection, remember this for later, but do
4118 // not yet handle it.
4119 //
4120 DPRINT1("Protection change to: 0x%lx not implemented\n", Protect);
4121 ChangeProtection = TRUE;
4122 }
4123
4124 //
4125 // Move to the next PTE
4126 //
4127 PointerPte++;
4128 }
4129
4130 //
4131 // This path is not yet handled
4132 //
4133 ASSERT(ChangeProtection == FALSE);
4134
4135 //
4136 // Release the working set lock, unlock the address space, and detach from
4137 // the target process if it was not the current process. Also dereference the
4138 // target process if this wasn't the case.
4139 //
4140 //MiUnlockProcessWorkingSet(Process, CurrentThread);
4141 Status = STATUS_SUCCESS;
4142 FailPath:
4143 MmUnlockAddressSpace(AddressSpace);
4144 FailPathNoLock:
4145 if (Attached) KeUnstackDetachProcess(&ApcState);
4146 if (ProcessHandle != NtCurrentProcess()) ObDereferenceObject(Process);
4147
4148 //
4149 // Use SEH to write back the base address and the region size. In the case
4150 // of an exception, we strangely do return back the exception code, even
4151 // though the memory *has* been allocated. This mimics Windows behavior and
4152 // there is not much we can do about it.
4153 //
4154 _SEH2_TRY
4155 {
4156 *URegionSize = PRegionSize;
4157 *UBaseAddress = (PVOID)StartingAddress;
4158 }
4159 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
4160 {
4161 Status = _SEH2_GetExceptionCode();
4162 }
4163 _SEH2_END;
4164 return Status;
4165 }
4166
4167 /*
4168 * @implemented
4169 */
4170 NTSTATUS
4171 NTAPI
4172 NtFreeVirtualMemory(IN HANDLE ProcessHandle,
4173 IN PVOID* UBaseAddress,
4174 IN PSIZE_T URegionSize,
4175 IN ULONG FreeType)
4176 {
4177 PMEMORY_AREA MemoryArea;
4178 SIZE_T PRegionSize;
4179 PVOID PBaseAddress;
4180 ULONG_PTR CommitReduction = 0;
4181 ULONG_PTR StartingAddress, EndingAddress;
4182 PMMVAD Vad;
4183 NTSTATUS Status;
4184 PEPROCESS Process;
4185 PMMSUPPORT AddressSpace;
4186 PETHREAD CurrentThread = PsGetCurrentThread();
4187 PEPROCESS CurrentProcess = PsGetCurrentProcess();
4188 KPROCESSOR_MODE PreviousMode = KeGetPreviousMode();
4189 KAPC_STATE ApcState;
4190 BOOLEAN Attached = FALSE;
4191 PAGED_CODE();
4192
4193 //
4194 // Only two flags are supported
4195 //
4196 if (!(FreeType & (MEM_RELEASE | MEM_DECOMMIT)))
4197 {
4198 DPRINT1("Invalid FreeType\n");
4199 return STATUS_INVALID_PARAMETER_4;
4200 }
4201
4202 //
4203 // Check if no flag was used, or if both flags were used
4204 //
4205 if (!((FreeType & (MEM_DECOMMIT | MEM_RELEASE))) ||
4206 ((FreeType & (MEM_DECOMMIT | MEM_RELEASE)) == (MEM_DECOMMIT | MEM_RELEASE)))
4207 {
4208 DPRINT1("Invalid FreeType combination\n");
4209 return STATUS_INVALID_PARAMETER_4;
4210 }
4211
4212 //
4213 // Enter SEH for probe and capture. On failure, return back to the caller
4214 // with an exception violation.
4215 //
4216 _SEH2_TRY
4217 {
4218 //
4219 // Check for user-mode parameters and make sure that they are writeable
4220 //
4221 if (PreviousMode != KernelMode)
4222 {
4223 ProbeForWritePointer(UBaseAddress);
4224 ProbeForWriteUlong(URegionSize);
4225 }
4226
4227 //
4228 // Capture the current values
4229 //
4230 PBaseAddress = *UBaseAddress;
4231 PRegionSize = *URegionSize;
4232 }
4233 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
4234 {
4235 _SEH2_YIELD(return _SEH2_GetExceptionCode());
4236 }
4237 _SEH2_END;
4238
4239 //
4240 // Make sure the allocation isn't past the user area
4241 //
4242 if (PBaseAddress >= MM_HIGHEST_USER_ADDRESS)
4243 {
4244 DPRINT1("Virtual free base above User Space\n");
4245 return STATUS_INVALID_PARAMETER_2;
4246 }
4247
4248 //
4249 // Make sure the allocation wouldn't overflow past the user area
4250 //
4251 if (((ULONG_PTR)MM_HIGHEST_USER_ADDRESS - (ULONG_PTR)PBaseAddress) < PRegionSize)
4252 {
4253 DPRINT1("Region size would overflow into kernel-memory\n");
4254 return STATUS_INVALID_PARAMETER_3;
4255 }
4256
4257 //
4258 // If this is for the current process, just use PsGetCurrentProcess
4259 //
4260 if (ProcessHandle == NtCurrentProcess())
4261 {
4262 Process = CurrentProcess;
4263 }
4264 else
4265 {
4266 //
4267 // Otherwise, reference the process with VM rights and attach to it if
4268 // this isn't the current process. We must attach because we'll be touching
4269 // PTEs and PDEs that belong to user-mode memory, and also touching the
4270 // Working Set which is stored in Hyperspace.
4271 //
4272 Status = ObReferenceObjectByHandle(ProcessHandle,
4273 PROCESS_VM_OPERATION,
4274 PsProcessType,
4275 PreviousMode,
4276 (PVOID*)&Process,
4277 NULL);
4278 if (!NT_SUCCESS(Status)) return Status;
4279 if (CurrentProcess != Process)
4280 {
4281 KeStackAttachProcess(&Process->Pcb, &ApcState);
4282 Attached = TRUE;
4283 }
4284 }
4285
4286 //
4287 // Lock the address space
4288 //
4289 AddressSpace = MmGetCurrentAddressSpace();
4290 MmLockAddressSpace(AddressSpace);
4291
4292 //
4293 // If the address space is being deleted, fail the de-allocation since it's
4294 // too late to do anything about it
4295 //
4296 if (Process->VmDeleted)
4297 {
4298 DPRINT1("Process is dead\n");
4299 Status = STATUS_PROCESS_IS_TERMINATING;
4300 goto FailPath;
4301 }
4302
4303 //
4304 // Compute start and end addresses, and locate the VAD
4305 //
4306 StartingAddress = (ULONG_PTR)PAGE_ALIGN(PBaseAddress);
4307 EndingAddress = ((ULONG_PTR)PBaseAddress + PRegionSize - 1) | (PAGE_SIZE - 1);
4308 Vad = MiLocateAddress((PVOID)StartingAddress);
4309 if (!Vad)
4310 {
4311 DPRINT1("Unable to find VAD for address 0x%p\n", StartingAddress);
4312 Status = STATUS_MEMORY_NOT_ALLOCATED;
4313 goto FailPath;
4314 }
4315
4316 //
4317 // If the range exceeds the VAD's ending VPN, fail this request
4318 //
4319 if (Vad->EndingVpn < (EndingAddress >> PAGE_SHIFT))
4320 {
4321 DPRINT1("Address 0x%p is beyond the VAD\n", EndingAddress);
4322 Status = STATUS_UNABLE_TO_FREE_VM;
4323 goto FailPath;
4324 }
4325
4326 //
4327 // These ASSERTs are here because ReactOS ARM3 does not currently implement
4328 // any other kinds of VADs.
4329 //
4330 ASSERT(Vad->u.VadFlags.PrivateMemory == 1);
4331 ASSERT(Vad->u.VadFlags.NoChange == 0);
4332 ASSERT(Vad->u.VadFlags.VadType == VadNone);
4333
4334 //
4335 // Finally, make sure there is a ReactOS Mm MEMORY_AREA for this allocation
4336 // and that is is an ARM3 memory area, and not a section view, as we currently
4337 // don't support freeing those though this interface.
4338 //
4339 MemoryArea = MmLocateMemoryAreaByAddress(AddressSpace, (PVOID)StartingAddress);
4340 ASSERT(MemoryArea);
4341 ASSERT(MemoryArea->Type == MEMORY_AREA_OWNED_BY_ARM3);
4342
4343 //
4344 // Now we can try the operation. First check if this is a RELEASE or a DECOMMIT
4345 //
4346 if (FreeType & MEM_RELEASE)
4347 {
4348 //
4349 // Is the caller trying to remove the whole VAD, or remove only a portion
4350 // of it? If no region size is specified, then the assumption is that the
4351 // whole VAD is to be destroyed
4352 //
4353 if (!PRegionSize)
4354 {
4355 //
4356 // The caller must specify the base address identically to the range
4357 // that is stored in the VAD.
4358 //
4359 if (((ULONG_PTR)PBaseAddress >> PAGE_SHIFT) != Vad->StartingVpn)
4360 {
4361 DPRINT1("Address 0x%p does not match the VAD\n", PBaseAddress);
4362 Status = STATUS_FREE_VM_NOT_AT_BASE;
4363 goto FailPath;
4364 }
4365
4366 //
4367 // Now compute the actual start/end addresses based on the VAD
4368 //
4369 StartingAddress = Vad->StartingVpn << PAGE_SHIFT;
4370 EndingAddress = (Vad->EndingVpn << PAGE_SHIFT) | (PAGE_SIZE - 1);
4371
4372 //
4373 // Finally lock the working set and remove the VAD from the VAD tree
4374 //
4375 MiLockWorkingSet(CurrentThread, AddressSpace);
4376 ASSERT(Process->VadRoot.NumberGenericTableElements >= 1);
4377 MiRemoveNode((PMMADDRESS_NODE)Vad, &Process->VadRoot);
4378 }
4379 else
4380 {
4381 //
4382 // This means the caller wants to release a specific region within
4383 // the range. We have to find out which range this is -- the following
4384 // possibilities exist plus their union (CASE D):
4385 //
4386 // STARTING ADDRESS ENDING ADDRESS
4387 // [<========][========================================][=========>]
4388 // CASE A CASE B CASE C
4389 //
4390 //
4391 // First, check for case A or D
4392 //
4393 if ((StartingAddress >> PAGE_SHIFT) == Vad->StartingVpn)
4394 {
4395 //
4396 // Check for case D
4397 //
4398 if ((EndingAddress >> PAGE_SHIFT) == Vad->EndingVpn)
4399 {
4400 //
4401 // This is the easiest one to handle -- it is identical to
4402 // the code path above when the caller sets a zero region size
4403 // and the whole VAD is destroyed
4404 //
4405 MiLockWorkingSet(CurrentThread, AddressSpace);
4406 ASSERT(Process->VadRoot.NumberGenericTableElements >= 1);
4407 MiRemoveNode((PMMADDRESS_NODE)Vad, &Process->VadRoot);
4408 }
4409 else
4410 {
4411 //
4412 // This case is pretty easy too -- we compute a bunch of
4413 // pages to decommit, and then push the VAD's starting address
4414 // a bit further down, then decrement the commit charge
4415 //
4416 // NOT YET IMPLEMENTED IN ARM3.
4417 //
4418 DPRINT1("Case A not handled\n");
4419 Status = STATUS_FREE_VM_NOT_AT_BASE;
4420 goto FailPath;
4421
4422 //
4423 // After analyzing the VAD, set it to NULL so that we don't
4424 // free it in the exit path
4425 //
4426 Vad = NULL;
4427 }
4428 }
4429 else
4430 {
4431 //
4432 // This is case B or case C. First check for case C
4433 //
4434 if ((EndingAddress >> PAGE_SHIFT) == Vad->EndingVpn)
4435 {
4436 PMEMORY_AREA MemoryArea;
4437
4438 //
4439 // This is pretty easy and similar to case A. We compute the
4440 // amount of pages to decommit, update the VAD's commit charge
4441 // and then change the ending address of the VAD to be a bit
4442 // smaller.
4443 //
4444 MiLockWorkingSet(CurrentThread, AddressSpace);
4445 CommitReduction = MiCalculatePageCommitment(StartingAddress,
4446 EndingAddress,
4447 Vad,
4448 Process);
4449 Vad->u.VadFlags.CommitCharge -= CommitReduction;
4450 // For ReactOS: shrink the corresponding memory area
4451 MemoryArea = MmLocateMemoryAreaByAddress(AddressSpace, (PVOID)StartingAddress);
4452 ASSERT(Vad->StartingVpn << PAGE_SHIFT == (ULONG_PTR)MemoryArea->StartingAddress);
4453 ASSERT((Vad->EndingVpn + 1) << PAGE_SHIFT == (ULONG_PTR)MemoryArea->EndingAddress);
4454 Vad->EndingVpn = ((ULONG_PTR)StartingAddress - 1) >> PAGE_SHIFT;
4455 MemoryArea->EndingAddress = (PVOID)(((Vad->EndingVpn + 1) << PAGE_SHIFT) - 1);
4456 }
4457 else
4458 {
4459 //
4460 // This is case B and the hardest one. Because we are removing
4461 // a chunk of memory from the very middle of the VAD, we must
4462 // actually split the VAD into two new VADs and compute the
4463 // commit charges for each of them, and reinsert new charges.
4464 //
4465 // NOT YET IMPLEMENTED IN ARM3.
4466 //
4467 DPRINT1("Case B not handled\n");
4468 Status = STATUS_FREE_VM_NOT_AT_BASE;
4469 goto FailPath;
4470 }
4471
4472 //
4473 // After analyzing the VAD, set it to NULL so that we don't
4474 // free it in the exit path
4475 //
4476 Vad = NULL;
4477 }
4478 }
4479
4480 //
4481 // Now we have a range of pages to dereference, so call the right API
4482 // to do that and then release the working set, since we're done messing
4483 // around with process pages.
4484 //
4485 MiDeleteVirtualAddresses(StartingAddress, EndingAddress, NULL);
4486 MiUnlockWorkingSet(CurrentThread, AddressSpace);
4487 Status = STATUS_SUCCESS;
4488
4489 FinalPath:
4490 //
4491 // Update the process counters
4492 //
4493 PRegionSize = EndingAddress - StartingAddress + 1;
4494 Process->CommitCharge -= CommitReduction;
4495 if (FreeType & MEM_RELEASE) Process->VirtualSize -= PRegionSize;
4496
4497 //
4498 // Unlock the address space and free the VAD in failure cases. Next,
4499 // detach from the target process so we can write the region size and the
4500 // base address to the correct source process, and dereference the target
4501 // process.
4502 //
4503 MmUnlockAddressSpace(AddressSpace);
4504 if (Vad) ExFreePool(Vad);
4505 if (Attached) KeUnstackDetachProcess(&ApcState);
4506 if (ProcessHandle != NtCurrentProcess()) ObDereferenceObject(Process);
4507
4508 //
4509 // Use SEH to safely return the region size and the base address of the
4510 // deallocation. If we get an access violation, don't return a failure code
4511 // as the deallocation *has* happened. The caller will just have to figure
4512 // out another way to find out where it is (such as VirtualQuery).
4513 //
4514 _SEH2_TRY
4515 {
4516 *URegionSize = PRegionSize;
4517 *UBaseAddress = (PVOID)StartingAddress;
4518 }
4519 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
4520 {
4521 }
4522 _SEH2_END;
4523 return Status;
4524 }
4525
4526 //
4527 // This is the decommit path. You cannot decommit from the following VADs in
4528 // Windows, so fail the vall
4529 //
4530 if ((Vad->u.VadFlags.VadType == VadAwe) ||
4531 (Vad->u.VadFlags.VadType == VadLargePages) ||
4532 (Vad->u.VadFlags.VadType == VadRotatePhysical))
4533 {
4534 DPRINT1("Trying to decommit from invalid VAD\n");
4535 Status = STATUS_MEMORY_NOT_ALLOCATED;
4536 goto FailPath;
4537 }
4538
4539 //
4540 // If the caller did not specify a region size, first make sure that this
4541 // region is actually committed. If it is, then compute the ending address
4542 // based on the VAD.
4543 //
4544 if (!PRegionSize)
4545 {
4546 if (((ULONG_PTR)PBaseAddress >> PAGE_SHIFT) != Vad->StartingVpn)
4547 {
4548 DPRINT1("Decomitting non-committed memory\n");
4549 Status = STATUS_FREE_VM_NOT_AT_BASE;
4550 goto FailPath;
4551 }
4552 EndingAddress = (Vad->EndingVpn << PAGE_SHIFT) | (PAGE_SIZE - 1);
4553 }
4554
4555 //
4556 // Decommit the PTEs for the range plus the actual backing pages for the
4557 // range, then reduce that amount from the commit charge in the VAD
4558 //
4559 CommitReduction = MiAddressToPte(EndingAddress) -
4560 MiAddressToPte(StartingAddress) +
4561 1 -
4562 MiDecommitPages((PVOID)StartingAddress,
4563 MiAddressToPte(EndingAddress),
4564 Process,
4565 Vad);
4566 ASSERT(CommitReduction >= 0);
4567 Vad->u.VadFlags.CommitCharge -= CommitReduction;
4568 ASSERT(Vad->u.VadFlags.CommitCharge >= 0);
4569
4570 //
4571 // We are done, go to the exit path without freeing the VAD as it remains
4572 // valid since we have not released the allocation.
4573 //
4574 Vad = NULL;
4575 Status = STATUS_SUCCESS;
4576 goto FinalPath;
4577
4578 //
4579 // In the failure path, we detach and derefernece the target process, and
4580 // return whatever failure code was sent.
4581 //
4582 FailPath:
4583 MmUnlockAddressSpace(AddressSpace);
4584 if (Attached) KeUnstackDetachProcess(&ApcState);
4585 if (ProcessHandle != NtCurrentProcess()) ObDereferenceObject(Process);
4586 return Status;
4587 }
4588
4589 /* EOF */
A free Windows-compatible Operating System