2 * PROJECT: ReactOS Kernel
3 * LICENSE: BSD - See COPYING.ARM in the top level directory
4 * FILE: ntoskrnl/mm/ARM3/virtual.c
5 * PURPOSE: ARM Memory Manager Virtual Memory Management
6 * PROGRAMMERS: ReactOS Portable Systems Group
9 /* INCLUDES *******************************************************************/
10 /* So long, and Thanks for All the Fish */
16 #define MODULE_INVOLVED_IN_ARM3
17 #include "../ARM3/miarm.h"
19 #define MI_MAPPED_COPY_PAGES 14
20 #define MI_POOL_COPY_BYTES 512
21 #define MI_MAX_TRANSFER_SIZE 64 * 1024
24 MiProtectVirtualMemory(IN PEPROCESS Process
,
25 IN OUT PVOID
*BaseAddress
,
26 IN OUT PSIZE_T NumberOfBytesToProtect
,
27 IN ULONG NewAccessProtection
,
28 OUT PULONG OldAccessProtection OPTIONAL
);
32 MiFlushTbAndCapture(IN PMMVAD FoundVad
,
34 IN ULONG ProtectionMask
,
36 IN BOOLEAN CaptureDirtyBit
);
39 /* PRIVATE FUNCTIONS **********************************************************/
43 MiCalculatePageCommitment(IN ULONG_PTR StartingAddress
,
44 IN ULONG_PTR EndingAddress
,
48 PMMPTE PointerPte
, LastPte
, PointerPde
;
51 /* Compute starting and ending PTE and PDE addresses */
52 PointerPde
= MiAddressToPde(StartingAddress
);
53 PointerPte
= MiAddressToPte(StartingAddress
);
54 LastPte
= MiAddressToPte(EndingAddress
);
56 /* Handle commited pages first */
57 if (Vad
->u
.VadFlags
.MemCommit
== 1)
59 /* This is a committed VAD, so Assume the whole range is committed */
60 CommittedPages
= BYTES_TO_PAGES(EndingAddress
- StartingAddress
);
62 /* Is the PDE demand-zero? */
63 PointerPde
= MiAddressToPte(PointerPte
);
64 if (PointerPde
->u
.Long
!= 0)
66 /* It is not. Is it valid? */
67 if (PointerPde
->u
.Hard
.Valid
== 0)
70 PointerPte
= MiPteToAddress(PointerPde
);
71 MiMakeSystemAddressValid(PointerPte
, Process
);
76 /* It is, skip it and move to the next PDE, unless we're done */
78 PointerPte
= MiPteToAddress(PointerPde
);
79 if (PointerPte
> LastPte
) return CommittedPages
;
82 /* Now loop all the PTEs in the range */
83 while (PointerPte
<= LastPte
)
85 /* Have we crossed a PDE boundary? */
86 if (MiIsPteOnPdeBoundary(PointerPte
))
88 /* Is this PDE demand zero? */
89 PointerPde
= MiAddressToPte(PointerPte
);
90 if (PointerPde
->u
.Long
!= 0)
92 /* It isn't -- is it valid? */
93 if (PointerPde
->u
.Hard
.Valid
== 0)
95 /* Nope, fault it in */
96 PointerPte
= MiPteToAddress(PointerPde
);
97 MiMakeSystemAddressValid(PointerPte
, Process
);
102 /* It is, skip it and move to the next PDE */
104 PointerPte
= MiPteToAddress(PointerPde
);
109 /* Is this PTE demand zero? */
110 if (PointerPte
->u
.Long
!= 0)
112 /* It isn't -- is it a decommited, invalid, or faulted PTE? */
113 if ((PointerPte
->u
.Soft
.Protection
== MM_DECOMMIT
) &&
114 (PointerPte
->u
.Hard
.Valid
== 0) &&
115 ((PointerPte
->u
.Soft
.Prototype
== 0) ||
116 (PointerPte
->u
.Soft
.PageFileHigh
== MI_PTE_LOOKUP_NEEDED
)))
118 /* It is, so remove it from the count of commited pages */
123 /* Move to the next PTE */
127 /* Return how many committed pages there still are */
128 return CommittedPages
;
131 /* This is a non-commited VAD, so assume none of it is committed */
134 /* Is the PDE demand-zero? */
135 PointerPde
= MiAddressToPte(PointerPte
);
136 if (PointerPde
->u
.Long
!= 0)
138 /* It isn't -- is it invalid? */
139 if (PointerPde
->u
.Hard
.Valid
== 0)
141 /* It is, so page it in */
142 PointerPte
= MiPteToAddress(PointerPde
);
143 MiMakeSystemAddressValid(PointerPte
, Process
);
148 /* It is, so skip it and move to the next PDE */
150 PointerPte
= MiPteToAddress(PointerPde
);
151 if (PointerPte
> LastPte
) return CommittedPages
;
154 /* Loop all the PTEs in this PDE */
155 while (PointerPte
<= LastPte
)
157 /* Have we crossed a PDE boundary? */
158 if (MiIsPteOnPdeBoundary(PointerPte
))
160 /* Is this new PDE demand-zero? */
161 PointerPde
= MiAddressToPte(PointerPte
);
162 if (PointerPde
->u
.Long
!= 0)
164 /* It isn't. Is it valid? */
165 if (PointerPde
->u
.Hard
.Valid
== 0)
167 /* It isn't, so make it valid */
168 PointerPte
= MiPteToAddress(PointerPde
);
169 MiMakeSystemAddressValid(PointerPte
, Process
);
174 /* It is, so skip it and move to the next one */
176 PointerPte
= MiPteToAddress(PointerPde
);
181 /* Is this PTE demand-zero? */
182 if (PointerPte
->u
.Long
!= 0)
184 /* Nope. Is it a valid, non-decommited, non-paged out PTE? */
185 if ((PointerPte
->u
.Soft
.Protection
!= MM_DECOMMIT
) ||
186 (PointerPte
->u
.Hard
.Valid
== 1) ||
187 ((PointerPte
->u
.Soft
.Prototype
== 1) &&
188 (PointerPte
->u
.Soft
.PageFileHigh
!= MI_PTE_LOOKUP_NEEDED
)))
190 /* It is! So we'll treat this as a committed page */
195 /* Move to the next PTE */
199 /* Return how many committed pages we found in this VAD */
200 return CommittedPages
;
205 MiMakeSystemAddressValid(IN PVOID PageTableVirtualAddress
,
206 IN PEPROCESS CurrentProcess
)
209 BOOLEAN WsShared
= FALSE
, WsSafe
= FALSE
, LockChange
= FALSE
;
210 PETHREAD CurrentThread
= PsGetCurrentThread();
212 /* Must be a non-pool page table, since those are double-mapped already */
213 ASSERT(PageTableVirtualAddress
> MM_HIGHEST_USER_ADDRESS
);
214 ASSERT((PageTableVirtualAddress
< MmPagedPoolStart
) ||
215 (PageTableVirtualAddress
> MmPagedPoolEnd
));
217 /* Working set lock or PFN lock should be held */
218 ASSERT(KeAreAllApcsDisabled() == TRUE
);
220 /* Check if the page table is valid */
221 while (!MmIsAddressValid(PageTableVirtualAddress
))
223 /* Release the working set lock */
224 MiUnlockProcessWorkingSetForFault(CurrentProcess
,
230 Status
= MmAccessFault(FALSE
, PageTableVirtualAddress
, KernelMode
, NULL
);
231 if (!NT_SUCCESS(Status
))
233 /* This should not fail */
234 KeBugCheckEx(KERNEL_DATA_INPAGE_ERROR
,
237 (ULONG_PTR
)CurrentProcess
,
238 (ULONG_PTR
)PageTableVirtualAddress
);
241 /* Lock the working set again */
242 MiLockProcessWorkingSetForFault(CurrentProcess
,
247 /* This flag will be useful later when we do better locking */
251 /* Let caller know what the lock state is */
257 MiMakeSystemAddressValidPfn(IN PVOID VirtualAddress
,
261 BOOLEAN LockChange
= FALSE
;
263 /* Must be e kernel address */
264 ASSERT(VirtualAddress
> MM_HIGHEST_USER_ADDRESS
);
266 /* Check if the page is valid */
267 while (!MmIsAddressValid(VirtualAddress
))
269 /* Release the PFN database */
270 KeReleaseQueuedSpinLock(LockQueuePfnLock
, OldIrql
);
273 Status
= MmAccessFault(FALSE
, VirtualAddress
, KernelMode
, NULL
);
274 if (!NT_SUCCESS(Status
))
276 /* This should not fail */
277 KeBugCheckEx(KERNEL_DATA_INPAGE_ERROR
,
281 (ULONG_PTR
)VirtualAddress
);
284 /* This flag will be useful later when we do better locking */
287 /* Lock the PFN database */
288 OldIrql
= KeAcquireQueuedSpinLock(LockQueuePfnLock
);
291 /* Let caller know what the lock state is */
297 MiDeleteSystemPageableVm(IN PMMPTE PointerPte
,
298 IN PFN_NUMBER PageCount
,
300 OUT PPFN_NUMBER ValidPages
)
302 PFN_COUNT ActualPages
= 0;
303 PETHREAD CurrentThread
= PsGetCurrentThread();
305 PFN_NUMBER PageFrameIndex
, PageTableIndex
;
307 ASSERT(KeGetCurrentIrql() <= APC_LEVEL
);
309 /* Lock the system working set */
310 MiLockWorkingSet(CurrentThread
, &MmSystemCacheWs
);
315 /* Make sure there's some data about the page */
316 if (PointerPte
->u
.Long
)
318 /* As always, only handle current ARM3 scenarios */
319 ASSERT(PointerPte
->u
.Soft
.Prototype
== 0);
320 ASSERT(PointerPte
->u
.Soft
.Transition
== 0);
322 /* Normally this is one possibility -- freeing a valid page */
323 if (PointerPte
->u
.Hard
.Valid
)
325 /* Get the page PFN */
326 PageFrameIndex
= PFN_FROM_PTE(PointerPte
);
327 Pfn1
= MiGetPfnEntry(PageFrameIndex
);
329 /* Should not have any working set data yet */
330 ASSERT(Pfn1
->u1
.WsIndex
== 0);
332 /* Actual valid, legitimate, pages */
333 if (ValidPages
) (*ValidPages
)++;
335 /* Get the page table entry */
336 PageTableIndex
= Pfn1
->u4
.PteFrame
;
337 Pfn2
= MiGetPfnEntry(PageTableIndex
);
339 /* Lock the PFN database */
340 OldIrql
= KeAcquireQueuedSpinLock(LockQueuePfnLock
);
342 /* Delete it the page */
343 MI_SET_PFN_DELETED(Pfn1
);
344 MiDecrementShareCount(Pfn1
, PageFrameIndex
);
346 /* Decrement the page table too */
347 MiDecrementShareCount(Pfn2
, PageTableIndex
);
349 /* Release the PFN database */
350 KeReleaseQueuedSpinLock(LockQueuePfnLock
, OldIrql
);
352 /* Destroy the PTE */
353 MI_WRITE_INVALID_PTE(PointerPte
, MmZeroPte
);
356 /* Actual legitimate pages */
362 * The only other ARM3 possibility is a demand zero page, which would
363 * mean freeing some of the paged pool pages that haven't even been
364 * touched yet, as part of a larger allocation.
366 * Right now, we shouldn't expect any page file information in the PTE
368 ASSERT(PointerPte
->u
.Soft
.PageFileHigh
== 0);
370 /* Destroy the PTE */
371 MI_WRITE_INVALID_PTE(PointerPte
, MmZeroPte
);
379 /* Release the working set */
380 MiUnlockWorkingSet(CurrentThread
, &MmSystemCacheWs
);
382 /* Flush the entire TLB */
383 KeFlushEntireTb(TRUE
, TRUE
);
391 MiDeletePte(IN PMMPTE PointerPte
,
392 IN PVOID VirtualAddress
,
393 IN PEPROCESS CurrentProcess
,
394 IN PMMPTE PrototypePte
)
398 PFN_NUMBER PageFrameIndex
;
401 /* PFN lock must be held */
402 ASSERT(KeGetCurrentIrql() == DISPATCH_LEVEL
);
404 /* Capture the PTE */
405 TempPte
= *PointerPte
;
407 /* We only support valid PTEs for now */
408 ASSERT(TempPte
.u
.Hard
.Valid
== 1);
409 if (TempPte
.u
.Hard
.Valid
== 0)
411 /* Invalid PTEs not supported yet */
412 ASSERT(TempPte
.u
.Soft
.Prototype
== 0);
413 ASSERT(TempPte
.u
.Soft
.Transition
== 0);
416 /* Get the PFN entry */
417 PageFrameIndex
= PFN_FROM_PTE(&TempPte
);
418 Pfn1
= MiGetPfnEntry(PageFrameIndex
);
420 /* Check if this is a valid, prototype PTE */
421 if (Pfn1
->u3
.e1
.PrototypePte
== 1)
423 /* Get the PDE and make sure it's faulted in */
424 PointerPde
= MiPteToPde(PointerPte
);
425 if (PointerPde
->u
.Hard
.Valid
== 0)
427 #if (_MI_PAGING_LEVELS == 2)
428 /* Could be paged pool access from a new process -- synchronize the page directories */
429 if (!NT_SUCCESS(MiCheckPdeForPagedPool(VirtualAddress
)))
432 /* The PDE must be valid at this point */
433 KeBugCheckEx(MEMORY_MANAGEMENT
,
435 (ULONG_PTR
)PointerPte
,
437 (ULONG_PTR
)VirtualAddress
);
439 #if (_MI_PAGING_LEVELS == 2)
442 /* Drop the share count */
443 MiDecrementShareCount(Pfn1
, PageFrameIndex
);
445 /* Either a fork, or this is the shared user data page */
446 if ((PointerPte
<= MiHighestUserPte
) && (PrototypePte
!= Pfn1
->PteAddress
))
448 /* If it's not the shared user page, then crash, since there's no fork() yet */
449 if ((PAGE_ALIGN(VirtualAddress
) != (PVOID
)USER_SHARED_DATA
) ||
450 (MmHighestUserAddress
<= (PVOID
)USER_SHARED_DATA
))
452 /* Must be some sort of memory corruption */
453 KeBugCheckEx(MEMORY_MANAGEMENT
,
455 (ULONG_PTR
)PointerPte
,
456 (ULONG_PTR
)PrototypePte
,
457 (ULONG_PTR
)Pfn1
->PteAddress
);
463 /* Make sure the saved PTE address is valid */
464 if ((PMMPTE
)((ULONG_PTR
)Pfn1
->PteAddress
& ~0x1) != PointerPte
)
466 /* The PFN entry is illegal, or invalid */
467 KeBugCheckEx(MEMORY_MANAGEMENT
,
469 (ULONG_PTR
)PointerPte
,
471 (ULONG_PTR
)Pfn1
->PteAddress
);
474 /* There should only be 1 shared reference count */
475 ASSERT(Pfn1
->u2
.ShareCount
== 1);
477 /* Drop the reference on the page table. */
478 MiDecrementShareCount(MiGetPfnEntry(Pfn1
->u4
.PteFrame
), Pfn1
->u4
.PteFrame
);
480 /* Mark the PFN for deletion and dereference what should be the last ref */
481 MI_SET_PFN_DELETED(Pfn1
);
482 MiDecrementShareCount(Pfn1
, PageFrameIndex
);
484 /* We should eventually do this */
485 //CurrentProcess->NumberOfPrivatePages--;
488 /* Destroy the PTE and flush the TLB */
489 MI_WRITE_INVALID_PTE(PointerPte
, MmZeroPte
);
495 MiDeleteVirtualAddresses(IN ULONG_PTR Va
,
496 IN ULONG_PTR EndingAddress
,
499 PMMPTE PointerPte
, PrototypePte
, LastPrototypePte
;
502 PEPROCESS CurrentProcess
;
504 BOOLEAN AddressGap
= FALSE
;
505 PSUBSECTION Subsection
;
507 /* Get out if this is a fake VAD, RosMm will free the marea pages */
508 if ((Vad
) && (Vad
->u
.VadFlags
.Spare
== 1)) return;
510 /* Grab the process and PTE/PDE for the address being deleted */
511 CurrentProcess
= PsGetCurrentProcess();
512 PointerPde
= MiAddressToPde(Va
);
513 PointerPte
= MiAddressToPte(Va
);
515 /* Check if this is a section VAD or a VM VAD */
516 if (!(Vad
) || (Vad
->u
.VadFlags
.PrivateMemory
) || !(Vad
->FirstPrototypePte
))
518 /* Don't worry about prototypes */
519 PrototypePte
= LastPrototypePte
= NULL
;
523 /* Get the prototype PTE */
524 PrototypePte
= Vad
->FirstPrototypePte
;
525 LastPrototypePte
= Vad
->FirstPrototypePte
+ 1;
528 /* In all cases, we don't support fork() yet */
529 ASSERT(CurrentProcess
->CloneRoot
== NULL
);
531 /* Loop the PTE for each VA */
534 /* First keep going until we find a valid PDE */
535 while (!PointerPde
->u
.Long
)
537 /* There are gaps in the address space */
540 /* Still no valid PDE, try the next 4MB (or whatever) */
543 /* Update the PTE on this new boundary */
544 PointerPte
= MiPteToAddress(PointerPde
);
546 /* Check if all the PDEs are invalid, so there's nothing to free */
547 Va
= (ULONG_PTR
)MiPteToAddress(PointerPte
);
548 if (Va
> EndingAddress
) return;
551 /* Now check if the PDE is mapped in */
552 if (!PointerPde
->u
.Hard
.Valid
)
554 /* It isn't, so map it in */
555 PointerPte
= MiPteToAddress(PointerPde
);
556 MiMakeSystemAddressValid(PointerPte
, CurrentProcess
);
559 /* Now we should have a valid PDE, mapped in, and still have some VA */
560 ASSERT(PointerPde
->u
.Hard
.Valid
== 1);
561 ASSERT(Va
<= EndingAddress
);
563 /* Check if this is a section VAD with gaps in it */
564 if ((AddressGap
) && (LastPrototypePte
))
566 /* We need to skip to the next correct prototype PTE */
567 PrototypePte
= MI_GET_PROTOTYPE_PTE_FOR_VPN(Vad
, Va
>> PAGE_SHIFT
);
569 /* And we need the subsection to skip to the next last prototype PTE */
570 Subsection
= MiLocateSubsection(Vad
, Va
>> PAGE_SHIFT
);
574 LastPrototypePte
= &Subsection
->SubsectionBase
[Subsection
->PtesInSubsection
];
578 /* No more subsections, we are done with prototype PTEs */
583 /* Lock the PFN Database while we delete the PTEs */
584 OldIrql
= KeAcquireQueuedSpinLock(LockQueuePfnLock
);
587 /* Capture the PDE and make sure it exists */
588 TempPte
= *PointerPte
;
591 MiDecrementPageTableReferences((PVOID
)Va
);
593 /* Check if the PTE is actually mapped in */
594 if (MI_IS_MAPPED_PTE(&TempPte
))
596 /* Are we dealing with section VAD? */
597 if ((LastPrototypePte
) && (PrototypePte
> LastPrototypePte
))
599 /* We need to skip to the next correct prototype PTE */
600 PrototypePte
= MI_GET_PROTOTYPE_PTE_FOR_VPN(Vad
, Va
>> PAGE_SHIFT
);
602 /* And we need the subsection to skip to the next last prototype PTE */
603 Subsection
= MiLocateSubsection(Vad
, Va
>> PAGE_SHIFT
);
607 LastPrototypePte
= &Subsection
->SubsectionBase
[Subsection
->PtesInSubsection
];
611 /* No more subsections, we are done with prototype PTEs */
616 /* Check for prototype PTE */
617 if ((TempPte
.u
.Hard
.Valid
== 0) &&
618 (TempPte
.u
.Soft
.Prototype
== 1))
621 MI_WRITE_INVALID_PTE(PointerPte
, MmZeroPte
);
625 /* Delete the PTE proper */
626 MiDeletePte(PointerPte
,
634 /* The PTE was never mapped, just nuke it here */
635 MI_WRITE_INVALID_PTE(PointerPte
, MmZeroPte
);
639 /* Update the address and PTE for it */
644 /* Making sure the PDE is still valid */
645 ASSERT(PointerPde
->u
.Hard
.Valid
== 1);
647 while ((Va
& (PDE_MAPPED_VA
- 1)) && (Va
<= EndingAddress
));
649 /* The PDE should still be valid at this point */
650 ASSERT(PointerPde
->u
.Hard
.Valid
== 1);
652 /* Check remaining PTE count (go back 1 page due to above loop) */
653 if (MiQueryPageTableReferences((PVOID
)(Va
- PAGE_SIZE
)) == 0)
655 if (PointerPde
->u
.Long
!= 0)
657 /* Delete the PTE proper */
658 MiDeletePte(PointerPde
,
659 MiPteToAddress(PointerPde
),
665 /* Release the lock and get out if we're done */
666 KeReleaseQueuedSpinLock(LockQueuePfnLock
, OldIrql
);
667 if (Va
> EndingAddress
) return;
669 /* Otherwise, we exited because we hit a new PDE boundary, so start over */
670 PointerPde
= MiAddressToPde(Va
);
676 MiGetExceptionInfo(IN PEXCEPTION_POINTERS ExceptionInfo
,
677 OUT PBOOLEAN HaveBadAddress
,
678 OUT PULONG_PTR BadAddress
)
680 PEXCEPTION_RECORD ExceptionRecord
;
686 *HaveBadAddress
= FALSE
;
689 // Get the exception record
691 ExceptionRecord
= ExceptionInfo
->ExceptionRecord
;
694 // Look at the exception code
696 if ((ExceptionRecord
->ExceptionCode
== STATUS_ACCESS_VIOLATION
) ||
697 (ExceptionRecord
->ExceptionCode
== STATUS_GUARD_PAGE_VIOLATION
) ||
698 (ExceptionRecord
->ExceptionCode
== STATUS_IN_PAGE_ERROR
))
701 // We can tell the address if we have more than one parameter
703 if (ExceptionRecord
->NumberParameters
> 1)
706 // Return the address
708 *HaveBadAddress
= TRUE
;
709 *BadAddress
= ExceptionRecord
->ExceptionInformation
[1];
714 // Continue executing the next handler
716 return EXCEPTION_EXECUTE_HANDLER
;
721 MiDoMappedCopy(IN PEPROCESS SourceProcess
,
722 IN PVOID SourceAddress
,
723 IN PEPROCESS TargetProcess
,
724 OUT PVOID TargetAddress
,
725 IN SIZE_T BufferSize
,
726 IN KPROCESSOR_MODE PreviousMode
,
727 OUT PSIZE_T ReturnSize
)
729 PFN_NUMBER MdlBuffer
[(sizeof(MDL
) / sizeof(PFN_NUMBER
)) + MI_MAPPED_COPY_PAGES
+ 1];
730 PMDL Mdl
= (PMDL
)MdlBuffer
;
731 SIZE_T TotalSize
, CurrentSize
, RemainingSize
;
732 volatile BOOLEAN FailedInProbe
= FALSE
, FailedInMapping
= FALSE
, FailedInMoving
;
733 volatile BOOLEAN PagesLocked
;
734 PVOID CurrentAddress
= SourceAddress
, CurrentTargetAddress
= TargetAddress
;
735 volatile PVOID MdlAddress
;
737 BOOLEAN HaveBadAddress
;
738 ULONG_PTR BadAddress
;
739 NTSTATUS Status
= STATUS_SUCCESS
;
743 // Calculate the maximum amount of data to move
745 TotalSize
= MI_MAPPED_COPY_PAGES
* PAGE_SIZE
;
746 if (BufferSize
<= TotalSize
) TotalSize
= BufferSize
;
747 CurrentSize
= TotalSize
;
748 RemainingSize
= BufferSize
;
751 // Loop as long as there is still data
753 while (RemainingSize
> 0)
756 // Check if this transfer will finish everything off
758 if (RemainingSize
< CurrentSize
) CurrentSize
= RemainingSize
;
761 // Attach to the source address space
763 KeStackAttachProcess(&SourceProcess
->Pcb
, &ApcState
);
766 // Reset state for this pass
770 FailedInMoving
= FALSE
;
771 ASSERT(FailedInProbe
== FALSE
);
774 // Protect user-mode copy
779 // If this is our first time, probe the buffer
781 if ((CurrentAddress
== SourceAddress
) && (PreviousMode
!= KernelMode
))
784 // Catch a failure here
786 FailedInProbe
= TRUE
;
791 ProbeForRead(SourceAddress
, BufferSize
, sizeof(CHAR
));
796 FailedInProbe
= FALSE
;
800 // Initialize and probe and lock the MDL
802 MmInitializeMdl(Mdl
, CurrentAddress
, CurrentSize
);
803 MmProbeAndLockPages(Mdl
, PreviousMode
, IoReadAccess
);
809 MdlAddress
= MmMapLockedPagesSpecifyCache(Mdl
,
818 // Use our SEH handler to pick this up
820 FailedInMapping
= TRUE
;
821 ExRaiseStatus(STATUS_INSUFFICIENT_RESOURCES
);
825 // Now let go of the source and grab to the target process
827 KeUnstackDetachProcess(&ApcState
);
828 KeStackAttachProcess(&TargetProcess
->Pcb
, &ApcState
);
831 // Check if this is our first time through
833 if ((CurrentAddress
== SourceAddress
) && (PreviousMode
!= KernelMode
))
836 // Catch a failure here
838 FailedInProbe
= TRUE
;
843 ProbeForWrite(TargetAddress
, BufferSize
, sizeof(CHAR
));
848 FailedInProbe
= FALSE
;
852 // Now do the actual move
854 FailedInMoving
= TRUE
;
855 RtlCopyMemory(CurrentTargetAddress
, MdlAddress
, CurrentSize
);
857 _SEH2_EXCEPT(MiGetExceptionInfo(_SEH2_GetExceptionInformation(),
862 // Detach from whoever we may be attached to
864 KeUnstackDetachProcess(&ApcState
);
867 // Check if we had mapped the pages
869 if (MdlAddress
) MmUnmapLockedPages(MdlAddress
, Mdl
);
872 // Check if we had locked the pages
874 if (PagesLocked
) MmUnlockPages(Mdl
);
877 // Check if we hit working set quota
879 if (_SEH2_GetExceptionCode() == STATUS_WORKING_SET_QUOTA
)
884 _SEH2_YIELD(return STATUS_WORKING_SET_QUOTA
);
888 // Check if we failed during the probe or mapping
890 if ((FailedInProbe
) || (FailedInMapping
))
895 Status
= _SEH2_GetExceptionCode();
896 _SEH2_YIELD(return Status
);
900 // Otherwise, we failed probably during the move
902 *ReturnSize
= BufferSize
- RemainingSize
;
906 // Check if we know exactly where we stopped copying
911 // Return the exact number of bytes copied
913 *ReturnSize
= BadAddress
- (ULONG_PTR
)SourceAddress
;
918 // Return partial copy
920 Status
= STATUS_PARTIAL_COPY
;
925 // Check for SEH status
927 if (Status
!= STATUS_SUCCESS
) return Status
;
930 // Detach from target
932 KeUnstackDetachProcess(&ApcState
);
937 MmUnmapLockedPages(MdlAddress
, Mdl
);
941 // Update location and size
943 RemainingSize
-= CurrentSize
;
944 CurrentAddress
= (PVOID
)((ULONG_PTR
)CurrentAddress
+ CurrentSize
);
945 CurrentTargetAddress
= (PVOID
)((ULONG_PTR
)CurrentTargetAddress
+ CurrentSize
);
951 *ReturnSize
= BufferSize
;
952 return STATUS_SUCCESS
;
957 MiDoPoolCopy(IN PEPROCESS SourceProcess
,
958 IN PVOID SourceAddress
,
959 IN PEPROCESS TargetProcess
,
960 OUT PVOID TargetAddress
,
961 IN SIZE_T BufferSize
,
962 IN KPROCESSOR_MODE PreviousMode
,
963 OUT PSIZE_T ReturnSize
)
965 UCHAR StackBuffer
[MI_POOL_COPY_BYTES
];
966 SIZE_T TotalSize
, CurrentSize
, RemainingSize
;
967 volatile BOOLEAN FailedInProbe
= FALSE
, FailedInMoving
, HavePoolAddress
= FALSE
;
968 PVOID CurrentAddress
= SourceAddress
, CurrentTargetAddress
= TargetAddress
;
971 BOOLEAN HaveBadAddress
;
972 ULONG_PTR BadAddress
;
973 NTSTATUS Status
= STATUS_SUCCESS
;
977 // Calculate the maximum amount of data to move
979 TotalSize
= MI_MAX_TRANSFER_SIZE
;
980 if (BufferSize
<= MI_MAX_TRANSFER_SIZE
) TotalSize
= BufferSize
;
981 CurrentSize
= TotalSize
;
982 RemainingSize
= BufferSize
;
985 // Check if we can use the stack
987 if (BufferSize
<= MI_POOL_COPY_BYTES
)
992 PoolAddress
= (PVOID
)StackBuffer
;
999 PoolAddress
= ExAllocatePoolWithTag(NonPagedPool
, TotalSize
, 'VmRw');
1000 if (!PoolAddress
) ASSERT(FALSE
);
1001 HavePoolAddress
= TRUE
;
1005 // Loop as long as there is still data
1007 while (RemainingSize
> 0)
1010 // Check if this transfer will finish everything off
1012 if (RemainingSize
< CurrentSize
) CurrentSize
= RemainingSize
;
1015 // Attach to the source address space
1017 KeStackAttachProcess(&SourceProcess
->Pcb
, &ApcState
);
1020 // Reset state for this pass
1022 FailedInMoving
= FALSE
;
1023 ASSERT(FailedInProbe
== FALSE
);
1026 // Protect user-mode copy
1031 // If this is our first time, probe the buffer
1033 if ((CurrentAddress
== SourceAddress
) && (PreviousMode
!= KernelMode
))
1036 // Catch a failure here
1038 FailedInProbe
= TRUE
;
1043 ProbeForRead(SourceAddress
, BufferSize
, sizeof(CHAR
));
1048 FailedInProbe
= FALSE
;
1054 RtlCopyMemory(PoolAddress
, CurrentAddress
, CurrentSize
);
1057 // Now let go of the source and grab to the target process
1059 KeUnstackDetachProcess(&ApcState
);
1060 KeStackAttachProcess(&TargetProcess
->Pcb
, &ApcState
);
1063 // Check if this is our first time through
1065 if ((CurrentAddress
== SourceAddress
) && (PreviousMode
!= KernelMode
))
1068 // Catch a failure here
1070 FailedInProbe
= TRUE
;
1075 ProbeForWrite(TargetAddress
, BufferSize
, sizeof(CHAR
));
1080 FailedInProbe
= FALSE
;
1084 // Now do the actual move
1086 FailedInMoving
= TRUE
;
1087 RtlCopyMemory(CurrentTargetAddress
, PoolAddress
, CurrentSize
);
1089 _SEH2_EXCEPT(MiGetExceptionInfo(_SEH2_GetExceptionInformation(),
1094 // Detach from whoever we may be attached to
1096 KeUnstackDetachProcess(&ApcState
);
1099 // Check if we had allocated pool
1101 if (HavePoolAddress
) ExFreePoolWithTag(PoolAddress
, 'VmRw');
1104 // Check if we failed during the probe
1111 Status
= _SEH2_GetExceptionCode();
1112 _SEH2_YIELD(return Status
);
1116 // Otherwise, we failed, probably during the move
1118 *ReturnSize
= BufferSize
- RemainingSize
;
1122 // Check if we know exactly where we stopped copying
1127 // Return the exact number of bytes copied
1129 *ReturnSize
= BadAddress
- (ULONG_PTR
)SourceAddress
;
1134 // Return partial copy
1136 Status
= STATUS_PARTIAL_COPY
;
1141 // Check for SEH status
1143 if (Status
!= STATUS_SUCCESS
) return Status
;
1146 // Detach from target
1148 KeUnstackDetachProcess(&ApcState
);
1151 // Update location and size
1153 RemainingSize
-= CurrentSize
;
1154 CurrentAddress
= (PVOID
)((ULONG_PTR
)CurrentAddress
+ CurrentSize
);
1155 CurrentTargetAddress
= (PVOID
)((ULONG_PTR
)CurrentTargetAddress
+
1160 // Check if we had allocated pool
1162 if (HavePoolAddress
) ExFreePoolWithTag(PoolAddress
, 'VmRw');
1167 *ReturnSize
= BufferSize
;
1168 return STATUS_SUCCESS
;
1173 MmCopyVirtualMemory(IN PEPROCESS SourceProcess
,
1174 IN PVOID SourceAddress
,
1175 IN PEPROCESS TargetProcess
,
1176 OUT PVOID TargetAddress
,
1177 IN SIZE_T BufferSize
,
1178 IN KPROCESSOR_MODE PreviousMode
,
1179 OUT PSIZE_T ReturnSize
)
1182 PEPROCESS Process
= SourceProcess
;
1185 // Don't accept zero-sized buffers
1187 if (!BufferSize
) return STATUS_SUCCESS
;
1190 // If we are copying from ourselves, lock the target instead
1192 if (SourceProcess
== PsGetCurrentProcess()) Process
= TargetProcess
;
1195 // Acquire rundown protection
1197 if (!ExAcquireRundownProtection(&Process
->RundownProtect
))
1202 return STATUS_PROCESS_IS_TERMINATING
;
1206 // See if we should use the pool copy
1208 if (BufferSize
> MI_POOL_COPY_BYTES
)
1213 Status
= MiDoMappedCopy(SourceProcess
,
1226 Status
= MiDoPoolCopy(SourceProcess
,
1238 ExReleaseRundownProtection(&Process
->RundownProtect
);
1244 MmFlushVirtualMemory(IN PEPROCESS Process
,
1245 IN OUT PVOID
*BaseAddress
,
1246 IN OUT PSIZE_T RegionSize
,
1247 OUT PIO_STATUS_BLOCK IoStatusBlock
)
1255 return STATUS_SUCCESS
;
1260 MiGetPageProtection(IN PMMPTE PointerPte
)
1266 /* Copy this PTE's contents */
1267 TempPte
= *PointerPte
;
1269 /* Assure it's not totally zero */
1270 ASSERT(TempPte
.u
.Long
);
1272 /* Check for a special prototype format */
1273 if (TempPte
.u
.Soft
.Valid
== 0 &&
1274 TempPte
.u
.Soft
.Prototype
== 1)
1276 /* Unsupported now */
1281 /* In the easy case of transition or demand zero PTE just return its protection */
1282 if (!TempPte
.u
.Hard
.Valid
) return MmProtectToValue
[TempPte
.u
.Soft
.Protection
];
1284 /* If we get here, the PTE is valid, so look up the page in PFN database */
1285 Pfn
= MiGetPfnEntry(TempPte
.u
.Hard
.PageFrameNumber
);
1286 if (!Pfn
->u3
.e1
.PrototypePte
)
1288 /* Return protection of the original pte */
1289 ASSERT(Pfn
->u4
.AweAllocation
== 0);
1290 return MmProtectToValue
[Pfn
->OriginalPte
.u
.Soft
.Protection
];
1293 /* This is software PTE */
1294 DPRINT1("Prototype PTE: %lx %p\n", TempPte
.u
.Hard
.PageFrameNumber
, Pfn
);
1295 DPRINT1("VA: %p\n", MiPteToAddress(&TempPte
));
1296 DPRINT1("Mask: %lx\n", TempPte
.u
.Soft
.Protection
);
1297 DPRINT1("Mask2: %lx\n", Pfn
->OriginalPte
.u
.Soft
.Protection
);
1298 return MmProtectToValue
[TempPte
.u
.Soft
.Protection
];
1303 MiQueryAddressState(IN PVOID Va
,
1305 IN PEPROCESS TargetProcess
,
1306 OUT PULONG ReturnedProtect
,
1310 PMMPTE PointerPte
, ProtoPte
;
1312 MMPTE TempPte
, TempProtoPte
;
1313 BOOLEAN DemandZeroPte
= TRUE
, ValidPte
= FALSE
;
1314 ULONG State
= MEM_RESERVE
, Protect
= 0;
1315 ASSERT((Vad
->StartingVpn
<= ((ULONG_PTR
)Va
>> PAGE_SHIFT
)) &&
1316 (Vad
->EndingVpn
>= ((ULONG_PTR
)Va
>> PAGE_SHIFT
)));
1318 /* Only normal VADs supported */
1319 ASSERT(Vad
->u
.VadFlags
.VadType
== VadNone
);
1321 /* Get the PDE and PTE for the address */
1322 PointerPde
= MiAddressToPde(Va
);
1323 PointerPte
= MiAddressToPte(Va
);
1325 /* Return the next range */
1326 *NextVa
= (PVOID
)((ULONG_PTR
)Va
+ PAGE_SIZE
);
1328 /* Is the PDE demand-zero? */
1329 if (PointerPde
->u
.Long
!= 0)
1331 /* It is not. Is it valid? */
1332 if (PointerPde
->u
.Hard
.Valid
== 0)
1334 /* Is isn't, fault it in */
1335 PointerPte
= MiPteToAddress(PointerPde
);
1336 MiMakeSystemAddressValid(PointerPte
, TargetProcess
);
1342 /* It is, skip it and move to the next PDE */
1343 *NextVa
= MiPdeToAddress(PointerPde
+ 1);
1346 /* Is it safe to try reading the PTE? */
1349 /* FIXME: watch out for large pages */
1350 ASSERT(PointerPde
->u
.Hard
.LargePage
== FALSE
);
1352 /* Capture the PTE */
1353 TempPte
= *PointerPte
;
1354 if (TempPte
.u
.Long
!= 0)
1356 /* The PTE is valid, so it's not zeroed out */
1357 DemandZeroPte
= FALSE
;
1359 /* Is it a decommited, invalid, or faulted PTE? */
1360 if ((TempPte
.u
.Soft
.Protection
== MM_DECOMMIT
) &&
1361 (TempPte
.u
.Hard
.Valid
== 0) &&
1362 ((TempPte
.u
.Soft
.Prototype
== 0) ||
1363 (TempPte
.u
.Soft
.PageFileHigh
== MI_PTE_LOOKUP_NEEDED
)))
1365 /* Otherwise our defaults should hold */
1366 ASSERT(Protect
== 0);
1367 ASSERT(State
== MEM_RESERVE
);
1371 /* This means it's committed */
1374 /* We don't support these */
1375 ASSERT(Vad
->u
.VadFlags
.VadType
!= VadDevicePhysicalMemory
);
1376 ASSERT(Vad
->u
.VadFlags
.VadType
!= VadRotatePhysical
);
1377 ASSERT(Vad
->u
.VadFlags
.VadType
!= VadAwe
);
1379 /* Get protection state of this page */
1380 Protect
= MiGetPageProtection(PointerPte
);
1382 /* Check if this is an image-backed VAD */
1383 if ((TempPte
.u
.Soft
.Valid
== 0) &&
1384 (TempPte
.u
.Soft
.Prototype
== 1) &&
1385 (Vad
->u
.VadFlags
.PrivateMemory
== 0) &&
1388 DPRINT1("Not supported\n");
1395 /* Check if this was a demand-zero PTE, since we need to find the state */
1398 /* Not yet handled */
1399 ASSERT(Vad
->u
.VadFlags
.VadType
!= VadDevicePhysicalMemory
);
1400 ASSERT(Vad
->u
.VadFlags
.VadType
!= VadAwe
);
1402 /* Check if this is private commited memory, or an section-backed VAD */
1403 if ((Vad
->u
.VadFlags
.PrivateMemory
== 0) && (Vad
->ControlArea
))
1405 /* Tell caller about the next range */
1406 *NextVa
= (PVOID
)((ULONG_PTR
)Va
+ PAGE_SIZE
);
1408 /* Get the prototype PTE for this VAD */
1409 ProtoPte
= MI_GET_PROTOTYPE_PTE_FOR_VPN(Vad
,
1410 (ULONG_PTR
)Va
>> PAGE_SHIFT
);
1413 /* We should unlock the working set, but it's not being held! */
1415 /* Is the prototype PTE actually valid (committed)? */
1416 TempProtoPte
= *ProtoPte
;
1417 if (TempProtoPte
.u
.Long
)
1419 /* Unless this is a memory-mapped file, handle it like private VAD */
1421 ASSERT(Vad
->u
.VadFlags
.VadType
!= VadImageMap
);
1422 Protect
= MmProtectToValue
[Vad
->u
.VadFlags
.Protection
];
1425 /* We should re-lock the working set */
1428 else if (Vad
->u
.VadFlags
.MemCommit
)
1430 /* This is committed memory */
1433 /* Convert the protection */
1434 Protect
= MmProtectToValue
[Vad
->u
.VadFlags
.Protection
];
1438 /* Return the protection code */
1439 *ReturnedProtect
= Protect
;
1445 MiQueryMemoryBasicInformation(IN HANDLE ProcessHandle
,
1446 IN PVOID BaseAddress
,
1447 OUT PVOID MemoryInformation
,
1448 IN SIZE_T MemoryInformationLength
,
1449 OUT PSIZE_T ReturnLength
)
1451 PEPROCESS TargetProcess
;
1452 NTSTATUS Status
= STATUS_SUCCESS
;
1454 PVOID Address
, NextAddress
;
1455 BOOLEAN Found
= FALSE
;
1456 ULONG NewProtect
, NewState
;
1458 MEMORY_BASIC_INFORMATION MemoryInfo
;
1459 KAPC_STATE ApcState
;
1460 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
1461 PMEMORY_AREA MemoryArea
;
1462 SIZE_T ResultLength
;
1464 /* Check for illegal addresses in user-space, or the shared memory area */
1465 if ((BaseAddress
> MM_HIGHEST_VAD_ADDRESS
) ||
1466 (PAGE_ALIGN(BaseAddress
) == (PVOID
)MM_SHARED_USER_DATA_VA
))
1468 Address
= PAGE_ALIGN(BaseAddress
);
1470 /* Make up an info structure describing this range */
1471 MemoryInfo
.BaseAddress
= Address
;
1472 MemoryInfo
.AllocationProtect
= PAGE_READONLY
;
1473 MemoryInfo
.Type
= MEM_PRIVATE
;
1475 /* Special case for shared data */
1476 if (Address
== (PVOID
)MM_SHARED_USER_DATA_VA
)
1478 MemoryInfo
.AllocationBase
= (PVOID
)MM_SHARED_USER_DATA_VA
;
1479 MemoryInfo
.State
= MEM_COMMIT
;
1480 MemoryInfo
.Protect
= PAGE_READONLY
;
1481 MemoryInfo
.RegionSize
= PAGE_SIZE
;
1485 MemoryInfo
.AllocationBase
= (PCHAR
)MM_HIGHEST_VAD_ADDRESS
+ 1;
1486 MemoryInfo
.State
= MEM_RESERVE
;
1487 MemoryInfo
.Protect
= PAGE_NOACCESS
;
1488 MemoryInfo
.RegionSize
= (ULONG_PTR
)MM_HIGHEST_USER_ADDRESS
+ 1 - (ULONG_PTR
)Address
;
1491 /* Return the data, NtQueryInformation already probed it*/
1492 if (PreviousMode
!= KernelMode
)
1496 *(PMEMORY_BASIC_INFORMATION
)MemoryInformation
= MemoryInfo
;
1497 if (ReturnLength
) *ReturnLength
= sizeof(MEMORY_BASIC_INFORMATION
);
1499 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
1501 Status
= _SEH2_GetExceptionCode();
1507 *(PMEMORY_BASIC_INFORMATION
)MemoryInformation
= MemoryInfo
;
1508 if (ReturnLength
) *ReturnLength
= sizeof(MEMORY_BASIC_INFORMATION
);
1514 /* Check if this is for a local or remote process */
1515 if (ProcessHandle
== NtCurrentProcess())
1517 TargetProcess
= PsGetCurrentProcess();
1521 /* Reference the target process */
1522 Status
= ObReferenceObjectByHandle(ProcessHandle
,
1523 PROCESS_QUERY_INFORMATION
,
1525 ExGetPreviousMode(),
1526 (PVOID
*)&TargetProcess
,
1528 if (!NT_SUCCESS(Status
)) return Status
;
1530 /* Attach to it now */
1531 KeStackAttachProcess(&TargetProcess
->Pcb
, &ApcState
);
1534 /* Lock the address space and make sure the process isn't already dead */
1535 MmLockAddressSpace(&TargetProcess
->Vm
);
1536 if (TargetProcess
->VmDeleted
)
1538 /* Unlock the address space of the process */
1539 MmUnlockAddressSpace(&TargetProcess
->Vm
);
1541 /* Check if we were attached */
1542 if (ProcessHandle
!= NtCurrentProcess())
1544 /* Detach and dereference the process */
1545 KeUnstackDetachProcess(&ApcState
);
1546 ObDereferenceObject(TargetProcess
);
1550 DPRINT1("Process is dying\n");
1551 return STATUS_PROCESS_IS_TERMINATING
;
1555 ASSERT(TargetProcess
->VadRoot
.NumberGenericTableElements
);
1556 if (TargetProcess
->VadRoot
.NumberGenericTableElements
)
1558 /* Scan on the right */
1559 Vad
= (PMMVAD
)TargetProcess
->VadRoot
.BalancedRoot
.RightChild
;
1560 BaseVpn
= (ULONG_PTR
)BaseAddress
>> PAGE_SHIFT
;
1563 /* Check if this VAD covers the allocation range */
1564 if ((BaseVpn
>= Vad
->StartingVpn
) &&
1565 (BaseVpn
<= Vad
->EndingVpn
))
1572 /* Check if this VAD is too high */
1573 if (BaseVpn
< Vad
->StartingVpn
)
1575 /* Stop if there is no left child */
1576 if (!Vad
->LeftChild
) break;
1578 /* Search on the left next */
1579 Vad
= Vad
->LeftChild
;
1583 /* Then this VAD is too low, keep searching on the right */
1584 ASSERT(BaseVpn
> Vad
->EndingVpn
);
1586 /* Stop if there is no right child */
1587 if (!Vad
->RightChild
) break;
1589 /* Search on the right next */
1590 Vad
= Vad
->RightChild
;
1595 /* Was a VAD found? */
1598 Address
= PAGE_ALIGN(BaseAddress
);
1600 /* Calculate region size */
1603 if (Vad
->StartingVpn
>= BaseVpn
)
1605 /* Region size is the free space till the start of that VAD */
1606 MemoryInfo
.RegionSize
= (ULONG_PTR
)(Vad
->StartingVpn
<< PAGE_SHIFT
) - (ULONG_PTR
)Address
;
1610 /* Get the next VAD */
1611 Vad
= (PMMVAD
)MiGetNextNode((PMMADDRESS_NODE
)Vad
);
1614 /* Region size is the free space till the start of that VAD */
1615 MemoryInfo
.RegionSize
= (ULONG_PTR
)(Vad
->StartingVpn
<< PAGE_SHIFT
) - (ULONG_PTR
)Address
;
1619 /* Maximum possible region size with that base address */
1620 MemoryInfo
.RegionSize
= (PCHAR
)MM_HIGHEST_VAD_ADDRESS
+ 1 - (PCHAR
)Address
;
1626 /* Maximum possible region size with that base address */
1627 MemoryInfo
.RegionSize
= (PCHAR
)MM_HIGHEST_VAD_ADDRESS
+ 1 - (PCHAR
)Address
;
1630 /* Unlock the address space of the process */
1631 MmUnlockAddressSpace(&TargetProcess
->Vm
);
1633 /* Check if we were attached */
1634 if (ProcessHandle
!= NtCurrentProcess())
1636 /* Detach and derefernece the process */
1637 KeUnstackDetachProcess(&ApcState
);
1638 ObDereferenceObject(TargetProcess
);
1641 /* Build the rest of the initial information block */
1642 MemoryInfo
.BaseAddress
= Address
;
1643 MemoryInfo
.AllocationBase
= NULL
;
1644 MemoryInfo
.AllocationProtect
= 0;
1645 MemoryInfo
.State
= MEM_FREE
;
1646 MemoryInfo
.Protect
= PAGE_NOACCESS
;
1647 MemoryInfo
.Type
= 0;
1649 /* Return the data, NtQueryInformation already probed it*/
1650 if (PreviousMode
!= KernelMode
)
1654 *(PMEMORY_BASIC_INFORMATION
)MemoryInformation
= MemoryInfo
;
1655 if (ReturnLength
) *ReturnLength
= sizeof(MEMORY_BASIC_INFORMATION
);
1657 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
1659 Status
= _SEH2_GetExceptionCode();
1665 *(PMEMORY_BASIC_INFORMATION
)MemoryInformation
= MemoryInfo
;
1666 if (ReturnLength
) *ReturnLength
= sizeof(MEMORY_BASIC_INFORMATION
);
1672 /* Set the correct memory type based on what kind of VAD this is */
1673 if ((Vad
->u
.VadFlags
.PrivateMemory
) ||
1674 (Vad
->u
.VadFlags
.VadType
== VadRotatePhysical
))
1676 MemoryInfo
.Type
= MEM_PRIVATE
;
1678 else if (Vad
->u
.VadFlags
.VadType
== VadImageMap
)
1680 MemoryInfo
.Type
= MEM_IMAGE
;
1684 MemoryInfo
.Type
= MEM_MAPPED
;
1687 /* Find the memory area the specified address belongs to */
1688 MemoryArea
= MmLocateMemoryAreaByAddress(&TargetProcess
->Vm
, BaseAddress
);
1689 ASSERT(MemoryArea
!= NULL
);
1691 /* Determine information dependent on the memory area type */
1692 if (MemoryArea
->Type
== MEMORY_AREA_SECTION_VIEW
)
1694 Status
= MmQuerySectionView(MemoryArea
, BaseAddress
, &MemoryInfo
, &ResultLength
);
1695 ASSERT(NT_SUCCESS(Status
));
1699 /* Build the initial information block */
1700 Address
= PAGE_ALIGN(BaseAddress
);
1701 MemoryInfo
.BaseAddress
= Address
;
1702 MemoryInfo
.AllocationBase
= (PVOID
)(Vad
->StartingVpn
<< PAGE_SHIFT
);
1703 MemoryInfo
.AllocationProtect
= MmProtectToValue
[Vad
->u
.VadFlags
.Protection
];
1704 MemoryInfo
.Type
= MEM_PRIVATE
;
1706 /* Find the largest chunk of memory which has the same state and protection mask */
1707 MemoryInfo
.State
= MiQueryAddressState(Address
,
1710 &MemoryInfo
.Protect
,
1712 Address
= NextAddress
;
1713 while (((ULONG_PTR
)Address
>> PAGE_SHIFT
) <= Vad
->EndingVpn
)
1715 /* Keep going unless the state or protection mask changed */
1716 NewState
= MiQueryAddressState(Address
, Vad
, TargetProcess
, &NewProtect
, &NextAddress
);
1717 if ((NewState
!= MemoryInfo
.State
) || (NewProtect
!= MemoryInfo
.Protect
)) break;
1718 Address
= NextAddress
;
1721 /* Now that we know the last VA address, calculate the region size */
1722 MemoryInfo
.RegionSize
= ((ULONG_PTR
)Address
- (ULONG_PTR
)MemoryInfo
.BaseAddress
);
1725 /* Unlock the address space of the process */
1726 MmUnlockAddressSpace(&TargetProcess
->Vm
);
1728 /* Check if we were attached */
1729 if (ProcessHandle
!= NtCurrentProcess())
1731 /* Detach and derefernece the process */
1732 KeUnstackDetachProcess(&ApcState
);
1733 ObDereferenceObject(TargetProcess
);
1736 /* Return the data, NtQueryInformation already probed it*/
1737 if (PreviousMode
!= KernelMode
)
1741 *(PMEMORY_BASIC_INFORMATION
)MemoryInformation
= MemoryInfo
;
1742 if (ReturnLength
) *ReturnLength
= sizeof(MEMORY_BASIC_INFORMATION
);
1744 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
1746 Status
= _SEH2_GetExceptionCode();
1752 *(PMEMORY_BASIC_INFORMATION
)MemoryInformation
= MemoryInfo
;
1753 if (ReturnLength
) *ReturnLength
= sizeof(MEMORY_BASIC_INFORMATION
);
1757 DPRINT("Base: %p AllocBase: %p AllocProtect: %lx Protect: %lx "
1758 "State: %lx Type: %lx Size: %lx\n",
1759 MemoryInfo
.BaseAddress
, MemoryInfo
.AllocationBase
,
1760 MemoryInfo
.AllocationProtect
, MemoryInfo
.Protect
,
1761 MemoryInfo
.State
, MemoryInfo
.Type
, MemoryInfo
.RegionSize
);
1768 MiIsEntireRangeCommitted(IN ULONG_PTR StartingAddress
,
1769 IN ULONG_PTR EndingAddress
,
1771 IN PEPROCESS Process
)
1773 PMMPTE PointerPte
, LastPte
, PointerPde
;
1774 BOOLEAN OnBoundary
= TRUE
;
1777 /* Get the PDE and PTE addresses */
1778 PointerPde
= MiAddressToPde(StartingAddress
);
1779 PointerPte
= MiAddressToPte(StartingAddress
);
1780 LastPte
= MiAddressToPte(EndingAddress
);
1782 /* Loop all the PTEs */
1783 while (PointerPte
<= LastPte
)
1785 /* Check if we've hit an new PDE boundary */
1788 /* Is this PDE demand zero? */
1789 PointerPde
= MiAddressToPte(PointerPte
);
1790 if (PointerPde
->u
.Long
!= 0)
1792 /* It isn't -- is it valid? */
1793 if (PointerPde
->u
.Hard
.Valid
== 0)
1795 /* Nope, fault it in */
1796 PointerPte
= MiPteToAddress(PointerPde
);
1797 MiMakeSystemAddressValid(PointerPte
, Process
);
1802 /* The PTE was already valid, so move to the next one */
1804 PointerPte
= MiPteToAddress(PointerPde
);
1806 /* Is the entire VAD committed? If not, fail */
1807 if (!Vad
->u
.VadFlags
.MemCommit
) return FALSE
;
1809 /* Everything is committed so far past the range, return true */
1810 if (PointerPte
> LastPte
) return TRUE
;
1814 /* Is the PTE demand zero? */
1815 if (PointerPte
->u
.Long
== 0)
1817 /* Is the entire VAD committed? If not, fail */
1818 if (!Vad
->u
.VadFlags
.MemCommit
) return FALSE
;
1822 /* It isn't -- is it a decommited, invalid, or faulted PTE? */
1823 if ((PointerPte
->u
.Soft
.Protection
== MM_DECOMMIT
) &&
1824 (PointerPte
->u
.Hard
.Valid
== 0) &&
1825 ((PointerPte
->u
.Soft
.Prototype
== 0) ||
1826 (PointerPte
->u
.Soft
.PageFileHigh
== MI_PTE_LOOKUP_NEEDED
)))
1828 /* Then part of the range is decommitted, so fail */
1833 /* Move to the next PTE */
1835 OnBoundary
= MiIsPteOnPdeBoundary(PointerPte
);
1838 /* All PTEs seem valid, and no VAD checks failed, the range is okay */
1844 MiRosProtectVirtualMemory(IN PEPROCESS Process
,
1845 IN OUT PVOID
*BaseAddress
,
1846 IN OUT PSIZE_T NumberOfBytesToProtect
,
1847 IN ULONG NewAccessProtection
,
1848 OUT PULONG OldAccessProtection OPTIONAL
)
1850 PMEMORY_AREA MemoryArea
;
1851 PMMSUPPORT AddressSpace
;
1852 ULONG OldAccessProtection_
;
1855 *NumberOfBytesToProtect
= PAGE_ROUND_UP((ULONG_PTR
)(*BaseAddress
) + (*NumberOfBytesToProtect
)) - PAGE_ROUND_DOWN(*BaseAddress
);
1856 *BaseAddress
= (PVOID
)PAGE_ROUND_DOWN(*BaseAddress
);
1858 AddressSpace
= &Process
->Vm
;
1859 MmLockAddressSpace(AddressSpace
);
1860 MemoryArea
= MmLocateMemoryAreaByAddress(AddressSpace
, *BaseAddress
);
1861 if (MemoryArea
== NULL
|| MemoryArea
->DeleteInProgress
)
1863 MmUnlockAddressSpace(AddressSpace
);
1864 return STATUS_UNSUCCESSFUL
;
1867 if (OldAccessProtection
== NULL
) OldAccessProtection
= &OldAccessProtection_
;
1869 ASSERT(MemoryArea
->Type
== MEMORY_AREA_SECTION_VIEW
);
1870 Status
= MmProtectSectionView(AddressSpace
,
1873 *NumberOfBytesToProtect
,
1874 NewAccessProtection
,
1875 OldAccessProtection
);
1877 MmUnlockAddressSpace(AddressSpace
);
1884 MiProtectVirtualMemory(IN PEPROCESS Process
,
1885 IN OUT PVOID
*BaseAddress
,
1886 IN OUT PSIZE_T NumberOfBytesToProtect
,
1887 IN ULONG NewAccessProtection
,
1888 OUT PULONG OldAccessProtection OPTIONAL
)
1890 PMEMORY_AREA MemoryArea
;
1892 PMMSUPPORT AddressSpace
;
1893 ULONG_PTR StartingAddress
, EndingAddress
;
1894 PMMPTE PointerPde
, PointerPte
, LastPte
;
1897 ULONG ProtectionMask
, OldProtect
;
1899 NTSTATUS Status
= STATUS_SUCCESS
;
1900 PETHREAD Thread
= PsGetCurrentThread();
1902 /* Calculate base address for the VAD */
1903 StartingAddress
= (ULONG_PTR
)PAGE_ALIGN((*BaseAddress
));
1904 EndingAddress
= (((ULONG_PTR
)*BaseAddress
+ *NumberOfBytesToProtect
- 1) | (PAGE_SIZE
- 1));
1906 /* Calculate the protection mask and make sure it's valid */
1907 ProtectionMask
= MiMakeProtectionMask(NewAccessProtection
);
1908 if (ProtectionMask
== MM_INVALID_PROTECTION
)
1910 DPRINT1("Invalid protection mask\n");
1911 return STATUS_INVALID_PAGE_PROTECTION
;
1914 /* Check for ROS specific memory area */
1915 MemoryArea
= MmLocateMemoryAreaByAddress(&Process
->Vm
, *BaseAddress
);
1916 if ((MemoryArea
) && (MemoryArea
->Type
== MEMORY_AREA_SECTION_VIEW
))
1919 return MiRosProtectVirtualMemory(Process
,
1921 NumberOfBytesToProtect
,
1922 NewAccessProtection
,
1923 OldAccessProtection
);
1926 /* Lock the address space and make sure the process isn't already dead */
1927 AddressSpace
= MmGetCurrentAddressSpace();
1928 MmLockAddressSpace(AddressSpace
);
1929 if (Process
->VmDeleted
)
1931 DPRINT1("Process is dying\n");
1932 Status
= STATUS_PROCESS_IS_TERMINATING
;
1936 /* Get the VAD for this address range, and make sure it exists */
1937 Vad
= (PMMVAD
)MiCheckForConflictingNode(StartingAddress
>> PAGE_SHIFT
,
1938 EndingAddress
>> PAGE_SHIFT
,
1942 DPRINT("Could not find a VAD for this allocation\n");
1943 Status
= STATUS_CONFLICTING_ADDRESSES
;
1947 /* Make sure the address is within this VAD's boundaries */
1948 if ((((ULONG_PTR
)StartingAddress
>> PAGE_SHIFT
) < Vad
->StartingVpn
) ||
1949 (((ULONG_PTR
)EndingAddress
>> PAGE_SHIFT
) > Vad
->EndingVpn
))
1951 Status
= STATUS_CONFLICTING_ADDRESSES
;
1955 /* These kinds of VADs are not supported atm */
1956 if ((Vad
->u
.VadFlags
.VadType
== VadAwe
) ||
1957 (Vad
->u
.VadFlags
.VadType
== VadDevicePhysicalMemory
) ||
1958 (Vad
->u
.VadFlags
.VadType
== VadLargePages
))
1960 DPRINT1("Illegal VAD for attempting to set protection\n");
1961 Status
= STATUS_CONFLICTING_ADDRESSES
;
1965 /* Check for a VAD whose protection can't be changed */
1966 if (Vad
->u
.VadFlags
.NoChange
== 1)
1968 DPRINT1("Trying to change protection of a NoChange VAD\n");
1969 Status
= STATUS_INVALID_PAGE_PROTECTION
;
1973 /* Is this section, or private memory? */
1974 if (Vad
->u
.VadFlags
.PrivateMemory
== 0)
1976 /* Not yet supported */
1977 if (Vad
->u
.VadFlags
.VadType
== VadLargePageSection
)
1979 DPRINT1("Illegal VAD for attempting to set protection\n");
1980 Status
= STATUS_CONFLICTING_ADDRESSES
;
1984 /* Rotate VADs are not yet supported */
1985 if (Vad
->u
.VadFlags
.VadType
== VadRotatePhysical
)
1987 DPRINT1("Illegal VAD for attempting to set protection\n");
1988 Status
= STATUS_CONFLICTING_ADDRESSES
;
1992 /* Not valid on section files */
1993 if (NewAccessProtection
& (PAGE_NOCACHE
| PAGE_WRITECOMBINE
))
1996 DPRINT1("Invalid protection flags for section\n");
1997 Status
= STATUS_INVALID_PARAMETER_4
;
2001 /* Check if data or page file mapping protection PTE is compatible */
2002 if (!Vad
->ControlArea
->u
.Flags
.Image
)
2005 DPRINT1("Fixme: Not checking for valid protection\n");
2008 /* This is a section, and this is not yet supported */
2009 DPRINT1("Section protection not yet supported\n");
2014 /* Private memory, check protection flags */
2015 if ((NewAccessProtection
& PAGE_WRITECOPY
) ||
2016 (NewAccessProtection
& PAGE_EXECUTE_WRITECOPY
))
2018 DPRINT1("Invalid protection flags for private memory\n");
2019 Status
= STATUS_INVALID_PARAMETER_4
;
2023 /* Lock the working set */
2024 MiLockProcessWorkingSetUnsafe(Process
, Thread
);
2026 /* Check if all pages in this range are committed */
2027 Committed
= MiIsEntireRangeCommitted(StartingAddress
,
2034 DPRINT1("The entire range is not committed\n");
2035 Status
= STATUS_NOT_COMMITTED
;
2036 MiUnlockProcessWorkingSetUnsafe(Process
, Thread
);
2040 /* Compute starting and ending PTE and PDE addresses */
2041 PointerPde
= MiAddressToPde(StartingAddress
);
2042 PointerPte
= MiAddressToPte(StartingAddress
);
2043 LastPte
= MiAddressToPte(EndingAddress
);
2045 /* Make this PDE valid */
2046 MiMakePdeExistAndMakeValid(PointerPde
, Process
, MM_NOIRQL
);
2048 /* Save protection of the first page */
2049 if (PointerPte
->u
.Long
!= 0)
2051 /* Capture the page protection and make the PDE valid */
2052 OldProtect
= MiGetPageProtection(PointerPte
);
2053 MiMakePdeExistAndMakeValid(PointerPde
, Process
, MM_NOIRQL
);
2057 /* Grab the old protection from the VAD itself */
2058 OldProtect
= MmProtectToValue
[Vad
->u
.VadFlags
.Protection
];
2061 /* Loop all the PTEs now */
2062 while (PointerPte
<= LastPte
)
2064 /* Check if we've crossed a PDE boundary and make the new PDE valid too */
2065 if (MiIsPteOnPdeBoundary(PointerPte
))
2067 PointerPde
= MiAddressToPte(PointerPte
);
2068 MiMakePdeExistAndMakeValid(PointerPde
, Process
, MM_NOIRQL
);
2071 /* Capture the PTE and check if it was empty */
2072 PteContents
= *PointerPte
;
2073 if (PteContents
.u
.Long
== 0)
2075 /* This used to be a zero PTE and it no longer is, so we must add a
2076 reference to the pagetable. */
2077 MiIncrementPageTableReferences(MiPteToAddress(PointerPte
));
2080 /* Check what kind of PTE we are dealing with */
2081 if (PteContents
.u
.Hard
.Valid
== 1)
2083 /* Get the PFN entry */
2084 Pfn1
= MiGetPfnEntry(PFN_FROM_PTE(&PteContents
));
2086 /* We don't support this yet */
2087 ASSERT(Pfn1
->u3
.e1
.PrototypePte
== 0);
2089 /* Check if the page should not be accessible at all */
2090 if ((NewAccessProtection
& PAGE_NOACCESS
) ||
2091 (NewAccessProtection
& PAGE_GUARD
))
2093 /* The page should be in the WS and we should make it transition now */
2094 DPRINT1("Making valid page invalid is not yet supported!\n");
2095 Status
= STATUS_NOT_IMPLEMENTED
;
2096 /* Unlock the working set */
2097 MiUnlockProcessWorkingSetUnsafe(Process
, Thread
);
2101 /* Write the protection mask and write it with a TLB flush */
2102 Pfn1
->OriginalPte
.u
.Soft
.Protection
= ProtectionMask
;
2103 MiFlushTbAndCapture(Vad
,
2111 /* We don't support these cases yet */
2112 ASSERT(PteContents
.u
.Soft
.Prototype
== 0);
2113 ASSERT(PteContents
.u
.Soft
.Transition
== 0);
2115 /* The PTE is already demand-zero, just update the protection mask */
2116 PteContents
.u
.Soft
.Protection
= ProtectionMask
;
2117 MI_WRITE_INVALID_PTE(PointerPte
, PteContents
);
2118 ASSERT(PointerPte
->u
.Long
!= 0);
2121 /* Move to the next PTE */
2125 /* Unlock the working set */
2126 MiUnlockProcessWorkingSetUnsafe(Process
, Thread
);
2129 /* Unlock the address space */
2130 MmUnlockAddressSpace(AddressSpace
);
2132 /* Return parameters and success */
2133 *NumberOfBytesToProtect
= EndingAddress
- StartingAddress
+ 1;
2134 *BaseAddress
= (PVOID
)StartingAddress
;
2135 *OldAccessProtection
= OldProtect
;
2136 return STATUS_SUCCESS
;
2139 /* Unlock the address space and return the failure code */
2140 MmUnlockAddressSpace(AddressSpace
);
2146 MiMakePdeExistAndMakeValid(IN PMMPTE PointerPde
,
2147 IN PEPROCESS TargetProcess
,
2150 PMMPTE PointerPte
, PointerPpe
, PointerPxe
;
2153 // Sanity checks. The latter is because we only use this function with the
2154 // PFN lock not held, so it may go away in the future.
2156 ASSERT(KeAreAllApcsDisabled() == TRUE
);
2157 ASSERT(OldIrql
== MM_NOIRQL
);
2160 // Also get the PPE and PXE. This is okay not to #ifdef because they will
2161 // return the same address as the PDE on 2-level page table systems.
2163 // If everything is already valid, there is nothing to do.
2165 PointerPpe
= MiAddressToPte(PointerPde
);
2166 PointerPxe
= MiAddressToPde(PointerPde
);
2167 if ((PointerPxe
->u
.Hard
.Valid
) &&
2168 (PointerPpe
->u
.Hard
.Valid
) &&
2169 (PointerPde
->u
.Hard
.Valid
))
2175 // At least something is invalid, so begin by getting the PTE for the PDE itself
2176 // and then lookup each additional level. We must do it in this precise order
2177 // because the pagfault.c code (as well as in Windows) depends that the next
2178 // level up (higher) must be valid when faulting a lower level
2180 PointerPte
= MiPteToAddress(PointerPde
);
2184 // Make sure APCs continued to be disabled
2186 ASSERT(KeAreAllApcsDisabled() == TRUE
);
2189 // First, make the PXE valid if needed
2191 if (!PointerPxe
->u
.Hard
.Valid
)
2193 MiMakeSystemAddressValid(PointerPpe
, TargetProcess
);
2194 ASSERT(PointerPxe
->u
.Hard
.Valid
== 1);
2200 if (!PointerPpe
->u
.Hard
.Valid
)
2202 MiMakeSystemAddressValid(PointerPde
, TargetProcess
);
2203 ASSERT(PointerPpe
->u
.Hard
.Valid
== 1);
2207 // And finally, make the PDE itself valid.
2209 MiMakeSystemAddressValid(PointerPte
, TargetProcess
);
2212 // This should've worked the first time so the loop is really just for
2213 // show -- ASSERT that we're actually NOT going to be looping.
2215 ASSERT(PointerPxe
->u
.Hard
.Valid
== 1);
2216 ASSERT(PointerPpe
->u
.Hard
.Valid
== 1);
2217 ASSERT(PointerPde
->u
.Hard
.Valid
== 1);
2218 } while (!(PointerPxe
->u
.Hard
.Valid
) ||
2219 !(PointerPpe
->u
.Hard
.Valid
) ||
2220 !(PointerPde
->u
.Hard
.Valid
));
2225 MiProcessValidPteList(IN PMMPTE
*ValidPteList
,
2231 PFN_NUMBER PageFrameIndex
;
2235 // Acquire the PFN lock and loop all the PTEs in the list
2237 OldIrql
= KeAcquireQueuedSpinLock(LockQueuePfnLock
);
2238 for (i
= 0; i
!= Count
; i
++)
2241 // The PTE must currently be valid
2243 TempPte
= *ValidPteList
[i
];
2244 ASSERT(TempPte
.u
.Hard
.Valid
== 1);
2247 // Get the PFN entry for the page itself, and then for its page table
2249 PageFrameIndex
= PFN_FROM_PTE(&TempPte
);
2250 Pfn1
= MiGetPfnEntry(PageFrameIndex
);
2251 Pfn2
= MiGetPfnEntry(Pfn1
->u4
.PteFrame
);
2254 // Decrement the share count on the page table, and then on the page
2257 MiDecrementShareCount(Pfn2
, Pfn1
->u4
.PteFrame
);
2258 MI_SET_PFN_DELETED(Pfn1
);
2259 MiDecrementShareCount(Pfn1
, PageFrameIndex
);
2262 // Make the page decommitted
2264 MI_WRITE_INVALID_PTE(ValidPteList
[i
], MmDecommittedPte
);
2268 // All the PTEs have been dereferenced and made invalid, flush the TLB now
2269 // and then release the PFN lock
2272 KeReleaseQueuedSpinLock(LockQueuePfnLock
, OldIrql
);
2277 MiDecommitPages(IN PVOID StartingAddress
,
2278 IN PMMPTE EndingPte
,
2279 IN PEPROCESS Process
,
2282 PMMPTE PointerPde
, PointerPte
, CommitPte
= NULL
;
2283 ULONG CommitReduction
= 0;
2284 PMMPTE ValidPteList
[256];
2288 PETHREAD CurrentThread
= PsGetCurrentThread();
2291 // Get the PTE and PTE for the address, and lock the working set
2292 // If this was a VAD for a MEM_COMMIT allocation, also figure out where the
2293 // commited range ends so that we can do the right accounting.
2295 PointerPde
= MiAddressToPde(StartingAddress
);
2296 PointerPte
= MiAddressToPte(StartingAddress
);
2297 if (Vad
->u
.VadFlags
.MemCommit
) CommitPte
= MiAddressToPte(Vad
->EndingVpn
<< PAGE_SHIFT
);
2298 MiLockProcessWorkingSetUnsafe(Process
, CurrentThread
);
2301 // Make the PDE valid, and now loop through each page's worth of data
2303 MiMakePdeExistAndMakeValid(PointerPde
, Process
, MM_NOIRQL
);
2304 while (PointerPte
<= EndingPte
)
2307 // Check if we've crossed a PDE boundary
2309 if (MiIsPteOnPdeBoundary(PointerPte
))
2312 // Get the new PDE and flush the valid PTEs we had built up until
2313 // now. This helps reduce the amount of TLB flushing we have to do.
2314 // Note that Windows does a much better job using timestamps and
2315 // such, and does not flush the entire TLB all the time, but right
2316 // now we have bigger problems to worry about than TLB flushing.
2318 PointerPde
= MiAddressToPde(StartingAddress
);
2321 MiProcessValidPteList(ValidPteList
, PteCount
);
2326 // Make this PDE valid
2328 MiMakePdeExistAndMakeValid(PointerPde
, Process
, MM_NOIRQL
);
2332 // Read this PTE. It might be active or still demand-zero.
2334 PteContents
= *PointerPte
;
2335 if (PteContents
.u
.Long
)
2338 // The PTE is active. It might be valid and in a working set, or
2339 // it might be a prototype PTE or paged out or even in transition.
2341 if (PointerPte
->u
.Long
== MmDecommittedPte
.u
.Long
)
2344 // It's already decommited, so there's nothing for us to do here
2351 // Remove it from the counters, and check if it was valid or not
2353 //Process->NumberOfPrivatePages--;
2354 if (PteContents
.u
.Hard
.Valid
)
2357 // It's valid. At this point make sure that it is not a ROS
2358 // PFN. Also, we don't support ProtoPTEs in this code path.
2360 Pfn1
= MiGetPfnEntry(PteContents
.u
.Hard
.PageFrameNumber
);
2361 ASSERT(MI_IS_ROS_PFN(Pfn1
) == FALSE
);
2362 ASSERT(Pfn1
->u3
.e1
.PrototypePte
== FALSE
);
2365 // Flush any pending PTEs that we had not yet flushed, if our
2366 // list has gotten too big, then add this PTE to the flush list.
2368 if (PteCount
== 256)
2370 MiProcessValidPteList(ValidPteList
, PteCount
);
2373 ValidPteList
[PteCount
++] = PointerPte
;
2378 // We do not support any of these other scenarios at the moment
2380 ASSERT(PteContents
.u
.Soft
.Prototype
== 0);
2381 ASSERT(PteContents
.u
.Soft
.Transition
== 0);
2382 ASSERT(PteContents
.u
.Soft
.PageFileHigh
== 0);
2385 // So the only other possibility is that it is still a demand
2386 // zero PTE, in which case we undo the accounting we did
2387 // earlier and simply make the page decommitted.
2389 //Process->NumberOfPrivatePages++;
2390 MI_WRITE_INVALID_PTE(PointerPte
, MmDecommittedPte
);
2397 // This used to be a zero PTE and it no longer is, so we must add a
2398 // reference to the pagetable.
2400 MiIncrementPageTableReferences(StartingAddress
);
2403 // Next, we account for decommitted PTEs and make the PTE as such
2405 if (PointerPte
> CommitPte
) CommitReduction
++;
2406 MI_WRITE_INVALID_PTE(PointerPte
, MmDecommittedPte
);
2410 // Move to the next PTE and the next address
2413 StartingAddress
= (PVOID
)((ULONG_PTR
)StartingAddress
+ PAGE_SIZE
);
2417 // Flush any dangling PTEs from the loop in the last page table, and then
2418 // release the working set and return the commit reduction accounting.
2420 if (PteCount
) MiProcessValidPteList(ValidPteList
, PteCount
);
2421 MiUnlockProcessWorkingSetUnsafe(Process
, CurrentThread
);
2422 return CommitReduction
;
2425 /* PUBLIC FUNCTIONS ***********************************************************/
2432 MmGetVirtualForPhysical(IN PHYSICAL_ADDRESS PhysicalAddress
)
2443 MmSecureVirtualMemory(IN PVOID Address
,
2447 static BOOLEAN Warn
; if (!Warn
++) UNIMPLEMENTED
;
2456 MmUnsecureVirtualMemory(IN PVOID SecureMem
)
2458 static BOOLEAN Warn
; if (!Warn
++) UNIMPLEMENTED
;
2461 /* SYSTEM CALLS ***************************************************************/
2465 NtReadVirtualMemory(IN HANDLE ProcessHandle
,
2466 IN PVOID BaseAddress
,
2468 IN SIZE_T NumberOfBytesToRead
,
2469 OUT PSIZE_T NumberOfBytesRead OPTIONAL
)
2471 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
2473 NTSTATUS Status
= STATUS_SUCCESS
;
2474 SIZE_T BytesRead
= 0;
2478 // Check if we came from user mode
2480 if (PreviousMode
!= KernelMode
)
2483 // Validate the read addresses
2485 if ((((ULONG_PTR
)BaseAddress
+ NumberOfBytesToRead
) < (ULONG_PTR
)BaseAddress
) ||
2486 (((ULONG_PTR
)Buffer
+ NumberOfBytesToRead
) < (ULONG_PTR
)Buffer
) ||
2487 (((ULONG_PTR
)BaseAddress
+ NumberOfBytesToRead
) > MmUserProbeAddress
) ||
2488 (((ULONG_PTR
)Buffer
+ NumberOfBytesToRead
) > MmUserProbeAddress
))
2491 // Don't allow to write into kernel space
2493 return STATUS_ACCESS_VIOLATION
;
2497 // Enter SEH for probe
2502 // Probe the output value
2504 if (NumberOfBytesRead
) ProbeForWriteSize_t(NumberOfBytesRead
);
2506 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
2509 // Get exception code
2511 _SEH2_YIELD(return _SEH2_GetExceptionCode());
2517 // Don't do zero-byte transfers
2519 if (NumberOfBytesToRead
)
2522 // Reference the process
2524 Status
= ObReferenceObjectByHandle(ProcessHandle
,
2530 if (NT_SUCCESS(Status
))
2535 Status
= MmCopyVirtualMemory(Process
,
2537 PsGetCurrentProcess(),
2539 NumberOfBytesToRead
,
2544 // Dereference the process
2546 ObDereferenceObject(Process
);
2551 // Check if the caller sent this parameter
2553 if (NumberOfBytesRead
)
2556 // Enter SEH to guard write
2561 // Return the number of bytes read
2563 *NumberOfBytesRead
= BytesRead
;
2565 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
2579 NtWriteVirtualMemory(IN HANDLE ProcessHandle
,
2580 IN PVOID BaseAddress
,
2582 IN SIZE_T NumberOfBytesToWrite
,
2583 OUT PSIZE_T NumberOfBytesWritten OPTIONAL
)
2585 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
2587 NTSTATUS Status
= STATUS_SUCCESS
;
2588 SIZE_T BytesWritten
= 0;
2592 // Check if we came from user mode
2594 if (PreviousMode
!= KernelMode
)
2597 // Validate the read addresses
2599 if ((((ULONG_PTR
)BaseAddress
+ NumberOfBytesToWrite
) < (ULONG_PTR
)BaseAddress
) ||
2600 (((ULONG_PTR
)Buffer
+ NumberOfBytesToWrite
) < (ULONG_PTR
)Buffer
) ||
2601 (((ULONG_PTR
)BaseAddress
+ NumberOfBytesToWrite
) > MmUserProbeAddress
) ||
2602 (((ULONG_PTR
)Buffer
+ NumberOfBytesToWrite
) > MmUserProbeAddress
))
2605 // Don't allow to write into kernel space
2607 return STATUS_ACCESS_VIOLATION
;
2611 // Enter SEH for probe
2616 // Probe the output value
2618 if (NumberOfBytesWritten
) ProbeForWriteSize_t(NumberOfBytesWritten
);
2620 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
2623 // Get exception code
2625 _SEH2_YIELD(return _SEH2_GetExceptionCode());
2631 // Don't do zero-byte transfers
2633 if (NumberOfBytesToWrite
)
2636 // Reference the process
2638 Status
= ObReferenceObjectByHandle(ProcessHandle
,
2644 if (NT_SUCCESS(Status
))
2649 Status
= MmCopyVirtualMemory(PsGetCurrentProcess(),
2653 NumberOfBytesToWrite
,
2658 // Dereference the process
2660 ObDereferenceObject(Process
);
2665 // Check if the caller sent this parameter
2667 if (NumberOfBytesWritten
)
2670 // Enter SEH to guard write
2675 // Return the number of bytes written
2677 *NumberOfBytesWritten
= BytesWritten
;
2679 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
2693 NtProtectVirtualMemory(IN HANDLE ProcessHandle
,
2694 IN OUT PVOID
*UnsafeBaseAddress
,
2695 IN OUT SIZE_T
*UnsafeNumberOfBytesToProtect
,
2696 IN ULONG NewAccessProtection
,
2697 OUT PULONG UnsafeOldAccessProtection
)
2700 ULONG OldAccessProtection
;
2702 PEPROCESS CurrentProcess
= PsGetCurrentProcess();
2703 PVOID BaseAddress
= NULL
;
2704 SIZE_T NumberOfBytesToProtect
= 0;
2705 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
2707 BOOLEAN Attached
= FALSE
;
2708 KAPC_STATE ApcState
;
2712 // Check for valid protection flags
2714 Protection
= NewAccessProtection
& ~(PAGE_GUARD
|PAGE_NOCACHE
);
2715 if (Protection
!= PAGE_NOACCESS
&&
2716 Protection
!= PAGE_READONLY
&&
2717 Protection
!= PAGE_READWRITE
&&
2718 Protection
!= PAGE_WRITECOPY
&&
2719 Protection
!= PAGE_EXECUTE
&&
2720 Protection
!= PAGE_EXECUTE_READ
&&
2721 Protection
!= PAGE_EXECUTE_READWRITE
&&
2722 Protection
!= PAGE_EXECUTE_WRITECOPY
)
2727 return STATUS_INVALID_PAGE_PROTECTION
;
2731 // Check if we came from user mode
2733 if (PreviousMode
!= KernelMode
)
2736 // Enter SEH for probing
2741 // Validate all outputs
2743 ProbeForWritePointer(UnsafeBaseAddress
);
2744 ProbeForWriteSize_t(UnsafeNumberOfBytesToProtect
);
2745 ProbeForWriteUlong(UnsafeOldAccessProtection
);
2750 BaseAddress
= *UnsafeBaseAddress
;
2751 NumberOfBytesToProtect
= *UnsafeNumberOfBytesToProtect
;
2753 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
2756 // Get exception code
2758 _SEH2_YIELD(return _SEH2_GetExceptionCode());
2767 BaseAddress
= *UnsafeBaseAddress
;
2768 NumberOfBytesToProtect
= *UnsafeNumberOfBytesToProtect
;
2772 // Catch illegal base address
2774 if (BaseAddress
> MM_HIGHEST_USER_ADDRESS
) return STATUS_INVALID_PARAMETER_2
;
2777 // Catch illegal region size
2779 if ((MmUserProbeAddress
- (ULONG_PTR
)BaseAddress
) < NumberOfBytesToProtect
)
2784 return STATUS_INVALID_PARAMETER_3
;
2788 // 0 is also illegal
2790 if (!NumberOfBytesToProtect
) return STATUS_INVALID_PARAMETER_3
;
2793 // Get a reference to the process
2795 Status
= ObReferenceObjectByHandle(ProcessHandle
,
2796 PROCESS_VM_OPERATION
,
2801 if (!NT_SUCCESS(Status
)) return Status
;
2804 // Check if we should attach
2806 if (CurrentProcess
!= Process
)
2811 KeStackAttachProcess(&Process
->Pcb
, &ApcState
);
2816 // Do the actual work
2818 Status
= MiProtectVirtualMemory(Process
,
2820 &NumberOfBytesToProtect
,
2821 NewAccessProtection
,
2822 &OldAccessProtection
);
2827 if (Attached
) KeUnstackDetachProcess(&ApcState
);
2830 // Release reference
2832 ObDereferenceObject(Process
);
2835 // Enter SEH to return data
2840 // Return data to user
2842 *UnsafeOldAccessProtection
= OldAccessProtection
;
2843 *UnsafeBaseAddress
= BaseAddress
;
2844 *UnsafeNumberOfBytesToProtect
= NumberOfBytesToProtect
;
2846 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
2859 NtLockVirtualMemory(IN HANDLE ProcessHandle
,
2860 IN OUT PVOID
*BaseAddress
,
2861 IN OUT PSIZE_T NumberOfBytesToLock
,
2865 PEPROCESS CurrentProcess
= PsGetCurrentProcess();
2867 BOOLEAN Attached
= FALSE
;
2868 KAPC_STATE ApcState
;
2869 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
2870 PVOID CapturedBaseAddress
;
2871 SIZE_T CapturedBytesToLock
;
2877 if ((MapType
& ~(MAP_PROCESS
| MAP_SYSTEM
)))
2880 // Invalid set of flags
2882 return STATUS_INVALID_PARAMETER
;
2886 // At least one flag must be specified
2888 if (!(MapType
& (MAP_PROCESS
| MAP_SYSTEM
)))
2893 return STATUS_INVALID_PARAMETER
;
2897 // Enter SEH for probing
2902 // Validate output data
2904 ProbeForWritePointer(BaseAddress
);
2905 ProbeForWriteSize_t(NumberOfBytesToLock
);
2910 CapturedBaseAddress
= *BaseAddress
;
2911 CapturedBytesToLock
= *NumberOfBytesToLock
;
2913 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
2916 // Get exception code
2918 _SEH2_YIELD(return _SEH2_GetExceptionCode());
2923 // Catch illegal base address
2925 if (CapturedBaseAddress
> MM_HIGHEST_USER_ADDRESS
) return STATUS_INVALID_PARAMETER
;
2928 // Catch illegal region size
2930 if ((MmUserProbeAddress
- (ULONG_PTR
)CapturedBaseAddress
) < CapturedBytesToLock
)
2935 return STATUS_INVALID_PARAMETER
;
2939 // 0 is also illegal
2941 if (!CapturedBytesToLock
) return STATUS_INVALID_PARAMETER
;
2944 // Get a reference to the process
2946 Status
= ObReferenceObjectByHandle(ProcessHandle
,
2947 PROCESS_VM_OPERATION
,
2952 if (!NT_SUCCESS(Status
)) return Status
;
2955 // Check if this is is system-mapped
2957 if (MapType
& MAP_SYSTEM
)
2960 // Check for required privilege
2962 if (!SeSinglePrivilegeCheck(SeLockMemoryPrivilege
, PreviousMode
))
2965 // Fail: Don't have it
2967 ObDereferenceObject(Process
);
2968 return STATUS_PRIVILEGE_NOT_HELD
;
2973 // Check if we should attach
2975 if (CurrentProcess
!= Process
)
2980 KeStackAttachProcess(&Process
->Pcb
, &ApcState
);
2992 if (Attached
) KeUnstackDetachProcess(&ApcState
);
2995 // Release reference
2997 ObDereferenceObject(Process
);
3000 // Enter SEH to return data
3005 // Return data to user
3007 *BaseAddress
= CapturedBaseAddress
;
3008 *NumberOfBytesToLock
= 0;
3010 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3013 // Get exception code
3015 _SEH2_YIELD(return _SEH2_GetExceptionCode());
3022 return STATUS_SUCCESS
;
3027 NtUnlockVirtualMemory(IN HANDLE ProcessHandle
,
3028 IN OUT PVOID
*BaseAddress
,
3029 IN OUT PSIZE_T NumberOfBytesToUnlock
,
3033 PEPROCESS CurrentProcess
= PsGetCurrentProcess();
3035 BOOLEAN Attached
= FALSE
;
3036 KAPC_STATE ApcState
;
3037 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
3038 PVOID CapturedBaseAddress
;
3039 SIZE_T CapturedBytesToUnlock
;
3045 if ((MapType
& ~(MAP_PROCESS
| MAP_SYSTEM
)))
3048 // Invalid set of flags
3050 return STATUS_INVALID_PARAMETER
;
3054 // At least one flag must be specified
3056 if (!(MapType
& (MAP_PROCESS
| MAP_SYSTEM
)))
3061 return STATUS_INVALID_PARAMETER
;
3065 // Enter SEH for probing
3070 // Validate output data
3072 ProbeForWritePointer(BaseAddress
);
3073 ProbeForWriteSize_t(NumberOfBytesToUnlock
);
3078 CapturedBaseAddress
= *BaseAddress
;
3079 CapturedBytesToUnlock
= *NumberOfBytesToUnlock
;
3081 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3084 // Get exception code
3086 _SEH2_YIELD(return _SEH2_GetExceptionCode());
3091 // Catch illegal base address
3093 if (CapturedBaseAddress
> MM_HIGHEST_USER_ADDRESS
) return STATUS_INVALID_PARAMETER
;
3096 // Catch illegal region size
3098 if ((MmUserProbeAddress
- (ULONG_PTR
)CapturedBaseAddress
) < CapturedBytesToUnlock
)
3103 return STATUS_INVALID_PARAMETER
;
3107 // 0 is also illegal
3109 if (!CapturedBytesToUnlock
) return STATUS_INVALID_PARAMETER
;
3112 // Get a reference to the process
3114 Status
= ObReferenceObjectByHandle(ProcessHandle
,
3115 PROCESS_VM_OPERATION
,
3120 if (!NT_SUCCESS(Status
)) return Status
;
3123 // Check if this is is system-mapped
3125 if (MapType
& MAP_SYSTEM
)
3128 // Check for required privilege
3130 if (!SeSinglePrivilegeCheck(SeLockMemoryPrivilege
, PreviousMode
))
3133 // Fail: Don't have it
3135 ObDereferenceObject(Process
);
3136 return STATUS_PRIVILEGE_NOT_HELD
;
3141 // Check if we should attach
3143 if (CurrentProcess
!= Process
)
3148 KeStackAttachProcess(&Process
->Pcb
, &ApcState
);
3160 if (Attached
) KeUnstackDetachProcess(&ApcState
);
3163 // Release reference
3165 ObDereferenceObject(Process
);
3168 // Enter SEH to return data
3173 // Return data to user
3175 *BaseAddress
= PAGE_ALIGN(CapturedBaseAddress
);
3176 *NumberOfBytesToUnlock
= 0;
3178 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3181 // Get exception code
3183 _SEH2_YIELD(return _SEH2_GetExceptionCode());
3190 return STATUS_SUCCESS
;
3195 NtFlushVirtualMemory(IN HANDLE ProcessHandle
,
3196 IN OUT PVOID
*BaseAddress
,
3197 IN OUT PSIZE_T NumberOfBytesToFlush
,
3198 OUT PIO_STATUS_BLOCK IoStatusBlock
)
3202 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
3203 PVOID CapturedBaseAddress
;
3204 SIZE_T CapturedBytesToFlush
;
3205 IO_STATUS_BLOCK LocalStatusBlock
;
3209 // Check if we came from user mode
3211 if (PreviousMode
!= KernelMode
)
3214 // Enter SEH for probing
3219 // Validate all outputs
3221 ProbeForWritePointer(BaseAddress
);
3222 ProbeForWriteSize_t(NumberOfBytesToFlush
);
3223 ProbeForWriteIoStatusBlock(IoStatusBlock
);
3228 CapturedBaseAddress
= *BaseAddress
;
3229 CapturedBytesToFlush
= *NumberOfBytesToFlush
;
3231 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3234 // Get exception code
3236 _SEH2_YIELD(return _SEH2_GetExceptionCode());
3245 CapturedBaseAddress
= *BaseAddress
;
3246 CapturedBytesToFlush
= *NumberOfBytesToFlush
;
3250 // Catch illegal base address
3252 if (CapturedBaseAddress
> MM_HIGHEST_USER_ADDRESS
) return STATUS_INVALID_PARAMETER
;
3255 // Catch illegal region size
3257 if ((MmUserProbeAddress
- (ULONG_PTR
)CapturedBaseAddress
) < CapturedBytesToFlush
)
3262 return STATUS_INVALID_PARAMETER
;
3266 // Get a reference to the process
3268 Status
= ObReferenceObjectByHandle(ProcessHandle
,
3269 PROCESS_VM_OPERATION
,
3274 if (!NT_SUCCESS(Status
)) return Status
;
3279 Status
= MmFlushVirtualMemory(Process
,
3280 &CapturedBaseAddress
,
3281 &CapturedBytesToFlush
,
3285 // Release reference
3287 ObDereferenceObject(Process
);
3290 // Enter SEH to return data
3295 // Return data to user
3297 *BaseAddress
= PAGE_ALIGN(CapturedBaseAddress
);
3298 *NumberOfBytesToFlush
= 0;
3299 *IoStatusBlock
= LocalStatusBlock
;
3301 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3317 NtGetWriteWatch(IN HANDLE ProcessHandle
,
3319 IN PVOID BaseAddress
,
3320 IN SIZE_T RegionSize
,
3321 IN PVOID
*UserAddressArray
,
3322 OUT PULONG_PTR EntriesInUserAddressArray
,
3323 OUT PULONG Granularity
)
3328 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
3329 ULONG_PTR CapturedEntryCount
;
3333 // Check if we came from user mode
3335 if (PreviousMode
!= KernelMode
)
3338 // Enter SEH for probing
3343 // Catch illegal base address
3345 if (BaseAddress
> MM_HIGHEST_USER_ADDRESS
) _SEH2_YIELD(return STATUS_INVALID_PARAMETER_2
);
3348 // Catch illegal region size
3350 if ((MmUserProbeAddress
- (ULONG_PTR
)BaseAddress
) < RegionSize
)
3355 _SEH2_YIELD(return STATUS_INVALID_PARAMETER_3
);
3359 // Validate all data
3361 ProbeForWriteSize_t(EntriesInUserAddressArray
);
3362 ProbeForWriteUlong(Granularity
);
3367 CapturedEntryCount
= *EntriesInUserAddressArray
;
3370 // Must have a count
3372 if (CapturedEntryCount
== 0) _SEH2_YIELD(return STATUS_INVALID_PARAMETER_5
);
3375 // Can't be larger than the maximum
3377 if (CapturedEntryCount
> (MAXULONG_PTR
/ sizeof(ULONG_PTR
)))
3382 _SEH2_YIELD(return STATUS_INVALID_PARAMETER_5
);
3386 // Probe the actual array
3388 ProbeForWrite(UserAddressArray
,
3389 CapturedEntryCount
* sizeof(PVOID
),
3392 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3395 // Get exception code
3397 _SEH2_YIELD(return _SEH2_GetExceptionCode());
3406 CapturedEntryCount
= *EntriesInUserAddressArray
;
3407 ASSERT(CapturedEntryCount
!= 0);
3411 // Check if this is a local request
3413 if (ProcessHandle
== NtCurrentProcess())
3416 // No need to reference the process
3418 Process
= PsGetCurrentProcess();
3423 // Reference the target
3425 Status
= ObReferenceObjectByHandle(ProcessHandle
,
3426 PROCESS_VM_OPERATION
,
3431 if (!NT_SUCCESS(Status
)) return Status
;
3435 // Compute the last address and validate it
3437 EndAddress
= (PVOID
)((ULONG_PTR
)BaseAddress
+ RegionSize
- 1);
3438 if (BaseAddress
> EndAddress
)
3443 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
3444 return STATUS_INVALID_PARAMETER_4
;
3453 // Dereference if needed
3455 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
3458 // Enter SEH to return data
3463 // Return data to user
3465 *EntriesInUserAddressArray
= 0;
3466 *Granularity
= PAGE_SIZE
;
3468 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3471 // Get exception code
3473 Status
= _SEH2_GetExceptionCode();
3480 return STATUS_SUCCESS
;
3488 NtResetWriteWatch(IN HANDLE ProcessHandle
,
3489 IN PVOID BaseAddress
,
3490 IN SIZE_T RegionSize
)
3495 KPROCESSOR_MODE PreviousMode
= ExGetPreviousMode();
3496 ASSERT (KeGetCurrentIrql() == PASSIVE_LEVEL
);
3499 // Catch illegal base address
3501 if (BaseAddress
> MM_HIGHEST_USER_ADDRESS
) return STATUS_INVALID_PARAMETER_2
;
3504 // Catch illegal region size
3506 if ((MmUserProbeAddress
- (ULONG_PTR
)BaseAddress
) < RegionSize
)
3511 return STATUS_INVALID_PARAMETER_3
;
3515 // Check if this is a local request
3517 if (ProcessHandle
== NtCurrentProcess())
3520 // No need to reference the process
3522 Process
= PsGetCurrentProcess();
3527 // Reference the target
3529 Status
= ObReferenceObjectByHandle(ProcessHandle
,
3530 PROCESS_VM_OPERATION
,
3535 if (!NT_SUCCESS(Status
)) return Status
;
3539 // Compute the last address and validate it
3541 EndAddress
= (PVOID
)((ULONG_PTR
)BaseAddress
+ RegionSize
- 1);
3542 if (BaseAddress
> EndAddress
)
3547 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
3548 return STATUS_INVALID_PARAMETER_3
;
3557 // Dereference if needed
3559 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
3564 return STATUS_SUCCESS
;
3569 NtQueryVirtualMemory(IN HANDLE ProcessHandle
,
3570 IN PVOID BaseAddress
,
3571 IN MEMORY_INFORMATION_CLASS MemoryInformationClass
,
3572 OUT PVOID MemoryInformation
,
3573 IN SIZE_T MemoryInformationLength
,
3574 OUT PSIZE_T ReturnLength
)
3576 NTSTATUS Status
= STATUS_SUCCESS
;
3577 KPROCESSOR_MODE PreviousMode
;
3579 DPRINT("Querying class %d about address: %p\n", MemoryInformationClass
, BaseAddress
);
3581 /* Bail out if the address is invalid */
3582 if (BaseAddress
> MM_HIGHEST_USER_ADDRESS
) return STATUS_INVALID_PARAMETER
;
3584 /* Probe return buffer */
3585 PreviousMode
= ExGetPreviousMode();
3586 if (PreviousMode
!= KernelMode
)
3590 ProbeForWrite(MemoryInformation
,
3591 MemoryInformationLength
,
3594 if (ReturnLength
) ProbeForWriteSize_t(ReturnLength
);
3596 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3598 Status
= _SEH2_GetExceptionCode();
3602 if (!NT_SUCCESS(Status
))
3608 switch(MemoryInformationClass
)
3610 case MemoryBasicInformation
:
3611 /* Validate the size information of the class */
3612 if (MemoryInformationLength
< sizeof(MEMORY_BASIC_INFORMATION
))
3614 /* The size is invalid */
3615 return STATUS_INFO_LENGTH_MISMATCH
;
3617 Status
= MiQueryMemoryBasicInformation(ProcessHandle
,
3620 MemoryInformationLength
,
3624 case MemorySectionName
:
3625 /* Validate the size information of the class */
3626 if (MemoryInformationLength
< sizeof(MEMORY_SECTION_NAME
))
3628 /* The size is invalid */
3629 return STATUS_INFO_LENGTH_MISMATCH
;
3631 Status
= MiQueryMemorySectionName(ProcessHandle
,
3634 MemoryInformationLength
,
3637 case MemoryWorkingSetList
:
3638 case MemoryBasicVlmInformation
:
3640 DPRINT1("Unhandled memory information class %d\n", MemoryInformationClass
);
3652 NtAllocateVirtualMemory(IN HANDLE ProcessHandle
,
3653 IN OUT PVOID
* UBaseAddress
,
3654 IN ULONG_PTR ZeroBits
,
3655 IN OUT PSIZE_T URegionSize
,
3656 IN ULONG AllocationType
,
3660 PMEMORY_AREA MemoryArea
;
3661 PFN_NUMBER PageCount
;
3662 PMMVAD Vad
, FoundVad
;
3664 PMMSUPPORT AddressSpace
;
3666 ULONG_PTR PRegionSize
, StartingAddress
, EndingAddress
;
3667 PEPROCESS CurrentProcess
= PsGetCurrentProcess();
3668 KPROCESSOR_MODE PreviousMode
= KeGetPreviousMode();
3669 PETHREAD CurrentThread
= PsGetCurrentThread();
3670 KAPC_STATE ApcState
;
3671 ULONG ProtectionMask
, QuotaCharge
= 0, QuotaFree
= 0;
3672 BOOLEAN Attached
= FALSE
, ChangeProtection
= FALSE
;
3674 PMMPTE PointerPte
, PointerPde
, LastPte
;
3677 /* Check for valid Zero bits */
3680 DPRINT1("Too many zero bits\n");
3681 return STATUS_INVALID_PARAMETER_3
;
3684 /* Check for valid Allocation Types */
3685 if ((AllocationType
& ~(MEM_COMMIT
| MEM_RESERVE
| MEM_RESET
| MEM_PHYSICAL
|
3686 MEM_TOP_DOWN
| MEM_WRITE_WATCH
)))
3688 DPRINT1("Invalid Allocation Type\n");
3689 return STATUS_INVALID_PARAMETER_5
;
3692 /* Check for at least one of these Allocation Types to be set */
3693 if (!(AllocationType
& (MEM_COMMIT
| MEM_RESERVE
| MEM_RESET
)))
3695 DPRINT1("No memory allocation base type\n");
3696 return STATUS_INVALID_PARAMETER_5
;
3699 /* MEM_RESET is an exclusive flag, make sure that is valid too */
3700 if ((AllocationType
& MEM_RESET
) && (AllocationType
!= MEM_RESET
))
3702 DPRINT1("Invalid use of MEM_RESET\n");
3703 return STATUS_INVALID_PARAMETER_5
;
3706 /* Check if large pages are being used */
3707 if (AllocationType
& MEM_LARGE_PAGES
)
3709 /* Large page allocations MUST be committed */
3710 if (!(AllocationType
& MEM_COMMIT
))
3712 DPRINT1("Must supply MEM_COMMIT with MEM_LARGE_PAGES\n");
3713 return STATUS_INVALID_PARAMETER_5
;
3716 /* These flags are not allowed with large page allocations */
3717 if (AllocationType
& (MEM_PHYSICAL
| MEM_RESET
| MEM_WRITE_WATCH
))
3719 DPRINT1("Using illegal flags with MEM_LARGE_PAGES\n");
3720 return STATUS_INVALID_PARAMETER_5
;
3724 /* MEM_WRITE_WATCH can only be used if MEM_RESERVE is also used */
3725 if ((AllocationType
& MEM_WRITE_WATCH
) && !(AllocationType
& MEM_RESERVE
))
3727 DPRINT1("MEM_WRITE_WATCH used without MEM_RESERVE\n");
3728 return STATUS_INVALID_PARAMETER_5
;
3731 /* MEM_PHYSICAL can only be used if MEM_RESERVE is also used */
3732 if ((AllocationType
& MEM_PHYSICAL
) && !(AllocationType
& MEM_RESERVE
))
3734 DPRINT1("MEM_WRITE_WATCH used without MEM_RESERVE\n");
3735 return STATUS_INVALID_PARAMETER_5
;
3738 /* Check for valid MEM_PHYSICAL usage */
3739 if (AllocationType
& MEM_PHYSICAL
)
3741 /* Only these flags are allowed with MEM_PHYSIAL */
3742 if (AllocationType
& ~(MEM_RESERVE
| MEM_TOP_DOWN
| MEM_PHYSICAL
))
3744 DPRINT1("Using illegal flags with MEM_PHYSICAL\n");
3745 return STATUS_INVALID_PARAMETER_5
;
3748 /* Then make sure PAGE_READWRITE is used */
3749 if (Protect
!= PAGE_READWRITE
)
3751 DPRINT1("MEM_PHYSICAL used without PAGE_READWRITE\n");
3752 return STATUS_INVALID_PARAMETER_6
;
3756 /* Calculate the protection mask and make sure it's valid */
3757 ProtectionMask
= MiMakeProtectionMask(Protect
);
3758 if (ProtectionMask
== MM_INVALID_PROTECTION
)
3760 DPRINT1("Invalid protection mask\n");
3761 return STATUS_INVALID_PAGE_PROTECTION
;
3767 /* Check for user-mode parameters */
3768 if (PreviousMode
!= KernelMode
)
3770 /* Make sure they are writable */
3771 ProbeForWritePointer(UBaseAddress
);
3772 ProbeForWriteUlong(URegionSize
);
3775 /* Capture their values */
3776 PBaseAddress
= *UBaseAddress
;
3777 PRegionSize
= *URegionSize
;
3779 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
3781 /* Return the exception code */
3782 _SEH2_YIELD(return _SEH2_GetExceptionCode());
3786 /* Make sure the allocation isn't past the VAD area */
3787 if (PBaseAddress
>= MM_HIGHEST_VAD_ADDRESS
)
3789 DPRINT1("Virtual allocation base above User Space\n");
3790 return STATUS_INVALID_PARAMETER_2
;
3793 /* Make sure the allocation wouldn't overflow past the VAD area */
3794 if ((((ULONG_PTR
)MM_HIGHEST_VAD_ADDRESS
+ 1) - (ULONG_PTR
)PBaseAddress
) < PRegionSize
)
3796 DPRINT1("Region size would overflow into kernel-memory\n");
3797 return STATUS_INVALID_PARAMETER_4
;
3800 /* Make sure there's a size specified */
3803 DPRINT1("Region size is invalid (zero)\n");
3804 return STATUS_INVALID_PARAMETER_4
;
3808 // If this is for the current process, just use PsGetCurrentProcess
3810 if (ProcessHandle
== NtCurrentProcess())
3812 Process
= CurrentProcess
;
3817 // Otherwise, reference the process with VM rights and attach to it if
3818 // this isn't the current process. We must attach because we'll be touching
3819 // PTEs and PDEs that belong to user-mode memory, and also touching the
3820 // Working Set which is stored in Hyperspace.
3822 Status
= ObReferenceObjectByHandle(ProcessHandle
,
3823 PROCESS_VM_OPERATION
,
3828 if (!NT_SUCCESS(Status
)) return Status
;
3829 if (CurrentProcess
!= Process
)
3831 KeStackAttachProcess(&Process
->Pcb
, &ApcState
);
3837 // Check for large page allocations and make sure that the required privilege
3838 // is being held, before attempting to handle them.
3840 if ((AllocationType
& MEM_LARGE_PAGES
) &&
3841 !(SeSinglePrivilegeCheck(SeLockMemoryPrivilege
, PreviousMode
)))
3843 /* Fail without it */
3844 DPRINT1("Privilege not held for MEM_LARGE_PAGES\n");
3845 Status
= STATUS_PRIVILEGE_NOT_HELD
;
3846 goto FailPathNoLock
;
3850 // Fail on the things we don't yet support
3854 DPRINT1("Zero bits not supported\n");
3855 Status
= STATUS_INVALID_PARAMETER
;
3856 goto FailPathNoLock
;
3858 if ((AllocationType
& MEM_LARGE_PAGES
) == MEM_LARGE_PAGES
)
3860 DPRINT1("MEM_LARGE_PAGES not supported\n");
3861 Status
= STATUS_INVALID_PARAMETER
;
3862 goto FailPathNoLock
;
3864 if ((AllocationType
& MEM_PHYSICAL
) == MEM_PHYSICAL
)
3866 DPRINT1("MEM_PHYSICAL not supported\n");
3867 Status
= STATUS_INVALID_PARAMETER
;
3868 goto FailPathNoLock
;
3870 if ((AllocationType
& MEM_WRITE_WATCH
) == MEM_WRITE_WATCH
)
3872 DPRINT1("MEM_WRITE_WATCH not supported\n");
3873 Status
= STATUS_INVALID_PARAMETER
;
3874 goto FailPathNoLock
;
3876 if ((AllocationType
& MEM_TOP_DOWN
) == MEM_TOP_DOWN
)
3878 DPRINT1("MEM_TOP_DOWN not supported\n");
3879 AllocationType
&= ~MEM_TOP_DOWN
;
3882 if (Process
->VmTopDown
== 1)
3884 DPRINT1("VmTopDown not supported\n");
3885 Status
= STATUS_INVALID_PARAMETER
;
3886 goto FailPathNoLock
;
3890 // Check if the caller is reserving memory, or committing memory and letting
3891 // us pick the base address
3893 if (!(PBaseAddress
) || (AllocationType
& MEM_RESERVE
))
3896 // Do not allow COPY_ON_WRITE through this API
3898 if ((Protect
& PAGE_WRITECOPY
) || (Protect
& PAGE_EXECUTE_WRITECOPY
))
3900 DPRINT1("Copy on write not allowed through this path\n");
3901 Status
= STATUS_INVALID_PAGE_PROTECTION
;
3902 goto FailPathNoLock
;
3906 // Does the caller have an address in mind, or is this a blind commit?
3911 // This is a blind commit, all we need is the region size
3913 PRegionSize
= ROUND_TO_PAGES(PRegionSize
);
3914 PageCount
= BYTES_TO_PAGES(PRegionSize
);
3916 StartingAddress
= 0;
3921 // This is a reservation, so compute the starting address on the
3922 // expected 64KB granularity, and see where the ending address will
3923 // fall based on the aligned address and the passed in region size
3925 StartingAddress
= ROUND_DOWN((ULONG_PTR
)PBaseAddress
, _64K
);
3926 EndingAddress
= ((ULONG_PTR
)PBaseAddress
+ PRegionSize
- 1) | (PAGE_SIZE
- 1);
3927 PageCount
= BYTES_TO_PAGES(EndingAddress
- StartingAddress
);
3931 // Allocate and initialize the VAD
3933 Vad
= ExAllocatePoolWithTag(NonPagedPool
, sizeof(MMVAD_LONG
), 'SdaV');
3934 ASSERT(Vad
!= NULL
);
3935 Vad
->u
.LongFlags
= 0;
3936 if (AllocationType
& MEM_COMMIT
) Vad
->u
.VadFlags
.MemCommit
= 1;
3937 Vad
->u
.VadFlags
.Protection
= ProtectionMask
;
3938 Vad
->u
.VadFlags
.PrivateMemory
= 1;
3939 Vad
->u
.VadFlags
.CommitCharge
= AllocationType
& MEM_COMMIT
? PageCount
: 0;
3942 // Lock the address space and make sure the process isn't already dead
3944 AddressSpace
= MmGetCurrentAddressSpace();
3945 MmLockAddressSpace(AddressSpace
);
3946 if (Process
->VmDeleted
)
3948 Status
= STATUS_PROCESS_IS_TERMINATING
;
3953 // Did we have a base address? If no, find a valid address that is 64KB
3954 // aligned in the VAD tree. Otherwise, make sure that the address range
3955 // which was passed in isn't already conflicting with an existing address
3960 Status
= MiFindEmptyAddressRangeInTree(PRegionSize
,
3963 (PMMADDRESS_NODE
*)&Process
->VadFreeHint
,
3965 if (!NT_SUCCESS(Status
)) goto FailPath
;
3968 // Now we know where the allocation ends. Make sure it doesn't end up
3969 // somewhere in kernel mode.
3971 EndingAddress
= ((ULONG_PTR
)StartingAddress
+ PRegionSize
- 1) | (PAGE_SIZE
- 1);
3972 if ((PVOID
)EndingAddress
> MM_HIGHEST_VAD_ADDRESS
)
3974 Status
= STATUS_NO_MEMORY
;
3978 else if (MiCheckForConflictingNode(StartingAddress
>> PAGE_SHIFT
,
3979 EndingAddress
>> PAGE_SHIFT
,
3983 // The address specified is in conflict!
3985 Status
= STATUS_CONFLICTING_ADDRESSES
;
3990 // Write out the VAD fields for this allocation
3992 Vad
->StartingVpn
= (ULONG_PTR
)StartingAddress
>> PAGE_SHIFT
;
3993 Vad
->EndingVpn
= (ULONG_PTR
)EndingAddress
>> PAGE_SHIFT
;
3996 // FIXME: Should setup VAD bitmap
3998 Status
= STATUS_SUCCESS
;
4001 // Lock the working set and insert the VAD into the process VAD tree
4003 MiLockProcessWorkingSetUnsafe(Process
, CurrentThread
);
4004 Vad
->ControlArea
= NULL
; // For Memory-Area hack
4005 MiInsertVad(Vad
, Process
);
4006 MiUnlockProcessWorkingSetUnsafe(Process
, CurrentThread
);
4009 // Update the virtual size of the process, and if this is now the highest
4010 // virtual size we have ever seen, update the peak virtual size to reflect
4013 Process
->VirtualSize
+= PRegionSize
;
4014 if (Process
->VirtualSize
> Process
->PeakVirtualSize
)
4016 Process
->PeakVirtualSize
= Process
->VirtualSize
;
4020 // Release address space and detach and dereference the target process if
4021 // it was different from the current process
4023 MmUnlockAddressSpace(AddressSpace
);
4024 if (Attached
) KeUnstackDetachProcess(&ApcState
);
4025 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
4028 // Use SEH to write back the base address and the region size. In the case
4029 // of an exception, we do not return back the exception code, as the memory
4030 // *has* been allocated. The caller would now have to call VirtualQuery
4031 // or do some other similar trick to actually find out where its memory
4032 // allocation ended up
4036 *URegionSize
= PRegionSize
;
4037 *UBaseAddress
= (PVOID
)StartingAddress
;
4039 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
4043 return STATUS_SUCCESS
;
4047 // This is a MEM_COMMIT on top of an existing address which must have been
4048 // MEM_RESERVED already. Compute the start and ending base addresses based
4049 // on the user input, and then compute the actual region size once all the
4050 // alignments have been done.
4052 StartingAddress
= (ULONG_PTR
)PAGE_ALIGN(PBaseAddress
);
4053 EndingAddress
= (((ULONG_PTR
)PBaseAddress
+ PRegionSize
- 1) | (PAGE_SIZE
- 1));
4054 PRegionSize
= EndingAddress
- StartingAddress
+ 1;
4057 // Lock the address space and make sure the process isn't already dead
4059 AddressSpace
= MmGetCurrentAddressSpace();
4060 MmLockAddressSpace(AddressSpace
);
4061 if (Process
->VmDeleted
)
4063 DPRINT1("Process is dying\n");
4064 Status
= STATUS_PROCESS_IS_TERMINATING
;
4069 // Get the VAD for this address range, and make sure it exists
4071 FoundVad
= (PMMVAD
)MiCheckForConflictingNode(StartingAddress
>> PAGE_SHIFT
,
4072 EndingAddress
>> PAGE_SHIFT
,
4076 DPRINT1("Could not find a VAD for this allocation\n");
4077 Status
= STATUS_CONFLICTING_ADDRESSES
;
4081 if ((AllocationType
& MEM_RESET
) == MEM_RESET
)
4083 /// @todo HACK: pretend success
4084 DPRINT("MEM_RESET not supported\n");
4085 Status
= STATUS_SUCCESS
;
4090 // These kinds of VADs are illegal for this Windows function when trying to
4091 // commit an existing range
4093 if ((FoundVad
->u
.VadFlags
.VadType
== VadAwe
) ||
4094 (FoundVad
->u
.VadFlags
.VadType
== VadDevicePhysicalMemory
) ||
4095 (FoundVad
->u
.VadFlags
.VadType
== VadLargePages
))
4097 DPRINT1("Illegal VAD for attempting a MEM_COMMIT\n");
4098 Status
= STATUS_CONFLICTING_ADDRESSES
;
4103 // Make sure that this address range actually fits within the VAD for it
4105 if (((StartingAddress
>> PAGE_SHIFT
) < FoundVad
->StartingVpn
) ||
4106 ((EndingAddress
>> PAGE_SHIFT
) > FoundVad
->EndingVpn
))
4108 DPRINT1("Address range does not fit into the VAD\n");
4109 Status
= STATUS_CONFLICTING_ADDRESSES
;
4114 // Make sure this is an ARM3 section
4116 MemoryArea
= MmLocateMemoryAreaByAddress(AddressSpace
, (PVOID
)PAGE_ROUND_DOWN(PBaseAddress
));
4117 if (MemoryArea
->Type
!= MEMORY_AREA_OWNED_BY_ARM3
)
4119 DPRINT1("Illegal commit of non-ARM3 section!\n");
4120 Status
= STATUS_ALREADY_COMMITTED
;
4124 // Is this a previously reserved section being committed? If so, enter the
4125 // special section path
4127 if (FoundVad
->u
.VadFlags
.PrivateMemory
== FALSE
)
4130 // You cannot commit large page sections through this API
4132 if (FoundVad
->u
.VadFlags
.VadType
== VadLargePageSection
)
4134 DPRINT1("Large page sections cannot be VirtualAlloc'd\n");
4135 Status
= STATUS_INVALID_PAGE_PROTECTION
;
4140 // You can only use caching flags on a rotate VAD
4142 if ((Protect
& (PAGE_NOCACHE
| PAGE_WRITECOMBINE
)) &&
4143 (FoundVad
->u
.VadFlags
.VadType
!= VadRotatePhysical
))
4145 DPRINT1("Cannot use caching flags with anything but rotate VADs\n");
4146 Status
= STATUS_INVALID_PAGE_PROTECTION
;
4151 // We should make sure that the section's permissions aren't being
4154 if (FoundVad
->u
.VadFlags
.NoChange
)
4157 // Make sure it's okay to touch it
4159 Status
= MiCheckSecuredVad(FoundVad
,
4163 if (!NT_SUCCESS(Status
))
4165 DPRINT1("Secured VAD being messed around with\n");
4171 // ARM3 does not support file-backed sections, only shared memory
4173 ASSERT(FoundVad
->ControlArea
->FilePointer
== NULL
);
4176 // Rotate VADs cannot be guard pages or inaccessible, nor copy on write
4178 if ((FoundVad
->u
.VadFlags
.VadType
== VadRotatePhysical
) &&
4179 (Protect
& (PAGE_WRITECOPY
| PAGE_EXECUTE_WRITECOPY
| PAGE_NOACCESS
| PAGE_GUARD
)))
4181 DPRINT1("Invalid page protection for rotate VAD\n");
4182 Status
= STATUS_INVALID_PAGE_PROTECTION
;
4187 // Compute PTE addresses and the quota charge, then grab the commit lock
4189 PointerPte
= MI_GET_PROTOTYPE_PTE_FOR_VPN(FoundVad
, StartingAddress
>> PAGE_SHIFT
);
4190 LastPte
= MI_GET_PROTOTYPE_PTE_FOR_VPN(FoundVad
, EndingAddress
>> PAGE_SHIFT
);
4191 QuotaCharge
= (ULONG
)(LastPte
- PointerPte
+ 1);
4192 KeAcquireGuardedMutexUnsafe(&MmSectionCommitMutex
);
4195 // Get the segment template PTE and start looping each page
4197 TempPte
= FoundVad
->ControlArea
->Segment
->SegmentPteTemplate
;
4198 ASSERT(TempPte
.u
.Long
!= 0);
4199 while (PointerPte
<= LastPte
)
4202 // For each non-already-committed page, write the invalid template PTE
4204 if (PointerPte
->u
.Long
== 0)
4206 MI_WRITE_INVALID_PTE(PointerPte
, TempPte
);
4216 // Now do the commit accounting and release the lock
4218 ASSERT(QuotaCharge
>= QuotaFree
);
4219 QuotaCharge
-= QuotaFree
;
4220 FoundVad
->ControlArea
->Segment
->NumberOfCommittedPages
+= QuotaCharge
;
4221 KeReleaseGuardedMutexUnsafe(&MmSectionCommitMutex
);
4224 // We are done with committing the section pages
4226 Status
= STATUS_SUCCESS
;
4231 // This is a specific ReactOS check because we only use normal VADs
4233 ASSERT(FoundVad
->u
.VadFlags
.VadType
== VadNone
);
4236 // While this is an actual Windows check
4238 ASSERT(FoundVad
->u
.VadFlags
.VadType
!= VadRotatePhysical
);
4241 // Throw out attempts to use copy-on-write through this API path
4243 if ((Protect
& PAGE_WRITECOPY
) || (Protect
& PAGE_EXECUTE_WRITECOPY
))
4245 DPRINT1("Write copy attempted when not allowed\n");
4246 Status
= STATUS_INVALID_PAGE_PROTECTION
;
4251 // Initialize a demand-zero PTE
4254 TempPte
.u
.Soft
.Protection
= ProtectionMask
;
4255 NT_ASSERT(TempPte
.u
.Long
!= 0);
4258 // Get the PTE, PDE and the last PTE for this address range
4260 PointerPde
= MiAddressToPde(StartingAddress
);
4261 PointerPte
= MiAddressToPte(StartingAddress
);
4262 LastPte
= MiAddressToPte(EndingAddress
);
4265 // Update the commit charge in the VAD as well as in the process, and check
4266 // if this commit charge was now higher than the last recorded peak, in which
4267 // case we also update the peak
4269 FoundVad
->u
.VadFlags
.CommitCharge
+= (1 + LastPte
- PointerPte
);
4270 Process
->CommitCharge
+= (1 + LastPte
- PointerPte
);
4271 if (Process
->CommitCharge
> Process
->CommitChargePeak
)
4273 Process
->CommitChargePeak
= Process
->CommitCharge
;
4277 // Lock the working set while we play with user pages and page tables
4279 MiLockProcessWorkingSetUnsafe(Process
, CurrentThread
);
4282 // Make the current page table valid, and then loop each page within it
4284 MiMakePdeExistAndMakeValid(PointerPde
, Process
, MM_NOIRQL
);
4285 while (PointerPte
<= LastPte
)
4288 // Have we crossed into a new page table?
4290 if (MiIsPteOnPdeBoundary(PointerPte
))
4293 // Get the PDE and now make it valid too
4295 PointerPde
= MiAddressToPte(PointerPte
);
4296 MiMakePdeExistAndMakeValid(PointerPde
, Process
, MM_NOIRQL
);
4300 // Is this a zero PTE as expected?
4302 if (PointerPte
->u
.Long
== 0)
4305 // First increment the count of pages in the page table for this
4308 MiIncrementPageTableReferences(MiPteToAddress(PointerPte
));
4311 // And now write the invalid demand-zero PTE as requested
4313 MI_WRITE_INVALID_PTE(PointerPte
, TempPte
);
4315 else if (PointerPte
->u
.Long
== MmDecommittedPte
.u
.Long
)
4318 // If the PTE was already decommitted, there is nothing else to do
4319 // but to write the new demand-zero PTE
4321 MI_WRITE_INVALID_PTE(PointerPte
, TempPte
);
4323 else if (!(ChangeProtection
) && (Protect
!= MiGetPageProtection(PointerPte
)))
4326 // We don't handle these scenarios yet
4328 if (PointerPte
->u
.Soft
.Valid
== 0)
4330 ASSERT(PointerPte
->u
.Soft
.Prototype
== 0);
4331 ASSERT(PointerPte
->u
.Soft
.PageFileHigh
== 0);
4335 // There's a change in protection, remember this for later, but do
4336 // not yet handle it.
4338 ChangeProtection
= TRUE
;
4342 // Move to the next PTE
4348 // Release the working set lock, unlock the address space, and detach from
4349 // the target process if it was not the current process. Also dereference the
4350 // target process if this wasn't the case.
4352 MiUnlockProcessWorkingSetUnsafe(Process
, CurrentThread
);
4353 Status
= STATUS_SUCCESS
;
4355 MmUnlockAddressSpace(AddressSpace
);
4358 // Check if we need to update the protection
4360 if (ChangeProtection
)
4362 PVOID ProtectBaseAddress
= (PVOID
)StartingAddress
;
4363 SIZE_T ProtectSize
= PRegionSize
;
4364 ULONG OldProtection
;
4367 // Change the protection of the region
4369 MiProtectVirtualMemory(Process
,
4370 &ProtectBaseAddress
,
4377 if (Attached
) KeUnstackDetachProcess(&ApcState
);
4378 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
4381 // Use SEH to write back the base address and the region size. In the case
4382 // of an exception, we strangely do return back the exception code, even
4383 // though the memory *has* been allocated. This mimics Windows behavior and
4384 // there is not much we can do about it.
4388 *URegionSize
= PRegionSize
;
4389 *UBaseAddress
= (PVOID
)StartingAddress
;
4391 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
4393 Status
= _SEH2_GetExceptionCode();
4404 NtFreeVirtualMemory(IN HANDLE ProcessHandle
,
4405 IN PVOID
* UBaseAddress
,
4406 IN PSIZE_T URegionSize
,
4409 PMEMORY_AREA MemoryArea
;
4412 ULONG_PTR CommitReduction
= 0;
4413 ULONG_PTR StartingAddress
, EndingAddress
;
4417 PMMSUPPORT AddressSpace
;
4418 PETHREAD CurrentThread
= PsGetCurrentThread();
4419 PEPROCESS CurrentProcess
= PsGetCurrentProcess();
4420 KPROCESSOR_MODE PreviousMode
= KeGetPreviousMode();
4421 KAPC_STATE ApcState
;
4422 BOOLEAN Attached
= FALSE
;
4426 // Only two flags are supported
4428 if (!(FreeType
& (MEM_RELEASE
| MEM_DECOMMIT
)))
4430 DPRINT1("Invalid FreeType\n");
4431 return STATUS_INVALID_PARAMETER_4
;
4435 // Check if no flag was used, or if both flags were used
4437 if (!((FreeType
& (MEM_DECOMMIT
| MEM_RELEASE
))) ||
4438 ((FreeType
& (MEM_DECOMMIT
| MEM_RELEASE
)) == (MEM_DECOMMIT
| MEM_RELEASE
)))
4440 DPRINT1("Invalid FreeType combination\n");
4441 return STATUS_INVALID_PARAMETER_4
;
4445 // Enter SEH for probe and capture. On failure, return back to the caller
4446 // with an exception violation.
4451 // Check for user-mode parameters and make sure that they are writeable
4453 if (PreviousMode
!= KernelMode
)
4455 ProbeForWritePointer(UBaseAddress
);
4456 ProbeForWriteUlong(URegionSize
);
4460 // Capture the current values
4462 PBaseAddress
= *UBaseAddress
;
4463 PRegionSize
= *URegionSize
;
4465 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
4467 _SEH2_YIELD(return _SEH2_GetExceptionCode());
4472 // Make sure the allocation isn't past the user area
4474 if (PBaseAddress
>= MM_HIGHEST_USER_ADDRESS
)
4476 DPRINT1("Virtual free base above User Space\n");
4477 return STATUS_INVALID_PARAMETER_2
;
4481 // Make sure the allocation wouldn't overflow past the user area
4483 if (((ULONG_PTR
)MM_HIGHEST_USER_ADDRESS
- (ULONG_PTR
)PBaseAddress
) < PRegionSize
)
4485 DPRINT1("Region size would overflow into kernel-memory\n");
4486 return STATUS_INVALID_PARAMETER_3
;
4490 // If this is for the current process, just use PsGetCurrentProcess
4492 if (ProcessHandle
== NtCurrentProcess())
4494 Process
= CurrentProcess
;
4499 // Otherwise, reference the process with VM rights and attach to it if
4500 // this isn't the current process. We must attach because we'll be touching
4501 // PTEs and PDEs that belong to user-mode memory, and also touching the
4502 // Working Set which is stored in Hyperspace.
4504 Status
= ObReferenceObjectByHandle(ProcessHandle
,
4505 PROCESS_VM_OPERATION
,
4510 if (!NT_SUCCESS(Status
)) return Status
;
4511 if (CurrentProcess
!= Process
)
4513 KeStackAttachProcess(&Process
->Pcb
, &ApcState
);
4519 // Lock the address space
4521 AddressSpace
= MmGetCurrentAddressSpace();
4522 MmLockAddressSpace(AddressSpace
);
4525 // If the address space is being deleted, fail the de-allocation since it's
4526 // too late to do anything about it
4528 if (Process
->VmDeleted
)
4530 DPRINT1("Process is dead\n");
4531 Status
= STATUS_PROCESS_IS_TERMINATING
;
4536 // Compute start and end addresses, and locate the VAD
4538 StartingAddress
= (ULONG_PTR
)PAGE_ALIGN(PBaseAddress
);
4539 EndingAddress
= ((ULONG_PTR
)PBaseAddress
+ PRegionSize
- 1) | (PAGE_SIZE
- 1);
4540 Vad
= MiLocateAddress((PVOID
)StartingAddress
);
4543 DPRINT1("Unable to find VAD for address 0x%p\n", StartingAddress
);
4544 Status
= STATUS_MEMORY_NOT_ALLOCATED
;
4549 // If the range exceeds the VAD's ending VPN, fail this request
4551 if (Vad
->EndingVpn
< (EndingAddress
>> PAGE_SHIFT
))
4553 DPRINT1("Address 0x%p is beyond the VAD\n", EndingAddress
);
4554 Status
= STATUS_UNABLE_TO_FREE_VM
;
4559 // Only private memory (except rotate VADs) can be freed through here */
4561 if ((!(Vad
->u
.VadFlags
.PrivateMemory
) &&
4562 (Vad
->u
.VadFlags
.VadType
!= VadRotatePhysical
)) ||
4563 (Vad
->u
.VadFlags
.VadType
== VadDevicePhysicalMemory
))
4565 DPRINT1("Attempt to free section memory\n");
4566 Status
= STATUS_UNABLE_TO_DELETE_SECTION
;
4571 // ARM3 does not yet handle protected VM
4573 ASSERT(Vad
->u
.VadFlags
.NoChange
== 0);
4576 // Finally, make sure there is a ReactOS Mm MEMORY_AREA for this allocation
4577 // and that is is an ARM3 memory area, and not a section view, as we currently
4578 // don't support freeing those though this interface.
4580 MemoryArea
= MmLocateMemoryAreaByAddress(AddressSpace
, (PVOID
)StartingAddress
);
4582 ASSERT(MemoryArea
->Type
== MEMORY_AREA_OWNED_BY_ARM3
);
4585 // Now we can try the operation. First check if this is a RELEASE or a DECOMMIT
4587 if (FreeType
& MEM_RELEASE
)
4590 // ARM3 only supports this VAD in this path
4592 ASSERT(Vad
->u
.VadFlags
.VadType
== VadNone
);
4595 // Is the caller trying to remove the whole VAD, or remove only a portion
4596 // of it? If no region size is specified, then the assumption is that the
4597 // whole VAD is to be destroyed
4602 // The caller must specify the base address identically to the range
4603 // that is stored in the VAD.
4605 if (((ULONG_PTR
)PBaseAddress
>> PAGE_SHIFT
) != Vad
->StartingVpn
)
4607 DPRINT1("Address 0x%p does not match the VAD\n", PBaseAddress
);
4608 Status
= STATUS_FREE_VM_NOT_AT_BASE
;
4613 // Now compute the actual start/end addresses based on the VAD
4615 StartingAddress
= Vad
->StartingVpn
<< PAGE_SHIFT
;
4616 EndingAddress
= (Vad
->EndingVpn
<< PAGE_SHIFT
) | (PAGE_SIZE
- 1);
4619 // Finally lock the working set and remove the VAD from the VAD tree
4621 MiLockProcessWorkingSetUnsafe(Process
, CurrentThread
);
4622 ASSERT(Process
->VadRoot
.NumberGenericTableElements
>= 1);
4623 MiRemoveNode((PMMADDRESS_NODE
)Vad
, &Process
->VadRoot
);
4628 // This means the caller wants to release a specific region within
4629 // the range. We have to find out which range this is -- the following
4630 // possibilities exist plus their union (CASE D):
4632 // STARTING ADDRESS ENDING ADDRESS
4633 // [<========][========================================][=========>]
4634 // CASE A CASE B CASE C
4637 // First, check for case A or D
4639 if ((StartingAddress
>> PAGE_SHIFT
) == Vad
->StartingVpn
)
4644 if ((EndingAddress
>> PAGE_SHIFT
) == Vad
->EndingVpn
)
4647 // This is the easiest one to handle -- it is identical to
4648 // the code path above when the caller sets a zero region size
4649 // and the whole VAD is destroyed
4651 MiLockProcessWorkingSetUnsafe(Process
, CurrentThread
);
4652 ASSERT(Process
->VadRoot
.NumberGenericTableElements
>= 1);
4653 MiRemoveNode((PMMADDRESS_NODE
)Vad
, &Process
->VadRoot
);
4658 // This case is pretty easy too -- we compute a bunch of
4659 // pages to decommit, and then push the VAD's starting address
4660 // a bit further down, then decrement the commit charge
4662 // NOT YET IMPLEMENTED IN ARM3.
4664 DPRINT1("Case A not handled\n");
4665 Status
= STATUS_FREE_VM_NOT_AT_BASE
;
4669 // After analyzing the VAD, set it to NULL so that we don't
4670 // free it in the exit path
4678 // This is case B or case C. First check for case C
4680 if ((EndingAddress
>> PAGE_SHIFT
) == Vad
->EndingVpn
)
4682 PMEMORY_AREA MemoryArea
;
4685 // This is pretty easy and similar to case A. We compute the
4686 // amount of pages to decommit, update the VAD's commit charge
4687 // and then change the ending address of the VAD to be a bit
4690 MiLockProcessWorkingSetUnsafe(Process
, CurrentThread
);
4691 CommitReduction
= MiCalculatePageCommitment(StartingAddress
,
4695 Vad
->u
.VadFlags
.CommitCharge
-= CommitReduction
;
4696 // For ReactOS: shrink the corresponding memory area
4697 MemoryArea
= MmLocateMemoryAreaByAddress(AddressSpace
, (PVOID
)StartingAddress
);
4698 ASSERT(Vad
->StartingVpn
<< PAGE_SHIFT
== (ULONG_PTR
)MemoryArea
->StartingAddress
);
4699 ASSERT((Vad
->EndingVpn
+ 1) << PAGE_SHIFT
== (ULONG_PTR
)MemoryArea
->EndingAddress
);
4700 Vad
->EndingVpn
= ((ULONG_PTR
)StartingAddress
- 1) >> PAGE_SHIFT
;
4701 MemoryArea
->EndingAddress
= (PVOID
)(((Vad
->EndingVpn
+ 1) << PAGE_SHIFT
) - 1);
4706 // This is case B and the hardest one. Because we are removing
4707 // a chunk of memory from the very middle of the VAD, we must
4708 // actually split the VAD into two new VADs and compute the
4709 // commit charges for each of them, and reinsert new charges.
4711 // NOT YET IMPLEMENTED IN ARM3.
4713 DPRINT1("Case B not handled\n");
4714 Status
= STATUS_FREE_VM_NOT_AT_BASE
;
4719 // After analyzing the VAD, set it to NULL so that we don't
4720 // free it in the exit path
4727 // Now we have a range of pages to dereference, so call the right API
4728 // to do that and then release the working set, since we're done messing
4729 // around with process pages.
4731 MiDeleteVirtualAddresses(StartingAddress
, EndingAddress
, NULL
);
4732 MiUnlockProcessWorkingSetUnsafe(Process
, CurrentThread
);
4733 Status
= STATUS_SUCCESS
;
4737 // Update the process counters
4739 PRegionSize
= EndingAddress
- StartingAddress
+ 1;
4740 Process
->CommitCharge
-= CommitReduction
;
4741 if (FreeType
& MEM_RELEASE
) Process
->VirtualSize
-= PRegionSize
;
4744 // Unlock the address space and free the VAD in failure cases. Next,
4745 // detach from the target process so we can write the region size and the
4746 // base address to the correct source process, and dereference the target
4749 MmUnlockAddressSpace(AddressSpace
);
4750 if (Vad
) ExFreePool(Vad
);
4751 if (Attached
) KeUnstackDetachProcess(&ApcState
);
4752 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
4755 // Use SEH to safely return the region size and the base address of the
4756 // deallocation. If we get an access violation, don't return a failure code
4757 // as the deallocation *has* happened. The caller will just have to figure
4758 // out another way to find out where it is (such as VirtualQuery).
4762 *URegionSize
= PRegionSize
;
4763 *UBaseAddress
= (PVOID
)StartingAddress
;
4765 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
4773 // This is the decommit path. You cannot decommit from the following VADs in
4774 // Windows, so fail the vall
4776 if ((Vad
->u
.VadFlags
.VadType
== VadAwe
) ||
4777 (Vad
->u
.VadFlags
.VadType
== VadLargePages
) ||
4778 (Vad
->u
.VadFlags
.VadType
== VadRotatePhysical
))
4780 DPRINT1("Trying to decommit from invalid VAD\n");
4781 Status
= STATUS_MEMORY_NOT_ALLOCATED
;
4786 // If the caller did not specify a region size, first make sure that this
4787 // region is actually committed. If it is, then compute the ending address
4788 // based on the VAD.
4792 if (((ULONG_PTR
)PBaseAddress
>> PAGE_SHIFT
) != Vad
->StartingVpn
)
4794 DPRINT1("Decomitting non-committed memory\n");
4795 Status
= STATUS_FREE_VM_NOT_AT_BASE
;
4798 EndingAddress
= (Vad
->EndingVpn
<< PAGE_SHIFT
) | (PAGE_SIZE
- 1);
4802 // Decommit the PTEs for the range plus the actual backing pages for the
4803 // range, then reduce that amount from the commit charge in the VAD
4805 CommitReduction
= MiAddressToPte(EndingAddress
) -
4806 MiAddressToPte(StartingAddress
) +
4808 MiDecommitPages((PVOID
)StartingAddress
,
4809 MiAddressToPte(EndingAddress
),
4812 ASSERT(CommitReduction
>= 0);
4813 Vad
->u
.VadFlags
.CommitCharge
-= CommitReduction
;
4814 ASSERT(Vad
->u
.VadFlags
.CommitCharge
>= 0);
4817 // We are done, go to the exit path without freeing the VAD as it remains
4818 // valid since we have not released the allocation.
4821 Status
= STATUS_SUCCESS
;
4825 // In the failure path, we detach and derefernece the target process, and
4826 // return whatever failure code was sent.
4829 MmUnlockAddressSpace(AddressSpace
);
4830 if (Attached
) KeUnstackDetachProcess(&ApcState
);
4831 if (ProcessHandle
!= NtCurrentProcess()) ObDereferenceObject(Process
);
4838 MmGetPhysicalAddress(PVOID Address
)
4840 PHYSICAL_ADDRESS PhysicalAddress
;
4844 /* Check if the PXE/PPE/PDE is valid */
4846 #if (_MI_PAGING_LEVELS == 4)
4847 (MiAddressToPxe(Address
)->u
.Hard
.Valid
) &&
4849 #if (_MI_PAGING_LEVELS >= 3)
4850 (MiAddressToPpe(Address
)->u
.Hard
.Valid
) &&
4852 (MiAddressToPde(Address
)->u
.Hard
.Valid
))
4854 /* Check for large pages */
4855 TempPde
= *MiAddressToPde(Address
);
4856 if (TempPde
.u
.Hard
.LargePage
)
4858 /* Physical address is base page + large page offset */
4859 PhysicalAddress
.QuadPart
= TempPde
.u
.Hard
.PageFrameNumber
<< PAGE_SHIFT
;
4860 PhysicalAddress
.QuadPart
+= ((ULONG_PTR
)Address
& (PAGE_SIZE
* PTE_PER_PAGE
- 1));
4861 return PhysicalAddress
;
4864 /* Check if the PTE is valid */
4865 TempPte
= *MiAddressToPte(Address
);
4866 if (TempPte
.u
.Hard
.Valid
)
4868 /* Physical address is base page + page offset */
4869 PhysicalAddress
.QuadPart
= TempPte
.u
.Hard
.PageFrameNumber
<< PAGE_SHIFT
;
4870 PhysicalAddress
.QuadPart
+= ((ULONG_PTR
)Address
& (PAGE_SIZE
- 1));
4871 return PhysicalAddress
;
4875 DPRINT1("MM:MmGetPhysicalAddressFailed base address was %p\n", Address
);
4876 PhysicalAddress
.QuadPart
= 0;
4877 return PhysicalAddress
;