Page frame reuse(Windows 7)

Hello everyone.

I noticed some weird behavior on my Windows 7 virtual machine. I’m using Linux’s KVM to track execution and modifications to page frames.

I have some code in Windows 7 that uses MmProbeAndLockPages() to lock a virtual memory range belonging to a DLL that is loaded in userspace.

Now, I noticed that one of the frames that is locked within that DLL is also used in some other DLL! Even though I see no connection between these DLLs, and I don’t see the content being equal either.

Is there any possibility for this to happen? Does Windows 7 have a mechanism similar to Linux’s KSM (Kernel same page merging)?

I noticed each DLL uses a different segment of that page frame.

Thanks.

xxxxx@gmail.com wrote:

> I noticed some weird behavior on my Windows 7 virtual machine. I’m using Linux’s KVM to track execution and modifications to page frames.
>
> I have some code in Windows 7 that uses MmProbeAndLockPages() to lock
> a virtual memory range belonging to a DLL that is loaded in userspace.
>
> Now, I noticed that one of the frames that is locked within that DLL is also used in some other DLL! Even though I see no connection between these DLLs, and I don’t see the content being equal either.

Do you mean, within the code portion of the DLL? Part of the .text
section? Are these within a single process?

> Is there any possibility for this to happen?

No. It’s certainly possible for a single page to have multiple virtual
mappings, but in that case the views will (of course) all be identical.
Can you show us the actual evidence for this? If you dump the physical
page, the contents are what they are. If a virtual region in another
DLL shows different content, then it cannot possibly be mapped to the
same physical page.

> I noticed each DLL uses a different segment of that page frame.

What does that mean? A page is an indivisible structure.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Some hypervisors will optimize physical memory use by detecting identical pages, even across VMs, and map them all to the same physical page. If you have a hundred VMs, all the identical read only pages, like code, can add up to a significant amount of memory.

Jan

> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http:
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at http:

Like zero pages, for example.


On Jan 11, 2018, at 8:30 PM, xxxxx@pmatrix.com wrote:
>
> Some hypervisors will optimize physical memory use by detecting identical pages, even across VMs, and map them all to the same physical page. If you have a hundred VMs, all the identical read only pages, like code, can add up to a significant amount of memory.

Yes, but you cannot have two virtual pages map to a single physical page with two different contents.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

There are cases of multiple writable virtual pages being aliased with totally different contexts to the same physical page. These are for “don’t care” pages. Specifically in the case where the virtual memory manager generates sparse MDLs to optimize IO read sizes. In these cases the OS wants to read say disk offset 0x1000 and 0x3000, so it might generate a single read that’s 0x3000 long, mapping the 0x1000 data to the desired location, mapping the 0x2000 data to a don’t care page, and the 0x3000 data to the desired location. When the DMA transfer happens, the middle page is still read, but its values are sent to a don’t care page. The strategy is it’s faster to do a single 0x3000 read than two 0x1000 reads. I’ve written code myself where I needed a big dummy receive buffer, and built an MDL that mapped all the pages of a few megabytes of virtual space to a single page. This was used for some error recovery where I needed to discard a bunch of data, but still needed a virtual address/MDL to pass to the transfer API.

Jan
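The "don't care" page aliasing described in the message above, as an added user-space model that is not part of the original thread and is not Windows kernel code. The frame numbers, marker bytes and the names `pfn_list`, `dma_read`, `shared_frame` and `run_reads` are constructed for illustration; the point is that two unrelated transfers can both list the same frame while their wanted pages stay distinct.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGE_SIZE   0x1000u
#define DUMMY_FRAME 7u   /* constructed: the shared "don't care" frame */

/* Constructed model of physical memory: frame number -> one page of bytes. */
static uint8_t phys[8][PAGE_SIZE];

/* Model of an MDL's PFN array: entry i is the frame that receives page i. */
struct pfn_list { size_t pages; uint32_t pfn[3]; };

/* Two unrelated 0x3000-byte reads; each wants only its first and last page. */
static const struct pfn_list read_a = { 3, { 1, DUMMY_FRAME, 2 } };
static const struct pfn_list read_b = { 3, { 4, DUMMY_FRAME, 5 } };

/* Model of the DMA transfer: page i of the device data lands in frame pfn[i]. */
static void dma_read(const struct pfn_list *l, const uint8_t *dev)
{
    for (size_t i = 0; i < l->pages; i++)
        memcpy(phys[l->pfn[i]], dev + i * PAGE_SIZE, PAGE_SIZE);
}

/* Frame referenced by both lists, or -1: what a frame tracker would flag. */
static int shared_frame(const struct pfn_list *x, const struct pfn_list *y)
{
    for (size_t i = 0; i < x->pages; i++)
        for (size_t j = 0; j < y->pages; j++)
            if (x->pfn[i] == y->pfn[j]) return (int)x->pfn[i];
    return -1;
}

/* Run both reads; each device page is filled with its own marker byte. */
static void run_reads(void)
{
    static uint8_t dev[3 * PAGE_SIZE];
    const char *marks[2] = { "AxB", "CyD" };   /* middle byte = unwanted page */
    const struct pfn_list *lists[2] = { &read_a, &read_b };
    for (int r = 0; r < 2; r++) {
        for (size_t p = 0; p < 3; p++)
            memset(dev + p * PAGE_SIZE, marks[r][p], PAGE_SIZE);
        dma_read(lists[r], dev);
    }
}

int main(void)
{
    run_reads();
    printf("shared frame %d holds '%c'\n", shared_frame(&read_a, &read_b), phys[DUMMY_FRAME][0]);
    return 0;
}
```

In this model the dummy frame ends up holding only the discarded middle page of the most recent read, so a tool that tracks frames sees one frame listed by two transfers even though neither caller consumes its contents.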
