I am sorry for the late reply.
I aggree your point but I had unmap the mapped-user address space.
Pls let me to explain my senario.
- While mapping the kernel virtual Space with user virtual Space, I had
put KdPrint((…)) to print the physical address of Kernel and User
virtual spaces using MmGetPhysicalAddress(…). I got the same physical
addresses, say 1A920C0064x.
PhysicalAddress = MmGetPhysicalAddress(
pDevExt->pDeviceBuffer );
KdPrint((“\nPhysical Address of Allocated KernelMemory :
%16X64x”, PhysicalAddress.QuadPart));
PhysicalAddress = MmGetPhysicalAddress(
pDevExt->pMappedUserSpace );
KdPrint((“\nPhysical Address of Allocated KernelMemory :
%16X64x”, PhysicalAddress.QuadPart));
- After unmap the user virtual address, I printed the physical address
of user address, now the value was different, say 064x.
MmUnmapLockedPages(
pDevExt->pMappedUserSpace,
pDevExt->pMappingMdl
);
IoFreeMdl( pDevExt->pMappingMdl );
PhysicalAddress = MmGetPhysicalAddress(
pDevExt->pMappedUserSpace );
KdPrint((“\nPhysical Address of Allocated KernelMemory :
%16X64x”, PhysicalAddress.QuadPart));
- This time I didn’t get nay crash for long time.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mats PETERSSON
Sent: Thursday, April 21, 2005 2:09 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] doubt regarding mapping the user and kernel space
Thanks for your response.
It is my mistake…Yes I didn’t call MmUnmapLockedPages(…).
You are telling that mapping doesn’t allocate any memory in user
space.
But after I de-allocated kernel memory and unmapped user memory, I
have still able to access the user space memory. I anticipated some
user mode exception. Now I am not getting any kind of bugcheck.
Yes, you would still be able to access the memory, since the PTE’s
created for the user-space page-table are still available. Since the
user-space page-tables still contain the “valid” bit, you don’t get any
exception.
That, however, doesn’t mean that it’s a good thing to access these
pages.
Let’s say you allocate one page of kernel memory in non-paged pool, that
page is at 0x4000000 physical address. Then map it to user memory,
giving it a virtual address of 0x12340000. Now we de-allocate the kernel
memory.
0x4000000 physical page is now “unused” according to the OS. Next the OS
decides that it needs a page of memory for the file-system. It gets our
page at 0x4000000, and fills it with some directory data to be written
to the disk. Now your user-mode app goes and writes to the memory,
filling it with it’s data. Then the file-system writes it’s directory
data. Guess
what: Your file-system is now corrupt. You won’t get a blue-screen at
this time [some time later, maybe, but not now].
Since there are two page-tables, both pointing at the same physical
memory, there is no way to determine that one of them points to memory
that has previously been de-allocated (the OS doesn’t keep track of
user-mode mappings against kernel memory, it’s your task to do that
correctly). As long as the page-table for user-mode contains valid data,
which it will do “forever” when it comes to non-paged pool, as it’s
never being paged out, you can access that memory from the user-mode
app. It won’t contain the kernel-mode data that you expect it to
contain, and any write to that memory will cause horrible things to
happen. In your case, pool-corruption, which probably means that you
were allocating a small portion of memory, and when you write to that
memory after the kernel driver has freed it, it’s causing an overwrite
of the kernel’s pool tracking, which causes your bug-check. In a
different scenario, you may get random bug-checks in a different driver
(say for instance that there is a pointer stored in a data-structure
owned by the network driver, and you overwrite that pointer with some
value that isn’t a good pointer, the network driver would get a
page-fault in an unexpected region).
–
Mats
Raja
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Wednesday, April 20, 2005 10:04 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] doubt regarding mapping the user and kernel space
Kannan, Raja wrote:
> Hi Everybody,
> I have some doubt regarding mapping the user and kernel space.
>
> I allocated memory space in non-paged pool from a user thread
> context (i.e., through DeviceIoControl) and mapped it to the user
> space, So that I got a user-space address which had mapped can
> access kernel mode memory from user space.
>
A dangerous practice, but that’s a discussion for another day.
> After I had used that memory space I deallocated the allocated
> non-paged pool. Now how I could reallocate the mapped user-space? Or
> What is the scope of the mapped user-space?
>
YOU need to unmap the user-mode mapping before freeing the non-paged
pool. That is your driver’s responsibility. The operating system
does not track this.
> I assume that mapping the allocated kernel-space with user-space
> will allocate the same size in user-space and both will get the same
> copy of PTEs. Am I right?
>
Well, there will be two separate sets of PTEs, but both sets will
point to the same physical addresses. When you release the memory
back to the non-paged pool, you are telling the operating system that
it is safe to assign those physical pages for other purposes. It does
not know that you have left around a user-space address that still
points to this memory. When your user-mode process writes to that
address, it is writing on someone else’s memory. Such an action is
generally incompatible with the ongoing peaceful existance of your
Windows session.
> If I try to use the mapped user-space memory after I deallocated the
> kernel-space, bugcheck occurs with DRIVER_CORRUPTED_EXPOOL code.
>
Exactly. I’m not sure what else you would expect.
> Please explain me what will be happening while doing the map.
>
I think you described it. The operating system creates a new set of
PTEs in the user-mode space that point to your existing physical
address. It does not allocate any memory for this, nor does it track
that there are two mappings to this address. That is YOUR
responsibility.
–
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as:
xxxxx@networkgeneral.com To unsubscribe send a blank email to
xxxxx@lists.osr.com
Questions? First check the Kernel Driver FAQ at http://www.
osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: unknown lmsubst tag
argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
ForwardSourceID:NT00011222
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@networkgeneral.com
To unsubscribe send a blank email to xxxxx@lists.osr.com