Seems like the simplest thing would be the best. Use a METHOD_IN_DIRECT (so
the buffer is writable) IOCTL and just pass the locked buffer to Xen. If
you do that in a KMDF driver, you only have to put it in a WDFQUEUE that has
a EvtIoCanceledOnQueue routine, and basically forget about it. When the app
cancels the request, ask Xen to stop using the buffer.
Phil
Philip D. Barila??? (303) 776-1264
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Skywing
Sent: Monday, November 22, 2010 7:20 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] mapping large userspace buffers from a driver
Yes, MmSecureVirtualMemory is generally discouraged from the standpoint of
using it to avoid try/except usage across accesses to the VA region in
question. For example, a malicious application could hand you back a VA
range that corresponds to a memory mapped file view backed by a network
file, and accesses to that VA range may still fault if the network
connection were to go away, MmSecureVirtualMemory or not. Consequently,
there aren’t very many scenarios where MmSecureVirtualMemory is really all
that useful to begin with.
Please also note that MmSecureVirtualMemory has nothing to do with locking
pages down such that they aren’t pageable (it only deals with the virtual
mapping itself), so it would be an error to assume that you can save away
the apparent backing physical address of a region that has just been
MmSecureVirtualMemory’d only. This would likely yield random memory
corruption when those pages are outpaged and the physical addresses in
question are repurposed for some other use.
If you need to lock the physical pages down of a user mode allocation, you
should use the standard MmProbeAndLockPages approach. Note also that you
will need to remember to unlock the pages when the process goes away (one
way to do this might be to tie the lifetime of the locked pages to a pending
I/O request).
It sounds to me like you aren’t even going to use the user VA mapping from
anywhere other than the user app though (if I understand you correctly), so
I’m not sure why you why you would be looking at MmSecureVirtualMemory.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of James Harper
Sent: Monday, November 22, 2010 5:06 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] mapping large userspace buffers from a driver
I want to be able to map large (~1MB) buffers to Xen (Dom0, strictly
speaking, for anyone who knows a bit about Xen), which is also accessible
via userspace under windows. Because of the overheads of granting access to
Xen to access memory owned by VM, I want to do the mapping when the windows
application starts, and unmap it when the application ends.
From what I understand of memory sharing between userspace and kernel space,
I believe that the userspace application should allocate the memory then
give it to the driver which does the appropriate locking and then makes the
pfn’s accessible to Xen. I believe the opposite (allocate the memory in the
driver and give it to userspace) is either not possible or not recommended.
Because the buffer remains mapped, I want the driver to give the application
a handle to that memory (just a counter starting at 1 or something like
that) and then use that handle to tell the driver when there is new
information in that buffer which in turn signals xen.
So the process from the userspace applications point of view would go:
- allocate a buffer
- open the driver
- tell the driver to map the buffer (via IOCTL presumably). Store the
returned handle (eg 1) 4. load the buffer with data 5. tell the driver that
the buffer identified by handle (eg 1) contains data (again, via IOCTL) 6.
when the call completes, xen is finished with the buffer 7. repeat 8. unmap
the buffer at the end (IOCTL)
Does that sound like an even remotely sensible way to approach this? if
there weren’t any overheads in mapping the buffers to xen then I’d just go
with plain IOCTL’s and have done with it.
It seems that in order to make use of the input (for passing the address and
size of the buffer to be mapped) and output (for returning my
handle) parameters in the DeviceIoControl call, I need to use “neither
buffered nor direct i/o”, but the docs say that “only highest-level drivers”
can do that as they must be executing in the context of the calling thread.
Does my driver qualify if it is being directly called by the userspace
application? Is there another channel I could use to return the handle, eg
the lpBytesReturned parameter? Or is that strictly for indicating the
length?
I believe I can prevent the userspace application from releasing the buffer
by using MmSecureVirtualMemory. The docs seem to discourage the use of that
function though… or maybe they are discouraging scenarios which would lead
to requiring the use of that function…
All comments and suggestions appreciated?
Thanks
James
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer