MDL mapping

Hello,

I have a filecopy routine in kernel mode, and when I issue IRP_MJ_WRITE,
irp->UserBuffer is sometimes used in a non-system process by ecache.sys
(ReadyBoost, Vista OS). Since the MDL was only mapped into the system process,
the ecache driver accesses invalid memory. How can I map the MDL into all processes?

In a system work item, I open the file and then call:

  • MmCreateSection + MmMapViewOfSection
  • MmInitializeMdl + MmProbeAndLockPages

and issue IRP_MJ_WRITE with:

  • irp->MdlAddress = pMdl;
  • irp->UserBuffer = MmGetMdlVirtualAddress( pMdl );

Thanks,

Petr

kd> dt nt!_MDL 9aea6084
+0x000 Next : (null)
+0x004 Size : 100
+0x006 MdlFlags : 3 (MDL_MAPPED_TO_SYSTEM_VA | MDL_PAGES_LOCKED)
+0x008 Process : 0x83333a58 _EPROCESS
+0x00c MappedSystemVa : 0x02330000
+0x010 StartVa : 0x02330000
+0x014 ByteCount : 0x11400
+0x018 ByteOffset : 0

ecache.sys callstack:

kd> kb
ChildEBP RetAddr Args to Child
8039d97c 818e6c83 00000003 1f0f5e92 00000000 nt!RtlpBreakWithStatusInstruction
8039d9cc 818e7769 00000003 02330000 8185feb4 nt!KiBugCheckDebugBreak+0x1c
8039dd98 81866fb9 0000000a 02330000 00000002 nt!KeBugCheck2+0x66d
8039dd98 8185feb4 0000000a 02330000 00000002 nt!KiTrap0E+0x2e1
8039de30 8612b128 9aebf000 02330000 00011400 nt!RtlCompareMemory+0x14
8039de94 818c01fb 850d3020 84642d70 00d350f8 ecache!EcDispatchReadWriteCompletion+0x462
8039dec8 8615fd5f 8039defc 8615f3ee 84c6eac8 nt!IopfCompleteRequest+0x11d
8039ded0 8615f3ee 84c6eac8 84642d70 00000001 CLASSPNP!ClassCompleteRequest+0x11
8039defc 818c01fb 00000000 83353c08 00f774f8 CLASSPNP!TransferPktComplete+0x2b6
8039df34 805be047 84f775a4 8039df78 805c1658 nt!IopfCompleteRequest+0x11d
8039df40 805c1658 83353c08 00000001 00000000 storport!RaidCompleteRequestEx+0x1c
8039df78 805be31f 845d6008 81913300 8039dff4 storport!RaidUnitCompleteRequest+0x8f
8039df88 818c36a2 843529cc 84352958 00000000 storport!RaidpAdapterDpcRoutine+0x28
8039dff4 818c12d5 884b0ad0 00000000 00000000 nt!KiRetireDpcList+0x147
8039dff8 884b0ad0 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x45

Look at MmGetSystemAddressForMdlSafe(); it gives you a kernel VA which
is valid in all process contexts.

t.

On Fri, 13 Nov 2009, Petr Kurtin wrote:


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Do you ever play with the MdlFlags at all? It’s very strange that you have
the MDL_MAPPED_TO_SYSTEM_VA bit set but the MappedSystemVa address in the
MDL is a user mode address.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
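The two replies above make one combined point: the MDL must carry a genuine kernel-range MappedSystemVa (the result of MmGetSystemAddressForMdlSafe), and MDL_MAPPED_TO_SYSTEM_VA must never be set by hand while that field still holds the user-mode StartVa. The following is an added example, not code from the thread or from any of its posters: a small user-mode C checker that parses the fields of a "kd> dt nt!_MDL" dump and flags exactly the inconsistency Scott describes, so the dump above can be re-checked mechanically. The sample input is the thread's own dump pasted verbatim; the "healthy" counterpart with MappedSystemVa = 0x9a3c0000 is constructed and that address is invented. Assumptions that are mine and not the thread's: 32-bit x86 with the default 2 GB/2 GB split (kernel VAs begin at 0x80000000), 4 KiB pages, a 28-byte 32-bit _MDL header (the dump's last field sits at +0x18), and the flag values from ntddk.h.

```c
/* Added example (not the thread's code): sanity-check an MDL header as
 * printed by "kd> dt nt!_MDL". Assumptions: 32-bit x86, default split,
 * 4 KiB pages, 28-byte header, ntddk.h flag values. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MDL_MAPPED_TO_SYSTEM_VA     0x0001u
#define MDL_PAGES_LOCKED            0x0002u
#define MDL_SOURCE_IS_NONPAGED_POOL 0x0004u

#define X86_KERNEL_VA_BASE 0x80000000u  /* assumption: no /3GB switch */
#define X86_PAGE_SIZE      0x1000u
#define MDL32_HEADER_SIZE  28u          /* +0x18 ByteOffset is the last 4-byte field */

/* 32-bit nt!_MDL laid out exactly as the dt offsets show. */
typedef struct {
    uint32_t next;              /* +0x000 */
    uint16_t size;              /* +0x004 */
    uint16_t mdl_flags;         /* +0x006 */
    uint32_t process;           /* +0x008 */
    uint32_t mapped_system_va;  /* +0x00c */
    uint32_t start_va;          /* +0x010 */
    uint32_t byte_count;        /* +0x014 */
    uint32_t byte_offset;       /* +0x018 */
} mdl_header32;

enum {
    MDL_DIAG_OK               = 0,
    MDL_DIAG_SYSVA_IS_USER    = 1u << 0, /* flag claims a system mapping, address is user-mode */
    MDL_DIAG_SIZE_MISMATCH    = 1u << 1, /* Size cannot hold one PFN per page described */
    MDL_DIAG_PAGES_NOT_PINNED = 1u << 2, /* neither locked nor nonpaged-pool backed */
    MDL_DIAG_PARSE_FAILED     = 1u << 7
};

/* Size an MDL needs: header plus one 32-bit PFN per page the buffer spans. */
static uint32_t expected_mdl_size(uint32_t byte_count, uint32_t byte_offset)
{
    uint32_t pages = (byte_offset + byte_count + X86_PAGE_SIZE - 1) / X86_PAGE_SIZE;
    return MDL32_HEADER_SIZE + pages * (uint32_t)sizeof(uint32_t);
}

/* Parse "+0xOFF Name : value ..." lines; returns the number of known fields seen. */
static int parse_mdl_dump(const char *text, mdl_header32 *out)
{
    int seen = 0;
    memset(out, 0, sizeof *out);
    for (const char *line = text; line && *line; ) {
        unsigned off;
        char name[32], val[32];
        if (sscanf(line, "+0x%x %31s : %31s", &off, name, val) == 3) {
            /* dt prints pointers as 0x..., small integers in decimal, NULL as (null) */
            uint32_t v = strcmp(val, "(null)") == 0 ? 0u : (uint32_t)strtoul(val, NULL, 0);
            seen++;
            if      (!strcmp(name, "Next"))           out->next = v;
            else if (!strcmp(name, "Size"))           out->size = (uint16_t)v;
            else if (!strcmp(name, "MdlFlags"))       out->mdl_flags = (uint16_t)v;
            else if (!strcmp(name, "Process"))        out->process = v;
            else if (!strcmp(name, "MappedSystemVa")) out->mapped_system_va = v;
            else if (!strcmp(name, "StartVa"))        out->start_va = v;
            else if (!strcmp(name, "ByteCount"))      out->byte_count = v;
            else if (!strcmp(name, "ByteOffset"))     out->byte_offset = v;
            else seen--;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return seen;
}

/* Returns a bitmask of MDL_DIAG_* findings; 0 means the header is self-consistent. */
static unsigned check_mdl(const mdl_header32 *m)
{
    unsigned diag = MDL_DIAG_OK;
    if ((m->mdl_flags & MDL_MAPPED_TO_SYSTEM_VA) && m->mapped_system_va < X86_KERNEL_VA_BASE)
        diag |= MDL_DIAG_SYSVA_IS_USER;       /* lower drivers will touch a per-process VA */
    if (!(m->mdl_flags & (MDL_PAGES_LOCKED | MDL_SOURCE_IS_NONPAGED_POOL)))
        diag |= MDL_DIAG_PAGES_NOT_PINNED;
    if (m->size != expected_mdl_size(m->byte_count, m->byte_offset))
        diag |= MDL_DIAG_SIZE_MISMATCH;
    return diag;
}

static unsigned diagnose_dump(const char *text)
{
    mdl_header32 m;
    if (parse_mdl_dump(text, &m) != 8) return MDL_DIAG_PARSE_FAILED;
    return check_mdl(&m);
}

/* Sample input: the dump from the thread, pasted verbatim. */
static const char *const thread_dump =
    "+0x000 Next : (null)\n"
    "+0x004 Size : 100\n"
    "+0x006 MdlFlags : 3 (MDL_MAPPED_TO_SYSTEM_VA | MDL_PAGES_LOCKED)\n"
    "+0x008 Process : 0x83333a58 _EPROCESS\n"
    "+0x00c MappedSystemVa : 0x02330000\n"
    "+0x010 StartVa : 0x02330000\n"
    "+0x014 ByteCount : 0x11400\n"
    "+0x018 ByteOffset : 0\n";

/* Constructed: the same MDL after a real system mapping; 0x9a3c0000 is invented. */
static const mdl_header32 healthy_mdl = {
    0, 100, MDL_MAPPED_TO_SYSTEM_VA | MDL_PAGES_LOCKED,
    0x83333a58u, 0x9a3c0000u, 0x02330000u, 0x11400u, 0
};

int main(void)
{
    printf("thread dump : diag 0x%x (1 = MappedSystemVa is a user address)\n",
           diagnose_dump(thread_dump));
    printf("healthy mdl : diag 0x%x\n", check_mdl(&healthy_mdl));
    return 0;
}
```

On the thread's dump the checker reports only MDL_DIAG_SYSVA_IS_USER: the size (100 = 28 + 18 PFNs for 0x11400 bytes) and the locked flag are fine, so the one defect is a MappedSystemVa that still equals the user-mode StartVa. That is the signature of a driver setting MDL_MAPPED_TO_SYSTEM_VA itself instead of letting MmGetSystemAddressForMdlSafe fill the field in.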


Ahh, I did set that MDL flag; it should be an optimization for the drivers
beneath.

Thank you both for your guidance!

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Scott Noone
Sent: Friday, November 13, 2009 6:12 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] MDL mapping
