Re: How to use MmMapLockedPagesSpecifyCache - more info

Hi again, Molly,

Here is more info about this problem. I found that

  1. The original thread that issued the IRP_MJ_READ request.
    Irp->UserBuffer was E1A2E000,
    Irp->MdlAddress was NULL
    (so not a user-mode address)

  2. My filter has “decided” that the operation will
    be queued to worker thread.
    Before queuing, it performed the LockBuffer operation,
    (like FatLockUserBuffer), calling IoAllocateMdl
    and MmProbeAndLockPages.
    The pointer to created MDL has been set into Irp->MdlAddress.
    The MDL itself was this:

kd> dt nt!_MDL FF4EF008
+0x000 Next : (null)
+0x004 Size : 32 (0x20 hexa)
+0x006 MdlFlags : 138 (0x8A hexa)
+0x008 Process : (null)
+0x00c MappedSystemVa : 0xf9e2e000
+0x010 StartVa : 0xe1a2e000
+0x014 ByteCount : 0x200
+0x018 ByteOffset : 0

The MDL flags are
MDL_PAGES_LOCKED
MDL_ALLOCATED_FIXED_SIZE
MDL_WRITE_OPERATION

  3. The worker thread called the MapUserBuffer (like FatMapUserBuffer)
    operation, which uses my expanded version
    of MmGetSystemAddressForMdlSafe.

Because of

if(Irp->MdlAddress->MdlFlags & (MDL_MAPPED_TO_SYSTEM_VA |
MDL_SOURCE_IS_NONPAGED_POOL))

MmMapLockedPagesSpecifyCache was actually not
called; instead, Irp->MdlAddress->MappedSystemVa
was used.

But this address (f9e2e000) is not accessible; the debugger
shows an error (this is why the system crashed with
IRQL_NOT_LESS_OR_EQUAL).
The other address in the MDL, e1a2e000,
could be read without problem.

Could you please look at these facts and guess what is wrong?
Maybe in the case of kernel mode buffers the buffer should
not be locked … ?

L.
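As an added example (not code from the original post or its author), the following user-mode C decodes the MdlFlags value from the `dt nt!_MDL` dump above and evaluates the same test that the documented MmGetSystemAddressForMdlSafe macro performs before choosing between the cached MappedSystemVa and a fresh MmMapLockedPagesSpecifyCache call. The struct re-declares the 32-bit MDL layout exactly as the kd output shows it (assumption: x86 with the default 2 GB/2 GB split, so the `is_kernel_va_x86` helper is an assumption too); the MDL_* bit values are the ones from wdm.h, and the sample MDL is constructed from the numbers in the dump.

```c
/* Added example, not code from the original post: decode MdlFlags and
 * evaluate the MmGetSystemAddressForMdlSafe branch for the MDL shown in
 * the kd dump.  Plain user-mode C, no WDK headers needed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MDL_* flag bits as defined in wdm.h. */
#define MDL_MAPPED_TO_SYSTEM_VA      0x0001
#define MDL_PAGES_LOCKED             0x0002
#define MDL_SOURCE_IS_NONPAGED_POOL  0x0004
#define MDL_ALLOCATED_FIXED_SIZE     0x0008
#define MDL_PARTIAL                  0x0010
#define MDL_PARTIAL_HAS_BEEN_MAPPED  0x0020
#define MDL_IO_PAGE_READ             0x0040
#define MDL_WRITE_OPERATION          0x0080
#define MDL_MAPPING_CAN_FAIL         0x2000

struct mdl32 {                 /* offsets match the `dt nt!_MDL` output (x86) */
    uint32_t Next;             /* +0x000 */
    uint16_t Size;             /* +0x004 */
    uint16_t MdlFlags;         /* +0x006 */
    uint32_t Process;          /* +0x008 */
    uint32_t MappedSystemVa;   /* +0x00c */
    uint32_t StartVa;          /* +0x010 */
    uint32_t ByteCount;        /* +0x014 */
    uint32_t ByteOffset;       /* +0x018 */
};

static const struct { uint16_t bit; const char *name; } mdl_flag_names[] = {
    { MDL_MAPPED_TO_SYSTEM_VA,     "MDL_MAPPED_TO_SYSTEM_VA" },
    { MDL_PAGES_LOCKED,            "MDL_PAGES_LOCKED" },
    { MDL_SOURCE_IS_NONPAGED_POOL, "MDL_SOURCE_IS_NONPAGED_POOL" },
    { MDL_ALLOCATED_FIXED_SIZE,    "MDL_ALLOCATED_FIXED_SIZE" },
    { MDL_PARTIAL,                 "MDL_PARTIAL" },
    { MDL_PARTIAL_HAS_BEEN_MAPPED, "MDL_PARTIAL_HAS_BEEN_MAPPED" },
    { MDL_IO_PAGE_READ,            "MDL_IO_PAGE_READ" },
    { MDL_WRITE_OPERATION,         "MDL_WRITE_OPERATION" },
    { MDL_MAPPING_CAN_FAIL,        "MDL_MAPPING_CAN_FAIL" },
};

/* Write the names of the set bits into buf as "A | B"; return how many
 * known bits were set.  Bits not in the table are appended as hex. */
int mdl_flags_to_string(uint16_t flags, char *buf, size_t buflen)
{
    int n = 0;
    uint16_t rest = flags;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof mdl_flag_names / sizeof mdl_flag_names[0]; i++) {
        if (flags & mdl_flag_names[i].bit) {
            if (n++) strncat(buf, " | ", buflen - strlen(buf) - 1);
            strncat(buf, mdl_flag_names[i].name, buflen - strlen(buf) - 1);
            rest &= (uint16_t)~mdl_flag_names[i].bit;
        }
    }
    if (rest) {
        char tmp[24];
        snprintf(tmp, sizeof tmp, "%s0x%04x", n ? " | " : "", (unsigned)rest);
        strncat(buf, tmp, buflen - strlen(buf) - 1);
    }
    return n;
}

/* The test inside MmGetSystemAddressForMdlSafe: 1 means the macro hands back
 * MappedSystemVa as-is, 0 means it calls MmMapLockedPagesSpecifyCache. */
int mdl_reuses_mapped_system_va(const struct mdl32 *m)
{
    return (m->MdlFlags & (MDL_MAPPED_TO_SYSTEM_VA | MDL_SOURCE_IS_NONPAGED_POOL)) != 0;
}

/* MappedSystemVa is only meaningful when one of those two bits is set; a
 * non-zero value with both clear is leftover data and must not be dereferenced. */
int mdl_mapped_va_is_stale(const struct mdl32 *m)
{
    return m->MappedSystemVa != 0 && !mdl_reuses_mapped_system_va(m);
}

/* Assumption: x86 with the default 2 GB/2 GB split (no /3GB). */
int is_kernel_va_x86(uint32_t va) { return va >= 0x80000000u; }

int main(void)
{
    /* Constructed from the kd dump in the post. */
    struct mdl32 m = { 0, 0x20, 0x8A, 0, 0xf9e2e000u, 0xe1a2e000u, 0x200, 0 };
    char names[256];

    mdl_flags_to_string(m.MdlFlags, names, sizeof names);
    printf("MdlFlags 0x%04x = %s\n", m.MdlFlags, names);
    printf("StartVa %08x is a %s address\n", m.StartVa,
           is_kernel_va_x86(m.StartVa) ? "kernel" : "user");
    if (mdl_reuses_mapped_system_va(&m))
        printf("macro returns MappedSystemVa %08x\n", m.MappedSystemVa);
    else
        printf("macro calls MmMapLockedPagesSpecifyCache; MappedSystemVa %08x is %s\n",
               m.MappedSystemVa, mdl_mapped_va_is_stale(&m) ? "stale" : "unset");
    return 0;
}
```

When chasing a crash like the one described, decode the flags first: the branch the macro takes depends only on MDL_MAPPED_TO_SYSTEM_VA and MDL_SOURCE_IS_NONPAGED_POOL, and MappedSystemVa carries no meaning unless one of them is set, whatever value happens to sit in the field.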