Example #1
 * @implemented
/*
 * MmProbeAndLockPages - probe every page of the buffer described by an MDL
 * and pin (lock) its physical pages, filling the PFN array that follows the
 * MDL header.
 *
 * NOTE(review): this listing is incomplete. The return type, the function's
 * braces, the #endif lines matching the #if (_MI_PAGING_LEVELS ...) guards,
 * the SEH wrapper around the probe loop (the _SEH2_GetExceptionCode() call
 * below implies one), several `else` / `do {` / `continue` lines, and the
 * `Cleanup:` / `CleanupWithLock:` labels targeted by the gotos are not in the
 * text shown; the `Status` variable used from the page loop onward also has
 * no visible declaration. Follow the comments rather than the braces.
 *
 * Mdl        - MDL whose StartVa / ByteOffset / ByteCount describe the buffer.
 * AccessMode - KernelMode or a user mode; only non-kernel requests are range
 *              checked against MM_USER_PROBE_ADDRESS before any page is
 *              touched.
 * Operation  - IoReadAccess, or a write/modify operation; anything other than
 *              IoReadAccess requires every page to be writable.
 *
 * Errors surface by raising (the comments at the failure points say the
 * caller is expected to be inside SEH). MDL_PAGES_LOCKED is set before the
 * page loop and left set on the failure path so that the unlock path
 * (MmUnlockPages) can still undo whatever was locked.
 */
MmProbeAndLockPages(IN PMDL Mdl,
                    IN KPROCESSOR_MODE AccessMode,
                    IN LOCK_OPERATION Operation)
    PPFN_NUMBER MdlPages;
    PVOID Base, Address, LastAddress, StartAddress;
    ULONG LockPages, TotalPages;
    PEPROCESS CurrentProcess;
    NTSTATUS ProbeStatus;
    PMMPTE PointerPte, LastPte;
    PMMPDE PointerPde;
#if (_MI_PAGING_LEVELS >= 3)
    PMMPDE PointerPpe;
#if (_MI_PAGING_LEVELS == 4)
    PMMPDE PointerPxe;
    PFN_NUMBER PageFrameIndex;
    BOOLEAN UsePfnLock;
    KIRQL OldIrql;
    PMMPFN Pfn1;
    DPRINT("Probing MDL: %p\n", Mdl);

    // Sanity checks: a non-empty buffer, a page-relative offset, a
    // page-aligned base, and an MDL that is not already locked, mapped,
    // partial, non-paged-pool backed or describing I/O space.
    ASSERT(Mdl->ByteCount != 0);
    ASSERT(((ULONG)Mdl->ByteOffset & ~(PAGE_SIZE - 1)) == 0);
    ASSERT(((ULONG_PTR)Mdl->StartVa & (PAGE_SIZE - 1)) == 0);
    ASSERT((Mdl->MdlFlags & (MDL_PAGES_LOCKED |
                             MDL_MAPPED_TO_SYSTEM_VA |
                             MDL_SOURCE_IS_NONPAGED_POOL |
                             MDL_PARTIAL |
                             MDL_IO_SPACE)) == 0);

    // Get page and base information: the PFN array lives directly after
    // the MDL header.
    MdlPages = (PPFN_NUMBER)(Mdl + 1);
    Base = Mdl->StartVa;

    // Get the addresses and how many pages we span (and need to lock)
    Address = (PVOID)((ULONG_PTR)Base + Mdl->ByteOffset);
    LastAddress = (PVOID)((ULONG_PTR)Address + Mdl->ByteCount);
    LockPages = ADDRESS_AND_SIZE_TO_SPAN_PAGES(Address, Mdl->ByteCount);
    ASSERT(LockPages != 0);

    /* Block invalid access */
    // For non-kernel callers, refuse a range that reaches into kernel space
    // (ends above MM_USER_PROBE_ADDRESS) or whose end wrapped around the
    // address space (Address >= LastAddress). LIST_HEAD in the first PFN
    // slot marks the MDL as holding no locked page.
    if ((AccessMode != KernelMode) &&
        ((LastAddress > (PVOID)MM_USER_PROBE_ADDRESS) || (Address >= LastAddress)))
        /* Caller should be in SEH, raise the error */
        // NOTE(review): the raise statement this comment refers to is not
        // present in this listing.
        *MdlPages = LIST_HEAD;

    // Get the process: a user-space buffer is attributed to the current
    // process, a kernel-space buffer to none.
    // NOTE(review): the `else` between the two assignments is missing
    // from this listing.
    if (Address <= MM_HIGHEST_USER_ADDRESS)
        // Get the process
        CurrentProcess = PsGetCurrentProcess();
        // No process
        CurrentProcess = NULL;

    // Save the number of pages we'll have to lock, and the start address
    TotalPages = LockPages;
    StartAddress = Address;

    /* Large pages not supported */

    // Now probe them: touch every page of the range up front so that a bad
    // address faults here, inside the caller's SEH, rather than later while
    // the PFN or working-set lock is held. The SEH try/except wrapper and
    // the `do {` of this loop are not visible in this listing.
    ProbeStatus = STATUS_SUCCESS;
        // Enter probe loop
            // Assume failure
            *MdlPages = LIST_HEAD;

            // Read: volatile keeps the compiler from discarding the access.
            *(volatile CHAR*)Address;

            // Check if this is write access (only probe for user-mode)
            if ((Operation != IoReadAccess) &&
                (Address <= MM_HIGHEST_USER_ADDRESS))
                // Probe for write too
                // NOTE(review): the write-probe statement itself did not
                // survive in this listing.

            // Next address...
            Address = PAGE_ALIGN((ULONG_PTR)Address + PAGE_SIZE);

            // Next page...
        } while (Address < LastAddress);

        // Reset back to the original page
        ASSERT(LockPages == 0);
        MdlPages = (PPFN_NUMBER)(Mdl + 1);
        // Oops :( -- this is the except block: capture the code the probe
        // raised so it can be reported after the MDL is reset.
        ProbeStatus = _SEH2_GetExceptionCode();

    // So how did that go?
    if (ProbeStatus != STATUS_SUCCESS)
        // Fail
        // NOTE(review): the statement that hands ProbeStatus back to the
        // caller is not visible in this listing.
        Mdl->Process = NULL;

    // Get the PTE and PDE
    PointerPte = MiAddressToPte(StartAddress);
    PointerPde = MiAddressToPde(StartAddress);
#if (_MI_PAGING_LEVELS >= 3)
    PointerPpe = MiAddressToPpe(StartAddress);
#if (_MI_PAGING_LEVELS == 4)
    PointerPxe = MiAddressToPxe(StartAddress);

    // Sanity check
    ASSERT(MdlPages == (PPFN_NUMBER)(Mdl + 1));

    // Check what kind of operation this is
    // NOTE(review): the `else` between the two flag updates is missing
    // from this listing.
    if (Operation != IoReadAccess)
        // Set the write flag
        Mdl->MdlFlags |= MDL_WRITE_OPERATION;
        // Remove the write flag
        Mdl->MdlFlags &= ~(MDL_WRITE_OPERATION);

    // Mark the MDL as locked *now*, before any page is actually pinned, so
    // the unlock path can run after a partial failure.
    Mdl->MdlFlags |= MDL_PAGES_LOCKED;

    // Check if this came from kernel mode
    // NOTE(review): the `if` / `else` lines separating the kernel-mode
    // branch (PFN lock) from the user-mode branch (process working-set
    // lock) are not in this listing.
        // We should not have a process
        ASSERT(CurrentProcess == NULL);
        Mdl->Process = NULL;

        // In kernel mode, we don't need to check for write access: downgrading
        // Operation skips the writability checks in the page loop below.
        Operation = IoReadAccess;

        // Use the PFN lock
        UsePfnLock = TRUE;
        OldIrql = KeAcquireQueuedSpinLock(LockQueuePfnLock);
        // Sanity checks
        ASSERT(TotalPages != 0);
        ASSERT(CurrentProcess == PsGetCurrentProcess());

        // Track locked pages

        // Save the process
        Mdl->Process = CurrentProcess;

        /* Lock the process working set */
        MiLockProcessWorkingSet(CurrentProcess, PsGetCurrentThread());
        UsePfnLock = FALSE;
        OldIrql = MM_NOIRQL;

    // Get the last PTE
    LastPte = MiAddressToPte((PVOID)((ULONG_PTR)LastAddress - 1));

    // Loop the pages (the `do {` is missing from this listing)
        // Assume failure and check for non-mapped pages
        *MdlPages = LIST_HEAD;
        // While any paging level for this PTE is invalid: drop the lock,
        // fault the page in, retake the lock and re-test. The lock is
        // released because the fault handler may block.
        while (
#if (_MI_PAGING_LEVELS == 4)
               (PointerPxe->u.Hard.Valid == 0) ||
#if (_MI_PAGING_LEVELS >= 3)
               (PointerPpe->u.Hard.Valid == 0) ||
               (PointerPde->u.Hard.Valid == 0) ||
               (PointerPte->u.Hard.Valid == 0))
            // What kind of lock were we using?
            if (UsePfnLock)
                // Release PFN lock
                KeReleaseQueuedSpinLock(LockQueuePfnLock, OldIrql);
                /* Release process working set */
                MiUnlockProcessWorkingSet(CurrentProcess, PsGetCurrentThread());

            // Access the page
            Address = MiPteToAddress(PointerPte);

            //HACK: Pass a placeholder TrapInformation so the fault handler knows we're unlocked
            // (read fault, FALSE = not a store)
            Status = MmAccessFault(FALSE, Address, KernelMode, (PVOID)0xBADBADA3);
            if (!NT_SUCCESS(Status))
                // Fail -- jumps to the lock-free cleanup path since the lock
                // was released above.
                DPRINT1("Access fault failed\n");
                goto Cleanup;

            // What lock should we use?
            if (UsePfnLock)
                // Grab the PFN lock
                OldIrql = KeAcquireQueuedSpinLock(LockQueuePfnLock);
                /* Lock the process working set */
                MiLockProcessWorkingSet(CurrentProcess, PsGetCurrentThread());

        // Check if this was a write or modify
        // A write/modify lock of a page whose PTE is not writable is only
        // allowed when the page is copy-on-write and in user space: it is
        // then faulted in for write and this PTE is re-examined. Any other
        // non-writable page fails with STATUS_ACCESS_VIOLATION rather than
        // being handed out for write I/O.
        if (Operation != IoReadAccess)
            // Check if the PTE is not writable
            if (MI_IS_PAGE_WRITEABLE(PointerPte) == FALSE)
                // Check if it's copy on write
                if (MI_IS_PAGE_COPY_ON_WRITE(PointerPte))
                    // Get the base address and allow a change for user-mode
                    Address = MiPteToAddress(PointerPte);
                    if (Address <= MM_HIGHEST_USER_ADDRESS)
                        // What kind of lock were we using?
                        if (UsePfnLock)
                            // Release PFN lock
                            KeReleaseQueuedSpinLock(LockQueuePfnLock, OldIrql);
                            /* Release process working set */
                            MiUnlockProcessWorkingSet(CurrentProcess, PsGetCurrentThread());

                        // Access the page

                        //HACK: Pass a placeholder TrapInformation so the fault handler knows we're unlocked
                        // (write fault, TRUE = store)
                        Status = MmAccessFault(TRUE, Address, KernelMode, (PVOID)0xBADBADA3);
                        if (!NT_SUCCESS(Status))
                            // Fail
                            DPRINT1("Access fault failed\n");
                            goto Cleanup;

                        // Re-acquire the lock
                        if (UsePfnLock)
                            // Grab the PFN lock
                            OldIrql = KeAcquireQueuedSpinLock(LockQueuePfnLock);
                            /* Lock the process working set */
                            MiLockProcessWorkingSet(CurrentProcess, PsGetCurrentThread());

                        // Start over (the `continue` is not in this listing)

                // Fail, since we won't allow this: the lock is still held, so
                // take the cleanup path that releases it.
                Status = STATUS_ACCESS_VIOLATION;
                goto CleanupWithLock;

        // Grab the PFN
        PageFrameIndex = PFN_FROM_PTE(PointerPte);
        Pfn1 = MiGetPfnEntry(PageFrameIndex);
        // NOTE(review): the `else` before "For I/O addresses" is missing
        // from this listing; a frame without a PFN entry marks the MDL as
        // describing I/O space.
        if (Pfn1)
            /* Either this is for kernel-mode, or the working set is held */
            ASSERT((CurrentProcess == NULL) || (UsePfnLock == FALSE));

            /* No Physical VADs supported yet */
            if (CurrentProcess) ASSERT(CurrentProcess->PhysicalVadRoot == NULL);

            /* This address should already exist and be fully valid */
            // For I/O addresses, just remember this
            Mdl->MdlFlags |= MDL_IO_SPACE;

        // Write the page and move on
        *MdlPages++ = PageFrameIndex;

        /* Check if we're on a PDE boundary */
        // Advance the upper-level pointers whenever the PTE crosses into
        // the next directory entry, so the validity test above stays in step.
        if (MiIsPteOnPdeBoundary(PointerPte)) PointerPde++;
#if (_MI_PAGING_LEVELS >= 3)
        if (MiIsPteOnPpeBoundary(PointerPte)) PointerPpe++;
#if (_MI_PAGING_LEVELS == 4)
        if (MiIsPteOnPxeBoundary(PointerPte)) PointerPxe++;

    } while (PointerPte <= LastPte);

    // What kind of lock were we using? (success path)
    if (UsePfnLock)
        // Release PFN lock
        KeReleaseQueuedSpinLock(LockQueuePfnLock, OldIrql);
        /* Release process working set */
        MiUnlockProcessWorkingSet(CurrentProcess, PsGetCurrentThread());

    // Sanity check
    ASSERT((Mdl->MdlFlags & MDL_DESCRIBES_AWE) == 0);

    // This is the failure path
    // NOTE(review): the `CleanupWithLock:` and `Cleanup:` labels and the
    // final return/raise are not shown in this listing.

    // What kind of lock were we using?
    if (UsePfnLock)
        // Release PFN lock
        KeReleaseQueuedSpinLock(LockQueuePfnLock, OldIrql);
        /* Release process working set */
        MiUnlockProcessWorkingSet(CurrentProcess, PsGetCurrentThread());
    // Pages must be locked so MmUnlock can work

    // Raise the error
Example #2
/*
 * MiIsEntireRangeCommitted - walk the PTEs of [StartingAddress, EndingAddress]
 * and report whether every page is committed, falling back to the VAD's
 * MemCommit flag wherever a page-table level does not exist.
 *
 * NOTE(review): this listing is incomplete. The return type, the function's
 * braces, the comment delimiters and section headings of the routine
 * description that follows, the #endif lines matching the
 * #if (_MI_PAGING_LEVELS ...) guards, several closing braces of the inner
 * loops, and the `retry:` label targeted by the goto are not shown.
 */
MiIsEntireRangeCommitted (
    IN PVOID StartingAddress,
    IN PVOID EndingAddress,
    IN PMMVAD Vad,
    IN PEPROCESS Process


Routine Description:

    This routine examines the range of pages from the starting address
    up to and including the ending address and returns TRUE if every
    page in the range is committed, FALSE otherwise.


    StartingAddress - Supplies the starting address of the range.

    EndingAddress - Supplies the ending address of the range.

    Vad - Supplies the virtual address descriptor which describes the range.

    Process - Supplies the current process.

Return Value:

    TRUE if the entire range is committed.
    FALSE if any page within the range is not committed.


    Kernel mode, APCs disabled, WorkingSetMutex and AddressCreation mutexes


    PMMPTE PointerPte;
    PMMPTE LastPte;
    PMMPTE PointerPde;
    PMMPTE PointerPpe;
    PMMPTE PointerPxe;
    ULONG FirstTime;
    ULONG Waited;
    PVOID Va;


    // FirstTime forces the page-table existence checks on the first
    // iteration even when the start is not on a PDE boundary.
    FirstTime = TRUE;

    PointerPde = MiGetPdeAddress (StartingAddress);
    PointerPte = MiGetPteAddress (StartingAddress);
    LastPte = MiGetPteAddress (EndingAddress);

    // Set the Va to the starting address + 8, this solves problems
    // associated with address 0 (NULL) being used as a valid virtual
    // address and NULL in the VAD commitment field indicating no pages
    // are committed.

    Va = (PVOID)((PCHAR)StartingAddress + 8);

    while (PointerPte <= LastPte) {

        if (MiIsPteOnPdeBoundary(PointerPte) || (FirstTime)) {

            // This may be a PXE/PPE/PDE boundary, check to see if all the
            // PXE/PPE/PDE pages exist.

            FirstTime = FALSE;
            PointerPde = MiGetPteAddress (PointerPte);
            PointerPpe = MiGetPteAddress (PointerPde);
            PointerPxe = MiGetPteAddress (PointerPpe);

            // Repeat the level checks until a pass completes without
            // Waited being set (presumably the helpers set it when they had
            // to wait, and the boundary checks below set it explicitly).
            // The `retry:` label used by the goto below is expected here.
            do {

#if (_MI_PAGING_LEVELS >= 4)

                // When a whole PXE is absent, none of the PTEs beneath it
                // can be examined, so skip to the next PXE and let the VAD's
                // MemCommit bit decide for the skipped range.
                while (!MiDoesPxeExistAndMakeValid (PointerPxe, Process, MM_NOIRQL, &Waited)) {

                    // No PPE exists for the starting address, check the VAD
                    // to see if the pages are committed.

                    PointerPxe += 1;

                    PointerPpe = MiGetVirtualAddressMappedByPte (PointerPxe);
                    PointerPde = MiGetVirtualAddressMappedByPte (PointerPpe);
                    PointerPte = MiGetVirtualAddressMappedByPte (PointerPde);
                    Va = MiGetVirtualAddressMappedByPte (PointerPte);

                    if (PointerPte > LastPte) {

                        // Make sure the entire range is committed.

                        if (Vad->u.VadFlags.MemCommit == 0) {

                            // The entire range to be decommitted is not
                            // committed, return an error.

                            return FALSE;
                        return TRUE;

                    // Make sure the range thus far is committed.

                    if (Vad->u.VadFlags.MemCommit == 0) {

                        // The entire range to be decommitted is not committed,
                        // return an error.

                        return FALSE;

                // Same treatment one level down: an absent PPE skips a whole
                // PPE's worth of PDEs/PTEs.
                while (!MiDoesPpeExistAndMakeValid (PointerPpe, Process, MM_NOIRQL, &Waited)) {

                    // No PDE exists for the starting address, check the VAD
                    // to see if the pages are committed.

                    PointerPpe += 1;
                    PointerPde = MiGetVirtualAddressMappedByPte (PointerPpe);
                    PointerPte = MiGetVirtualAddressMappedByPte (PointerPde);
                    Va = MiGetVirtualAddressMappedByPte (PointerPte);

                    if (PointerPte > LastPte) {

                        // Make sure the entire range is committed.

                        if (Vad->u.VadFlags.MemCommit == 0) {

                            // The entire range to be decommitted is not
                            // committed, return an error.

                            return FALSE;
                        return TRUE;

                    // Make sure the range thus far is committed.

                    if (Vad->u.VadFlags.MemCommit == 0) {

                        // The entire range to be decommitted is not committed,
                        // return an error.

                        return FALSE;
#if (_MI_PAGING_LEVELS >= 4)
                    // Crossing into a new PXE: recompute it and restart the
                    // level checks from the top.
                    if (MiIsPteOnPdeBoundary (PointerPpe)) {
                        PointerPxe = MiGetPteAddress (PointerPpe);
                        goto retry;

                Waited = 0;

                // Lowest directory level: an absent PDE skips one page table
                // worth of PTEs.
                while (!MiDoesPdeExistAndMakeValid (PointerPde, Process, MM_NOIRQL, &Waited)) {

                    // No PDE exists for the starting address, check the VAD
                    // to see if the pages are committed.

                    PointerPde += 1;
                    PointerPpe = MiGetPteAddress (PointerPde);
                    PointerPxe = MiGetPdeAddress (PointerPde);
                    PointerPte = MiGetVirtualAddressMappedByPte (PointerPde);
                    Va = MiGetVirtualAddressMappedByPte (PointerPte);

                    if (PointerPte > LastPte) {

                        // Make sure the entire range is committed.

                        if (Vad->u.VadFlags.MemCommit == 0) {

                            // The entire range to be decommitted is not committed,
                            // return an error.

                            return FALSE;
                        return TRUE;

                    // Make sure the range thus far is committed.

                    if (Vad->u.VadFlags.MemCommit == 0) {

                        // The entire range to be decommitted is not committed,
                        // return an error.

                        return FALSE;
#if (_MI_PAGING_LEVELS >= 3)
                    // Crossing a PPE (or PXE) boundary while skipping PDEs:
                    // force another pass so the upper levels are re-validated.
                    if (MiIsPteOnPdeBoundary (PointerPde)) {
                        PointerPpe = MiGetPteAddress (PointerPde);
#if (_MI_PAGING_LEVELS >= 4)
                        if (MiIsPteOnPpeBoundary (PointerPde)) {
                            PointerPxe = MiGetPdeAddress (PointerPde);
                            Waited = 1;
                        Waited = 1;
            } while (Waited != 0);

        // The page table page exists, check each PTE for commitment.

        // A zero PTE carries no state of its own, so the VAD decides; a
        // non-zero PTE is committed unless it is the explicit
        // decommitted-page marker.
        if (PointerPte->u.Long == 0) {

            // This page has not been committed, check the VAD.

            if (Vad->u.VadFlags.MemCommit == 0) {

                // The entire range to be decommitted is not committed,
                // return an error.

                return FALSE;
        else {

            // Has this page been explicitly decommitted?

            if (MiIsPteDecommittedPage (PointerPte)) {

                // This page has been explicitly decommitted, return an error.

                return FALSE;
        PointerPte += 1;
        Va = (PVOID)((PCHAR)(Va) + PAGE_SIZE);
    return TRUE;