1 /* 2 * PROJECT: ReactOS Kernel 3 * LICENSE: BSD - See COPYING.ARM in the top level directory 4 * FILE: ntoskrnl/mm/ARM3/pagfault.c 5 * PURPOSE: ARM Memory Manager Page Fault Handling 6 * PROGRAMMERS: ReactOS Portable Systems Group 7 */ 8 9 /* INCLUDES *******************************************************************/ 10 11 #include <ntoskrnl.h> 12 #define NDEBUG 13 #include <debug.h> 14 15 #define MODULE_INVOLVED_IN_ARM3 16 #include <mm/ARM3/miarm.h> 17 18 /* GLOBALS ********************************************************************/ 19 20 #define HYDRA_PROCESS (PEPROCESS)1 21 #if MI_TRACE_PFNS 22 BOOLEAN UserPdeFault = FALSE; 23 #endif 24 25 /* PRIVATE FUNCTIONS **********************************************************/ 26 27 static 28 NTSTATUS 29 NTAPI 30 MiCheckForUserStackOverflow(IN PVOID Address, 31 IN PVOID TrapInformation) 32 { 33 PETHREAD CurrentThread = PsGetCurrentThread(); 34 PTEB Teb = CurrentThread->Tcb.Teb; 35 PVOID StackBase, DeallocationStack, NextStackAddress; 36 SIZE_T GuaranteedSize; 37 NTSTATUS Status; 38 39 /* Do we own the address space lock? */ 40 if (CurrentThread->AddressSpaceOwner == 1) 41 { 42 /* This isn't valid */ 43 DPRINT1("Process owns address space lock\n"); 44 ASSERT(KeAreAllApcsDisabled() == TRUE); 45 return STATUS_GUARD_PAGE_VIOLATION; 46 } 47 48 /* Are we attached? */ 49 if (KeIsAttachedProcess()) 50 { 51 /* This isn't valid */ 52 DPRINT1("Process is attached\n"); 53 return STATUS_GUARD_PAGE_VIOLATION; 54 } 55 56 /* Read the current settings */ 57 StackBase = Teb->NtTib.StackBase; 58 DeallocationStack = Teb->DeallocationStack; 59 GuaranteedSize = Teb->GuaranteedStackBytes; 60 DPRINT("Handling guard page fault with Stacks Addresses 0x%p and 0x%p, guarantee: %lx\n", 61 StackBase, DeallocationStack, GuaranteedSize); 62 63 /* Guarantees make this code harder, for now, assume there aren't any */ 64 ASSERT(GuaranteedSize == 0); 65 66 /* So allocate only the minimum guard page size */ 67 GuaranteedSize = PAGE_SIZE; 68 69 /* Does this faulting stack address actually exist in the stack? */ 70 if ((Address >= StackBase) || (Address < DeallocationStack)) 71 { 72 /* That's odd... */ 73 DPRINT1("Faulting address outside of stack bounds. Address=%p, StackBase=%p, DeallocationStack=%p\n", 74 Address, StackBase, DeallocationStack); 75 return STATUS_GUARD_PAGE_VIOLATION; 76 } 77 78 /* This is where the stack will start now */ 79 NextStackAddress = (PVOID)((ULONG_PTR)PAGE_ALIGN(Address) - GuaranteedSize); 80 81 /* Do we have at least one page between here and the end of the stack? */ 82 if (((ULONG_PTR)NextStackAddress - PAGE_SIZE) <= (ULONG_PTR)DeallocationStack) 83 { 84 /* We don't -- Trying to make this guard page valid now */ 85 DPRINT1("Close to our death...\n"); 86 87 /* Calculate the next memory address */ 88 NextStackAddress = (PVOID)((ULONG_PTR)PAGE_ALIGN(DeallocationStack) + GuaranteedSize); 89 90 /* Allocate the memory */ 91 Status = ZwAllocateVirtualMemory(NtCurrentProcess(), 92 &NextStackAddress, 93 0, 94 &GuaranteedSize, 95 MEM_COMMIT, 96 PAGE_READWRITE); 97 if (NT_SUCCESS(Status)) 98 { 99 /* Success! */ 100 Teb->NtTib.StackLimit = NextStackAddress; 101 } 102 else 103 { 104 DPRINT1("Failed to allocate memory\n"); 105 } 106 107 return STATUS_STACK_OVERFLOW; 108 } 109 110 /* Don't handle this flag yet */ 111 ASSERT((PsGetCurrentProcess()->Peb->NtGlobalFlag & FLG_DISABLE_STACK_EXTENSION) == 0); 112 113 /* Update the stack limit */ 114 Teb->NtTib.StackLimit = (PVOID)((ULONG_PTR)NextStackAddress + GuaranteedSize); 115 116 /* Now move the guard page to the next page */ 117 Status = ZwAllocateVirtualMemory(NtCurrentProcess(), 118 &NextStackAddress, 119 0, 120 &GuaranteedSize, 121 MEM_COMMIT, 122 PAGE_READWRITE | PAGE_GUARD); 123 if ((NT_SUCCESS(Status) || (Status == STATUS_ALREADY_COMMITTED))) 124 { 125 /* We did it! */ 126 DPRINT("Guard page handled successfully for %p\n", Address); 127 return STATUS_PAGE_FAULT_GUARD_PAGE; 128 } 129 130 /* Fail, we couldn't move the guard page */ 131 DPRINT1("Guard page failure: %lx\n", Status); 132 ASSERT(FALSE); 133 return STATUS_STACK_OVERFLOW; 134 } 135 136 FORCEINLINE 137 BOOLEAN 138 MiIsAccessAllowed( 139 _In_ ULONG ProtectionMask, 140 _In_ BOOLEAN Write, 141 _In_ BOOLEAN Execute) 142 { 143 #define _BYTE_MASK(Bit0, Bit1, Bit2, Bit3, Bit4, Bit5, Bit6, Bit7) \ 144 (Bit0) | ((Bit1) << 1) | ((Bit2) << 2) | ((Bit3) << 3) | \ 145 ((Bit4) << 4) | ((Bit5) << 5) | ((Bit6) << 6) | ((Bit7) << 7) 146 static const UCHAR AccessAllowedMask[2][2] = 147 { 148 { // Protect 0 1 2 3 4 5 6 7 149 _BYTE_MASK(0, 1, 1, 1, 1, 1, 1, 1), // READ 150 _BYTE_MASK(0, 0, 1, 1, 0, 0, 1, 1), // EXECUTE READ 151 }, 152 { 153 _BYTE_MASK(0, 0, 0, 0, 1, 1, 1, 1), // WRITE 154 _BYTE_MASK(0, 0, 0, 0, 0, 0, 1, 1), // EXECUTE WRITE 155 } 156 }; 157 158 /* We want only the lower access bits */ 159 ProtectionMask &= MM_PROTECT_ACCESS; 160 161 /* Look it up in the table */ 162 return (AccessAllowedMask[Write != 0][Execute != 0] >> ProtectionMask) & 1; 163 } 164 165 static 166 NTSTATUS 167 NTAPI 168 MiAccessCheck(IN PMMPTE PointerPte, 169 IN BOOLEAN StoreInstruction, 170 IN KPROCESSOR_MODE PreviousMode, 171 IN ULONG_PTR ProtectionMask, 172 IN PVOID TrapFrame, 173 IN BOOLEAN LockHeld) 174 { 175 MMPTE TempPte; 176 177 /* Check for invalid user-mode access */ 178 if ((PreviousMode == UserMode) && (PointerPte > MiHighestUserPte)) 179 { 180 return STATUS_ACCESS_VIOLATION; 181 } 182 183 /* Capture the PTE -- is it valid? */ 184 TempPte = *PointerPte; 185 if (TempPte.u.Hard.Valid) 186 { 187 /* Was someone trying to write to it? */ 188 if (StoreInstruction) 189 { 190 /* Is it writable?*/ 191 if (MI_IS_PAGE_WRITEABLE(&TempPte) || 192 MI_IS_PAGE_COPY_ON_WRITE(&TempPte)) 193 { 194 /* Then there's nothing to worry about */ 195 return STATUS_SUCCESS; 196 } 197 198 /* Oops! This isn't allowed */ 199 return STATUS_ACCESS_VIOLATION; 200 } 201 202 /* Someone was trying to read from a valid PTE, that's fine too */ 203 return STATUS_SUCCESS; 204 } 205 206 /* Check if the protection on the page allows what is being attempted */ 207 if (!MiIsAccessAllowed(ProtectionMask, StoreInstruction, FALSE)) 208 { 209 return STATUS_ACCESS_VIOLATION; 210 } 211 212 /* Check if this is a guard page */ 213 if ((ProtectionMask & MM_PROTECT_SPECIAL) == MM_GUARDPAGE) 214 { 215 ASSERT(ProtectionMask != MM_DECOMMIT); 216 217 /* Attached processes can't expand their stack */ 218 if (KeIsAttachedProcess()) return STATUS_ACCESS_VIOLATION; 219 220 /* No support for prototype PTEs yet */ 221 ASSERT(TempPte.u.Soft.Prototype == 0); 222 223 /* Remove the guard page bit, and return a guard page violation */ 224 TempPte.u.Soft.Protection = ProtectionMask & ~MM_GUARDPAGE; 225 ASSERT(TempPte.u.Long != 0); 226 MI_WRITE_INVALID_PTE(PointerPte, TempPte); 227 return STATUS_GUARD_PAGE_VIOLATION; 228 } 229 230 /* Nothing to do */ 231 return STATUS_SUCCESS; 232 } 233 234 static 235 PMMPTE 236 NTAPI 237 MiCheckVirtualAddress(IN PVOID VirtualAddress, 238 OUT PULONG ProtectCode, 239 OUT PMMVAD *ProtoVad) 240 { 241 PMMVAD Vad; 242 PMMPTE PointerPte; 243 244 /* No prototype/section support for now */ 245 *ProtoVad = NULL; 246 247 /* User or kernel fault? */ 248 if (VirtualAddress <= MM_HIGHEST_USER_ADDRESS) 249 { 250 /* Special case for shared data */ 251 if (PAGE_ALIGN(VirtualAddress) == (PVOID)MM_SHARED_USER_DATA_VA) 252 { 253 /* It's a read-only page */ 254 *ProtectCode = MM_READONLY; 255 return MmSharedUserDataPte; 256 } 257 258 /* Find the VAD, it might not exist if the address is bogus */ 259 Vad = MiLocateAddress(VirtualAddress); 260 if (!Vad) 261 { 262 /* Bogus virtual address */ 263 *ProtectCode = MM_NOACCESS; 264 return NULL; 265 } 266 267 /* ReactOS does not handle physical memory VADs yet */ 268 ASSERT(Vad->u.VadFlags.VadType != VadDevicePhysicalMemory); 269 270 /* Check if it's a section, or just an allocation */ 271 if (Vad->u.VadFlags.PrivateMemory) 272 { 273 /* ReactOS does not handle AWE VADs yet */ 274 ASSERT(Vad->u.VadFlags.VadType != VadAwe); 275 276 /* This must be a TEB/PEB VAD */ 277 if (Vad->u.VadFlags.MemCommit) 278 { 279 /* It's committed, so return the VAD protection */ 280 *ProtectCode = (ULONG)Vad->u.VadFlags.Protection; 281 } 282 else 283 { 284 /* It has not yet been committed, so return no access */ 285 *ProtectCode = MM_NOACCESS; 286 } 287 288 /* In both cases, return no PTE */ 289 return NULL; 290 } 291 else 292 { 293 /* ReactOS does not supoprt these VADs yet */ 294 ASSERT(Vad->u.VadFlags.VadType != VadImageMap); 295 ASSERT(Vad->u2.VadFlags2.ExtendableFile == 0); 296 297 /* Return the proto VAD */ 298 *ProtoVad = Vad; 299 300 /* Get the prototype PTE for this page */ 301 PointerPte = (((ULONG_PTR)VirtualAddress >> PAGE_SHIFT) - Vad->StartingVpn) + Vad->FirstPrototypePte; 302 ASSERT(PointerPte != NULL); 303 ASSERT(PointerPte <= Vad->LastContiguousPte); 304 305 /* Return the Prototype PTE and the protection for the page mapping */ 306 *ProtectCode = (ULONG)Vad->u.VadFlags.Protection; 307 return PointerPte; 308 } 309 } 310 else if (MI_IS_PAGE_TABLE_ADDRESS(VirtualAddress)) 311 { 312 /* This should never happen, as these addresses are handled by the double-maping */ 313 if (((PMMPTE)VirtualAddress >= MiAddressToPte(MmPagedPoolStart)) && 314 ((PMMPTE)VirtualAddress <= MmPagedPoolInfo.LastPteForPagedPool)) 315 { 316 /* Fail such access */ 317 *ProtectCode = MM_NOACCESS; 318 return NULL; 319 } 320 321 /* Return full access rights */ 322 *ProtectCode = MM_READWRITE; 323 return NULL; 324 } 325 else if (MI_IS_SESSION_ADDRESS(VirtualAddress)) 326 { 327 /* ReactOS does not have an image list yet, so bail out to failure case */ 328 ASSERT(IsListEmpty(&MmSessionSpace->ImageList)); 329 } 330 331 /* Default case -- failure */ 332 *ProtectCode = MM_NOACCESS; 333 return NULL; 334 } 335 336 #if (_MI_PAGING_LEVELS == 2) 337 static 338 NTSTATUS 339 FASTCALL 340 MiCheckPdeForSessionSpace(IN PVOID Address) 341 { 342 MMPTE TempPde; 343 PMMPDE PointerPde; 344 PVOID SessionAddress; 345 ULONG Index; 346 347 /* Is this a session PTE? */ 348 if (MI_IS_SESSION_PTE(Address)) 349 { 350 /* Make sure the PDE for session space is valid */ 351 PointerPde = MiAddressToPde(MmSessionSpace); 352 if (!PointerPde->u.Hard.Valid) 353 { 354 /* This means there's no valid session, bail out */ 355 DbgPrint("MiCheckPdeForSessionSpace: No current session for PTE %p\n", 356 Address); 357 DbgBreakPoint(); 358 return STATUS_ACCESS_VIOLATION; 359 } 360 361 /* Now get the session-specific page table for this address */ 362 SessionAddress = MiPteToAddress(Address); 363 PointerPde = MiAddressToPte(Address); 364 if (PointerPde->u.Hard.Valid) return STATUS_WAIT_1; 365 366 /* It's not valid, so find it in the page table array */ 367 Index = ((ULONG_PTR)SessionAddress - (ULONG_PTR)MmSessionBase) >> 22; 368 TempPde.u.Long = MmSessionSpace->PageTables[Index].u.Long; 369 if (TempPde.u.Hard.Valid) 370 { 371 /* The copy is valid, so swap it in */ 372 InterlockedExchange((PLONG)PointerPde, TempPde.u.Long); 373 return STATUS_WAIT_1; 374 } 375 376 /* We don't seem to have allocated a page table for this address yet? */ 377 DbgPrint("MiCheckPdeForSessionSpace: No Session PDE for PTE %p, %p\n", 378 PointerPde->u.Long, SessionAddress); 379 DbgBreakPoint(); 380 return STATUS_ACCESS_VIOLATION; 381 } 382 383 /* Is the address also a session address? If not, we're done */ 384 if (!MI_IS_SESSION_ADDRESS(Address)) return STATUS_SUCCESS; 385 386 /* It is, so again get the PDE for session space */ 387 PointerPde = MiAddressToPde(MmSessionSpace); 388 if (!PointerPde->u.Hard.Valid) 389 { 390 /* This means there's no valid session, bail out */ 391 DbgPrint("MiCheckPdeForSessionSpace: No current session for VA %p\n", 392 Address); 393 DbgBreakPoint(); 394 return STATUS_ACCESS_VIOLATION; 395 } 396 397 /* Now get the PDE for the address itself */ 398 PointerPde = MiAddressToPde(Address); 399 if (!PointerPde->u.Hard.Valid) 400 { 401 /* Do the swap, we should be good to go */ 402 Index = ((ULONG_PTR)Address - (ULONG_PTR)MmSessionBase) >> 22; 403 PointerPde->u.Long = MmSessionSpace->PageTables[Index].u.Long; 404 if (PointerPde->u.Hard.Valid) return STATUS_WAIT_1; 405 406 /* We had not allocated a page table for this session address yet, fail! */ 407 DbgPrint("MiCheckPdeForSessionSpace: No Session PDE for VA %p, %p\n", 408 PointerPde->u.Long, Address); 409 DbgBreakPoint(); 410 return STATUS_ACCESS_VIOLATION; 411 } 412 413 /* It's valid, so there's nothing to do */ 414 return STATUS_SUCCESS; 415 } 416 417 NTSTATUS 418 FASTCALL 419 MiCheckPdeForPagedPool(IN PVOID Address) 420 { 421 PMMPDE PointerPde; 422 NTSTATUS Status = STATUS_SUCCESS; 423 424 /* Check session PDE */ 425 if (MI_IS_SESSION_ADDRESS(Address)) return MiCheckPdeForSessionSpace(Address); 426 if (MI_IS_SESSION_PTE(Address)) return MiCheckPdeForSessionSpace(Address); 427 428 // 429 // Check if this is a fault while trying to access the page table itself 430 // 431 if (MI_IS_SYSTEM_PAGE_TABLE_ADDRESS(Address)) 432 { 433 // 434 // Send a hint to the page fault handler that this is only a valid fault 435 // if we already detected this was access within the page table range 436 // 437 PointerPde = (PMMPDE)MiAddressToPte(Address); 438 Status = STATUS_WAIT_1; 439 } 440 else if (Address < MmSystemRangeStart) 441 { 442 // 443 // This is totally illegal 444 // 445 return STATUS_ACCESS_VIOLATION; 446 } 447 else 448 { 449 // 450 // Get the PDE for the address 451 // 452 PointerPde = MiAddressToPde(Address); 453 } 454 455 // 456 // Check if it's not valid 457 // 458 if (PointerPde->u.Hard.Valid == 0) 459 { 460 // 461 // Copy it from our double-mapped system page directory 462 // 463 InterlockedExchangePte(PointerPde, 464 MmSystemPagePtes[((ULONG_PTR)PointerPde & (SYSTEM_PD_SIZE - 1)) / sizeof(MMPTE)].u.Long); 465 } 466 467 // 468 // Return status 469 // 470 return Status; 471 } 472 #else 473 NTSTATUS 474 FASTCALL 475 MiCheckPdeForPagedPool(IN PVOID Address) 476 { 477 return STATUS_ACCESS_VIOLATION; 478 } 479 #endif 480 481 VOID 482 NTAPI 483 MiZeroPfn(IN PFN_NUMBER PageFrameNumber) 484 { 485 PMMPTE ZeroPte; 486 MMPTE TempPte; 487 PMMPFN Pfn1; 488 PVOID ZeroAddress; 489 490 /* Get the PFN for this page */ 491 Pfn1 = MiGetPfnEntry(PageFrameNumber); 492 ASSERT(Pfn1); 493 494 /* Grab a system PTE we can use to zero the page */ 495 ZeroPte = MiReserveSystemPtes(1, SystemPteSpace); 496 ASSERT(ZeroPte); 497 498 /* Initialize the PTE for it */ 499 TempPte = ValidKernelPte; 500 TempPte.u.Hard.PageFrameNumber = PageFrameNumber; 501 502 /* Setup caching */ 503 if (Pfn1->u3.e1.CacheAttribute == MiWriteCombined) 504 { 505 /* Write combining, no caching */ 506 MI_PAGE_DISABLE_CACHE(&TempPte); 507 MI_PAGE_WRITE_COMBINED(&TempPte); 508 } 509 else if (Pfn1->u3.e1.CacheAttribute == MiNonCached) 510 { 511 /* Write through, no caching */ 512 MI_PAGE_DISABLE_CACHE(&TempPte); 513 MI_PAGE_WRITE_THROUGH(&TempPte); 514 } 515 516 /* Make the system PTE valid with our PFN */ 517 MI_WRITE_VALID_PTE(ZeroPte, TempPte); 518 519 /* Get the address it maps to, and zero it out */ 520 ZeroAddress = MiPteToAddress(ZeroPte); 521 KeZeroPages(ZeroAddress, PAGE_SIZE); 522 523 /* Now get rid of it */ 524 MiReleaseSystemPtes(ZeroPte, 1, SystemPteSpace); 525 } 526 527 VOID 528 NTAPI 529 MiCopyPfn( 530 _In_ PFN_NUMBER DestPage, 531 _In_ PFN_NUMBER SrcPage) 532 { 533 PMMPTE SysPtes; 534 MMPTE TempPte; 535 PMMPFN DestPfn, SrcPfn; 536 PVOID DestAddress; 537 const VOID* SrcAddress; 538 539 /* Get the PFNs */ 540 DestPfn = MiGetPfnEntry(DestPage); 541 ASSERT(DestPfn); 542 SrcPfn = MiGetPfnEntry(SrcPage); 543 ASSERT(SrcPfn); 544 545 /* Grab 2 system PTEs */ 546 SysPtes = MiReserveSystemPtes(2, SystemPteSpace); 547 ASSERT(SysPtes); 548 549 /* Initialize the destination PTE */ 550 TempPte = ValidKernelPte; 551 TempPte.u.Hard.PageFrameNumber = DestPage; 552 553 /* Setup caching */ 554 if (DestPfn->u3.e1.CacheAttribute == MiWriteCombined) 555 { 556 /* Write combining, no caching */ 557 MI_PAGE_DISABLE_CACHE(&TempPte); 558 MI_PAGE_WRITE_COMBINED(&TempPte); 559 } 560 else if (DestPfn->u3.e1.CacheAttribute == MiNonCached) 561 { 562 /* Write through, no caching */ 563 MI_PAGE_DISABLE_CACHE(&TempPte); 564 MI_PAGE_WRITE_THROUGH(&TempPte); 565 } 566 567 /* Make the system PTE valid with our PFN */ 568 MI_WRITE_VALID_PTE(&SysPtes[0], TempPte); 569 570 /* Initialize the source PTE */ 571 TempPte = ValidKernelPte; 572 TempPte.u.Hard.PageFrameNumber = SrcPage; 573 574 /* Setup caching */ 575 if (SrcPfn->u3.e1.CacheAttribute == MiNonCached) 576 { 577 MI_PAGE_DISABLE_CACHE(&TempPte); 578 } 579 580 /* Make the system PTE valid with our PFN */ 581 MI_WRITE_VALID_PTE(&SysPtes[1], TempPte); 582 583 /* Get the addresses and perform the copy */ 584 DestAddress = MiPteToAddress(&SysPtes[0]); 585 SrcAddress = MiPteToAddress(&SysPtes[1]); 586 RtlCopyMemory(DestAddress, SrcAddress, PAGE_SIZE); 587 588 /* Now get rid of it */ 589 MiReleaseSystemPtes(SysPtes, 2, SystemPteSpace); 590 } 591 592 static 593 NTSTATUS 594 NTAPI 595 MiResolveDemandZeroFault(IN PVOID Address, 596 IN PMMPTE PointerPte, 597 IN ULONG Protection, 598 IN PEPROCESS Process, 599 IN KIRQL OldIrql) 600 { 601 PFN_NUMBER PageFrameNumber = 0; 602 MMPTE TempPte; 603 BOOLEAN NeedZero = FALSE, HaveLock = FALSE; 604 ULONG Color; 605 PMMPFN Pfn1; 606 DPRINT("ARM3 Demand Zero Page Fault Handler for address: %p in process: %p\n", 607 Address, 608 Process); 609 610 /* Must currently only be called by paging path */ 611 if ((Process > HYDRA_PROCESS) && (OldIrql == MM_NOIRQL)) 612 { 613 /* Sanity check */ 614 ASSERT(MI_IS_PAGE_TABLE_ADDRESS(PointerPte)); 615 616 /* No forking yet */ 617 ASSERT(Process->ForkInProgress == NULL); 618 619 /* Get process color */ 620 Color = MI_GET_NEXT_PROCESS_COLOR(Process); 621 ASSERT(Color != 0xFFFFFFFF); 622 623 /* We'll need a zero page */ 624 NeedZero = TRUE; 625 } 626 else 627 { 628 /* Check if we need a zero page */ 629 NeedZero = (OldIrql != MM_NOIRQL); 630 631 /* Session-backed image views must be zeroed */ 632 if ((Process == HYDRA_PROCESS) && 633 ((MI_IS_SESSION_IMAGE_ADDRESS(Address)) || 634 ((Address >= MiSessionViewStart) && (Address < MiSessionSpaceWs)))) 635 { 636 NeedZero = TRUE; 637 } 638 639 /* Hardcode unknown color */ 640 Color = 0xFFFFFFFF; 641 } 642 643 /* Check if the PFN database should be acquired */ 644 if (OldIrql == MM_NOIRQL) 645 { 646 /* Acquire it and remember we should release it after */ 647 OldIrql = MiAcquirePfnLock(); 648 HaveLock = TRUE; 649 } 650 651 /* We either manually locked the PFN DB, or already came with it locked */ 652 MI_ASSERT_PFN_LOCK_HELD(); 653 ASSERT(PointerPte->u.Hard.Valid == 0); 654 655 /* Assert we have enough pages */ 656 ASSERT(MmAvailablePages >= 32); 657 658 #if MI_TRACE_PFNS 659 if (UserPdeFault) MI_SET_USAGE(MI_USAGE_PAGE_TABLE); 660 if (!UserPdeFault) MI_SET_USAGE(MI_USAGE_DEMAND_ZERO); 661 #endif 662 if (Process == HYDRA_PROCESS) MI_SET_PROCESS2("Hydra"); 663 else if (Process) MI_SET_PROCESS2(Process->ImageFileName); 664 else MI_SET_PROCESS2("Kernel Demand 0"); 665 666 /* Do we need a zero page? */ 667 if (Color != 0xFFFFFFFF) 668 { 669 /* Try to get one, if we couldn't grab a free page and zero it */ 670 PageFrameNumber = MiRemoveZeroPageSafe(Color); 671 if (!PageFrameNumber) 672 { 673 /* We'll need a free page and zero it manually */ 674 PageFrameNumber = MiRemoveAnyPage(Color); 675 NeedZero = TRUE; 676 } 677 } 678 else 679 { 680 /* Get a color, and see if we should grab a zero or non-zero page */ 681 Color = MI_GET_NEXT_COLOR(); 682 if (!NeedZero) 683 { 684 /* Process or system doesn't want a zero page, grab anything */ 685 PageFrameNumber = MiRemoveAnyPage(Color); 686 } 687 else 688 { 689 /* System wants a zero page, obtain one */ 690 PageFrameNumber = MiRemoveZeroPage(Color); 691 } 692 } 693 694 /* Initialize it */ 695 MiInitializePfn(PageFrameNumber, PointerPte, TRUE); 696 697 /* Increment demand zero faults */ 698 KeGetCurrentPrcb()->MmDemandZeroCount++; 699 700 /* Do we have the lock? */ 701 if (HaveLock) 702 { 703 /* Release it */ 704 MiReleasePfnLock(OldIrql); 705 706 /* Update performance counters */ 707 if (Process > HYDRA_PROCESS) Process->NumberOfPrivatePages++; 708 } 709 710 /* Zero the page if need be */ 711 if (NeedZero) MiZeroPfn(PageFrameNumber); 712 713 /* Fault on user PDE, or fault on user PTE? */ 714 if (PointerPte <= MiHighestUserPte) 715 { 716 /* User fault, build a user PTE */ 717 MI_MAKE_HARDWARE_PTE_USER(&TempPte, 718 PointerPte, 719 Protection, 720 PageFrameNumber); 721 } 722 else 723 { 724 /* This is a user-mode PDE, create a kernel PTE for it */ 725 MI_MAKE_HARDWARE_PTE(&TempPte, 726 PointerPte, 727 Protection, 728 PageFrameNumber); 729 } 730 731 /* Set it dirty if it's a writable page */ 732 if (MI_IS_PAGE_WRITEABLE(&TempPte)) MI_MAKE_DIRTY_PAGE(&TempPte); 733 734 /* Write it */ 735 MI_WRITE_VALID_PTE(PointerPte, TempPte); 736 737 /* Did we manually acquire the lock */ 738 if (HaveLock) 739 { 740 /* Get the PFN entry */ 741 Pfn1 = MI_PFN_ELEMENT(PageFrameNumber); 742 743 /* Windows does these sanity checks */ 744 ASSERT(Pfn1->u1.Event == 0); 745 ASSERT(Pfn1->u3.e1.PrototypePte == 0); 746 } 747 748 // 749 // It's all good now 750 // 751 DPRINT("Demand zero page has now been paged in\n"); 752 return STATUS_PAGE_FAULT_DEMAND_ZERO; 753 } 754 755 static 756 NTSTATUS 757 NTAPI 758 MiCompleteProtoPteFault(IN BOOLEAN StoreInstruction, 759 IN PVOID Address, 760 IN PMMPTE PointerPte, 761 IN PMMPTE PointerProtoPte, 762 IN KIRQL OldIrql, 763 IN PMMPFN* LockedProtoPfn) 764 { 765 MMPTE TempPte; 766 PMMPTE OriginalPte, PageTablePte; 767 ULONG_PTR Protection; 768 PFN_NUMBER PageFrameIndex; 769 PMMPFN Pfn1, Pfn2; 770 BOOLEAN OriginalProtection, DirtyPage; 771 772 /* Must be called with an valid prototype PTE, with the PFN lock held */ 773 MI_ASSERT_PFN_LOCK_HELD(); 774 ASSERT(PointerProtoPte->u.Hard.Valid == 1); 775 776 /* Get the page */ 777 PageFrameIndex = PFN_FROM_PTE(PointerProtoPte); 778 779 /* Get the PFN entry and set it as a prototype PTE */ 780 Pfn1 = MiGetPfnEntry(PageFrameIndex); 781 Pfn1->u3.e1.PrototypePte = 1; 782 783 /* Increment the share count for the page table */ 784 PageTablePte = MiAddressToPte(PointerPte); 785 Pfn2 = MiGetPfnEntry(PageTablePte->u.Hard.PageFrameNumber); 786 Pfn2->u2.ShareCount++; 787 788 /* Check where we should be getting the protection information from */ 789 if (PointerPte->u.Soft.PageFileHigh == MI_PTE_LOOKUP_NEEDED) 790 { 791 /* Get the protection from the PTE, there's no real Proto PTE data */ 792 Protection = PointerPte->u.Soft.Protection; 793 794 /* Remember that we did not use the proto protection */ 795 OriginalProtection = FALSE; 796 } 797 else 798 { 799 /* Get the protection from the original PTE link */ 800 OriginalPte = &Pfn1->OriginalPte; 801 Protection = OriginalPte->u.Soft.Protection; 802 803 /* Remember that we used the original protection */ 804 OriginalProtection = TRUE; 805 806 /* Check if this was a write on a read only proto */ 807 if ((StoreInstruction) && !(Protection & MM_READWRITE)) 808 { 809 /* Clear the flag */ 810 StoreInstruction = 0; 811 } 812 } 813 814 /* Check if this was a write on a non-COW page */ 815 DirtyPage = FALSE; 816 if ((StoreInstruction) && ((Protection & MM_WRITECOPY) != MM_WRITECOPY)) 817 { 818 /* Then the page should be marked dirty */ 819 DirtyPage = TRUE; 820 821 /* ReactOS check */ 822 ASSERT(Pfn1->OriginalPte.u.Soft.Prototype != 0); 823 } 824 825 /* Did we get a locked incoming PFN? */ 826 if (*LockedProtoPfn) 827 { 828 /* Drop a reference */ 829 ASSERT((*LockedProtoPfn)->u3.e2.ReferenceCount >= 1); 830 MiDereferencePfnAndDropLockCount(*LockedProtoPfn); 831 *LockedProtoPfn = NULL; 832 } 833 834 /* Release the PFN lock */ 835 MiReleasePfnLock(OldIrql); 836 837 /* Remove special/caching bits */ 838 Protection &= ~MM_PROTECT_SPECIAL; 839 840 /* Setup caching */ 841 if (Pfn1->u3.e1.CacheAttribute == MiWriteCombined) 842 { 843 /* Write combining, no caching */ 844 MI_PAGE_DISABLE_CACHE(&TempPte); 845 MI_PAGE_WRITE_COMBINED(&TempPte); 846 } 847 else if (Pfn1->u3.e1.CacheAttribute == MiNonCached) 848 { 849 /* Write through, no caching */ 850 MI_PAGE_DISABLE_CACHE(&TempPte); 851 MI_PAGE_WRITE_THROUGH(&TempPte); 852 } 853 854 /* Check if this is a kernel or user address */ 855 if (Address < MmSystemRangeStart) 856 { 857 /* Build the user PTE */ 858 MI_MAKE_HARDWARE_PTE_USER(&TempPte, PointerPte, Protection, PageFrameIndex); 859 } 860 else 861 { 862 /* Build the kernel PTE */ 863 MI_MAKE_HARDWARE_PTE(&TempPte, PointerPte, Protection, PageFrameIndex); 864 } 865 866 /* Set the dirty flag if needed */ 867 if (DirtyPage) MI_MAKE_DIRTY_PAGE(&TempPte); 868 869 /* Write the PTE */ 870 MI_WRITE_VALID_PTE(PointerPte, TempPte); 871 872 /* Reset the protection if needed */ 873 if (OriginalProtection) Protection = MM_ZERO_ACCESS; 874 875 /* Return success */ 876 ASSERT(PointerPte == MiAddressToPte(Address)); 877 return STATUS_SUCCESS; 878 } 879 880 static 881 NTSTATUS 882 NTAPI 883 MiResolvePageFileFault(_In_ BOOLEAN StoreInstruction, 884 _In_ PVOID FaultingAddress, 885 _In_ PMMPTE PointerPte, 886 _In_ PEPROCESS CurrentProcess, 887 _Inout_ KIRQL *OldIrql) 888 { 889 ULONG Color; 890 PFN_NUMBER Page; 891 NTSTATUS Status; 892 MMPTE TempPte = *PointerPte; 893 PMMPFN Pfn1; 894 ULONG PageFileIndex = TempPte.u.Soft.PageFileLow; 895 ULONG_PTR PageFileOffset = TempPte.u.Soft.PageFileHigh; 896 ULONG Protection = TempPte.u.Soft.Protection; 897 898 /* Things we don't support yet */ 899 ASSERT(CurrentProcess > HYDRA_PROCESS); 900 ASSERT(*OldIrql != MM_NOIRQL); 901 902 /* We must hold the PFN lock */ 903 MI_ASSERT_PFN_LOCK_HELD(); 904 905 /* Some sanity checks */ 906 ASSERT(TempPte.u.Hard.Valid == 0); 907 ASSERT(TempPte.u.Soft.PageFileHigh != 0); 908 ASSERT(TempPte.u.Soft.PageFileHigh != MI_PTE_LOOKUP_NEEDED); 909 910 /* Get any page, it will be overwritten */ 911 Color = MI_GET_NEXT_PROCESS_COLOR(CurrentProcess); 912 Page = MiRemoveAnyPage(Color); 913 914 /* Initialize this PFN */ 915 MiInitializePfn(Page, PointerPte, StoreInstruction); 916 917 /* Sets the PFN as being in IO operation */ 918 Pfn1 = MI_PFN_ELEMENT(Page); 919 ASSERT(Pfn1->u1.Event == NULL); 920 ASSERT(Pfn1->u3.e1.ReadInProgress == 0); 921 ASSERT(Pfn1->u3.e1.WriteInProgress == 0); 922 Pfn1->u3.e1.ReadInProgress = 1; 923 924 /* We must write the PTE now as the PFN lock will be released while performing the IO operation */ 925 MI_MAKE_TRANSITION_PTE(&TempPte, Page, Protection); 926 927 MI_WRITE_INVALID_PTE(PointerPte, TempPte); 928 929 /* Release the PFN lock while we proceed */ 930 MiReleasePfnLock(*OldIrql); 931 932 /* Do the paging IO */ 933 Status = MiReadPageFile(Page, PageFileIndex, PageFileOffset); 934 935 /* Lock the PFN database again */ 936 *OldIrql = MiAcquirePfnLock(); 937 938 /* Nobody should have changed that while we were not looking */ 939 ASSERT(Pfn1->u3.e1.ReadInProgress == 1); 940 ASSERT(Pfn1->u3.e1.WriteInProgress == 0); 941 942 if (!NT_SUCCESS(Status)) 943 { 944 /* Malheur! */ 945 ASSERT(FALSE); 946 Pfn1->u4.InPageError = 1; 947 Pfn1->u1.ReadStatus = Status; 948 } 949 950 /* And the PTE can finally be valid */ 951 MI_MAKE_HARDWARE_PTE(&TempPte, PointerPte, Protection, Page); 952 MI_WRITE_VALID_PTE(PointerPte, TempPte); 953 954 Pfn1->u3.e1.ReadInProgress = 0; 955 /* Did someone start to wait on us while we proceeded ? */ 956 if (Pfn1->u1.Event) 957 { 958 /* Tell them we're done */ 959 KeSetEvent(Pfn1->u1.Event, IO_NO_INCREMENT, FALSE); 960 } 961 962 return Status; 963 } 964 965 static 966 NTSTATUS 967 NTAPI 968 MiResolveTransitionFault(IN BOOLEAN StoreInstruction, 969 IN PVOID FaultingAddress, 970 IN PMMPTE PointerPte, 971 IN PEPROCESS CurrentProcess, 972 IN KIRQL OldIrql, 973 OUT PKEVENT **InPageBlock) 974 { 975 PFN_NUMBER PageFrameIndex; 976 PMMPFN Pfn1; 977 MMPTE TempPte; 978 PMMPTE PointerToPteForProtoPage; 979 DPRINT("Transition fault on 0x%p with PTE 0x%p in process %s\n", 980 FaultingAddress, PointerPte, CurrentProcess->ImageFileName); 981 982 /* Windowss does this check */ 983 ASSERT(*InPageBlock == NULL); 984 985 /* ARM3 doesn't support this path */ 986 ASSERT(OldIrql != MM_NOIRQL); 987 988 /* Capture the PTE and make sure it's in transition format */ 989 TempPte = *PointerPte; 990 ASSERT((TempPte.u.Soft.Valid == 0) && 991 (TempPte.u.Soft.Prototype == 0) && 992 (TempPte.u.Soft.Transition == 1)); 993 994 /* Get the PFN and the PFN entry */ 995 PageFrameIndex = TempPte.u.Trans.PageFrameNumber; 996 DPRINT("Transition PFN: %lx\n", PageFrameIndex); 997 Pfn1 = MiGetPfnEntry(PageFrameIndex); 998 999 /* One more transition fault! */ 1000 InterlockedIncrement(&KeGetCurrentPrcb()->MmTransitionCount); 1001 1002 /* This is from ARM3 -- Windows normally handles this here */ 1003 ASSERT(Pfn1->u4.InPageError == 0); 1004 1005 /* See if we should wait before terminating the fault */ 1006 if ((Pfn1->u3.e1.ReadInProgress == 1) 1007 || ((Pfn1->u3.e1.WriteInProgress == 1) && StoreInstruction)) 1008 { 1009 DPRINT1("The page is currently in a page transition !\n"); 1010 *InPageBlock = &Pfn1->u1.Event; 1011 if (PointerPte == Pfn1->PteAddress) 1012 { 1013 DPRINT1("And this if for this particular PTE.\n"); 1014 /* The PTE will be made valid by the thread serving the fault */ 1015 return STATUS_SUCCESS; // FIXME: Maybe something more descriptive 1016 } 1017 } 1018 1019 /* Windows checks there's some free pages and this isn't an in-page error */ 1020 ASSERT(MmAvailablePages > 0); 1021 ASSERT(Pfn1->u4.InPageError == 0); 1022 1023 /* ReactOS checks for this */ 1024 ASSERT(MmAvailablePages > 32); 1025 1026 /* Was this a transition page in the valid list, or free/zero list? */ 1027 if (Pfn1->u3.e1.PageLocation == ActiveAndValid) 1028 { 1029 /* All Windows does here is a bunch of sanity checks */ 1030 DPRINT("Transition in active list\n"); 1031 ASSERT((Pfn1->PteAddress >= MiAddressToPte(MmPagedPoolStart)) && 1032 (Pfn1->PteAddress <= MiAddressToPte(MmPagedPoolEnd))); 1033 ASSERT(Pfn1->u2.ShareCount != 0); 1034 ASSERT(Pfn1->u3.e2.ReferenceCount != 0); 1035 } 1036 else 1037 { 1038 /* Otherwise, the page is removed from its list */ 1039 DPRINT("Transition page in free/zero list\n"); 1040 MiUnlinkPageFromList(Pfn1); 1041 MiReferenceUnusedPageAndBumpLockCount(Pfn1); 1042 } 1043 1044 /* At this point, there should no longer be any in-page errors */ 1045 ASSERT(Pfn1->u4.InPageError == 0); 1046 1047 /* Check if this was a PFN with no more share references */ 1048 if (Pfn1->u2.ShareCount == 0) MiDropLockCount(Pfn1); 1049 1050 /* Bump the share count and make the page valid */ 1051 Pfn1->u2.ShareCount++; 1052 Pfn1->u3.e1.PageLocation = ActiveAndValid; 1053 1054 /* Prototype PTEs are in paged pool, which itself might be in transition */ 1055 if (FaultingAddress >= MmSystemRangeStart) 1056 { 1057 /* Check if this is a paged pool PTE in transition state */ 1058 PointerToPteForProtoPage = MiAddressToPte(PointerPte); 1059 TempPte = *PointerToPteForProtoPage; 1060 if ((TempPte.u.Hard.Valid == 0) && (TempPte.u.Soft.Transition == 1)) 1061 { 1062 /* This isn't yet supported */ 1063 DPRINT1("Double transition fault not yet supported\n"); 1064 ASSERT(FALSE); 1065 } 1066 } 1067 1068 /* Build the final PTE */ 1069 ASSERT(PointerPte->u.Hard.Valid == 0); 1070 ASSERT(PointerPte->u.Trans.Prototype == 0); 1071 ASSERT(PointerPte->u.Trans.Transition == 1); 1072 TempPte.u.Long = (PointerPte->u.Long & ~0xFFF) | 1073 (MmProtectToPteMask[PointerPte->u.Trans.Protection]) | 1074 MiDetermineUserGlobalPteMask(PointerPte); 1075 1076 /* Is the PTE writeable? */ 1077 if ((Pfn1->u3.e1.Modified) && 1078 MI_IS_PAGE_WRITEABLE(&TempPte) && 1079 !MI_IS_PAGE_COPY_ON_WRITE(&TempPte)) 1080 { 1081 /* Make it dirty */ 1082 MI_MAKE_DIRTY_PAGE(&TempPte); 1083 } 1084 else 1085 { 1086 /* Make it clean */ 1087 MI_MAKE_CLEAN_PAGE(&TempPte); 1088 } 1089 1090 /* Write the valid PTE */ 1091 MI_WRITE_VALID_PTE(PointerPte, TempPte); 1092 1093 /* Return success */ 1094 return STATUS_PAGE_FAULT_TRANSITION; 1095 } 1096 1097 static 1098 NTSTATUS 1099 NTAPI 1100 MiResolveProtoPteFault(IN BOOLEAN StoreInstruction, 1101 IN PVOID Address, 1102 IN PMMPTE PointerPte, 1103 IN PMMPTE PointerProtoPte, 1104 IN OUT PMMPFN *OutPfn, 1105 OUT PVOID *PageFileData, 1106 OUT PMMPTE PteValue, 1107 IN PEPROCESS Process, 1108 IN KIRQL OldIrql, 1109 IN PVOID TrapInformation) 1110 { 1111 MMPTE TempPte, PteContents; 1112 PMMPFN Pfn1; 1113 PFN_NUMBER PageFrameIndex; 1114 NTSTATUS Status; 1115 PKEVENT* InPageBlock = NULL; 1116 ULONG Protection; 1117 1118 /* Must be called with an invalid, prototype PTE, with the PFN lock held */ 1119 MI_ASSERT_PFN_LOCK_HELD(); 1120 ASSERT(PointerPte->u.Hard.Valid == 0); 1121 ASSERT(PointerPte->u.Soft.Prototype == 1); 1122 1123 /* Read the prototype PTE and check if it's valid */ 1124 TempPte = *PointerProtoPte; 1125 if (TempPte.u.Hard.Valid == 1) 1126 { 1127 /* One more user of this mapped page */ 1128 PageFrameIndex = PFN_FROM_PTE(&TempPte); 1129 Pfn1 = MiGetPfnEntry(PageFrameIndex); 1130 Pfn1->u2.ShareCount++; 1131 1132 /* Call it a transition */ 1133 InterlockedIncrement(&KeGetCurrentPrcb()->MmTransitionCount); 1134 1135 /* Complete the prototype PTE fault -- this will release the PFN lock */ 1136 return MiCompleteProtoPteFault(StoreInstruction, 1137 Address, 1138 PointerPte, 1139 PointerProtoPte, 1140 OldIrql, 1141 OutPfn); 1142 } 1143 1144 /* Make sure there's some protection mask */ 1145 if (TempPte.u.Long == 0) 1146 { 1147 /* Release the lock */ 1148 DPRINT1("Access on reserved section?\n"); 1149 MiReleasePfnLock(OldIrql); 1150 return STATUS_ACCESS_VIOLATION; 1151 } 1152 1153 /* There is no such thing as a decommitted prototype PTE */ 1154 ASSERT(TempPte.u.Long != MmDecommittedPte.u.Long); 1155 1156 /* Check for access rights on the PTE proper */ 1157 PteContents = *PointerPte; 1158 if (PteContents.u.Soft.PageFileHigh != MI_PTE_LOOKUP_NEEDED) 1159 { 1160 if (!PteContents.u.Proto.ReadOnly) 1161 { 1162 Protection = TempPte.u.Soft.Protection; 1163 } 1164 else 1165 { 1166 Protection = MM_READONLY; 1167 } 1168 /* Check for page acess in software */ 1169 Status = MiAccessCheck(PointerProtoPte, 1170 StoreInstruction, 1171 KernelMode, 1172 TempPte.u.Soft.Protection, 1173 TrapInformation, 1174 TRUE); 1175 ASSERT(Status == STATUS_SUCCESS); 1176 } 1177 else 1178 { 1179 Protection = PteContents.u.Soft.Protection; 1180 } 1181 1182 /* Check for writing copy on write page */ 1183 if (((Protection & MM_WRITECOPY) == MM_WRITECOPY) && StoreInstruction) 1184 { 1185 PFN_NUMBER PageFrameIndex, ProtoPageFrameIndex; 1186 ULONG Color; 1187 1188 /* Resolve the proto fault as if it was a read operation */ 1189 Status = MiResolveProtoPteFault(FALSE, 1190 Address, 1191 PointerPte, 1192 PointerProtoPte, 1193 OutPfn, 1194 PageFileData, 1195 PteValue, 1196 Process, 1197 OldIrql, 1198 TrapInformation); 1199 1200 if (!NT_SUCCESS(Status)) 1201 { 1202 return Status; 1203 } 1204 1205 /* Lock again the PFN lock, MiResolveProtoPteFault unlocked it */ 1206 OldIrql = MiAcquirePfnLock(); 1207 1208 /* And re-read the proto PTE */ 1209 TempPte = *PointerProtoPte; 1210 ASSERT(TempPte.u.Hard.Valid == 1); 1211 ProtoPageFrameIndex = PFN_FROM_PTE(&TempPte); 1212 1213 /* Get a new page for the private copy */ 1214 if (Process > HYDRA_PROCESS) 1215 Color = MI_GET_NEXT_PROCESS_COLOR(Process); 1216 else 1217 Color = MI_GET_NEXT_COLOR(); 1218 1219 PageFrameIndex = MiRemoveAnyPage(Color); 1220 1221 /* Perform the copy */ 1222 MiCopyPfn(PageFrameIndex, ProtoPageFrameIndex); 1223 1224 /* This will drop everything MiResolveProtoPteFault referenced */ 1225 MiDeletePte(PointerPte, Address, Process, PointerProtoPte); 1226 1227 /* Because now we use this */ 1228 Pfn1 = MI_PFN_ELEMENT(PageFrameIndex); 1229 MiInitializePfn(PageFrameIndex, PointerPte, TRUE); 1230 1231 /* Fix the protection */ 1232 Protection &= ~MM_WRITECOPY; 1233 Protection |= MM_READWRITE; 1234 if (Address < MmSystemRangeStart) 1235 { 1236 /* Build the user PTE */ 1237 MI_MAKE_HARDWARE_PTE_USER(&PteContents, PointerPte, Protection, PageFrameIndex); 1238 } 1239 else 1240 { 1241 /* Build the kernel PTE */ 1242 MI_MAKE_HARDWARE_PTE(&PteContents, PointerPte, Protection, PageFrameIndex); 1243 } 1244 1245 /* And finally, write the valid PTE */ 1246 MI_WRITE_VALID_PTE(PointerPte, PteContents); 1247 1248 /* The caller expects us to release the PFN lock */ 1249 MiReleasePfnLock(OldIrql); 1250 return Status; 1251 } 1252 1253 /* Check for clone PTEs */ 1254 if (PointerPte <= MiHighestUserPte) ASSERT(Process->CloneRoot == NULL); 1255 1256 /* We don't support mapped files yet */ 1257 ASSERT(TempPte.u.Soft.Prototype == 0); 1258 1259 /* We might however have transition PTEs */ 1260 if (TempPte.u.Soft.Transition == 1) 1261 { 1262 /* Resolve the transition fault */ 1263 ASSERT(OldIrql != MM_NOIRQL); 1264 Status = MiResolveTransitionFault(StoreInstruction, 1265 Address, 1266 PointerProtoPte, 1267 Process, 1268 OldIrql, 1269 &InPageBlock); 1270 ASSERT(NT_SUCCESS(Status)); 1271 } 1272 else 1273 { 1274 /* We also don't support paged out pages */ 1275 ASSERT(TempPte.u.Soft.PageFileHigh == 0); 1276 1277 /* Resolve the demand zero fault */ 1278 Status = MiResolveDemandZeroFault(Address, 1279 PointerProtoPte, 1280 (ULONG)TempPte.u.Soft.Protection, 1281 Process, 1282 OldIrql); 1283 ASSERT(NT_SUCCESS(Status)); 1284 } 1285 1286 /* Complete the prototype PTE fault -- this will release the PFN lock */ 1287 ASSERT(PointerPte->u.Hard.Valid == 0); 1288 return MiCompleteProtoPteFault(StoreInstruction, 1289 Address, 1290 PointerPte, 1291 PointerProtoPte, 1292 OldIrql, 1293 OutPfn); 1294 } 1295 1296 NTSTATUS 1297 NTAPI 1298 MiDispatchFault(IN ULONG FaultCode, 1299 IN PVOID Address, 1300 IN PMMPTE PointerPte, 1301 IN PMMPTE PointerProtoPte, 1302 IN BOOLEAN Recursive, 1303 IN PEPROCESS Process, 1304 IN PVOID TrapInformation, 1305 IN PMMVAD Vad) 1306 { 1307 MMPTE TempPte; 1308 KIRQL OldIrql, LockIrql; 1309 NTSTATUS Status; 1310 PMMPTE SuperProtoPte; 1311 PMMPFN Pfn1, OutPfn = NULL; 1312 PFN_NUMBER PageFrameIndex; 1313 PFN_COUNT PteCount, ProcessedPtes; 1314 DPRINT("ARM3 Page Fault Dispatcher for address: %p in process: %p\n", 1315 Address, 1316 Process); 1317 1318 /* Make sure the addresses are ok */ 1319 ASSERT(PointerPte == MiAddressToPte(Address)); 1320 1321 // 1322 // Make sure APCs are off and we're not at dispatch 1323 // 1324 OldIrql = KeGetCurrentIrql(); 1325 ASSERT(OldIrql <= APC_LEVEL); 1326 ASSERT(KeAreAllApcsDisabled() == TRUE); 1327 1328 // 1329 // Grab a copy of the PTE 1330 // 1331 TempPte = *PointerPte; 1332 1333 /* Do we have a prototype PTE? */ 1334 if (PointerProtoPte) 1335 { 1336 /* This should never happen */ 1337 ASSERT(!MI_IS_PHYSICAL_ADDRESS(PointerProtoPte)); 1338 1339 /* Check if this is a kernel-mode address */ 1340 SuperProtoPte = MiAddressToPte(PointerProtoPte); 1341 if (Address >= MmSystemRangeStart) 1342 { 1343 /* Lock the PFN database */ 1344 LockIrql = MiAcquirePfnLock(); 1345 1346 /* Has the PTE been made valid yet? */ 1347 if (!SuperProtoPte->u.Hard.Valid) 1348 { 1349 ASSERT(FALSE); 1350 } 1351 else if (PointerPte->u.Hard.Valid == 1) 1352 { 1353 ASSERT(FALSE); 1354 } 1355 1356 /* Resolve the fault -- this will release the PFN lock */ 1357 Status = MiResolveProtoPteFault(!MI_IS_NOT_PRESENT_FAULT(FaultCode), 1358 Address, 1359 PointerPte, 1360 PointerProtoPte, 1361 &OutPfn, 1362 NULL, 1363 NULL, 1364 Process, 1365 LockIrql, 1366 TrapInformation); 1367 ASSERT(Status == STATUS_SUCCESS); 1368 1369 /* Complete this as a transition fault */ 1370 ASSERT(OldIrql == KeGetCurrentIrql()); 1371 ASSERT(OldIrql <= APC_LEVEL); 1372 ASSERT(KeAreAllApcsDisabled() == TRUE); 1373 return Status; 1374 } 1375 else 1376 { 1377 /* We only handle the lookup path */ 1378 ASSERT(PointerPte->u.Soft.PageFileHigh == MI_PTE_LOOKUP_NEEDED); 1379 1380 /* Is there a non-image VAD? */ 1381 if ((Vad) && 1382 (Vad->u.VadFlags.VadType != VadImageMap) && 1383 !(Vad->u2.VadFlags2.ExtendableFile)) 1384 { 1385 /* One day, ReactOS will cluster faults */ 1386 ASSERT(Address <= MM_HIGHEST_USER_ADDRESS); 1387 DPRINT("Should cluster fault, but won't\n"); 1388 } 1389 1390 /* Only one PTE to handle for now */ 1391 PteCount = 1; 1392 ProcessedPtes = 0; 1393 1394 /* Lock the PFN database */ 1395 LockIrql = MiAcquirePfnLock(); 1396 1397 /* We only handle the valid path */ 1398 ASSERT(SuperProtoPte->u.Hard.Valid == 1); 1399 1400 /* Capture the PTE */ 1401 TempPte = *PointerProtoPte; 1402 1403 /* Loop to handle future case of clustered faults */ 1404 while (TRUE) 1405 { 1406 /* For our current usage, this should be true */ 1407 if (TempPte.u.Hard.Valid == 1) 1408 { 1409 /* Bump the share count on the PTE */ 1410 PageFrameIndex = PFN_FROM_PTE(&TempPte); 1411 Pfn1 = MI_PFN_ELEMENT(PageFrameIndex); 1412 Pfn1->u2.ShareCount++; 1413 } 1414 else if ((TempPte.u.Soft.Prototype == 0) && 1415 (TempPte.u.Soft.Transition == 1)) 1416 { 1417 /* This is a standby page, bring it back from the cache */ 1418 PageFrameIndex = TempPte.u.Trans.PageFrameNumber; 1419 DPRINT("oooh, shiny, a soft fault! 0x%lx\n", PageFrameIndex); 1420 Pfn1 = MI_PFN_ELEMENT(PageFrameIndex); 1421 ASSERT(Pfn1->u3.e1.PageLocation != ActiveAndValid); 1422 1423 /* Should not yet happen in ReactOS */ 1424 ASSERT(Pfn1->u3.e1.ReadInProgress == 0); 1425 ASSERT(Pfn1->u4.InPageError == 0); 1426 1427 /* Get the page */ 1428 MiUnlinkPageFromList(Pfn1); 1429 1430 /* Bump its reference count */ 1431 ASSERT(Pfn1->u2.ShareCount == 0); 1432 InterlockedIncrement16((PSHORT)&Pfn1->u3.e2.ReferenceCount); 1433 Pfn1->u2.ShareCount++; 1434 1435 /* Make it valid again */ 1436 /* This looks like another macro.... */ 1437 Pfn1->u3.e1.PageLocation = ActiveAndValid; 1438 ASSERT(PointerProtoPte->u.Hard.Valid == 0); 1439 ASSERT(PointerProtoPte->u.Trans.Prototype == 0); 1440 ASSERT(PointerProtoPte->u.Trans.Transition == 1); 1441 TempPte.u.Long = (PointerProtoPte->u.Long & ~0xFFF) | 1442 MmProtectToPteMask[PointerProtoPte->u.Trans.Protection]; 1443 TempPte.u.Hard.Valid = 1; 1444 MI_MAKE_ACCESSED_PAGE(&TempPte); 1445 1446 /* Is the PTE writeable? */ 1447 if ((Pfn1->u3.e1.Modified) && 1448 MI_IS_PAGE_WRITEABLE(&TempPte) && 1449 !MI_IS_PAGE_COPY_ON_WRITE(&TempPte)) 1450 { 1451 /* Make it dirty */ 1452 MI_MAKE_DIRTY_PAGE(&TempPte); 1453 } 1454 else 1455 { 1456 /* Make it clean */ 1457 MI_MAKE_CLEAN_PAGE(&TempPte); 1458 } 1459 1460 /* Write the valid PTE */ 1461 MI_WRITE_VALID_PTE(PointerProtoPte, TempPte); 1462 ASSERT(PointerPte->u.Hard.Valid == 0); 1463 } 1464 else 1465 { 1466 /* Page is invalid, get out of the loop */ 1467 break; 1468 } 1469 1470 /* One more done, was it the last? */ 1471 if (++ProcessedPtes == PteCount) 1472 { 1473 /* Complete the fault */ 1474 MiCompleteProtoPteFault(!MI_IS_NOT_PRESENT_FAULT(FaultCode), 1475 Address, 1476 PointerPte, 1477 PointerProtoPte, 1478 LockIrql, 1479 &OutPfn); 1480 1481 /* THIS RELEASES THE PFN LOCK! */ 1482 break; 1483 } 1484 1485 /* No clustered faults yet */ 1486 ASSERT(FALSE); 1487 } 1488 1489 /* Did we resolve the fault? */ 1490 if (ProcessedPtes) 1491 { 1492 /* Bump the transition count */ 1493 InterlockedExchangeAddSizeT(&KeGetCurrentPrcb()->MmTransitionCount, ProcessedPtes); 1494 ProcessedPtes--; 1495 1496 /* Loop all the processing we did */ 1497 ASSERT(ProcessedPtes == 0); 1498 1499 /* Complete this as a transition fault */ 1500 ASSERT(OldIrql == KeGetCurrentIrql()); 1501 ASSERT(OldIrql <= APC_LEVEL); 1502 ASSERT(KeAreAllApcsDisabled() == TRUE); 1503 return STATUS_PAGE_FAULT_TRANSITION; 1504 } 1505 1506 /* We did not -- PFN lock is still held, prepare to resolve prototype PTE fault */ 1507 OutPfn = MI_PFN_ELEMENT(SuperProtoPte->u.Hard.PageFrameNumber); 1508 MiReferenceUsedPageAndBumpLockCount(OutPfn); 1509 ASSERT(OutPfn->u3.e2.ReferenceCount > 1); 1510 ASSERT(PointerPte->u.Hard.Valid == 0); 1511 1512 /* Resolve the fault -- this will release the PFN lock */ 1513 Status = MiResolveProtoPteFault(!MI_IS_NOT_PRESENT_FAULT(FaultCode), 1514 Address, 1515 PointerPte, 1516 PointerProtoPte, 1517 &OutPfn, 1518 NULL, 1519 NULL, 1520 Process, 1521 LockIrql, 1522 TrapInformation); 1523 //ASSERT(Status != STATUS_ISSUE_PAGING_IO); 1524 //ASSERT(Status != STATUS_REFAULT); 1525 //ASSERT(Status != STATUS_PTE_CHANGED); 1526 1527 /* Did the routine clean out the PFN or should we? */ 1528 if (OutPfn) 1529 { 1530 /* We had a locked PFN, so acquire the PFN lock to dereference it */ 1531 ASSERT(PointerProtoPte != NULL); 1532 OldIrql = MiAcquirePfnLock(); 1533 1534 /* Dereference the locked PFN */ 1535 MiDereferencePfnAndDropLockCount(OutPfn); 1536 ASSERT(OutPfn->u3.e2.ReferenceCount >= 1); 1537 1538 /* And now release the lock */ 1539 MiReleasePfnLock(OldIrql); 1540 } 1541 1542 /* Complete this as a transition fault */ 1543 ASSERT(OldIrql == KeGetCurrentIrql()); 1544 ASSERT(OldIrql <= APC_LEVEL); 1545 ASSERT(KeAreAllApcsDisabled() == TRUE); 1546 return Status; 1547 } 1548 } 1549 1550 /* Is this a transition PTE */ 1551 if (TempPte.u.Soft.Transition) 1552 { 1553 PKEVENT* InPageBlock = NULL; 1554 PKEVENT PreviousPageEvent; 1555 KEVENT CurrentPageEvent; 1556 1557 /* Lock the PFN database */ 1558 LockIrql = MiAcquirePfnLock(); 1559 1560 /* Resolve */ 1561 Status = MiResolveTransitionFault(!MI_IS_NOT_PRESENT_FAULT(FaultCode), Address, PointerPte, Process, LockIrql, &InPageBlock); 1562 1563 ASSERT(NT_SUCCESS(Status)); 1564 1565 if (InPageBlock != NULL) 1566 { 1567 /* Another thread is reading or writing this page. Put us into the waiting queue. */ 1568 KeInitializeEvent(&CurrentPageEvent, NotificationEvent, FALSE); 1569 PreviousPageEvent = *InPageBlock; 1570 *InPageBlock = &CurrentPageEvent; 1571 } 1572 1573 /* And now release the lock and leave*/ 1574 MiReleasePfnLock(LockIrql); 1575 1576 if (InPageBlock != NULL) 1577 { 1578 KeWaitForSingleObject(&CurrentPageEvent, WrPageIn, KernelMode, FALSE, NULL); 1579 1580 /* Let's the chain go on */ 1581 if (PreviousPageEvent) 1582 { 1583 KeSetEvent(PreviousPageEvent, IO_NO_INCREMENT, FALSE); 1584 } 1585 } 1586 1587 ASSERT(OldIrql == KeGetCurrentIrql()); 1588 ASSERT(OldIrql <= APC_LEVEL); 1589 ASSERT(KeAreAllApcsDisabled() == TRUE); 1590 return Status; 1591 } 1592 1593 /* Should we page the data back in ? */ 1594 if (TempPte.u.Soft.PageFileHigh != 0) 1595 { 1596 /* Lock the PFN database */ 1597 LockIrql = MiAcquirePfnLock(); 1598 1599 /* Resolve */ 1600 Status = MiResolvePageFileFault(!MI_IS_NOT_PRESENT_FAULT(FaultCode), Address, PointerPte, Process, &LockIrql); 1601 1602 /* And now release the lock and leave*/ 1603 MiReleasePfnLock(LockIrql); 1604 1605 ASSERT(OldIrql == KeGetCurrentIrql()); 1606 ASSERT(OldIrql <= APC_LEVEL); 1607 ASSERT(KeAreAllApcsDisabled() == TRUE); 1608 return Status; 1609 } 1610 1611 // 1612 // The PTE must be invalid but not completely empty. It must also not be a 1613 // prototype a transition or a paged-out PTE as those scenarii should've been handled above. 1614 // These are all Windows checks 1615 // 1616 ASSERT(TempPte.u.Hard.Valid == 0); 1617 ASSERT(TempPte.u.Soft.Prototype == 0); 1618 ASSERT(TempPte.u.Soft.Transition == 0); 1619 ASSERT(TempPte.u.Soft.PageFileHigh == 0); 1620 ASSERT(TempPte.u.Long != 0); 1621 1622 // 1623 // If we got this far, the PTE can only be a demand zero PTE, which is what 1624 // we want. Go handle it! 1625 // 1626 Status = MiResolveDemandZeroFault(Address, 1627 PointerPte, 1628 (ULONG)TempPte.u.Soft.Protection, 1629 Process, 1630 MM_NOIRQL); 1631 ASSERT(KeAreAllApcsDisabled() == TRUE); 1632 if (NT_SUCCESS(Status)) 1633 { 1634 // 1635 // Make sure we're returning in a sane state and pass the status down 1636 // 1637 ASSERT(OldIrql == KeGetCurrentIrql()); 1638 ASSERT(KeGetCurrentIrql() <= APC_LEVEL); 1639 return Status; 1640 } 1641 1642 // 1643 // Generate an access fault 1644 // 1645 return STATUS_ACCESS_VIOLATION; 1646 } 1647 1648 NTSTATUS 1649 NTAPI 1650 MmArmAccessFault(IN ULONG FaultCode, 1651 IN PVOID Address, 1652 IN KPROCESSOR_MODE Mode, 1653 IN PVOID TrapInformation) 1654 { 1655 KIRQL OldIrql = KeGetCurrentIrql(), LockIrql; 1656 PMMPTE ProtoPte = NULL; 1657 PMMPTE PointerPte = MiAddressToPte(Address); 1658 PMMPDE PointerPde = MiAddressToPde(Address); 1659 #if (_MI_PAGING_LEVELS >= 3) 1660 PMMPDE PointerPpe = MiAddressToPpe(Address); 1661 #if (_MI_PAGING_LEVELS == 4) 1662 PMMPDE PointerPxe = MiAddressToPxe(Address); 1663 #endif 1664 #endif 1665 MMPTE TempPte; 1666 PETHREAD CurrentThread; 1667 PEPROCESS CurrentProcess; 1668 NTSTATUS Status; 1669 PMMSUPPORT WorkingSet; 1670 ULONG ProtectionCode; 1671 PMMVAD Vad = NULL; 1672 PFN_NUMBER PageFrameIndex; 1673 ULONG Color; 1674 BOOLEAN IsSessionAddress; 1675 PMMPFN Pfn1; 1676 DPRINT("ARM3 FAULT AT: %p\n", Address); 1677 1678 /* Check for page fault on high IRQL */ 1679 if (OldIrql > APC_LEVEL) 1680 { 1681 #if (_MI_PAGING_LEVELS < 3) 1682 /* Could be a page table for paged pool, which we'll allow */ 1683 if (MI_IS_SYSTEM_PAGE_TABLE_ADDRESS(Address)) MiSynchronizeSystemPde((PMMPDE)PointerPte); 1684 MiCheckPdeForPagedPool(Address); 1685 #endif 1686 /* Check if any of the top-level pages are invalid */ 1687 if ( 1688 #if (_MI_PAGING_LEVELS == 4) 1689 (PointerPxe->u.Hard.Valid == 0) || 1690 #endif 1691 #if (_MI_PAGING_LEVELS >= 3) 1692 (PointerPpe->u.Hard.Valid == 0) || 1693 #endif 1694 (PointerPde->u.Hard.Valid == 0) || 1695 (PointerPte->u.Hard.Valid == 0)) 1696 { 1697 /* This fault is not valid, print out some debugging help */ 1698 DbgPrint("MM:***PAGE FAULT AT IRQL > 1 Va %p, IRQL %lx\n", 1699 Address, 1700 OldIrql); 1701 if (TrapInformation) 1702 { 1703 PKTRAP_FRAME TrapFrame = TrapInformation; 1704 #ifdef _M_IX86 1705 DbgPrint("MM:***EIP %p, EFL %p\n", TrapFrame->Eip, TrapFrame->EFlags); 1706 DbgPrint("MM:***EAX %p, ECX %p EDX %p\n", TrapFrame->Eax, TrapFrame->Ecx, TrapFrame->Edx); 1707 DbgPrint("MM:***EBX %p, ESI %p EDI %p\n", TrapFrame->Ebx, TrapFrame->Esi, TrapFrame->Edi); 1708 #elif defined(_M_AMD64) 1709 DbgPrint("MM:***RIP %p, EFL %p\n", TrapFrame->Rip, TrapFrame->EFlags); 1710 DbgPrint("MM:***RAX %p, RCX %p RDX %p\n", TrapFrame->Rax, TrapFrame->Rcx, TrapFrame->Rdx); 1711 DbgPrint("MM:***RBX %p, RSI %p RDI %p\n", TrapFrame->Rbx, TrapFrame->Rsi, TrapFrame->Rdi); 1712 #elif defined(_M_ARM) 1713 DbgPrint("MM:***PC %p\n", TrapFrame->Pc); 1714 DbgPrint("MM:***R0 %p, R1 %p R2 %p, R3 %p\n", TrapFrame->R0, TrapFrame->R1, TrapFrame->R2, TrapFrame->R3); 1715 DbgPrint("MM:***R11 %p, R12 %p SP %p, LR %p\n", TrapFrame->R11, TrapFrame->R12, TrapFrame->Sp, TrapFrame->Lr); 1716 #endif 1717 } 1718 1719 /* Tell the trap handler to fail */ 1720 return STATUS_IN_PAGE_ERROR | 0x10000000; 1721 } 1722 1723 /* Not yet implemented in ReactOS */ 1724 ASSERT(MI_IS_PAGE_LARGE(PointerPde) == FALSE); 1725 ASSERT((!MI_IS_NOT_PRESENT_FAULT(FaultCode) && MI_IS_PAGE_COPY_ON_WRITE(PointerPte)) == FALSE); 1726 1727 /* Check if this was a write */ 1728 if (MI_IS_WRITE_ACCESS(FaultCode)) 1729 { 1730 /* Was it to a read-only page? */ 1731 Pfn1 = MI_PFN_ELEMENT(PointerPte->u.Hard.PageFrameNumber); 1732 if (!(PointerPte->u.Long & PTE_READWRITE) && 1733 !(Pfn1->OriginalPte.u.Soft.Protection & MM_READWRITE)) 1734 { 1735 /* Crash with distinguished bugcheck code */ 1736 KeBugCheckEx(ATTEMPTED_WRITE_TO_READONLY_MEMORY, 1737 (ULONG_PTR)Address, 1738 PointerPte->u.Long, 1739 (ULONG_PTR)TrapInformation, 1740 10); 1741 } 1742 } 1743 1744 /* Nothing is actually wrong */ 1745 DPRINT1("Fault at IRQL %u is ok (%p)\n", OldIrql, Address); 1746 return STATUS_SUCCESS; 1747 } 1748 1749 /* Check for kernel fault address */ 1750 if (Address >= MmSystemRangeStart) 1751 { 1752 /* Bail out, if the fault came from user mode */ 1753 if (Mode == UserMode) return STATUS_ACCESS_VIOLATION; 1754 1755 #if (_MI_PAGING_LEVELS == 2) 1756 if (MI_IS_SYSTEM_PAGE_TABLE_ADDRESS(Address)) MiSynchronizeSystemPde((PMMPDE)PointerPte); 1757 MiCheckPdeForPagedPool(Address); 1758 #endif 1759 1760 /* Check if the higher page table entries are invalid */ 1761 if ( 1762 #if (_MI_PAGING_LEVELS == 4) 1763 /* AMD64 system, check if PXE is invalid */ 1764 (PointerPxe->u.Hard.Valid == 0) || 1765 #endif 1766 #if (_MI_PAGING_LEVELS >= 3) 1767 /* PAE/AMD64 system, check if PPE is invalid */ 1768 (PointerPpe->u.Hard.Valid == 0) || 1769 #endif 1770 /* Always check if the PDE is valid */ 1771 (PointerPde->u.Hard.Valid == 0)) 1772 { 1773 /* PXE/PPE/PDE (still) not valid, kill the system */ 1774 KeBugCheckEx(PAGE_FAULT_IN_NONPAGED_AREA, 1775 (ULONG_PTR)Address, 1776 FaultCode, 1777 (ULONG_PTR)TrapInformation, 1778 2); 1779 } 1780 1781 /* Not handling session faults yet */ 1782 IsSessionAddress = MI_IS_SESSION_ADDRESS(Address); 1783 1784 /* The PDE is valid, so read the PTE */ 1785 TempPte = *PointerPte; 1786 if (TempPte.u.Hard.Valid == 1) 1787 { 1788 /* Check if this was system space or session space */ 1789 if (!IsSessionAddress) 1790 { 1791 /* Check if the PTE is still valid under PFN lock */ 1792 OldIrql = MiAcquirePfnLock(); 1793 TempPte = *PointerPte; 1794 if (TempPte.u.Hard.Valid) 1795 { 1796 /* Check if this was a write */ 1797 if (MI_IS_WRITE_ACCESS(FaultCode)) 1798 { 1799 /* Was it to a read-only page? */ 1800 Pfn1 = MI_PFN_ELEMENT(PointerPte->u.Hard.PageFrameNumber); 1801 if (!(PointerPte->u.Long & PTE_READWRITE) && 1802 !(Pfn1->OriginalPte.u.Soft.Protection & MM_READWRITE)) 1803 { 1804 /* Crash with distinguished bugcheck code */ 1805 KeBugCheckEx(ATTEMPTED_WRITE_TO_READONLY_MEMORY, 1806 (ULONG_PTR)Address, 1807 PointerPte->u.Long, 1808 (ULONG_PTR)TrapInformation, 1809 11); 1810 } 1811 } 1812 1813 /* Check for execution of non-executable memory */ 1814 if (MI_IS_INSTRUCTION_FETCH(FaultCode) && 1815 !MI_IS_PAGE_EXECUTABLE(&TempPte)) 1816 { 1817 KeBugCheckEx(ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY, 1818 (ULONG_PTR)Address, 1819 (ULONG_PTR)TempPte.u.Long, 1820 (ULONG_PTR)TrapInformation, 1821 1); 1822 } 1823 } 1824 1825 /* Release PFN lock and return all good */ 1826 MiReleasePfnLock(OldIrql); 1827 return STATUS_SUCCESS; 1828 } 1829 } 1830 #if (_MI_PAGING_LEVELS == 2) 1831 /* Check if this was a session PTE that needs to remap the session PDE */ 1832 if (MI_IS_SESSION_PTE(Address)) 1833 { 1834 /* Do the remapping */ 1835 Status = MiCheckPdeForSessionSpace(Address); 1836 if (!NT_SUCCESS(Status)) 1837 { 1838 /* It failed, this address is invalid */ 1839 KeBugCheckEx(PAGE_FAULT_IN_NONPAGED_AREA, 1840 (ULONG_PTR)Address, 1841 FaultCode, 1842 (ULONG_PTR)TrapInformation, 1843 6); 1844 } 1845 } 1846 #else 1847 1848 _WARN("Session space stuff is not implemented yet!") 1849 1850 #endif 1851 1852 /* Check for a fault on the page table or hyperspace */ 1853 if (MI_IS_PAGE_TABLE_OR_HYPER_ADDRESS(Address)) 1854 { 1855 #if (_MI_PAGING_LEVELS < 3) 1856 /* Windows does this check but I don't understand why -- it's done above! */ 1857 ASSERT(MiCheckPdeForPagedPool(Address) != STATUS_WAIT_1); 1858 #endif 1859 /* Handle this as a user mode fault */ 1860 goto UserFault; 1861 } 1862 1863 /* Get the current thread */ 1864 CurrentThread = PsGetCurrentThread(); 1865 1866 /* What kind of address is this */ 1867 if (!IsSessionAddress) 1868 { 1869 /* Use the system working set */ 1870 WorkingSet = &MmSystemCacheWs; 1871 CurrentProcess = NULL; 1872 1873 /* Make sure we don't have a recursive working set lock */ 1874 if ((CurrentThread->OwnsProcessWorkingSetExclusive) || 1875 (CurrentThread->OwnsProcessWorkingSetShared) || 1876 (CurrentThread->OwnsSystemWorkingSetExclusive) || 1877 (CurrentThread->OwnsSystemWorkingSetShared) || 1878 (CurrentThread->OwnsSessionWorkingSetExclusive) || 1879 (CurrentThread->OwnsSessionWorkingSetShared)) 1880 { 1881 /* Fail */ 1882 return STATUS_IN_PAGE_ERROR | 0x10000000; 1883 } 1884 } 1885 else 1886 { 1887 /* Use the session process and working set */ 1888 CurrentProcess = HYDRA_PROCESS; 1889 WorkingSet = &MmSessionSpace->GlobalVirtualAddress->Vm; 1890 1891 /* Make sure we don't have a recursive working set lock */ 1892 if ((CurrentThread->OwnsSessionWorkingSetExclusive) || 1893 (CurrentThread->OwnsSessionWorkingSetShared)) 1894 { 1895 /* Fail */ 1896 return STATUS_IN_PAGE_ERROR | 0x10000000; 1897 } 1898 } 1899 1900 /* Acquire the working set lock */ 1901 KeRaiseIrql(APC_LEVEL, &LockIrql); 1902 MiLockWorkingSet(CurrentThread, WorkingSet); 1903 1904 /* Re-read PTE now that we own the lock */ 1905 TempPte = *PointerPte; 1906 if (TempPte.u.Hard.Valid == 1) 1907 { 1908 /* Check if this was a write */ 1909 if (MI_IS_WRITE_ACCESS(FaultCode)) 1910 { 1911 /* Was it to a read-only page that is not copy on write? */ 1912 Pfn1 = MI_PFN_ELEMENT(PointerPte->u.Hard.PageFrameNumber); 1913 if (!(TempPte.u.Long & PTE_READWRITE) && 1914 !(Pfn1->OriginalPte.u.Soft.Protection & MM_READWRITE) && 1915 !MI_IS_PAGE_COPY_ON_WRITE(&TempPte)) 1916 { 1917 /* Case not yet handled */ 1918 ASSERT(!IsSessionAddress); 1919 1920 /* Crash with distinguished bugcheck code */ 1921 KeBugCheckEx(ATTEMPTED_WRITE_TO_READONLY_MEMORY, 1922 (ULONG_PTR)Address, 1923 TempPte.u.Long, 1924 (ULONG_PTR)TrapInformation, 1925 12); 1926 } 1927 } 1928 1929 /* Check for execution of non-executable memory */ 1930 if (MI_IS_INSTRUCTION_FETCH(FaultCode) && 1931 !MI_IS_PAGE_EXECUTABLE(&TempPte)) 1932 { 1933 KeBugCheckEx(ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY, 1934 (ULONG_PTR)Address, 1935 (ULONG_PTR)TempPte.u.Long, 1936 (ULONG_PTR)TrapInformation, 1937 2); 1938 } 1939 1940 /* Check for read-only write in session space */ 1941 if ((IsSessionAddress) && 1942 MI_IS_WRITE_ACCESS(FaultCode) && 1943 !MI_IS_PAGE_WRITEABLE(&TempPte)) 1944 { 1945 /* Sanity check */ 1946 ASSERT(MI_IS_SESSION_IMAGE_ADDRESS(Address)); 1947 1948 /* Was this COW? */ 1949 if (!MI_IS_PAGE_COPY_ON_WRITE(&TempPte)) 1950 { 1951 /* Then this is not allowed */ 1952 KeBugCheckEx(ATTEMPTED_WRITE_TO_READONLY_MEMORY, 1953 (ULONG_PTR)Address, 1954 (ULONG_PTR)TempPte.u.Long, 1955 (ULONG_PTR)TrapInformation, 1956 13); 1957 } 1958 1959 /* Otherwise, handle COW */ 1960 ASSERT(FALSE); 1961 } 1962 1963 /* Release the working set */ 1964 MiUnlockWorkingSet(CurrentThread, WorkingSet); 1965 KeLowerIrql(LockIrql); 1966 1967 /* Otherwise, the PDE was probably invalid, and all is good now */ 1968 return STATUS_SUCCESS; 1969 } 1970 1971 /* Check one kind of prototype PTE */ 1972 if (TempPte.u.Soft.Prototype) 1973 { 1974 /* Make sure protected pool is on, and that this is a pool address */ 1975 if ((MmProtectFreedNonPagedPool) && 1976 (((Address >= MmNonPagedPoolStart) && 1977 (Address < (PVOID)((ULONG_PTR)MmNonPagedPoolStart + 1978 MmSizeOfNonPagedPoolInBytes))) || 1979 ((Address >= MmNonPagedPoolExpansionStart) && 1980 (Address < MmNonPagedPoolEnd)))) 1981 { 1982 /* Bad boy, bad boy, whatcha gonna do, whatcha gonna do when ARM3 comes for you! */ 1983 KeBugCheckEx(DRIVER_CAUGHT_MODIFYING_FREED_POOL, 1984 (ULONG_PTR)Address, 1985 FaultCode, 1986 Mode, 1987 4); 1988 } 1989 1990 /* Get the prototype PTE! */ 1991 ProtoPte = MiProtoPteToPte(&TempPte); 1992 1993 /* Do we need to locate the prototype PTE in session space? */ 1994 if ((IsSessionAddress) && 1995 (TempPte.u.Soft.PageFileHigh == MI_PTE_LOOKUP_NEEDED)) 1996 { 1997 /* Yep, go find it as well as the VAD for it */ 1998 ProtoPte = MiCheckVirtualAddress(Address, 1999 &ProtectionCode, 2000 &Vad); 2001 ASSERT(ProtoPte != NULL); 2002 } 2003 } 2004 else 2005 { 2006 /* We don't implement transition PTEs */ 2007 ASSERT(TempPte.u.Soft.Transition == 0); 2008 2009 /* Check for no-access PTE */ 2010 if (TempPte.u.Soft.Protection == MM_NOACCESS) 2011 { 2012 /* Bugcheck the system! */ 2013 KeBugCheckEx(PAGE_FAULT_IN_NONPAGED_AREA, 2014 (ULONG_PTR)Address, 2015 FaultCode, 2016 (ULONG_PTR)TrapInformation, 2017 1); 2018 } 2019 2020 /* Check for no protecton at all */ 2021 if (TempPte.u.Soft.Protection == MM_ZERO_ACCESS) 2022 { 2023 /* Bugcheck the system! */ 2024 KeBugCheckEx(PAGE_FAULT_IN_NONPAGED_AREA, 2025 (ULONG_PTR)Address, 2026 FaultCode, 2027 (ULONG_PTR)TrapInformation, 2028 0); 2029 } 2030 } 2031 2032 /* Check for demand page */ 2033 if (MI_IS_WRITE_ACCESS(FaultCode) && 2034 !(ProtoPte) && 2035 !(IsSessionAddress) && 2036 !(TempPte.u.Hard.Valid)) 2037 { 2038 /* Get the protection code */ 2039 ASSERT(TempPte.u.Soft.Transition == 0); 2040 if (!(TempPte.u.Soft.Protection & MM_READWRITE)) 2041 { 2042 /* Bugcheck the system! */ 2043 KeBugCheckEx(ATTEMPTED_WRITE_TO_READONLY_MEMORY, 2044 (ULONG_PTR)Address, 2045 TempPte.u.Long, 2046 (ULONG_PTR)TrapInformation, 2047 14); 2048 } 2049 } 2050 2051 /* Now do the real fault handling */ 2052 Status = MiDispatchFault(FaultCode, 2053 Address, 2054 PointerPte, 2055 ProtoPte, 2056 FALSE, 2057 CurrentProcess, 2058 TrapInformation, 2059 NULL); 2060 2061 /* Release the working set */ 2062 ASSERT(KeAreAllApcsDisabled() == TRUE); 2063 MiUnlockWorkingSet(CurrentThread, WorkingSet); 2064 KeLowerIrql(LockIrql); 2065 2066 /* We are done! */ 2067 DPRINT("Fault resolved with status: %lx\n", Status); 2068 return Status; 2069 } 2070 2071 /* This is a user fault */ 2072 UserFault: 2073 CurrentThread = PsGetCurrentThread(); 2074 CurrentProcess = (PEPROCESS)CurrentThread->Tcb.ApcState.Process; 2075 2076 /* Lock the working set */ 2077 MiLockProcessWorkingSet(CurrentProcess, CurrentThread); 2078 2079 ProtectionCode = MM_INVALID_PROTECTION; 2080 2081 #if (_MI_PAGING_LEVELS == 4) 2082 /* Check if the PXE is valid */ 2083 if (PointerPxe->u.Hard.Valid == 0) 2084 { 2085 /* Right now, we only handle scenarios where the PXE is totally empty */ 2086 ASSERT(PointerPxe->u.Long == 0); 2087 2088 /* This is only possible for user mode addresses! */ 2089 ASSERT(PointerPte <= MiHighestUserPte); 2090 2091 /* Check if we have a VAD */ 2092 MiCheckVirtualAddress(Address, &ProtectionCode, &Vad); 2093 if (ProtectionCode == MM_NOACCESS) 2094 { 2095 MiUnlockProcessWorkingSet(CurrentProcess, CurrentThread); 2096 return STATUS_ACCESS_VIOLATION; 2097 } 2098 2099 /* Resolve a demand zero fault */ 2100 MiResolveDemandZeroFault(PointerPpe, 2101 PointerPxe, 2102 MM_READWRITE, 2103 CurrentProcess, 2104 MM_NOIRQL); 2105 2106 /* We should come back with a valid PXE */ 2107 ASSERT(PointerPxe->u.Hard.Valid == 1); 2108 } 2109 #endif 2110 2111 #if (_MI_PAGING_LEVELS >= 3) 2112 /* Check if the PPE is valid */ 2113 if (PointerPpe->u.Hard.Valid == 0) 2114 { 2115 /* Right now, we only handle scenarios where the PPE is totally empty */ 2116 ASSERT(PointerPpe->u.Long == 0); 2117 2118 /* This is only possible for user mode addresses! */ 2119 ASSERT(PointerPte <= MiHighestUserPte); 2120 2121 /* Check if we have a VAD, unless we did this already */ 2122 if (ProtectionCode == MM_INVALID_PROTECTION) 2123 { 2124 MiCheckVirtualAddress(Address, &ProtectionCode, &Vad); 2125 } 2126 2127 if (ProtectionCode == MM_NOACCESS) 2128 { 2129 MiUnlockProcessWorkingSet(CurrentProcess, CurrentThread); 2130 return STATUS_ACCESS_VIOLATION; 2131 } 2132 2133 /* Resolve a demand zero fault */ 2134 MiResolveDemandZeroFault(PointerPde, 2135 PointerPpe, 2136 MM_READWRITE, 2137 CurrentProcess, 2138 MM_NOIRQL); 2139 2140 /* We should come back with a valid PPE */ 2141 ASSERT(PointerPpe->u.Hard.Valid == 1); 2142 } 2143 #endif 2144 2145 /* Check if the PDE is invalid */ 2146 if (PointerPde->u.Hard.Valid == 0) 2147 { 2148 /* Right now, we only handle scenarios where the PDE is totally empty */ 2149 ASSERT(PointerPde->u.Long == 0); 2150 2151 /* And go dispatch the fault on the PDE. This should handle the demand-zero */ 2152 #if MI_TRACE_PFNS 2153 UserPdeFault = TRUE; 2154 #endif 2155 /* Check if we have a VAD, unless we did this already */ 2156 if (ProtectionCode == MM_INVALID_PROTECTION) 2157 { 2158 MiCheckVirtualAddress(Address, &ProtectionCode, &Vad); 2159 } 2160 2161 if (ProtectionCode == MM_NOACCESS) 2162 { 2163 #if (_MI_PAGING_LEVELS == 2) 2164 /* Could be a page table for paged pool */ 2165 MiCheckPdeForPagedPool(Address); 2166 #endif 2167 /* Has the code above changed anything -- is this now a valid PTE? */ 2168 Status = (PointerPde->u.Hard.Valid == 1) ? STATUS_SUCCESS : STATUS_ACCESS_VIOLATION; 2169 2170 /* Either this was a bogus VA or we've fixed up a paged pool PDE */ 2171 MiUnlockProcessWorkingSet(CurrentProcess, CurrentThread); 2172 return Status; 2173 } 2174 2175 /* Resolve a demand zero fault */ 2176 MiResolveDemandZeroFault(PointerPte, 2177 PointerPde, 2178 MM_READWRITE, 2179 CurrentProcess, 2180 MM_NOIRQL); 2181 #if MI_TRACE_PFNS 2182 UserPdeFault = FALSE; 2183 #endif 2184 /* We should come back with APCs enabled, and with a valid PDE */ 2185 ASSERT(KeAreAllApcsDisabled() == TRUE); 2186 ASSERT(PointerPde->u.Hard.Valid == 1); 2187 } 2188 else 2189 { 2190 /* Not yet implemented in ReactOS */ 2191 ASSERT(MI_IS_PAGE_LARGE(PointerPde) == FALSE); 2192 } 2193 2194 /* Now capture the PTE. */ 2195 TempPte = *PointerPte; 2196 2197 /* Check if the PTE is valid */ 2198 if (TempPte.u.Hard.Valid) 2199 { 2200 /* Check if this is a write on a readonly PTE */ 2201 if (MI_IS_WRITE_ACCESS(FaultCode)) 2202 { 2203 /* Is this a copy on write PTE? */ 2204 if (MI_IS_PAGE_COPY_ON_WRITE(&TempPte)) 2205 { 2206 PFN_NUMBER PageFrameIndex, OldPageFrameIndex; 2207 PMMPFN Pfn1; 2208 2209 LockIrql = MiAcquirePfnLock(); 2210 2211 ASSERT(MmAvailablePages > 0); 2212 2213 /* Allocate a new page and copy it */ 2214 PageFrameIndex = MiRemoveAnyPage(MI_GET_NEXT_PROCESS_COLOR(CurrentProcess)); 2215 OldPageFrameIndex = PFN_FROM_PTE(&TempPte); 2216 2217 MiCopyPfn(PageFrameIndex, OldPageFrameIndex); 2218 2219 /* Dereference whatever this PTE is referencing */ 2220 Pfn1 = MI_PFN_ELEMENT(OldPageFrameIndex); 2221 ASSERT(Pfn1->u3.e1.PrototypePte == 1); 2222 ASSERT(!MI_IS_PFN_DELETED(Pfn1)); 2223 ProtoPte = Pfn1->PteAddress; 2224 MiDeletePte(PointerPte, Address, CurrentProcess, ProtoPte); 2225 2226 /* And make a new shiny one with our page */ 2227 MiInitializePfn(PageFrameIndex, PointerPte, TRUE); 2228 TempPte.u.Hard.PageFrameNumber = PageFrameIndex; 2229 TempPte.u.Hard.Write = 1; 2230 TempPte.u.Hard.CopyOnWrite = 0; 2231 2232 MI_WRITE_VALID_PTE(PointerPte, TempPte); 2233 2234 MiReleasePfnLock(LockIrql); 2235 2236 /* Return the status */ 2237 MiUnlockProcessWorkingSet(CurrentProcess, CurrentThread); 2238 return STATUS_PAGE_FAULT_COPY_ON_WRITE; 2239 } 2240 2241 /* Is this a read-only PTE? */ 2242 if (!MI_IS_PAGE_WRITEABLE(&TempPte)) 2243 { 2244 /* Return the status */ 2245 MiUnlockProcessWorkingSet(CurrentProcess, CurrentThread); 2246 return STATUS_ACCESS_VIOLATION; 2247 } 2248 } 2249 2250 /* Check for execution of non-executable memory */ 2251 if (MI_IS_INSTRUCTION_FETCH(FaultCode) && 2252 !MI_IS_PAGE_EXECUTABLE(&TempPte)) 2253 { 2254 /* Return the status */ 2255 MiUnlockProcessWorkingSet(CurrentProcess, CurrentThread); 2256 return STATUS_ACCESS_VIOLATION; 2257 } 2258 2259 /* The fault has already been resolved by a different thread */ 2260 MiUnlockProcessWorkingSet(CurrentProcess, CurrentThread); 2261 return STATUS_SUCCESS; 2262 } 2263 2264 /* Quick check for demand-zero */ 2265 if (TempPte.u.Long == (MM_READWRITE << MM_PTE_SOFTWARE_PROTECTION_BITS)) 2266 { 2267 /* Resolve the fault */ 2268 MiResolveDemandZeroFault(Address, 2269 PointerPte, 2270 MM_READWRITE, 2271 CurrentProcess, 2272 MM_NOIRQL); 2273 2274 /* Return the status */ 2275 MiUnlockProcessWorkingSet(CurrentProcess, CurrentThread); 2276 return STATUS_PAGE_FAULT_DEMAND_ZERO; 2277 } 2278 2279 /* Check for zero PTE */ 2280 if (TempPte.u.Long == 0) 2281 { 2282 /* Check if this address range belongs to a valid allocation (VAD) */ 2283 ProtoPte = MiCheckVirtualAddress(Address, &ProtectionCode, &Vad); 2284 if (ProtectionCode == MM_NOACCESS) 2285 { 2286 #if (_MI_PAGING_LEVELS == 2) 2287 /* Could be a page table for paged pool */ 2288 MiCheckPdeForPagedPool(Address); 2289 #endif 2290 /* Has the code above changed anything -- is this now a valid PTE? */ 2291 Status = (PointerPte->u.Hard.Valid == 1) ? STATUS_SUCCESS : STATUS_ACCESS_VIOLATION; 2292 2293 /* Either this was a bogus VA or we've fixed up a paged pool PDE */ 2294 MiUnlockProcessWorkingSet(CurrentProcess, CurrentThread); 2295 return Status; 2296 } 2297 2298 /* 2299 * Check if this is a real user-mode address or actually a kernel-mode 2300 * page table for a user mode address 2301 */ 2302 if (Address <= MM_HIGHEST_USER_ADDRESS) 2303 { 2304 /* Add an additional page table reference */ 2305 MiIncrementPageTableReferences(Address); 2306 } 2307 2308 /* Is this a guard page? */ 2309 if ((ProtectionCode & MM_PROTECT_SPECIAL) == MM_GUARDPAGE) 2310 { 2311 /* The VAD protection cannot be MM_DECOMMIT! */ 2312 ASSERT(ProtectionCode != MM_DECOMMIT); 2313 2314 /* Remove the bit */ 2315 TempPte.u.Soft.Protection = ProtectionCode & ~MM_GUARDPAGE; 2316 MI_WRITE_INVALID_PTE(PointerPte, TempPte); 2317 2318 /* Not supported */ 2319 ASSERT(ProtoPte == NULL); 2320 ASSERT(CurrentThread->ApcNeeded == 0); 2321 2322 /* Drop the working set lock */ 2323 MiUnlockProcessWorkingSet(CurrentProcess, CurrentThread); 2324 ASSERT(KeGetCurrentIrql() == OldIrql); 2325 2326 /* Handle stack expansion */ 2327 return MiCheckForUserStackOverflow(Address, TrapInformation); 2328 } 2329 2330 /* Did we get a prototype PTE back? */ 2331 if (!ProtoPte) 2332 { 2333 /* Is this PTE actually part of the PDE-PTE self-mapping directory? */ 2334 if (PointerPde == MiAddressToPde(PTE_BASE)) 2335 { 2336 /* Then it's really a demand-zero PDE (on behalf of user-mode) */ 2337 #ifdef _M_ARM 2338 _WARN("This is probably completely broken!"); 2339 MI_WRITE_INVALID_PDE((PMMPDE)PointerPte, DemandZeroPde); 2340 #else 2341 MI_WRITE_INVALID_PTE(PointerPte, DemandZeroPde); 2342 #endif 2343 } 2344 else 2345 { 2346 /* No, create a new PTE. First, write the protection */ 2347 TempPte.u.Soft.Protection = ProtectionCode; 2348 MI_WRITE_INVALID_PTE(PointerPte, TempPte); 2349 } 2350 2351 /* Lock the PFN database since we're going to grab a page */ 2352 OldIrql = MiAcquirePfnLock(); 2353 2354 /* Make sure we have enough pages */ 2355 ASSERT(MmAvailablePages >= 32); 2356 2357 /* Try to get a zero page */ 2358 MI_SET_USAGE(MI_USAGE_PEB_TEB); 2359 MI_SET_PROCESS2(CurrentProcess->ImageFileName); 2360 Color = MI_GET_NEXT_PROCESS_COLOR(CurrentProcess); 2361 PageFrameIndex = MiRemoveZeroPageSafe(Color); 2362 if (!PageFrameIndex) 2363 { 2364 /* Grab a page out of there. Later we should grab a colored zero page */ 2365 PageFrameIndex = MiRemoveAnyPage(Color); 2366 ASSERT(PageFrameIndex); 2367 2368 /* Release the lock since we need to do some zeroing */ 2369 MiReleasePfnLock(OldIrql); 2370 2371 /* Zero out the page, since it's for user-mode */ 2372 MiZeroPfn(PageFrameIndex); 2373 2374 /* Grab the lock again so we can initialize the PFN entry */ 2375 OldIrql = MiAcquirePfnLock(); 2376 } 2377 2378 /* Initialize the PFN entry now */ 2379 MiInitializePfn(PageFrameIndex, PointerPte, 1); 2380 2381 /* Increment the count of pages in the process */ 2382 CurrentProcess->NumberOfPrivatePages++; 2383 2384 /* One more demand-zero fault */ 2385 KeGetCurrentPrcb()->MmDemandZeroCount++; 2386 2387 /* And we're done with the lock */ 2388 MiReleasePfnLock(OldIrql); 2389 2390 /* Fault on user PDE, or fault on user PTE? */ 2391 if (PointerPte <= MiHighestUserPte) 2392 { 2393 /* User fault, build a user PTE */ 2394 MI_MAKE_HARDWARE_PTE_USER(&TempPte, 2395 PointerPte, 2396 PointerPte->u.Soft.Protection, 2397 PageFrameIndex); 2398 } 2399 else 2400 { 2401 /* This is a user-mode PDE, create a kernel PTE for it */ 2402 MI_MAKE_HARDWARE_PTE(&TempPte, 2403 PointerPte, 2404 PointerPte->u.Soft.Protection, 2405 PageFrameIndex); 2406 } 2407 2408 /* Write the dirty bit for writeable pages */ 2409 if (MI_IS_PAGE_WRITEABLE(&TempPte)) MI_MAKE_DIRTY_PAGE(&TempPte); 2410 2411 /* And now write down the PTE, making the address valid */ 2412 MI_WRITE_VALID_PTE(PointerPte, TempPte); 2413 Pfn1 = MI_PFN_ELEMENT(PageFrameIndex); 2414 ASSERT(Pfn1->u1.Event == NULL); 2415 2416 /* Demand zero */ 2417 ASSERT(KeGetCurrentIrql() <= APC_LEVEL); 2418 MiUnlockProcessWorkingSet(CurrentProcess, CurrentThread); 2419 return STATUS_PAGE_FAULT_DEMAND_ZERO; 2420 } 2421 2422 /* We should have a valid protection here */ 2423 ASSERT(ProtectionCode != 0x100); 2424 2425 /* Write the prototype PTE */ 2426 TempPte = PrototypePte; 2427 TempPte.u.Soft.Protection = ProtectionCode; 2428 ASSERT(TempPte.u.Long != 0); 2429 MI_WRITE_INVALID_PTE(PointerPte, TempPte); 2430 } 2431 else 2432 { 2433 /* Get the protection code and check if this is a proto PTE */ 2434 ProtectionCode = (ULONG)TempPte.u.Soft.Protection; 2435 if (TempPte.u.Soft.Prototype) 2436 { 2437 /* Do we need to go find the real PTE? */ 2438 if (TempPte.u.Soft.PageFileHigh == MI_PTE_LOOKUP_NEEDED) 2439 { 2440 /* Get the prototype pte and VAD for it */ 2441 ProtoPte = MiCheckVirtualAddress(Address, 2442 &ProtectionCode, 2443 &Vad); 2444 if (!ProtoPte) 2445 { 2446 ASSERT(KeGetCurrentIrql() <= APC_LEVEL); 2447 MiUnlockProcessWorkingSet(CurrentProcess, CurrentThread); 2448 return STATUS_ACCESS_VIOLATION; 2449 } 2450 } 2451 else 2452 { 2453 /* Get the prototype PTE! */ 2454 ProtoPte = MiProtoPteToPte(&TempPte); 2455 2456 /* Is it read-only */ 2457 if (TempPte.u.Proto.ReadOnly) 2458 { 2459 /* Set read-only code */ 2460 ProtectionCode = MM_READONLY; 2461 } 2462 else 2463 { 2464 /* Set unknown protection */ 2465 ProtectionCode = 0x100; 2466 ASSERT(CurrentProcess->CloneRoot != NULL); 2467 } 2468 } 2469 } 2470 } 2471 2472 /* Do we have a valid protection code? */ 2473 if (ProtectionCode != 0x100) 2474 { 2475 /* Run a software access check first, including to detect guard pages */ 2476 Status = MiAccessCheck(PointerPte, 2477 !MI_IS_NOT_PRESENT_FAULT(FaultCode), 2478 Mode, 2479 ProtectionCode, 2480 TrapInformation, 2481 FALSE); 2482 if (Status != STATUS_SUCCESS) 2483 { 2484 /* Not supported */ 2485 ASSERT(CurrentThread->ApcNeeded == 0); 2486 2487 /* Drop the working set lock */ 2488 MiUnlockProcessWorkingSet(CurrentProcess, CurrentThread); 2489 ASSERT(KeGetCurrentIrql() == OldIrql); 2490 2491 /* Did we hit a guard page? */ 2492 if (Status == STATUS_GUARD_PAGE_VIOLATION) 2493 { 2494 /* Handle stack expansion */ 2495 return MiCheckForUserStackOverflow(Address, TrapInformation); 2496 } 2497 2498 /* Otherwise, fail back to the caller directly */ 2499 return Status; 2500 } 2501 } 2502 2503 /* Dispatch the fault */ 2504 Status = MiDispatchFault(FaultCode, 2505 Address, 2506 PointerPte, 2507 ProtoPte, 2508 FALSE, 2509 CurrentProcess, 2510 TrapInformation, 2511 Vad); 2512 2513 /* Return the status */ 2514 ASSERT(KeGetCurrentIrql() <= APC_LEVEL); 2515 MiUnlockProcessWorkingSet(CurrentProcess, CurrentThread); 2516 return Status; 2517 } 2518 2519 NTSTATUS 2520 NTAPI 2521 MmGetExecuteOptions(IN PULONG ExecuteOptions) 2522 { 2523 PKPROCESS CurrentProcess = &PsGetCurrentProcess()->Pcb; 2524 ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL); 2525 2526 *ExecuteOptions = 0; 2527 2528 if (CurrentProcess->Flags.ExecuteDisable) 2529 { 2530 *ExecuteOptions |= MEM_EXECUTE_OPTION_DISABLE; 2531 } 2532 2533 if (CurrentProcess->Flags.ExecuteEnable) 2534 { 2535 *ExecuteOptions |= MEM_EXECUTE_OPTION_ENABLE; 2536 } 2537 2538 if (CurrentProcess->Flags.DisableThunkEmulation) 2539 { 2540 *ExecuteOptions |= MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION; 2541 } 2542 2543 if (CurrentProcess->Flags.Permanent) 2544 { 2545 *ExecuteOptions |= MEM_EXECUTE_OPTION_PERMANENT; 2546 } 2547 2548 if (CurrentProcess->Flags.ExecuteDispatchEnable) 2549 { 2550 *ExecuteOptions |= MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE; 2551 } 2552 2553 if (CurrentProcess->Flags.ImageDispatchEnable) 2554 { 2555 *ExecuteOptions |= MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE; 2556 } 2557 2558 return STATUS_SUCCESS; 2559 } 2560 2561 NTSTATUS 2562 NTAPI 2563 MmSetExecuteOptions(IN ULONG ExecuteOptions) 2564 { 2565 PKPROCESS CurrentProcess = &PsGetCurrentProcess()->Pcb; 2566 KLOCK_QUEUE_HANDLE ProcessLock; 2567 NTSTATUS Status = STATUS_ACCESS_DENIED; 2568 ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL); 2569 2570 /* Only accept valid flags */ 2571 if (ExecuteOptions & ~MEM_EXECUTE_OPTION_VALID_FLAGS) 2572 { 2573 /* Fail */ 2574 DPRINT1("Invalid no-execute options\n"); 2575 return STATUS_INVALID_PARAMETER; 2576 } 2577 2578 /* Change the NX state in the process lock */ 2579 KiAcquireProcessLock(CurrentProcess, &ProcessLock); 2580 2581 /* Don't change anything if the permanent flag was set */ 2582 if (!CurrentProcess->Flags.Permanent) 2583 { 2584 /* Start by assuming it's not disabled */ 2585 CurrentProcess->Flags.ExecuteDisable = FALSE; 2586 2587 /* Now process each flag and turn the equivalent bit on */ 2588 if (ExecuteOptions & MEM_EXECUTE_OPTION_DISABLE) 2589 { 2590 CurrentProcess->Flags.ExecuteDisable = TRUE; 2591 } 2592 if (ExecuteOptions & MEM_EXECUTE_OPTION_ENABLE) 2593 { 2594 CurrentProcess->Flags.ExecuteEnable = TRUE; 2595 } 2596 if (ExecuteOptions & MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION) 2597 { 2598 CurrentProcess->Flags.DisableThunkEmulation = TRUE; 2599 } 2600 if (ExecuteOptions & MEM_EXECUTE_OPTION_PERMANENT) 2601 { 2602 CurrentProcess->Flags.Permanent = TRUE; 2603 } 2604 if (ExecuteOptions & MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE) 2605 { 2606 CurrentProcess->Flags.ExecuteDispatchEnable = TRUE; 2607 } 2608 if (ExecuteOptions & MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE) 2609 { 2610 CurrentProcess->Flags.ImageDispatchEnable = TRUE; 2611 } 2612 2613 /* These are turned on by default if no-execution is also eanbled */ 2614 if (CurrentProcess->Flags.ExecuteEnable) 2615 { 2616 CurrentProcess->Flags.ExecuteDispatchEnable = TRUE; 2617 CurrentProcess->Flags.ImageDispatchEnable = TRUE; 2618 } 2619 2620 /* All good */ 2621 Status = STATUS_SUCCESS; 2622 } 2623 2624 /* Release the lock and return status */ 2625 KiReleaseProcessLock(&ProcessLock); 2626 return Status; 2627 } 2628 2629 /* EOF */ 2630