Author: sir_richard
Date: Fri Feb 19 18:45:10 2010
New Revision: 45620
URL:
http://svn.reactos.org/svn/reactos?rev=45620&view=rev
Log:
[NTOS]: Fix off-by-one error in MDL locking which caused the last PFN not to be referenced
if it was part of a locked MDL, because it was assumed to be "higher than the last
PFN". This further caused the entire MDL to be incorrectly treated as an I/O space
mapping. Later, when unlocked, the last PFN's reference count would drop to 0, and the
virtual memory range that had been locked would now be using a freed page, that would get
re-used later. Noticed this bug because my WC changes allocation strategies to increase
the chance of pages at the end to be used, and the last PFN was being used a lot due to
this.
Modified:
trunk/reactos/ntoskrnl/mm/ARM3/mdlsup.c
Modified: trunk/reactos/ntoskrnl/mm/ARM3/mdlsup.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/mm/ARM3/mdlsup.c?…
==============================================================================
--- trunk/reactos/ntoskrnl/mm/ARM3/mdlsup.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/mm/ARM3/mdlsup.c [iso-8859-1] Fri Feb 19 18:45:10 2010
@@ -954,7 +954,7 @@
// Grab the PFN
//
PageFrameIndex = PFN_FROM_PTE(PointerPte);
- if (PageFrameIndex < MmHighestPhysicalPage)
+ if (PageFrameIndex <= MmHighestPhysicalPage)
{
//
// Get the PFN entry
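Review bot: At `if (PageFrameIndex <= MmHighestPhysicalPage)`, nothing documents that MmHighestPhysicalPage is itself a valid PFN and not a one-past-the-end count; the only comment above the check is "Grab the PFN", which is how the exclusive comparison went unnoticed. Suggest adding a one-line comment there saying the bound is inclusive and that anything above it is treated as I/O space. Since the log describes the failure surfacing at unlock time, when the last PFN's reference count drops to 0, the other comparisons against MmHighestPhysicalPage in mdlsup.c (the unlock path in particular) should be checked for the same `<` so that lock and unlock classify the last page identically. This hunk only shows the lock-side check, so that cannot be confirmed from the diff alone.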