Author: sir_richard
Date: Fri Feb 19 18:45:10 2010
New Revision: 45620

URL: http://svn.reactos.org/svn/reactos?rev=45620&view=rev
Log:
[NTOS]: Fix off-by-one error in MDL locking which caused the last PFN not to be referenced if it was part of a locked MDL, because it was assumed to be "higher than the last PFN". This further caused the entire MDL to be incorrectly treated as an I/O space mapping. Later, when unlocked, the last PFN's reference count would drop to 0, and the virtual memory range that had been locked would now be using a freed page, that would get re-used later. Noticed this bug because my WC changes allocation strategies to increase the chance of pages at the end to be used, and the last PFN was being used a lot due to this.

Modified: trunk/reactos/ntoskrnl/mm/ARM3/mdlsup.c
Modified: trunk/reactos/ntoskrnl/mm/ARM3/mdlsup.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/mm/ARM3/mdlsup.c?r... ============================================================================== --- trunk/reactos/ntoskrnl/mm/ARM3/mdlsup.c [iso-8859-1] (original) +++ trunk/reactos/ntoskrnl/mm/ARM3/mdlsup.c [iso-8859-1] Fri Feb 19 18:45:10 2010 @@ -954,7 +954,7 @@ // Grab the PFN // PageFrameIndex = PFN_FROM_PTE(PointerPte); - if (PageFrameIndex < MmHighestPhysicalPage) + if (PageFrameIndex <= MmHighestPhysicalPage) { // // Get the PFN entry
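
Review bot: the comment above the changed comparison still reads only "Grab the PFN", so nothing at the "PageFrameIndex <= MmHighestPhysicalPage" line records that MmHighestPhysicalPage is itself a valid page with a PFN entry, which is exactly what the old "<" got wrong. A one-line comment stating that the bound is inclusive would keep the check from being "corrected" back later. Since the log says a page failing this test makes the whole MDL be treated as I/O space, and that the unlock path then dropped a reference the lock path never took, it is also worth confirming that every other comparison against MmHighestPhysicalPage in mdlsup.c, the unlock side in particular, uses the same inclusive bound so the two paths always agree on which pages are reference counted.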