From 6ef328578c7b5b4ac125de3f92a5f9f407a9b83a Mon Sep 17 00:00:00 2001
From: Sir Richard
Date: Tue, 28 Sep 2010 16:44:18 +0000
Subject: [PATCH] [NTOS]: The RMAP entry only has a valid process if the address is in user-space, otherwise process is NULL. Only attempt to acquire the process rundown lock if a process actually exists. Fixes crashes caused by 48905.

svn path=/trunk/; revision=48921
---
 reactos/ntoskrnl/mm/rmap.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/reactos/ntoskrnl/mm/rmap.c b/reactos/ntoskrnl/mm/rmap.c
index 79713001768..8d6b7a6aab4 100644
--- a/reactos/ntoskrnl/mm/rmap.c
+++ b/reactos/ntoskrnl/mm/rmap.c
@@ -75,12 +75,6 @@ MmPageOutPhysicalAddress(PFN_NUMBER Page)
 }
 Process = entry->Process;
- if (!ExAcquireRundownProtection(&Process->RundownProtect))
- {
- ExReleaseFastMutex(&RmapListLock);
- return STATUS_PROCESS_IS_TERMINATING;
- }
-
 Address = entry->Address;
 if ((((ULONG_PTR)Address) & 0xFFF) != 0)
 {
@@ -89,6 +83,12 @@ MmPageOutPhysicalAddress(PFN_NUMBER Page)
 if (Address < MmSystemRangeStart)
 {
+ if (!ExAcquireRundownProtection(&Process->RundownProtect))
+ {
+ ExReleaseFastMutex(&RmapListLock);
+ return STATUS_PROCESS_IS_TERMINATING;
+ }
+
 Status = ObReferenceObjectByPointer(Process, PROCESS_ALL_ACCESS, NULL, KernelMode);
 ExReleaseFastMutex(&RmapListLock);
 if (!NT_SUCCESS(Status))
@@ -109,9 +109,9 @@ MmPageOutPhysicalAddress(PFN_NUMBER Page)
 if (MemoryArea == NULL || MemoryArea->DeleteInProgress)
 {
 MmUnlockAddressSpace(AddressSpace);
- ExReleaseRundownProtection(&Process->RundownProtect);
 if (Address < MmSystemRangeStart)
 {
+ ExReleaseRundownProtection(&Process->RundownProtect);
 ObDereferenceObject(Process);
 }
 return(STATUS_UNSUCCESSFUL);
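Review bot: `Process = entry->Process;` is kept, but nothing at that line records that the pointer is NULL for kernel-space mappings, which is the whole reason the acquire was moved and is currently stated only in the commit message. A comment there would stop the next reader from reintroducing the crash, e.g. `/* Process is NULL for kernel-space addresses; dereference it only under the Address < MmSystemRangeStart check */`. MmPageOutPhysicalAddress starts before this hunk.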
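Review bot: The rundown protection taken by the added lines is not released on the `!NT_SUCCESS(Status)` path after ObReferenceObjectByPointer unless the branch body, which lies outside the hunk, does so; every other exit visible in this patch releases it inside the `Address < MmSystemRangeStart` block, so this path looks like the odd one out. If that branch simply returns Status, add `ExReleaseRundownProtection(&Process->RundownProtect);` before the return. The list lock has already been dropped at that point, so a leaked rundown reference would presumably leave the process unable to complete its rundown rather than crash, which makes it easy to miss in testing.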
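Review bot: The same exit sequence, unlock the address space, then release the rundown protection and dereference the process only for user-space addresses, is now repeated verbatim in this hunk and in the hunks at @@ -131, @@ -157 and @@ -181, and each copy has to keep the release inside the `Address < MmSystemRangeStart` guard or the NULL-Process crash comes back. Factoring the guarded pair into a small static helper keeps that invariant in one place, and an `ASSERT(Process != NULL);` inside the guard would catch an rmap entry that breaks it on checked builds. The helper name below is constructed for the proposal; the call sites would replace the guarded block at each of the four exits.
```c
/* Drop the references taken on the owning process of a user-space
 * mapping; kernel-space rmap entries carry no process (Process == NULL). */
static VOID
MiReleaseRmapProcess(PEPROCESS Process, PVOID Address)
{
    if (Address < MmSystemRangeStart)
    {
        ASSERT(Process != NULL);
        ExReleaseRundownProtection(&Process->RundownProtect);
        ObDereferenceObject(Process);
    }
}

/* … unchanged: MmPageOutPhysicalAddress up to each failure exit … */
        MmUnlockAddressSpace(AddressSpace);
        MiReleaseRmapProcess(Process, Address);
        return(STATUS_UNSUCCESSFUL);
```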
@@ -131,9 +131,9 @@ MmPageOutPhysicalAddress(PFN_NUMBER Page)
 if (PageOp == NULL)
 {
 MmUnlockAddressSpace(AddressSpace);
- ExReleaseRundownProtection(&Process->RundownProtect);
 if (Address < MmSystemRangeStart)
 {
+ ExReleaseRundownProtection(&Process->RundownProtect);
 ObDereferenceObject(Process);
 }
 return(STATUS_UNSUCCESSFUL);
@@ -157,9 +157,9 @@ MmPageOutPhysicalAddress(PFN_NUMBER Page)
 if (PageOp == NULL)
 {
 MmUnlockAddressSpace(AddressSpace);
- ExReleaseRundownProtection(&Process->RundownProtect);
 if (Address < MmSystemRangeStart)
 {
+ ExReleaseRundownProtection(&Process->RundownProtect);
 ObDereferenceObject(Process);
 }
 return(STATUS_UNSUCCESSFUL);
@@ -181,10 +181,9 @@ MmPageOutPhysicalAddress(PFN_NUMBER Page)
 KeBugCheck(MEMORY_MANAGEMENT);
 }
- ExReleaseRundownProtection(&Process->RundownProtect);
-
 if (Address < MmSystemRangeStart)
 {
+ ExReleaseRundownProtection(&Process->RundownProtect);
 ObDereferenceObject(Process);
 }
 return(Status);