[NTOS:MM] Fix a race

2024-12-28 01:55:19 +00:00 · 2020-12-30 09:43:55 +01:00 · 2020-12-30 09:43:55 +01:00 · 8ed15a49a7
commit 8ed15a49a7
parent 11eee4eeec
2 changed files with 32 additions and 2 deletions
--- a/ntoskrnl/mm/freelist.c
+++ b/ntoskrnl/mm/freelist.c
@ -436,7 +436,12 @@ MmGetRmapListHeadPage(PFN_NUMBER Pfn)
    /* Get the entry */
    Pfn1 = MiGetPfnEntry(Pfn);
    ASSERT(Pfn1);
-    ASSERT_IS_ROS_PFN(Pfn1);
+
+    if (!MI_IS_ROS_PFN(Pfn1))
+    {
+        MiReleasePfnLock(oldIrql);
+        return NULL;
+    }

    /* Get the list head */
    ListHead = Pfn1->RmapListHead;
--- a/ntoskrnl/mm/rmap.c
+++ b/ntoskrnl/mm/rmap.c
@ -149,7 +149,32 @@ MmPageOutPhysicalAddress(PFN_NUMBER Page)

        /* Delete this virtual mapping in the process */
        MmDeleteVirtualMapping(Process, Address, &Dirty, &MapPage);
-        ASSERT(MapPage == Page);
+
+        /* There is a window betwwen the start of this function and now,
+         * where it's possible that the process changed its memory layout,
+         * because of copy-on-write, unmapping memory, or whatsoever.
+         * Just go away if that is the case */
+        if (MapPage != Page)
+        {
+            PMM_REGION Region = MmFindRegion((PVOID)MA_GetStartingAddress(MemoryArea),
+                            &MemoryArea->SectionData.RegionListHead,
+                            Address, NULL);
+            /* Restore the mapping */
+            MmCreateVirtualMapping(Process, Address, Region->Protect, &MapPage, 1);
+            if (Dirty)
+                MmSetDirtyPage(Process, Address);
+
+            MmUnlockSectionSegment(Segment);
+            MmUnlockAddressSpace(AddressSpace);
+            if (Address < MmSystemRangeStart)
+            {
+                ExReleaseRundownProtection(&Process->RundownProtect);
+                ObDereferenceObject(Process);
+            }
+
+            /* We can still try to flush it to disk, though */
+            goto WriteSegment;
+        }

        if (Page != PFN_FROM_SSE(Entry))
        {