关于MDL的一些事（2）

对驱动程序采用
Direct I/O
方式进行数据读的测试



采用这种方式进行读数据时，
I/O Manager

调用
MmProbeAndLockPages

将
ReadFile

参数提供的用户空间缓冲区对应的物理页面锁定为不可换出，然后将得到的MDL放在Irp->MdlAddress里，将IRP传递给相应驱动程序的DispatchRead。根据Walter
Oney在书中的描述，此时I/O
Manager的行为可以用下面的代码来描述：

KPROCESSOR_MODE mode;   // <== either KernelMode or UserMode
PMDL mdl = IoAllocateMdl(uva, length, FALSE, TRUE, Irp);
MmProbeAndLockPages(mdl, mode,
reading ? IoWriteAccess : IoReadAccess);
<code to send and await IRP>
MmUnlockPages(mdl);
IoFreeMdl(mdl);

这里主要关注的地方是MmProbeAndLockPages有没有进行实际的虚拟地址的映射，即将物理页面映射到内核地址空间中。我们用下面的驱动代码来测试这一行为。

NTSTATUS DispatchRead(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
PVOID pSysAddr;
PMDL pMDL = pIrp->MdlAddress;
DbgPrint("******************DispatchRead******************/n");
DbgPrint("Before MmGetSystemAddressForMdlSafe/n");
OutputMDL(pMDL);
pSysAddr = MmGetSystemAddressForMdlSafe(pMDL,LowPagePriority);
if(!pSysAddr) {
DbgPrint("MmGetSystemAddressForMdlSafe failed./n");
return STATUS_SUCCESS;
}

DbgPrint("After MmGetSystemAddressForMdlSafe/n");
OutputMDL(pMDL);
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = MmGetMdlByteCount(pMDL);
IoCompleteRequest(pIrp,IO_NO_INCREMENT);

return STATUS_SUCCESS;
}

再写一个应用程序来发起一个读操作：

void TestMDLDriver()
{
HANDLE hDevice;
BOOL bRet;
DWORD dwRead;
BYTE buf[10000] = {'S','Q','U','I'};
hDevice = CreateFile(_T("////.//MDLTest"),GENERIC_READ,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if(hDevice==INVALID_HANDLE_VALUE)
{
fprintf(stderr,"CreateFile error : %d/n",GetLastError());
return;
}
//issue a read request
bRet = ReadFile(hDevice,buf,sizeof(buf),&dwRead,NULL);
if(!bRet)
{
fprintf(stderr,"ReadFile error : %d/n",GetLastError());
return;
}
printf("Read bytes:%d/n",dwRead);
//
CloseHandle(hDevice);
}

导致的内核输出如下：

00000009	4.27463436	******************DispatchRead******************
00000010	4.27464771	Before MmGetSystemAddressForMdlSafe
00000011	4.27465439	MDL_TEST: Size=40
00000012	4.27466011	MDL_TEST: MdlFlags=0x008a
00000013	4.27466583	MDL_TEST: Process=0x86ca7b58
00000014	4.27467155	MDL_TEST: MappedSystemVa=0x92b1f000
00000015	4.27467775	MDL_TEST: StartVa=0x001ad000
00000016	4.27468348	MDL_TEST: ByteCount=10000
00000017	4.27468824	MDL_TEST: ByteOffset=1148
00000018	4.27469397	MDL_TEST: p[0]=0x00064429
00000019	4.27469969	MDL_TEST: p[1]=0x000619fc
00000020	4.27470541	MDL_TEST: p[2]=0x000618ee
00000021	4.27471066	MDL_TEST: p[3]=0x00060749
00000022	4.27471685	MDL_TEST: p[4]=0x86abca24
00000023	4.27472448	After MmGetSystemAddressForMdlSafe
00000024	4.27472973	MDL_TEST: Size=40
00000025	4.27473545	MDL_TEST: MdlFlags=0x008b
00000026	4.27474070	MDL_TEST: Process=0x86ca7b58
00000027	4.27474689	MDL_TEST: MappedSystemVa=0xb01e747c
00000028	4.27475214	MDL_TEST: StartVa=0x001ad000
00000029	4.27475786	MDL_TEST: ByteCount=10000
00000030	4.27476311	MDL_TEST: ByteOffset=1148
00000031	4.27476835	MDL_TEST: p[0]=0x00064429
00000032	4.27477455	MDL_TEST: p[1]=0x000619fc
00000033	4.27477980	MDL_TEST: p[2]=0x000618ee
00000034	4.27478504	MDL_TEST: p[3]=0x00060749
00000035	4.27479029	MDL_TEST: p[4]=0x86abca24

此时从VS的调试器中看到，应用程序中buf[10000]的地址为0x001ad47c

从输出可以得到如下结论：

1.MmProbeAndLockPages并不将物理页面映射到内核地址空间，而仅锁定物理页面；MappedSystemVa的变化可以显示这一点

2.buf的地址=StartVa+ByteOffset；

3.MmGetSystemAddressForMdlSafe进行实际的映射操作，并设置MdlFlags的MDL_MAPPED_TO_SYSTEM_VA标志。

4.MmProbeAndLockPages将MdlFlags=MDL_WRITE_OPERATION |
MDL_ALLOCATED_FIXED_SIZE | MDL_PAGES_LOCKED