MmMapIoSpace causes Bug Check 0x1A

I have a very simple code running on windows 10 build # 1607, when I call MmMapIoSpace with size of 1MB (?0x100000?) with MmNonCached or MmCached I get a Bug Check 0x1A with 0x1233 as parameter.
This does not happen on other windows 10 machines similar build. For instance on skylake i7 it works versus on Xeon platforms does not work.
Wondering what could be the issue or am I doing anything incorrect and if so how can I make my code to run across all the hardware platforms…any pointer to where should I start looking would greatly be appreciated…

Thanks in advance…

xxxxx@yahoo.com wrote:

I have a very simple code running on windows 10 build # 1607, when I call MmMapIoSpace with size of 1MB (?0x100000?) with MmNonCached or MmCached I get a Bug Check 0x1A with 0x1233 as parameter.

The obvious unanswered question is, where did you get the physical
address? 0x1233 suggests that the page you accessed is not locked.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I do following:

LARGE_INTEGER PhysicalAddr = { 0 };
PhysicalAddr.QuadPart = 0x00100000;

Thanks…

xxxxx@yahoo.com wrote:

I do following:

LARGE_INTEGER PhysicalAddr = { 0 };
PhysicalAddr.QuadPart = 0x00100000;

What led you to think that is a legitimate thing to do? The cache
attributes of your new mapping have to match that of any existing
mapping. You don’t know anything about how that range is already being
mapped. It’s quite possible that the mapping is different on different
processors.

am I doing anything incorrect

Absolutely, yes. Why do you want this?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> What led you to think that is a legitimate thing to do? The cache…
Are you saying that I am getting lucky on the machine which I have working.

Absolutely, yes. Why do you want this?
Within our product offering we have a customer visible API that they can call after passing a physical address and in return get a mapped address with the caching attributes we want. We of course do not want them to run into bug checks therefore want to be proactive and detect the violation that can lead to system crash, wondering if I can possibly achieve that.

Thanks…

xxxxx@yahoo.com wrote:

> What led you to think that is a legitimate thing to do? The cache…
Are you saying that I am getting lucky on the machine which I have working.

Yes, I am afraid so.

> Absolutely, yes. Why do you want this?
Within our product offering we have a customer visible API that they can call after passing a physical address and in return get a mapped address with the caching attributes we want. We of course do not want them to run into bug checks therefore want to be proactive and detect the violation that can lead to system crash, wondering if I can possibly achieve that.

This kind of thing should NEVER have been released into the wild.
Allowing a user-mode app arbitrary access to arbitrary physical
addresses could not possibly be a larger security hole.

Now, in the spirit of complete truth, we have a general-purpose hardware
debugger that we wrote 30 years ago that allows arbitrary access to
mapped memory, I/O ports, and PCI config space. It has migrated from a
DOS real-mode product, to a DPMI-based DOS product, to a Win 95 product
with driver, to an NT product with driver, and the current driver does
exactly what you do. There are machines where I can’t access certain
parts of memory. However, this is for internal use only; we would never
release it into the wild.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

It seems like MmMapIoSpace API is not doing any checks on certain windows 10 setups rather issues a KeBugCheck. But what’s confusing is description of this bugcheck (0x1A, 1233). It says that driver attempted to map a physical memory page that was not locked.
Per my understanding of MmMapIoSpace maps into non-page memory, which is essentially locked isn’t it ? or am I missing something obvious…

Thanks…

xxxxx@yahoo.com wrote:

It seems like MmMapIoSpace API is not doing any checks on certain windows 10 setups rather issues a KeBugCheck. But what’s confusing is description of this bugcheck (0x1A, 1233). It says that driver attempted to map a physical memory page that was not locked.
Per my understanding of MmMapIoSpace maps into non-page memory, which is essentially locked isn’t it ? or am I missing something obvious…

I think what they’re saying is that the page is already assigned, to a
virtual memory block that is paged, and hence might change at any
moment. I can’t think of any other way to make the message make sense.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.