memory descriptor list

hey!
the size returned by MmSizeOfMdl (PMDL mymdl) = 0x20 or 32 bytes but if you
look at the structure of the MDL its a constant 28 bytes :-
Struct MDL
{
MDL* next; //what is this for? nywayz its 4 bytes
short size; // 2 bytes
short MdlFlags; //2 bytes
eprocess proc; // pointer to a eprocess struct = 4 bytes
pvoid mappedSystemVa; // 4 bytes
pvoid startVa; //4 bytes
dword byteCount;// 4 bytes
dword byteOffset;// 4 bytes
}*PMDL;
the size of the above structure = 4 + 2 + 2 + 4 +4 +4 +4 +4 = 28 bytes
which is a constant size but when i disassemble the MmSizeOfMdl structure
i find this :-

mov eax,[ebp+08]; eax =1st parameter, base address
mov ecx,[ebp+0c]; ecx = 2nd parameter, size
add eax,00000fff; keep the last 12 bits ? 12 bits are used to index a page
frame?
lea eax,[eax+ecx+00000fff] ; eax = base address + size + 0000fff
shr eax,0c; shifts eax left 12 times (dividing by 4096... 4KB? page size?)
/*
the above instructions are calculating the number of pages spanned for the
given virtual address range (from base address to base address + size) right?
*/
lea eax,[eax*4 + 0000001C] ; 1C is 28 in decimal
ret

so the size returned = 28 bytes + number of pages spanned for a given
virutal address range. I get the 28 bytes part, but why is the function
adding the 2nd operand? should it not simply return 28 bytes? what am i
missing what are the extra bytes for?

See the comment in wdm.h right before the MDL structure is defined:

//
// I/O system definitions.
//
// Define a Memory Descriptor List (MDL)
//
// An MDL describes pages in a virtual buffer in terms of physical pages.
The
// pages associated with the buffer are described in an array that is
allocated
// just after the MDL header structure itself.
//
// One simply calculates the base of the array by adding one to the base
// MDL pointer:
//
// Pages = (PPFN_NUMBER) (Mdl + 1);
//
// Notice that while in the context of the subject thread, the base virtual
// address of a buffer mapped by an MDL may be referenced using the
following:
//
// Mdl->StartVa | Mdl->ByteOffset
//

typedef __struct_bcount(Size) struct _MDL {
struct _MDL *Next;
CSHORT Size;
CSHORT MdlFlags;
struct _EPROCESS *Process;
PVOID MappedSystemVa;
PVOID StartVa;
ULONG ByteCount;
ULONG ByteOffset;
} MDL, *PMDL;

-scott

--
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


"codeFather" <> wrote in message
news:6F41FDE9-C0DA-4B97-B4E9-...
> hey!
> the size returned by MmSizeOfMdl (PMDL mymdl) = 0x20 or 32 bytes but if
> you
> look at the structure of the MDL its a constant 28 bytes :-
> Struct MDL
> {
> MDL* next; //what is this for? nywayz its 4 bytes
> short size; // 2 bytes
> short MdlFlags; //2 bytes
> eprocess proc; // pointer to a eprocess struct = 4 bytes
> pvoid mappedSystemVa; // 4 bytes
> pvoid startVa; //4 bytes
> dword byteCount;// 4 bytes
> dword byteOffset;// 4 bytes
> }*PMDL;
> the size of the above structure = 4 + 2 + 2 + 4 +4 +4 +4 +4 = 28 bytes
> which is a constant size but when i disassemble the MmSizeOfMdl structure
> i find this :-
>
> mov eax,[ebp+08]; eax =1st parameter, base address
> mov ecx,[ebp+0c]; ecx = 2nd parameter, size
> add eax,00000fff; keep the last 12 bits ? 12 bits are used to index a page
> frame?
> lea eax,[eax+ecx+00000fff] ; eax = base address + size + 0000fff
> shr eax,0c; shifts eax left 12 times (dividing by 4096... 4KB? page size?)
> /*
> the above instructions are calculating the number of pages spanned for the
> given virtual address range (from base address to base address + size)
> right?
> */
> lea eax,[eax*4 + 0000001C] ; 1C is 28 in decimal
> ret
>
> so the size returned = 28 bytes + number of pages spanned for a given
> virutal address range. I get the 28 bytes part, but why is the function
> adding the 2nd operand? should it not simply return 28 bytes? what am i
> missing what are the extra bytes for?

thanks for the post.
so this is how a MDL helps a DMA driver? it does the virtual to physical
address translation and stores the physical addresses associated with each
virtual page at the tail of the MDL structure? so if next time i access a
particular virtual page via MDL.mappedSystemVa instead of translating the
virtual address it just returns the value in the array at the tail of the MDL
(which supposedly contains the physical address that VA maps to) ? if yes,
then what is the function of the MmMapLockedPages?

thanks again!

You're confusing two separate things that the MDL does. Try starting here
and see if this clears anything up:

http://www.osronline.com/article.cfm?id=423

-scott

--
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


"codeFather" <> wrote in message
news:4E33B5F9-AF4C-495D-96E4-...
> thanks for the post.
> so this is how a MDL helps a DMA driver? it does the virtual to physical
> address translation and stores the physical addresses associated with each
> virtual page at the tail of the MDL structure? so if next time i access a
> particular virtual page via MDL.mappedSystemVa instead of translating the
> virtual address it just returns the value in the array at the tail of the
> MDL
> (which supposedly contains the physical address that VA maps to) ? if yes,
> then what is the function of the MmMapLockedPages?
>
> thanks again!
>
>

thanks for the link. Its an amazing article, prevented me from wasting hours
on dis assembly of the Mm* functions. NT insider is marvelous resource for
driver developers.

> so this is how a MDL helps a DMA driver? it does the virtual to physical
> address translation and stores the physical addresses associated with each
> virtual page at the tail of the MDL structure?

Yes.

> (which supposedly contains the physical address that VA maps to) ? if yes,
> then what is the function of the MmMapLockedPages?

To fill the array at the MDL tail.

--
Maxim S. Shatskih
Windows DDK MVP

http://www.storagecraft.com