Changeset 109165 in vbox for trunk/src/VBox/Additions/WINNT/Graphics/Video/mp/wddm/gallium/Svga.cpp

Timestamp:

May 5, 2025 6:17:33 PM (4 days ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

168723

Message:

WDDM: Miniport: unify handling of guest backing memory for surfaces, object tables, etc. bugref:10885

File:

• trunk/src/VBox/Additions/WINNT/Graphics/Video/mp/wddm/gallium/Svga.cpp (modified) (52 diffs)

trunk/src/VBox/Additions/WINNT/Graphics/Video/mp/wddm/gallium/Svga.cpp

@@ -5 +5 @@
 
 /*
- * Copyright (C) 2016-2024 Oracle and/or its affiliates.
+ * Copyright (C) 2016-2025 Oracle and/or its affiliates.
  *
  * This file is part of VirtualBox base platform packages, as
@@ -61 +61 @@
 
     for (uint32_t i = 0; i < RT_ELEMENTS(pSvga->aOT); ++i)
-    {
-        SvgaGboFree(&pSvga->aOT[i].gbo);
-
-        RTR0MemObjFree(pSvga->aOT[i].hMemObj, true);
-        pSvga->aOT[i].hMemObj = NIL_RTR0MEMOBJ;
-    }
+        SvgaGboUnreference(pSvga, &pSvga->aOT[i].pGbo);
 
     return Status;
@@ -74 +69 @@
 struct VMSVGAOTFREE
 {
-    VMSVGAGBO  gbo;
-    RTR0MEMOBJ hMemObj;
+    PVMSVGAGBO  pGbo;
 };
 
@@ -81 +75 @@
 static DECLCALLBACK(void) svgaOTFreeCb(VBOXWDDM_EXT_VMSVGA *pSvga, void *pvData, uint32_t cbData)
 {
-    RT_NOREF(pSvga);
     AssertReturnVoid(cbData == sizeof(struct VMSVGAOTFREE));
     struct VMSVGAOTFREE *p = (struct VMSVGAOTFREE *)pvData;
-    SvgaGboFree(&p->gbo);
-    RTR0MemObjFree(p->hMemObj, true);
+    SvgaGboUnreference(pSvga, &p->pGbo);
 }
 
@@ -94 +86 @@
     uint32_t cMaxEntries;
 } VMSVGAOTINFO, *PVMSVGAOTINFO;
-
 
 static VMSVGAOTINFO const s_aOTInfo[SVGA_OTABLE_DX_MAX] =
@@ -133 +124 @@
         cbOT *= 2;
 
-    /* Allocate pages for the new COTable. */
-    RTR0MEMOBJ hMemObjOT;
-    int rc = RTR0MemObjAllocPageTag(&hMemObjOT, cbOT, false /* executable R0 mapping */, "VMSVGAOT");
-    AssertRCReturn(rc, STATUS_INSUFFICIENT_RESOURCES);
-
-    memset(RTR0MemObjAddress(hMemObjOT), 0, cbOT);
-
-    /* Allocate a new gbo. */
-    VMSVGAGBO gbo;
-    NTSTATUS Status = SvgaGboInit(&gbo, cbOT >> PAGE_SHIFT);
-    AssertReturnStmt(NT_SUCCESS(Status),
-                     RTR0MemObjFree(hMemObjOT, true),
-                     Status);
-
-    Status = SvgaGboFillPageTableForMemObj(&gbo, hMemObjOT);
-    AssertReturnStmt(NT_SUCCESS(Status),
-                     SvgaGboFree(&gbo); RTR0MemObjFree(hMemObjOT, true),
-                     Status);
+    PVMSVGAGBO pGbo;
+    NTSTATUS Status = SvgaGboCreate(pSvga, &pGbo, cbOT, "VMSVGAOT");
+    AssertReturn(NT_SUCCESS(Status), Status);
+
+    memset(RTR0MemObjAddress(pGbo->hMemObj), 0, cbOT);
 
     if (pOT->cEntries == 0)
@@ -160 +138 @@
             SVGA3dCmdSetOTableBase64 *pCmd = (SVGA3dCmdSetOTableBase64 *)pvCmd;
             pCmd->type             = enmType;
-            pCmd->baseAddress      = gbo.base;
-            pCmd->sizeInBytes      = gbo.cbGbo;
+            pCmd->baseAddress      = pGbo->base;
+            pCmd->sizeInBytes      = pGbo->cbGbo;
             pCmd->validSizeInBytes = 0;
-            pCmd->ptDepth          = gbo.enmMobFormat;
+            pCmd->ptDepth          = pGbo->enmMobFormat;
 
             SvgaCmdBufCommit(pSvga, sizeof(*pCmd));
         }
         else
-            AssertFailedReturnStmt(SvgaGboFree(&gbo); RTR0MemObjFree(hMemObjOT, true),
+            AssertFailedReturnStmt(SvgaGboUnreference(pSvga, &pGbo),
                                    STATUS_INSUFFICIENT_RESOURCES);
     }
@@ -179 +157 @@
             SVGA3dCmdGrowOTable *pCmd = (SVGA3dCmdGrowOTable *)pvCmd;
             pCmd->type             = enmType;
-            pCmd->baseAddress      = gbo.base;
-            pCmd->sizeInBytes      = gbo.cbGbo;
+            pCmd->baseAddress      = pGbo->base;
+            pCmd->sizeInBytes      = pGbo->cbGbo;
             pCmd->validSizeInBytes = pOT->cEntries * pOTInfo->cbEntry;
-            pCmd->ptDepth          = gbo.enmMobFormat;
+            pCmd->ptDepth          = pGbo->enmMobFormat;
 
             SvgaCmdBufCommit(pSvga, sizeof(*pCmd));
         }
         else
-            AssertFailedReturnStmt(SvgaGboFree(&gbo); RTR0MemObjFree(hMemObjOT, true),
+            AssertFailedReturnStmt(SvgaGboUnreference(pSvga, &pGbo),
                                    STATUS_INSUFFICIENT_RESOURCES);
 
-        /* Command buffer completion callback to free the OT. */
+        /* Command buffer completion callback to free the old OT. */
         struct VMSVGAOTFREE callbackData;
-        callbackData.gbo = pOT->gbo;
-        callbackData.hMemObj = pOT->hMemObj;
+        callbackData.pGbo = pOT->pGbo;
         SvgaCmdBufSetCompletionCallback(pSvga, svgaOTFreeCb, &callbackData, sizeof(callbackData));
 
-        memset(&pOT->gbo, 0, sizeof(pOT->gbo));
-        pOT->hMemObj = NIL_RTR0MEMOBJ;
-    }
-
+        pOT->pGbo = 0;
+    }
+
+    Assert(!pOT->pGbo);
     SvgaCmdBufFlush(pSvga);
 
-    pOT->gbo = gbo;
-    pOT->hMemObj = hMemObjOT;
+    pOT->pGbo = pGbo;
     pOT->cEntries = cbOT / pOTInfo->cbEntry;
 
@@ -223 +199 @@
 }
 
+
 static NTSTATUS svgaCreateMiniportMob(VBOXWDDM_EXT_VMSVGA *pSvga)
 {
-    NTSTATUS Status;
-
     uint32_t const cbMiniportMob = RT_ALIGN_32(sizeof(VMSVGAMINIPORTMOB), PAGE_SIZE);
-    RTR0MEMOBJ hMemObjMiniportMob;
-    int rc = RTR0MemObjAllocPageTag(&hMemObjMiniportMob, cbMiniportMob,
-                                    false /* executable R0 mapping */, "VMSVGAMOB0");
-    if (RT_SUCCESS(rc))
-    {
-        Status = SvgaMobCreate(pSvga, &pSvga->pMiniportMob, cbMiniportMob / PAGE_SIZE, 0);
+
+    NTSTATUS Status = SvgaGboCreate(pSvga, &pSvga->pMiniportGbo, cbMiniportMob, "VMSVGAMOB0");
+    if (NT_SUCCESS(Status))
+    {
+        Status = SvgaMobAlloc(pSvga, &pSvga->mobidMiniport, pSvga->pMiniportGbo);
         if (NT_SUCCESS(Status))
         {
-            Status = SvgaMobSetMemObj(pSvga->pMiniportMob, hMemObjMiniportMob);
-            if (NT_SUCCESS(Status))
+            uint32_t cbCmd = 0;
+            SvgaMobDefine(pSvga, SVGA3D_INVALID_ID, NULL, 0, &cbCmd);
+            void *pvCmd = SvgaCmdBufReserve(pSvga, cbCmd, SVGA3D_INVALID_ID);
+            if (pvCmd)
             {
-                void *pvCmd = SvgaCmdBuf3dCmdReserve(pSvga, SVGA_3D_CMD_DEFINE_GB_MOB64, sizeof(SVGA3dCmdDefineGBMob64), SVGA3D_INVALID_ID);
-                if (pvCmd)
-                {
-                    SVGA3dCmdDefineGBMob64 *pCmd = (SVGA3dCmdDefineGBMob64 *)pvCmd;
-                    pCmd->mobid       = VMSVGAMOB_ID(pSvga->pMiniportMob);
-                    pCmd->ptDepth     = pSvga->pMiniportMob->gbo.enmMobFormat;
-                    pCmd->base        = pSvga->pMiniportMob->gbo.base;
-                    pCmd->sizeInBytes = pSvga->pMiniportMob->gbo.cbGbo;
-                    SvgaCmdBufCommit(pSvga, sizeof(*pCmd));
-
-                    pSvga->pMiniportMobData = (VMSVGAMINIPORTMOB volatile *)RTR0MemObjAddress(hMemObjMiniportMob);
-                    memset((void *)pSvga->pMiniportMobData, 0, cbMiniportMob);
-                    RTListInit(&pSvga->listMobDeferredDestruction);
-                    //pSvga->u64MobFence = 0;
-                }
-                else
-                    AssertFailedStmt(Status = STATUS_INSUFFICIENT_RESOURCES);
+                SvgaMobDefine(pSvga, pSvga->mobidMiniport, pvCmd, cbCmd, &cbCmd);
+                SvgaCmdBufCommit(pSvga, cbCmd);
+
+                pSvga->pMiniportMobData = (VMSVGAMINIPORTMOB volatile *)RTR0MemObjAddress(pSvga->pMiniportGbo->hMemObj);
+                memset((void *)pSvga->pMiniportMobData, 0, cbMiniportMob);
+                RTListInit(&pSvga->listMobDeferredDestruction);
+                //pSvga->u64MobFence = 0;
             }
-        }
-    }
-    else
-        AssertFailedStmt(Status = STATUS_INSUFFICIENT_RESOURCES);
+            else
+                AssertFailedStmt(SvgaMobFree(pSvga, &pSvga->mobidMiniport); STATUS_INSUFFICIENT_RESOURCES);
+        }
+        else
+            SvgaGboUnreference(pSvga, &pSvga->pMiniportGbo);
+    }
 
     return Status;
@@ -275 +243 @@
     /* Wait for buffers to complete. Up to 5 seconds, arbitrary. */
     int cIntervals = 0;
-    while (!SvgaCmdBufIsIdle(pSvga) && cIntervals++ < 50)
+    while (!SvgaCmdBufIsIdle(pSvga) && ASMAtomicReadS32(&pSvga->cQueuedWorkItems) && cIntervals++ < 50)
     {
         /* Give the host some time to process them. */
@@ -303 +271 @@
     pSvga->u32MaxWidth  = SVGARegRead(pSvga, SVGA_REG_MAX_WIDTH);
     pSvga->u32MaxHeight = SVGARegRead(pSvga, SVGA_REG_MAX_HEIGHT);
+
+    if (pSvga->u32Caps & SVGA_CAP_GBOBJECTS)
+    {
+        pSvga->u32MaxMobSize  = SVGARegRead(pSvga, SVGA_REG_MOB_MAX_SIZE);
+    }
 
     if (pSvga->u32Caps & SVGA_CAP_GMR2)
@@ -357 +330 @@
 }
 
+#ifdef DEBUG
+static DECLCALLBACK(int) mobDumpCb(PAVLU32NODECORE pNode, void *pvUser);
+#endif
+
 void SvgaAdapterStop(PVBOXWDDM_EXT_VMSVGA pSvga,
                      DXGKRNL_INTERFACE *pDxgkInterface)
@@ -381 +358 @@
         }
 
-        if (RT_BOOL(pSvga->u32Caps & SVGA_CAP_DX))
+        if (RT_BOOL(pSvga->u32Caps & SVGA_CAP_DX) && pSvga->mobidMiniport != SVGA3D_INVALID_ID)
         {
             /* Free the miniport mob at last. Can't use SvgaMobDestroy here because it tells the host to write a fence
@@ -389 +366 @@
             {
                 SVGA3dCmdDestroyGBMob *pCmd = (SVGA3dCmdDestroyGBMob *)pvCmd;
-                pCmd->mobid = VMSVGAMOB_ID(pSvga->pMiniportMob);
+                pCmd->mobid = pSvga->mobidMiniport;
                 SvgaCmdBufCommit(pSvga, sizeof(*pCmd));
             }
@@ -399 +376 @@
 
         if (RT_BOOL(pSvga->u32Caps & SVGA_CAP_DX))
-            SvgaMobFree(pSvga, pSvga->pMiniportMob); /* After svgaHwStop because it waits for command buffer completion. */
+        {
+            SvgaMobFree(pSvga, &pSvga->mobidMiniport); /* After svgaHwStop because it waits for command buffer completion. */
+            SvgaGboUnreference(pSvga, &pSvga->pMiniportGbo);
+        }
 
         Status = pDxgkInterface->DxgkCbUnmapMemory(pDxgkInterface->DeviceHandle,
                                                    (PVOID)pSvga->pu32FIFO);
         Assert(Status == STATUS_SUCCESS); RT_NOREF(Status);
+
+#ifdef DEBUG
+        uint32_t cMobs = 0;
+        RTAvlU32DoWithAll(&pSvga->MobTree, 0, mobDumpCb, &cMobs);
+        GALOG(("cMobs = %u\n", cMobs));
+        Assert(cMobs == 0);
+#endif
 
         GaMemFree(pSvga);
@@ -435 +422 @@
     // pSvga->MobTree = NULL;
     RTListInit(&pSvga->DeletedHostObjectsList);
+    pSvga->mobidMiniport = SVGA3D_INVALID_ID;
 
     /* The port IO address is also needed for hardware access. */
@@ -1868 +1856 @@
 typedef struct GAWDDMREGION
 {
-    /* Key is GMR id (equal to u32GmrId). */
+    /* Key is GMR id (equal to 'mobid'). */
     AVLU32NODECORE Core;
     /* Pointer to a graphics context device (PVBOXWDDM_DEVICE) the GMR is associated with. */
     void      *pvOwner;
-    /* The ring-3 mapping memory object handle (from mob). */
+    /* Memory. */
+    PVMSVGAGBO pGbo;
+    /* A corresponding MOB, which provides the GMR id to the host. */
+    SVGAMobId mobid;
+    /* The ring-3 mapping memory object handle. */
     RTR0MEMOBJ MapObjR3;
     RTR3PTR    pvR3;
-    /* A corresponding MOB, which provides the GMR id and RTR0MEMOBJ for the region memory. */
-    PVMSVGAMOB pMob;
-    /* The allocated size in pages. */
+    /* The allocated size in pages and number of elements in the aPhys array. */
     uint32_t   u32NumPages;
     /* Physical addresses of the pages. */
@@ -1884 +1874 @@
 
 
+/* Deallocate gmr.
+ */
+static void gmrFreeMemory(VBOXWDDM_EXT_VMSVGA *pSvga, GAWDDMREGION *pRegion)
+{
+    if (pRegion->MapObjR3 != NIL_RTR0MEMOBJ)
+    {
+        int rc = RTR0MemObjFree(pRegion->MapObjR3, false);
+        AssertRC(rc);
+        pRegion->MapObjR3 = NIL_RTR0MEMOBJ;
+    }
+
+    SvgaMobFree(pSvga, &pRegion->mobid);
+
+    SvgaGboUnreference(pSvga, &pRegion->pGbo);
+}
+
 /* Allocate memory pages and the corresponding mob.
  */
@@ -1890 +1896 @@
     NTSTATUS Status;
 
-    /* Allocate memory. */
-    RTR0MEMOBJ MemObj;
-    int rc = RTR0MemObjAllocPageTag(&MemObj, u32NumPages << PAGE_SHIFT,
-                                    false /* executable R0 mapping */, "VMSVGAGMR");
-    AssertRC(rc);
-    if (RT_SUCCESS(rc))
-    {
-        if (!RTR0MemObjWasZeroInitialized(MemObj))
-            RT_BZERO(RTR0MemObjAddress(MemObj), (size_t)u32NumPages << PAGE_SHIFT);
-
-        /* Allocate corresponding mob. */
-        Status = SvgaMobCreate(pSvga, &pRegion->pMob, u32NumPages, 0);
-        Assert(NT_SUCCESS(Status));
-        if (NT_SUCCESS(Status))
-        {
-            Status = SvgaMobSetMemObj(pRegion->pMob, MemObj);
+    Status = SvgaGboCreate(pSvga, &pRegion->pGbo, u32NumPages << PAGE_SHIFT, "VMSVGAGMR");
+
+    if (NT_SUCCESS(Status))
+    {
+        int rc = RTR0MemObjMapUser(&pRegion->MapObjR3, pRegion->pGbo->hMemObj, (RTR3PTR)-1, 0,
+                                   RTMEM_PROT_WRITE | RTMEM_PROT_READ, NIL_RTR0PROCESS);
+        AssertRC(rc);
+        if (RT_SUCCESS(rc))
+        {
+            if (!RTR0MemObjWasZeroInitialized(pRegion->pGbo->hMemObj))
+                RT_BZERO(RTR0MemObjAddress(pRegion->pGbo->hMemObj), (size_t)u32NumPages << PAGE_SHIFT);
+
+            /* Allocate corresponding mob. */
+            Status = SvgaMobAlloc(pSvga, &pRegion->mobid, pRegion->pGbo);
             Assert(NT_SUCCESS(Status));
             if (NT_SUCCESS(Status))
+            {
+                /*
+                 * Success.
+                 */
                 return STATUS_SUCCESS;
-        }
-
-        if (   pRegion->pMob
-            && pRegion->pMob->hMemObj == NIL_RTR0MEMOBJ)
-        {
-            /* The memory object has not been assigned to the mob yet. Clean up the local object.
-             * Otherwise the caller will clean up.
-             */
-            int rc2 = RTR0MemObjFree(MemObj, false);
-            AssertRC(rc2);
-        }
+            }
+        }
+        else
+            AssertFailedStmt(Status = STATUS_INSUFFICIENT_RESOURCES);
+
+        /*
+         * Cleanup.
+         */
+        gmrFreeMemory(pSvga, pRegion);
     }
     else
@@ -1934 +1940 @@
     if (NT_SUCCESS(Status))
     {
-        int rc = RTR0MemObjMapUser(&pRegion->MapObjR3, pRegion->pMob->hMemObj, (RTR3PTR)-1, 0,
-                                   RTMEM_PROT_WRITE | RTMEM_PROT_READ, NIL_RTR0PROCESS);
-        AssertRC(rc);
-        if (RT_SUCCESS(rc))
-        {
-            uint32_t iPage;
-            for (iPage = 0; iPage < u32NumPages; ++iPage)
-                pRegion->aPhys[iPage] = RTR0MemObjGetPagePhysAddr(pRegion->pMob->hMemObj, iPage);
-
-            pRegion->pvR3 = RTR0MemObjAddressR3(pRegion->MapObjR3);
-
-            pRegion->pvOwner = pvOwner;
-            pRegion->u32NumPages = u32NumPages;
-        }
-        else
-            AssertFailedStmt(Status = STATUS_INSUFFICIENT_RESOURCES);
+        uint32_t iPage;
+        for (iPage = 0; iPage < u32NumPages; ++iPage)
+            pRegion->aPhys[iPage] = RTR0MemObjGetPagePhysAddr(pRegion->pGbo->hMemObj, iPage);
+
+        pRegion->pvR3 = RTR0MemObjAddressR3(pRegion->MapObjR3);
+
+        pRegion->pvOwner = pvOwner;
+        pRegion->u32NumPages = u32NumPages;
     }
 
@@ -1983 +1981 @@
     {
     SVGAFifoCmdDefineGMR2 *pCmd = (SVGAFifoCmdDefineGMR2 *)pu8Cmd;
-    pCmd->gmrId = VMSVGAMOB_ID(pRegion->pMob);
+    pCmd->gmrId = pRegion->mobid;
     pCmd->numPages = pRegion->u32NumPages;
     pu8Cmd += sizeof(*pCmd);
@@ -1994 +1992 @@
     {
     SVGAFifoCmdRemapGMR2 *pCmd = (SVGAFifoCmdRemapGMR2 *)pu8Cmd;
-    pCmd->gmrId = VMSVGAMOB_ID(pRegion->pMob);
+    pCmd->gmrId = pRegion->mobid;
     pCmd->flags = SVGA_REMAP_GMR2_PPN64;
     pCmd->offsetPages = 0;
@@ -2020 +2018 @@
         {
         SVGA3dCmdDefineGBMob64 *pCmd = (SVGA3dCmdDefineGBMob64 *)pu8Cmd;
-        pCmd->mobid       = VMSVGAMOB_ID(pRegion->pMob);
-        pCmd->ptDepth     = pRegion->pMob->gbo.enmMobFormat;
-        pCmd->base        = pRegion->pMob->gbo.base;
-        pCmd->sizeInBytes = pRegion->pMob->gbo.cbGbo;
+        pCmd->mobid       = pRegion->mobid;
+        pCmd->ptDepth     = pRegion->pGbo->enmMobFormat;
+        pCmd->base        = pRegion->pGbo->base;
+        pCmd->sizeInBytes = pRegion->pGbo->cbGbo;
         pu8Cmd += sizeof(*pCmd);
         }
@@ -2040 +2038 @@
     AssertReturn(pRegion, STATUS_INVALID_PARAMETER);
 
-    /* Mapping must be freed prior to the mob destruction. Otherwise, due to a race condition,
-     * SvgaMobFree could free the mapping in a system worker thread after DPC, which would not
-     * work obviously, because the mapping was created for another process.
-     */
-    if (pRegion->MapObjR3 != NIL_RTR0MEMOBJ)
-    {
-        int rc = RTR0MemObjFree(pRegion->MapObjR3, false);
-        AssertRC(rc);
-        pRegion->MapObjR3 = NIL_RTR0MEMOBJ;
-    }
-
     /* Issue commands to delete the gmr. */
     uint32_t cbRequired = 0;
-    SvgaMobDestroy(pSvga, pRegion->pMob, NULL, 0, &cbRequired);
+    if (RT_BOOL(pSvga->u32Caps & SVGA_CAP_DX))
+        SvgaMobDestroy(pSvga, 0, NULL, 0, &cbRequired);
     cbRequired += sizeof(uint32_t) + sizeof(SVGAFifoCmdDefineGMR2);
 
@@ -2068 +2056 @@
 
     SVGAFifoCmdDefineGMR2 *pCmd = (SVGAFifoCmdDefineGMR2 *)pu8Cmd;
-    pCmd->gmrId = VMSVGAMOB_ID(pRegion->pMob);
+    pCmd->gmrId = pRegion->mobid;
     pCmd->numPages = 0;
     pu8Cmd += sizeof(*pCmd);
 
-    uint32_t cbCmd = 0;
-    NTSTATUS Status = SvgaMobDestroy(pSvga, pRegion->pMob, pu8Cmd,
-                                     cbRequired - ((uintptr_t)pu8Cmd - (uintptr_t)pvCmd),
-                                     &cbCmd);
-    AssertReturn(NT_SUCCESS(Status), Status);
-    pu8Cmd += cbCmd;
+    if (RT_BOOL(pSvga->u32Caps & SVGA_CAP_DX))
+    {
+        uint32_t cbCmd = 0;
+        NTSTATUS Status = SvgaMobDestroy(pSvga, pRegion->mobid, pu8Cmd,
+                                         cbRequired - ((uintptr_t)pu8Cmd - (uintptr_t)pvCmd),
+                                         &cbCmd);
+        AssertReturn(NT_SUCCESS(Status), Status);
+        pu8Cmd += cbCmd;
+    }
 
     Assert(((uintptr_t)pu8Cmd - (uintptr_t)pvCmd) == cbRequired);
     SvgaCmdBufCommit(pSvga, ((uintptr_t)pu8Cmd - (uintptr_t)pvCmd));
-
-    /* The mob will be deleted in DPC routine after host reports completion of the above commands. */
-    pRegion->pMob = NULL;
 
 #ifdef DEBUG
@@ -2089 +2077 @@
     ASMAtomicSubU32(&pSvga->cAllocatedGmrPages, pRegion->u32NumPages);
 #endif
+
+    /* The mob id will be deleted in DPC routine after host reports completion of the above commands. */
+    pRegion->mobid = SVGA3D_INVALID_ID;
+    gmrFreeMemory(pSvga, pRegion);
+
     GaMemFree(pRegion);
     return STATUS_SUCCESS;
@@ -2110 +2103 @@
     {
         AssertReturn(pCtx->cIds < pCtx->cMaxIds, -1);
-        pCtx->au32Ids[pCtx->cIds++] = VMSVGAMOB_ID(pRegion->pMob);
+        pCtx->au32Ids[pCtx->cIds++] = pRegion->mobid;
     }
     return 0;
@@ -2142 +2135 @@
         if (pRegion)
         {
-            Assert(VMSVGAMOB_ID(pRegion->pMob) == pCtx->au32Ids[i]);
+            Assert(pRegion->mobid == pCtx->au32Ids[i]);
             GALOG(("Deallocate gmrId %d, pv %p, aPhys[0] %RHp\n",
-                   VMSVGAMOB_ID(pRegion->pMob), pRegion->pvR3, pRegion->aPhys[0]));
+                   pRegion->mobid, pRegion->pvR3, pRegion->aPhys[0]));
 
             gmrDestroy(pSvga, pRegion);
@@ -2168 +2161 @@
     AssertReturn(pRegion, STATUS_INVALID_PARAMETER);
 
-    Assert(VMSVGAMOB_ID(pRegion->pMob) == u32GmrId);
+    Assert(pRegion->mobid == u32GmrId);
     GALOG(("Freed gmrId %d, pv %p, aPhys[0] %RHp\n",
-           VMSVGAMOB_ID(pRegion->pMob), pRegion->pvR3, pRegion->aPhys[0]));
+           pRegion->mobid, pRegion->pvR3, pRegion->aPhys[0]));
 
     return gmrDestroy(pSvga, pRegion);
@@ -2192 +2185 @@
     AssertReturn(pRegion, STATUS_INVALID_PARAMETER);
 
-    Assert(VMSVGAMOB_ID(pRegion->pMob) == u32GmrId);
+    Assert(pRegion->mobid == u32GmrId);
     GALOG(("Get gmrId %d, UserAddress 0x%p\n",
-           VMSVGAMOB_ID(pRegion->pMob), pRegion->pvR3));
+           pRegion->mobid, pRegion->pvR3));
     *pu64UserAddress = (uintptr_t)pRegion->pvR3;
     *pu32Size = pRegion->u32NumPages * PAGE_SIZE;
@@ -2216 +2209 @@
     if (pRegion)
     {
+        pRegion->mobid = SVGA3D_INVALID_ID;
+
         /* Region id and VGPU10+ mobid are the same. So a mob is always allocated for the gmr.
          * The mob provides an id and, if SVGA_CAP_DX is available, is reported to the host on VGPU10.
@@ -2225 +2220 @@
         if (NT_SUCCESS(Status))
         {
-            if (VMSVGAMOB_ID(pRegion->pMob) < pSvga->u32GmrMaxIds)
+            if (pRegion->mobid < pSvga->u32GmrMaxIds)
             {
                 GALOG(("Allocated gmrId %d, pv %p, aPhys[0] %RHp\n",
-                       VMSVGAMOB_ID(pRegion->pMob), pRegion->pvR3, pRegion->aPhys[0]));
+                       pRegion->mobid, pRegion->pvR3, pRegion->aPhys[0]));
 
                 Status = gmrReportToHost(pSvga, pRegion);
@@ -2234 +2229 @@
                 if (NT_SUCCESS(Status))
                 {
-                    pRegion->Core.Key = VMSVGAMOB_ID(pRegion->pMob);
+                    pRegion->Core.Key = pRegion->mobid;
 
                     ExAcquireFastMutex(&pSvga->SvgaMutex);
@@ -2240 +2235 @@
                     ExReleaseFastMutex(&pSvga->SvgaMutex);
 
-                    *pu32GmrId = VMSVGAMOB_ID(pRegion->pMob);
+                    *pu32GmrId = pRegion->mobid;
                     *pu64UserAddress = (uint64_t)pRegion->pvR3;
 
@@ -2263 +2258 @@
         }
 
-        SvgaMobFree(pSvga, pRegion->pMob);
-        pRegion->pMob = NULL;
+        SvgaMobFree(pSvga, &pRegion->mobid);
 
         GaMemFree(pRegion);
@@ -2336 +2330 @@
  */
 
-void SvgaGboFree(VMSVGAGBO *pGbo)
-{
+void SvgaGboFree(VBOXWDDM_EXT_VMSVGA *pSvga,
+                 VMSVGAGBO *pGbo)
+{
+    RT_NOREF(pSvga);
+
+    GALOG(("gbo = %p\n", pGbo));
+    if (!pGbo->flags.fMdl)
+    {
+        if (pGbo->hMemObj != NIL_RTR0MEMOBJ)
+        {
+            int rc = RTR0MemObjFree(pGbo->hMemObj, true);
+            AssertRC(rc);
+            pGbo->hMemObj = NIL_RTR0MEMOBJ;
+        }
+    }
+
     if (pGbo->hMemObjPT != NIL_RTR0MEMOBJ)
     {
@@ -2344 +2352 @@
         pGbo->hMemObjPT = NIL_RTR0MEMOBJ;
     }
+
+#ifdef DEBUG
+    ASMAtomicDecU32(&pSvga->cAllocatedGbos);
+    GALOG(("cAllocatedGbos = %u\n", pSvga->cAllocatedGbos));
+#endif
+
     memset(pGbo, 0, sizeof(*pGbo));
-}
-
-NTSTATUS SvgaGboInit(VMSVGAGBO *pGbo, uint32_t cPages)
+    GaMemFree(pGbo);
+}
+
+static NTSTATUS svgaGboInit(VMSVGAGBO *pGbo, uint32_t cPages)
 {
     /*
@@ -2399 +2414 @@
 
 
-NTSTATUS SvgaGboFillPageTableForMDL(PVMSVGAGBO pGbo,
-                                    PMDL pMdl,
-                                    uint32_t MdlOffset)
+static NTSTATUS svgaGboFillPageTableForMDL(PVMSVGAGBO pGbo,
+                                           PMDL pMdl,
+                                           uint32_t MdlOffset)
 {
     PPFN_NUMBER paMdlPfn = &MmGetMdlPfnArray(pMdl)[MdlOffset];
@@ -2428 +2443 @@
 
 
-NTSTATUS SvgaGboFillPageTableForMemObj(PVMSVGAGBO pGbo,
-                                       RTR0MEMOBJ hMemObj)
+static NTSTATUS svgaGboFillPageTableForMemObj(PVMSVGAGBO pGbo,
+                                              RTR0MEMOBJ hMemObj)
 {
     if (pGbo->enmMobFormat == SVGA3D_MOBFMT_PTDEPTH64_0)
@@ -2455 +2470 @@
 
 
+NTSTATUS SvgaGboCreate(VBOXWDDM_EXT_VMSVGA *pSvga,
+                       PVMSVGAGBO *ppGbo,
+                       uint32_t cbGbo,
+                       const char *pszTag)
+{
+    AssertCompile(NIL_RTR0MEMOBJ == 0);
+
+    NTSTATUS Status;
+
+    PVMSVGAGBO pGbo = (PVMSVGAGBO)GaMemAllocZero(sizeof(VMSVGAGBO));
+    AssertReturn(pGbo, STATUS_INSUFFICIENT_RESOURCES);
+
+    pGbo->cRefs = 1;
+
+    int rc = RTR0MemObjAllocPageTag(&pGbo->hMemObj, cbGbo, false /* executable R0 mapping */, pszTag);
+    if (RT_SUCCESS(rc))
+    {
+        size_t const cPages = RTR0MemObjSize(pGbo->hMemObj) / PAGE_SIZE;
+        if (cPages > 0 && cPages < pSvga->u32MaxMobSize / PAGE_SIZE)
+        {
+            Status = svgaGboInit(pGbo, (uint32_t)cPages);
+            if (NT_SUCCESS(Status))
+            {
+                Status = svgaGboFillPageTableForMemObj(pGbo, pGbo->hMemObj);
+                if (NT_SUCCESS(Status))
+                {
+#ifdef DEBUG
+                    ASMAtomicIncU32(&pSvga->cAllocatedGbos);
+#endif
+                    *ppGbo = pGbo;
+                    GALOG(("gbo = %p %s\n", pGbo, pszTag));
+                    return STATUS_SUCCESS;
+                }
+            }
+        }
+        else
+            AssertFailedStmt(Status = STATUS_INVALID_PARAMETER);
+    }
+    else
+        AssertFailedStmt(Status = STATUS_INSUFFICIENT_RESOURCES);
+
+    SvgaGboUnreference(pSvga, &pGbo);
+    return Status;
+}
+
+
+NTSTATUS SvgaGboCreateForMdl(VBOXWDDM_EXT_VMSVGA *pSvga,
+                             PVMSVGAGBO *ppGbo,
+                             SIZE_T NumberOfPages,
+                             PMDL pMdl,
+                             ULONG MdlOffset)
+{
+    NTSTATUS Status;
+
+    AssertReturn(NumberOfPages > 0 && NumberOfPages < pSvga->u32MaxMobSize / PAGE_SIZE, STATUS_INVALID_PARAMETER);
+
+    PVMSVGAGBO pGbo = (PVMSVGAGBO)GaMemAllocZero(sizeof(VMSVGAGBO));
+    AssertReturn(pGbo, STATUS_INSUFFICIENT_RESOURCES);
+
+    pGbo->cRefs = 1;
+    pGbo->flags.fMdl = 1;
+    pGbo->pMdl = pMdl;
+
+    Status = svgaGboInit(pGbo, (uint32_t)NumberOfPages);
+    if (NT_SUCCESS(Status))
+    {
+        Status = svgaGboFillPageTableForMDL(pGbo, pGbo->pMdl, MdlOffset);
+        if (NT_SUCCESS(Status))
+        {
+#ifdef DEBUG
+            ASMAtomicIncU32(&pSvga->cAllocatedGbos);
+#endif
+            *ppGbo = pGbo;
+            GALOG(("gbo = %p\n", pGbo));
+            return STATUS_SUCCESS;
+        }
+    }
+
+    SvgaGboUnreference(pSvga, &pGbo);
+    return Status;
+}
+
+
 /*
  *
@@ -2460 +2558 @@
  *
  */
-
-static NTSTATUS svgaMobAlloc(VBOXWDDM_EXT_VMSVGA *pSvga,
-                             PVMSVGAMOB *ppMob)
-{
-    GALOG(("[%p]\n", pSvga));
-
-    NTSTATUS Status;
-    AssertCompile(NIL_RTR0MEMOBJ == 0);
-
-    *ppMob = (PVMSVGAMOB)GaMemAllocZero(sizeof(VMSVGAMOB));
-    AssertReturn(*ppMob, STATUS_INSUFFICIENT_RESOURCES);
-
-    Status = SvgaMobIdAlloc(pSvga, &VMSVGAMOB_ID(*ppMob));
-    AssertReturnStmt(NT_SUCCESS(Status), GaMemFree(*ppMob), STATUS_INSUFFICIENT_RESOURCES);
+/* Memory OBject tracking structure: and id accisiated with a gbo. */
+typedef struct VMSVGAMOB
+{
+    AVLU32NODECORE              core;                       /* AVL entry. Key is mobid, allocated by the miniport. */
+    PVMSVGAGBO                  pGbo;                       /* The mob has been created for this GBO and holds a reference to it. */
+    uint32_t                    u64MobFence;                /* Mob id can be freed by the guest when the host reports this fence value. */
+    RTLISTNODE                  node;                       /* VBOXWDDM_EXT_VMSVGA::listMobDeferredDestruction */
+} VMSVGAMOB, *PVMSVGAMOB;
+
+#define VMSVGAMOB_ID(a_pMob) ((a_pMob)->core.Key)
+
+void SvgaMobFree(VBOXWDDM_EXT_VMSVGA *pSvga,
+                 SVGAMobId *pMobid)
+{
+    GALOG(("[%p] %u\n", pSvga, pMobid));
+
+    if (*pMobid != SVGA3D_INVALID_ID)
+    {
+        GALOG(("mobid = %u\n", *pMobid));
+
+        KIRQL OldIrql;
+        KeAcquireSpinLock(&pSvga->MobSpinLock, &OldIrql);
+        PVMSVGAMOB pMob = (PVMSVGAMOB)RTAvlU32Remove(&pSvga->MobTree, *pMobid);
+        KeReleaseSpinLock(&pSvga->MobSpinLock, OldIrql);
+
+        Assert(pMob);
+        if (pMob)
+        {
+            SvgaGboUnreference(pSvga, &pMob->pGbo);
+#ifdef DEBUG
+            ASMAtomicDecU32(&pSvga->cAllocatedMobs);
+            GALOG(("cAllocatedMobs = %u\n", pSvga->cAllocatedMobs));
+#endif
+
+            NTSTATUS Status = SvgaMobIdFree(pSvga, *pMobid);
+            Assert(NT_SUCCESS(Status)); RT_NOREF(Status);
+            GaMemFree(pMob);
+        }
+
+        *pMobid = SVGA3D_INVALID_ID;
+    }
+}
+
+
+NTSTATUS SvgaMobAlloc(VBOXWDDM_EXT_VMSVGA *pSvga,
+                      SVGAMobId *pMobid,
+                      PVMSVGAGBO pGbo)
+{
+    PVMSVGAMOB pMob = (PVMSVGAMOB)GaMemAllocZero(sizeof(VMSVGAMOB));
+    AssertReturn(pMob, STATUS_INSUFFICIENT_RESOURCES);
+
+    NTSTATUS Status = SvgaMobIdAlloc(pSvga, &VMSVGAMOB_ID(pMob));
+    AssertReturnStmt(NT_SUCCESS(Status), GaMemFree(pMob), STATUS_INSUFFICIENT_RESOURCES);
+    GALOG(("mobid = %u\n", VMSVGAMOB_ID(pMob)));
+
+    pMob->pGbo = pGbo;
+    SvgaGboReference(pGbo);
 
     KIRQL OldIrql;
     KeAcquireSpinLock(&pSvga->MobSpinLock, &OldIrql);
-    bool fInserted = RTAvlU32Insert(&pSvga->MobTree, &(*ppMob)->core);
+    bool fInserted = RTAvlU32Insert(&pSvga->MobTree, &pMob->core);
     KeReleaseSpinLock(&pSvga->MobSpinLock, OldIrql);
     Assert(fInserted); RT_NOREF(fInserted);
 
-    GALOG(("mobid = %u\n", VMSVGAMOB_ID(*ppMob)));
-    return STATUS_SUCCESS;
-}
-
-void SvgaMobFree(VBOXWDDM_EXT_VMSVGA *pSvga,
-                 PVMSVGAMOB pMob)
-{
-    GALOG(("[%p] %p\n", pSvga, pMob));
-
-    if (pMob)
-    {
-        GALOG(("mobid = %u\n", VMSVGAMOB_ID(pMob)));
-
-        KIRQL OldIrql;
-        KeAcquireSpinLock(&pSvga->MobSpinLock, &OldIrql);
-        RTAvlU32Remove(&pSvga->MobTree, pMob->core.Key);
-        KeReleaseSpinLock(&pSvga->MobSpinLock, OldIrql);
-
-#ifdef DEBUG
-        ASMAtomicSubU32(&pSvga->cAllocatedMobPages, pMob->gbo.cbGbo / PAGE_SIZE);
-        ASMAtomicDecU32(&pSvga->cAllocatedMobs);
-#endif
-
-        SvgaGboFree(&pMob->gbo);
-
-        if (pMob->hMemObj != NIL_RTR0MEMOBJ)
-        {
-            int rc = RTR0MemObjFree(pMob->hMemObj, true);
-            AssertRC(rc);
-            pMob->hMemObj = NIL_RTR0MEMOBJ;
-        }
-
-        NTSTATUS Status = SvgaMobIdFree(pSvga, VMSVGAMOB_ID(pMob));
-        Assert(NT_SUCCESS(Status)); RT_NOREF(Status);
-        GaMemFree(pMob);
-    }
-}
-
-PVMSVGAMOB SvgaMobQuery(VBOXWDDM_EXT_VMSVGA *pSvga,
-                        uint32_t mobid)
-{
-    KIRQL OldIrql;
-    KeAcquireSpinLock(&pSvga->MobSpinLock, &OldIrql);
-    PVMSVGAMOB pMob = (PVMSVGAMOB)RTAvlU32Get(&pSvga->MobTree, mobid);
-    KeReleaseSpinLock(&pSvga->MobSpinLock, OldIrql);
-
-    GALOG(("[%p] mobid = %u -> %p\n", pSvga, mobid, pMob));
-    return pMob;
-}
-
-NTSTATUS SvgaMobCreate(VBOXWDDM_EXT_VMSVGA *pSvga,
-                       PVMSVGAMOB *ppMob,
-                       uint32_t cMobPages,
-                       HANDLE hAllocation)
-{
-    PVMSVGAMOB pMob;
-    NTSTATUS Status = svgaMobAlloc(pSvga, &pMob);
-    AssertReturn(NT_SUCCESS(Status), Status);
-
-    Status = SvgaGboInit(&pMob->gbo, cMobPages);
-    AssertReturnStmt(NT_SUCCESS(Status), SvgaMobFree(pSvga, pMob), Status);
-
-    pMob->hAllocation = hAllocation;
-    *ppMob = pMob;
-
 #ifdef DEBUG
     ASMAtomicIncU32(&pSvga->cAllocatedMobs);
-    ASMAtomicAddU32(&pSvga->cAllocatedMobPages, cMobPages);
 #endif
 
+    *pMobid = VMSVGAMOB_ID(pMob);
     return STATUS_SUCCESS;
-}
-
-NTSTATUS SvgaMobSetMemObj(PVMSVGAMOB pMob,
-                          RTR0MEMOBJ hMemObj)
-{
-    NTSTATUS Status = SvgaGboFillPageTableForMemObj(&pMob->gbo, hMemObj);
-    if (NT_SUCCESS(Status))
-        pMob->hMemObj = hMemObj;
-    return Status;
 }
 
@@ -2584 +2651 @@
     AssertReturn(id < SVGA_COTABLE_MAX_IDS, STATUS_INVALID_PARAMETER);
 
-    /* Allocate a new larger mob and inform the host. */
+    /* Allocate a new larger gbo and inform the host. */
     static uint32_t const s_acbEntry[] =
     {
@@ -2616 +2683 @@
         cbCOT *= 2;
 
-    /* Allocate pages for the new COTable. */
-    RTR0MEMOBJ hMemObjCOT;
-    int rc = RTR0MemObjAllocPageTag(&hMemObjCOT, cbCOT, false /* executable R0 mapping */, "VMSVGACOT");
-    AssertRCReturn(rc, STATUS_INSUFFICIENT_RESOURCES);
-
-    /* Allocate a new mob. */
-    PVMSVGAMOB pMob;
-    NTSTATUS Status = SvgaMobCreate(pSvga, &pMob, cbCOT >> PAGE_SHIFT, 0);
+    /* Allocate memory for the new COTable. */
+    PVMSVGAGBO pGbo;
+    NTSTATUS Status = SvgaGboCreate(pSvga, &pGbo, cbCOT, "VMSVGACOT");
+    AssertReturn(NT_SUCCESS(Status), Status);
+
+    /* Allocate a new mobid. */
+    SVGAMobId mobid;
+    Status = SvgaMobAlloc(pSvga, &mobid, pGbo);
     AssertReturnStmt(NT_SUCCESS(Status),
-                     RTR0MemObjFree(hMemObjCOT, true),
+                     SvgaGboUnreference(pSvga, &pGbo),
                      Status);
 
-    Status = SvgaMobSetMemObj(pMob, hMemObjCOT);
-    AssertReturnStmt(NT_SUCCESS(Status),
-                     SvgaMobFree(pSvga, pMob); RTR0MemObjFree(hMemObjCOT, true),
-                     Status);
+    /* Now the new allocated mob holds a reference to the gbo. */
+    SvgaGboUnreference(pSvga, &pGbo);
 
     /* Emit commands. */
-    void *pvCmd = SvgaCmdBuf3dCmdReserve(pSvga, SVGA_3D_CMD_DEFINE_GB_MOB64, sizeof(SVGA3dCmdDefineGBMob64), SVGA3D_INVALID_ID);
+    uint32_t cbCmd = 0;
+    SvgaMobDefine(pSvga, SVGA3D_INVALID_ID, NULL, 0, &cbCmd);
+    void *pvCmd = SvgaCmdBufReserve(pSvga, cbCmd, SVGA3D_INVALID_ID);
     if (pvCmd)
     {
-        SVGA3dCmdDefineGBMob64 *pCmd = (SVGA3dCmdDefineGBMob64 *)pvCmd;
-        pCmd->mobid       = VMSVGAMOB_ID(pMob);
-        pCmd->ptDepth     = pMob->gbo.enmMobFormat;
-        pCmd->base        = pMob->gbo.base;
-        pCmd->sizeInBytes = pMob->gbo.cbGbo;
-        SvgaCmdBufCommit(pSvga, sizeof(*pCmd));
-    }
-    else
-        AssertFailedReturnStmt(SvgaMobFree(pSvga, pMob); RTR0MemObjFree(hMemObjCOT, true),
+        SvgaMobDefine(pSvga, mobid, pvCmd, cbCmd, &cbCmd);
+        SvgaCmdBufCommit(pSvga, cbCmd);
+    }
+    else
+        AssertFailedReturnStmt(SvgaMobFree(pSvga, &mobid),
                                STATUS_INSUFFICIENT_RESOURCES);
 
@@ -2656 +2719 @@
             SVGA3dCmdDXSetCOTable *pCmd = (SVGA3dCmdDXSetCOTable *)pvCmd;
             pCmd->cid              = pSvgaContext->u32Cid;
-            pCmd->mobid            = VMSVGAMOB_ID(pMob);
+            pCmd->mobid            = mobid;
             pCmd->type             = enmType;
             pCmd->validSizeInBytes = pCOT->cEntries * s_acbEntry[idxCOTable];
@@ -2662 +2725 @@
         }
         else
-            AssertFailedReturnStmt(SvgaMobFree(pSvga, pMob); RTR0MemObjFree(hMemObjCOT, true),
+            AssertFailedReturnStmt(SvgaMobFree(pSvga, &mobid),
                                    STATUS_INSUFFICIENT_RESOURCES);
     }
@@ -2673 +2736 @@
             SVGA3dCmdDXGrowCOTable *pCmd = (SVGA3dCmdDXGrowCOTable *)pvCmd;
             pCmd->cid              = pSvgaContext->u32Cid;
-            pCmd->mobid            = VMSVGAMOB_ID(pMob);
+            pCmd->mobid            = mobid;
             pCmd->type             = enmType;
             pCmd->validSizeInBytes = pCOT->cEntries * s_acbEntry[idxCOTable];
@@ -2679 +2742 @@
         }
         else
-            AssertFailedReturnStmt(SvgaMobFree(pSvga, pMob); RTR0MemObjFree(hMemObjCOT, true),
+            AssertFailedReturnStmt(SvgaMobFree(pSvga, &mobid),
                                    STATUS_INSUFFICIENT_RESOURCES);
 
+        /* Delete old mob. */
         uint32_t cbCmdRequired = 0;
-        SvgaMobDestroy(pSvga, pCOT->pMob, NULL, 0, &cbCmdRequired);
+        SvgaMobDestroy(pSvga, 0, NULL, 0, &cbCmdRequired);
         pvCmd = SvgaCmdBufReserve(pSvga, cbCmdRequired, SVGA3D_INVALID_ID);
         if (pvCmd)
         {
-            SvgaMobDestroy(pSvga, pCOT->pMob, pvCmd, cbCmdRequired, &cbCmdRequired);
+            SvgaMobDestroy(pSvga, pCOT->mobid, pvCmd, cbCmdRequired, &cbCmdRequired);
             SvgaCmdBufCommit(pSvga, cbCmdRequired);
         }
 
-        pCOT->pMob = NULL;
+        pCOT->mobid = SVGA3D_INVALID_ID;
     }
 
     SvgaCmdBufFlush(pSvga);
 
-    pCOT->pMob = pMob;
+    pCOT->mobid = mobid;
     pCOT->cEntries = cbCOT / s_acbEntry[idxCOTable];
 
@@ -2702 +2766 @@
 }
 
+
+void *SvgaMobAddress(VBOXWDDM_EXT_VMSVGA *pSvga,
+                     SVGAMobId mobid)
+{
+    KIRQL OldIrql;
+    KeAcquireSpinLock(&pSvga->MobSpinLock, &OldIrql);
+    PVMSVGAMOB pMob = (PVMSVGAMOB)RTAvlU32Get(&pSvga->MobTree, mobid);
+    KeReleaseSpinLock(&pSvga->MobSpinLock, OldIrql);
+    AssertReturn(pMob && pMob->pGbo, NULL);
+
+    return RTR0MemObjAddress(pMob->pGbo->hMemObj);
+}
+
+
+NTSTATUS SvgaMobDefine(VBOXWDDM_EXT_VMSVGA *pSvga,
+                       SVGAMobId mobid,
+                       void *pvCmd,
+                       uint32_t cbReserved,
+                       uint32_t *pcbCmd)
+{
+    uint32_t cbRequired = sizeof(SVGA3dCmdHeader) + sizeof(SVGA3dCmdDefineGBMob64);
+
+    *pcbCmd = cbRequired;
+    if (cbReserved < cbRequired)
+        return STATUS_GRAPHICS_INSUFFICIENT_DMA_BUFFER;
+
+    /* Find the mob. */
+    KIRQL OldIrql;
+    KeAcquireSpinLock(&pSvga->MobSpinLock, &OldIrql);
+    PVMSVGAMOB pMob = (PVMSVGAMOB)RTAvlU32Get(&pSvga->MobTree, mobid);
+    KeReleaseSpinLock(&pSvga->MobSpinLock, OldIrql);
+    AssertReturn(pMob && pMob->pGbo, STATUS_INVALID_PARAMETER);
+
+    /* Generate commands. */
+    uint8_t *pu8Cmd = (uint8_t *)pvCmd;
+    SVGA3dCmdHeader *pHdr;
+
+    pHdr = (SVGA3dCmdHeader *)pu8Cmd;
+    pHdr->id   = SVGA_3D_CMD_DEFINE_GB_MOB64;
+    pHdr->size = sizeof(SVGA3dCmdDefineGBMob64);
+    pu8Cmd += sizeof(*pHdr);
+
+    {
+    SVGA3dCmdDefineGBMob64 *pCmd = (SVGA3dCmdDefineGBMob64 *)pu8Cmd;
+    pCmd->mobid       = mobid;
+    pCmd->ptDepth     = pMob->pGbo->enmMobFormat;
+    pCmd->base        = pMob->pGbo->base;
+    pCmd->sizeInBytes = pMob->pGbo->cbGbo;
+    pu8Cmd += sizeof(*pCmd);
+    }
+
+    Assert((uintptr_t)pu8Cmd - (uintptr_t)pvCmd == cbRequired);
+
+    return STATUS_SUCCESS;
+}
 
 
@@ -2720 +2839 @@
  */
 NTSTATUS SvgaMobDestroy(VBOXWDDM_EXT_VMSVGA *pSvga,
-                        PVMSVGAMOB pMob,
+                        SVGAMobId mobid,
                         void *pvCmd,
                         uint32_t cbReserved,
@@ -2732 +2851 @@
         return STATUS_GRAPHICS_INSUFFICIENT_DMA_BUFFER;
 
+    /* Find the mob. */
+    KIRQL OldIrql;
+    KeAcquireSpinLock(&pSvga->MobSpinLock, &OldIrql);
+    PVMSVGAMOB pMob = (PVMSVGAMOB)RTAvlU32Get(&pSvga->MobTree, mobid);
+    KeReleaseSpinLock(&pSvga->MobSpinLock, OldIrql);
+    AssertReturn(pMob, STATUS_INVALID_PARAMETER);
+
+    /* Mob will be actually deallocated after the host processes the fence. */
+    pMob->u64MobFence = ASMAtomicIncU64(&pSvga->u64MobFence);
+
+    /* Add the mob to the deferred destruction queue. */
+    SvgaHostObjectsLock(pSvga, &OldIrql);
+    RTListAppend(&pSvga->listMobDeferredDestruction, &pMob->node);
+    SvgaHostObjectsUnlock(pSvga, OldIrql);
+
+    /* Generate commands. */
     uint8_t *pu8Cmd = (uint8_t *)pvCmd;
     SVGA3dCmdHeader *pHdr;
@@ -2742 +2877 @@
     {
     SVGA3dCmdDestroyGBMob *pCmd = (SVGA3dCmdDestroyGBMob *)pu8Cmd;
-    pCmd->mobid = VMSVGAMOB_ID(pMob);
+    pCmd->mobid = mobid;
     pu8Cmd += sizeof(*pCmd);
     }
-
-    pMob->u64MobFence = ASMAtomicIncU64(&pSvga->u64MobFence);
 
     pHdr = (SVGA3dCmdHeader *)pu8Cmd;
@@ -2756 +2889 @@
     SVGA3dCmdDXMobFence64 *pCmd = (SVGA3dCmdDXMobFence64 *)pu8Cmd;
     pCmd->value = pMob->u64MobFence;
-    pCmd->mobId = VMSVGAMOB_ID(pSvga->pMiniportMob);
+    pCmd->mobId = pSvga->mobidMiniport;
     pCmd->mobOffset = RT_OFFSETOF(VMSVGAMINIPORTMOB, u64MobFence);
     pu8Cmd += sizeof(*pCmd);
     }
 
-    /* Add the mob to the deferred destruction queue. */
-    KIRQL OldIrql;
-    SvgaHostObjectsLock(pSvga, &OldIrql);
-    RTListAppend(&pSvga->listMobDeferredDestruction, &pMob->node);
-    SvgaHostObjectsUnlock(pSvga, OldIrql);
-
     Assert((uintptr_t)pu8Cmd - (uintptr_t)pvCmd == cbRequired);
 
     return STATUS_SUCCESS;
 }
+
+DECLINLINE(int) SvgaFenceCmp64(uint64_t u64FenceA, uint64_t u64FenceB)
+{
+     if (   u64FenceA < u64FenceB
+         || u64FenceA - u64FenceB > UINT64_MAX / 2)
+     {
+         return -1; /* FenceA is newer than FenceB. */
+     }
+     else if (u64FenceA == u64FenceB)
+     {
+         /* FenceA is equal to FenceB. */
+         return 0;
+     }
+
+     /* FenceA is older than FenceB. */
+     return 1;
+}
+
+void SvgaDeferredMobDestruction(PVBOXWDDM_EXT_VMSVGA pSvga)
+{
+    if (pSvga->pMiniportMobData)
+    {
+        uint64_t const u64MobFence = ASMAtomicReadU64(&pSvga->pMiniportMobData->u64MobFence);
+
+        /* Move mobs which were deleted by the host to the local list under the lock. */
+        RTLISTANCHOR listDestroyedMobs;
+        RTListInit(&listDestroyedMobs);
+
+        KIRQL OldIrql;
+        SvgaHostObjectsLock(pSvga, &OldIrql);
+
+        PVMSVGAMOB pIter, pNext;
+        RTListForEachSafe(&pSvga->listMobDeferredDestruction, pIter, pNext, VMSVGAMOB, node)
+        {
+            if (SvgaFenceCmp64(pIter->u64MobFence, u64MobFence) <= 0)
+            {
+                RTListNodeRemove(&pIter->node);
+                RTListAppend(&listDestroyedMobs, &pIter->node);
+            }
+        }
+
+        SvgaHostObjectsUnlock(pSvga, OldIrql);
+
+        RTListForEachSafe(&listDestroyedMobs, pIter, pNext, VMSVGAMOB, node)
+        {
+            /* Delete the data. SvgaMobFree deallocates pIter. */
+            RTListNodeRemove(&pIter->node);
+            SVGAMobId mobid = VMSVGAMOB_ID(pIter);
+            SvgaMobFree(pSvga, &mobid);
+        }
+    }
+}
+
+#ifdef DEBUG
+static DECLCALLBACK(int) mobDumpCb(PAVLU32NODECORE pNode, void *pvUser)
+{
+    PVMSVGAMOB pMob = (PVMSVGAMOB)pNode;
+    uint32_t *pcMobs = (uint32_t *)pvUser;
+    *pcMobs += 1;
+
+    GALOG(("mobid = %u, refs = %d, mdl = %u, cb = %u\n",
+        VMSVGAMOB_ID(pMob),
+        pMob->pGbo ? pMob->pGbo->cRefs : -1,
+        pMob->pGbo ? pMob->pGbo->flags.fMdl : 2,
+        pMob->pGbo ? pMob->pGbo->cbGbo : 0));
+    return 0;
+}
+#endif /* DEBUG */