From: Steve Cheng on 14 Jan 2010 02:51

We have an NDIS IM developed based on the Passthru sample. It has worked fine on the x86 platform for years. Recently, we ported it to an x64 server and got a BSOD every 20 hours of loading. It won't happen on Sunday, when nobody connects to that server. The crash codes are DRIVER_CORRUPTED_MMPOOL (d0), DRIVER_CORRUPTED_EXPOOL (c5) or BAD_POOL_CALLER (c2). Sometimes it crashed while allocating memory in our driver. Sometimes it crashed while deallocating memory in our driver. Most of the time, it crashed outside of our code.

Any hints on how to debug? Segments of the dumps are as follows:

Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS StorageServer
Built by: 3790.srv03_sp2_gdr.090319-1204
Machine Name:
Kernel base = 0xfffff800`01000000 PsLoadedModuleList = 0xfffff800`011d4140

===============
Dump 1

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff800011a9f93, address which referenced memory

Debugging Details:
------------------

BUGCHECK_STR: 0xC5_2
CURRENT_IRQL: 2
FAULTING_IP:
nt!ExDeferredFreePool+303
fffff800`011a9f93 488908 mov qword ptr [rax],rcx
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: System
TRAP_FRAME: fffffadf90e5ca00 -- (.trap 0xfffffadf90e5ca00)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=fffffadf95886060 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800011a9f93 rsp=fffffadf90e5cb90 rbp=fffff800011ce1c0
r8=fffffadf95886000 r9=0000000000000001 r10=fffffadf96837560
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac po cy
nt!ExDeferredFreePool+0x303:
fffff800`011a9f93 488908 mov qword ptr [rax],rcx ds:b180:0000=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff8000102e5b4 to fffff8000102e890

STACK_TEXT:
fffffadf`90e5c878 fffff800`0102e5b4 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffffadf`90e5c880 fffff800`0102d547 : 00000000`00000202 fffff800`01025817 fffffadf`9747eb00 fffffa80`0a600020 : nt!KiBugCheckDispatch+0x74
fffffadf`90e5ca00 fffff800`011a9f93 : 00000000`00000001 fffffadf`9b22d260 00000000`00000000 ffffffff`ffffffff : nt!KiPageFault+0x207
fffffadf`90e5cb90 fffff800`011aa03d : fffffadf`977f4f80 00000000`000005cc fffffadf`977f4f70 fffff800`011ce1c0 : nt!ExDeferredFreePool+0x303
fffffadf`90e5cc00 fffffadf`9012a6b4 : fffffadf`9b22d260 fffffadf`9ba2b228 fffffadf`9b22d260 fffffadf`9ba2b228 : nt!ExFreePoolWithTag+0x759
fffffadf`90e5ccc0 fffff800`010375ca : fffffadf`977f4f90 fffffadf`9012a620 fffffadf`9cc7a040 fffff800`011cd9c0 : NDIS!ndisMRundownRequests+0xd7
fffffadf`90e5cd00 fffff800`0124a972 : fffffadf`9cc7a040 00000000`00000080 fffffadf`9cc7a040 fffffadf`90aa3680 : nt!ExpWorkerThread+0x13b
fffffadf`90e5cd70 fffff800`01020226 : fffffadf`90a9b180 fffffadf`9cc7a040 fffffadf`90aa3680 fffff800`011b4dc0 : nt!PspSystemThreadStartup+0x3e
fffffadf`90e5cdd0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

===================================
Dump 2

DRIVER_CORRUPTED_MMPOOL (d0)
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff800011a5087, address which referenced memory
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool. You can also set
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ProtectNonPagedPool
to a DWORD 1 value and reboot. Then the system will unmap freed nonpaged pool,
preventing drivers (although not DMA-hardware) from corrupting the pool.

Debugging Details:
------------------

WRITE_ADDRESS: 0000000000000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!MiAllocatePoolPages+2ed
fffff800`011a5087 488908 mov qword ptr [rax],rcx
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xD0
PROCESS_NAME: System
TRAP_FRAME: fffffadf8bdef7c0 -- (.trap 0xfffffadf8bdef7c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800011a5087 rsp=fffffadf8bdef950 rbp=fffff6fb7da00000
r8=fffff800011d3ba0 r9=0000000000000000 r10=fffff80001000000
r11=fffffadf8bdefdb8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
nt!MiAllocatePoolPages+0x2ed:
fffff800`011a5087 488908 mov qword ptr [rax],rcx ds:0001:00000000`00000000=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff8000102e5b4 to fffff8000102e890

STACK_TEXT:
fffffadf`8bdef638 fffff800`0102e5b4 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffffadf`8bdef640 fffff800`0102d547 : 53203130`3131313a 000a3030`313a484f fffffadf`9b910700 00000000`00000000 : nt!KiBugCheckDispatch+0x74
fffffadf`8bdef7c0 fffff800`011a5087 : 00000000`00000000 00000000`00000103 00000000`000005ea 00000000`00000002 : nt!KiPageFault+0x207
fffffadf`8bdef950 fffff800`011aa2cf : fffffadf`00000000 00000000`00000002 fffff800`011ce1c0 00000000`00000000 : nt!MiAllocatePoolPages+0x2ed
fffffadf`8bdefa70 fffffadf`900ef574 : fffffadf`00000000 fffffadf`8bdefc30 fffffadf`00000001 fffffadf`8bdefc20 : nt!ExAllocatePoolWithTag+0xc25
fffffadf`8bdefb30 fffffadf`8f341619 : fffffadf`9a840970 00000000`00000000 fffffadf`8bdefbb4 fffffadf`8bdefba8 : NDIS!NdisAllocateMemoryWithTag+0x13
fffffadf`8bdefb60 fffffadf`8f34582e : fffffadf`9a840970 fffffadf`8bdefc20 fffffadf`8bdefc30 fffffadf`900ea4a4 : CurtainP!CrAllocateAndCopyMemory+0xc9 [c:\working2\curtain\3.0\core\ndisdriver\curtainp\curtainfilter.c @ 177]
fffffadf`8bdefbf0 fffffadf`8f33d402 : fffffadf`9ab20cf0 fffffadf`9a840970 fffffadf`96e40500 fffffadf`8bdefce0 : CurtainP!CurtainBuildPacket+0x4e [c:\working2\curtain\3.0\core\ndisdriver\curtainp\curtainfilter.c @ 3037]
fffffadf`8bdefc70 fffffadf`900eb8cb : fffffadf`9ab20cf0 fffffadf`8bdefdc8 fffffadf`00000001 fffffadf`902e6479 : CurtainP!MPSendPackets+0x1e2 [c:\working2\curtain\3.0\core\ndisdriver\curtainp\miniport.c @ 525]
fffffadf`8bdefd60 fffffadf`8e7556f4 : fffff800`01000000 fffffadf`9a840970 fffffadf`9a840970 00000000`00000000 : NDIS!ndisMSendX+0x242
fffffadf`8bdefdc0 fffffadf`8e7558c9 : 00000000`00000000 00000000`00000002 fffffadf`962bd110 fffffadf`9a885010 : tcpip!ARPSendData+0x23a
fffffadf`8bdefe30 fffffadf`8e7523aa : fffffadf`8bdf0050 fffffadf`8bdf0018 fffffadf`9a887ba0 00000000`62160185 : tcpip!ARPTransmit+0x151
fffffadf`8bdefec0 fffffadf`8e74ec6d : 00000000`824f0106 fffffadf`972db010 00000000`000005c8 00000000`000005b4 : tcpip!IPTransmit+0xaf5
fffffadf`8bdf0140 fffffadf`8e7494cb : fffffadf`98e7ba00 fffffadf`8bdf0202 fffffadf`972db010 00000000`00000001 : tcpip!TCPSend+0x8d5
fffffadf`8bdf0220 fffffadf`8e74f9ec : 00000000`00000002 00000000`00000000 00000000`00000000 fffffadf`98e7c308 : tcpip!TdiSend+0x2fb
fffffadf`8bdf0290 fffffadf`8e6e085c : fffffadf`98e7c1e0 fffffadf`982c4e90 fffffadf`9a9ab9b0 fffffadf`98e7ba50 : tcpip!TCPSendData+0xee
fffffadf`8bdf02f0 fffffadf`8cfffae9 : fffffadf`98e7ba50 fffffadf`9a9ab9b0 fffffadf`98e7c228 fffffadf`98e7b010 : netbt!NTSend+0x227
fffffadf`8bdf03b0 fffffadf`8d001729 : fffffadf`98e7b010 00000000`00000001 fffffadf`98e7c430 00000000`00008000 : srv!SrvStartSend2+0x168
fffffadf`8bdf0400 fffffadf`8d000d3f : 00000000`00000000 00000000`00000000 00000000`00000000 fffffadf`98e7ba50 : srv!SrvFsdRestartLargeReadAndX+0x3f5
fffffadf`8bdf0470 fffff800`01025126 : 00000000`0000000e 00000000`00000000 00000000`0000000e 00000000`00000000 : srv!SrvFsdIoCompletionRoutine+0x1e
fffffadf`8bdf04a0 fffffadf`901593f3 : fffffadf`95865880 fffffadf`8bdf0701 fffffadf`95865880 fffffadf`8bdf0710 : nt!IopfCompleteRequest+0x117
fffffadf`8bdf0510 fffffadf`90153394 : fffffadf`94f3d130 fffffadf`95865880 fffffadf`98e7ba50 fffffa80`03cfd110 : Ntfs!NtfsCompleteRequest+0xdc
fffffadf`8bdf0540 fffffadf`90152e2e : fffffadf`8bdf06d0 fffffadf`98e7ba50 fffffadf`95865801 fffffadf`95865880 : Ntfs!NtfsCommonRead+0x1567
fffffadf`8bdf06d0 fffffadf`9031d922 : fffffadf`9a999cd0 fffffadf`98e7ba50 fffffadf`98e7ba50 fffffadf`98e7ba50 : Ntfs!NtfsFsdRead+0x262
fffffadf`8bdf0800 fffffadf`902f91fc : fffffadf`98e7ba58 fffffadf`98e7ba80 fffffadf`99b27c10 fffffadf`9a999cd0 : fltmgr!FltpDispatch+0x1c2
fffffadf`8bdf0860 fffffadf`902e6479 : fffffadf`96c29040 fffffadf`98e7b020 fffffadf`98e7ba50 00000000`00000001 : RSFilter!RsRead+0xdc
fffffadf`8bdf0910 fffffadf`9031d922 : fffffadf`99b27c10 fffffadf`98e7ba50 fffffadf`98e7ba50 fffffadf`98e7ba50 : sis!SipCommonRead+0x79
fffffadf`8bdf0a50 fffffadf`9031d922 : 00000000`00000000 fffffadf`98e7ba50 fffffadf`98e7ba50 fffffadf`9806b6e0 : fltmgr!FltpDispatch+0x1c2
fffffadf`8bdf0ab0 fffffadf`8d061475 : 00000000`00000000 00000000`00000000 fffffadf`98e7b010 00000000`00000001 : fltmgr!FltpDispatch+0x1c2
fffffadf`8bdf0b10 fffffadf`8cfff8f7 : fffffadf`98e7b010 fffffadf`98e7b010 fffffadf`8cffe000 00000000`00000000 : srv!SrvSmbReadAndX+0xe03
fffffadf`8bdf0c40 fffffadf`8cfff853 : fffffadf`98e7b010 fffffadf`98e7b010 fffffadf`9740d340 fffffadf`98e7c410 : srv!SrvProcessSmb+0x19f
fffffadf`8bdf0ca0 fffffadf`8d0590f2 : 00000000`000000d0 fffffadf`9c57d020 00000000`0000000f 00000000`0000000f : srv!SrvRestartReceive+0xca
fffffadf`8bdf0d10 fffff800`0124a972 : fffffadf`96c29040 00000000`00000080 fffffadf`96c29040 fffffadf`90aa3680 : srv!WorkerThread+0x144
fffffadf`8bdf0d70 fffff800`01020226 : fffffadf`90a9b180 fffffadf`96c29040 fffffadf`90aa3680 fffffadf`97863f00 : nt!PspSystemThreadStartup+0x3e
fffffadf`8bdf0dd0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

==========================
Dump 3

DRIVER_CORRUPTED_MMPOOL (d0)
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff800011a5087, address which referenced memory
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool. You can also set
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ProtectNonPagedPool
to a DWORD 1 value and reboot.
Then the system will unmap freed nonpaged pool,
preventing drivers (although not DMA-hardware) from corrupting the pool.

Debugging Details:
------------------

WRITE_ADDRESS: 0000000000000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!MiAllocatePoolPages+2ed
fffff800`011a5087 488908 mov qword ptr [rax],rcx
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xD0
PROCESS_NAME: System
TRAP_FRAME: fffffadf8bdef7c0 -- (.trap 0xfffffadf8bdef7c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800011a5087 rsp=fffffadf8bdef950 rbp=fffff6fb7da00000
r8=fffff800011d3ba0 r9=0000000000000000 r10=fffff80001000000
r11=fffffadf8bdefdb8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
nt!MiAllocatePoolPages+0x2ed:
fffff800`011a5087 488908 mov qword ptr [rax],rcx ds:0001:00000000`00000000=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff8000102e5b4 to fffff8000102e890

STACK_TEXT:
fffffadf`8bdef638 fffff800`0102e5b4 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffffadf`8bdef640 fffff800`0102d547 : 53203130`3131313a 000a3030`313a484f fffffadf`9b910700 00000000`00000000 : nt!KiBugCheckDispatch+0x74
fffffadf`8bdef7c0 fffff800`011a5087 : 00000000`00000000 00000000`00000103 00000000`000005ea 00000000`00000002 : nt!KiPageFault+0x207
fffffadf`8bdef950 fffff800`011aa2cf : fffffadf`00000000 00000000`00000002 fffff800`011ce1c0 00000000`00000000 : nt!MiAllocatePoolPages+0x2ed
fffffadf`8bdefa70 fffffadf`900ef574 : fffffadf`00000000 fffffadf`8bdefc30 fffffadf`00000001 fffffadf`8bdefc20 : nt!ExAllocatePoolWithTag+0xc25
fffffadf`8bdefb30 fffffadf`8f341619 : fffffadf`9a840970 00000000`00000000 fffffadf`8bdefbb4 fffffadf`8bdefba8 : NDIS!NdisAllocateMemoryWithTag+0x13
fffffadf`8bdefb60 fffffadf`8f34582e : fffffadf`9a840970 fffffadf`8bdefc20 fffffadf`8bdefc30 fffffadf`900ea4a4 : CurtainP!CrAllocateAndCopyMemory+0xc9 [c:\working2\curtain\3.0\core\ndisdriver\curtainp\curtainfilter.c @ 177]
fffffadf`8bdefbf0 fffffadf`8f33d402 : fffffadf`9ab20cf0 fffffadf`9a840970 fffffadf`96e40500 fffffadf`8bdefce0 : CurtainP!CurtainBuildPacket+0x4e [c:\working2\curtain\3.0\core\ndisdriver\curtainp\curtainfilter.c @ 3037]
fffffadf`8bdefc70 fffffadf`900eb8cb : fffffadf`9ab20cf0 fffffadf`8bdefdc8 fffffadf`00000001 fffffadf`902e6479 : CurtainP!MPSendPackets+0x1e2 [c:\working2\curtain\3.0\core\ndisdriver\curtainp\miniport.c @ 525]
fffffadf`8bdefd60 fffffadf`8e7556f4 : fffff800`01000000 fffffadf`9a840970 fffffadf`9a840970 00000000`00000000 : NDIS!ndisMSendX+0x242
fffffadf`8bdefdc0 fffffadf`8e7558c9 : 00000000`00000000 00000000`00000002 fffffadf`962bd110 fffffadf`9a885010 : tcpip!ARPSendData+0x23a
fffffadf`8bdefe30 fffffadf`8e7523aa : fffffadf`8bdf0050 fffffadf`8bdf0018 fffffadf`9a887ba0 00000000`62160185 : tcpip!ARPTransmit+0x151
fffffadf`8bdefec0 fffffadf`8e74ec6d : 00000000`824f0106 fffffadf`972db010 00000000`000005c8 00000000`000005b4 : tcpip!IPTransmit+0xaf5
fffffadf`8bdf0140 fffffadf`8e7494cb : fffffadf`98e7ba00 fffffadf`8bdf0202 fffffadf`972db010 00000000`00000001 : tcpip!TCPSend+0x8d5
fffffadf`8bdf0220 fffffadf`8e74f9ec : 00000000`00000002 00000000`00000000 00000000`00000000 fffffadf`98e7c308 : tcpip!TdiSend+0x2fb
fffffadf`8bdf0290 fffffadf`8e6e085c : fffffadf`98e7c1e0 fffffadf`982c4e90 fffffadf`9a9ab9b0 fffffadf`98e7ba50 : tcpip!TCPSendData+0xee
fffffadf`8bdf02f0 fffffadf`8cfffae9 : fffffadf`98e7ba50 fffffadf`9a9ab9b0 fffffadf`98e7c228 fffffadf`98e7b010 : netbt!NTSend+0x227
fffffadf`8bdf03b0 fffffadf`8d001729 : fffffadf`98e7b010 00000000`00000001 fffffadf`98e7c430 00000000`00008000 : srv!SrvStartSend2+0x168
fffffadf`8bdf0400 fffffadf`8d000d3f : 00000000`00000000 00000000`00000000 00000000`00000000 fffffadf`98e7ba50 : srv!SrvFsdRestartLargeReadAndX+0x3f5
fffffadf`8bdf0470 fffff800`01025126 : 00000000`0000000e 00000000`00000000 00000000`0000000e 00000000`00000000 : srv!SrvFsdIoCompletionRoutine+0x1e
fffffadf`8bdf04a0 fffffadf`901593f3 : fffffadf`95865880 fffffadf`8bdf0701 fffffadf`95865880 fffffadf`8bdf0710 : nt!IopfCompleteRequest+0x117
fffffadf`8bdf0510 fffffadf`90153394 : fffffadf`94f3d130 fffffadf`95865880 fffffadf`98e7ba50 fffffa80`03cfd110 : Ntfs!NtfsCompleteRequest+0xdc
fffffadf`8bdf0540 fffffadf`90152e2e : fffffadf`8bdf06d0 fffffadf`98e7ba50 fffffadf`95865801 fffffadf`95865880 : Ntfs!NtfsCommonRead+0x1567
fffffadf`8bdf06d0 fffffadf`9031d922 : fffffadf`9a999cd0 fffffadf`98e7ba50 fffffadf`98e7ba50 fffffadf`98e7ba50 : Ntfs!NtfsFsdRead+0x262
fffffadf`8bdf0800 fffffadf`902f91fc : fffffadf`98e7ba58 fffffadf`98e7ba80 fffffadf`99b27c10 fffffadf`9a999cd0 : fltmgr!FltpDispatch+0x1c2
fffffadf`8bdf0860 fffffadf`902e6479 : fffffadf`96c29040 fffffadf`98e7b020 fffffadf`98e7ba50 00000000`00000001 : RSFilter!RsRead+0xdc
fffffadf`8bdf0910 fffffadf`9031d922 : fffffadf`99b27c10 fffffadf`98e7ba50 fffffadf`98e7ba50 fffffadf`98e7ba50 : sis!SipCommonRead+0x79
fffffadf`8bdf0a50 fffffadf`9031d922 : 00000000`00000000 fffffadf`98e7ba50 fffffadf`98e7ba50 fffffadf`9806b6e0 : fltmgr!FltpDispatch+0x1c2
fffffadf`8bdf0ab0 fffffadf`8d061475 : 00000000`00000000 00000000`00000000 fffffadf`98e7b010 00000000`00000001 : fltmgr!FltpDispatch+0x1c2
fffffadf`8bdf0b10 fffffadf`8cfff8f7 : fffffadf`98e7b010 fffffadf`98e7b010 fffffadf`8cffe000 00000000`00000000 : srv!SrvSmbReadAndX+0xe03
fffffadf`8bdf0c40 fffffadf`8cfff853 : fffffadf`98e7b010 fffffadf`98e7b010 fffffadf`9740d340 fffffadf`98e7c410 : srv!SrvProcessSmb+0x19f
fffffadf`8bdf0ca0 fffffadf`8d0590f2 : 00000000`000000d0 fffffadf`9c57d020 00000000`0000000f 00000000`0000000f : srv!SrvRestartReceive+0xca
fffffadf`8bdf0d10 fffff800`0124a972 : fffffadf`96c29040 00000000`00000080 fffffadf`96c29040 fffffadf`90aa3680 : srv!WorkerThread+0x144
fffffadf`8bdf0d70 fffff800`01020226 : fffffadf`90a9b180 fffffadf`96c29040 fffffadf`90aa3680 fffffadf`97863f00 : nt!PspSystemThreadStartup+0x3e
fffffadf`8bdf0dd0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

================
Dump 4

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 000000000000121a, (reserved)
Arg3: 0000000000000000, Memory contents of the pool block
Arg4: fffffadf95877570, Address of the block of pool being deallocated

Debugging Details:
------------------

Page 6877 not present in the dump file. Type ".hh dbgerr004" for details
Page 6877 not present in the dump file. Type ".hh dbgerr004" for details
Page 6877 not present in the dump file. Type ".hh dbgerr004" for details
*** WARNING: Unable to verify timestamp for ati2dvag.dll
*** ERROR: Module load completed but symbols could not be loaded for ati2dvag.dll
*** WARNING: Unable to verify timestamp for ati2cqag.dll
*** ERROR: Module load completed but symbols could not be loaded for ati2cqag.dll
*** WARNING: Unable to verify timestamp for ATMFD.DLL
*** ERROR: Module load completed but symbols could not be loaded for ATMFD.DLL
*** ERROR: Module load completed but symbols could not be loaded for bridge.sys
*** ERROR: Module load completed but symbols could not be loaded for BASFND.sys
*** ERROR: Module load completed but symbols could not be loaded for secdrv.sys
*** ERROR: Module load completed but symbols could not be loaded for BNCHMRK2.vsd
*** ERROR: Module load completed but symbols could not be loaded for VirtFile.sys
*** ERROR: Module load completed but symbols could not be loaded for basamd64.sys
*** ERROR: Module load completed but symbols could not be loaded for scsichng.sys
*** ERROR: Module load completed but symbols could not be loaded for ati2mtag.sys
*** ERROR: Module load completed but symbols could not be loaded for ibmcg2k3.sys
*** ERROR: Module load completed but symbols could not be loaded for bxnd52a.sys
*** ERROR: Module load completed but symbols could not be loaded for bxvbda.sys
*** ERROR: Module load completed but symbols could not be loaded for snapman.sys
*** ERROR: Module load completed but symbols could not be loaded for timntr.sys
*** ERROR: Module load completed but symbols could not be loaded for vsp.sys
*** ERROR: Module load completed but symbols could not be loaded for lsi_sas.sys
*** ERROR: Module load completed but symbols could not be loaded for adpu320.sys
*** ERROR: Module load completed but symbols could not be loaded for ibmtpbs2k3.sys
*** ERROR: Module load completed but symbols could not be loaded for halfinch.sys
*** ERROR: Module load completed but symbols could not be loaded for tifsfilt.sys
*** ERROR: Module load completed but symbols could not be loaded for percsas.sys
*** ERROR: Module load completed but symbols could not be loaded for megasas.sys
*** ERROR: Module load completed but symbols could not be loaded for ibmcgbs2k3.sys
*** ERROR: Module load completed but symbols could not be loaded for dcdbas64.sys
*** ERROR: Module load completed but symbols could not be loaded for tpfilter.sys
*** ERROR: Module load completed but symbols could not be loaded for IBMCgFt2k3.sys
*** ERROR: Module load completed but symbols could not be loaded for CdaC15BA.sys
*** ERROR: Module load completed but symbols could not be loaded for CdaD10BA.sys

POOL_ADDRESS: fffffadf95877570
BUGCHECK_STR: 0xc2_7
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff800011a9769 to fffff8000102e890

STACK_TEXT:
fffffadf`90e71428 fffff800`011a9769 : 00000000`000000c2 00000000`00000007 00000000`0000121a 00000000`00000000 : nt!KeBugCheckEx
fffffadf`90e71430 fffff800`01009779 : fffffadf`95ecb400 00000000`00000004 fffffadf`967f7010 00000000`00000000 : nt!ExFreePoolWithTag+0x401
fffffadf`90e714f0 fffffadf`90155313 : fffffadf`95ecb430 00000000`00000000 fffffa80`0086a010 fffffadf`95ecb430 : nt!ExDeleteResourceLite+0xc6
fffffadf`90e71540 fffffadf`901c6e53 : fffffadf`90e715e0 fffffadf`9aba8c20 fffffadf`90e715e0 00000000`00000000 : Ntfs!NtfsFreeEresource+0x70
fffffadf`90e71570 fffffadf`901517db : fffffa80`0086a048 fffffadf`9aba8c20 fffffadf`9908b1c8 fffffa80`2184b110 : Ntfs!NtfsDeleteFcb+0x8c
fffffadf`90e715b0 fffffadf`901c8873 : fffffadf`95ecb430 fffffadf`9908b1c8 fffffa80`0086a010 fffffa80`0086a338 : Ntfs!NtfsTeardownFromLcb+0x31f
fffffadf`90e71640 fffffadf`90153435 : fffffadf`95ecb430 fffffadf`90159395 fffffadf`95ecb430 fffff800`01036180 : Ntfs!NtfsTeardownStructures+0x103
fffffadf`90e716d0 fffffadf`901cebe8 : fffffadf`95ecb430 fffffadf`9aba8c20 00000000`00000000 fffffa80`0086a010 : Ntfs!NtfsDecrementCloseCounts+0xaa
fffffadf`90e71710 fffffadf`901ce915 : fffffadf`95ecb430 fffffa80`0086a110 fffffa80`0086a010 fffffadf`9908b1c8 : Ntfs!NtfsCommonClose+0x54f
fffffadf`90e717b0 fffffadf`9031d922 : fffffadf`96ec1301 fffffadf`975fb010 fffffadf`975fb010 fffffadf`975fb030 : Ntfs!NtfsFsdClose+0x392
fffffadf`90e718a0 fffffadf`902e02ea : fffffadf`96ec1350 fffffadf`975fb010 fffffadf`975fb010 fffffadf`990b7c10 : fltmgr!FltpDispatch+0x1c2
fffffadf`90e71900 fffffadf`9031d922 : 00000000`00000000 00000000`00000000 fffffadf`975fb010 fffffadf`99b7fa30 : sis!SiClose+0x9a
fffffadf`90e71940 fffffadf`9031d922 : 00000000`00000000 fffffadf`975fb010 fffffadf`975fb010 fffffadf`95ce76e0 : fltmgr!FltpDispatch+0x1c2
fffffadf`90e719a0 fffff800`012831a0 : fffffadf`96ec1350 fffffadf`96ec1350 fffffadf`96ec1350 fffffadf`975fb010 : fltmgr!FltpDispatch+0x1c2
fffffadf`90e71a00 fffff800`01283eb0 : fffffadf`96ec1320 fffffadf`96ec1350 fffffadf`96ec1350 00000000`00000000 : nt!IopDeleteFile+0x301
fffffadf`90e71aa0 fffff800`0103c2ae : fffffadf`96ec1320 fffffadf`9590ce40 fffffadf`96ec1350 00000000`00000000 : nt!ObpRemoveObjectRoutine+0x14f
fffffadf`90e71b10 fffff800`0103a18f : fffffadf`96ec1350 fffffadf`96ec1350 00000000`00000000 00000000`00000000 : nt!ObfDereferenceObject+0x83
fffffadf`90e71b40 fffff800`01033d94 : fffffadf`9590ce40 fffffadf`90e71ca0 00000000`00000000 fffffadf`9590ce40 : nt!CcDeleteSharedCacheMap+0x3da
fffffadf`90e71bc0 fffff800`01032ba9 : fffff800`00000000 fffffadf`90e71ca0 fffffadf`9cc5d6b0 fffff800`01032a20 : nt!CcWriteBehind+0xc51
fffffadf`90e71c60 fffff800`010375ca : fffffadf`9cc5d6b0 fffffadf`9cc5d6b0 fffffadf`9cc79040 fffff800`011cd9c0 : nt!CcWorkerThread+0xa19
fffffadf`90e71d00 fffff800`0124a972 : fffffadf`9cc79040 00000000`00000080 fffffadf`9cc79040 fffffadf`90ac3680 : nt!ExpWorkerThread+0x13b
fffffadf`90e71d70 fffff800`01020226 : fffffadf`90abb180 fffffadf`9cc79040 fffffadf`90ac3680 00000000`00000000 : nt!PspSystemThreadStartup+0x3e
fffffadf`90e71dd0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

--
Best Regards,
Steve Cheng

From: Maxim S. Shatskih on 14 Jan 2010 02:57

> The crash codes are DRIVER_CORRUPTED_MMPOOL (d0), DRIVER_CORRUPTED_EXPOOL
> (c5) or BAD_POOL_CALLER (c2). Sometimes it crashed while allocating memory in
> our driver. Sometimes it crashed while deallocating memory in our driver.
> Most of the time, it crashed outside of our code.
>
> Any hints on how to debug?

Enable Verifier with Special Pool and re-run the tests.

--
Maxim S. Shatskih
Windows DDK MVP
maxim(a)storagecraft.com
http://www.storagecraft.com

From: Steve Cheng on 15 Jan 2010 05:06

Thanks Maxim, bugs identified with Verifier turned on.

--
Best Regards,
Steve Cheng

"Maxim S. Shatskih" <maxim(a)storagecraft.com.no.spam> wrote in message
news:%235iMD9OlKHA.4872(a)TK2MSFTNGP05.phx.gbl...
> The crash codes are DRIVER_CORRUPTED_MMPOOL (d0), DRIVER_CORRUPTED_EXPOOL
> (c5) or BAD_POOL_CALLER (c2). Sometimes it crashed while allocating memory
> in our driver. Sometimes it crashed while deallocating memory in our driver.
> Most of the time, it crashed outside of our code.
>
> Any hints on how to debug?

Enable Verifier with Special Pool and re-run the tests.

--
Maxim S. Shatskih
Windows DDK MVP
maxim(a)storagecraft.com
http://www.storagecraft.com
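
Why Special Pool pinpoints a bug that otherwise surfaces in unrelated code, as an added user-mode C analogy (not code from this thread, the driver or Driver Verifier; every name in it is hypothetical): each buffer ends flush against an inaccessible guard page, so an overrun faults at the offending write instead of silently damaging a neighbouring allocation. It assumes a POSIX system with mmap and mprotect.

```c
/* Added illustration: user-mode analogy of a guard-page allocator.
 * All names are hypothetical; this is not kernel or Driver Verifier code. */
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf g_fault_jmp;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(g_fault_jmp, 1);        /* unwind back to the writer */
}

/* Map the data pages plus one PROT_NONE guard page and return a pointer
 * placed so that the first byte past the buffer lies on the guard page. */
static unsigned char *guarded_alloc(size_t size, void **region, size_t *region_len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data_pages = (size + page - 1) / page;
    size_t len = (data_pages + 1) * page;
    unsigned char *base = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    if (mprotect(base + data_pages * page, page, PROT_NONE) != 0) {
        munmap(base, len);
        return NULL;
    }
    *region = base;
    *region_len = len;
    return base + data_pages * page - size;
}

/* Write `count` bytes into a guarded buffer of `size` bytes.
 * Returns the offset of the first write that faulted, -1 if every write
 * succeeded, or -2 if the buffer could not be set up. */
long first_faulting_offset(size_t size, size_t count)
{
    void *region = NULL;
    size_t region_len = 0;
    struct sigaction sa, old_segv, old_bus;
    volatile long i = 0;               /* volatile: read after siglongjmp */
    long result = -1;
    unsigned char *buf;

    if (size == 0)
        return -2;
    buf = guarded_alloc(size, &region, &region_len);
    if (buf == NULL)
        return -2;

    sa.sa_handler = on_fault;
    sa.sa_flags = 0;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);  /* some systems report SIGBUS */

    if (sigsetjmp(g_fault_jmp, 1) == 0) {
        for (i = 0; i < (long)count; i++)
            ((volatile unsigned char *)buf)[i] = 0x41;
    } else {
        result = i;                    /* caught at the exact offending write */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(region, region_len);
    return result;
}

int main(void)
{
    printf("100 bytes into a 100-byte buffer: %ld\n", first_faulting_offset(100, 100));
    printf("101 bytes into a 100-byte buffer: %ld\n", first_faulting_offset(100, 101));
    return 0;
}
```

With an ordinary allocator the 101st byte would land in whatever follows the buffer, and the damage would only show up later in some other caller's allocate or free, which matches the crashes "outside of our code" described in the question.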