
BugCheck c4 - Deleting uninitialized lookaside list.

_Lost_bit_ Member Posts: 21

Hello,

After reading through all the info available on this, I can't tell why this is happening. In the driver we have a lookAsideList for our event queue; we use the non-paged version of the function:

ExInitializeNPagedLookasideList

Then we call ExAllocateFromNPagedLookasideList to allocate, and we got valid addresses.

After using that memory we called ExFreeToNPagedLookasideList to free the allocated memory.

Then we finally call ExDeleteNPagedLookasideList. With the verifier enabled we get the

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
...
Arguments:
Arg1: 00000000000000cb, Deleting uninitialized lookaside list.
Arg2: ffff900fc84f9520, Lookaside list address.
Arg3: 0000000000000000
Arg4: 0000000000000000

Analyzing the dump, I don't see what could be the problem; the list was initialized:

It doesn't look like it's corrupted and I can't find much info on this error: Deleting uninitialized lookaside list.

Clearly it was initialized and used. Any clue on how to follow up? The number of total allocates matches the number of total frees.

Thanks in advance, I am out of ideas.

Comments

  • Tim_Roberts Member - All Emails Posts: 13,695

    Is it possible you are deleting the list twice?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • _Lost_bit_ Member Posts: 21

    @Tim_Roberts said:
    Is it possible you are deleting the list twice?

    Hi Tim,

    I don't think so. We are setting the pointer to NULL after calling ExDeleteNPagedLookasideList, so next time it won't do it again, as we only call the function if the pointer is not NULL.

  • Tim_Roberts Member - All Emails Posts: 13,695

    If it were me, I suppose my next step would be to trace backwards into the routine that triggered the bugcheck and figure out which field it didn't like. The structure looks normal to me, too.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Dejan_Maksimovic Member - All Emails Posts: 354
    via Email
    That is not a guarantee that a race condition is not causing you to try
    freeing it again, if that code could be run twice. Unless you are using
    atomic Exchange to NULL the value for others before freeing it.
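
The difference between the check-then-NULL teardown and the atomic exchange mentioned in the reply above, as an added example that is not part of the original thread. It is a user-mode C11 model, not driver code: `fake_list` and `fake_delete` are constructed stand-ins for the lookaside list and `ExDeleteNPagedLookasideList`, and `atomic_exchange` stands in for `InterlockedExchangePointer`.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Constructed user-mode stand-in for a lookaside list (not NPAGED_LOOKASIDE_LIST). */
typedef struct { int initialized; int bad_deletes; } fake_list;

/* Stand-in for ExDeleteNPagedLookasideList: counts deletes of a list that was
 * already deleted, the double-delete case the replies suspect (assumption). */
static void fake_delete(fake_list *l) {
    if (!l->initialized) { l->bad_deletes++; return; }
    l->initialized = 0;
}

/* Check-then-NULL teardown, split in two so the race window can be replayed. */
static fake_list *racy_check(fake_list **slot) { return *slot; }
static void racy_finish(fake_list **slot, fake_list *seen) {
    if (seen != NULL) { fake_delete(seen); *slot = NULL; }
}

/* Two callers both pass the NULL check before either clears the pointer. */
int demo_racy(void) {
    fake_list list = { 1, 0 };
    fake_list *slot = &list;
    fake_list *a = racy_check(&slot);
    fake_list *b = racy_check(&slot);
    racy_finish(&slot, a);
    racy_finish(&slot, b);          /* second delete of the same list */
    return list.bad_deletes;
}

/* Atomic claim: exactly one caller receives the non-NULL pointer. In a driver
 * this would be InterlockedExchangePointer on the stored list pointer. */
static void atomic_teardown(_Atomic(fake_list *) *slot) {
    fake_list *mine = atomic_exchange(slot, (fake_list *)NULL);
    if (mine != NULL) fake_delete(mine);
}

int demo_atomic(void) {
    fake_list list = { 1, 0 };
    _Atomic(fake_list *) slot = &list;
    atomic_teardown(&slot);
    atomic_teardown(&slot);         /* second caller sees NULL and does nothing */
    return list.bad_deletes;
}

int main(void) {
    printf("racy: %d bad delete(s), atomic: %d\n", demo_racy(), demo_atomic());
    return 0;
}
```
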
  • _Lost_bit_ Member Posts: 21

    @Tim_Roberts said:
    If it were me, I suppose my next step would be to trace backwards into the routine that triggered the bugcheck and figure out which field it didn't like. The structure looks normal to me, too.

    Yes, I wish Microsoft would offer more specific info about this bugcheck. I moved to use the Ex functions, suggested by the documentation, but still the same.

    @Dejan_Maksimovic said:
    That is not a guarantee that a race condition is not causing you to try
    freeing it again, if that code could be run twice. Unless you are using
    atomic Exchange to NULL the value for others before freeing it.

    This is happening on the shutdown flow; it is just one thread doing this, so we are pretty sure it is not an issue with concurrency. Not sure what to do now.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,158

    Walk into the code (single step in the debugger). Set a breakpoint on the tear-down routine.

    IIRC (and it's been years since I've looked at the source code for this)... Verifier makes some sort of list entry when you initialize the lookaside list and removes that entry when you tear-down the lookaside list. But, walking into the code should make this clear.

    I'm sorry, but that's almost certainly the only way you're going to solve this.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
