BAD_POOL_CALLER "free kernel pool at user-mode address"

Hi

I got the above BSOD while calling ExFreePool() to free memory
previously allocated in my driver with ExAllocatePoolWithTag()…

Does that mean that the memory I allocated in kernel points to a user
mode space? (And if so, how can it be?)

Or maybe the problem is because of a context switch or something like that?

Thanks for any help…


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

I guess that “free kernel pool at user-mode address” is the tag you have
supplied when calling ExAllocatePoolWithTag.
In case you have allocated memory from NONPAGED pool you can free it at
any context.
If you have allocated PAGED pool at system process context then if you
try to free that memory in a call from dispatch I/O you will get a BSOD.
Paged pool is context specific.

> If you have allocated PAGED pool at system process context then if you
> try to free that memory in a call from dispatch I/O you will get a BSOD.
> Paged pool is context specific.

Absolutely not so. Please point at MSDN Library article where you have found
such a statement.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

The problem is that the buffer address is a user mode address - which means
that you are handing garbage back to the kernel pool.

Bug Check 0xC2: BAD_POOL_CALLER
Parameter 1 - 0x40 - “The current thread attempted to free kernel pool at
user-mode address.”
Parameter 2 - starting address - the page address you are freeing.
Parameter 3 - start of system address space - any address less than this is
bogus.
Parameter 4 - 0.

=====================
Mark Roddy DDK MVP
Windows 2003/XP/2000 Consulting
Hollis Technology Solutions 603-321-1032
www.hollistech.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Omer B
Sent: Monday, August 15, 2005 4:06 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] BAD_POOL_CALLER “free kernel pool at
user-mode address”

Hi

I got the above BSOD while calling ExFreePool() to free
memory previously allocated in my driver with
ExAllocatePoolWithTag()…

Does that mean that the memory I allocated in kernel
points to a user mode space? (And if so, how can it be?)

Or maybe the problem is because of a context switch or something
like that?

Thanks for any help…



But how can it be a user mode address if the allocation is from the kernel ?

Maxim - are you sure Nikolas is wrong ?
NONPAGED memory can be freed in any scope ?


While you believe that you are freeing the memory you previously
allocated, that cannot be the case - the pool allocator will never
return a user mode address to you.

My guess is that you’ve overwritten the local variable you were using on
the stack. You might want to analyze the contents of stack to see if
you can confirm stack corruption and if so perhaps you’ll notice
something in the pattern of corruption (e.g., an ASCII string copied
over the buffer).

If this is reproducible, walk through with the debugger until you see
the value in the variable change. If this is NOT reproducible, you’ll
have to dig through the crash to see if you can figure out how the
memory was trounced.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com


Why don’t you cut and paste the output from windbg analyze -v. The
address you are handing back is bogus. There are several possible
explanations: you’ve corrupted your own data structures and are using a
pointer-to-garbage as the value you hand back; you’ve corrupted pool
headers/lists and as a result, while your pointer is fine, the internal
pool headers/lists are corrupt and the consequence is this crash. Other
explanations are possible.

All kernel pool allocations can be freed from any process context. The
bugcheck is complaining about the address used for the free: it is a
user mode address not a kernel mode address.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Omer B
Sent: Monday, August 15, 2005 8:48 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] BAD_POOL_CALLER “free kernel pool at user-mode
address”

But how can it be a user mode address if the allocation is from the
kernel ?

Maxim - are you sure Nikolas is wrong ?
NONPAGED memory can be freed in any scope ?


The bugcheck means that you are passing an address to ExFreePoolWithTag that
never, ever came out of ExAllocatePoolWithTag. Pool addresses are always
kernel-mode-only addresses. On x86, this means that the high bit is set to
1; the address is within the range 0x80000000 - 0xFFFFFFF, inclusive.
User-mode addresses, on x86, are 0 - 0x7FFFFFFF. (This assumption is not
guaranteed to be true on other platforms, and is not something you should
hard-code into your driver.)

You have called ExFreePoolWithTag with a user-mode address. This is bogus
because it’s simply *impossible* for the pool allocator to allocate an
address in this range. Your driver has somehow corrupted the pointer that
you are passing.

– arlie


Note that these ranges are adjusted if /3GB is on the boot.ini line and
all of kernel VA is shoved into the top 1GB instead of the top 2 GB.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Arlie Davis
Sent: Monday, August 15, 2005 9:35 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] BAD_POOL_CALLER “free kernel pool at user-mode
address”

The bugcheck means that you are passing an address to ExFreePoolWithTag that
never, ever came out of ExAllocatePoolWithTag. Pool addresses are always
kernel-mode-only addresses. On x86, this means that the high bit is set to
1; the address is within the range 0x80000000 - 0xFFFFFFF, inclusive.
User-mode addresses, on x86, are 0 - 0x7FFFFFFF. (This assumption is not
guaranteed to be true on other platforms, and is not something you should
hard-code into your driver.)

You have called ExFreePoolWithTag with a user-mode address. This is bogus
because it’s simply *impossible* for the pool allocator to allocate an
address in this range. Your driver has somehow corrupted the pointer that
you are passing.

– arlie


And that the bugcheck parameters nicely give you the actual demarcating
address as well as the bogus one you supplied.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Monday, August 15, 2005 12:41 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] BAD_POOL_CALLER “free kernel pool at user-mode
address”

Note that these ranges are adjusted if /3GB is on the boot.ini line and
all of kernel VA is shoved into the top 1GB instead of the top 2 GB.

d


> If you have allocated PAGED pool at system process context then if you
> try to free that memory in a call from dispatch I/O you will get a BSOD.
> Paged pool is context specific.

This is completely new to me. Where do you get it?

Calvin Guan (Windows DDK MVP)
NetXtreme Longhorn Miniport Prime
Broadcom Corp. www.broadcom.com



From what I know, any kernel pool and lookaside allocations can be freed
from any thread context in the kernel.

The only limitation is IRQL - you cannot free paged memory from >=
DISPATCH_LEVEL.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
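
The stack inspection and boundary comparison discussed in this thread, as an added example (not code from any poster): it reads a pointer slot from a raw stack dump, compares it with bugcheck parameter 3 instead of a fixed 0x80000000, and reports any printable-ASCII run that overlaps the slot. The stack layout, the sample bytes and all names (`inspect_slot`, `slot_report`, `SAMPLE_CORRUPT`, `SAMPLE_INTACT`) are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What one pointer-sized stack slot looks like in a raw dump (x86, little-endian). */
typedef struct {
    uint32_t value;          /* pointer value stored in the slot */
    int      is_user_mode;   /* 1 if value < system_start */
    size_t   run_start;      /* offset of the ASCII run that touches the slot */
    size_t   run_len;        /* length of that run, 0 if none was found */
    size_t   slot_bytes_hit; /* number of slot bytes that lie inside the run */
} slot_report;

static int printable(uint8_t b) { return b >= 0x20 && b <= 0x7E; }

/* dump/len: bytes copied out of the crash dump; slot_off: offset of the pointer
 * variable; system_start: bugcheck parameter 3 (not a hard-coded 0x80000000);
 * min_run: shortest printable run that is treated as a string. */
slot_report inspect_slot(const uint8_t *dump, size_t len, size_t slot_off,
                         uint32_t system_start, size_t min_run)
{
    slot_report r;
    memset(&r, 0, sizeof r);
    if (len < 4 || slot_off > len - 4) return r;
    r.value = (uint32_t)dump[slot_off] | ((uint32_t)dump[slot_off + 1] << 8) |
              ((uint32_t)dump[slot_off + 2] << 16) | ((uint32_t)dump[slot_off + 3] << 24);
    r.is_user_mode = r.value < system_start;
    for (size_t i = 0; i < len; ) {
        if (!printable(dump[i])) { i++; continue; }
        size_t start = i;
        while (i < len && printable(dump[i])) i++;       /* i is one past the run */
        size_t lo = start > slot_off ? start : slot_off; /* overlap of the run    */
        size_t hi = i < slot_off + 4 ? i : slot_off + 4; /* with the slot         */
        if (i - start >= min_run && lo < hi) {
            r.run_start = start;
            r.run_len = i - start;
            r.slot_bytes_hit = hi - lo;
            break;
        }
    }
    return r;
}

/* Constructed dumps (assumed layout): char name[16] at offset 0, pool pointer at 16. */
static const uint8_t SAMPLE_CORRUPT[24] = "C:\\Temp\\capture.log"; /* 19 chars + NUL */
static const uint8_t SAMPLE_INTACT[24] = { 's','h','o','r','t', [16] = 0x00, 0x3C, 0x2B, 0x8A };

int main(void)
{
    slot_report c = inspect_slot(SAMPLE_CORRUPT, sizeof SAMPLE_CORRUPT, 16, 0x80000000u, 4);
    slot_report k = inspect_slot(SAMPLE_INTACT, sizeof SAMPLE_INTACT, 16, 0x80000000u, 4);
    /* 0xC0000000 is the start of the top 1 GB, the boundary when /3GB is in effect. */
    slot_report g = inspect_slot(SAMPLE_INTACT, sizeof SAMPLE_INTACT, 16, 0xC0000000u, 4);
    printf("corrupt: %08X user=%d run=%zu slot bytes hit=%zu\n",
           (unsigned)c.value, c.is_user_mode, c.run_len, c.slot_bytes_hit);
    printf("intact:  %08X user=%d run=%zu\n", (unsigned)k.value, k.is_user_mode, k.run_len);
    printf("/3GB:    %08X user=%d\n", (unsigned)g.value, g.is_user_mode);
    return 0;
}
```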
