BAD_POOL_HEADER 19, {3, fffffa80034ab920, fffffa80034ab920, 0}

Hi,
I got the following BSOD on Windows 7 64-bit. I’m trying to find the root cause (which driver caused it).
Can you please assist with how to debug this?
Thanks

2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 0000000000000003, the pool freelist is corrupt.
Arg2: fffffa80034ab920, the pool entry being checked.
Arg3: fffffa80034ab920, the read back flink freelist value (should be the same as 2).
Arg4: 0000000000000000, the read back blink freelist value (should be the same as 2).

Debugging Details:

BUGCHECK_STR: 0x19_3

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff80002c0e4b3 to fffff80002ae0c40

STACK_TEXT:
fffff880173ddff8 fffff80002c0e4b3 : 0000000000000019 0000000000000003 fffffa80034ab920 fffffa80034ab920 : nt!KeBugCheckEx
fffff880173de000 fffff80002da19d7 : 0000000000000002 0000000010000000 0000000000000001 0000000000000000 : nt!ExDeferredFreePool+0xa53
fffff880173de0f0 fffff80002dddfdc : fffff8a001d42170 fffff880173de2e8 0000000000000115 0000000000000000 : nt!MiRelocateImage+0x347
fffff880173de260 fffff80002dbc596 : fffff880173de4b0 fffff880173de700 fffff880173de558 0000000000000001 : nt!MmCreateSection+0x8bc
fffff880173de460 fffff80002f3d9c3 : 0000000000000000 fffff8a00ce94828 0000000000000000 0000000000000001 : nt!NtCreateSection+0x171
fffff880173de4e0 fffff80002f3df51 : 0000000000000000 fffff8a00ce94828 fffffa8007c40d40 fffff88000000060 : nt!PfpFileBuildReadSupport+0x163
fffff880173de5d0 fffff80002f4606e : fffff8a000000000 fffff8a000000009 fffff8a000000127 0000000000000000 : nt!PfpPrefetchFilesTrickle+0x121
fffff880173de6d0 fffff80002f46c07 : 0000000000000000 fffff880173deb60 fffff880173de8c8 fffff8a0011e3630 : nt!PfpPrefetchRequestPerform+0x30e
fffff880173de820 fffff80002f531de : fffff880173de8c8 fffff880173dea01 fffffa8008605cc0 0000000000000000 : nt!PfpPrefetchRequest+0x176
fffff880173de890 fffff80002f57a0a : 0000000000000000 000000000000004f 0000000000000000 ffffffffffffff01 : nt!PfSetSuperfetchInformation+0x1ad
fffff880173de970 fffff80002adfed3 : fffffa8006bd9b60 0000000000000000 0000000004c10190 0000000009ce87a0 : nt!NtSetSystemInformation+0xc8d
fffff880173deae0 00000000775b2a0a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
0000000001e8f888 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x775b2a0a

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ExDeferredFreePool+a53
fffff800`02c0e4b3 cc int 3

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!ExDeferredFreePool+a53

FOLLOWUP_NAME: Pool_corruption

IMAGE_NAME: Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MODULE_NAME: Pool_Corruption

FAILURE_BUCKET_ID: X64_0x19_3_nt!ExDeferredFreePool+a53

BUCKET_ID: X64_0x19_3_nt!ExDeferredFreePool+a53

Followup: Pool_corruption

Is this a minidump or full kernel dump?
Do you know the steps to reproduce this?
Do you suspect some specific driver, recent update or system change?

– pa

On 10-Nov-2014 10:23, xxxxx@kodak.com wrote:

Hi,
I got the following BSOD on Windows 7 64-bit. I’m trying to find the root cause (which driver caused it).
Can you please assist with how to debug this?
Thanks

It’s a kernel dump.
I don’t know how to reproduce this.
Also, I don’t suspect a specific driver.

These are hard to debug, there’s no doubt about that.

But, hmmmm… I would say, as first steps that

“The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.”

Take a look at and around the blocks of pool to see if the structures “look like anything” you recognize.

Then, as advised by the !analyze -v above, enable special pool for *every driver in the system* and try to repro the problem.

Peter
OSR
@OSRDrivers

Peter,
Is there a way to get the pool owner from a pool entry?
Pool entry = fffffa80034ab920
Thanks

Post the output of:

!pool fffffa80034ab920

That will walk the links in the pool page and show the corruption. From
there we can try to guess who might be involved just based on allocations
adjacent to the corruption, though ultimately it’s a memory corruption so it
could be anyone’s fault.

-scott
OSR
@OSRDrivers


That’s what I got:
2: kd> !pool fffffa80034ab920
Pool page fffffa80034ab920 region is Nonpaged pool
fffffa80034ab000 size: 4a0 previous size: 0 (Allocated) … (Protected)
*fffffa80034a9000 : large page allocation, Tag is Pool, size is 0x5650 bytes
Pooltag Pool : Pool tables, etc.
Any idea how to proceed?

A hint:

From my experience, BAD_POOL_HEADER may occur when a driver forgets to free its occupied memory when it unloads. The BSOD may occur a long time after the driver was unloaded.

Chtistiaan

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Monday, November 10, 2014 4:49 PM
Subject: RE:[ntdev] BAD_POOL_HEADER 19, {3, fffffa80034ab920, fffffa80034ab920, 0}

> That’s what I got:
> 2: kd> !pool fffffa80034ab920
> Pool page fffffa80034ab920 region is Nonpaged pool
> fffffa80034ab000 size: 4a0 previous size: 0 (Allocated) … (Protected)
> *fffffa80034a9000 : large page allocation, Tag is Pool, size is 0x5650 bytes
> Pooltag Pool : Pool tables, etc.
> Any idea how to proceed?

Unfortunately that’s not overly helpful. According to the bugcheck, you have
a zero somewhere there shouldn’t be. This could be a pool double free, use
after free, overrun, underrun, etc. Your best bet at this point is to run
Driver Verifier on your driver and see what happens.

In the meantime I would do a code review and check your allocations for any
of the above potential issues.

-scott
OSR
@OSRDrivers
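
Added example, not part of the original thread and not Windows kernel code: a user-mode C model of the free-list read-back check implied by the Arg2/Arg3/Arg4 descriptions in the bugcheck, showing how a stale write to a neighbouring freed block yields the same pattern as this dump (flink read-back equals the entry, blink read-back is zero). All names (`list_entry`, `readback`, `check_entry`, `demo`) are hypothetical and the scenario is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a doubly linked free list (assumption, not nt code). */
typedef struct list_entry {
    struct list_entry *flink, *blink;
} list_entry;

typedef struct {
    const list_entry *entry;      /* like Arg2: the entry being checked */
    const list_entry *flink_back; /* like Arg3: entry->flink->blink     */
    const list_entry *blink_back; /* like Arg4: entry->blink->flink     */
} readback;

static void list_init(list_entry *head) { head->flink = head->blink = head; }

/* Insert e at the front of the list. */
static void list_push(list_entry *head, list_entry *e) {
    e->flink = head->flink;
    e->blink = head;
    head->flink->blink = e;
    head->flink = e;
}

/* Follow both links and read the pointer back; a healthy entry sees itself. */
static readback check_entry(const list_entry *e) {
    readback r = { e, e->flink->blink, e->blink->flink };
    return r;
}

static int is_corrupt(readback r) {
    return r.flink_back != r.entry || r.blink_back != r.entry;
}

/* Constructed scenario: free blocks a, b, c sit on one list. With
 * stale_write set, a use-after-free style write zeroes c.flink, then b is
 * validated as if it were about to be unlinked. */
static readback demo(int stale_write) {
    static list_entry head, a, b, c;
    list_init(&head);
    list_push(&head, &a);
    list_push(&head, &b);
    list_push(&head, &c);                    /* head <-> c <-> b <-> a */
    if (stale_write)
        memset(&c.flink, 0, sizeof c.flink); /* the "zero that shouldn't be" */
    return check_entry(&b);                  /* b.blink is c */
}

int main(void) {
    readback r = demo(1);
    printf("entry=%p flink_back=%p blink_back=%p corrupt=%d\n", (void *)r.entry,
           (void *)r.flink_back, (void *)r.blink_back, is_corrupt(r));
    return 0;
}
```

The entry that fails the check (`b`) is not the one that was overwritten (`c`), which is why the allocations adjacent to the reported entry are the ones worth inspecting.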


Which Driver Verifier test do you recommend focusing on?

Thanks

Why focus on ONE? Just enable them all.

If you MUST “focus” on a single option, the one to select would be Special Pool.

Again, I would enable this for all drivers in the system… NOT just your driver.

Peter
OSR
@OSRDrivers

>Why focus on ONE? Just enable them all.

DO NOT enable low resource simulation.

Absolutely right. I’m so used to just ignoring that (except for special-case testing) I don’t even think about it anymore.

Thanks, Mr. Grig, for clarifying for the OP.

Peter
OSR
@OSRDrivers