Blue screen as call of ExDeleteNPagedLookasideList during unloading

Hi, All,

I got a strange problem as I am unloading my driver (on Win2K). If I attach
it to the windbg, it unloads fine. But if I don't attach it to windbg, I
will get blue screen (BAD_POOL_CALLER) as I am unloading the driver,
following is what I got:

Any suggestions?

Thanks

Lin

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad
IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000b8a, (reserved)
Arg3: 814c6060, Memory contents of the pool block
Arg4: 814c6068, Pointer to pool header

Debugging Details:

*814c6040 size: 60 previous size: 40
FREED_POOL_TAG: Port

BUGCHECK_STR: 0xc2_7_Port

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 8042c507 to 80456488

STACK_TEXT:
eb4478f4 8042c507 00000004 ffdff408 eb447c08 nt!RtlpBreakWithStatusInstruction
eb447924 8042ca48 00000004 80476740 814c6060 nt!KiBugCheckDebugBreak+0x31
eb447cb0 8046b4e2 000000c2 00000007 00000b8a nt!KeBugCheckEx+0x5d7
eb447cec 8046b2e2 814c6068 00000000 80417e4e nt!ExFreePoolWithTag+0x18a
eb447cf8 80417e4e 814c6068 f8a69ba0 f8a69ba0 nt!ExFreePool+0xb
eb447d08 f5ab3475 f5ae2a00 80409700 818ac8a0 nt!ExDeleteNPagedLookasideList+0x34
eb447d30 f5a65ba1 00000200 818ac8a0 00447d70 dfs_bind!pthread_clean+0x1af [kthread.c @ 192]
eb447d5c 804d9206 81204210 f8a69ba0 8046dc5c dfs_bind!UnLoad+0x283 [dfs_fsd.c @ 1375]
eb447d78 804191b5 f8a69ba0 00000000 00000000 nt!IopLoadUnloadDriver+0x14
eb447da8 80455a16 f8a69ba0 00000000 00000000 nt!ExpWorkerThread+0xae
eb447ddc 80469bb2 804190f0 00000001 00000000 nt!PspSystemThreadStartup+0x69
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
dfs_bind!pthread_clean+1af
f5ab3475 8b154015aef5 mov edx,[dfs_bind!DfsDebugMask (f5ae1540)]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: dfs_bind!pthread_clean+1af

MODULE_NAME: dfs_bind

IMAGE_NAME: dfs_bind.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3f4b8419

STACK_COMMAND: kb

BUCKET_ID: 0xc2_7_Port_dfs_bind!pthread_clean+1af

Followup: MachineOwner

You freed bogus memory to a lookaside list, and the error is only
showing up on unload because this is where the lookaside list is deleted
(which causes it to actually free the memory blocks that it owns).

Nick Ryan (MVP for DDK)
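An added example, not code from the thread or from the dfs_bind driver, that models in portable user-mode C why the crash surfaces in ExDeleteNPagedLookasideList rather than at the bad free: freeing to a lookaside list only pushes the block onto the list's free chain, and the pool, which is what detects a double free, sees the block again only when the list is deleted. The pool, the list and every function name here are the model's own (not the DDK's, and the real list's depth limit is left out); the `verify` flag stands for the kind of check Driver Verifier adds, which catches the second free at the call site instead of on unload.

```c
#include <stddef.h>
#include <stdlib.h>

#define POOL_SLOTS 16   /* blocks the model pool can track at once */
/* Model pool standing in for the NT non-paged pool: it remembers every block it
 * handed out, so a second free of the same block is caught (BAD_POOL_CALLER, Arg1 = 7). */
static void *g_block[POOL_SLOTS];
static int g_live[POOL_SLOTS];

static void model_pool_reset(void) {   /* each malloc'd block is freed exactly once */
    for (int i = 0; i < POOL_SLOTS; i++) { free(g_block[i]); g_block[i] = NULL; g_live[i] = 0; }
}

static void *model_pool_alloc(size_t size) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (g_block[i] == NULL) {
            g_block[i] = malloc(size);
            g_live[i] = (g_block[i] != NULL);
            return g_block[i];
        }
    return NULL;
}

/* 0 on success; -1 models the bugcheck for a block already freed or never
 * allocated here. The memory is kept so the slot stays identifiable. */
static int model_pool_free(void *p) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (g_block[i] == p) {
            if (!g_live[i]) return -1;
            g_live[i] = 0;
            return 0;
        }
    return -1;
}

/* Model lookaside list: a chain of cached free blocks, as ExAllocateFrom /
 * ExFreeTo / ExDeleteNPagedLookasideList keep (depth limit left out). */
typedef struct Entry { struct Entry *next; } Entry;
typedef struct {
    Entry *head;   /* cached free blocks */
    size_t size;   /* block size handed out */
    int verify;    /* 1 = refuse a block that is already on the chain */
} Lookaside;

void lookaside_init(Lookaside *l, size_t size, int verify) {
    l->head = NULL;
    l->size = size < sizeof(Entry) ? sizeof(Entry) : size;
    l->verify = verify;
}

void *lookaside_alloc(Lookaside *l) {
    if (l->head == NULL) return model_pool_alloc(l->size);
    Entry *e = l->head;   /* fast path: reuse a cached block */
    l->head = e->next;
    return e;
}

/* The fast path pushes the block without inspecting it, so a block pushed
 * twice is accepted silently and ends up linked to itself. With verify on
 * (the kind of check Driver Verifier adds) the second push returns -1. */
int lookaside_free(Lookaside *l, void *p) {
    Entry *e = p;
    if (l->verify)
        for (Entry *c = l->head; c != NULL; c = c->next)
            if (c == e) return -1;
    e->next = l->head;
    l->head = e;
    return 0;
}

/* Deleting the list is the first time its cached blocks reach the pool, so
 * this is where a double free to the list finally surfaces. Stops at the
 * first pool error, as a bugcheck would; returns the error count. */
int lookaside_delete(Lookaside *l) {
    int errors = 0;
    while (l->head != NULL) {
        Entry *e = l->head;
        l->head = e->next;
        if (model_pool_free(e) != 0) { errors++; break; }
    }
    return errors;
}

typedef struct { int second_free; int delete_errors; } Outcome;
/* The thread's situation: a block is freed to the list twice during normal
 * operation, then the list is deleted on unload. Without verify the second
 * free reports success and the fault shows up only at delete time. */
Outcome double_free_scenario(int verify) {
    Lookaside list;
    Outcome out;
    model_pool_reset();
    lookaside_init(&list, 64, verify);
    void *a = lookaside_alloc(&list), *b = lookaside_alloc(&list);
    lookaside_free(&list, a);
    out.second_free = lookaside_free(&list, a);   /* the bug: a freed again */
    lookaside_free(&list, b);
    out.delete_errors = lookaside_delete(&list);
    model_pool_reset();
    return out;
}
```

Calling `double_free_scenario(0)` reproduces the thread's pattern: both frees return 0 and the error only appears when the list is deleted, which is why the stack shows ExFreePool under ExDeleteNPagedLookasideList in the unload path. With `double_free_scenario(1)` the second free is rejected where the bug actually is, which is the point of running the driver under Driver Verifier rather than trusting that unload succeeded while a debugger happened to be attached.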

If you have DebugPrints in your driver then attaching with windbg
drastically changes the overall timing on your target machine. This
may hide some race conditions that exist in your driver on unload.

Try using dbgview from www.sysinternals.com. Disable the
'passthrough' option. This will catch the DebugPrints on the target,
and the timing is closer to your 'no windbg' situation. Maybe
then the problem also shows up 'with windbg'.

Norbert.

"The difference between winning and losing is self-discipline."
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stollmann.de
To unsubscribe send a blank email to xxxxx@lists.osr.com