BSOD due to MmUnmapLockedPages

Hi,

I am working on a legacy driver which crashes very rarely (once a year) due to page table page corruption; this issue is seen only on Windows 2008 x86.

For mapping, the driver uses the MmMapLockedPagesSpecifyCache routine in user mode, and for unmapping, the MmUnmapLockedPages routine.

Dump analysis

MEMORY_MANAGEMENT (1a)

Any other values for parameter 1 must be individually examined.

Arguments:
Arg1: 00041790, The subtype of the bugcheck.
Arg2: c0802086
Arg3: 00000200
Arg4: 00000000

Debugging Details:

BUGCHECK_STR: 0x1a_41790

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: ClusTranspo

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from e1f15fe2 to e1d10979

STACK_TEXT:
da70ea14 e1f15fe2 0000001a 00041790 c0802086 nt!KeBugCheckEx+0x1e
da70eafc e1cc2b6b 02e00000 c4c4ac70 c45a24c0 nt!MiUnmapLockedPagesInUserSpace+0x315
da70eb34 d8fefcbb 02d40000 c633bbe0 028f7e03 nt!MmUnmapLockedPages+0x22
WARNING: Stack unwind information not available. Following frames may be wrong.
da70ebfc d8fef04f c45a24c0 c62ea208 000f6444 MncTransport+0x4cbb
da70ec2c e1c8797a c45a24c0 c62ea208 c62ea208 MncTransport+0x404f
da70ec44 e1e89e35 c4c4ac70 c62ea208 c62ea278 nt!IofCallDriver+0x63
da70ec64 e1e8a5da c45a24c0 c4c4ac70 00000000 nt!IopSynchronousServiceTail+0x1d9
da70ed00 e1e8b6a4 c45a24c0 c62ea208 00000000 nt!IopXxxControlFile+0x6b7
da70ed34 e1c8dc56 00000094 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
da70ed34 77ac5cd4 00000094 00000000 00000000 nt!KiSystemServicePostCall
0173f8e4 00000000 00000000 00000000 00000000 0x77ac5cd4

I tried Verifier, and the driver crashed; now I get

Arg1: 000000b5, MmUnmapLockedPages called on a partial MDL (created with IoBuildPartialMdl).
Arg2: 8def2ce0, MDL address.
Arg3: ffff8193, MDL flags.
Arg4: 00000100, Unexpected partial MDL flag.

Debugging Details:

Page 12fc93 not present in the dump file. Type “.hh dbgerr004” for details
Page 133ff3 not present in the dump file. Type “.hh dbgerr004” for details

BUGCHECK_STR: 0xc4_b5

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: ClusTranspo

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 81b205a7 to 819029bd

STACK_TEXT:
94deaad8 81b205a7 000000c4 000000b5 8def2ce0 nt!KeBugCheckEx+0x1e
94deaaf8 81b2467e 8def2ce0 ffff8193 8df0b430 nt!VerifierBugCheckIfAppropriate+0x32
94deab14 8c920cbb 00190000 8def2ce0 184c0285 nt!VerifierMmUnmapLockedPages+0x5c
WARNING: Stack unwind information not available. Following frames may be wrong.
94deabdc 8c92004f 81529bc8 97a8ea90 000f6444 MncTransport+0x4cbb
94deac0c 81b186be 81529bc8 97a8ea90 8de2d198 MncTransport+0x404f
94deac30 81879931 97a8eb00 97a8ea90 81529bc8 nt!IovCallDriver+0x23f
94deac44 81a7be25 8de2d198 97a8ea90 97a8eb00 nt!IofCallDriver+0x1b
94deac64 81a7c5ca 81529bc8 8de2d198 00000000 nt!IopSynchronousServiceTail+0x1d9
94dead00 81a7d694 81529bc8 97a8ea90 00000000 nt!IopXxxControlFile+0x6b7
94dead34 8187fc96 00000094 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
94dead34 77125d14 00000094 00000000 00000000 nt!KiSystemServicePostCall
0140fa74 00000000 00000000 00000000 00000000 0x77125d14

Should I use other routines for mapping and unmapping?

Thanks
Shiv

You should not unmap a partial MDL. Only the full MDL should be unmapped.

This raises questions:

(1) How are you constructing this MDL? Is it given to your driver? If so, you don’t know how it was built and cannot safely do what you are doing (mapping/unmapping). I’m guessing this isn’t the case, since there’s nothing else on that stack besides your driver.
(2) Do you construct any partial MDLs in your driver? If so, you should review that code/logic carefully for errors, because somewhere you are deciding to unmap a partial MDL - but the mapping (and unmapping) should only be done against the entire MDL.

MDL handling is notoriously unforgiving.

Tony
OSR
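The Verifier bugcheck quoted above hands the person triaging it the MDL's Flags word in Arg3 and the bit it objected to in Arg4. What follows is an added example, not code from this thread or from the MncTransport driver: a small user-mode C program that decodes that flags word into flag names and applies the rule stated in the reply above (the same rule Driver Verifier enforces with subtype 0xB5), namely that a partial MDL must never be handed to MmUnmapLockedPages. The flag values are assumed to match the WDK's wdm.h and are reproduced inline so the program builds without a kernel build environment; reading Arg4 as a single MDL flag bit is likewise an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MDL flag bits. Assumed to match the definitions in the WDK's wdm.h;
 * reproduced here so the program builds outside a driver tree. */
#define MDL_MAPPED_TO_SYSTEM_VA     0x0001
#define MDL_PAGES_LOCKED            0x0002
#define MDL_SOURCE_IS_NONPAGED_POOL 0x0004
#define MDL_ALLOCATED_FIXED_SIZE    0x0008
#define MDL_PARTIAL                 0x0010
#define MDL_PARTIAL_HAS_BEEN_MAPPED 0x0020
#define MDL_IO_PAGE_READ            0x0040
#define MDL_WRITE_OPERATION         0x0080
#define MDL_PARENT_MAPPED_SYSTEM_VA 0x0100
#define MDL_FREE_EXTRA_PTES         0x0200
#define MDL_DESCRIBES_AWE           0x0400
#define MDL_IO_SPACE                0x0800
#define MDL_NETWORK_HEADER          0x1000
#define MDL_MAPPING_CAN_FAIL        0x2000
#define MDL_ALLOCATED_MUST_SUCCEED  0x4000
#define MDL_INTERNAL                0x8000

static const struct {
    uint16_t    bit;
    const char *name;
} mdl_flag_names[] = {
    { MDL_MAPPED_TO_SYSTEM_VA,     "MDL_MAPPED_TO_SYSTEM_VA"     },
    { MDL_PAGES_LOCKED,            "MDL_PAGES_LOCKED"            },
    { MDL_SOURCE_IS_NONPAGED_POOL, "MDL_SOURCE_IS_NONPAGED_POOL" },
    { MDL_ALLOCATED_FIXED_SIZE,    "MDL_ALLOCATED_FIXED_SIZE"    },
    { MDL_PARTIAL,                 "MDL_PARTIAL"                 },
    { MDL_PARTIAL_HAS_BEEN_MAPPED, "MDL_PARTIAL_HAS_BEEN_MAPPED" },
    { MDL_IO_PAGE_READ,            "MDL_IO_PAGE_READ"            },
    { MDL_WRITE_OPERATION,         "MDL_WRITE_OPERATION"         },
    { MDL_PARENT_MAPPED_SYSTEM_VA, "MDL_PARENT_MAPPED_SYSTEM_VA" },
    { MDL_FREE_EXTRA_PTES,         "MDL_FREE_EXTRA_PTES"         },
    { MDL_DESCRIBES_AWE,           "MDL_DESCRIBES_AWE"           },
    { MDL_IO_SPACE,                "MDL_IO_SPACE"                },
    { MDL_NETWORK_HEADER,          "MDL_NETWORK_HEADER"          },
    { MDL_MAPPING_CAN_FAIL,        "MDL_MAPPING_CAN_FAIL"        },
    { MDL_ALLOCATED_MUST_SUCCEED,  "MDL_ALLOCATED_MUST_SUCCEED"  },
    { MDL_INTERNAL,                "MDL_INTERNAL"                },
};

/* Bugcheck 0xC4 subtype 0xB5 reports the MDL's Flags field (a 16-bit CSHORT)
 * in Arg3; on x86 it is printed sign-extended, so keep only the low 16 bits. */
uint16_t mdl_flags_from_arg3(uint32_t arg3)
{
    return (uint16_t)(arg3 & 0xffffu);
}

/* Render the set flags as NAME|NAME|..., lowest bit first.
 * Returns a static buffer, which is adequate for a one-shot triage tool. */
const char *mdl_flags_string(uint16_t flags)
{
    static char buf[512];
    size_t n = sizeof mdl_flag_names / sizeof mdl_flag_names[0];
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (flags & mdl_flag_names[i].bit) {
            if (buf[0] != '\0')
                strncat(buf, "|", sizeof buf - strlen(buf) - 1);
            strncat(buf, mdl_flag_names[i].name, sizeof buf - strlen(buf) - 1);
        }
    }
    if (buf[0] == '\0')
        strncpy(buf, "(none)", sizeof buf);
    return buf;
}

/* The rule Verifier enforces with subtype 0xB5: MmUnmapLockedPages must be
 * given the full MDL that was mapped, never a partial MDL built from it. */
int mdl_unmap_is_allowed(uint16_t flags)
{
    return (flags & MDL_PARTIAL) == 0;
}

int main(void)
{
    /* Values taken from the Verifier bugcheck quoted in the thread. */
    const uint32_t arg3 = 0xffff8193u;  /* MDL flags */
    const uint32_t arg4 = 0x00000100u;  /* "Unexpected partial MDL flag" */

    uint16_t flags = mdl_flags_from_arg3(arg3);
    printf("MDL flags 0x%04x = %s\n", flags, mdl_flags_string(flags));
    printf("unmap allowed under the verifier rule: %s\n",
           mdl_unmap_is_allowed(flags) ? "yes" : "no");
    /* Assumption: Arg4 is one MDL flag bit and can be decoded the same way. */
    printf("Arg4 0x%04x decoded as a flag bit: %s\n",
           (unsigned)arg4, mdl_flags_string(mdl_flags_from_arg3(arg4)));
    return 0;
}
```

Run against the thread's Arg3 of ffff8193, the decoder reports MDL_PARTIAL set together with MDL_PARENT_MAPPED_SYSTEM_VA (the 0x100 bit Arg4 names), which is exactly the condition the check rejects. The same decode is of no use on the non-Verifier 0x1a dump, which is why Verifier or a checked build is needed to catch the bad unmap at the call site rather than as a later page table corruption.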

> For mapping driver uses MmMapLockedPagesSpecifyCache routine in user mode

You mean you are mapping the MDL into the user address space? In that case the verifier break is overactive. If you can’t work around it you can try testing on a more recent version of Windows (I believe this verifier check was removed in win8).

For the 1A/41790 bugcheck, I would suggest trying to reproduce this on a checked build of Windows.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, October 9, 2014 10:41 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] BSOD due to MmUnmapLockedPages


If you didn't make partial MDLs from the original, then give it a try: make a partial MDL and do the processing. IoBuildPartialMdl() may help.