Bug check 0xC2

While running the driver verifier on my FSD, a 0xC2 bug check occurs. The
entire bug check analysis is shown below. It occurs after my FSD completes
and returns from IRP_MJ_SET_INFORMATION. Any input appreciated.

  • Jeremy

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad
IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000c3e, (reserved)
Arg3: 85a229f8, Memory contents of the pool block
Arg4: 85a7d1ec, Address of the block of pool being deallocated

Debugging Details:

BUGCHECK_STR: 0xc2_7

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 805226a5 to 8050d064

IRP_ADDRESS: 9e455e90

DEVICE_OBJECT: 85b49828

DRIVER_OBJECT: 85d5b330

IMAGE_NAME: RelianceFS

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MODULE_NAME: RelianceFS

FAULTING_MODULE: 00000000

STACK_TEXT:
f75467b4 805226a5 00000003 00000000 000000c2 nt!RtlpBreakWithStatusInstruction
f7546800 80522dea 00000003 85a7d1e4 85a7d1ec nt!KiBugCheckDebugBreak+0x19
f7546bc8 804fc1bb 000000c2 00000007 00000c3e nt!KeBugCheck2+0x43c
f7546be8 8053757e 000000c2 00000007 00000c3e nt!KeBugCheckEx+0x19
f7546c30 804ed2d1 85a7d1ec 00000000 00000000 nt!ExFreePoolWithTag+0x237
f7546c84 8055ec9c 9e455ed0 f7546cb4 f7546cb8 nt!IopCompleteRequest+0xf4
f7546d48 804d4e91 00000768 000690a8 000690b4 nt!NtSetInformationFile+0x780
f7546d48 7ffe0304 00000768 000690a8 000690b4 nt!KiSystemService+0xc4
0006905c 77f7f1bf 008cc774 00000768 000690a8 SharedUserData!SystemCallStub+0x4
00069060 008cc774 00000768 000690a8 000690b4 ntdll!NtSetInformationFile+0xc
WARNING: Stack unwind information not available. Following frames may be wrong.
000690f4 008cc43e 00089400 00069124 000d3cb0 opcreatg!TestGroupBuildNumber+0x13034
0006aacc 008cc3f1 01038880 00089400 0006c7c0 opcreatg!TestGroupBuildNumber+0x12cfe
0006c4a4 008b8bd8 01038880 00089e80 0006de04 opcreatg!TestGroupBuildNumber+0x12cb1
0006dcd4 010243c8 01038880 0006f8d8 00000000 opcreatg!TestGroupEntryPoint+0x628
0006f658 01021f29 01038880 01034aa8 00000000 ifstest+0x243c8
0006ff44 0102a865 00000016 00263788 00262998 ifstest+0x21f29
0006ffc0 77e7eb69 00000000 00000000 7ffdf000 ifstest+0x2a865
0006fff0 00000000 0102a73a 00000000 78746341 kernel32!BaseProcessStart+0x23

SYMBOL_STACK_INDEX: 5

FOLLOWUP_NAME: MachineOwner

STACK_COMMAND: kb

BUCKET_ID: 0xc2_7_IMAGE_RelianceFS

Followup: MachineOwner

ReadMemoryError d0000001 at 9e456000

Someone has freed the system buffer. While you don’t mention the
version of the OS, here is what I can see on my laptop for this routine:

804eb55e 6a00 push 0x0
804eb560 ff730c push dword ptr [ebx+0xc]
804eb563 e8f04b0400 call nt!ExFreePoolWithTag (80530158)
804eb568 836308cf and dword ptr [ebx+0x8],0xffffffcf

(the last instruction is at offset f4 in IopCompleteRequest).

Note the push dword ptr [ebx+0xc]? EBX is the IRP, and so 0xc is the
system buffer (can’t be the master irp, since that is cleaned up in
IoCompleteRequest, and that’s done by completing the IRP, not freeing
the buffer.)

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jeremy Sherrill
Sent: Wednesday, March 17, 2004 3:01 PM
To: ntfsd redirect
Subject: [ntfsd] Bug check 0xC2



Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Thanks for the input. Found the problem, fixed it. I was incrementing
Irp->AssociatedIrp.IrpCount for each call made to IoMakeAssociatedIrp, but
never decrementing it. When an associated IRP existed, the AssociatedIrp
union is actually a pointer to the associated IRP, not a count of associated
IRPs, so incrementing IrpCount actually offset the pointer to the associated
IRP and caused the bug check upon IRP completion.

Jeremy

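Added example (not code from the thread or from RelianceFS): a small C model of the x86 IRP header prefix, tying together Tony's reading of the disassembly (the freed value is loaded from [ebx+0xc], i.e. IRP offset 0xc) and Jeremy's root cause (IrpCount shares storage with the system-buffer pointer). The field order and sizes follow the public IRP definition (Type, Size, MdlAddress, Flags, AssociatedIrp), modelled with 32-bit fields so the offsets match the x86 layout on any host; the struct name irp32, the sample buffer address 0x80001000 and the master_ctx bookkeeping are constructed for the example. It shows what incrementing IrpCount does to a union that currently holds SystemBuffer, and the alternative of keeping the count in driver-owned context so the IRP's union is never written.

```c
/* Added example: models the x86 IRP header prefix referred to in the thread.
 * Pointer-sized fields are uint32_t so the layout is x86-like on any host. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct irp32 {                    /* constructed 32-bit model, not the real IRP */
    uint16_t Type;
    uint16_t Size;
    uint32_t MdlAddress;          /* PMDL */
    uint32_t Flags;
    union {
        uint32_t MasterIrp;       /* PIRP: meaningful only in an associated IRP */
        int32_t  IrpCount;        /* LONG: meaningful only in a master IRP that owns associated IRPs */
        uint32_t SystemBuffer;    /* PVOID: meaningful when the I/O manager allocated a system buffer */
    } AssociatedIrp;              /* one 4-byte slot shared by all three views */
};

/* Offset of the union; this is the [ebx+0xc] that IopCompleteRequest frees. */
size_t associated_irp_offset(void)
{
    return offsetof(struct irp32, AssociatedIrp);
}

/* The faulty pattern: bump IrpCount on an IRP whose union currently holds a
 * system-buffer pointer. Returns the pointer value the I/O manager would later
 * try to free, i.e. the original address shifted by the number of bumps. */
uint32_t bump_irpcount_over_buffer(uint32_t system_buffer, int bumps)
{
    struct irp32 irp = {0};
    irp.AssociatedIrp.SystemBuffer = system_buffer;
    for (int i = 0; i < bumps; i++)
        irp.AssociatedIrp.IrpCount++;   /* writes the same 4 bytes as SystemBuffer */
    return irp.AssociatedIrp.SystemBuffer;
}

/* Corrected pattern: the driver tracks outstanding associated IRPs in its own
 * per-request context (hypothetical struct) and leaves the IRP union alone. */
struct master_ctx {
    struct irp32 *master;
    int32_t outstanding_associated;
};

void ctx_add_associated(struct master_ctx *c)
{
    c->outstanding_associated++;
}

/* Returns the remaining count; 0 means the master can be completed. */
int32_t ctx_complete_associated(struct master_ctx *c)
{
    return --c->outstanding_associated;
}

/* Same scenario as above using the context; the buffer pointer is unchanged. */
uint32_t ctx_buffer_after(uint32_t system_buffer, int n)
{
    struct irp32 irp = {0};
    irp.AssociatedIrp.SystemBuffer = system_buffer;
    struct master_ctx c = { &irp, 0 };
    for (int i = 0; i < n; i++)
        ctx_add_associated(&c);
    for (int i = 0; i < n; i++)
        ctx_complete_associated(&c);
    return irp.AssociatedIrp.SystemBuffer;
}

int main(void)
{
    printf("AssociatedIrp offset: 0x%zx\n", associated_irp_offset());
    printf("buffer after 3 IrpCount bumps: 0x%08x\n",
           bump_irpcount_over_buffer(0x80001000u, 3));
    printf("buffer with context tracking:  0x%08x\n",
           ctx_buffer_after(0x80001000u, 3));
    return 0;
}
```

Offset 0xc falls out of the field sizes alone, which is why Tony could identify the freed value as the system buffer from the disassembly without symbols for the structure. The shifted pointer is what reaches ExFreePoolWithTag at completion; Driver Verifier's pool tracking is what turns that into the BAD_POOL_CALLER stop rather than silent corruption.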