Bug check PAGE_FAULT_BEYOND_END_OF_ALLOCATION (cd)

Manoj_Pattanaik · January 5, 2011, 2:08am

I am getting a bug check 000000CD with my driver. After analysis the pool tag of the corrupted memory is found to be ‘Irp+’. Please help me to identify the cause of the bug check.

15: kd> vertarget
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (16 procs) Free x86 compatible
Product: LanManNt, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.091215-1207
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Wed Dec 22 22:36:34.843 2010 (UTC + 1:00)
System Uptime: 0 days 0:16:29.386

15: kd> .bugcheck
Bugcheck code 000000CD
Arguments 8b94318c 00000000 80852dbd 00000000

15: kd> kb
ChildEBP RetAddr Args to Child
af000ac8 8085ed25 00000050 8b94318c 00000000 nt!KeBugCheckEx+0x1b
af000b40 8088c800 00000000 8b94318c 00000000 nt!MmAccessFault+0xb25
af000b40 80852dbd 00000000 8b94318c 00000000 nt!KiTrap0E+0xdc
af000bd8 8081c428 86ae4b68 8b71f250 86b93518 nt!MmUnmapLockedPages+0x49
af000bec 808216a8 8b71f250 86b93518 00000103 nt!IoFreeMdl+0x18
af000c3c 808f5473 86b93558 af000c80 af000c78 nt!IopCompleteRequest+0x10c
af000c64 808f61bf 89624a88 00000000 865ad640 nt!IopSynchronousServiceTail+0x147
af000d00 808eed3c 0000080c 00000000 00000000 nt!IopXxxControlFile+0x5e5
af000d34 808897cc 0000080c 00000000 00000000 nt!NtFsControlFile+0x2a
af000d34 7c82860c 0000080c 00000000 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012acc4 00000000 00000000 00000000 00000000 0x7c82860c

15: kd> !pool 8b94318c
Pool page 8b94318c region is Special pool
8b943000: Unable to get contents of special pool block

15: kd> dt nt!_pool_header 8b943000
+0x000 PreviousSize : ??
+0x000 PoolIndex : ??
+0x002 BlockSize : ??
+0x002 PoolType : ??
+0x000 Ulong1 : ??
+0x004 PoolTag : ??
+0x004 AllocatorBackTraceIndex : ??
+0x006 PoolTagHash : ??
Memory read error 8b943006

15: kd> dt nt!_pool_header 8b944000
+0x000 PreviousSize : 0y111111100 (0x1fc)
+0x000 PoolIndex : 0y0000000 (0)
+0x002 BlockSize : 0y011100001 (0xe1)
+0x002 PoolType : 0y0000000 (0)
+0x000 Ulong1 : 0xe101fc
+0x004 PoolTag : 0x2b707249
+0x004 AllocatorBackTraceIndex : 0x7249
+0x006 PoolTagHash : 0x2b70

15: kd> .formats 0x2b707249
Evaluate expression:
Hex: 2b707249
Decimal: 728789577
Octal: 05334071111
Binary: 00101011 01110000 01110010 01001001
Chars: +prI
Time: Thu Feb 04 02:32:57 1993
Float: low 8.54237e-013 high 0
Double: 3.6007e-315

Thanks
Manoj

Scott_Noone_OSR · January 5, 2011, 10:51am

>I am getting a bug check 000000CD with my driver. After analysis the pool

tag of the corrupted memory is found to be ‘Irp+’. Please >help me to
identify the cause of the bug check.

Your analysis of the pool tag is incorrect. Here’s your bogus address:

15: kd> !pool 8b94318c
Pool page 8b94318c region is Special pool
8b943000: Unable to get contents of special pool block

(Unrelated: this is on processor 15, nice!)

8b944000 is the address of the next pool block’s header and is unrelated to
your crash:

15: kd> dt nt!_pool_header 8b944000

The system crashed trying to tear down an MDL in a completed device control
IRP. What kind of driver do you have? Do you play with MDLs at all?

-scott

–
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

Hope to see you at the next OSR kernel debugging class February 14th in
Columbia, MD!