Bugcheck in MmUnmapViewOfSection

I create section object like this:

PVOID SectionObjectPtr;
Status = MmCreateSection(
&SectionObjectPtr, SECTION_ALL_ACCESS, NULL,
&FileSize, PAGE_READWRITE, SEC_RESERVE, NULL, TargetFileObjectPtr);

After that I map view of section as follows:

PVOID BaseAddress;
ULONG ViewSize = 0x1000;
LARGE_INTEGER SectionOffset;
SectionOffset.QuadPart = 0;
Status = MmMapViewOfSection(
SectionObjectPtr, PsGetCurrentProcess(), &BaseAddress, 0, Length,
&SectionOffset, &ViewSize, ViewShare, 0, PAGE_READWRITE);

The problem is that when I unmap the view of the section with
MmUnmapViewOfSection(PsGetCurrentProcess(), BaseAddress), I get a
MEMORY_MANAGEMENT or PFN_LIST_CORRUPT bugcheck (it can work a couple of
times, but it crashes anyway). What’s the problem?

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

MEMORY_MANAGEMENT (1a)

Any other values for parameter 1 must be individually examined.

Arguments:
Arg1: 00041284, A PTE or the working set list is corrupt.
Arg2: c0205000
Arg3: 00000000
Arg4: c0502000

Debugging Details:

BUGCHECK_STR: 0x1a_41284

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 80438bab to 804a9bcc

STACK_TEXT:
f56905a0 80438bab 00000003 f56905e8 00041284
nt!RtlpBreakWithStatusInstruction
f56905d0 8043919e 00000003 00000000 c0502000 nt!KiBugCheckDebugBreak+0x31
f569095c 80499d4a 0000001a 00041284 c0205000 nt!KeBugCheckEx+0x390
f569098c 8049b139 00000000 81561000 815ddc88 nt!MiLocateWsle+0x7c
f56909b8 8049ab9e c0300814 c0205000 00000000 nt!MiDeletePte+0x255
f5690a80 80480a48 81560000 81560fff 00000000
nt!MiDeleteVirtualAddresses+0x494
f5690b34 8056f58e 815ced60 00000001 81861758 nt!MiRemoveMappedView+0x29b
f5690b60 eb033a23 00000000 815cec88 00000400 nt!MmUnmapViewOfSection+0x17c
f5690bd0 eb0337ab a6545f68 00000003 81861810
Vba32dNT!CRootDeviceExtension::OnRead+0x1b3
[r:\projects#vba4\products\monitor\filter\devices\rootdev.h @ 120]
f5690be4 eb035b29 81861758 a6545f68 81861810
Vba32dNT!CRootDeviceExtension::_DispatchHandler+0x5b
[r:\projects#vba4\products\monitor\filter\devices\rootdev.h @ 21]
f5690bf8 8060870f 81861758 a6545f68 80062f50
Vba32dNT!CDriverImpl::_DispatchHandler+0x29
[r:\projects#vba4\products\monitor\filter\template\driver.h @ 66]
f5690c44 8053444c a6545fd8 a6545f68 00000000 nt!IovSpecialIrpCallDriver+0xe4
f5690c58 8052ee27 81861758 a6545f68 818a9268
nt!IopSynchronousServiceTail+0x94
f5690d2c 804be60a 0000014c 00000000 00000000 nt!NtReadFile+0x62d
f5690d2c 77f7900f 0000014c 00000000 00000000 nt!KiSystemService+0x10a
021bf474 77e68a07 0000014c 00000000 00000000 ntdll!ZwReadFile+0xb
021bf4e8 01fd6a2b 0000014c 02220bf4 00000400 KERNEL32!ReadFile+0x181
WARNING: Stack unwind information not available. Following frames may be
wrong.
021bf5ec 0041917e 02032798 02220bf4 00000400
vba32prx!DllGetClassObject+0x743c
021bf6dc 10008d8d 00f80eb0 02220bf4 00000400 fsftest+0x1917e
021bf7ec 77d4a846 020b0fe4 01b30f10 021c0f28
vbasrvps!DllUnregisterServer+0x7c6a
021bf850 77a4cfda 020b0fe4 021c0f28 01b30f10
RPCRT4!CStdStubBuffer_Invoke+0x6b
021bf894 77a4d384 021c0f28 018b28a4 01d50af0 ole32!SyncStubInvoke+0x4f
021bf8e0 779a92e2 021c0f28 02090f2c 020b0fe4 ole32!StubInvoke+0x15b
021bfb44 77994b47 01b30f10 00000000 020b0fe4
ole32!CCtxComChnl::ContextInvoke+0x163
021bfb7c 77a4cebd 021c0f28 00000001 020b0fe4 ole32!MTAInvoke+0x69
021bfbb0 77a4d842 00132bf8 01b30f10 020b0fe4 ole32!AppInvoke+0xbf
021bfc70 77a4a4c2 00132bf8 00000000 018b2888
ole32!ComInvokeWithLockAndIPID+0x31e
021bfcf4 77d060d0 018b3010 018b2888 018b3010 ole32!ThreadInvoke+0x2fc
021bfd2c 77ceea14 77a4a1c6 018b3010 021bfe08 RPCRT4!DispatchToStubInC+0x32
021bfd80 77cee8ca 00000000 00000000 021bfe08
RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x11e
021bfda0 77ceec3c 018b3010 00000000 021bfe08
RPCRT4!RPC_INTERFACE::DispatchToStub+0x5e
021bfdd0 77d0f07e 018b3010 018b2fd4 00000000
RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0xd8
021bfe0c 77d0d1a4 018b0070 018b2ad0 80020000
RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x1bf
021bfe28 77d0d7bb 018b2f18 021bfe50 018b2ad0
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x140
021bff74 77d0cd1a 021bffa8 77cf068a 018b0070
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x292
021bff7c 77cf068a 018b0070 00000000 018b0000
RPCRT4!RecvLotsaCallsWrapper+0xb
021bffa8 77cece68 017d2f80 021bffec 77e5d4f9
RPCRT4!BaseCachedThreadRoutine+0x98
021bffb4 77e5d4f9 018b2a28 00000000 018b0000 RPCRT4!ThreadStartRoutine+0x18
021bffec 00000000 77cece50 018b2a28 00000000 KERNEL32!BaseThreadStart+0x52

FOLLOWUP_IP:
Vba32dNT!CRootDeviceExtension::OnRead+1b3
eb033a23 8b4d08 mov ecx,[ebp+0x8]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: Vba32dNT!CRootDeviceExtension::OnRead+1b3

MODULE_NAME: Vba32dNT

IMAGE_NAME: Vba32dNT.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3dcfc808

STACK_COMMAND: kb

BUCKET_ID: 0x1a_41284_Vba32dNT!CRootDeviceExtension::OnRead+1b3

Followup: MachineOwner
---------

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************


PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc). If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 00000099, A PTE or PFN is corrupt
Arg2: 00000909, page frame number
Arg3: 00000000, current page state
Arg4: 00000000, 0

Debugging Details:
------------------

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x4E

LAST_CONTROL_TRANSFER: from 80438bab to 804a9bcc

STACK_TEXT:
f588e5a8 80438bab 00000003 f588e5f0 00000099
nt!RtlpBreakWithStatusInstruction
f588e5d8 8043919e 00000003 00000909 818e08d8 nt!KiBugCheckDebugBreak+0x31
f588e964 80499425 0000004e 00000099 00000909 nt!KeBugCheckEx+0x390
f588e990 8049b10a 815c1000 81586bc8 c0300814 nt!MiDecrementShareCount+0x67
f588e9b8 8049ab9e c0300814 c0205000 00000000 nt!MiDeletePte+0x226
f588ea80 80480a48 815c0000 815c0fff 00000000
nt!MiDeleteVirtualAddresses+0x494
f588eb34 8056f58e 81583700 00000001 81861758 nt!MiRemoveMappedView+0x29b
f588eb60 eb033a23 00000000 8164e948 00000400 nt!MmUnmapViewOfSection+0x17c
f588ebd0 eb0337ab aa78df68 00000003 81861810
Vba32dNT!CRootDeviceExtension::OnRead+0x1b3
[r:\projects#vba4\products\monitor\filter\devices\rootdev.h @ 120]
f588ebe4 eb035b29 81861758 aa78df68 81861810
Vba32dNT!CRootDeviceExtension::_DispatchHandler+0x5b
[r:\projects#vba4\products\monitor\filter\devices\rootdev.h @ 21]
f588ebf8 8060870f 81861758 aa78df68 80062f50
Vba32dNT!CDriverImpl::_DispatchHandler+0x29
[r:\projects#vba4\products\monitor\filter\template\driver.h @ 66]
f588ec44 8053444c aa78dfd8 aa78df68 00000000 nt!IovSpecialIrpCallDriver+0xe4
f588ec58 8052ee27 81861758 aa78df68 81687888
nt!IopSynchronousServiceTail+0x94
f588ed2c 804be60a 00000110 00000000 00000000 nt!NtReadFile+0x62d
f588ed2c 77f7900f 00000110 00000000 00000000 nt!KiSystemService+0x10a
0214f474 77e68a07 00000110 00000000 00000000 ntdll!ZwReadFile+0xb
0214f4e8 01fd6a2b 00000110 02350bf4 00000400 KERNEL32!ReadFile+0x181
WARNING: Stack unwind information not available. Following frames may be
wrong.
0214f5ec 0041917e 02032798 02350bf4 00000400
vba32prx!DllGetClassObject+0x743c
0214f6dc 10008d8d 00f80eb0 02350bf4 00000400 fsftest+0x1917e
0214f7ec 77d4a846 02200fe4 01b30f10 02310f28
vbasrvps!DllUnregisterServer+0x7c6a
0214f850 77a4cfda 02200fe4 02310f28 01b30f10
RPCRT4!CStdStubBuffer_Invoke+0x6b
0214f894 77a4d384 02310f28 018b2cdc 01d50af0 ole32!SyncStubInvoke+0x4f
0214f8e0 779a92e2 02310f28 021e0f2c 02200fe4 ole32!StubInvoke+0x15b
0214fb44 77994b47 01b30f10 00000000 02200fe4
ole32!CCtxComChnl::ContextInvoke+0x163
0214fb7c 77a4cebd 02310f28 00000001 02200fe4 ole32!MTAInvoke+0x69
0214fbb0 77a4d842 00132bf8 01b30f10 02200fe4 ole32!AppInvoke+0xbf
0214fc70 77a4a4c2 00132bf8 00000000 018b2cc0
ole32!ComInvokeWithLockAndIPID+0x31e
0214fcf4 77d060d0 018b3180 018b2cc0 018b3180 ole32!ThreadInvoke+0x2fc
0214fd2c 77ceea14 77a4a1c6 018b3180 0214fe08 RPCRT4!DispatchToStubInC+0x32
0214fd80 77cee8ca 00000000 00000000 0214fe08
RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x11e
0214fda0 77ceec3c 018b3180 00000000 0214fe08
RPCRT4!RPC_INTERFACE::DispatchToStub+0x5e
0214fdd0 77d0f07e 018b3180 018b3144 00000000
RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0xd8
0214fe0c 77d0d1a4 018b0070 018b2f08 80030001
RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x1bf
0214fe28 77d0d7bb 018b3088 0214fe50 018b2f08
RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x140
0214ff74 77d0cd1a 0214ffa8 77cf068a 018b0070
RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x292
0214ff7c 77cf068a 018b0070 00000000 018b0000
RPCRT4!RecvLotsaCallsWrapper+0xb
0214ffa8 77cece68 017d2f80 0214ffec 77e5d4f9
RPCRT4!BaseCachedThreadRoutine+0x98
0214ffb4 77e5d4f9 018b1bb8 00000000 018b0000 RPCRT4!ThreadStartRoutine+0x18
0214ffec 00000000 77cece50 018b1bb8 00000000 KERNEL32!BaseThreadStart+0x52

FOLLOWUP_IP:
Vba32dNT!CRootDeviceExtension::OnRead+1b3
eb033a23 8b4d08 mov ecx,[ebp+0x8]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: Vba32dNT!CRootDeviceExtension::OnRead+1b3

MODULE_NAME: Vba32dNT

IMAGE_NAME: Vba32dNT.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3dcfc808

STACK_COMMAND: kb

BUCKET_ID: 0x4E_Vba32dNT!CRootDeviceExtension::OnRead+1b3

Followup: MachineOwner
---------

Why use undocumented APIs when documented ones are available? Try
ZwCreateSection/ZwMapViewOfSection.

Assuming the parameters are similar, your bug seems to be that you
aren’t initializing BaseAddress. To wit:

BaseAddress
Points to a variable that will receive the base address of the view. If
the initial value of this argument is nonNULL, the view is allocated
starting at the specified virtual address rounded down to the next
64-kilobyte address boundary.

- Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alexey Logachyov
Sent: Monday, November 11, 2002 12:11 PM
To: File Systems Developers
Subject: [ntfsd] Bugcheck in MmUnmapViewOfSection

I create section object like this:

PVOID SectionObjectPtr;
Status = MmCreateSection(
&SectionObjectPtr, SECTION_ALL_ACCESS, NULL,
&FileSize, PAGE_READWRITE, SEC_RESERVE, NULL, TargetFileObjectPtr);

After that I map view of section as follows:

PVOID BaseAddress;
ULONG ViewSize = 0x1000;
LARGE_INTEGER SectionOffset;
SectionOffset.QuadPart = 0;
Status = MmMapViewOfSection(
SectionObjectPtr, PsGetCurrentProcess(), &BaseAddress, 0,
Length, &SectionOffset, &ViewSize, ViewShare, 0, PAGE_READWRITE);

The problem is when I unmap view of section with
MmUnmapViewOfSection(PsGetCurrentProcess(), BaseAddress) I
get MEMORY_MANAGEMENT or PFN_LIST_CORRUPT bugcheck (it can
work for couple of times but it crashes anyway). What’s the problem?


I’m using Mm API because I hate working with handles.

That’s true, I’m not initializing BaseAddress. That could be a problem.

DDK says: “BaseAddress points to a variable that will receive the base
address of the view. If the initial value of this argument is nonNULL, the
view is allocated starting at the specified virtual address rounded down to
the next 64-kilobyte address boundary”. I think docs are not clear enough.
As far as I understand, BaseAddress argument cannot be NULL. Otherwise, I
don’t see how BaseAddress can be returned. But saying “if initial value of
this argument is nonNULL” supposes that it can be NULL. Maybe it would be
more clear if docs would say “if initial value of variable this argument
points to is nonNULL…” Am I wrong?

----- Original Message -----
From: “Nicholas Ryan”
To: “File Systems Developers”
Sent: Monday, November 11, 2002 11:44 PM
Subject: [ntfsd] RE: Bugcheck in MmUnmapViewOfSection

> Why use undocumented APIs when documented ones are available? Try
> ZwCreateSection/ZwMapViewOfSection.
>
> Assuming the parameters are similar, your bug seems to be that you
> aren’t initializing BaseAddress. To wit:
>
> BaseAddress
> Points to a variable that will receive the base address of the view. If
> the initial value of this argument is nonNULL, the view is allocated
> starting at the specified virtual address rounded down to the next
> 64-kilobyte address boundary.
>
> - Nicholas Ryan

You’re right, they mean that the argument should be a pointer to a
location that is NULL, not that the argument itself is NULL.

- Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alexey Logachyov
Sent: Monday, November 11, 2002 3:21 PM
To: File Systems Developers
Subject: [ntfsd] RE: Bugcheck in MmUnmapViewOfSection

I’m using Mm API because I hate working with handles.

That’s true, I’m not initializing BaseAddress. That could be
a problem.

DDK says: “BaseAddress points to a variable that will receive
the base address of the view. If the initial value of this
argument is nonNULL, the view is allocated starting at the
specified virtual address rounded down to the next
64-kilobyte address boundary”. I think docs are not clear
enough. As far as I understand, BaseAddress argument cannot
be NULL. Otherwise, I don’t see how BaseAddress can be
returned. But saying “if initial value of this argument is
nonNULL” supposes that it can be NULL. Maybe it would be
more clear if docs would say “if initial value of variable
this argument points to is nonNULL…” Am I wrong?

----- Original Message -----
From: “Nicholas Ryan”
To: “File Systems Developers”
Sent: Monday, November 11, 2002 11:44 PM
Subject: [ntfsd] RE: Bugcheck in MmUnmapViewOfSection

> > Why use undocumented APIs when documented ones are available? Try
> > ZwCreateSection/ZwMapViewOfSection.
> >
> > Assuming the parameters are similar, your bug seems to be that you
> > aren’t initializing BaseAddress. To wit:
> >
> > BaseAddress
> > Points to a variable that will receive the base address of the view.
> > If the initial value of this argument is nonNULL, the view is
> > allocated starting at the specified virtual address rounded down to
> > the next 64-kilobyte address boundary.
> >
> > - Nicholas Ryan

Thanks a lot, Nicholas. Properly initializing BaseAddress before calling
MmMapViewOfSection solved the problem.

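
The in/out contract this thread settles on, as an added user-mode model (not code from any post, and not the kernel's implementation). Only the NULL versus non-NULL rule and the 64 KB round-down come from the DDK text quoted above; `model_map_view`, `address_space`, the status names and all sample addresses are hypothetical, and `stale` stands in for whatever an uninitialized stack slot happened to hold.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VIEW_GRANULARITY ((uintptr_t)0x10000)   /* 64 KB, per the quoted DDK text */
#define MAX_VIEWS 8

enum map_status { MAP_OK = 0, MAP_INVALID_PARAMETER, MAP_CONFLICTING_ADDRESSES, MAP_NO_MEMORY };

struct view { uintptr_t start, end; };           /* half-open range [start, end) */

struct address_space {
    struct view views[MAX_VIEWS];
    size_t count;
    uintptr_t next_free;                         /* consulted only when the hint is NULL */
};

static int overlaps(const struct address_space *as, uintptr_t start, uintptr_t end)
{
    for (size_t i = 0; i < as->count; i++)
        if (start < as->views[i].end && as->views[i].start < end)
            return 1;
    return 0;
}

/* base_address is IN/OUT: *base_address is read as a placement request first,
 * then overwritten with the address actually chosen. */
enum map_status model_map_view(struct address_space *as, void **base_address, size_t view_size)
{
    uintptr_t start;

    if (base_address == NULL || view_size == 0)
        return MAP_INVALID_PARAMETER;            /* the pointer argument itself is never NULL */
    if (as->count == MAX_VIEWS)
        return MAP_NO_MEMORY;

    if (*base_address != NULL) {
        /* Non-NULL initial value: treated as a requested address, rounded down. */
        start = (uintptr_t)*base_address & ~(VIEW_GRANULARITY - 1);
        if (overlaps(as, start, start + view_size))
            return MAP_CONFLICTING_ADDRESSES;
    } else {
        /* NULL initial value: the model picks the first free slot itself. */
        for (start = as->next_free; overlaps(as, start, start + view_size); )
            start += VIEW_GRANULARITY;
        as->next_free = start + VIEW_GRANULARITY;
    }

    as->views[as->count].start = start;
    as->views[as->count].end = start + view_size;
    as->count++;
    *base_address = (void *)start;
    return MAP_OK;
}

/* Pattern from the original post: the local is never initialized, so the
 * request is whatever the stack slot last held (modelled by `stale`). */
enum map_status map_like_original_post(struct address_space *as, uintptr_t stale, uintptr_t *mapped_at)
{
    void *base_address = (void *)stale;
    enum map_status st = model_map_view(as, &base_address, 0x1000);
    *mapped_at = (st == MAP_OK) ? (uintptr_t)base_address : 0;
    return st;
}

/* Fix confirmed in the thread: set the variable to NULL before the call. */
enum map_status map_with_null_hint(struct address_space *as, uintptr_t *mapped_at)
{
    void *base_address = NULL;
    enum map_status st = model_map_view(as, &base_address, 0x1000);
    *mapped_at = (st == MAP_OK) ? (uintptr_t)base_address : 0;
    return st;
}

/* Constructed sample: one existing mapping at 0x00400000..0x0040FFFF. */
struct address_space sample_space(void)
{
    struct address_space as = { .count = 1, .next_free = 0x10000000 };
    as.views[0].start = 0x00400000;
    as.views[0].end = 0x00410000;
    return as;
}

int main(void)
{
    struct address_space as = sample_space();
    uintptr_t at;
    printf("stale 0x0040A123 -> status %d\n", map_like_original_post(&as, 0x0040A123, &at));
    printf("stale 0x7123ABCD -> status %d\n", map_like_original_post(&as, 0x7123ABCD, &at));
    printf("  mapped at 0x%lx\n", (unsigned long)at);
    printf("NULL hint        -> status %d\n", map_with_null_hint(&as, &at));
    printf("  mapped at 0x%lx\n", (unsigned long)at);
    return 0;
}
```

The same call succeeds, fails, or lands at an address nobody chose depending only on the leftover value, which matches a fault that shows up intermittently rather than on every run.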