Memory leak of VfUs

Hello!

When I unload my driver with verifier enabled, I got a memory leak BSOD.
Windbg indicates 10 bytes of memory with pool tag VfUs has not been properly
freed during the unload.

PoolAddress  SizeInBytes  Tag   CallersAddress
b2710ff0     0x00000010   VfUs  ac1abfce

The address “ac1abfce” points to this part of my source code:

    // Register the completion routine; Event is passed through as Context.
    // IoSetCompletionRoutineEx can fail (for example with
    // STATUS_INSUFFICIENT_RESOURCES), so its return status should be checked
    // before the IRP is sent down.
    IoSetCompletionRoutineEx(DeviceObject,
                             Irp,
                             (PIO_COMPLETION_ROUTINE)CompletionRoutines,
                             Event,
                             TRUE, TRUE, TRUE);   // invoke on success, error and cancel

    KeClearEvent(Event);
    ntStatus = IoCallDriver(NextStackDevice, Irp);

    // If the lower driver returned STATUS_PENDING, wait for the completion
    // routine to signal Event.
    if (STATUS_PENDING == ntStatus)
    {
        ntStatus = KeWaitForSingleObject(Event, Executive, KernelMode,
                                         FALSE, NULL);
    }

Does this mean that the driver is unloaded before CompletionRoutines has
been executed?

How can I fix this? Thanks.


Danny

Hard to say what it means exactly without more information. How about
posting the results of ‘!analyze -v.’

Also:

  1. Is ‘VfUs’ one of your tags?

  2. What exactly does ‘ac1abfce’ point to in your code?

mm

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dang XiaoHui
Sent: Saturday, January 08, 2011 12:38 AM
To: Kernel Debugging Interest List
Subject: [windbg] Memory leak of VfUs

—
WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

> 1. Is ‘VfUs’ one of your tags?

VfUs is the tag used by the verifier hook for IoSetCompletionRoutineEx
to allocate the structure mentioned in MSDN docs for this API:

If the IoCompletion routine is successfully registered,
IoSetCompletionRoutineEx allocates memory that remains allocated until
the IoCompletion routine executes. Drivers must ensure that their
IoCompletion routine executes by calling IoCallDriver; otherwise,
the kernel will leak memory.

Verifier charges this memory to the calling driver to make sure such
leaks get exposed when the driver unloads.
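A WinDbg sequence for confirming where a verifier-charged allocation like the one above comes from, added here as an illustration and not part of the thread; `mydriver.sys` stands in for the real image name, and the addresses are the ones Danny posted:

```windbg
* Bugcheck details; verifier's unload-leak report lists the blocks still charged to the driver
!analyze -v

* Pool allocations verifier is still tracking for this image: address, size, tag and caller
!verifier 3 mydriver.sys

* The leaked block itself: confirms the 0x10-byte size and the VfUs tag
!pool b2710ff0

* Map CallersAddress to the nearest symbol in the driver (expected: the IoSetCompletionRoutineEx call site)
ln ac1abfce

* IRPs still in flight; an IRP that never completed means its completion routine never ran
!irpfind

* Detailed stack locations of one IRP; check whether CompletionRoutines is still set on a location
!irp <irp address> 1
```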

To Martin:

> 1. Is ‘VfUs’ one of your tags?

No, it’s a tag used by IoSetCompletionRoutineEx.

> 2. What exactly does ‘ac1abfce’ point to in your code?

The address points to:

    IoSetCompletionRoutineEx(DeviceObject, Irp,
                             (PIO_COMPLETION_ROUTINE)CompletionRoutines,
                             Event, TRUE, TRUE, TRUE);

To Pavel:

I used KdPrint to print a message, and it seems the IoCompletion routine
had been executed before verifier BSODed my system.

IoSetCompletionRoutineEx adds a reference to DeviceObject to ensure that
the device cannot be removed before IoCompletion has executed. If I can
ensure that myself, can I use IoSetCompletionRoutine instead of
IoSetCompletionRoutineEx to prevent this memory leak?

Thanks~

2011/1/8 Martin O’Brien



Danny