Hello all -
I am having a problem that I was hoping someone on this list may be able to
point me in the right direction of solving. I have an NDIS v4.0 deserialized
driver that has been in use on many servers for many years, running mostly
Win 2000 Advanced Server. The driver also appears to run correctly on Win XP
(although the Win 2000 servers are heavily loaded - running on XP has been
done only on client PCs, not server-class PCs). I have been running it on a
quad-processor Windows 2003 server (enterprise edition) and it has been
bug-checking. The driver is a heavily modified version of the ImSamp sample.
What seems to be happening is that when my SendPacketsHandler is called, and
I internally queue the supplied packet for later processing (the driver
performs NAT, firewall, compression, and encryption functions), I call
NdisMSendComplete() on the original packet after setting the packet status
(via NDIS_SET_PACKET_STATUS()) to NDIS_STATUS_PENDING. This winds up
bug-checking in ExFreePoolWithTag().
I have copied a stack trace from the system that exhibits this behavior. I
cannot use a live debugger on this system, as it is several states away from
me, so I only have crash dumps to work with. I am assuming that I am missing
a subtle difference in the way NDIS operates on Win 2003, as this does not
seem to expose itself on any other systems. I realize that updating the
driver to an NDIS 5.x driver would be a good idea, but time constraints
don’t allow me to do that at this point in time.
Any hints on what direction to take in debugging this would be appreciated.
The stack trace follows. The name of the driver that is causing problems is
MPNAT2K.SYS (which is in the stack trace).
Thanks for any tips in advance,
Ed Lau
MidCore Software, Inc.
900 Straits Tpke.
Middlebury, CT 06762
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck C5, {10fe, 2, 0, 8056726b}
*** ERROR: Module load completed but symbols could not be loaded for e1000325.sys
Probably caused by : mpnat2k.sys ( mpnat2k!MPSendPackets+6d6 )
Followup: MachineOwner
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 000010fe, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8056726b, address which referenced memory
Debugging Details:
BUGCHECK_STR: 0xC5_2
CURRENT_IRQL: 2
FAULTING_IP:
nt!ExFreePoolWithTag+27b
8056726b 668b4602 mov ax,[esi+0x2]
DEFAULT_BUCKET_ID: DRIVER_FAULT
LAST_CONTROL_TRANSFER: from f6db52e0 to 8056726b
TRAP_FRAME: f78a2330 -- (.trap fffffffff78a2330)
ErrCode = 00000000
eax=00000000 ebx=00001104 ecx=00320001 edx=00310000 esi=000010fc edi=85231038
eip=8056726b esp=f78a23a4 ebp=f78a23e8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!ExFreePoolWithTag+0x27b:
8056726b 668b4602 mov ax,[esi+0x2] ds:0023:000010fe=???
Resetting default scope
STACK_TEXT:
f78a23e8 f6db52e0 00001104 00000000 00000000 nt!ExFreePoolWithTag+0x27b
f78a2404 f6d9f8b9 85d52128 00001104 00000000 tcpip!ICMPSendComplete+0x30
f78a243c f6d9fa83 859b5460 006b9da8 00000000 tcpip!IPSendComplete+0x124
f78a2460 f724f06e 85a79008 856b9da8 00000000 tcpip!ARPSendComplete+0xf4
f78a2484 f7044abb 859d6940 856b9da8 00000000 NDIS!ndisMSendCompleteX+0x6e
f78a25b8 f723604c 851d5008 f78a25e4 00000001 mpnat2k!MPSendPackets+0x6d6 [send_NT.c @ 665]
f78a25d8 f6d9fb9c 85b62f40 856b9da8 85a79008 NDIS!ndisMSendX+0x115
f78a2600 f6da3485 85a79008 856b9da8 855beb98 tcpip!ARPSendData+0x196
f78a262c f6da35de 855beb02 f78a2602 00000001 tcpip!ARPTransmit+0x7a
f78a2748 f6db56e3 f6de1140 02d52128 85295020 tcpip!IPTransmit+0x71f
f78a27cc f6db0228 8168923f 9b68923f 00000000 tcpip!SendEcho+0x325
f78a2828 f6da063f 859b5460 9b68923f 8168923f tcpip!ICMPRcv+0x173
f78a2888 f6da08dd 00000020 859b5460 00000000 tcpip!DeliverToUser+0x17b
f78a293c f6d9ef0f 859b5460 855ca99a 0000001a tcpip!IPRcvPacket+0x66c
f78a297c f6dac81c 00000000 851bf688 855ca978 tcpip!ARPRcvIndicationNew+0x147
f78a29ac f726381f 85a79008 851bf688 855ca978 tcpip!ARPRcv+0x40
f78a2a14 f7041c45 859d6940 f78a2d4c 00000001 NDIS!ethFilterDprIndicateReceivePacket+0x352
f78a2d6c f72636bf 851d5008 8570bf10 8591910a mpnat2k!CLReceiveIndication+0x1cc4 [recv_NT.c @ 880]
f78a2dd4 f7051a09 85ab6ad0 f78a2e4c 00000002 NDIS!ethFilterDprIndicateReceivePacket+0x209
WARNING: Stack unwind information not available. Following frames may be wrong.
f78a2df4 f7051f3e f78a2e14 f78a2e4c 00000002 e1000325+0xa09
f78a2e0c f705881a 85b08348 f78a2e4c 00000002 e1000325+0xf3e
f78a2f58 f70562f2 85ac4160 f78a2f8b 85ab6ad0 e1000325+0x781a
f78a2f80 f70514f4 00ac4160 f7254025 85b08348 e1000325+0x52f2
f78a2ff4 804e5ea6 f694b674 00000000 00000000 e1000325+0x4f4
FOLLOWUP_IP:
mpnat2k!MPSendPackets+6d6 [send_NT.c @ 665]
f7044abb e96f060000 jmp mpnat2k!MPSendPackets+0xd4a (f704512f)
SYMBOL_STACK_INDEX: 5
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: mpnat2k!MPSendPackets+6d6
MODULE_NAME: mpnat2k
IMAGE_NAME: mpnat2k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 41f15553
STACK_COMMAND: .trap fffffffff78a2330 ; kb
FAILURE_BUCKET_ID: 0xC5_2_mpnat2k!MPSendPackets+6d6
BUCKET_ID: 0xC5_2_mpnat2k!MPSendPackets+6d6
Followup: MachineOwner
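The send path described in the post, as an added model written for this page (not the poster's driver code and not NDIS itself): a user-mode C check of who owns a packet between NDIS_SET_PACKET_STATUS(..., NDIS_STATUS_PENDING) and NdisMSendComplete. Because the dump shows the protocol freeing pool inside its own send-complete routine, a stamp of this kind in a debug build would confirm whether each packet is completed exactly once and never touched by the miniport afterwards. The owner field, the MiniportReserved placement and the 'P'/'C' step letters are the example's own assumptions.

```c
/* Added example, not code from the post or the MPNAT2K driver. Models the NDIS
 * send-path ownership rule: a packet set to NDIS_STATUS_PENDING is the miniport's
 * until NdisMSendComplete hands it back, after which the protocol owns and frees it. */
#define NDIS_STATUS_SUCCESS 0x00000000u
#define NDIS_STATUS_PENDING 0x00000103u   /* NDIS_STATUS_PENDING == STATUS_PENDING */
enum owner { OWNED_BY_PROTOCOL, OWNED_BY_MINIPORT };

typedef struct {
    unsigned status;             /* what NDIS_SET_PACKET_STATUS would record */
    enum owner owner;            /* assumed debug stamp, e.g. kept in MiniportReserved */
    unsigned char payload[64];   /* constructed stand-in for the packet's buffers */
} packet_t;

/* ProtocolSendComplete stand-in: the protocol reclaims the packet and frees its
 * buffers; a second call for the same packet means freeing already-freed pool. */
static int protocol_send_complete(packet_t *p) {
    if (p->owner != OWNED_BY_MINIPORT) return -1;
    p->owner = OWNED_BY_PROTOCOL;
    return 0;
}

/* NdisMSendComplete stand-in: legal only while the miniport still owns the packet. */
static int miniport_send_complete(packet_t *p, unsigned status) {
    if (p->owner != OWNED_BY_MINIPORT) return -1;
    p->status = status;
    return protocol_send_complete(p);
}

/* Deferred NAT/compression/encryption work on a queued packet: legal only while owned. */
static int miniport_process(packet_t *p) {
    if (p->owner != OWNED_BY_MINIPORT) return -1;   /* packet already handed back */
    p->payload[0] ^= 0x5a;                          /* stand-in for the real transform */
    return 0;
}

/* Runs one packet through the steps 'P' (process) and 'C' (complete) in the given
 * order; returns 0 if every step was legal, else the 1-based index of the first bad one. */
int run_scenario(const char *steps) {
    packet_t p = {0};
    p.owner = OWNED_BY_MINIPORT;        /* MiniportSendPackets: NDIS hands us the packet */
    p.status = NDIS_STATUS_PENDING;     /* NDIS_SET_PACKET_STATUS(p, NDIS_STATUS_PENDING) */
    for (int i = 0; steps[i]; i++) {
        int rc = steps[i] == 'P' ? miniport_process(&p)
                                 : miniport_send_complete(&p, NDIS_STATUS_SUCCESS);
        if (rc) return i + 1;
    }
    return 0;
}
```

"PC" (work on the packet, then complete it once) is the only legal ordering; completing first and then working on the queued original, or completing twice, is flagged at the offending step.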