PFN_LIST_CORRUPT Param 9a

Gentlefolk

Can anyone advise the meaning of Param1 value 0x9a in PFN_LIST_CORRUPT? This
value isn't mentioned in the windbg help page and isn't decoded by windbg
(6.5.0003.7). Here is the bugcheck code and parameters: "BugCheck 4E, {9a,
1b02, 6, 2}".

Thanks in advance
Lyndon

You have a bad reference count on a page that is being freed from a pool.
This is one of those nasty internal bugs that says you probably did
something bad to the memory manager's databases.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply


Lyndon,

I had a similar issue, which was due to allocating an MDL then
(stupidly) freeing it via ExFreePool() without unlocking and freeing the
MDL. This only showed up on Windows 2003 Server with SP1, but I did
check it against a checked build of XP and came up with this assert:

MM: MiFreePoolPages - deleting pool locked for I/O 8186C1F8

*** Assertion failed: Pfn1->u3.e2.ReferenceCount == 1
*** Source File: d:\xpsprtm\base\ntos\mm\allocpag.c, line 2340

Break repeatedly, break Once, Ignore, terminate Process, or terminate
Thread (boipt)? b
b

which pointed me straight away at the problem…

So I would run your driver against a checked build of XP or W2K3…

-- Ian


Probably a bad reference count on a page that was being freed from a pool.
In your code somewhere you are corrupting the memory manager's
databases. I had this problem at one time also, and if I remember
correctly, there was a thread on this where gurus helped me.


- Developer

Gentlefolk

Thanks for the responses, which seem to me to be more or less confirmed by this
part of the stack trace...

STACK_TEXT:
f61c4b4c 808821b9 0000004e 0000009a 00001b02 nt!KeBugCheckEx+0x1b
f61c4b68 80894a33 81428830 808b0a60 00c8f600 nt!MiBadRefCount+0x33
f61c4b9c 80896091 81b02000 8083ed57 82e46660 nt!MiFreePoolPages+0x5a8
f61c4bf0 808960b3 7264664e 00000000 f61c4c28 nt!ExFreePoolWithTag+0x277
f61c4c00 f6222937 81b02000 f6229ba8 f61c4c98 nt!ExFreePool+0xf

… and …

kd> !pte 81b02000
VA 81b02000
PDE at C0300818 PTE at C0206C08
contains 018001E3 contains 00000000
pfn 1800 -GLDA--KWEV LARGE PAGE 1b02

… and …

kd> !pfn 1800
PFN 00001800 at address 81424000
flink 00000000 blink / share count 00000000 pteaddress 00000000
reference count 0001 Cached color 0
restore pte 00000000 containing page 000000 Zeroed

… with reference count 0001 (?).

Cheers
Lyndon
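Added example, not code from the thread: the `!pte` output above shows the freed pool address 81b02000 mapped by a large-page PDE whose base frame is 1800, while the bugcheck's second parameter (and the argument passed down to nt!MiBadRefCount) is 1b02. The small C program below reproduces the x86 non-PAE page-table arithmetic behind that output, assuming the classic 32-bit layout implied by the pasted addresses (page directory self-mapped at C0300000, PTEs at C0000000, 4 MB large pages): it computes the PDE and PTE addresses windbg printed for the VA and derives the PFN that actually backs the VA inside the large page. The result is 0x1b02, so the frame whose reference count the bugcheck complains about is `!pfn 1b02`, not `!pfn 1800` (the PDE's base frame, which is what the last `!pfn` above inspected). Constants and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* x86, non-PAE: 32-bit PDE/PTE, 1024 entries per table, 4 KB pages,
 * 4 MB large pages. The self-map addresses match the !pte output in the thread.
 */
#define PAGE_SHIFT   12u
#define PDE_SHIFT    22u
#define PTE_BASE     0xC0000000u   /* virtual base of the PTE self-map   */
#define PDE_BASE     0xC0300000u   /* virtual base of the page directory */
#define LARGE_MASK   0x3FFu        /* low 10 PFN bits inside a 4 MB page */

/* Bits common to PDE and PTE (Intel SDM, 32-bit paging). */
#define PG_VALID     (1u << 0)
#define PG_WRITE     (1u << 1)
#define PG_USER      (1u << 2)
#define PG_ACCESSED  (1u << 5)
#define PG_DIRTY     (1u << 6)
#define PG_LARGE     (1u << 7)     /* PS bit: meaningful in a PDE only     */
#define PG_GLOBAL    (1u << 8)

#define PFN_INVALID  UINT32_MAX

/* Virtual address of the PDE that maps va (what "!pte va" prints as "PDE at"). */
uint32_t pde_address(uint32_t va)
{
    return PDE_BASE + (va >> PDE_SHIFT) * 4u;
}

/* Virtual address of the PTE slot for va (what "!pte va" prints as "PTE at").
 * For a large page this slot exists in the self-map but is unused (windbg
 * shows "contains 00000000"). */
uint32_t pte_address(uint32_t va)
{
    return PTE_BASE + (va >> PAGE_SHIFT) * 4u;
}

/* Physical frame backing va given the raw PDE and, for 4 KB mappings, the PTE.
 * Returns PFN_INVALID when the translation is not valid. */
uint32_t pfn_for_va(uint32_t va, uint32_t pde, uint32_t pte)
{
    if (!(pde & PG_VALID))
        return PFN_INVALID;

    if (pde & PG_LARGE) {
        /* 4 MB page: PDE bits 31:22 hold the base frame; the 10 page-offset
         * bits of the VA (bits 21:12) select the 4 KB frame within it. */
        uint32_t base_pfn = pde >> PAGE_SHIFT;       /* 0x1800 for 018001E3 */
        return base_pfn + ((va >> PAGE_SHIFT) & LARGE_MASK);
    }

    if (!(pte & PG_VALID))
        return PFN_INVALID;
    return pte >> PAGE_SHIFT;                        /* ordinary 4 KB page */
}

/* True when the mapping is a kernel-only, writable, valid large page:
 * the "-GLDA--KWEV LARGE PAGE" case from the thread. */
int is_kernel_rw_large_page(uint32_t pde)
{
    uint32_t want = PG_VALID | PG_WRITE | PG_LARGE;
    return (pde & (want | PG_USER)) == want;
}

int main(void)
{
    /* Values copied from the thread's !pte output (constructed test input). */
    uint32_t va  = 0x81B02000u;
    uint32_t pde = 0x018001E3u;
    uint32_t pte = 0x00000000u;

    printf("PDE at %08X  PTE at %08X\n", pde_address(va), pte_address(va));
    printf("PDE base frame %05X, frame backing VA %05X\n",
           pde >> PAGE_SHIFT, pfn_for_va(va, pde, pte));
    return 0;
}
```

The interesting line is the large-page branch: the PDE gives only the 4 MB-aligned base frame, and the VA's bits 21:12 pick the 4 KB frame within it, which is why bugcheck parameter 2 and the `!pte` "LARGE PAGE 1b02" column agree with each other but not with `!pfn 1800`.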