Hi All,
I am currently facing a problem in my volume filter driver. I get the SPECIAL
POOL CORRUPTION BSOD on one of my test machines. The problem is that the same
machine is giving me the BSOD after every two or three days. The machine
works fine meanwhile with no BSODs even after several reboots. The machine
is an AMD 64 machine and has WinXP 32-bit installed on it. I have set the
verifier settings for the Special pool tracking. The problem is that the
BSOD is not appearing on any other machine and not even randomly.
Looks like my driver is corrupting the memory by accessing memory
within the special pool page which is not within the allocated range. While
freeing this memory the machine is giving me the BSOD. So I set the
verify_start flag using gflags.exe so that I get the BSOD at the time this
invalid access is done. Even this is not helping. I don’t get any BSOD after
that.
Is there any way I can track down the code where this type of invalid
access is going on? I used verify start but no luck. The !poolval is giving
me the following output
Thanks,
Giri.
!poolval 868e6f68
Pool page 868e6f68 region is Unknown
Validating Pool headers for pool page: 868e6f68
Pool page [868e6000] is __inVALID.
Analyzing linked list…
[868e6000]: invalid previous size [0x94] should be [0x0]
[868e6000 –> 868e6008 (size = 0x8 bytes)]: Corrupt region
Scanning for single bit errors…
None found
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)
Special pool has detected memory corruption. Typically the current thread’s
stack backtrace will reveal the guilty party.
Arguments:
Arg1: 868e6f68, address trying to free
Arg2: 868e6131, address where bits are corrupted
Arg3: 00e10094, (reserved)
Arg4: 00000023, caller is freeing an address where nearby bytes within the
same page have been corrupted
Debugging Details:
The call to LoadLibrary(kext) failed, Win32 error 193
“%1 is not a valid Win32 application.”
Please check your debugger configuration and/or network access.
The call to LoadLibrary(kext) failed, Win32 error 193
“%1 is not a valid Win32 application.”
Please check your debugger configuration and/or network access.
BUGCHECK_STR: 0xC1_23
SPECIAL_POOL_CORRUPTION_TYPE: 23
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: DRIVER_FAULT
LAST_CONTROL_TRANSFER: from 80660325 to 804f8925
STACK_TEXT:
ba745c04 80660325 000000c1 868e6f68 868e6131 nt!KeBugCheckEx+0x1b
ba745c50 80543a30 868e6f68 ba745cd3 85ce78e0 nt!MmFreeSpecialPool+0x2e3
ba745c90 80652690 868e6f68 00000000 8065282b nt!ExFreePoolWithTag+0x4a
ba745c9c 8065282b ffff0000 868e6f68 00000000 nt!VfIrpFree+0xc
ba745cb8 8064b4f1 00e49984 00000000 ba745d48 nt!VerifierIoFreeIrp+0x129
ba745cc8 8056bf6a 868e6f68 ba745d64 0110fec8 nt!IovFreeIrpPrivate+0x41
ba745d48 8053c808 00000190 0110ff00 0110fef0 nt!NtRemoveIoCompletion+0x12a
ba745d48 7c90eb94 00000190 0110ff00 0110fef0 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0110fed8 00000000 00000000 00000000 00000000 0x7c90eb94
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MmFreeSpecialPool+2e3
80660325 8b4708 mov eax,[edi+0x8]
FAULTING_SOURCE_CODE:
SYMBOL_STACK_INDEX: 1
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!MmFreeSpecialPool+2e3
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 42250a1d
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0xC1_23_nt!MmFreeSpecialPool+2e3
BUCKET_ID: 0xC1_23_nt!MmFreeSpecialPool+2e3
Followup: MachineOwner
kd> kb
ChildEBP RetAddr Args to Child
ba745c04 80660325 000000c1 868e6f68 868e6131 nt!KeBugCheckEx+0x1b
ba745c50 80543a30 868e6f68 ba745cd3 85ce78e0 nt!MmFreeSpecialPool+0x2e3
ba745c90 80652690 868e6f68 00000000 8065282b nt!ExFreePoolWithTag+0x4a
ba745c9c 8065282b ffff0000 868e6f68 00000000 nt!VfIrpFree+0xc
ba745cb8 8064b4f1 00e49984 00000000 ba745d48 nt!VerifierIoFreeIrp+0x129
ba745cc8 8056bf6a 868e6f68 ba745d64 0110fec8 nt!IovFreeIrpPrivate+0x41
ba745d48 8053c808 00000190 0110ff00 0110fef0 nt!NtRemoveIoCompletion+0x12a
ba745d48 7c90eb94 00000190 0110ff00 0110fef0 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0110fed8 00000000 00000000 00000000 00000000 0x7c90eb94
kd> !process
The call to LoadLibrary(kext) failed, Win32 error 193
“%1 is not a valid Win32 application.”
Please check your debugger configuration and/or network access.
GetPointerFromAddress: unable to read from 80557bb4
PROCESS 855976e8 SessionId: none Cid: 0398 Peb: 7ffde000 ParentCid: 02e4
DirBase: 17720060 ObjectTable: e1743710 HandleCount: <Data Not Accessible>
Image: winlogon.exe
VadRoot 85e9d328 Vads 200 Clone 0 Private 1320. Modified 1860. Locked 0.
DeviceMap e1005440
Token e1968030
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
ffdf0000: Unable to get shared data
ElapsedTime 00:00:00.000
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 107108
QuotaPoolUsage[NonPagedPool] 518168
Working Set Sizes (now,min,max) (2067, 50, 345) (8268KB, 200KB, 1380KB)
PeakWorkingSetSize 3541
VirtualSize 61 Mb
PeakVirtualSize 66 Mb
PageFaultCount 8523
MemoryPriority BACKGROUND
BasePriority 13
CommitCharge 2039
Error in in reading nt!_ETHREAD @ 855836f0
kd> !process 0 0
The call to LoadLibrary(kext) failed, Win32 error 193
“%1 is not a valid Win32 application.”
Please check your debugger configuration and/or network access.
* NT ACTIVE PROCESS DUMP *
GetPointerFromAddress: unable to read from 80557bb4
Error in reading nt!_EPROCESS at 00000000
kd> !process
The call to LoadLibrary(kext) failed, Win32 error 193
“%1 is not a valid Win32 application.”
Please check your debugger configuration and/or network access.
GetPointerFromAddress: unable to read from 80557bb4
PROCESS 855976e8 SessionId: none Cid: 0398 Peb: 7ffde000 ParentCid: 02e4
DirBase: 17720060 ObjectTable: e1743710 HandleCount: <Data Not Accessible>
Image: winlogon.exe
VadRoot 85e9d328 Vads 200 Clone 0 Private 1320. Modified 1860. Locked 0.
DeviceMap e1005440
Token e1968030
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
ffdf0000: Unable to get shared data
ElapsedTime 00:00:00.000
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 107108
QuotaPoolUsage[NonPagedPool] 518168
Working Set Sizes (now,min,max) (2067, 50, 345) (8268KB, 200KB, 1380KB)
PeakWorkingSetSize 3541
VirtualSize 61 Mb
PeakVirtualSize 66 Mb
PageFaultCount 8523
MemoryPriority BACKGROUND
BasePriority 13
CommitCharge 2039
Error in in reading nt!_ETHREAD @ 855836f0
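
Added example, not part of the original post and not NT's implementation: a simplified user-mode model of a special-pool page, showing why a stray write inside the same page (Arg4 0x23 in the dump above) is reported only when the block is freed and not at the time of the write. The names `sp_page`, `sp_alloc`, `sp_free_check` and `demo`, the fill byte and the 8-byte alignment are assumptions; 0xf68 and 0x131 are the page offsets of Arg1 and Arg2.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SP_PAGE_SIZE 4096u
#define SP_FILL      0xA5u   /* assumed pattern byte, not the value NT uses */

/* One modelled special-pool page: the allocation sits flush against the end of
 * the page (a no-access guard page would follow), the slop before it is patterned. */
typedef struct { uint8_t page[SP_PAGE_SIZE]; size_t off; } sp_page;

/* Place `size` bytes at the end of the page, start rounded down to 8 bytes. */
static uint8_t *sp_alloc(sp_page *p, size_t size)
{
    if (size == 0 || size > SP_PAGE_SIZE) return NULL;
    p->off = (SP_PAGE_SIZE - size) & ~(size_t)7;
    memset(p->page, SP_FILL, p->off);
    return p->page + p->off;
}

/* Free-time check: scan the slop, return offset of first damaged byte or -1.
 * Nothing faults at write time; the damage is only seen here. */
static long sp_free_check(const sp_page *p)
{
    for (size_t i = 0; i < p->off; i++)
        if (p->page[i] != SP_FILL) return (long)i;
    return -1;
}

/* Constructed scenario using the dump's offsets: block at 0xf68, write at 0x131. */
static long demo(int stray_write)
{
    sp_page *p = malloc(sizeof *p);
    if (!p) return -2;
    uint8_t *buf = sp_alloc(p, SP_PAGE_SIZE - 0xf68);  /* lands at offset 0xf68 */
    if (!buf) { free(p); return -2; }
    memset(buf, 0, SP_PAGE_SIZE - 0xf68);              /* in-bounds use: harmless */
    if (stray_write) *(buf - (0xf68 - 0x131)) = 0x00;  /* same page, no guard hit */
    long bad = sp_free_check(p);                       /* detected only at "free" */
    free(p);
    return bad;
}

int main(void)
{
    printf("clean: %ld, stray write: 0x%lx\n", demo(0), (unsigned long)demo(1));
    return 0;
}
```

In this model the guard page only traps accesses past the end of the block, so a write that lands earlier in the same page goes unnoticed until the pattern scan at free time.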