I have the following code snippet inside my driver, and when I run Driver Verifier with the special pool flag, the code where I call RtlFreeAnsiString bugchecks the system; when I move RtlFreeAnsiString outside of the spin lock it works, i.e. no bugchecks.
I am trying to understand why Verifier would trigger bugcheck 0xC1 with parameter 4 0x31 when I call memory deallocation routines while I have spin locks acquired. MSDN says that “A driver attempted to free pool at an incorrect IRQL”. Does this mean that one cannot call ExFreePoolWithTag at IRQL always set at PASSIVE_LEVEL?
ANSI_STRING somestr = {0};
KIRQL oldIrql; // saved IRQL; SpinLock below is the driver's KSPIN_LOCK (name assumed)
RtlUnicodeStringToAnsiString(&somestr, &UnicodeStr, TRUE); // AllocateDestinationString = TRUE: buffer comes from paged pool
KeAcquireSpinLock(&SpinLock, &oldIrql); // This is always at IRQL 0; PASSIVE_LEVEL (raised to DISPATCH_LEVEL on return)
RtlFreeAnsiString(&somestr); // the call that bugchecks under Verifier (0xC1, parameter 4 0x31)
KeReleaseSpinLock(&SpinLock, oldIrql);
You are trying to free paged pool at DISPATCH_LEVEL. RtlUnicodeStringToAnsiString gives you a paged pool allocation, and KeAcquireSpinLock raises IRQL to DISPATCH_LEVEL; you cannot free paged pool at DISPATCH_LEVEL.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Wednesday, January 07, 2015 12:23 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Verifier bugcheck 0xC1 Parameter 4 0x31
You have the nugget of the problem here, but your last statement is backwards. The documentation for ExFreePoolWithTag says that it can be called at DISPATCH_LEVEL, but only if the memory was from non-paged pool. Otherwise, it must be called at PASSIVE_LEVEL or APC_LEVEL. Grabbing the spinlock raises you to DISPATCH_LEVEL.

Philosophically, there’s no reason why you SHOULD want the code in your original order. If the memory was acquired outside of a spinlock, then it should be freed outside of a spinlock.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
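Both replies above come down to one rule: a spin lock acquire raises the caller to DISPATCH_LEVEL, and pool that came from paged pool (which is what RtlUnicodeStringToAnsiString hands back) may only be freed below DISPATCH_LEVEL, while non-paged pool may be freed at or below it. The following is an added illustration of that rule, not code from the original post or from the WDK: it is a user-mode model in which KeAcquireSpinLock/KeReleaseSpinLock only track a simulated IRQL, ExAllocatePoolWithTag/ExFreePoolWithTag only record the pool type, and the return codes POOL_OK and POOL_FREE_AT_WRONG_IRQL are assumed stand-ins for "no problem" versus the 0xC1/0x31 bugcheck a real driver would take. The three functions at the end are the original ordering from the question, the fix Tim Roberts describes (free after the release), and the only other legal shape (free under the lock, but then the buffer has to be non-paged).

```c
/* User-mode model of the "free paged pool at DISPATCH_LEVEL" rule.
 * Added example, not WDK code: every kernel-looking name below is a
 * stand-in that only tracks IRQL and pool type so the check can run here. */
#include <stdlib.h>

typedef unsigned char KIRQL;
#define PASSIVE_LEVEL  0
#define APC_LEVEL      1
#define DISPATCH_LEVEL 2

typedef enum { NonPagedPool = 0, PagedPool = 1 } POOL_TYPE;

/* Assumed result codes for the model; a real driver bugchecks instead. */
typedef enum { POOL_OK = 0, POOL_FREE_AT_WRONG_IRQL = 1 } POOL_RESULT;

static KIRQL current_irql = PASSIVE_LEVEL;   /* the simulated processor IRQL */

static KIRQL KeGetCurrentIrql(void) { return current_irql; }

/* Acquire raises the caller to DISPATCH_LEVEL and hands back the old IRQL;
 * release restores it.  That raise is the whole point of the thread. */
static void KeAcquireSpinLock(int *lock, KIRQL *oldIrql) {
    *oldIrql = current_irql;
    current_irql = DISPATCH_LEVEL;
    *lock = 1;
}
static void KeReleaseSpinLock(int *lock, KIRQL oldIrql) {
    *lock = 0;
    current_irql = oldIrql;
}

/* Each allocation remembers its pool type so the free can be checked. */
typedef struct { POOL_TYPE type; char *data; } POOL_BLOCK;

static POOL_BLOCK *ExAllocatePoolWithTag(POOL_TYPE type, size_t n) {
    POOL_BLOCK *b = malloc(sizeof *b);
    b->type = type;
    b->data = malloc(n);
    return b;
}

/* The rule Verifier enforces: paged pool only below DISPATCH_LEVEL,
 * non-paged pool at or below DISPATCH_LEVEL. */
static int CanFreePoolAtIrql(POOL_TYPE type, KIRQL irql) {
    if (type == PagedPool)
        return irql < DISPATCH_LEVEL;
    return irql <= DISPATCH_LEVEL;
}

static POOL_RESULT ExFreePoolWithTag(POOL_BLOCK *b) {
    if (!CanFreePoolAtIrql(b->type, KeGetCurrentIrql()))
        return POOL_FREE_AT_WRONG_IRQL;   /* real driver: bugcheck 0xC1, parameter 4 = 0x31 */
    free(b->data);
    free(b);
    return POOL_OK;
}

/* 1. The ordering from the question: paged string freed while the lock is held. */
POOL_RESULT free_paged_under_lock(void) {
    int lock = 0; KIRQL old;
    POOL_BLOCK *s = ExAllocatePoolWithTag(PagedPool, 16);   /* what RtlUnicodeStringToAnsiString does */
    KeAcquireSpinLock(&lock, &old);
    POOL_RESULT r = ExFreePoolWithTag(s);                   /* IRQL is DISPATCH_LEVEL here */
    KeReleaseSpinLock(&lock, old);
    if (r != POOL_OK) { free(s->data); free(s); }           /* model cleanup only; a bugcheck never returns */
    return r;
}

/* 2. The fix: release first, then free back at the caller's IRQL. */
POOL_RESULT free_paged_after_release(void) {
    int lock = 0; KIRQL old;
    POOL_BLOCK *s = ExAllocatePoolWithTag(PagedPool, 16);
    KeAcquireSpinLock(&lock, &old);
    /* ... work that actually needs the lock ... */
    KeReleaseSpinLock(&lock, old);
    return ExFreePoolWithTag(s);                            /* PASSIVE_LEVEL again */
}

/* 3. If a free truly must happen under the lock, the buffer has to be non-paged. */
POOL_RESULT free_nonpaged_under_lock(void) {
    int lock = 0; KIRQL old;
    POOL_BLOCK *s = ExAllocatePoolWithTag(NonPagedPool, 16);
    KeAcquireSpinLock(&lock, &old);
    POOL_RESULT r = ExFreePoolWithTag(s);
    KeReleaseSpinLock(&lock, old);
    return r;
}
```

For the RtlFreeAnsiString case in the question only shape 2 applies: RtlUnicodeStringToAnsiString does not let you pick the pool type, so the string is paged and must be freed after KeReleaseSpinLock. In a real driver the CanFreePoolAtIrql check is what Driver Verifier performs for you; on a checked build an explicit NT_ASSERT(KeGetCurrentIrql() < DISPATCH_LEVEL) in front of a paged-pool free catches the same mistake without Verifier attached.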