Who freed the memory

Hi All,

I have a SCSI driver which enumerates and creates virtual library devices. There is a bugcheck that is occurring whenever I try to configure the virtual library.

: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc). If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 00000007, A driver has unlocked a page more times than it locked it
Arg2: 0010e0c5, page frame number
Arg3: 00000001, current share count
Arg4: 00000000, 0

Debugging Details:

Page 129359 not present in the dump file. Type ".hh dbgerr004" for details
Page c9737 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd800c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd800c). Type ".hh dbgerr001" for details

BUGCHECK_STR: 0x4E_7

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: tapeeng.exe

CURRENT_IRQL: 2

IRP_ADDRESS: 88c27d58

DEVICE_OBJECT: 88cd6810

DRIVER_OBJECT: 8b2a7860

IMAGE_NAME: mydriver.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 49c8f54c

MODULE_NAME: mydriver

FAULTING_MODULE: b9c72000 mydriver

LAST_CONTROL_TRANSFER: from 808659d4 to 80827c83

STACK_TEXT:
b8dec7e8 808659d4 0000004e 00000007 0010e0c5 nt!KeBugCheckEx+0x1b
b8dec814 8083e852 00000000 814f05f4 8895b000 nt!MiDecrementReferenceCount+0x42
b8dec86c 8089174a 8b3dddc0 808aeae0 029c7d60 nt!MiDeferredUnlockPages+0x20c
b8dec8a4 808925bb 8895b000 88d461a0 8895b000 nt!MiFreePoolPages+0x59a
b8dec8fc 80821695 20206f49 00000000 88c27d98 nt!ExFreePoolWithTag+0x277 --> trying to free a memory pool with a TAG.
b8dec950 8082dfe3 88c27d98 b8dec99c b8dec990 nt!IopCompleteRequest+0xf9
b8dec9a0 80a60199 00000000 00000000 00000000 nt!KiDeliverApc+0xbb
b8dec9c0 80a603d9 88a22401 00000000 00000000 hal!HalpDispatchSoftwareInterrupt+0x49
b8dec9dc 80a60456 00000001 88a22400 b8deca08 hal!HalpCheckForSoftwareInterrupt+0x81
b8dec9ec 808312be 88a22428 88c27d98 000007ff hal!KfLowerIrql+0x62
b8deca08 8082ab9b 88c27d98 88c27d58 00000000 nt!KiExitDispatcher+0x130
b8deca28 8081e257 88c27d98 88d461a0 00000000 nt!KeInsertQueueApc+0x57
b8deca5c b9c768d8 b9c768a9 88c27d58 8b2a7860 nt!IopfCompleteRequest+0x201
b8deca60 b9c768a9 88c27d58 8b2a7860 88c27d58 mydriver!+0xb84
b8decc3c 8081df85 88cd6810 88c27d58 88d461a0 mydriver!+0xb55
b8decc50 808f5437 88c27dc8 88d461a0 88c27d58 nt!IofCallDriver+0x45
b8decc64 808f61bf 88cd6810 88c27d58 88d461a0 nt!IopSynchronousServiceTail+0x10b
b8decd00 808eed08 000003dc 00000000 00000000 nt!IopXxxControlFile+0x5e5
b8decd34 808897bc 000003dc 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b8decd34 7c8285ec 000003dc 00000000 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
030aff28 00000000 00000000 00000000 00000000 0x7c8285ec

STACK_COMMAND: kb

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0x4E_7_IMAGE_mydriver.sys_RECENT

BUCKET_ID: 0x4E_7_IMAGE_mydriver.sys_RECENT

Followup: MachineOwner

From the stack it looks like a PAGE is being freed more than once. However, the page that is being freed is a pool resource with a tag. In my driver all the pool resource allocation and deallocation is done without specifying any tag.

I need assistance on the following two questions regarding this crash:

  1. Since mydriver is not doing any pool allocations or deallocations with a tag, I believe that nt!ExFreePoolWithTag is not called by my driver. Is this right?

  2. I also see that a queued APC is being processed before the crash. Is there a chance that the pool resource with TAG is being freed in the APC context? If yes, how do I avoid this from my driver? Is there any way we can get more information about this APC, like which thread queued it and who is the owner of this APC?

I appreciate your help on this.

Thx,
Gautham

Looks like it crashed in ExFreePool( irp->AssociatedIrp.SystemBuffer ) in the APC.

Regards
Haibo

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@hotmail.com
Sent: Friday, April 03, 2009 1:36 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Who freed the memory


I hope you’re not freeing Irp->SystemBuffer yourself?

Another reason could be that you return a wrong STATUS_PENDING not matched with IoMarkIrpPending, and the IRP gets deleted twice. Run it under Driver Verifier.
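The two mistakes raised in the replies above (a driver freeing Irp->AssociatedIrp.SystemBuffer itself, and returning STATUS_PENDING without IoMarkIrpPending) can be shown in a small user-mode C model. This is an added example, not code from the thread or from Gautham's driver, and it is not WDM code: the MODEL_IRP and FAULTS structs, the Model* functions, the Dispatch* routines and the flag bit values are assumptions that stand in for the I/O manager's completion path (the nt!IopCompleteRequest frame in the stack above) and for Driver Verifier's IRP checks. Only the rule they encode comes from the kernel's documented contract: for a METHOD_BUFFERED request the I/O manager frees SystemBuffer at completion when IRP_DEALLOCATE_BUFFER is set, and a dispatch routine returns STATUS_PENDING if and only if it called IoMarkIrpPending.

```c
#include <stdio.h>
#include <stdlib.h>

/* NTSTATUS values as defined by Windows. */
#define STATUS_SUCCESS 0x00000000
#define STATUS_PENDING 0x00000103

/* Same names and meaning as the wdm.h IRP flags; the bit values are
 * placeholders for this model, not the kernel's. */
#define IRP_BUFFERED_IO       0x01
#define IRP_DEALLOCATE_BUFFER 0x02

/* Assumed stand-in for the parts of an IRP the model needs. */
typedef struct {
    void *SystemBuffer;   /* Irp->AssociatedIrp.SystemBuffer, owned by the I/O manager */
    unsigned Flags;
    int PendingReturned;  /* what IoMarkIrpPending records on the current stack location */
    int Completed;
} MODEL_IRP;

typedef struct {
    int double_frees;        /* stands in for the PFN share-count underflow behind 0x4E_7 */
    int pending_mismatches;  /* stands in for Driver Verifier's STATUS_PENDING check */
} FAULTS;

static FAULTS g_faults;

/* Blocks handed to ModelExFreePool are recorded instead of released, so a
 * second free of the same address is detectable and malloc cannot reuse it. */
#define MAX_TRACKED 16
static void *g_freed[MAX_TRACKED];
static int g_freed_count;

static void ModelReset(void) {
    for (int i = 0; i < g_freed_count; i++) free(g_freed[i]);
    g_freed_count = 0;
    g_faults.double_frees = 0;
    g_faults.pending_mismatches = 0;
}

static void ModelExFreePool(void *p) {
    for (int i = 0; i < g_freed_count; i++) {
        if (g_freed[i] == p) { g_faults.double_frees++; return; }  /* freed twice */
    }
    if (g_freed_count < MAX_TRACKED) g_freed[g_freed_count++] = p;
}

static void ModelIoMarkIrpPending(MODEL_IRP *irp) { irp->PendingReturned = 1; }

/* Mirrors what the completion path does for a METHOD_BUFFERED IRP: the
 * I/O manager, not the driver, releases SystemBuffer. */
static void ModelIoCompleteRequest(MODEL_IRP *irp) {
    irp->Completed = 1;
    if (irp->Flags & IRP_DEALLOCATE_BUFFER) ModelExFreePool(irp->SystemBuffer);
}

/* Caller side of IoCallDriver: STATUS_PENDING must pair with IoMarkIrpPending. */
static int ModelIoCallDriver(MODEL_IRP *irp, int (*dispatch)(MODEL_IRP *)) {
    int status = dispatch(irp);
    if ((status == STATUS_PENDING) != (irp->PendingReturned != 0)) g_faults.pending_mismatches++;
    return status;
}

/* Mistake from the thread: the driver frees SystemBuffer itself before completing. */
static int DispatchFreesSystemBuffer(MODEL_IRP *irp) {
    ((char *)irp->SystemBuffer)[0] = 'x';        /* write the output */
    ModelExFreePool(irp->SystemBuffer);          /* wrong: not the driver's buffer to free */
    ModelIoCompleteRequest(irp);                 /* the I/O manager frees it again */
    return STATUS_SUCCESS;
}

/* Correct synchronous handling: fill the buffer, complete, leave the free to the I/O manager. */
static int DispatchCompletesSynchronously(MODEL_IRP *irp) {
    ((char *)irp->SystemBuffer)[0] = 'x';
    ModelIoCompleteRequest(irp);
    return STATUS_SUCCESS;
}

/* Mistake from the thread: STATUS_PENDING without IoMarkIrpPending. */
static int DispatchPendsWithoutMarking(MODEL_IRP *irp) {
    (void)irp;                                   /* queued for later completion */
    return STATUS_PENDING;
}

/* Correct asynchronous handling: mark pending, then return STATUS_PENDING. */
static int DispatchPendsAndMarks(MODEL_IRP *irp) {
    ModelIoMarkIrpPending(irp);
    return STATUS_PENDING;
}

/* Runs one dispatch routine against a constructed METHOD_BUFFERED IRP and
 * returns the faults the model detected. */
static FAULTS RunScenario(int (*dispatch)(MODEL_IRP *)) {
    ModelReset();
    MODEL_IRP irp = {0};
    irp.SystemBuffer = malloc(64);               /* constructed sample buffer */
    irp.Flags = IRP_BUFFERED_IO | IRP_DEALLOCATE_BUFFER;
    ModelIoCallDriver(&irp, dispatch);
    if (!irp.Completed) ModelIoCompleteRequest(&irp);  /* worker that finishes a pended IRP */
    return g_faults;
}

int main(void) {
    struct { const char *name; int (*fn)(MODEL_IRP *); } cases[] = {
        { "driver frees SystemBuffer", DispatchFreesSystemBuffer },
        { "completes synchronously",   DispatchCompletesSynchronously },
        { "pends without marking",     DispatchPendsWithoutMarking },
        { "pends and marks",           DispatchPendsAndMarks },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        FAULTS f = RunScenario(cases[i].fn);
        printf("%-28s double frees: %d  pending mismatches: %d\n",
               cases[i].name, f.double_frees, f.pending_mismatches);
    }
    return 0;
}
```

The first scenario is the shape Haibo's reply points at: the driver's own free and the I/O manager's free of the same SystemBuffer, with the second one happening inside the completion APC, which is where the real stack shows nt!ExFreePoolWithTag being reached without the driver ever calling it by that name. Driver Verifier's I/O verification is the production equivalent of the pending check in ModelIoCallDriver.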

> PFN_LIST_CORRUPT (4e)

MDL mismanagement.

Something like destroying the master MDL before its partial MDL or like.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Hi Gautham,

As Maxim suggested, you are doing something wrong while allocating the MDL. If you can provide us with some code fragment (at least the one where you are doing pool allocations or MDL creation) we might be able to pinpoint the problem.

I would also agree about the MDL, but before looking into that, I'm wondering if your symbols are correct; it doesn't look like they are (mydriver!+0xABCDEFGH, etc.).

Good luck,

mm
