Hi,

A bit of a longshot but....

I'm hitting this bugcheck while developing an NDIS intermediate driver.
I'm pretty sure the bug is in my driver, but since it's not in the
stack, I can't figure out where the offending code is.

Any ideas how I can debug this, or where to look? I tried Driver
Verifier but that didn't catch anything.

Thanks,

Gaurav


1: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid)
address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00300010, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 80540e3e, address which referenced memory

Debugging Details:
------------------


OVERLAPPED_MODULE: vmm

READ_ADDRESS: 00300010

CURRENT_IRQL: 2

FAULTING_IP:
nt!ExpScanGeneralLookasideList+20
80540e3e 8b51e0 mov edx,[ecx-0x20]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 8054142c to 80540e3e

TRAP_FRAME: bad2fc84 -- (.trap ffffffffbad2fc84)
ErrCode = 00000000
eax=00000000 ebx=0000006f ecx=00300030 edx=00000000 esi=ffed0005
edi=0000006e
eip=80540e3e esp=bad2fcf8 ebp=bad2fd08 iopl=0 nv up ei pl nz ac
pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010213
nt!ExpScanGeneralLookasideList+0x20:
80540e3e 8b51e0 mov edx,[ecx-0x20]
Resetting default scope

STACK_TEXT:
bad2fd08 8054142c 8056f568 8056f560 80548fe5
nt!ExpScanGeneralLookasideList+0x20
bad2fd14 80548fe5 00000000 898156d8 00000000
nt!ExAdjustLookasideDepth+0x32
bad2fdac 80601b50 00000000 00000000 00000000
nt!KeBalanceSetManager+0xbf
bad2fddc 8054e98e 80548f26 00000000 00000000
nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


FOLLOWUP_IP:
nt!ExpScanGeneralLookasideList+20
80540e3e 8b51e0 mov edx,[ecx-0x20]

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!ExpScanGeneralLookasideList+20

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 3e800013

STACK_COMMAND: .trap ffffffffbad2fc84 ; kb

FAILURE_BUCKET_ID: 0xA_nt!ExpScanGeneralLookasideList+20

BUCKET_ID: 0xA_nt!ExpScanGeneralLookasideList+20

Followup: MachineOwner
---------

Re: Help with IRQL_NOT_LESS_OR_EQUAL nt!ExpScanGeneralLookasideList by Mark

Mark
Thu Aug 11 20:51:24 CDT 2005

gauravl@gmail.com wrote:
> Hi,
>
> A bit of a longshot but....
>
> I'm hitting this bugcheck while developing an NDIS intermediate driver.
> I'm pretty sure the bug is in my driver, but since it's not in the
> stack, I can't figure out where the offending code is.
>
> Any ideas how I can debug this, or where to look? I tried Driver
> Verifier but that didn't catch anything.
>

Looks like you corrupted memory in the heap and that the general
lookaside list management code is the victim. Did you try the verifier
special memory pool tracking options? Also running against the checked
build can help.

You could also have a stale pointer problem - you are using a buffer
freed and reallocated to another kernel component.

Runtime tracing is your friend here: you need to understand what your
driver was doing before the crash, for some value of 'before'. If you
haven't instrumented some sort of runtime tracing yet, now would be a
good time to do so, and you should probably go with the ETW trace
facility as it is more or less standard.




--

=====================
Mark Roddy DDK MVP
Windows 2003/XP/2000 Consulting
Hollis Technology Solutions 603-321-1032
www.hollistech.com

Re: Help with IRQL_NOT_LESS_OR_EQUAL nt!ExpScanGeneralLookasideList by gauravl

gauravl
Fri Aug 12 23:54:06 CDT 2005

Maxim helped me debug this - the problem was that I wasn't calling
ExDelete(N)PagedLookasideList while destroying the structure containing
the lookaside.

Thanks !
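
A user-mode C model of the bug named in the last post, added here as an illustration (it is not code from the thread or from Windows): ExInitializeNPagedLookasideList links the lookaside header into a system-wide list, which the scan in the stack trace walks, and ExDeleteNPagedLookasideList unlinks it. Every type and function name in the block is a hypothetical stand-in, and the 0xAA fill is a constructed substitute for the memory being freed and reused.

```c
/* User-mode model, constructed for illustration; not kernel or driver code. */
#include <stddef.h>
#include <string.h>

typedef struct entry { struct entry *next, *prev; } entry_t;
/* Stand-in for a lookaside header; the system links it through `link`. */
typedef struct { unsigned tag; entry_t link; } lookaside_t;
/* Stand-in for the driver structure that embeds the lookaside. */
typedef struct { char other_state[16]; lookaside_t la; } adapter_t;

#define LIVE_TAG 0x4c4f4f4bu                 /* constructed validity marker */
static entry_t system_list;                  /* models the system-wide list head */
static adapter_t pool_slot;                  /* models one pool allocation */

static void list_reset(void) { system_list.next = system_list.prev = &system_list; }

static void model_init(lookaside_t *la) {    /* models ExInitializeNPagedLookasideList */
    la->tag = LIVE_TAG;
    la->link.next = system_list.next;
    la->link.prev = &system_list;
    system_list.next->prev = &la->link;
    system_list.next = &la->link;
}

static void model_delete(lookaside_t *la) {  /* models ExDeleteNPagedLookasideList */
    la->link.prev->next = la->link.next;
    la->link.next->prev = la->link.prev;
    la->tag = 0;
}

/* Models the periodic scan: walks the list and reads each header at a negative
   offset from its link (compare `mov edx,[ecx-0x20]` in the dump).
   Returns 1 if it reaches a header that is no longer valid, else 0. */
static int model_scan(void) {
    for (entry_t *e = system_list.next; e != &system_list; e = e->next) {
        lookaside_t *la = (lookaside_t *)((char *)e - offsetof(lookaside_t, link));
        if (la->tag != LIVE_TAG) return 1;   /* stale header: its links are garbage */
    }
    return 0;
}

/* Destroy the containing structure, with or without the delete call, then scan. */
int teardown_then_scan(int call_delete) {
    list_reset();
    model_init(&pool_slot.la);
    if (call_delete) model_delete(&pool_slot.la);
    memset(&pool_slot, 0xAA, sizeof pool_slot);  /* memory freed and reused */
    return model_scan();
}

int main(void) { return teardown_then_scan(0) == 1 && teardown_then_scan(1) == 0 ? 0 : 1; }
```

The scan runs on a system thread long after the driver's teardown returned, which is why no driver frame appears in the stack.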