A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #30092  by 0xf0f
 Mon Mar 13, 2017 7:30 am
Hi friends, I post here because I have trouble with an MM bug check issue. Win10 x64.

I have a scenario: erase the VAD from the VAD tree for a specified mapped file, then unload the driver. Because I cannot reload the driver after some time to restore the VAD before system reboot, I am trying to reduce the share count on the DirBase so that unloading the driver is possible.

The problem seems to be a check present in MM for leaked pages, so I hit a bug check that I must bypass.

Here I give the dump; maybe there is a way to make this work?
Code:
kd> .bugcheck
Bugcheck code 000000F7
Arguments 00004380`301659d0 00006136`0a7902a5 ffff9ec9`f586fd5a 00000000`00000000

kd> kn
 # Child-SP          RetAddr           Call Site
00 ffffba80`347599d8 fffff801`c1dec92e nt!DbgBreakPointWithStatus
01 ffffba80`347599e0 fffff801`c1dec31d nt!KiBugCheckDebugBreak+0x12
02 ffffba80`34759a40 fffff801`c1d62614 nt!KeBugCheck2+0x8a5
03 ffffba80`3475a150 fffff801`c1dca529 nt!KeBugCheckEx+0x104
04 ffffba80`3475a190 fffff801`c1c5f099 nt!_report_gsfailure+0x25
05 ffffba80`3475a1d0 fffff801`c1c633ba nt!MiGetTopLevelPfn+0x139
06 ffffba80`3475a260 fffff801`c1c6171c nt!MiStealPage+0x90e
07 ffffba80`3475a5e0 fffff801`c1c5fa47 nt!MiClaimPhysicalRun+0x480
08 ffffba80`3475a660 fffff801`c1d9514c nt!MiFindContiguousPages+0x297
09 ffffba80`3475a7f0 fffff801`c1c5f6ac nt! ?? ::FNODOBFM::`string'+0x237ac
0a ffffba80`3475a8c0 fffff801`c1c5f22f nt!MiAllocatePagesForMdl+0xfc
0b ffffba80`3475a950 fffff801`c1c5f17a nt!MmAllocatePartitionNodePagesForMdlEx+0xaf
0c ffffba80`3475a9a0 fffff80a`7fae3434 nt!MmAllocateNodePagesForMdlEx+0x2a
0d ffffba80`3475a9f0 fffff80a`7fae2504 dmvsc!DmcRemovePages+0xd8
0e ffffba80`3475aa60 fffff80a`7fae2c09 dmvsc!DmcWorkerIoReady+0x948
0f ffffba80`3475aae0 fffff80a`7fae1e59 dmvsc!DmcWorkerIoReady+0x104d
10 ffffba80`3475abd0 fffff801`c1c1a729 dmvsc!DmcWorkerIoReady+0x29d
11 ffffba80`3475ac10 fffff801`c1d679d6 nt!PspSystemThreadStartup+0x41
12 ffffba80`3475ac60 00000000`00000000 nt!KiStartSystemThread+0x16
Thanks all
 #30097  by 0xf0f
 Tue Mar 14, 2017 9:39 am
I thought about this some more. Maybe I make an additional reference on the process object so it is not terminated, forever, and on reboot these additional checks in the memory manager will be OK and avoid the bugcheck?

Thanks
 #30106  by Vrtule
 Tue Mar 14, 2017 8:53 pm
I doubt making an extra reference on the process object would be enough. AFAIK if you wish to prevent process' address space from deletion, you should acquire process' rundown protection (PsAcquireProcessRundownProtection or something like that, it is undocumented). However, such an approach has dangerous consequences since it probably suspends thread doing the process cleanup which may be holding some other important system locks.
 #30113  by 0xf0f
 Wed Mar 15, 2017 11:59 am
Thank you friend for the advice, I look at this too. I can't see another way to achieve this than a hack. PatchGuard is too deep.