The problem is most likely the pointer being freed: the memory to be freed is 0x8939e000, which sits exactly on a page boundary, and everything beyond it is invalid data. Normally an allocated memory pointer is preceded by a POOL HEADER structure, and on free the header's flags are checked to detect whether it has been corrupted, but here the header address is obviously invalid, which is what caused this.
The only explanation is that the pointer being freed was modified by someone, which led to the problem. RtkHDAud is the most likely culprit; I suggest upgrading this old driver from 2013 and seeing what happens.
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_CORRUPTED_MMPOOL (d0)
Arguments:
Arg1: 00000008, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 80549fbc, address which referenced memory
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool. You can also set
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ProtectNonPagedPool
to a DWORD 1 value and reboot. Then the system will unmap freed nonpaged pool,
preventing drivers (although not DMA-hardware) from corrupting the pool.
Debugging Details:
------------------
READ_ADDRESS: 00000008
CURRENT_IRQL: 2
FAULTING_IP:
nt!MiFreePoolPages+41a
80549fbc 8b4608 mov eax,dword ptr [esi+8]
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xD0
PROCESS_NAME: System
TRAP_FRAME: a45ea640 -- (.trap 0xffffffffa45ea640)
ErrCode = 00000000
eax=8939e000 ebx=03ffffff ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=80549fbc esp=a45ea6b4 ebp=a45ea6d8 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010297
nt!MiFreePoolPages+0x41a:
80549fbc 8b4608 mov eax,dword ptr [esi+8] ds:0023:00000008=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 80549fbc to 8054580c
STACK_TEXT:
a45ea640 80549fbc badb0d00 00000000 89619000 nt!KiTrap0E+0x180
a45ea6d8 8054c49a 8939e000 89727570 89727470 nt!MiFreePoolPages+0x41a
a45ea718 8054c95f 8939e000 00000000 a45ea750 nt!ExFreePoolWithTag+0x1ba
a45ea728 aecb2a55 8939e000 89727474 89727470 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
a45ea750 af151a81 89727478 a45ea770 aecbd745 RtkHDAud+0x1aa55
a45ea75c aecbd745 00000001 898b80f4 898b8008 RtkHDAud+0x4b9a81
a45ea770 aec9e631 89727474 a45ea79c aec37f01 RtkHDAud+0x25745
a45ea77c aec37f01 89727470 898b801c 898b8008 RtkHDAud+0x6631
a45ea790 aec22ec7 898b8020 a45ea7b0 aec1bfba portcls!CPortPinWaveCyclic::~CPortPinWaveCyclic+0x7a
a45ea79c aec1bfba 00000001 8ab1e0e8 898321e8 portcls!CPortPinWaveCyclic::`vector deleting destructor'+0xd
a45ea7b0 aec21fae 898b801c a45ea7d4 aec2c2ae portcls!CUnknown::NonDelegatingRelease+0x24
a45ea7bc aec2c2ae 898b8008 8ab1e030 89705a18 portcls!CPortPinWaveCyclic::Release+0x11
a45ea7d4 b59dc10c 8997a2d8 89705a18 a45ea7fc portcls!DispatchClose+0x44
a45ea7e4 aec2b8c0 8ab1e030 89705a18 89705a28 ks!KsDispatchIrp+0x71
a45ea7fc aec2b881 8ab1e030 89705a18 a45ea820 portcls!KsoDispatchIrp+0x43
a45ea80c af0d9225 8ab1e030 89705a18 8ad254f8 portcls!PcDispatchIrp+0x5f
a45ea820 804f01f9 8ab1e030 89705a18 89705a18 RtkHDAud+0x441225
a45ea830 80584b30 89cf0b78 00000000 00000000 nt!IopfCallDriver+0x31
a45ea868 805bc4de 00cf0b90 00000000 89cf0b78 nt!IopDeleteFile+0x132
a45ea884 805277e2 89cf0b90 00000000 000001d4 nt!ObpRemoveObjectRoutine+0xe0
a45ea89c 805bd3b3 89882768 e1002e00 898e6020 nt!ObfDereferenceObject+0x4c
a45ea8b4 805bd449 e1002e00 89cf0b90 000001d4 nt!ObpCloseHandleTableEntry+0x155
a45ea8fc 805bd581 000001d4 00000000 00000000 nt!ObpCloseHandle+0x87
a45ea910 805427e8 800001d4 a45ea9a4 80500f8d nt!NtClose+0x1d
a45ea910 80500f8d 800001d4 a45ea9a4 80500f8d nt!KiSystemServicePostCall
a45ea98c a806fef1 800001d4 e3ea32b8 a806b617 nt!ZwClose+0x11
a45ea998 a806b617 e4829670 a45ea9bc a8070226 sysaudio!CPinNodeInstance::~CPinNodeInstance+0x20
a45ea9a4 a8070226 00000001 e4829670 a8070269 sysaudio!CPinNodeInstance::`scalar deleting destructor'+0xd
a45ea9b0 a8070269 e4b1abec a45ea9d4 a8070253 sysaudio!CConnectNodeInstance::~CConnectNodeInstance+0x48
a45ea9bc a8070253 00000001 a806db7f e4b1abec sysaudio!CConnectNodeInstance::`scalar deleting destructor'+0xd
a45ea9c4 a806db7f e4b1abec 89b258b0 a45ea9f4 sysaudio!CConnectNodeInstance::Destroy+0x10
a45ea9d4 a806fcaf a8070243 e4b1abec a806fe80 sysaudio!CListMulti::EnumerateList+0x1a
a45ea9e0 a806fe80 e4b1abd0 a806b63d e4763d80 sysaudio!ListMultiDestroy<CConnectNodeInstance>::DestroyList+0xf
a45ea9e8 a806b63d e4763d80 a45eaa0c a806dbea sysaudio!CStartNodeInstance::~CStartNodeInstance+0x7e
a45ea9f4 a806dbea 00000001 e4763d80 a806dba2 sysaudio!CStartNodeInstance::`scalar deleting destructor'+0xd
a45eaa00 a806dba2 89b258a0 a45eaa1c a806e35c sysaudio!CPinInstance::~CPinInstance+0x2f
a45eaa0c a806e35c 00000001 8ac4ac08 a45eaa2c sysaudio!CPinInstance::`scalar deleting destructor'+0xd
a45eaa1c b59dc695 89d9d030 89b258a0 a45eaa74 sysaudio!CPinInstance::PinDispatchClose+0x26
a45eaa2c 804f01f9 89d9d030 89b258a0 89b258a0 ks!DispatchClose+0x32
a45eaa3c 80584b30 898e5d88 00000000 00000000 nt!IopfCallDriver+0x31
a45eaa74 805bc4de 008e5da0 00000000 898e5d88 nt!IopDeleteFile+0x132
a45eaa90 805277e2 898e5da0 00000000 89770000 nt!ObpRemoveObjectRoutine+0xe0
a45eaaa8 a65e6e8c a45eaac4 a65e6e5b 89770000 nt!ObfDereferenceObject+0x4c
a45eaab0 a65e6e5b 89770000 898e5da0 897708ac wdmaud!CloseSysAudio+0xe
a45eaac4 a65e6ed0 8adbb400 89633308 a45eaaf0 wdmaud!CloseWavePin+0x1f
a45eaad4 a65e6e2e 8977088c 0de29830 00000000 wdmaud!CloseTheWavePin+0x3e
a45eaaf0 a65e643e 89803a48 89770000 00000000 wdmaud!Dispatch_ClosePin+0x82
a45eab18 804f01f9 00000000 89770000 806e8410 wdmaud!SoundDispatch+0x1d7
a45eab28 805809a0 89803adc 899f39f0 89803a48 nt!IopfCallDriver+0x31
a45eab3c 8058182f 89e21f10 89803a48 899f39f0 nt!IopSynchronousServiceTail+0x70
a45eabd8 8057a292 00000b70 00000a00 00000000 nt!IopXxxControlFile+0x5c5
a45eac0c a313f289 00000b70 00000a00 00000000 nt!NtDeviceIoControlFile+0x2a
a45eacb0 805c2512 898fedd0 0012e501 00000001 FsWriteBack+0x7289
a45ead34 805427e8 00000b70 00000a00 00000000 nt!ObCreateObject+0x12a
a45ead34 7c92e514 00000b70 00000a00 00000000 nt!KiSystemServicePostCall
0012e57c 00000000 00000000 00000000 00000000 0x7c92e514
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExFreePool+f
8054c95f 5d pop ebp
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!ExFreePool+f
FOLLOWUP_NAME: Pool_corruption
IMAGE_NAME: Pool_Corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MODULE_NAME: Pool_Corruption
FAILURE_BUCKET_ID: 0xD0_nt!ExFreePool+f
BUCKET_ID: 0xD0_nt!ExFreePool+f
Followup: Pool_corruption
---------
0: kd> .process
Implicit process is now 8ae6b660
0: kd> d 8ae6b660=174
00000000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
00000010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
00000020 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
00000030 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
00000040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
00000050 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
00000060 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
00000070 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0: kd> d 8ae6b660+174
8ae6b7d4 53 79 73 74 65 6d 00 00-00 00 00 00 00 00 00 00 System..........
8ae6b7e4 00 00 00 00 00 00 00 00-00 00 00 00 0c b6 e6 8a ................
8ae6b7f4 cc ef 52 89 00 83 49 e3-20 30 67 b8 42 00 00 00 ..R...I. 0g.B...
8ae6b804 ff 0f 1f 00 01 00 00 00-00 00 00 00 00 00 00 00 ................
8ae6b814 00 00 00 00 ae 23 00 00-00 00 00 00 9b 3a 00 00 .....#.......:..
8ae6b824 00 00 00 00 61 6a 01 00-00 00 00 00 87 78 e1 00 ....aj.......x..
8ae6b834 00 00 00 00 89 51 cb 01-00 00 00 00 fd fa 41 00 .....Q........A.
8ae6b844 00 00 00 00 00 00 00 00-2f 06 00 00 00 00 00 00 ......../.......
0: kd> u nt!ExFreePool
nt!ExFreePool:
8054c950 8bff mov edi,edi
8054c952 55 push ebp
8054c953 8bec mov ebp,esp
8054c955 6a00 push 0
8054c957 ff7508 push dword ptr [ebp+8]
8054c95a e881f9ffff call nt!ExFreePoolWithTag (8054c2e0)
8054c95f 5d pop ebp
8054c960 c20400 ret 4
0: kd> d 8939e000
8939e000 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0: kd> d
8939e080 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e090 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e0a0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e0b0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e0c0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e0d0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e0e0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e0f0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0: kd> d
8939e100 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e110 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e120 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e130 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e140 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e150 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e160 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e170 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0: kd> d 8939e000-16
Page 7edb not present in the dump file. Type ".hh dbgerr004" for details
8939dfea ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
8939dffa ?? ?? ?? ?? ?? ?? 00 00-00 00 00 00 00 00 00 00 ??????..........
8939e00a 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e01a 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e02a 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e03a 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e04a 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8939e05a 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
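As an added illustration of the point about the pool header (this is example code, not part of the original post or of any Microsoft or Realtek code), the snippet below models the 32-bit POOL_HEADER that precedes small pool allocations and shows why a page-aligned pointer like 0x8939e000 is handled by a different path: it carries no header at all and is handed to the page-level free routine (MiFreePoolPages in the stack above). The header layout and the sanity checks are assumptions modelled on the x86 Windows XP kernel, and the memory image is constructed.

```c
/* Added example: classify a pointer the way a pool free routine would,
 * reading a caller-supplied byte image of memory (a stand-in for the dump).
 * The POOL_HEADER layout is assumed from the 32-bit XP-era kernel. */
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define PAGE_SIZE 0x1000u

typedef struct _POOL_HEADER {      /* 8 bytes on x86 */
    uint16_t PreviousSize : 9;     /* size of previous block, in 8-byte units */
    uint16_t PoolIndex    : 7;
    uint16_t BlockSize    : 9;     /* size of this block incl. header, 8-byte units */
    uint16_t PoolType     : 7;     /* 0 marks a free block */
    uint32_t PoolTag;              /* four-character allocation tag */
} POOL_HEADER;

enum free_kind { FREE_LARGE_PAGE, FREE_SMALL_OK, FREE_SMALL_BAD_HEADER };

enum free_kind classify_free(uint32_t va, const uint8_t *image,
                             uint32_t image_base, size_t image_len)
{
    /* Page-aligned address: treated as a whole-page allocation, no header is
     * consulted, and the free goes straight to the page allocator. */
    if ((va & (PAGE_SIZE - 1)) == 0)
        return FREE_LARGE_PAGE;
    uint32_t hdr_va = va - sizeof(POOL_HEADER);
    /* Header lies outside readable memory (like the "Page not present" above). */
    if (hdr_va < image_base || hdr_va + sizeof(POOL_HEADER) > image_base + image_len)
        return FREE_SMALL_BAD_HEADER;
    POOL_HEADER h;
    memcpy(&h, image + (hdr_va - image_base), sizeof h);
    /* Simplified sanity check: a zeroed or already-free header is a corruption sign. */
    if (h.BlockSize == 0 || h.PoolType == 0)
        return FREE_SMALL_BAD_HEADER;
    return FREE_SMALL_OK;
}

/* Constructed sample image: 64 bytes starting at SAMPLE_BASE with one
 * allocated block whose header sits 8 bytes before the user pointer. */
#define SAMPLE_BASE 0x8a000000u
uint8_t sample_image[64];

void build_sample(void)
{
    POOL_HEADER h;
    memset(&h, 0, sizeof h);
    h.BlockSize = 4;                /* 32 bytes including the header */
    h.PoolType  = 1;                /* allocated, non-paged (constructed value) */
    h.PoolTag   = 0x32307450u;      /* "Pt02", constructed tag */
    memset(sample_image, 0, sizeof sample_image);
    memcpy(sample_image, &h, sizeof h);
}
```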