Bugchecks Explained: PFN_LIST_CORRUPT

What Happened?

Windows tracks physical pages of memory using a table called the Page Frame Database. This database (which actually is just a big one-dimensional array) is indexed by physical page number. As a result, the page frame database is typically referred to as the Page Frame Number list or PFN.

Every page of physical memory has an associated PFN entry. Each PFN entry contains information about the state of its corresponding physical page in the system. This state includes information about whether the corresponding physical page is in use, how it’s being used, a count of active users of the page, and a count of pending I/O operations on the page.

Depending on the page's state, a PFN entry may be on one of several lists that the Memory Manager maintains. The listheads for these lists are simple global variables that are used for quick access to PFN entries of certain types. For example, one such list would be the list that contains all the modified pages that need to be written to disk.

Because all the PFN lists and entries are present in the high half of kernel virtual address space, they are subject to corruption through stray pointer accesses (such as by errant drivers or other similar kernel-mode modules). Also, the count in the PFN that tracks the number of I/O related accesses to a given physical page can be corrupted by improper MDL handling.

Whenever Windows detects that any of the PFN lists or any of the PFN entries themselves have become invalid, the system halts with a PFN_LIST_CORRUPT bugcheck.

Who Did It?

This bugcheck usually occurs for one of two reasons, the first being memory corruption. If there is a buggy driver in the system that is writing to memory that it does not own, it could easily corrupt one of the PFN lists or entries. In order to rule this out, you should run Driver Verifier with Special Pool enabled for suspect drivers in the system. This will hopefully allow you to catch the misbehaving driver in the act of scribbling memory, instead of receiving a crash sometime later when the O/S discovers the damage.

The second cause for this bugcheck is incorrect MDL handling. For example, one use of MDLs is to allow you to "lock" the physical memory that backs a virtual address range so that the memory stays resident while your driver is accessing it. This is achieved by using the MmProbeAndLockPages DDI. One of the things that this DDI does is take out a reference on the PFN entries of the underlying physical pages, ensuring that the Memory Manager does not page them out. The corresponding DDI to undo this operation, MmUnlockPages, is responsible for decrementing the reference counts taken out in the previous call. If a driver happens to call MmUnlockPages too many times on an MDL, the reference count on the underlying PFN entries could drop to below zero (to 0xFFFFFFFF). The system considers this to be a critical error, as one or more of the PFN entries is obviously invalid. Therefore, this bugcheck will occur.

If your driver or a driver in your stack is being blamed for a PFN_LIST_CORRUPT bugcheck, go over your code and make sure that you are properly handling your MDLs. Remember that even if you do not create or destroy any MDLs directly, you play a part in the creation and destruction of them if you handle IRPs whose buffers are described with DIRECT_IO. Driver Verifier and the checked build of Windows can help pinpoint IRP and MDL handling errors.
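The double-unlock underflow described above, as a user-mode C model (an added example, not WDK or OSR code). The `toy_*` types and functions are hypothetical stand-ins for a PFN entry, an MDL, MmProbeAndLockPages and MmUnlockPages, and the 32-bit counter is an assumption chosen to match the 0xFFFFFFFF value quoted in the text.

```c
/* User-mode model only: every toy_* name is hypothetical, not a WDK symbol. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TOY_PAGES_LOCKED 0x1u            /* "this MDL holds page references" */

typedef struct { uint32_t ref_count; } toy_pfn;   /* one entry per physical page */
typedef struct {
    toy_pfn **pages;                     /* PFN entries backing the buffer */
    size_t    count;
    uint32_t  flags;
} toy_mdl;

/* Models the lock call: take one reference per backing page. */
static void toy_lock(toy_mdl *m) {
    for (size_t i = 0; i < m->count; i++) m->pages[i]->ref_count++;
    m->flags |= TOY_PAGES_LOCKED;
}

/* Models an unlock that trusts its caller: it always drops a reference. */
static void toy_unlock(toy_mdl *m) {
    for (size_t i = 0; i < m->count; i++) m->pages[i]->ref_count--;
    m->flags &= ~TOY_PAGES_LOCKED;
}

/* Driver-side guard: unlock only while this MDL still holds its references. */
static int toy_unlock_checked(toy_mdl *m) {
    if (!(m->flags & TOY_PAGES_LOCKED)) return -1;   /* already unlocked */
    toy_unlock(m);
    return 0;
}

/* Lock once, unlock twice; returns the page's final reference count. */
uint32_t run_double_unlock(int guarded) {
    toy_pfn page = { 0 };
    toy_pfn *list[] = { &page };
    toy_mdl mdl = { list, 1, 0 };
    toy_lock(&mdl);
    if (guarded) { toy_unlock_checked(&mdl); toy_unlock_checked(&mdl); }
    else         { toy_unlock(&mdl);         toy_unlock(&mdl); }
    return page.ref_count;
}

int main(void) {
    printf("unguarded: 0x%08X\n", (unsigned)run_double_unlock(0));
    printf("guarded:   0x%08X\n", (unsigned)run_double_unlock(1));
    return 0;
}
```

The unguarded path leaves the counter at 0xFFFFFFFF, the invalid state the text says triggers the bugcheck; the guarded path refuses the second unlock and leaves it at zero.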

How Should I Fix It?

How this is fixed varies depending on the reason for the bugcheck. Using Driver Verifier and the checked build of the O/S should allow you to pinpoint the driver that is either corrupting memory or mishandling MDLs. If the offending driver is not a driver that you have any control over, the only available option is disabling the driver until a fixed version is available.

Related WinDBG Commands

· !memusage

· !pfn

Related O/S Structures

· nt!_MMPFN



Related O/S Variables

· nt!MmBadPageListHead

· nt!MmStandbyPageListHead

· nt!MmModifiedNoWritePageListHead

· nt!MmModifiedPageListHead

· nt!MmFreePageListHead

· nt!MmZeroedPageListHead

· nt!MmRomPageListHead

User Comments

"Quick Question"
Hello all, I am new to this site so thanks for having me. I was just wondering about this PFN_LIST_CORRUPT error I am getting. I am an MCSE on the 2000 platform but I am not a developer. I read up and down about this error and I get the two common reasons explained in this site about how this occurs but what I don't get is the solutions. I am getting a stop error so I am unable to even post my machine. This is a client's laptop and I would prefer not to have to pull the drive and run data extraction if I don't have to. Is there any way to get into the machine to run these tests you speak of? I have already tried Safe mode as well as a Windows Repair. This system was running Vista 32 bit Ultimate edition. Thanks in advance for any help!

13-Jul-08, Neil Kelley

Liked your article; very thorough. I am having this issue.

One thing is funny though; I am reformatting like I have so many times before and never had to handle this issue.

How, since I have NO OS (operating system), can I tackle this mess?

I am using the Intel D975XBX2 motherboard and as I see it so far after yest being at it around 12 hours it must be in the BIOS. How do I clear it and start new?

Now this is what I came up with after 2 days in the salt mine.

What are your thoughts on this issue?

11-Jun-08, jim long

"Getting PFN_LIST_CORRUPT with fresh W2K install"
I am getting PFN_LIST_CORRUPT on a fresh install of W2K. Nothing else installed yet. Any ideas? I'm thinking possibly bad memory.

19-Dec-05, Jax cook

"Missing a real-life debugging sample"
I would like to suggest to include each bugcheck explanation with at least one sample debugging session showing how to approach the particular bugcheck. Although I understand that a multitude of possible causes could exist, even one example can be very helpful.

29-Aug-04, Erwin Zoer
