DRIVER_CORRUPTED_EXPOOL (c5) 原因分析

Windbg信息如下：

DRIVER_CORRUPTED_EXPOOL (c5)

An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is
caused by drivers that have corrupted the system pool.  Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: e1293000, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8088d689, address which referenced memory

Debugging Details:
------------------


BUGCHECK_STR:  0xC5_D0000002

CURRENT_IRQL:  2

FAULTING_IP:
nt!ExAllocatePoolWithTag+b5b
8088d689 832700          and     dword ptr [edi],0

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  Idle

TRAP_FRAME:  808938c4 -- (.trap 0xffffffff808938c4)
ErrCode = 00000002
eax=e1293000 ebx=825d3060 ecx=e1293000 edx=00000000 esi=00001000 edi=e1293000
eip=8088d689 esp=80893938 ebp=80893974 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
nt!ExAllocatePoolWithTag+0xb5b:
8088d689 832700          and     dword ptr [edi],0    ds:0023:e1293000=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8088d689 to 80886a69

STACK_TEXT:  
808938c4 8088d689 badb0d00 00000000 00000000 nt!KiTrap0E+0x2a1
80893974 80879593 00000001 00000000 656e6f4e nt!ExAllocatePoolWithTag+0xb5b
80893988 f78ae517 00000001 00000400 00000391 nt!ExAllocatePool+0x15
WARNING: Stack unwind information not available. Following frames may be wrong.
808939a4 f78ae0d4 00000006 c0a8364e 0000008b tdi32+0x2517
808939d4 f78ae1f1 82213c38 81fdae70 81fdaee0 tdi32+0x20d4
808939f0 f78ade83 82213c38 81fdae70 81fdaee0 tdi32+0x21f1
80893a44 8081d5a3 82213c38 81fdae70 81fdae70 tdi32+0x1e83
80893a58 f78ed35b 81fe08bc 8204b008 81fe07c8 nt!IofCallDriver+0x45
80893a70 f78ec224 81f1be70 f77f8350 81fe08bc netbt!TdiConnect+0xd8
80893aa8 f78ede6b 02fe07c8 c0a8364e 825efd08 netbt!TcpSessionStart+0x9c
80893ae8 f78edf28 825efd08 00000000 00000000 netbt!SessionSetupContinue+0x27f
80893b10 f78eb717 f78edc49 81fe07c8 00000000 netbt!CompleteClientReq+0x92
80893b98 f78ebc4a 825efd08 80893c98 8227b02a netbt!QueryFromNet+0x836
80893bc4 f78ebc6f 825efd08 80893c98 8227b02a netbt!NameSrvHndlrNotOs+0xa7
80893c18 f79335e4 825efd08 00000016 80893c98 netbt!TdiRcvNameSrvHandler+0x28b
80893cb4 f79279a9 82088a80 4e36a8c0 00008900 tcpip!UDPDeliver+0x1be
80893d0c f792c236 82241870 f136a8c0 4e36a8c0 tcpip!UDPRcv+0x164
80893d6c f794ecb9 00000020 82241870 f7933238 tcpip!DeliverToUser+0x189
80893de8 f793d9d8 82237690 82241870 8227b00e tcpip!DeliverToUserEx+0x951
80893e7c f792a684 82241870 8227b022 00000046 tcpip!IPRcvPacket+0x6e1
80893ebc f792a517 00000000 8226a9a0 8227b000 tcpip!ARPRcvIndicationNew+0x167
80893f14 f812b605 8234aad8 8226a9a0 8232400c tcpip!ARPRcvPacket+0x2f9
80893f68 f8759da4 8236fab0 80893f88 00000001 NDIS!ethFilterDprIndicateReceivePacket+0x209
80894598 f8120466 000000d9 ffdffa40 823252cc vmxnet+0x2da4
808945b0 8082f928 823252cc 823252b8 00000000 NDIS!ndisMDpcX+0x21
80894600 80887d97 00000000 0000000e 00000000 nt!KiRetireDpcList+0xca
80894604 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x2f


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!ExAllocatePool+15
80879593 5d              pop     ebp

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  nt!ExAllocatePool+15

FOLLOWUP_NAME:  Pool_corruption

IMAGE_NAME:  Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MODULE_NAME: Pool_Corruption

FAILURE_BUCKET_ID:  0xC5_D0000002_nt!ExAllocatePool+15

BUCKET_ID:  0xC5_D0000002_nt!ExAllocatePool+15

Followup: Pool_corruption

对应代码：spath = ExAllocatePool(PagedPool,MAX_PATH_LEN);

原因分析：这里是申请PagedPool，而从错误信息看，这时候的IRQL是2，不应该使用分页内存，所以应该改为NonPagedPool