[Question] What's the frink and brink free-list?

x BlueRobot

Hey everyone,

I have a quick question: I've noticed a few bugchecks mention things like the frink and brink free-list address/chain (correct me if I'm wrong), and I was wondering what they meant. I've searched everywhere and haven't been able to find anything about them.

Any answers will be appreciated.

Thanks as always,

Harry
 
The free list, I believe, is referring to the free page list, which is a linked list of unallocated memory blocks which have previously been used but are now available. Free pages are memory blocks that happen to still have data left over from when they were released by a process and have not been scrubbed with zeroes by the Windows memory manager prior to being ready for use again.

As for that particular example you gave, the corruption is because a byte in one of the freelist entries got overwritten with a '36'. That would be one of those "too late" scenarios where the culprit has already escaped. Driver Verifier helps quite often with pool fudging.
 
To answer your original question with a technical answer, the "flink" and "blink" you were questioning describe a Forward Link and Backward Link in a linked list. Lots of structures in Windows use linked lists to keep track of things, especially the memory manager, but the FLink and the BLink are ways of validating that a linked list is still valid, what's around, etc. It can be useful for debugging, but that's what it means.
 

I've been curious as to why the bugcheck description says that the Flink and Blink should be identical to the pool entry address itself, rather than pointing to any other allocations below and above it in the list, as is expected in a doubly linked list:

Code:
Arg1: 0000000000000003, the pool freelist is corrupt.
Arg2: fffff88002301350, the pool entry being checked.
Arg3: fffff88002301350, the read back flink freelist value (should be the same as 2).
Arg4: 36fff88002301350, the read back blink freelist value (should be the same as 2).


The pool freelist is corrupt.

(In a healthy list, the values of Parameters 2, 3, and 4 should be identical.)

I assume that because they are free and therefore unused allocations that they shouldn't be chained in any way? But then that wouldn't make much of a list, would it?
 
If I remember correctly, this is the way a pool list entry is determined to be "free" and available for use. What you're seeing in that bugcheck scenario is that an address is on the free list (and thus should be available for allocation), but further basic checking for consistency says the address is actually coming back as non-free (it no longer has one address entry for the pool entry itself, and its flink and blink). Something has either overrun, underrun, or simply sprayed into the wrong address range.
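
The comparison the bugcheck text describes, as an added example that is not part of the thread and not taken from Windows source: it checks the three argument values quoted above and locates the byte that differs. It assumes the checked entry is an empty circular list head, where flink and blink both hold the entry's own address; `links_t`, `check_self_linked` and `diff_link` are illustrative names.

```c
#include <stdint.h>
#include <stdio.h>

/* Two-link shape of Windows LIST_ENTRY; links are plain values here, compared but never followed. */
typedef struct { uint64_t flink, blink; } links_t;

typedef struct {
    int     bad_bytes;  /* how many of the 8 bytes differ from expected */
    int     first_bad;  /* lowest differing byte (0 = least significant), -1 if none */
    uint8_t found;      /* byte actually present at first_bad */
    uint8_t expected;   /* byte that should be there */
} link_diff_t;

/* Values copied from the bugcheck quoted in the thread. */
static const uint64_t ARG2_ENTRY = 0xfffff88002301350ULL;
static const uint64_t ARG3_FLINK = 0xfffff88002301350ULL;
static const uint64_t ARG4_BLINK = 0x36fff88002301350ULL;

/* Assumed layout: an empty circular list, both links hold the head's own address. */
static links_t init_head(uint64_t self) { links_t l = { self, self }; return l; }

/* 0 = consistent, bit 0 set = flink wrong, bit 1 set = blink wrong. */
static int check_self_linked(uint64_t self, links_t l) {
    return (l.flink != self ? 1 : 0) | (l.blink != self ? 2 : 0);
}

/* Locate the damage inside one link value, byte by byte. */
static link_diff_t diff_link(uint64_t expected, uint64_t actual) {
    link_diff_t d = { 0, -1, 0, 0 };
    uint64_t x = expected ^ actual;          /* set bits mark the damage */
    for (int i = 0; i < 8; i++) {
        if (((x >> (8 * i)) & 0xff) == 0) continue;
        if (d.first_bad < 0) {
            d.first_bad = i;
            d.found     = (uint8_t)(actual   >> (8 * i));
            d.expected  = (uint8_t)(expected >> (8 * i));
        }
        d.bad_bytes++;
    }
    return d;
}

int main(void) {
    links_t seen = { ARG3_FLINK, ARG4_BLINK };
    link_diff_t d = diff_link(ARG2_ENTRY, seen.blink);
    printf("healthy=%d seen=%d bad_bytes=%d byte=%d found=%02x expected=%02x\n",
           check_self_linked(ARG2_ENTRY, init_head(ARG2_ENTRY)),
           check_self_linked(ARG2_ENTRY, seen), d.bad_bytes, d.first_bad, d.found, d.expected);
    return 0;
}
```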
 