Views: 1699  Replies: 2
Asking the experts about afd.sys
I wrote an intermediate-layer filter driver, passthru.sys. Running PPLive with it loaded sometimes blue-screens.
DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS (cb)
Caused by a driver not cleaning up completely after an I/O.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: f5bcffff, The calling address in the driver that locked the pages or
        if the IO manager locked the pages this points to the dispatch routine
        of the top driver on the stack to which the IRP was sent.
Arg2: f5bddecc, The caller of the calling address in the driver that locked the pages.
        If the IO manager locked the pages this points to the device object of the
        top driver on the stack to which the IRP was sent.
Arg3: 82264938, A pointer to the MDL containing the locked pages.
Arg4: 00000003, The number of locked pages.

Debugging Details:
------------------

FAULTING_IP:
afd!AfdAllocateMdlChain+b0
f5bcffff 8b45e4          mov     eax,dword ptr [ebp-1Ch]

BUGCHECK_STR:  0xCB_MINIPORT

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

PROCESS_NAME:  PPLive.exe

LAST_CONTROL_TRANSFER:  from 80510d1b to 804f9c3f

I took a look at the faulting function:

afd!AfdAllocateMdlChain+0xa3:
f5bcfff2 ff7514           push    dword ptr [ebp+14h]
f5bcfff5 ff75d4           push    dword ptr [ebp-2Ch]
f5bcfff8 56               push    esi
// the following call locks a region of memory
f5bcfff9 ff15a053bcf5     call    dword ptr [afd!_imp__MmProbeAndLockPages (f5bc53a0)]
f5bcffff 8b45e4           mov     eax,dword ptr [ebp-1Ch]
f5bd0002 8930             mov     dword ptr [eax],esi
f5bd0004 8975e4           mov     dword ptr [ebp-1Ch],esi

The odd thing is that nowhere in the whole function can I find a call to an unlock routine. So I then looked at AfdSendDatagram, which calls AfdAllocateMdlChain:

afd!AfdSendDatagram+0x70:
f5bddea7 8b03             mov     eax,dword ptr [ebx]
f5bddea9 8945c4           mov     dword ptr [ebp-3Ch],eax
f5bddeac 8b4b04           mov     ecx,dword ptr [ebx+4]
f5bddeaf 894dc0           mov     dword ptr [ebp-40h],ecx
f5bddeb2 8b5334           mov     edx,dword ptr [ebx+34h]
f5bddeb5 8955d0           mov     dword ptr [ebp-30h],edx
f5bddeb8 8b5330           mov     edx,dword ptr [ebx+30h]
f5bddebb 8955e0           mov     dword ptr [ebp-20h],edx
f5bddebe 8d55cc           lea     edx,[ebp-34h]
f5bddec1 52               push    edx
f5bddec2 6a00             push    0
f5bddec4 51               push    ecx
f5bddec5 50               push    eax
f5bddec6 56               push    esi
f5bddec7 e88a20ffff       call    afd!AfdAllocateMdlChain (f5bcff56)
f5bddecc 8945e4           mov     dword ptr [ebp-1Ch],eax
f5bddecf 834dfcff         or      dword ptr [ebp-4],0FFFFFFFFh
f5bdded3 eb2d             jmp     afd!AfdSendDatagram+0xc1 (f5bddf02)

No matching unlock call here either. Could afd.sys itself be designed wrong? Can a bug in passthru.sys cause a fault inside afd.sys? I'd be very grateful if someone familiar with the Windows kernel could help analyze this.
#1
Posted: 2008-11-24 10:28
Normally the pages are unlocked when the IRP completes: IoCompleteRequest calls MmUnlockPages internally. Don't suspect afd.sys; check your own driver carefully.
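The reply above describes a lifecycle worth seeing end to end: AfdAllocateMdlChain locks pages as it builds the chain, and the only place they are released is IoCompleteRequest walking Irp->MdlAddress when the IRP completes. The user-mode C program below is an added example, not code from the thread or from Windows; the MODEL_* types and functions are a constructed stand-in for the MDL, IRP, MmProbeAndLockPages, MmUnlockPages and IoCompleteRequest behaviour (no WDK headers are used), and the chain size of three one-page MDLs is a constructed value, not derived from the crash dump. It contrasts a filter that forwards the IRP so the stack completes it with a filter that discards the IRP without completing it, which is exactly the accounting imbalance that bugcheck 0xCB reports at process exit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed model of an MDL: a chain through Next, as Irp->MdlAddress is. */
typedef struct MODEL_MDL {
    struct MODEL_MDL *Next;
    size_t PageCount;
    int Locked;
} MODEL_MDL;

/* Constructed model of an IRP: only the fields this example needs. */
typedef struct MODEL_IRP {
    MODEL_MDL *MdlAddress;
    int Completed;
} MODEL_IRP;

/* Per-process count of locked pages; the real kernel keeps equivalent
 * bookkeeping and raises DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS when it is
 * non-zero at process teardown. */
static size_t g_locked_pages_in_process = 0;

/* Model of MmProbeAndLockPages: lock one MDL and charge its pages. */
static void model_probe_and_lock(MODEL_MDL *mdl)
{
    if (!mdl->Locked) {
        mdl->Locked = 1;
        g_locked_pages_in_process += mdl->PageCount;
    }
}

/* Model of MmUnlockPages: release one MDL and refund its pages. */
static void model_unlock_pages(MODEL_MDL *mdl)
{
    if (mdl->Locked) {
        mdl->Locked = 0;
        g_locked_pages_in_process -= mdl->PageCount;
    }
}

/* Model of AfdAllocateMdlChain: every MDL is locked here; as the poster
 * observed in the disassembly, the allocator itself never unlocks. */
static MODEL_MDL *model_allocate_mdl_chain(size_t mdl_count, size_t pages_per_mdl)
{
    MODEL_MDL *head = NULL, **tail = &head;
    for (size_t i = 0; i < mdl_count; i++) {
        MODEL_MDL *mdl = calloc(1, sizeof *mdl);
        if (!mdl) abort();
        mdl->PageCount = pages_per_mdl;
        model_probe_and_lock(mdl);
        *tail = mdl;
        tail = &mdl->Next;
    }
    return head;
}

/* Model of IoCompleteRequest: the unlock happens here, for every MDL. */
static void model_complete_request(MODEL_IRP *irp)
{
    MODEL_MDL *mdl = irp->MdlAddress;
    while (mdl) {
        MODEL_MDL *next = mdl->Next;
        model_unlock_pages(mdl);
        free(mdl);
        mdl = next;
    }
    irp->MdlAddress = NULL;
    irp->Completed = 1;
}

/* A faulty filter that tears the IRP down itself: memory goes away, the
 * lock accounting is never balanced. */
static void model_discard_irp_without_completing(MODEL_IRP *irp)
{
    MODEL_MDL *mdl = irp->MdlAddress;
    while (mdl) {
        MODEL_MDL *next = mdl->Next;
        free(mdl);          /* pages remain charged to the process */
        mdl = next;
    }
    irp->MdlAddress = NULL;
}

/* What the kernel's check at process exit amounts to in this model. */
static size_t model_locked_pages_at_process_exit(void)
{
    return g_locked_pages_in_process;
}

/* Correct filter: forwards the IRP; the lower driver completes it. Returns 0. */
static size_t scenario_filter_passes_irp_down(void)
{
    g_locked_pages_in_process = 0;
    MODEL_IRP irp = {0};
    irp.MdlAddress = model_allocate_mdl_chain(3, 1);
    model_complete_request(&irp);
    return model_locked_pages_at_process_exit();
}

/* Faulty filter: swallows the IRP. Returns the number of leaked pages (3). */
static size_t scenario_filter_swallows_irp(void)
{
    g_locked_pages_in_process = 0;
    MODEL_IRP irp = {0};
    irp.MdlAddress = model_allocate_mdl_chain(3, 1);
    model_discard_irp_without_completing(&irp);
    return model_locked_pages_at_process_exit();
}

int main(void)
{
    printf("filter forwards IRP:  %zu locked pages at exit\n", scenario_filter_passes_irp_down());
    printf("filter swallows IRP:  %zu locked pages at exit\n", scenario_filter_swallows_irp());
    return 0;
}
```

The point for debugging the real driver is the one the reply makes: the lock lives in afd's allocator and the unlock lives in I/O completion, so a filter that holds, re-issues or frees an IRP without ever letting the original complete will be blamed under the name of the driver that locked the pages, even though the fault is in the filter.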
#2
Posted: 2008-11-24 15:20
Thanks for the pointer; I'll go back and check my code again.