All,
Platform: Win2k8R2, Multi core CPU
We have a volume filter which is assisted by a user mode service. This duo
has a few meta data files which are maintained by the driver and used by the
service.
This driver has been put to high stress before, where these meta data files
are created and accessed at very high frequencies and updated too.
The driver opens a file and passes on the Kernel mode handle to the user for
book keeping. When ever the user mode service needs to operate on the files,
it send the handle down to the driver. The user mode code *never* uses this
handle directly.
On win2k8R2 we are running verifier tests on the duo. We encounter a strange
crash. Verifier options enabled are:
0: kd> !verifier
Verify Level 804 … enabled options are:
Inject random low-resource API failures
Miscellaneous checks enabled
Summary of All Verifier Statistics
RaiseIrqls 0x0
AcquireSpinLocks 0x0
Synch Executions 0x0
Trims 0x0
Pool Allocations Attempted 0x1a5e
Pool Allocations Succeeded 0x1a5e
Pool Allocations Succeeded SpecialPool 0xb8
Pool Allocations With NO TAG 0x0
Pool Allocations Failed 0x0
Resource Allocations Failed Deliberately 0x0
Current paged pool allocations 0x0 for 00000000 bytes
Peak paged pool allocations 0x0 for 00000000 bytes
Current nonpaged pool allocations 0x0 for 00000000 bytes
Peak nonpaged pool allocations 0x0 for 00000000 bytes
Only these two unique combinations make the crash happen. QA has tried all
other combinations, and we are sure. Even, these two when enabled
independently, doesnt make it crash.
The files are opened using the IoCreateFileSpecifyDeviceObjectHint API.
Object attributes are:
InitializeObjectAttributes(&oa,
&FileName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
FileAttribs = FILE_ATTRIBUTE_NORMAL;
// set up the “share mode” we need to allow other clients to read or write
the target file, but not to delete it
ShareAccess = FILE_SHARE_READ | FILE_SHARE_WRITE;
// set up the “open mode” we need for synchronous write-through un-buffered
file access to our workfiles
// NOTES: a) we do not need or want the system to cache our file data – we
want direct, immediate access to our file data on disk;
// b) our use of “no intermediate buffering” requires all read/write
ops to be SECTOR-MULTIPLE-ALIGNED in the file on disk;
// c) “no intermediate buffering” also requires a further alignment
of the data buffers used by this driver for read/write ops
CreateOptions = FILE_WRITE_THROUGH | FILE_RANDOM_ACCESS |
FILE_NO_INTERMEDIATE_BUFFERING | FILE_SYNCHRONOUS_IO_NONALERT;
BOOLEAN bFileBeingCreated = (CreateDisposition & FILE_CREATE) ||
(CreateDisposition & FILE_SUPERSEDE) ||
(CreateDisposition & FILE_OVERWRITE) ||
(CreateDisposition & FILE_OVERWRITE_IF);
if(bFileBeingCreated)
{
FileAttribs = FileAttribs|FILE_ATTRIBUTE_SYSTEM;
}
status = IoCreateFileSpecifyDeviceObjectHint(
&hFile,
DesiredAccess | SYNCHRONIZE,
&oa,
&IoStatus,
AllocationSize,
FileAttribs,
ShareAccess,
CreateDisposition,
CreateOptions,
0,
0,
CreateFileTypeNone,
NULL,
IO_IGNORE_SHARE_ACCESS_CHECK,
FsVolumeDeviceObject
);
after a while we get a blue screen saying that NtClose tried closing an
invalid Kernel handle. The handle value shown is actually an user mode
handle value (the high bit cleared) and as you can see (below) the other
parameters of the dump are gibberish. Also, the line where where it shows
the crash in the code is actually a ZwWriteFile call. Please note, that the
handle passed to ZwWriteFile through pIOParams->hFile is 0xffffffff`80000788
and ARG1 has the bits cleared.
0: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
INVALID_KERNEL_HANDLE (93)
This message occurs if kernel code (server, redirector, other driver, etc.)
attempts to close a handle that is not a valid handle.
Arguments:
Arg1: 0000000000000788, The handle that NtClose was called with.
Arg2: fffff8a000001a40,
Arg3: fffff8a0014bbe20
Arg4: 0000000000000001
Debugging Details:
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x93
PROCESS_NAME: MyProc64x.exe
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from fffff800017c3d92 to fffff800016d4490
STACK_TEXT:
fffff88004c926d8 fffff800
017c3d92 : 0000000000000788 fffffa80
04ffa060
0000000000000065 fffff800
01718178 : nt!RtlpBreakWithStatusInstruction
fffff88004c926e0 fffff800
017c4b7e : fffff8a000000003 00000000
00000000
fffff800017189d0 00000000
00000093 : nt!KiBugCheckDebugBreak+0x12
fffff88004c92740 fffff800
016dc744 : 0000000000000000 fffff880
01969b9d
0000000000000788 00000000
00000000 : nt!KeBugCheck2+0x71e
fffff88004c92e10 fffff800
019364db : 0000000000000093 00000000
00000788
fffff8a000001a40 fffff8a0
014bbe20 : nt!KeBugCheckEx+0x104
fffff88004c92e50 fffff800
016db8d3 : 0000000000000000 00000000
00000000
0000000000000000 00000000
00000000 : nt! ?? ::NNGAKEGL::string'+0x54c34 fffff880
04c92f50 fffff800016d7e70 : fffff800
01b6709e fffff88004c935e0 fffff800
01b74d3d fffffa800462dc60 : nt!KiSystemServiceCopyEnd+0x13 fffff880
04c93158 fffff80001b6709e : fffff880
04c935e0 fffff80001b74d3d fffffa80
0462dc60 fffff88004c93c60 : nt!KiServiceLinkage fffff880
04c93160 fffff88001969b9d : ffffffff
80000788 fffffa800462dc60 fffff880
04c93c60 fffffa8004903030 : nt!VfZwWriteFile+0xce fffff880
04c931e0 fffff8800196505d : fffffa80
04903030 fffffa8005102acc fffff880
04c93870 fffff88004c93844 : MyDrv!MyDrvIO+0xead fffff880
04c937f0 fffff88001965c34 : fffffa80
04903030 fffffa800462dc60 fffff880
04c938e0 fffff88004c938e0 : MyDrv!MyDrvIoCtl+0x6fd fffff880
04c938d0 fffff80001b7f750 : fffffa80
04903030 fffffa800462dc60 fffffa80
0462dc60 0000000000000000 : MyDrv!MyDrvDispatchDeviceControl+0x1f4@ 962] fffff880
04c93970 fffff800019f6f97 : fffffa80
045ee7d0 fffff88004c93c60 fffffa80
045ee7d0 fffffa800462dc60 : nt!IovCallDriver+0xa0 fffff880
04c939d0 fffff800019f77f6 : 00000000
00000000 0000000000000000 00000000
00000000 0000000000000000 : nt!IopXxxControlFile+0x607 fffff880
04c93b00 fffff800016db8d3 : fffffa80
04f86060 0000000000000001 fffffa80
04ffa060 fffff800019d3a34 : nt!NtDeviceIoControlFile+0x56 fffff880
04c93b70 000000007740138a : 000007fe
fd5ab939 0000000000000000 00000000
00000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 00000000
0012d528 000007fefd5ab939 : 00000000
00000000 0000000000000000 00000000
00000000 0000000000000000 : ntdll!NtDeviceIoControlFile+0xa 00000000
0012d530 00000000772a683f : 00000000
90ff2818 000000000012ece0 00000000
00000000 00000001400189cb : KERNELBASE!DeviceIoControl+0x75 00000000
0012d5a0 0000000140016563 : 00000000
00000000 000000000012ece0 00000000
00000000 000000000012ece0 : kernel32!DeviceIoControlImplementation+0x7f 00000000
0012d5f0 000000014000ef67 : 00000000
0012dee0 0000000000000000 00000001
90ff2818 0000000000552250 : MyProc64x!MyProc64xDeviceIoControl+0x443 @ 274] <stack trimmed><br><br>STACK_COMMAND: kb<br><br>FOLLOWUP_IP:<br>MyDrv!MyDrvIO+ead<br>fffff880
01969b9d 89842488000000 mov dword ptr [rsp+88h],eax
FAULTING_SOURCE_CODE:
status = ZwWriteFile(pIOParams->hFile,
NULL,
NULL,
NULL,
1149: &IoStatus,
1150: pBuff,
1151: MyDrv_FILESIZE_CHUNK,
1152: &Pos,
> 1153: NULL);
1154:
1155: Pos.QuadPart += MyDrv_FILESIZE_CHUNK;
1156:
1157: if (!NT_SUCCESS(status)||!NT_SUCCESS(IoStatus.Status))
1158: {
SYMBOL_STACK_INDEX: 8
SYMBOL_NAME: MyDrv!MyDrvIO+ead
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: MyDrv
IMAGE_NAME: MyDrv.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4e23de0b
FAILURE_BUCKET_ID: X64_0x93_VRF_MyDrv!MyDrvIO+ead
BUCKET_ID: X64_0x93_VRF_MyDrv!MyDrvIO+ead
Followup: MachineOwner
---------
I could really use some help with this…
Amit