FltAllocateContext causes IRQL_NOT_LESS_OR_EQUAL

Hi, I’m developing an FSFilterSystem driver, and I get an “IRQL_NOT_LESS_OR_EQUAL” BSOD when I’m trying to allocate the instance context (in the InstanceSetupCallback).
I added a test to check the IRQL, and it seems like the IRQL was at passive level before calling FltAllocateContext, so it was probably raised while allocating the buffer… I also tried to replace the call with ExAllocatePoolWithTag, but the behavior stays the same.
Does anyone know what can cause this BSOD and how to avoid it?


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: ffffe38410eb5022, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8053ac57ce8, address which referenced memory

Debugging Details:

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 6562

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-V7FOB5H

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.mSec
Value: 227576

Key  : Analysis.Memory.CommitPeak.Mb
Value: 78

Key  : Analysis.System
Value: CreateObject

Key  : WER.OS.Branch
Value: rs5_release

Key  : WER.OS.Timestamp
Value: 2018-09-14T14:34:00Z

Key  : WER.OS.Version
Value: 10.0.17763.1

ADDITIONAL_XML: 1

OS_BUILD_LAYERS: 1

BUGCHECK_CODE: a

BUGCHECK_P1: ffffe38410eb5022

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8053ac57ce8

READ_ADDRESS: ffffe38410eb5022 Nonpaged pool

PROCESS_NAME: System

TRAP_FRAME: fffff40a38405b40 -- (.trap 0xfffff40a38405b40)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000002bed rbx=0000000000000000 rcx=00000000000ae000
rdx=78616fec48ad0a4e rsi=0000000000000000 rdi=0000000000000000
rip=fffff8053ac57ce8 rsp=fffff40a38405cd0 rbp=fffff40a38405d70
r8=0000000078616fec r9=0000000000000000 r10=ffffe38410eb5000
r11=0000000000ff0000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!RtlpHpVsContextAllocateInternal+0x208:
fffff8053ac57ce8 410fb74a22 movzx ecx,word ptr [r10+22h] ds:ffffe38410eb5022=???
Resetting default scope

LOCK_ADDRESS: fffff8053aed9ee0 -- (!locks fffff8053aed9ee0)

Resource @ nt!PiEngineLock (0xfffff8053aed9ee0) Exclusively owned
Contention Count = 7
Threads: ffffe38419143080-01<*>
1 total locks

PNP_TRIAGE_DATA:
Lock address : 0xfffff8053aed9ee0
Thread Count : 1
Thread address: 0xffffe38419143080
Thread wait : 0x2773a

STACK_TEXT:
fffff40a38405238 fffff8053ad34402 : ffffe38410eb5022 0000000000000003 fffff40a384053a0 fffff8053ac03cb0 : nt!DbgBreakPointWithStatus
fffff40a38405240 fffff8053ad33b87 : 0000000000000003 fffff40a384053a0 fffff8053ac70ae0 000000000000000a : nt!KiBugCheckDebugBreak+0x12
fffff40a384052a0 fffff8053ac5cc07 : ffffb988eae4a000 ffffb988f0efda24 ffffe38410f63fe8 0000000000000000 : nt!KeBugCheck2+0x957
fffff40a384059c0 fffff8053ac6e2e9 : 000000000000000a ffffe38410eb5022 0000000000000002 0000000000000000 : nt!KeBugCheckEx+0x107
fffff40a38405a00 fffff8053ac6a6d4 : ffffb988fa126790 fffff40a384055e0 fffff40a38405e40 ffffb988eb236d00 : nt!KiBugCheckDispatch+0x69
fffff40a38405b40 fffff8053ac57ce8 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiPageFault+0x454
fffff40a38405cd0 fffff8053abb3926 : ffffe38411000000 00000000000000a0 fffff40a0000000c fffff8053ad9f1b2 : nt!RtlpHpVsContextAllocateInternal+0x208
fffff40a38405d40 fffff8053abb2126 : ffffe38411000000 fffff40a38405e49 0000000046534100 0000000000032670 : nt!RtlpHpVsContextAllocate+0x46
fffff40a38405dc0 fffff8053adee06d : 0000000000000000 0000000000000088 0000000046534100 ffffe384158aa660 : nt!ExAllocateHeapPool+0x9d6
fffff40a38405eb0 fffff8053dd6a0c6 : ffffe384158aa660 0000000000000000 ffffe384119e0520 fffff8053feb23e1 : nt!ExAllocatePoolWithTag+0x3d
fffff40a38405f90 fffff8053feb241e : ffffe384158aa660 0000000000000001 ffffe3841e2ddcb0 0000000000000000 : FLTMGR!FltAllocateContext+0x246
fffff40a38405fd0 fffff8053dda2634 : fffff40a38406090 ffffe38400000001 ffffe38400000008 0000000000000002 : SBox!SBox::MiniFilter::StaticAdapters::InstanceSetup+0x6e [C:\Projects\sbox\RSBox\SBox\MiniFilter\Filter.cpp @ 83]
fffff40a38406060 fffff8053dda0cbf : 0000000000000000 fffff40a38406221 ffffe3841518e5a0 0000000000000000 : FLTMGR!FltpDoInstanceSetupNotification+0x8c
fffff40a384060d0 fffff8053dda1e98 : ffffe3841e2ddcb0 ffffe3841518e5a0 ffffb98800000001 fffff40a384061f0 : FLTMGR!FltpInitInstance+0x357
fffff40a38406190 fffff8053dda2165 : 0000000000000000 ffffe3841518e5a0 0000000000000000 000000000000001a : FLTMGR!FltpCreateInstanceFromName+0x1c4
fffff40a38406270 fffff8053ddad5fc : ffffe3841518e5a0 ffffe38411f9c848 ffffe3841518e5b0 ffffe38400000022 : FLTMGR!FltpEnumerateRegistryInstances+0x15d
fffff40a38406310 fffff8053ddad4dc : ffffe38411f9c780 0000000000000000 ffffe38419aef2c0 fffff40a38406454 : FLTMGR!FltpDoVolumeNotificationForNewFilter+0xe0
fffff40a38406370 fffff8053feb15db : ffffe3841e2ddcb0 fffff40a00000000 fffff80500000001 ffffe38419aef2c0 : FLTMGR!FltStartFiltering+0x2c
fffff40a384063c0 fffff8053febb149 : fffff8053feb8017 fffff40a38406418 ffffe38416463000 0400000000020020 : SBox!DrvEnv::FLT::FilterRegisteration::StartFiltering+0x1b [C:\Projects\sbox\RSBox\ASF\DrvEnv\FLT.cpp @ 20]
fffff40a384063f0 fffff8053febb1e0 : ffffe38419aef2c0 ffffe38416463000 000000000000000a ffff56cf5bf306a6 : SBox!DriverEntry+0x149 [C:\Projects\sbox\RSBox\SBox\DriverSetup.cpp @ 41]
fffff40a38406480 fffff8053b08a2b9 : 0000000000000000 0000000000000000 ffffe38419aef2c0 0000000000001000 : SBox!GsDriverEntry+0x20 [minkernel\tools\gs_support\kmodefastfail\gs_driverentry.c @ 47]
fffff40a384064b0 fffff8053b19da6b : 0000000000000000 0000000000000000 0000000000000004 ffffb98800000004 : nt!IopLoadDriver+0x4bd
fffff40a38406690 fffff8053b17f3f2 : fffff8053adfb301 0000000000000000 ffffe38417c860a0 ffffffff80002678 : nt!PipCallDriverAddDeviceQueryRoutine+0x1b7
fffff40a38406730 fffff8053b17ee79 : 0000000000000000 fffff40a38406840 ffffe38421fdc9a0 000000000000000a : nt!PnpCallDriverQueryServiceHelper+0xda
fffff40a384067e0 fffff8053b17dfab : ffffe38421fdc9a0 fffff40a38406a18 ffffe38421fdc9a0 0000000000000000 : nt!PipCallDriverAddDevice+0x98d
fffff40a384069a0 fffff8053b1f555f : ffffe38421fdc900 ffffe38415639401 fffff40a38406ab0 ffffe38400000000 : nt!PipProcessDevNodeTree+0x1af
fffff40a38406a60 fffff8053ac02f91 : ffffe30100000003 ffffe38421fdc9a0 ffffa80000000000 0000000000000000 : nt!PiRestartDevice+0xab
fffff40a38406ab0 fffff8053abacdea : ffffe38419143080 fffff8053aed8780 ffffe3841144c730 ffffe38400000000 : nt!PnpDeviceActionWorker+0x421
fffff40a38406b70 fffff8053ab1f015 : ffffe38419143080 ffffe38411483040 ffffe38419143080 00002425b19bbdff : nt!ExpWorkerThread+0x16a
fffff40a38406c10 fffff8053ac63f7c : ffffa800258d9180 ffffe38419143080 fffff8053ab1efc0 ff004e98ff004e98 : nt!PspSystemThreadStartup+0x55
fffff40a38406c60 0000000000000000 : fffff40a38407000 fffff40a38401000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x1c

FAULTING_SOURCE_LINE: …\Filter.cpp

FAULTING_SOURCE_FILE: …\Filter.cpp

FAULTING_SOURCE_LINE_NUMBER: 83

FAULTING_SOURCE_CODE:
79: FLT_FILESYSTEM_TYPE volumeFilesystemType)
80: {
81: if (FLT_FSTYPE_NTFS != volumeFilesystemType) return STATUS_FLT_DO_NOT_ATTACH;
82: PFLT_CONTEXT context = nullptr;

83: const NTSTATUS status = FltAllocateContext(
84: fltObjects->Filter, FLT_INSTANCE_CONTEXT,
85: sizeof(SBox::MiniFilter::Filter), NonPagedPool, &context);
86: __debugbreak();
87: if (context)
88: {

SYMBOL_NAME: SBox!SBox::MiniFilter::StaticAdapters::InstanceSetup+6e

MODULE_NAME: SBox

IMAGE_NAME: SBox.sys

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 6e

FAILURE_BUCKET_ID: AV_SBox!SBox::MiniFilter::StaticAdapters::InstanceSetup

OS_VERSION: 10.0.17763.1

BUILDLAB_STR: rs5_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {8959c2e9-c730-29c3-8da3-53f0f9a13422}

Followup: MachineOwner

Corruption in the pool? Try turning on Driver Verifier for your driver as well as FltMgr.sys.
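The stack above shows the allocator itself (nt!RtlpHpVsContextAllocateInternal) faulting while it reads a header field of a pool chunk, with FltAllocateContext and InstanceSetup merely the callers that happened to allocate next. The following user-mode C program is an added illustration of that pattern and of what the suggested Driver Verifier run changes; it is not the poster's driver code and its pool layout, tags ('SBox', 'Fltm'), magic values and canary are all constructed for the demo. It models a nonpaged-pool-like arena whose chunks carry a header and a trailing canary, lets one owner overrun its buffer, and shows that an integrity walk at the next allocation blames the chunk's owner tag rather than the caller that tripped over the damage.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated pool arena. Layout, constants and tags are constructed for this
   demo and are not the Windows pool's real header format. */
#define ARENA_SIZE 4096
#define HDR_MAGIC  0x5048u
#define CANARY     0xA5A5A5A5u
#define TAG(a, b, c, d) \
    ((uint32_t)(a) | ((uint32_t)(b) << 8) | ((uint32_t)(c) << 16) | ((uint32_t)(d) << 24))

typedef struct {
    uint16_t magic; /* integrity marker the allocator checks before trusting the chunk */
    uint16_t size;  /* caller-requested size in bytes */
    uint32_t tag;   /* owner's pool tag, so a report can name the culprit */
} chunk_hdr;

_Alignas(8) static uint8_t arena[ARENA_SIZE];
static size_t arena_used;

static size_t round8(size_t n) { return (n + 7) & ~(size_t)7; }

void pool_reset(void) { memset(arena, 0, sizeof arena); arena_used = 0; }

/* Walk every chunk: header magic, then the canary that sits just past the
   user data. Returns the tag of the owner responsible for the first damage
   found, or 0 if the pool is intact. */
uint32_t pool_verify(void) {
    size_t off = 0;
    uint32_t prev_tag = 0;
    while (off < arena_used) {
        const chunk_hdr *h = (const chunk_hdr *)(arena + off);
        if (h->magic != HDR_MAGIC)           /* header smashed: blame the chunk before it */
            return prev_tag ? prev_tag : TAG('?', '?', '?', '?');
        size_t user = round8(h->size);
        uint32_t c;
        memcpy(&c, (const uint8_t *)(h + 1) + user, sizeof c);
        if (c != CANARY)
            return h->tag;                   /* this chunk's owner wrote past its end */
        prev_tag = h->tag;
        off += sizeof *h + user + sizeof c;
    }
    return 0;
}

/* Bump allocator. Like the real allocator in the crash, it touches pool
   metadata on every call; unlike it, it verifies first and refuses to
   continue on a damaged pool instead of faulting on a bad header. */
void *pool_alloc(size_t size, uint32_t tag) {
    if (pool_verify() != 0) return NULL;
    size_t user = round8(size);
    size_t span = sizeof(chunk_hdr) + user + sizeof(uint32_t);
    if (size == 0 || size > UINT16_MAX || arena_used + span > ARENA_SIZE) return NULL;
    chunk_hdr *h = (chunk_hdr *)(arena + arena_used);
    h->magic = HDR_MAGIC;
    h->size = (uint16_t)size;
    h->tag = tag;
    uint8_t *p = (uint8_t *)(h + 1);
    uint32_t c = CANARY;
    memcpy(p + user, &c, sizeof c);          /* trailing canary guards the next header */
    arena_used += span;
    return p;
}

/* The pattern from the crash dump: an earlier owner overruns its buffer, and
   the *next* allocation is where the damage surfaces. Returns the blamed tag. */
uint32_t demo_overflow(void) {
    pool_reset();
    uint8_t *ctx = pool_alloc(16, TAG('S', 'B', 'o', 'x'));
    if (!ctx) return 0;
    memset(ctx, 0x41, 20);                   /* bug: 20 bytes into a 16-byte buffer */
    void *victim = pool_alloc(32, TAG('F', 'l', 't', 'm'));
    printf("second allocation %s\n", victim ? "succeeded" : "refused: pool damaged");
    return pool_verify();
}

/* Control case: two well-behaved owners, pool stays intact. */
uint32_t demo_clean(void) {
    pool_reset();
    uint8_t *a = pool_alloc(16, TAG('S', 'B', 'o', 'x'));
    uint8_t *b = pool_alloc(32, TAG('F', 'l', 't', 'm'));
    if (!a || !b) return 0xFFFFFFFFu;
    memset(a, 0x41, 16);
    memset(b, 0x42, 32);
    return pool_verify();
}

int main(void) {
    uint32_t t = demo_overflow();
    printf("blamed tag: %c%c%c%c\n", (int)(t & 0xff), (int)((t >> 8) & 0xff),
           (int)((t >> 16) & 0xff), (int)(t >> 24));
    return 0;
}
```

The point for triage is the one the reply makes: the allocation in InstanceSetup is the victim, so the code at Filter.cpp line 83 is the wrong place to look for the bug. Driver Verifier's Special Pool option gives this kind of early, attributed failure in the real kernel by placing each allocation against an inaccessible guard page, so an overrun faults at the writing instruction in the responsible driver instead of surfacing later inside ExAllocatePoolWithTag.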