I know from the crash dump analysis that there is a problem with memory usage. The function in question (IoBuildSynchronousFsdRequest(IRP_MJ_WRITE, DEVICE_OBJ, writeBuffer,
17, 0, &event, &iosb)) succeeds when IRQL = 0 and fails (crashes the system with IRQL_NOT_LESS_OR_EQUAL) when IRQL = 2. I assumed that memory for one of the inputs was getting paged out so I moved all of them into the FILTER_EXTENSION for my DEVICE_OBJECT. I expected that to resolve the problem but it didn’t.
The following is the latest minidump output:
Microsoft (R) Windows Debugger Version 10.0.10586.567 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\052316-27234-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 10586 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 10586.306.x86fre.th2_release_sec.160422-1850
Machine Name:
Kernel base = 0x8221b000 PsLoadedModuleList = 0x82421138
Debug session time: Mon May 23 09:41:45.815 2016 (UTC - 5:00)
System Uptime: 0 days 0:15:04.814
Loading Kernel Symbols
…
…
…
Loading User Symbols
Loading unloaded module list
…
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {4, 2, 0, 8229d5ab}
Unable to load image \SystemRoot\System32\drivers\filter.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for filter.sys
*** ERROR: Module load completed but symbols could not be loaded for filter.sys
Probably caused by : filter.sys ( filter+3b00 )
Followup: MachineOwner
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 8229d5ab, address which referenced memory
Debugging Details:
DUMP_CLASS: 1
DUMP_QUALIFIER: 400
BUILD_VERSION_STRING: 10586.306.x86fre.th2_release_sec.160422-1850
SYSTEM_MANUFACTURER: TOSHIBA
SYSTEM_PRODUCT_NAME: Satellite A205
SYSTEM_VERSION: PSAF3U-0P900V
BIOS_VENDOR: Phoenix Technologies LTD
BIOS_VERSION: 1.70
BIOS_DATE: 11/06/2007
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: SANTA ROSA CRB
BASEBOARD_VERSION: Not Applicable
DUMP_TYPE: 2
BUGCHECK_P1: 4
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: ffffffff8229d5ab
READ_ADDRESS: 82444174: Unable to get MiVisibleState
00000004
CURRENT_IRQL: 2
FAULTING_IP:
nt!IopQueueThreadIrp+3b
8229d5ab 397804 cmp dword ptr [eax+4],edi
CPU_COUNT: 2
CPU_MHZ: 63c
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: f
CPU_STEPPING: d
CPU_MICROCODE: 6,f,d,0 (F,M,S,R) SIG: A4’00000000 (cache) A4’00000000 (init)
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: System
ANALYSIS_SESSION_HOST: DESKTOP-R0HPEF9
ANALYSIS_SESSION_TIME: 05-23-2016 11:03:36.0635
ANALYSIS_VERSION: 10.0.10586.567 x86fre
TRAP_FRAME: 838f65a8 – (.trap 0xffffffff838f65a8)
ErrCode = 00000000
eax=00000000 ebx=82456888 ecx=b1089de0 edx=82456900 esi=b1089df0 edi=82456814
eip=8229d5ab esp=838f661c ebp=838f662c iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!IopQueueThreadIrp+0x3b:
8229d5ab 397804 cmp dword ptr [eax+4],edi ds:0023:00000004=???
Resetting default scope
LAST_CONTROL_TRANSFER: from 82344e1a to 82332f0c
STACK_TEXT:
838f6500 82344e1a 0000000a 00000004 00000002 nt!KiBugCheck2
838f6500 8229d5ab 0000000a 00000004 00000002 nt!KiTrap0E+0x1ca
838f662c 8253303e 960a290c 960a28b0 838f6668 nt!IopQueueThreadIrp+0x3b
838f663c 82532fff 00000004 960a28b0 976c6504 nt!IopBuildSynchronousFsdRequest+0x34
838f6668 b5033b00 00000004 960a28b0 976c6504 nt!IoBuildSynchronousFsdRequest+0x23
WARNING: Stack unwind information not available. Following frames may be wrong.
838f66c0 b5034d34 000000f0 69e4e7d0 00000041 filter+0x3b00
838f66e0 b50316a9 b825f2e9 00000010 69e4e7d0 filter+0x4d34
838f6718 8680afc5 69e4e7d0 69f4e0c8 838f673c filter+0x16a9
838f6778 8680ab47 b350a198 96199ef0 ccdf0650 Wdf01000!FxRequestBase::CompleteSubmitted+0x1e5 [d:\th\minkernel\wdf\framework\shared\core\fxrequestbase.cpp @ 523]
838f6790 82311410 96199ef0 00df0650 011b1828 Wdf01000!FxIoTarget::_RequestCompletionRoutine+0xa7 [d:\th\minkernel\wdf\framework\shared\targets\general\fxiotarget.cpp @ 2448]
838f67b4 82299590 96199ef0 ccdf0650 b350a198 nt!IopUnloadSafeCompletion+0x3c
838f6818 86e110e2 96004f78 9618a608 00000010 nt!IopfCompleteRequest+0x240
838f6848 86e18ee9 00000011 00000000 96002edf HIDCLASS!HidpDistributeInterruptReport+0xdc
838f6884 82299590 00000000 96002db8 9618a608 HIDCLASS!HidpInterruptReadComplete+0x6b2d
838f68e8 8ee10868 8b8a3028 ccdab010 8b8a3bf0 nt!IopfCompleteRequest+0x240
838f6aac 8ee0ec64 ccdab010 8b8a3bf0 8ee0cc02 USBPORT!USBPORT_Core_iCompleteDoneTransfer+0x858
838f6ae0 8ee0ba4b 8b8a3bf0 30600802 8b8a3028 USBPORT!USBPORT_Core_iIrpCsqCompleteDoneTransfer+0x204
838f6b1c 8ee0b89f 8b8a3028 8b8a3bf0 30600802 USBPORT!USBPORT_Core_UsbIocDpc_Worker+0x17b
838f6b68 8228c4f9 8b8a3bfc 8b8a3bf0 00000000 USBPORT!USBPORT_Xdpc_Worker_IocDpc+0x1df
838f6c20 8228c140 838f6c68 00000000 b115cb40 nt!KiExecuteAllDpcs+0x209
838f6d44 8234608c 00000000 00000000 00000000 nt!KiRetireDpcList+0xe0
838f6d48 00000000 00000000 00000000 00000000 nt!KiIdleLoop+0x38
STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: b8d8e046d0f8e705d8162191d3afe8490b0a5364
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 69ed62acbd531ec5a3f80a5f65472a573b2e50e3
THREAD_SHA1_HASH_MOD: d0c8ebc4d3397884f0e77cd9d47f839605e0c795
FOLLOWUP_IP:
filter+3b00
b5033b00 8b15e07503b5 mov edx,dword ptr [filter+0x75e0 (b50375e0)]
FAULT_INSTR_CODE: 75e0158b
SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: filter+3b00
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: filter
IMAGE_NAME: filter.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 57431600
BUCKET_ID_FUNC_OFFSET: 3b00
FAILURE_BUCKET_ID: AV_filter!Unknown_Function
BUCKET_ID: AV_filter!Unknown_Function
PRIMARY_PROBLEM_CLASS: AV_filter!Unknown_Function
TARGET_TIME: 2016-05-23T14:41:45.000Z
OSBUILD: 10586
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 784
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS Personal
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2016-04-22 23:03:31
BUILDDATESTAMP_STR: 160422-1850
BUILDLAB_STR: th2_release_sec
BUILDOSVER_STR: 10.0.10586.306.x86fre.th2_release_sec.160422-1850
ANALYSIS_SESSION_ELAPSED_TIME: 32e5
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_filter!unknown_function
FAILURE_ID_HASH: {f9f66cdc-c963-a425-c4cd-4e80361036a9}
Followup: MachineOwner