Crash while removing flow context

Pluto_Koder Member Posts: 7
Hi,

In my WFP driver, I am getting a BSOD while unloading the driver. Following is the dump with Driver Verifier:

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000018, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff802c9c517b0, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
0000000000000018

CURRENT_IRQL: 2

FAULTING_IP:
tcpip!TcpValidateReceive+64
fffff802`c9c517b0 837f1814 cmp dword ptr [rdi+18h],14h

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: System

TAG_NOT_DEFINED_c000000f: FFFFF80194081FB0

TRAP_FRAME: fffff801940809a0 -- (.trap 0xfffff801940809a0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffdb0c07b68030 rbx=0000000000000000 rcx=0000000000000002
rdx=ffffdb0c03251000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff802c9c517b0 rsp=fffff80194080b30 rbp=ffffdb0c0310b8f0
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=fffff80194080990 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
tcpip!TcpValidateReceive+0x64:
fffff802`c9c517b0 837f1814 cmp dword ptr [rdi+18h],14h ds:00000000`00000018=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80191e16529 to fffff80191e03430

STACK_TEXT:

fffff801`94080b30 fffff802`c9c2c6dc : 00000000`00056069 00000000`00000001 ffffdb0c`03251000 00000000`00000000 : tcpip!TcpValidateReceive+0x64
fffff801`94080bd0 fffff802`c9c587b2 : ffffdb0c`0310b8f0 00000000`00000000 00000000`00000000 ffffdb0c`0310b890 : tcpip!TcpReceive+0x42c
fffff801`94080ca0 fffff802`c9c097fe : 00000000`00000000 fffff801`91c12356 00000000`00000000 00000000`00000000 : tcpip!TcpNlClientReceiveDatagrams+0x22
fffff801`94080ce0 fffff802`c9c09453 : 00000000`00000000 00000000`00000000 fffff801`94080e70 fffff802`c9da4000 : tcpip!IppDeliverListToProtocol+0x6a
fffff801`94080da0 fffff802`c9c29c8f : 00000000`00000000 fffff801`91e0455d ffffdb0c`03ec4180 00000000`00000000 : tcpip!IppProcessDeliverList+0x63
fffff801`94080e10 fffff802`c9c29767 : fffff802`c9da4000 ffffdb0c`0314a940 00000000`00000000 ffffdb0c`08188a00 : tcpip!IppReceiveHeaderBatch+0x25f
fffff801`94080f10 fffff802`c9be6b7c : ffffdb0c`08189530 ffffdb0c`07b68030 00000000`00000001 00000000`00000000 : tcpip!IppFlcReceivePacketsCore+0x317
fffff801`94081030 fffff802`c9be68b6 : ffffdb0c`07b68030 00000000`00000000 fffff801`94081148 00000000`00000000 : tcpip!IpFlcReceivePackets+0xc
fffff801`94081060 fffff802`c9c2a798 : ffffdb0c`08180002 fffff801`00000001 fffff802`c9c44c70 00000000`00000001 : tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x256
fffff801`94081140 fffff801`91d1e7fb : ffffdb0c`03129860 ffffdb0c`039c2700 fffff802`c9c2a640 fffff801`94081410 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x158
fffff801`94081270 fffff801`91d1e75d : ffffdb0c`03132980 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeExpandKernelStackAndCalloutInternal+0x8b
fffff801`940812c0 fffff802`c9c44907 : 00000000`00000000 fffff802`c904652d ffffdb0c`05aecb70 ffffdb0c`04bfffc0 : nt!KeExpandKernelStackAndCalloutEx+0x1d
fffff801`94081300 fffff802`c9c43f83 : 00000000`00000001 fffff801`94081460 ffffdb0c`08187010 00000000`00000000 : tcpip!NetioExpandKernelStackAndCallout+0x87
fffff801`94081360 fffff802`c8f14fae : ffffdb0c`041051a0 ffffdb0c`08194561 00000000`00000001 00000000`00000001 : tcpip!FlReceiveNetBufferListChain+0x243
fffff801`94081590 fffff802`c8f14c81 : ffffdb0c`08157a01 fffff802`c83f0000 00000000`00000000 fffff802`00000001 : ndis!ndisMIndicateNetBufferListsToOpen+0x13e
fffff801`94081660 fffff802`c8f15583 : ffffdb0c`041051a0 fffff801`94081801 fffff802`c8f14a50 ffffdb0c`041051a0 : ndis!ndisMTopReceiveNetBufferLists+0x231
fffff801`94081760 fffff802`c8f1498e : 000a3078`30206e6f 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!ndisCallReceiveHandler+0x43
fffff801`940817b0 fffff802`cad4f979 : ffffdb0c`04eb71c0 00000000`00000001 ffffdb0c`05603750 fffff802`cab93cf4 : ndis!NdisMIndicateReceiveNetBufferLists+0x5ae
fffff801`94081920 fffff802`cacdbc71 : ffffdb0c`04ec8120 00000000`00000000 00000000`00000000 ffffdb0c`0558a000 : NETwew01!doApiIndicateReceiveNbl+0x9d
fffff801`94081960 fffff802`cab94515 : ffffdb0c`03229930 00000000`3534a77c 00000000`00000001 ffffdb0c`009fd1ff : NETwew01!mStatFldConstructor+0x161
fffff801`940819d0 fffff802`cab8f662 : 00000000`00000001 fffff801`91d4c596 fffff801`91ffc5ff 00000000`00000000 : NETwew01!rfdQueueProcessFragments+0x1e5
fffff801`94081a70 fffff802`cab8ace0 : fffff801`91b7e100 ffffdb0c`05652b90 ffffdb0c`02250000 fffff801`91d42054 : NETwew01!isrHandlerRoutineInta+0x1f2
fffff801`94081af0 fffff802`cad56076 : ffffdb0c`05825000 fffff801`91d422df 00000000`00000002 ffffdb0c`01bfb040 : NETwew01!alonExInterruptHandlerRoutine+0x1c
fffff801`94081b20 fffff802`c8f0a4cd : ffffdb0c`01bfb040 fffff801`91d41e9c ffffdb0c`0582500e ffffdb0c`06155001 : NETwew01!oscHandleInterrupt+0x12
fffff801`94081b50 fffff801`91d53ee2 : 00000000`00000000 ffffdb0c`014df000 ffffdb0c`0614f5e0 fffff801`00000002 : ndis!ndisInterruptDpc+0x17d
fffff801`94081c70 fffff801`91d535df : 00000000`0000001c 00000000`00000000 00000000`0026a7c7 fffff801`91b7e180 : nt!KiExecuteAllDpcs+0x1d2
fffff801`94081db0 fffff801`91e0a725 : 00000000`00000000 fffff801`91b7e180 ffff9201`f52371f0 00000000`00000000 : nt!KiRetireDpcList+0xdf
fffff801`94081fb0 fffff801`91e0a530 : ffffa3e4`7397a97f ffff9908`1af17000 fffffecc`840f75a0 00000000`00006a8b : nt!KxRetireDpcList+0x5
ffff9201`f5237140 fffff801`91e07a56 : 00000000`00006a8b 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchInterruptContinue
ffff9201`f5237170 fffff801`91cf132c : 00000000`00000002 fffff801`920146a0 3fffffff`ffffffff ffff9201`f52376c0 : nt!KiDpcInterrupt+0x3a6
ffff9201`f5237300 fffff801`91cf1670 : 00000000`00000000 fffff801`920146a0 00000000`00000000 00000000`00000000 : nt!MiWalkPageTablesRecursively+0x31c
ffff9201`f52373c0 fffff801`91cf1670 : 00000000`00000000 fffff801`920146a0 00000000`00000000 00000000`00000000 : nt!MiWalkPageTablesRecursively+0x660
ffff9201`f5237480 fffff801`91cf1670 : 00000000`00000000 00000000`00000001 00000000`00000001 00000000`00000000 : nt!MiWalkPageTablesRecursively+0x660
ffff9201`f5237540 fffff801`91cf0f4f : fffff801`92014300 00000000`00000300 ffff9600`00007000 ffff9201`f5237620 : nt!MiWalkPageTablesRecursively+0x660
ffff9201`f5237600 fffff801`91c9c8c9 : fffff801`00000000 fffff801`91c9f010 fffff801`920142b0 fffff801`91eb4b0c : nt!MiWalkPageTables+0x20f
ffff9201`f52376a0 fffff801`91ea81ae : 00000000`00000001 fffff801`920146a0 fffff801`920146a0 00000000`00000001 : nt!MiEmptyWorkingSet+0x105
ffff9201`f5237840 fffff801`91ea92ad : ffffb082`00000000 00000000`0000c99c 00000000`00000000 fffff801`91d31474 : nt!MiEmptyTargetedWorkingSet+0x6e
ffff9201`f5237890 fffff801`9242ea3a : 00000000`00000000 fffff801`00000000 fffff801`922035a0 ffffdb0c`0084be38 : nt!MiTrimAllSystemPagableMemory+0xdd
ffff9201`f52378e0 fffff801`92443555 : ffff9201`f5232000 ffff9201`f5238000 fffff801`8f413202 00000ae3`5fb30f8a : nt!MmVerifierTrimMemory+0x6a
ffff9201`f5237910 fffff801`92443206 : fffff801`8f413210 ffffdb0c`0a9cbe60 00000000`00000000 00000000`00000600 : nt!ViKeRaiseIrqlSanityChecks+0xa5
ffff9201`f5237950 fffff801`92441dd2 : 00000000`00000000 fffff801`9242f4ea ffffb082`cb52ef70 fffff801`8f410000 : nt!ViKeAcquireSpinLockRaiseToDpcCommon+0x2a
ffff9201`f5237980 fffff801`8f40de33 : 00000000`00000000 ffffdb0c`0a9cbe60 fffff801`8f4119f8 fffff801`8f3f0016 : nt!VerifierKeAcquireSpinLockRaiseToDpc+0x12
ffff9201`f52379c0 fffff801`8f40f90b : fffff801`8f4113c8 fffff801`0000010f fffff801`8f4119f8 00000000`00000043 : mydriver!EmptyFlowsContextQ+0xb3
ffff9201`f5237a20 fffff801`8f40daa6 : 00000007`00020018 00000000`00000043 fffff801`8f4119f8 00000000`00000000 : mydriver!UnregisterCallouts+0x9b
ffff9201`f5237a60 fffff802`c90fc43b : ffffdb0c`0a9cbe60 00000000`00000000 ffffdb0c`039c2700 fffff801`91cc98a4 : mydriver!DriverUnload+0x86
ffff9201`f5237ad0 fffff801`9244b661 : ffffdb0c`039c2700 00000000`00000000 ffffdb0c`0088e210 ffff9201`f8efb770 : VerifierExt!xdv_DriverUnload_wrapper+0x7b
ffff9201`f5237b00 fffff801`922eb96b : 00000000`00000010 fffff801`922035a0 00000000`00000010 00000000`00210246 : nt!ViGenericDriverUnload+0x31
ffff9201`f5237b40 fffff801`91cc94d5 : ffffdb0c`0088e210 ffffdb0c`039c2700 fffff802`c985cf00 ffffdb0c`039c2700 : nt!IopLoadUnloadDriver+0xe83cb
ffff9201`f5237b80 fffff801`91da4b87 : ffffdb0c`039c2700 00000000`00000080 ffffdb0c`0089b040 ffffdb0c`039c2700 : nt!ExpWorkerThread+0xf5
ffff9201`f5237c10 fffff801`91e0abe6 : ffff8000`d87e9180 ffffdb0c`039c2700 fffff801`91da4b40 00000000`00000000 : nt!PspSystemThreadStartup+0x47
ffff9201`f5237c60 00000000`00000000 : ffff9201`f5238000 ffff9201`f5232000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16.


Can anyone suggest what the possible reason could be?

Comments

  • Tim_Roberts Member Posts: 13,496
    "[email protected] windbg"@lists.osr.com wrote:
    > In my WFP driver, I am getting BSOD while unloading driver. Following is the dump with driver verifier:

    You are causing tcpip.sys to dereference a null pointer.  My guess is
    that you have allowed yourself to be unloaded without unhooking yourself
    from whatever callbacks you registered.

    --
    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.


  • Pluto_Koder Member Posts: 7
    I have verified that all the callouts are unregistered before unloading the driver.
    In the driver I have registered a flow-established callout for the "Stream layer" and the "Datagram layer". So in driver unload, before unregistering these callouts, I am removing and freeing the previously associated flow contexts. This is the point where the crash happens.
    The line at which the dump occurs is "KeAcquireSpinLock()". This is the lock acquired before accessing the flow context list.

    In the dump, the following part of the call stack is from my driver:
    fffff801`8f4119f8 00000000`00000043 : mydriver!EmptyFlowsContextQ+0xb3
    ffff9201`f5237a20 fffff801`8f40daa6 : 00000007`00020018 00000000`00000043 fffff801`8f4119f8 00000000`00000000 : mydriver!UnregisterCallouts+0x9b
    ffff9201`f5237a60 fffff802`c90fc43b : ffffdb0c`0a9cbe60 00000000`00000000 ffffdb0c`039c2700 fffff801`91cc98a4 : mydriver!DriverUnload+0x86
  • Scott_Noone_(OSR) Administrator Posts: 3,302
    Enable Driver Verifier for your driver and tcpip.sys. You might be
    corrupting something that Verifier can catch earlier.

    -scott
    OSR
    @OSRDrivers


  • Tim_Roberts Member Posts: 13,496
    On Feb 20, 2018, at 9:54 PM, [email protected] wrote:
    >
    > I have verified that all the callouts are unregistered before unloading driver.
    > In the driver i have registered flow establish callout for "Stream layer" and "Datagram layer". So in driver unload before unregistering these callouts I am removing and freeing the previously associated flow context. And this is the point where crash happens.

    I don't know the flow of a filter driver like this, but don't you need to guarantee that the contexts remain valid until the callouts are unregistered? Otherwise, you might get a callback, and here you've freed all of the structures.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.


  • Pluto_Koder Member Posts: 7
    Thanks for the helpful suggestions.

    I reviewed the code and found there was a synchronization issue between the "EmptyFlowContext" and "FlowDelete" functions. We corrected that and the issue was solved.

    Thanks
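The hand-off the thread converges on (Tim's point that contexts must stay valid until the callouts are gone, and the poster's fix of synchronizing the unload-time drain with the flow-delete callback) can be modelled without a kernel. The following is an added example, not code from the thread, from OSR, or from the WDK: a user-mode model in which `flow_ctx`, `flow_table`, `flow_delete_fn`, `mock_FwpsFlowRemoveContext`, `empty_flows_unsynchronized`, `empty_flows_synchronized` and `run_scenario` are all hypothetical stand-ins. The spin lock is a flag that records a recursive acquire (a hang on real hardware), and contexts come from a small pool with a state field so that a second release is recorded instead of becoming undefined behaviour. The rule it demonstrates is that whichever party detaches an entry from the list under the lock owns it and frees it; the other party finds the entry already gone and does nothing.

```c
/* Added example (not from the thread, OSR, or the WDK): user-mode model of a
 * WFP flow-context list shared between flowDeleteFn and DriverUnload. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FLOWS 8
enum { CTX_FREE = 0, CTX_LIVE, CTX_FREED };

/* Per-flow context the driver would hand to FwpsFlowAssociateContext. */
typedef struct flow_ctx {
    struct flow_ctx *next;
    uint64_t flow_id;
    int in_list;   /* 1 while linked; cleared by whoever detaches it */
    int state;     /* pool state instead of real free(), so misuse is observable */
} flow_ctx;

typedef struct {
    flow_ctx pool[MAX_FLOWS];
    flow_ctx *head;
    int lock_held;    /* stands in for the KSPIN_LOCK guarding the list */
    int freed;        /* contexts released exactly once */
    int double_free;  /* a context released twice (use-after-free in a real driver) */
    int deadlock;     /* lock re-acquired while already held (hang on real hardware) */
} flow_table;

static void lock(flow_table *t)   { if (t->lock_held) t->deadlock = 1; t->lock_held = 1; }
static void unlock(flow_table *t) { t->lock_held = 0; }

static void release(flow_table *t, flow_ctx *ctx) {
    if (ctx->state != CTX_LIVE) { t->double_free = 1; return; }
    ctx->state = CTX_FREED;
    t->freed++;
}

static flow_ctx *associate(flow_table *t, uint64_t flow_id) {
    flow_ctx *ctx = NULL;
    for (int i = 0; i < MAX_FLOWS && !ctx; i++)
        if (t->pool[i].state == CTX_FREE) ctx = &t->pool[i];
    if (!ctx) return NULL;
    ctx->flow_id = flow_id;
    ctx->state = CTX_LIVE;
    lock(t);
    ctx->next = t->head; t->head = ctx; ctx->in_list = 1;
    unlock(t);
    return ctx;
}

/* Unlink ctx if still linked. Caller holds the lock. Returns 1 if the caller
 * now owns ctx and must release it, 0 if another party already took it. */
static int detach_locked(flow_table *t, flow_ctx *ctx) {
    if (!ctx->in_list) return 0;
    for (flow_ctx **pp = &t->head; *pp; pp = &(*pp)->next)
        if (*pp == ctx) { *pp = ctx->next; ctx->in_list = 0; return 1; }
    return 0;
}

/* flowDeleteFn model: runs when a flow ends on its own or when the driver asks
 * the engine to remove the context. Only the party that detaches frees. */
static void flow_delete_fn(flow_table *t, flow_ctx *ctx) {
    lock(t);
    int owned = detach_locked(t, ctx);
    unlock(t);
    if (owned) release(t, ctx);
}

/* FwpsFlowRemoveContext model: the engine invokes flowDeleteFn before returning. */
static void mock_FwpsFlowRemoveContext(flow_table *t, flow_ctx *ctx) { flow_delete_fn(t, ctx); }

/* Unload drain with the lock held across the whole walk: the callback
 * re-enters the lock, and the drain releases what the callback already released. */
static void empty_flows_unsynchronized(flow_table *t) {
    lock(t);
    for (flow_ctx *ctx = t->head, *next; ctx; ctx = next) {
        next = ctx->next;
        mock_FwpsFlowRemoveContext(t, ctx);
        release(t, ctx);
    }
    unlock(t);
}

/* Corrected drain: pop one entry under the lock, drop the lock, then ask the
 * engine to remove it. The callback finds it detached and does nothing. */
static void empty_flows_synchronized(flow_table *t) {
    for (;;) {
        lock(t);
        flow_ctx *ctx = t->head;
        if (ctx) detach_locked(t, ctx);
        unlock(t);
        if (!ctx) break;
        mock_FwpsFlowRemoveContext(t, ctx);
        release(t, ctx);
    }
}

/* Constructed scenario: three flows, flow 2 ends on its own before unload
 * (engine-initiated flowDeleteFn), then DriverUnload drains the rest. */
static void run_scenario(int synchronized, flow_table *t) {
    memset(t, 0, sizeof *t);
    associate(t, 1);
    flow_ctx *f2 = associate(t, 2);
    associate(t, 3);
    flow_delete_fn(t, f2);
    if (synchronized) empty_flows_synchronized(t); else empty_flows_unsynchronized(t);
}

int main(void) {
    flow_table t;
    for (int s = 0; s < 2; s++) {
        run_scenario(s, &t);
        printf("%s: freed=%d double_free=%d deadlock=%d\n",
               s ? "synchronized" : "unsynchronized", t.freed, t.double_free, t.deadlock);
    }
    return 0;
}
```

Running it shows the unsynchronized drain setting both the recursive-lock and double-release flags, while the synchronized drain releases each of the three contexts exactly once and leaves the list empty. A real driver has one more obligation the model leaves out: DriverUnload must not return while any flowDeleteFn invocation can still be executing, since the callback code would otherwise be unmapped underneath the engine.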