Upper filter driver waitlock

I only want to know if this is necessary to make the code safe

We really can’t tell you that, without seeing all your code (and, no, that is not an invitation to post it here). In general, any time you share data between multiple separate threads of processing, you need a lock to ensure that both threads don’t attempt to update the same data data at the same time. For example, you don’t want one routine trying to put something ON a list, while at the same time you have another routine trying to take something OFF that same list. If the timing is “unlucky”, the two threads can interfere with each other, right? So, each thread takes out a lock before manipulating the shared data (the list, in the example I just cited)… THEN does the manipulation (insert or remove from the list, for example)… and then releases the lock. The lock ensures that the manipulation of the shared data is done without the other thread of processing interfering, that is it ensures the manipulation is done “atomically.”

This is a general precept of how one makes things thread-safe. It’s not a driver specific thing. Though the TYPES of locks you can use (wait or spin) are definitely specific to the world of drivers.

Hope that helps,

Peter

Peter, I am a developer on the user land since many years and I know for what we need locks. The problem is that I have not so much knowledge how in general the concept in the driver land are. Sometimes it can be unnecessary to use locks because the system serialize the things. This was the reason for my question.
Doron answered my question already very well.

Since I use the locks I get the following bugcheck and have no idea where I must look in the code:
Loading unloaded module list
…Unable to enumerate user-mode unloaded modules, Win32 error 0n30


  •                                                                         *
    
  •                    Bugcheck Analysis                                    *
    
  •                                                                         *
    

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {ffffffffc0000005, fffff801fbd24c7b, ffff970dc858e598, ffff970dc858dde0}

*** ERROR: Module load completed but symbols could not be loaded for Ch64USB.sys
Probably caused by : Ch64USB.sys ( Ch64USB+14c7b )

Followup: MachineOwner

nt!DbgBreakPointWithStatus:
fffff800`f68598d0 cc int 3
0: kd> !analyze -v


  •                                                                         *
    
  •                    Bugcheck Analysis                                    *
    
  •                                                                         *
    

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff801fbd24c7b, The address that the exception occurred at
Arg3: ffff970dc858e598, Exception Record Address
Arg4: ffff970dc858dde0, Context Record Address

Debugging Details:

KEY_VALUES_STRING: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING: 17134.1.amd64fre.rs4_release.180410-1804

DUMP_TYPE: 0

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: fffff801fbd24c7b

BUGCHECK_P3: ffff970dc858e598

BUGCHECK_P4: ffff970dc858dde0

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

FAULTING_IP:
Ch64USB+14c7b
fffff801`fbd24c7b 0fb616 movzx edx,byte ptr [rsi]

EXCEPTION_RECORD: ffff970dc858e598 – (.exr 0xffff970dc858e598)
ExceptionAddress: fffff801fbd24c7b (Ch64USB+0x0000000000014c7b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 00000000b02e6a50
Attempt to read from address 00000000b02e6a50

CONTEXT: ffff970dc858dde0 – (.cxr 0xffff970dc858dde0)
rax=ffffd98db0e46030 rbx=0000000000000001 rcx=fffff801fbd2eb40
rdx=00000000b02e6a50 rsi=00000000b02e6a50 rdi=fffff801fbd2ba90
rip=fffff801fbd24c7b rsp=ffff970dc858e7d0 rbp=fffff801fbd29630
r8=0000000000000009 r9=0000000000000000 r10=ffffd98db17d0fa0
r11=ffff970dc858e8a0 r12=ffffd98db0e46180 r13=ffffd98db0e46030
r14=0000000000000009 r15=fffff801fbd29600
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
Ch64USB+0x14c7b:
fffff801fbd24c7b 0fb616 movzx edx,byte ptr [rsi] ds:002b:00000000b02e6a50=??
Resetting default scope

CPU_COUNT: 4

CPU_MHZ: 5da

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 5c

CPU_STEPPING: 9

CPU_MICROCODE: 6,5c,9,0 (F,M,S,R) SIG: 32’00000000 (cache) 32’00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 0

FOLLOWUP_IP:
Ch64USB+14c7b
fffff801`fbd24c7b 0fb616 movzx edx,byte ptr [rsi]

BUGCHECK_STR: AV

READ_ADDRESS: 00000000b02e6a50

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 00000000b02e6a50

ANALYSIS_SESSION_HOST: WIN10WORK

ANALYSIS_SESSION_TIME: 11-06-2018 09:38:07.0276

ANALYSIS_VERSION: 10.0.17763.1 amd64fre

LAST_CONTROL_TRANSFER: from fffff801fbd1558a to fffff801fbd24c7b

STACK_TEXT:
ffff970dc858e7d0 fffff801fbd1558a : ffffd98db0e46030 fffff801fbd2eb40 ffffd98db0e46180 0000000000000000 : Ch64USB+0x14c7b
ffff970dc858e830 fffff801fbd14012 : ffffd98db4b3b450 fffff800f676a560 ffffd98db52e8498 ffffd98db0e46180 : Ch64USB+0x558a
ffff970dc858e940 fffff801fbd11fc4 : ffffd98db0e46030 ffffd98db61f31e0 ffffd98db4b3b450 0000000000000000 : Ch64USB+0x4012
ffff970dc858e990 fffff800f66c2199 : 0000000000000000 ffff970dc858eb18 0000000000000000 ffff970dc858ea70 : Ch64USB+0x1fc4
ffff970dc858e9d0 fffff801fc215c2f : 0000000000000000 0000000000000000 ffffea9826d1f5cc 0000000000000000 : nt!IofCallDriver+0x59
ffff970dc858ea10 fffff801fc2161f1 : ffffd98db530c280 0000000000000000 fffff801f860a6c0 fffff801f836e4cc : hidusb!HumGetPortStatus+0x8f
ffff970dc858eaa0 fffff800f67c5a9c : ffffd98db61f31e0 0000000000000000 0000000000000000 0000000000000100 : hidusb!HumResetWorkItem+0x61
ffff970dc858eb10 fffff800f671f285 : 0000000000000100 ffffd98db0736040 fffff800f67c5970 7f2222220000000c : nt!IopProcessWorkItem+0x12c
ffff970dc858eb80 fffff800f67a2e37 : ffffd98db0736040 0000000000000080 ffffd98db0303440 ffffd98db0736040 : nt!ExpWorkerThread+0xf5
ffff970dc858ec10 fffff800f6859116 : ffffc28123179180 ffffd98db0736040 fffff800f67a2df0 6cc1166ccb2be5c0 : nt!PspSystemThreadStartup+0x47
ffff970dc858ec60 0000000000000000 : ffff970dc858f000 ffff970dc8589000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16

THREAD_SHA1_HASH_MOD_FUNC: f5b4ace2adf39990f92c24669368e0ec71708e59

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: e3eb8ce004d8d64f72274c1e0ef735d7b84651cf

THREAD_SHA1_HASH_MOD: dcb03cc04fbc0323c9cf8317ab1160cd6291736a

FAULT_INSTR_CODE: 4c16b60f

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Ch64USB+14c7b

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Ch64USB

IMAGE_NAME: Ch64USB.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 50868011

STACK_COMMAND: .cxr 0xffff970dc858dde0 ; kb

BUCKET_ID_FUNC_OFFSET: 14c7b

FAILURE_BUCKET_ID: AV_Ch64USB!unknown_function

BUCKET_ID: AV_Ch64USB!unknown_function

PRIMARY_PROBLEM_CLASS: AV_Ch64USB!unknown_function

TARGET_TIME: 2018-11-06T08:37:27.000Z

OSBUILD: 17134

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2018-08-03 05:10:45

BUILDDATESTAMP_STR: 180410-1804

BUILDLAB_STR: rs4_release

BUILDOSVER_STR: 10.0.17134.1.amd64fre.rs4_release.180410-1804

ANALYSIS_SESSION_ELAPSED_TIME: 12f6

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:av_ch64usb!unknown_function

FAILURE_ID_HASH: {f0a075df-a4e3-29fb-7038-fd226ffd6fc4}

Followup: MachineOwner

I am a developer on the user land since many years and I know for what we need locks

Good for you. Wait… are you taking offense and scolding me, because I spent time answering your question and trying to be sure you understood the underlying concepts?

:o

Peter

Can we see some source around the bugcheck?

On Tue, Nov 6, 2018 at 11:01 AM Peter_Viscarola_(OSR)
wrote:

> OSR https://community.osr.com/
> Peter_Viscarola_(OSR) commented on Upper filter driver waitlock
>
> > I am a developer on the user land since many years and I know for what
> we need locks
>
> Good for you. Wait… are you taking offense and scolding me, because I
> spent time answering your question and trying to be sure you understood the
> underlying concepts?
>
>
>
> Peter
>
> –
> Reply to this email directly or follow the link below to check it out:
> https://community.osr.com/discussion/comment/291310#Comment_291310
>
> Check it out:
> https://community.osr.com/discussion/comment/291310#Comment_291310
>

Peter, sorry if I answered in a way that bother you. I thank you very much and the others to answer my sometimes not so deeply grounded questions.

Fix your OS and private driver symbols first

Also, where possible the interlocked family of functions can / should be used to create so called

Jamey_Kirby: Can we see some source around the bugcheck?
That is the problem. I can not say at the moment where in the code the bugcheck occurres exactly. If I can reproduce the bug, I will come back.

Well, it is somewhere around here:

ffff970dc858e7d0 fffff801fbd1558a : ffffd98db0e46030 fffff801fbd2eb40
ffffd98db0e46180 0000000000000000 : Ch64USB+0x14c7b
ffff970dc858e830 fffff801fbd14012 : ffffd98db4b3b450 fffff800f676a560
ffffd98db52e8498 ffffd98db0e46180 : Ch64USB+0x558a
ffff970dc858e940 fffff801fbd11fc4 : ffffd98db0e46030 ffffd98db61f31e0
ffffd98db4b3b450 0000000000000000 : Ch64USB+0x4012
ffff970dc858e990 fffff800f66c2199 : 0000000000000000 ffff970dc858eb18
0000000000000000 ffff970dc858ea70 : Ch64USB+0x1fc4
ffff970dc858e9d0 fffff801fc215c2f : 0000000000000000 0000000000000000
ffffea9826d1f5cc 0000000000000000 : nt!IofCallDriver+0x59

Start with your IoCallDriver() and work your way down.

On Tue, Nov 6, 2018 at 11:46 AM Mak
wrote:

> OSR https://community.osr.com/
> Mak commented on Upper filter driver waitlock
>
> Jamey_Kirby: Can we see some source around the bugcheck?
>
> That is the problem. I can not say at the moment where in the code the
> bugcheck occurres exactly. If I can reproduce the bug, I will come back.
>
> –
> Reply to this email directly or follow the link below to check it out:
> https://community.osr.com/discussion/comment/291316#Comment_291316
>
> Check it out:
> https://community.osr.com/discussion/comment/291316#Comment_291316
>

If I search my code, I cant find a function with the name IofCallDriver or more reduced “CallDriver”.

IofCallDriver == IoCallDriver. You need to fix the symbols for your driver to have any chance at root causing the issue

Fix your symbols. Read or watch this. Unless you already know how to do that, too.

Peter

I set the symbols path to:
_NT_SYMBOL_PATH=symsrvsymsrv.dllD:\Symbols*http://msdl.microsoft.com/download/symbols
but If I look on the driver the symbols are always loaded to “C:\ProgramData\dbg\sym”.
I checked the environment variable in VS and under System.
The symbols loading summary is:
************* Symbol Loading Error Summary **************
Module name Error
clipsp No error - symbol load deferred
WdFilter The system cannot find the file specified
igdkmd64 The system cannot find the file specified
drmk The system cannot find the file specified
TeeDriverW8x64 The system cannot find the file specified
RtsP2Stor The system cannot find the file specified
Netwtw04 The system cannot find the file specified
iaLPSS2_UART2 The system cannot find the file specified
iaLPSS2_SPI The system cannot find the file specified
IntcDAud The system cannot find the file specified
kbfiltr No error - symbol load deferred
ibtusb The system cannot find the file specified
Ch64USB The system cannot find the file specified
peauth The system cannot find the file specified
WdNisDrv The system cannot find the file specified

Is this ok?

Mak wrote:

Since I use the locks I get the following bugcheck and have no idea where I must look in the code:

* *
* Bugcheck Analysis *
* *

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)

Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff801fbd24c7b, The address that the exception occurred at
Arg3: ffff970dc858e598, Exception Record Address
Arg4: ffff970dc858dde0, Context Record Address

Attempt to read from address 00000000b02e6a50

CONTEXT: ffff970dc858dde0 – (.cxr 0xffff970dc858dde0)
rax=ffffd98db0e46030 rbx=0000000000000001 rcx=fffff801fbd2eb40
rdx=00000000b02e6a50 rsi=00000000b02e6a50 rdi=fffff801fbd2ba90
rip=fffff801fbd24c7b rsp=ffff970dc858e7d0 rbp=fffff801fbd29630
r8=0000000000000009 r9=0000000000000000 r10=ffffd98db17d0fa0
r11=ffff970dc858e8a0 r12=ffffd98db0e46180 r13=ffffd98db0e46030
r14=0000000000000009 r15=fffff801fbd29600
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
Ch64USB+0x14c7b:
fffff801fbd24c7b 0fb616 movzx edx,byte ptr [rsi] ds:002b:00000000b02e6a50=??

That seems crystal clear.  You’re trying to read a user-mode address
within your driver.

I set the symbols path to:
_NT_SYMBOL_PATH=symsrv*symsrv.dll*D:\Symbols*http://msdl.microsoft.com/download/symbols
but If I look on the driver the symbols are always loaded to “C:\ProgramData\dbg\sym”.

Did you copy your own driver’s symbols there?  I’m guessing you didn’t. 
In that case, you probably want to add the directory containing your
driver’s symbols to the .sympath.

Is this ok?

If you examine the kernel stack and it has symbols resolved, then yes. If not, then no.

Let me guess: You didn’t read that page I sent you to, or watch that video… did you. No, I bet you didn’t.

Seems I’m pretty much wasting my time here. Good luck, OP…

Peter

In Mak’s defense, the link did not come through in the email posting. I
looked for it as I always want to read what you recommend :slight_smile:

On Tue, Nov 6, 2018 at 4:23 PM Peter_Viscarola_(OSR)
wrote:

> OSR https://community.osr.com/
> Peter_Viscarola_(OSR) commented on Upper filter driver waitlock
>
> > Is this ok?
>
> If you examine the kernel stack and it has symbols resolved, then yes. If
> not, then no.
>
> Let me guess: You didn’t read that page I sent you to, or watch that
> video… did you. No, I bet you didn’t.
>
> Seems I’m pretty much wasting my time here. Good luck, OP…
>
> Peter
>
> –
> Reply to this email directly or follow the link below to check it out:
> https://community.osr.com/discussion/comment/291325#Comment_291325
>
> Check it out:
> https://community.osr.com/discussion/comment/291325#Comment_291325
>

In Mak’s defense, the link did not come through in the email

Yet YOU managed to figure it out. And I’ll wager that you need a tutorial about how to setup the WinDbg symbol search path even less than I do.

Yeah.

P

LOL. Well, I surely know how to do my job :slight_smile: Others may be better, and I
rarely need the kernel symbols. Usually, my own symbols suffice. I guess it
is a matter of knowing your environment and your code.

On Tue, Nov 6, 2018 at 8:33 PM Peter_Viscarola_(OSR)
wrote:

> OSR https://community.osr.com/
> Peter_Viscarola_(OSR) commented on Upper filter driver waitlock
>
> > In Mak’s defense, the link did not come through in the email
>
> Yet YOU managed to figure it out. And I’ll wager that you need a tutorial
> about how to setup the WinDbg symbol search path even less than I do.
>
> Yeah.
>
> P
>
> –
> Reply to this email directly or follow the link below to check it out:
> https://community.osr.com/discussion/comment/291328#Comment_291328
>
> Check it out:
> https://community.osr.com/discussion/comment/291328#Comment_291328
>

Peter, I read and watched that article. The search path is set correctly but as I mentioned above the pdb are loaded on the c drive. If I delete the symbols on the c drive they are loaded again. It seems my settings are ignored “d:\Symbols”.
If I open the symbol path in windbg I also see the path to my driver pdb. By the way if the program crashes on other places I see in the stack trace my functions and part of my function code. The things are not totally wrong.
This is from the symbol path dialog:
srvD:\symbolshttps://msdl.microsoft.com/download/symbols;D:\project\sys\x64\Debug