WDFTIMER callback cause sometime crash

acrux · January 22, 2020, 10:29pm

Hi,

I have WDFTIMER for implementation I/O request Timeout.
It calls function:

VOID SerialReadTimeout( IN WDFTIMER Timer)
{
PFDO_DATA DevExt = ddFdoGetData(WdfTimerGetParentObject(Timer));
WDFREQUEST NextQueuerequest ;
NTSTATUS status = STATUS_SUCCESS;

if (STATUS_SUCCESS == WdfIoQueueRetrieveNextRequest(DevExt->ReadQueue, &NextQueuerequest))
{
	if (NextQueuerequest != NULL)
	{
		WdfRequestComplete(NextQueuerequest, status);
	}
}

}

if its called from timer cb, it sometimes (1 per 1000) calls crashed on the WdfRequestComplete

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 000000000000001e, Type of memory safety violation
Arg2: fffff804630f72f0, Address of the trap frame for the exception that caused the bugcheck
Arg3: fffff804630f7248, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:

KEY_VALUES_STRING: 1

PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202

DUMP_TYPE: 0

BUGCHECK_P1: 1e

BUGCHECK_P2: fffff804630f72f0

BUGCHECK_P3: fffff804630f7248

BUGCHECK_P4: 0

TRAP_FRAME: fffff804630f72f0 – (.trap 0xfffff804630f72f0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff830a4b5a0040 rbx=0000000000000000 rcx=000000000000001e
rdx=fffff80460200000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff804603fc096 rsp=fffff804630f7480 rbp=fffff804630f7500
r8=8000000000000000 r9=0000000000000000 r10=fffff8045b881100
r11=ffff830a4b691080 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe cy
nt!KiDeferredReadyThread+0x1b32e6:
fffff804`603fc096 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: fffff804630f7248 – (.exr 0xfffff804630f7248)
ExceptionAddress: fffff804603fc096 (nt!KiDeferredReadyThread+0x00000000001b32e6)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000000000000001e
Subcode: 0x1e FAST_FAIL_INVALID_NEXT_THREAD

CPU_COUNT: 2

CPU_MHZ: b79

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 9e

CPU_STEPPING: 9

CPU_MICROCODE: 6,9e,9,0 (F,M,S,R) SIG: 1’00000000 (cache) 1’00000000 (init)

BUGCHECK_STR: 0x139

PROCESS_NAME: System

CURRENT_IRQL: 2

DEFAULT_BUCKET_ID: FAIL_FAST_INVALID_NEXT_THREAD

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 000000000000001e

ANALYSIS_SESSION_HOST: DESKTOP-FMGRFN0

ANALYSIS_SESSION_TIME: 01-22-2020 21:43:01.0115

ANALYSIS_VERSION: 10.0.18362.1 amd64fre

LAST_CONTROL_TRANSFER: from fffff804604a9422 to fffff804603c90b0

STACK_TEXT:
fffff804630f6828 fffff804604a9422 : 000000000000001e 0000000000000003 fffff804630f6990 fffff8046031db20 : nt!DbgBreakPointWithStatus
fffff804630f6830 fffff804604a8b12 : 0000000000000003 fffff804630f6990 fffff804603d5960 0000000000000139 : nt!KiBugCheckDebugBreak+0x12
fffff804630f6890 fffff804603c1327 : ffff830a4bcd1000 0000000000000000 ffff830a4b691080 0000000000000000 : nt!KeBugCheck2+0x952
fffff804630f6f90 fffff804603d30e9 : 0000000000000139 000000000000001e fffff804630f72f0 fffff804630f7248 : nt!KeBugCheckEx+0x107
fffff804630f6fd0 fffff804603d3510 : 0000000000000401 fffff804630f7398 0000000000000001 0000000000000000 : nt!KiBugCheckDispatch+0x69
fffff804630f7110 fffff804603d18a5 : 010800000001000e 0000000000000000 fffff804630f7370 00000000c0010000 : nt!KiFastFailDispatch+0xd0
fffff804630f72f0 fffff804603fc096 : ffff2f436698b0a6 0000000000000000 0000000200010000 fffff804630f7850 : nt!KiRaiseSecurityCheckFailure+0x325
fffff804630f7480 fffff80460248c93 : fffff8045b881180 0000000000000000 0000000000000000 0000000000000000 : nt!KiDeferredReadyThread+0x1b32e6
fffff804630f7540 fffff80460248a75 : ffff830a4b6911f0 0000000000000000 0000000000000002 0000000000000000 : nt!KiReadyThread+0x33
fffff804630f7570 fffff80460247b9b : ffff830a531859e0 fffff8046025d144 ffff830a4b691080 fffff804630f76e0 : nt!KiExitDispatcher+0x105
fffff804630f75d0 fffff80460247667 : 0000000000000000 0000000000000000 0000000000000001 0000000000000000 : nt!IopfCompleteRequest+0x51b
fffff804630f76e0 fffff80461c983f8 : 0000000000000000 ffff830a4ecf38e0 0000000000000002 fffff80461c9a4c0 : nt!IofCompleteRequest+0x17
fffff804630f7710 fffff80461c97ecb : fffff80460791402 0000000000000000 ffff830a52e6e5c0 0000000000000000 : Wdf01000!FxRequest::CompleteInternal+0x228 [minkernel\wdf\framework\shared\core\fxrequest.cpp @ 869]
fffff804630f77a0 fffff802bd5e2545 : 00007cf5b1745708 ffff830a4ecf38e0 0000000000000000 ffff830a4e8baa28 : Wdf01000!imp_WdfRequestComplete+0x8b [minkernel\wdf\framework\shared\core\fxrequestapi.cpp @ 436]
fffff804630f7800 fffff802bd5e3339 : 00007cf5b130c718 fffff80400000000 0000000000000001 0000000000000000 : dd_device!WdfRequestComplete+0x45 [c:\program files (x86)\windows kits\10\include\wdf\kmdf\1.25\wdfrequest.h @ 1025]
fffff804630f7840 fffff80461c9200e : 00007cf5b1745708 0000000000000000 ffff907ff5474c41 fffff804630f78c8 : dd_device!SerialReadTimeout+0x79 [c:\users\user\projects\dd_drivers\dd_device\uart_utils.c @ 23]
fffff804630f7890 fffff804602682ba : fffff804630f7989 fffff80461c91f50 fffff80461c91f50 fffff804630f7be0 : Wdf01000!FxTimer::_FxTimerExtCallbackThunk+0xbe [minkernel\wdf\framework\shared\core\fxtimer.cpp @ 440]
fffff804630f78e0 fffff804602688c3 : fffff804630f7a28 ffff830a52c1ecf8 fffff804630f7a28 0000000000000002 : nt!KiExpireTimer2+0x3ea
fffff804630f79f0 fffff8046026a9b7 : 0000000000000006 0000000000369e99 fffff804630f7bb0 0000000000000089 : nt!KiTimer2Expiration+0x163
fffff804630f7ab0 fffff804603c4d64 : 0000000000000000 fffff8045b881180 fffff80460791400 ffff830a4b68a080 : nt!KiRetireDpcList+0x6c7
fffff804630f7ce0 0000000000000000 : fffff804630f8000 fffff804630f2000 0000000000000000 0000000000000000 : nt!KiIdleLoop+0x84

THREAD_SHA1_HASH_MOD_FUNC: 97a1cac6bfb93e6ecc382435ef8e0b89865851f2

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 72f51d27dd57d6004b2d3876986cd6ec5c5b22ab

THREAD_SHA1_HASH_MOD: daca4372dfa0a4b50d09a31b77c61c429821638c

FOLLOWUP_IP:
dd_device!WdfRequestComplete+45 [c:\program files (x86)\windows kits\10\include\wdf\kmdf\1.25\wdfrequest.h @ 1025]
fffff802`bd5e2545 4883c438 add rsp,38h

FAULT_INSTR_CODE: 38c48348

FAULTING_SOURCE_LINE: c:\program files (x86)\windows kits\10\include\wdf\kmdf\1.25\wdfrequest.h

FAULTING_SOURCE_FILE: c:\program files (x86)\windows kits\10\include\wdf\kmdf\1.25\wdfrequest.h

FAULTING_SOURCE_LINE_NUMBER: 1025

FAULTING_SOURCE_CODE:
1021: NTSTATUS Status
1022: )
1023: {
1024: ((PFN_WDFREQUESTCOMPLETE) WdfFunctions[WdfRequestCompleteTableIndex])(WdfDriverGlobals, Request, Status);

1025: }
1026:
1027: //
1028: // WDF Function: WdfRequestCompleteWithPriorityBoost
1029: //
1030: typedef

SYMBOL_STACK_INDEX: e

SYMBOL_NAME: dd_device!WdfRequestComplete+45

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: dd_device

IMAGE_NAME: dd_device.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5e28b361

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 45

FAILURE_BUCKET_ID: 0x139_1e_INVALID_NEXT_THREAD_dd_device!WdfRequestComplete

BUCKET_ID: 0x139_1e_INVALID_NEXT_THREAD_dd_device!WdfRequestComplete

PRIMARY_PROBLEM_CLASS: 0x139_1e_INVALID_NEXT_THREAD_dd_device!WdfRequestComplete

TARGET_TIME: 2020-01-22T19:42:39.000Z

OSBUILD: 18362

OSSERVICEPACK: 418

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: unknown_date

BUILDDATESTAMP_STR: 190318-1202

BUILDLAB_STR: 19h1_release

BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_ELAPSED_TIME: 2c18

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x139_1e_invalid_next_thread_dd_device!wdfrequestcomplete

FAILURE_ID_HASH: {5af8c457-6a1c-8c86-1972-e17b6b6cf98b}

Followup: MachineOwner

Tim_Roberts · January 23, 2020, 1:51am

Did you read through the analysis? The problem with this kind of crash is that the problem occurred some time in the past. Someone, somewhere, overwrite a system data structure. As part of completing your request, the system had to look at its scheduling tables to find the next ready thread, and that data structure was corrupted.

So, it’s likely that whatever operation you just completed overran a buffer or used a dead pointer and trashed a system data structure.