FltAllocateContext causes IRQL_NOT_LESS_OR_EQUAL

noamasf Member Posts: 1

Hi, I'm developing an FSFilterSystem driver, and I get an "IRQL_NOT_LESS_OR_EQUAL" BSOD when I'm trying to allocate the instance context (in the InstanceSetupCallback).
I added a test to check the IRQL, and it seems like the IRQL was at passive level before calling FltAllocateContext, so it was probably raised while allocating the buffer... I also tried to replace the call with ExAllocatePoolWithTag, but the behavior stays the same.
Does anyone know what can cause this BSOD and how to avoid it?


Bugcheck Analysis

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: ffffe38410eb5022, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8053ac57ce8, address which referenced memory

Debugging Details:

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 6562

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-V7FOB5H

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.mSec
Value: 227576

Key  : Analysis.Memory.CommitPeak.Mb
Value: 78

Key  : Analysis.System
Value: CreateObject

Key  : WER.OS.Branch
Value: rs5_release

Key  : WER.OS.Timestamp
Value: 2018-09-14T14:34:00Z

Key  : WER.OS.Version
Value: 10.0.17763.1

ADDITIONAL_XML: 1

OS_BUILD_LAYERS: 1

BUGCHECK_CODE: a

BUGCHECK_P1: ffffe38410eb5022

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8053ac57ce8

READ_ADDRESS: ffffe38410eb5022 Nonpaged pool

PROCESS_NAME: System

TRAP_FRAME: fffff40a38405b40 -- (.trap 0xfffff40a38405b40)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000002bed rbx=0000000000000000 rcx=00000000000ae000
rdx=78616fec48ad0a4e rsi=0000000000000000 rdi=0000000000000000
rip=fffff8053ac57ce8 rsp=fffff40a38405cd0 rbp=fffff40a38405d70
r8=0000000078616fec r9=0000000000000000 r10=ffffe38410eb5000
r11=0000000000ff0000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!RtlpHpVsContextAllocateInternal+0x208:
fffff8053ac57ce8 410fb74a22 movzx ecx,word ptr [r10+22h] ds:ffffe38410eb5022=????
Resetting default scope

LOCK_ADDRESS: fffff8053aed9ee0 -- (!locks fffff8053aed9ee0)

Resource @ nt!PiEngineLock (0xfffff8053aed9ee0) Exclusively owned
Contention Count = 7
Threads: ffffe38419143080-01<*>
1 total locks

PNP_TRIAGE_DATA:
Lock address : 0xfffff8053aed9ee0
Thread Count : 1
Thread address: 0xffffe38419143080
Thread wait : 0x2773a

STACK_TEXT:
fffff40a38405238 fffff8053ad34402 : ffffe38410eb5022 0000000000000003 fffff40a384053a0 fffff8053ac03cb0 : nt!DbgBreakPointWithStatus
fffff40a38405240 fffff8053ad33b87 : 0000000000000003 fffff40a384053a0 fffff8053ac70ae0 000000000000000a : nt!KiBugCheckDebugBreak+0x12
fffff40a384052a0 fffff8053ac5cc07 : ffffb988eae4a000 ffffb988f0efda24 ffffe38410f63fe8 0000000000000000 : nt!KeBugCheck2+0x957
fffff40a384059c0 fffff8053ac6e2e9 : 000000000000000a ffffe38410eb5022 0000000000000002 0000000000000000 : nt!KeBugCheckEx+0x107
fffff40a38405a00 fffff8053ac6a6d4 : ffffb988fa126790 fffff40a384055e0 fffff40a38405e40 ffffb988eb236d00 : nt!KiBugCheckDispatch+0x69
fffff40a38405b40 fffff8053ac57ce8 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiPageFault+0x454
fffff40a38405cd0 fffff8053abb3926 : ffffe38411000000 00000000000000a0 fffff40a0000000c fffff8053ad9f1b2 : nt!RtlpHpVsContextAllocateInternal+0x208
fffff40a38405d40 fffff8053abb2126 : ffffe38411000000 fffff40a38405e49 0000000046534100 0000000000032670 : nt!RtlpHpVsContextAllocate+0x46
fffff40a38405dc0 fffff8053adee06d : 0000000000000000 0000000000000088 0000000046534100 ffffe384158aa660 : nt!ExAllocateHeapPool+0x9d6
fffff40a38405eb0 fffff8053dd6a0c6 : ffffe384158aa660 0000000000000000 ffffe384119e0520 fffff8053feb23e1 : nt!ExAllocatePoolWithTag+0x3d
fffff40a38405f90 fffff8053feb241e : ffffe384158aa660 0000000000000001 ffffe3841e2ddcb0 0000000000000000 : FLTMGR!FltAllocateContext+0x246
fffff40a38405fd0 fffff8053dda2634 : fffff40a38406090 ffffe38400000001 ffffe38400000008 0000000000000002 : SBox!SBox::MiniFilter::StaticAdapters::InstanceSetup+0x6e [C:\Projects\sbox\RSBox\SBox\MiniFilter\Filter.cpp @ 83]
fffff40a38406060 fffff8053dda0cbf : 0000000000000000 fffff40a38406221 ffffe3841518e5a0 0000000000000000 : FLTMGR!FltpDoInstanceSetupNotification+0x8c
fffff40a384060d0 fffff8053dda1e98 : ffffe3841e2ddcb0 ffffe3841518e5a0 ffffb98800000001 fffff40a384061f0 : FLTMGR!FltpInitInstance+0x357
fffff40a38406190 fffff8053dda2165 : 0000000000000000 ffffe3841518e5a0 0000000000000000 000000000000001a : FLTMGR!FltpCreateInstanceFromName+0x1c4
fffff40a38406270 fffff8053ddad5fc : ffffe3841518e5a0 ffffe38411f9c848 ffffe3841518e5b0 ffffe38400000022 : FLTMGR!FltpEnumerateRegistryInstances+0x15d
fffff40a38406310 fffff8053ddad4dc : ffffe38411f9c780 0000000000000000 ffffe38419aef2c0 fffff40a38406454 : FLTMGR!FltpDoVolumeNotificationForNewFilter+0xe0
fffff40a38406370 fffff8053feb15db : ffffe3841e2ddcb0 fffff40a00000000 fffff80500000001 ffffe38419aef2c0 : FLTMGR!FltStartFiltering+0x2c
fffff40a384063c0 fffff8053febb149 : fffff8053feb8017 fffff40a38406418 ffffe38416463000 0400000000020020 : SBox!DrvEnv::FLT::FilterRegisteration::StartFiltering+0x1b [C:\Projects\sbox\RSBox\ASF\DrvEnv\FLT.cpp @ 20]
fffff40a384063f0 fffff8053febb1e0 : ffffe38419aef2c0 ffffe38416463000 000000000000000a ffff56cf5bf306a6 : SBox!DriverEntry+0x149 [C:\Projects\sbox\RSBox\SBox\DriverSetup.cpp @ 41]
fffff40a38406480 fffff8053b08a2b9 : 0000000000000000 0000000000000000 ffffe38419aef2c0 0000000000001000 : SBox!GsDriverEntry+0x20 [minkernel\tools\gs_support\kmodefastfail\gs_driverentry.c @ 47]
fffff40a384064b0 fffff8053b19da6b : 0000000000000000 0000000000000000 0000000000000004 ffffb98800000004 : nt!IopLoadDriver+0x4bd
fffff40a38406690 fffff8053b17f3f2 : fffff8053adfb301 0000000000000000 ffffe38417c860a0 ffffffff80002678 : nt!PipCallDriverAddDeviceQueryRoutine+0x1b7
fffff40a38406730 fffff8053b17ee79 : 0000000000000000 fffff40a38406840 ffffe38421fdc9a0 000000000000000a : nt!PnpCallDriverQueryServiceHelper+0xda
fffff40a384067e0 fffff8053b17dfab : ffffe38421fdc9a0 fffff40a38406a18 ffffe38421fdc9a0 0000000000000000 : nt!PipCallDriverAddDevice+0x98d
fffff40a384069a0 fffff8053b1f555f : ffffe38421fdc900 ffffe38415639401 fffff40a38406ab0 ffffe38400000000 : nt!PipProcessDevNodeTree+0x1af
fffff40a38406a60 fffff8053ac02f91 : ffffe30100000003 ffffe38421fdc9a0 ffffa80000000000 0000000000000000 : nt!PiRestartDevice+0xab
fffff40a38406ab0 fffff8053abacdea : ffffe38419143080 fffff8053aed8780 ffffe3841144c730 ffffe38400000000 : nt!PnpDeviceActionWorker+0x421
fffff40a38406b70 fffff8053ab1f015 : ffffe38419143080 ffffe38411483040 ffffe38419143080 00002425b19bbdff : nt!ExpWorkerThread+0x16a
fffff40a38406c10 fffff8053ac63f7c : ffffa800258d9180 ffffe38419143080 fffff8053ab1efc0 ff004e98ff004e98 : nt!PspSystemThreadStartup+0x55
fffff40a38406c60 0000000000000000 : fffff40a38407000 fffff40a38401000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x1c

FAULTING_SOURCE_LINE: ...\Filter.cpp

FAULTING_SOURCE_FILE: ...\Filter.cpp

FAULTING_SOURCE_LINE_NUMBER: 83

FAULTING_SOURCE_CODE:
    79:     FLT_FILESYSTEM_TYPE volumeFilesystemType)
    80: {
    81:     if (FLT_FSTYPE_NTFS != volumeFilesystemType) return STATUS_FLT_DO_NOT_ATTACH;
    82:     PFLT_CONTEXT context = nullptr;
    83:     const NTSTATUS status = FltAllocateContext(
    84:         fltObjects->Filter, FLT_INSTANCE_CONTEXT,
    85:         sizeof(SBox::MiniFilter::Filter), NonPagedPool, &context);
    86:     __debugbreak();
    87:     if (context)
    88:     {

SYMBOL_NAME: SBox!SBox::MiniFilter::StaticAdapters::InstanceSetup+6e

MODULE_NAME: SBox

IMAGE_NAME: SBox.sys

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 6e

FAILURE_BUCKET_ID: AV_SBox!SBox::MiniFilter::StaticAdapters::InstanceSetup

OS_VERSION: 10.0.17763.1

BUILDLAB_STR: rs5_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {8959c2e9-c730-29c3-8da3-53f0f9a13422}

Followup: MachineOwner
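The following is an added triage example, not code from the poster or from OSR: a small Python parser for the text `!analyze -v` prints on an IRQL_NOT_LESS_OR_EQUAL (0xA) bugcheck. It decodes the four bugcheck arguments (Arg2 is the IRQL at the time of the fault, Arg3 bit 0 read/write and bit 3 execute), picks up the READ_ADDRESS classification, and walks STACK_TEXT to name two frames: the one directly below nt!KiPageFault, which executed the trapping instruction at Arg4, and the first frame that does not belong to nt, hal or FLTMGR, which is where the third-party driver enters the picture. The sample input is abridged from the analysis quoted in the post above; the choice of "system" modules, the allocator-prefix heuristic and the hint text are assumptions of this example, not output of WinDbg.

```python
"""Triage helper for WinDbg ``!analyze -v`` text of an IRQL_NOT_LESS_OR_EQUAL (0xA) bugcheck.
Added example, not code from the post: decodes the bugcheck arguments, the READ_ADDRESS
class and the call stack, then names the faulting frame and the first driver frame."""
import re

# Constructed sample input, abridged from the analysis quoted in the post above.
SAMPLE = r"""
BUGCHECK_CODE: a

Arg1: ffffe38410eb5022, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
Arg4: fffff8053ac57ce8, address which referenced memory

READ_ADDRESS: ffffe38410eb5022 Nonpaged pool

STACK_TEXT:
fffff40a384059c0 fffff8053ac6e2e9 : 000000000000000a ffffe38410eb5022 0000000000000002 0000000000000000 : nt!KeBugCheckEx+0x107
fffff40a38405b40 fffff8053ac57ce8 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiPageFault+0x454
fffff40a38405cd0 fffff8053abb3926 : ffffe38411000000 00000000000000a0 fffff40a0000000c fffff8053ad9f1b2 : nt!RtlpHpVsContextAllocateInternal+0x208
fffff40a38405dc0 fffff8053adee06d : 0000000000000000 0000000000000088 0000000046534100 ffffe384158aa660 : nt!ExAllocateHeapPool+0x9d6
fffff40a38405eb0 fffff8053dd6a0c6 : ffffe384158aa660 0000000000000000 ffffe384119e0520 fffff8053feb23e1 : nt!ExAllocatePoolWithTag+0x3d
fffff40a38405f90 fffff8053feb241e : ffffe384158aa660 0000000000000001 ffffe3841e2ddcb0 0000000000000000 : FLTMGR!FltAllocateContext+0x246
fffff40a38405fd0 fffff8053dda2634 : fffff40a38406090 ffffe38400000001 ffffe38400000008 0000000000000002 : SBox!SBox::MiniFilter::StaticAdapters::InstanceSetup+0x6e [C:\Projects\sbox\RSBox\SBox\MiniFilter\Filter.cpp @ 83]
fffff40a38406060 fffff8053dda0cbf : 0000000000000000 fffff40a38406221 ffffe3841518e5a0 0000000000000000 : FLTMGR!FltpDoInstanceSetupNotification+0x8c

MODULE_NAME: SBox
"""

ARG_RE = re.compile(r"^Arg(\d): ([0-9a-f]+)")
KV_RE = re.compile(r"^([A-Z][A-Z_0-9]+): ?(.*)$")
FRAME_RE = re.compile(r"^[0-9a-f]{16} [0-9a-f]{16} : .* : (?P<sym>\S+)(?: \[(?P<file>.+) @ (?P<line>\d+)\])?$")
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
SYSTEM_MODULES = {"nt", "hal", "FLTMGR"}          # assumption: frames here are the victim, not the suspect
POOL_ALLOCATOR_PREFIXES = ("RtlpHp", "ExAllocate", "ExFree")  # assumption: kernel pool allocator symbols


def parse_analysis(text):
    """Return bugcheck args (int -> int), upper-case KEY: value fields and STACK_TEXT frames."""
    info = {"args": {}, "frames": []}
    in_stack = False
    for line in text.splitlines():
        line = line.rstrip()
        if in_stack:
            m = FRAME_RE.match(line)
            if m:
                module, _, symbol = m["sym"].partition("!")
                info["frames"].append({"module": module, "symbol": symbol, "file": m["file"],
                                       "line": int(m["line"]) if m["line"] else None})
                continue
            in_stack = False          # a blank or non-frame line ends STACK_TEXT
        if line == "STACK_TEXT:":
            in_stack = True
        elif (m := ARG_RE.match(line)):
            info["args"][int(m[1])] = int(m[2], 16)
        elif (m := KV_RE.match(line)):
            info[m[1]] = m[2].strip()
    return info


def summarize_irql_bugcheck(text):
    """Decode a 0xA dump: what was touched, how, at which IRQL, and where the driver enters."""
    info = parse_analysis(text)
    if int(info.get("BUGCHECK_CODE", "0"), 16) != 0xA:
        raise ValueError("not an IRQL_NOT_LESS_OR_EQUAL (0xA) analysis")
    args, frames = info["args"], info["frames"]
    # The frame directly below nt!KiPageFault executed the instruction that trapped (Arg4).
    faulting = next((frames[i + 1] for i, f in enumerate(frames[:-1])
                     if f["module"] == "nt" and f["symbol"].startswith("KiPageFault")), None)
    driver = next((f for f in frames if f["module"] not in SYSTEM_MODULES), None)
    in_allocator = faulting is not None and faulting["symbol"].startswith(POOL_ALLOCATOR_PREFIXES)
    if in_allocator:
        hint = ("fault is inside the pool allocator, which runs at DISPATCH_LEVEL under its own lock, "
                "so the caller's IRQL is not the defect; unreadable pool metadata is consistent with "
                "earlier pool corruption, so run the driver under Driver Verifier special pool.")
    else:
        hint = "fault is in the driver's own code path; check the address and IRQL of that access."
    return {
        "bad_address": args[1],
        "irql": IRQL_NAMES.get(args[2], str(args[2])),
        "operation": "write" if args[3] & 1 else "read",
        "execute": bool(args[3] & 8),
        "address_class": info.get("READ_ADDRESS", "").partition(" ")[2],
        "faulting_symbol": f"{faulting['module']}!{faulting['symbol']}" if faulting else None,
        "driver_frame": driver,
        "fault_inside_pool_allocator": in_allocator,
        "hint": hint,
    }


if __name__ == "__main__":
    for k, v in summarize_irql_bugcheck(SAMPLE).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

Run on the posted analysis, the summary reports a read of a nonpaged-pool address at DISPATCH_LEVEL from nt!RtlpHpVsContextAllocateInternal, with SBox!...InstanceSetup (Filter.cpp line 83) as the first driver frame. That matches what the poster observed: the IRQL check before FltAllocateContext passes because the raise to DISPATCH_LEVEL happens inside the pool allocator, not in the driver. When the allocator faults while reading its own metadata, the access that damaged that metadata usually happened earlier and elsewhere, which is why the "hint" points at Driver Verifier (for example `verifier /standard /driver SBox.sys`): special pool places each allocation on its own guarded page, so an overrun or a bad free is caught at the instruction that performs it rather than at the next allocation.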
