Need help NDIS 6.30 driver load-time crash

I built a simple NDIS 6.30 protocol driver based on the ndisprot.

Unfortunately there is a BSOD problem with my driver when it loads: it says IRQL_NOT_LESS_OR_EQUAL. The following is the analysis from windbg.

The problem doesn’t happen every time the driver loads; it usually happens once after about ten runs.

Strangely enough, I don’t make any calls to the so-called LookasideList functions, so I have no idea where the buggy point is.

My driver only calls the following NT functions:

  • IoCreateDevice
  • IoCreateSymbolicLink
  • NdisRegisterProtocolDriver
  • NdisInitializeEvent
  • NdisAllocateSpinLock
  • NdisAllocateMemoryWithTagPriority

Please help me figure it out, thanks in advance!

0: kd> !analyze -v

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: ffffffffffffffd8, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80202f257a0, address which referenced memory

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 2

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on A190511569-A

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 1

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 79

    Key  : Analysis.System
    Value: CreateObject

BUGCHECK_CODE:  a

BUGCHECK_P1: ffffffffffffffd8

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff80202f257a0

READ_ADDRESS:  ffffffffffffffd8 

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

PROCESS_NAME:  System

TRAP_FRAME:  ffff80026b56a920 -- (.trap 0xffff80026b56a920)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000004 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80202f257a0 rsp=ffff80026b56aab0 rbp=000000000000001e
 r8=0000000000000000  r9=0000000000000100 r10=0000000000000004
r11=000000000000ffff r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe cy
nt!ExpScanGeneralLookasideList+0x40:
fffff802`02f257a0 418b48d8        mov     ecx,dword ptr [r8-28h] ds:ffffffff`ffffffd8=????????
Resetting default scope

STACK_TEXT:  
ffff8002`6b56a7d8 fffff802`03009169 : 00000000`0000000a ffffffff`ffffffd8 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffff8002`6b56a7e0 fffff802`03005469 : fffff802`03816880 fffff802`02e0bd2f ffffffff`00000008 00000000`00000005 : nt!KiBugCheckDispatch+0x69
ffff8002`6b56a920 fffff802`02f257a0 : 00000000`00000001 fffff802`03816880 00000000`00000000 00000000`0000014a : nt!KiPageFault+0x469
ffff8002`6b56aab0 fffff802`02fb5bfd : 00000000`00000006 00000000`ffffffff fffff802`03850b00 ffffe381`ac200180 : nt!ExpScanGeneralLookasideList+0x40
ffff8002`6b56aae0 fffff802`02f55855 : ffff8d8a`b18ba040 00000000`00000080 fffff802`02fb5ae0 00000000`00000000 : nt!KeBalanceSetManager+0x11d
ffff8002`6b56abd0 fffff802`02ffe808 : ffffe381`ac143180 ffff8d8a`b18ba040 fffff802`02f55800 00000000`00000000 : nt!PspSystemThreadStartup+0x55
ffff8002`6b56ac20 00000000`00000000 : ffff8002`6b56b000 ffff8002`6b564000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28

SYMBOL_NAME:  nt!ExpScanGeneralLookasideList+40

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  40

FAILURE_BUCKET_ID:  AV_nt!ExpScanGeneralLookasideList

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {76f24b7e-30bf-766a-9788-497c3826355f}

Followup:     MachineOwner

Any troubleshooting methods are welcome and appreciated.

ffffffffffffffd8 is a bullshit memory address for starters. So attach windbg, set a breakpoint in your driver entry, from there set breakpoints in your other driver callbacks, and start stepping through your code isolating where you end up trying to use ffffffffffffffd8 as a memory address.

Mark Roddy

If you aren’t creating any lookaside lists, then this suggests you are writing off the end of a memory buffer. Many system buffers do come from lookaside lists, and if you write before the start or after the end, you’ll destroy the linked-list fields.

My FIRST step would be to enable Driver Verifier with “special pool”. That adds guard regions before and after every allocation to watch for overwrites.
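Added illustration, not the original poster's driver and not Windows' real ntoskrnl structures: a constructed user-mode model of why an overrun into a neighbouring lookaside descriptor only surfaces later, when the scanner walks the list and computes CONTAINING_RECORD on a zeroed link, which is exactly a read from (NULL - 0x28) = 0xffffffffffffffd8 as in the trap frame above, and of how a special-pool style guard reports the write at its source instead. The struct layout, the 0x28 offset and the buffer sizes are assumptions chosen to match the dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a global list of lookaside descriptors (assumption, not the kernel's layout). */
typedef struct ListEntry { struct ListEntry *Flink, *Blink; } ListEntry;

typedef struct Lookaside {
    uint32_t  Depth;            /* field the scanner reads via CONTAINING_RECORD */
    uint8_t   reserved[0x24];   /* padding so Link lands at offset 0x28 (assumption) */
    ListEntry Link;             /* link in the global list of descriptors */
} Lookaside;

#define BUF_SIZE 16
typedef struct {
    uint8_t   buf[BUF_SIZE];    /* buffer the driver requested (16 bytes) */
    Lookaside next;             /* descriptor that happens to follow it in memory */
} Neighbours;

/* Address the scanner dereferences for a link pointer: the same (link - 0x28)
 * arithmetic as "mov ecx, dword ptr [r8-28h]" in the trap frame. */
uintptr_t scan_target(const ListEntry *link) {
    return (uintptr_t)link - offsetof(Lookaside, Link);
}

/* Byte loop rather than memset so the overrun is not caught by a fortified libc. */
static void fill_zero(uint8_t *p, size_t len) {
    for (size_t i = 0; i < len; i++) p[i] = 0;
}

/* The driver fills `len` bytes of a 16-byte buffer. Returns the address the next
 * lookaside scan would touch; with len > 56 the Flink is zeroed and the result is
 * NULL - 0x28, i.e. 0xffffffffffffffd8 on x64, far from the line that caused it. */
uintptr_t overrun_then_scan(size_t len, Neighbours *n) {
    memset(n, 0xAB, sizeof *n);
    n->next.Link.Flink = n->next.Link.Blink = &n->next.Link;   /* one-entry list */
    fill_zero(n->buf, len);                                     /* the bug when len > BUF_SIZE */
    return scan_target(n->next.Link.Flink);                     /* what the scanner walks */
}

/* Special-pool style guard: a sentinel right after the buffer, checked when the
 * buffer is released, flags the overrun at the culprit instead of in the scan. */
#define GUARD 0xDEADBEEFCAFEF00Dull
typedef struct { uint8_t buf[BUF_SIZE]; uint64_t guard; } GuardedBuf;

int guarded_write_ok(size_t len) {
    GuardedBuf g = { .guard = GUARD };
    fill_zero(g.buf, len);
    return g.guard == GUARD;   /* 0 means an out-of-bounds write was detected */
}
```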

@Tim_Roberts said:
If you aren’t creating any lookaside lists, then this suggests you are writing off the end of a memory buffer. Many system buffers do come from lookaside lists, and if you write before the start or after the end, you’ll destroy the linked-list fields.

My FIRST step would be to enable Driver Verifier with “special pool”. That adds guard regions before and after every allocation to watch for overwrites.

Thanks, I will have a try.

Almost fixed; it is a memory out-of-bounds write violation.

Detected by verifier.exe.

Thanks @Tim_Roberts !!!

Enable Driver Verifier on your driver and on NDIS.sys.