Hi,
I am developing a TDI driver to filter TCP communication. The filtering part works fine, but the driver is causing an 8e crash because of an unhandled exception. I need some help to analyse the root cause of the exception.
I suspect that the crash is happening because the parameter to KeAcquireInStackQueuedSpinLock() is unavailable. I have stored the RuleSpinlock in the device extension and I am not able to understand why it would not be available to the device at any point in time.
Here is the code which crashes:
NTSTATUS tdi_Dispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
    PIO_STACK_LOCATION  pirp_stack;
    PDEVICE_EXTENSION   pDeviceExt;
    USHORT              Port = 0;
    ULONG               lSessionID = 0;
    KLOCK_QUEUE_HANDLE  LockQueueHandle;

    // The extension is needed for the pass-through below, whatever the device type
    pDeviceExt = (PDEVICE_EXTENSION) DeviceObject->DeviceExtension;
    pirp_stack = IoGetCurrentIrpStackLocation(Irp);

    if (DeviceObject->DeviceType == FILE_DEVICE_NETWORK)
    {
        if( (pirp_stack->MajorFunction == IRP_MJ_INTERNAL_DEVICE_CONTROL) &&
            (pirp_stack->MinorFunction == TDI_CONNECT) )
        {
            // For TDI_CONNECT the Parameters union holds a TDI_REQUEST_KERNEL_CONNECT;
            // the remote address is in RequestConnectionInformation
            PTDI_REQUEST_KERNEL_CONNECT pParams =
                (PTDI_REQUEST_KERNEL_CONNECT)(&pirp_stack->Parameters);
            PTDI_CONNECTION_INFORMATION pConnInfo = pParams->RequestConnectionInformation;

            if( (pConnInfo != NULL) && (pConnInfo->RemoteAddress != NULL) )
            {
                TA_ADDRESS *pRemoteAddress =
                    ((TRANSPORT_ADDRESS *) pConnInfo->RemoteAddress)->Address;

                // Only an IPv4 TA_ADDRESS carries a TDI_ADDRESS_IP payload
                if( pRemoteAddress->AddressType == TDI_ADDRESS_TYPE_IP )
                {
                    TDI_ADDRESS_IP *pAddrr = (TDI_ADDRESS_IP *) pRemoteAddress->Address;

                    // sin_port is in network byte order; swap to host order
                    Port = (USHORT)((pAddrr->sin_port >> 8) | (pAddrr->sin_port << 8));

                    IoGetRequestorSessionId(Irp, &lSessionID);

                    // Sometimes this runs at DISPATCH_LEVEL, therefore using a spinlock instead of a mutex here
                    KeAcquireInStackQueuedSpinLock(&(pDeviceExt->RuleSpinlock), &LockQueueHandle);
                    // do the filtering
                    KeReleaseInStackQueuedSpinLock(&LockQueueHandle);
                }
            }
        }
    }

    //
    // Pass the IRP to the target without touching the IRP
    //
    IoSkipCurrentIrpStackLocation(Irp);
    return IoCallDriver(pDeviceExt->TopOfStack, Irp);
}
Here is the !analyze -v output:
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8085647e, The address that the exception occurred at
Arg3: f69f4900, Trap Frame
Arg4: 00000000
Debugging Details:
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!MmGetSessionId+8
8085647e f680f801000004 test byte ptr [eax+1F8h],4
TRAP_FRAME: f69f4900 -- (.trap 0xfffffffff69f4900)
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=823fb240 edx=00bd0100 esi=82381a28 edi=81f90978
eip=8085647e esp=f69f4974 ebp=f69f4974 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
nt!MmGetSessionId+0x8:
8085647e f680f801000004 test byte ptr [eax+1F8h],4 ds:0023:000001f8=00
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0x8E
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8081c948 to 8085647e
STACK_TEXT:
f69f4974 8081c948 00000000 f69f49f4 f7860550 nt!MmGetSessionId+0x8
f69f4980 f7860550 823fb240 f69f49f0 81f90978 nt!IoGetRequestorSessionId+0x1a
f69f49f4 8081d5a3 82354020 823fb240 823fb240 XcdmTDIFlt!tdi_Dispatch+0xf0 [c:\development\cvsrepository\tdifilter\tdidriver.c @ 296]
f69f4a08 f6d1f35b 81ff0fcc 823ef008 81ff0ed8 nt!IofCallDriver+0x45
f69f4a20 f6d1e224 81feb008 f6cca350 81ff0fcc netbt!TdiConnect+0xd8
f69f4a58 f6d1fe6b 00ff0ed8 0a010a6e 82240290 netbt!TcpSessionStart+0x9c
f69f4a98 f6d1ff28 82240290 00000000 00000000 netbt!SessionSetupContinue+0x27f
f69f4ac0 f6d3a3b4 f6d1fc49 81ff0ed8 00000000 netbt!CompleteClientReq+0x92
f69f4b64 f6d2042e 82439b80 f7a8d29c 00000001 netbt!NbtCompleteLmhSvcRequest+0x29b
f69f4ba4 f6d39282 820c3d08 f7a8d090 00000278 netbt!NtProcessLmHSvcIrp+0x130
f69f4bfc f6d391e2 820c3d08 f7a8d090 00000278 netbt!DispatchIoctls+0x586
f69f4c3c 8081d5a3 820c3d08 81ed6cc8 81f2bd20 netbt!NbtDispatchDevCtrl+0xce
f69f4c50 808ed3e1 81ed6d38 81fa6f58 81ed6cc8 nt!IofCallDriver+0x45
f69f4c64 808ee169 820c3d08 81ed6cc8 81fa6f58 nt!IopSynchronousServiceTail+0x10b
f69f4d00 808e6cca 00000158 00000124 00000000 nt!IopXxxControlFile+0x5e5
f69f4d34 80883908 00000158 00000124 00000000 nt!NtDeviceIoControlFile+0x2a
f69f4d34 7c8285ec 00000158 00000124 00000000 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0095fb54 00000000 00000000 00000000 00000000 0x7c8285ec
STACK_COMMAND: kb
FOLLOWUP_IP:
XcdmTDIFlt!tdi_Dispatch+f0 [c:\development\cvsrepository\tdifilter\tdidriver.c @ 296]
f7860550 8b4dc8 mov ecx,dword ptr [ebp-38h]
FAULTING_SOURCE_CODE:
292: //check it while installation of SFA
293: IoGetRequestorSessionId(Irp, &lSessionID);
294:
295: //Some time this runs at DISPATCH level therefore using Spinlog instead of mutex here
296: KeAcquireInStackQueuedSpinLock(&(pDeviceExt->RuleSpinlock), &LockQueueHandle);
297:
298: pTmpRulesList = pDeviceExt->pSessRulesHead;
299: while(pTmpRulesList != NULL)
300: {
301: if(pTmpRulesList->WTSSessionID == lSessionID)
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: XcdmTDIFlt!tdi_Dispatch+f0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: XcdmTDIFlt
IMAGE_NAME: XcdmTDIFlt.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4d5b012f
FAILURE_BUCKET_ID: 0x8E_XcdmTDIFlt!tdi_Dispatch+f0
BUCKET_ID: 0x8E_XcdmTDIFlt!tdi_Dispatch+f0
Followup: MachineOwner
Thanks in advance for the help…
Nilesh
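Reading the trap frame above: eax is 0, the faulting instruction is `test byte ptr [eax+1F8h],4`, and the first argument in the nt!MmGetSessionId+0x8 frame is 00000000, so the fault is a NULL base pointer dereferenced at field offset 0x1F8 inside MmGetSessionId (reached from IoGetRequestorSessionId), not inside KeAcquireInStackQueuedSpinLock. The Python triage helper below is an added example, not part of the original post; it extracts exactly those facts from constructed copies of the pasted dump lines and classifies the fault, and the 64 KiB NULL-page threshold is an assumption about the x86 address layout.

```python
import re

# Constructed excerpts of the !analyze -v output quoted in the post: the trap-frame
# register line, the faulting instruction (with WinDbg's ds:seg:addr note) and the top kb frame.
TRAP_REGS = "eax=00000000 ebx=00000000 ecx=823fb240 edx=00bd0100 esi=82381a28 edi=81f90978"
FAULT_INSN = "8085647e f680f801000004 test byte ptr [eax+1F8h],4 ds:0023:000001f8=00"
TOP_FRAME = "f69f4974 8081c948 00000000 f69f49f4 f7860550 nt!MmGetSessionId+0x8"

# Assumption: the lowest 64 KiB is never mapped on x86 Windows, so an effective
# address below it means a NULL or near-NULL base pointer, not a wild one.
NULL_PAGE_LIMIT = 0x10000

def parse_registers(line):
    """Turn 'eax=00000000 ebx=00000000 ...' into {'eax': 0, 'ebx': 0, ...}."""
    return {name: int(val, 16) for name, val in re.findall(r"(\w+)=([0-9a-f]{8})", line)}

def parse_memory_operand(insn):
    """Return (base_register, displacement) for an operand like '[eax+1F8h]'."""
    m = re.search(r"\[(\w+)(?:\+([0-9A-Fa-f]+)h?)?\]", insn)
    if m is None:
        raise ValueError("no [reg+disp] memory operand in: " + insn)
    return m.group(1), int(m.group(2) or "0", 16)

def annotated_address(insn):
    """WinDbg's trailing 'ds:0023:000001f8=00' gives the address actually touched."""
    m = re.search(r"ds:[0-9a-f]{4}:([0-9a-f]{8})", insn)
    return int(m.group(1), 16) if m else None

def first_argument(frame):
    """Third column of a kb frame is the callee's first argument ([ebp+8] on x86)."""
    return int(frame.split()[2], 16)

def classify(regs_line, insn, frame):
    """Compute the effective address and say what kind of bad pointer it implies."""
    regs = parse_registers(regs_line)
    base, disp = parse_memory_operand(insn)
    ea = regs[base] + disp
    if regs[base] == 0:
        kind = "null-structure-dereference"  # NULL struct pointer, field at +disp
    elif ea < NULL_PAGE_LIMIT:
        kind = "near-null-pointer"
    else:
        kind = "wild-or-freed-pointer"
    return {"base_register": base, "field_offset": disp, "effective_address": ea,
            "matches_annotation": annotated_address(insn) == ea,
            "callee_first_arg_null": first_argument(frame) == 0, "kind": kind}

if __name__ == "__main__":
    print(classify(TRAP_REGS, FAULT_INSN, TOP_FRAME))
```

For the pasted lines the helper reports a NULL base register with field offset 0x1F8, an effective address matching WinDbg's own annotation, and a NULL first argument in the MmGetSessionId frame; it accepts any x86 trap frame whose faulting operand has the [reg+disp] form.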