Hi.
I have encountered strange issue on our driver and I’m looking for some help to investigate the issue. The driver was working fine (more or less) for years. Lately after update to new Symantec antivirus the BSODs on some old PCs (with 256 MB RAM) started to happen.
Crash dump analysis shows that the issue is always related to address of the NDIS!ndisDummyIrpHandler function. It looks like the function is paged out because new antivirus is using a lot of memory.
I enabled Driver Verifier for the driver and was able to reproduce the issue on PCs with lots of mem and antivirus soft installed. The issue is reproducible on Vista and 2003 OS (these I tried). When I uninstall antivirus the issue goes away.
The issue seems strange because NDIS!ndisDummyIrpHandler is used to handle IRPs and it may be used from Dispatch level, why is it pageable code than? Or am I misunderstanding this, and the driver is doing something wrong?
If someone got some advices what to do next and how to fix that, I will be glad to hear from you.
Thanks,
Mirek
Some info from WinDbg:
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: f9a14198, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: f9a14198, address which referenced memory
Debugging Details:
READ_ADDRESS: f9a14198
CURRENT_IRQL: 2
FAULTING_IP:
NDIS!ndisDummyIrpHandler+0
f9a14198 8bff mov edi,edi
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: XXX.exe
TRAP_FRAME: f8804b38 – (.trap 0xfffffffff8804b38)
ErrCode = 00000000
eax=0000000f ebx=81650ab0 ecx=81650ab0 edx=81255208 esi=81690e90 edi=00000000
eip=f9a14198 esp=f8804bac ebp=f8804bbc iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
NDIS!ndisDummyIrpHandler:
f9a14198 8bff mov edi,edi
Resetting default scope
LAST_CONTROL_TRANSFER: from f9a14198 to 80826693
FAILED_INSTRUCTION_ADDRESS:
NDIS!ndisDummyIrpHandler+0
f9a14198 8bff mov edi,edi
STACK_TEXT:
f8804b38 f9a14198 badb0d00 81255208 816256a0 nt!KiTrap0E+0x2a1
f8804ba8 80828ec3 81650ab0 81255208 812f0960 NDIS!ndisDummyIrpHandler
f8804bbc f8c00de8 812f0960 81466398 812f08a8 nt!IofCallDriver+0x45
f8804bcc f8c018e5 812f08a8 81466398 812f08a8 MyDriver!HoldDeviceInReset+0x90
f8804bec 8081b473 812f0802 01466398 81466398 MyDriver!StartIo_gendspk+0x12b
f8804c10 f8bff531 812f08a8 81466398 00000000 nt!IoStartPacket+0xa6
f8804c24 f8bff7b3 812f08a8 81466398 81466398 MyDriver!HandleGetKmdRxNonVirtualDescTableContents_gendspk+0x1d
f8804c3c 80828ec3 812f08a8 81466398 8161f780 MyDriver!DispatchIoControl_gendspk+0x97
f8804c50 8090b6e3 81466408 814262e8 81466398 nt!IofCallDriver+0x45
f8804c64 8090e95f 812f08a8 81466398 814262e8 nt!IopSynchronousServiceTail+0x10b
f8804d00 8092e5f0 00000290 000002ac 00000000 nt!IopXxxControlFile+0x60f
f8804d34 8082350b 00000290 000002ac 00000000 nt!NtDeviceIoControlFile+0x2a
f8804d34 7c8285ec 00000290 000002ac 00000000 nt!KiFastCallEntry+0xf8
0759ea54 7c826fcb 77e417e5 00000290 000002ac ntdll!KiFastSystemCallRet
0759ea58 77e417e5 00000290 000002ac 00000000 ntdll!NtDeviceIoControlFile+0xc
0759eabc 00404f65 00000290 800f2008 00000000 kernel32!DeviceIoControl+0xd2
0759ead4 00000000 0759eaf0 0759eafc 00000001 XXX!BeginApplication+0x15
STACK_COMMAND: kb
FOLLOWUP_IP:
MyDriver!HoldDeviceInReset+90
f8c00de8 0fb74618 movzx eax,word ptr [esi+18h]
kd> .trap 0xfffffffff8804b38
ErrCode = 00000000
eax=0000000f ebx=81650ab0 ecx=81650ab0 edx=81255208 esi=81690e90 edi=00000000
eip=f9a14198 esp=f8804bac ebp=f8804bbc iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
NDIS!ndisDummyIrpHandler:
f9a14198 8bff mov edi,edi
kd> u NDIS!ndisDummyIrpHandler
NDIS!ndisDummyIrpHandler:
f9a14198 8bff mov edi,edi
f9a1419a 55 push ebp
f9a1419b 8bec mov ebp,esp
f9a1419d 8b4d0c mov ecx,dword ptr [ebp+0Ch]
f9a141a0 8b5160 mov edx,dword ptr [ecx+60h]
f9a141a3 56 push esi
f9a141a4 57 push edi
f9a141a5 8b7d08 mov edi,dword ptr [ebp+8]
kd> !address NDIS!ndisDummyIrpHandler
f8136000 - 02229000
Usage KernelSpaceUsageNonPagedSystem
kd> !pte NDIS!ndisDummyIrpHandler
VA f9a14198
PDE at C0300F98 PTE at C03E6850
contains 00AA5163 contains 0FDD6860
pfn aa5 -G-DA–KWEV not valid
Transition: fdd6
Protect: 3 - ExecuteRead
kd> !pool NDIS!ndisDummyIrpHandler
Pool page f9a14198 region is Unknown
f9a14000 is not a valid large pool allocation, checking large session pool…
f9a14000 is freed (or corrupt) pool
Bad previous allocation size @f9a14000, last size was 0
***
*** An error (or corruption) in the pool was detected;
*** Pool Region unknown (0xFFFFFFFFF9A14000)
***
*** Use !poolval f9a14000 for more details.
***