BSOD PAGE_FAULT_IN_NONPAGED_AREA

How is DEVICE_EXTENSION defined?

On Sun, Feb 28, 2016 at 1:36 AM, Sergey Pisarev
wrote:

> disregard my previous message
>
> On Sun, Feb 28, 2016 at 1:16 AM, Sergey Pisarev
> wrote:
>
>> If this is your actual code, you call IoCreateDevice with extension size
>> null and dereference the device extension (null) in the dispatch routine
>>
>>
>> On Sunday, 28 February 2016, wrote:
>>
>>> Well, if you’re DeviceObject from a dispatch entry point, it always WILL
>>> be your device object… Right? It can’t be anything else.
>>>
>>> I’d like to help you, Mr Ahmed, I really would. But I’d need to see the
>>> whole of what you’re doing and sit down and study what’s happening and
>>> exactly what the crash dump says. That would take a considerable amount of
>>> time. It’s not the kind of thing I can do in a forum, answering posts on a
>>> Saturday afternoon while lying on my couch.
>>>
>>> I’m sorry…
>>>
>>> Peter
>>> OSR
>>> @OSRDrivers
>>>
>>>
>>> —
>>> NTDEV is sponsored by OSR
>>>
>>> Visit the list online at:
>>> <http://www.osronline.com/showlists.cfm?list=ntdev>
>>>
>>> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>>> software drivers!
>>> Details at http:
>>>
>>> To unsubscribe, visit the List Server section of OSR Online at
>>> <http://www.osronline.com/page.cfm?name=ListServer>
>>>
>>
>>
>> –
>> Sent from Gmail Mobile
>>
>

check IoAttachDeviceToDeviceStackSafe call
note that third parameter is PDEVICE_OBJECT* and not just PDEVICE_OBJECT

On Sun, Feb 28, 2016 at 1:37 AM, Sergey Pisarev
wrote:

> How is DEVICE_EXTENSION defined?

Peter Viscarola, man, I seriously think you are the real man. You really wanted to help and I seriously respect that.
Sergey Pisarev, you are love. Seriously, you saw a very little mistake and pointed it out. In the IoAttachDeviceToDeviceStackSafe call I was not passing the pointer and that was causing the trouble. Now my driver is working really fine. Seriously love you all. Love you.

The only problem left is that my driver is only attaching to the FileSystem CDO and not the VDO. Can you please guide me on how to attach my driver to the VDO?

I seriously owe you guys. Thank you really very much for your time guys. Love you.

You need to dispatch IRP_MJ_FILE_SYSTEM_CONTROL with minor code
IRP_MN_MOUNT_VOLUME that comes to the FS CDO.

https://msdn.microsoft.com/en-us/library/windows/hardware/ff548670(v=vs.85).aspx?f=255&MSPPError=-2147217396

There was an sfilter legacy FS filter example in WDK 6001.

But you shouldn’t do that. Just go with a minifilter. Filter Manager handles
all that for you.

On Sun, Feb 28, 2016 at 6:02 PM, wrote:

> Peter Viscarola, man, I seriously think you are the real man. You really
> wanted to help and I seriously respect that.
> Sergey Pisarev, you are love. Seriously, you saw a very little mistake and
> pointed it out. In the IoAttachDeviceToDeviceStackSafe call I was not
> passing the pointer and that was causing the trouble. Now my driver is
> working really fine. Seriously love you all. Love you.
>
> The only problem left is that my driver is only attaching to the FileSystem
> CDO and not the VDO. Can you please guide me on how to attach my driver to
> the VDO?
>
> I seriously owe you guys. Thank you really very much for your time guys.
> Love you.

Actually, for a file system minifilter I would have to learn that from the beginning. I have been working on this filter driver for over a month and tomorrow I have to submit the working driver. That’s why I am sticking to this. By the way, thank you really very much for the time.

Can you help me again? Sorry to bother you guys. I have added the code in my driver to attach to the VDO when the IoRegisterFsRegistrationChange notification callback is called.
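    PDEVICE_OBJECT devices[64];
    ULONG i = 0, num = 0;

    for (i = 0; i < 64; i++)
        devices[i] = NULL;

    /* Enumerate the device objects created by the driver that owns DeviceObject. */
    status = IoEnumerateDeviceObjectList(
        DeviceObject->DriverObject,
        devices,
        sizeof(devices),    /* buffer size in bytes */
        &num
    );
    if (!NT_SUCCESS(status))
    {
        return status;
    }

    for (i = 0; i < num; i++)
    {
        /* Skip the notifying device itself, other device types and devices already filtered. */
        if (devices[i] != DeviceObject && DeviceObject->DeviceType == devices[i]->DeviceType && !FsFilterIsAttachedToDevice(devices[i]))
        {
            status = Attach(devices[i]);
            /* Note: IoEnumerateDeviceObjectList references every object it returns,
               but only the objects that pass the test above are dereferenced here. */
            ObDereferenceObject(devices[i]);
        }
    }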
This code gives me BSOD PAGE_FAULT_IN_NON_PAGED_AREA.
Here is the portion of crash dump.
STACK_TEXT:
9693bac4 82a7baa8 00000000 fffffff7 00000000 nt!MmAccessFault+0x104
9693bac4 82c71235 00000000 fffffff7 00000000 nt!KiTrap0E+0xdc
9693bb78 82cbcaa2 0169efc4 852f4518 8533b701 nt!ObOpenObjectByName+0x253
9693bd24 82a788c6 0169efc4 0169ef8c 0169eff4 nt!NtQueryFullAttributesFile+0x136
9693bd24 770b70f4 0169efc4 0169ef8c 0169eff4 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0169eff4 00000000 00000000 00000000 00000000 0x770b70f4

Where is it crashing in your code?

Showing us a tiny bit of the !analyze -v really doesn’t help much…

Peter
OSR
@OSRDrivers

This is the complete crash dump …

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc)
An attempt was made to execute non-executable memory. The guilty driver
is on the stack trace (and is typically the current instruction pointer).
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: 8fd3d890, Virtual address for the attempted execute.
Arg2: 883f5963, PTE contents.
Arg3: 8fd3d7ac, (reserved)
Arg4: 00000002, (reserved)

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 7601.18247.x86fre.win7sp1_gdr.130828-1532

SYSTEM_MANUFACTURER: Dell Inc.

SYSTEM_PRODUCT_NAME: OptiPlex 760

BIOS_VENDOR: Dell Inc.

BIOS_VERSION: A16

BIOS_DATE: 08/06/2013

BASEBOARD_MANUFACTURER: Dell Inc.

BASEBOARD_PRODUCT: 0R230R

BASEBOARD_VERSION: A00

DUMP_TYPE: 2

BUGCHECK_P1: ffffffff8fd3d890

BUGCHECK_P2: ffffffff883f5963

BUGCHECK_P3: ffffffff8fd3d7ac

BUGCHECK_P4: 2

CPU_COUNT: 4

CPU_MHZ: a64

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 17

CPU_STEPPING: a

CPU_MICROCODE: 6,17,a,0 (F,M,S,R) SIG: A0B'00000000 (cache) A0B'00000000 (init)

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0xFC

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: MAMOONAHMED-PC

ANALYSIS_SESSION_TIME: 02-29-2016 22:31:49.0121

ANALYSIS_VERSION: 10.0.10586.567 x86fre

TRAP_FRAME: 8fd3d7ac -- (.trap 0xffffffff8fd3d7ac)
ErrCode = 00000011
eax=00000000 ebx=00000000 ecx=00020001 edx=00020000 esi=bdf2ad78 edi=00000023
eip=8fd3d890 esp=8fd3d820 ebp=8545f600 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
8fd3d890 8cd9 mov ecx,ds
Resetting default scope

LAST_CONTROL_TRANSFER: from 82a77aa8 to 82ac4879

STACK_TEXT:
8fd3d794 82a77aa8 00000008 8fd3d890 00000000 nt!MmAccessFault+0x104
8fd3d794 8fd3d890 00000008 8fd3d890 00000000 nt!KiTrap0E+0xdc
WARNING: Frame IP not in any known module. Following frames may be wrong.
8fd3d820 8c103fee 03db625c bdf2ad78 87a7e490 0x8fd3d890
8fd3d890 8c103b66 87a7e490 bdf2ac88 00000080 Ntfs+0xb6fee
8fd3d98c 8c069426 87a7e490 bdf2ac88 9e37b108 Ntfs+0xb6b66
8fd3da04 8c05d65a 87a7e490 87a87b18 87e84908 Ntfs+0x1c426
8fd3db24 8c06187a 87a7e490 87a87b18 03db6150 Ntfs+0x1065a
8fd3db9c 82a6dc1e 8622b020 87a87b18 87a87b18 Ntfs+0x1487a
8fd3dbb4 8c00e20c 861ce5a8 87a87b18 00000000 nt!IofCallDriver+0x63
8fd3dbd8 8c00e3cb 8fd3dbf8 861ce5a8 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2aa
8fd3dc10 82a6dc1e 861ce5a8 87a87b18 8545f600 fltmgr!FltpDispatch+0xc5
8fd3dc28 9f3e05b1 8545f6b8 8fd3dc4c 82a6dc1e nt!IofCallDriver+0x63
8fd3dc34 82a6dc1e 8545f600 87a87b18 87a87b18 MyDriver3+0x15b1
8fd3dc4c 82c61bf9 87e84908 87a87b18 87a87cf0 nt!IofCallDriver+0x63
8fd3dc6c 82ca79a0 8545f600 87e84908 00000001 nt!IopSynchronousServiceTail+0x1f8
8fd3dd08 82a748c6 8545f600 00000000 00000000 nt!NtWriteFile+0x6e8
8fd3dd08 779870f4 8545f600 00000000 00000000 nt!KiSystemServicePostCall
037bf810 00000000 00000000 00000000 00000000 0x779870f4

STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: b18d7682f4d1713b22e36b1f4a429a97397aac34

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 4f9bead2fff155e34aee1e8a46d3370011ada196

THREAD_SHA1_HASH_MOD: 8e8788c8dab8357844833a7c0f255f5797f3e1e1

FOLLOWUP_IP:
MyDriver3+15b1
9f3e05b1 ?? ???

SYMBOL_STACK_INDEX: c

SYMBOL_NAME: MyDriver3+15b1

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: MyDriver3

IMAGE_NAME: MyDriver3.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 56d47bd1

FAILURE_BUCKET_ID: 0xFC_MyDriver3+15b1

BUCKET_ID: 0xFC_MyDriver3+15b1

PRIMARY_PROBLEM_CLASS: 0xFC_MyDriver3+15b1

TARGET_TIME: 2016-02-29T17:15:58.000Z

OSBUILD: 7601

OSSERVICEPACK: 1000

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x86

OSNAME: Windows 7

OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2013-08-29 05:58:30

BUILDDATESTAMP_STR: 130828-1532

BUILDLAB_STR: win7sp1_gdr

BUILDOSVER_STR: 6.1.7601.18247.x86fre.win7sp1_gdr.130828-1532

ANALYSIS_SESSION_ELAPSED_TIME: 5bc

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xfc_mydriver3+15b1

FAILURE_ID_HASH: {112bb59a-38df-1de8-e4da-53c5577a6f03}

Followup: MachineOwner

Kind of a cool crash. This is NOT the same crash you posted the partial stack dump of previously.

It would sort of be nice if you had symbols for your own driver available. Looks like you’re getting a write operation, and you’ve got an issue at “MyDriver3+0x15b1”?

Having said that, I have to quickly add I have no idea what’s gone wrong.

Peter
OSR
@OSRDrivers

xxxxx@gmail.com wrote:

> This is the complete crash dump …

Notice that the code has attempted to jump to an address on the stack.
This suggests that you may have used an incorrect address for a callback
or a completion routine, or something like that.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
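
Added example, not code from any poster in this thread: a Python sketch that applies Tim's observation to the trap frame and stack listing posted above and also reports which modules on the stack have no symbols. The function and field names are illustrative, the stack bounds are a heuristic taken from the ChildEBP column, and the 0x80000000 kernel base assumes the default x86 address split.

```python
import re

# Excerpt of the trap frame and STACK_TEXT lines posted in this thread.
DUMP = """\
ErrCode = 00000011
eax=00000000 ebx=00000000 ecx=00020001 edx=00020000 esi=bdf2ad78 edi=00000023
eip=8fd3d890 esp=8fd3d820 ebp=8545f600 iopl=0 nv up ei pl zr na pe nc
8fd3d794 82a77aa8 00000008 8fd3d890 00000000 nt!MmAccessFault+0x104
8fd3d794 8fd3d890 00000008 8fd3d890 00000000 nt!KiTrap0E+0xdc
8fd3d820 8c103fee 03db625c bdf2ad78 87a7e490 0x8fd3d890
8fd3d890 8c103b66 87a7e490 bdf2ac88 00000080 Ntfs+0xb6fee
8fd3dc28 9f3e05b1 8545f6b8 8fd3dc4c 82a6dc1e nt!IofCallDriver+0x63
8fd3dc34 82a6dc1e 8545f600 87a87b18 87a87b18 MyDriver3+0x15b1
8fd3dd08 82a748c6 8545f600 00000000 00000000 nt!NtWriteFile+0x6e8
037bf810 00000000 00000000 00000000 00000000 0x779870f4
"""

KERNEL_BASE = 0x80000000  # assumption: default 2 GB user / 2 GB kernel x86 split
REG = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")
# child-EBP, return address, three arguments, then the symbol column
FRAME = re.compile(r"^([0-9a-f]{8}) [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+)$", re.M)
NO_SYMS = re.compile(r"(\w+)\+0x[0-9a-f]+")  # "Module+0xoff" with no "!function"


def triage(text):
    """Summarise an x86 trap frame plus kb-style stack listing."""
    regs = {name: int(val, 16) for name, val in REG.findall(text)}
    err = int(re.search(r"ErrCode = ([0-9a-f]+)", text).group(1), 16)
    frames = [(int(ebp, 16), sym) for ebp, sym in FRAME.findall(text)]
    # The kernel-mode frame pointers bound the part of the stack in use.
    kstack = [ebp for ebp, _ in frames if ebp >= KERNEL_BASE]
    low, high = min(kstack + [regs["esp"]]), max(kstack)
    modules = [m.group(1) for _, sym in frames if (m := NO_SYMS.fullmatch(sym))]
    return {
        "page_present": bool(err & 0x01),       # page-fault error code bit 0
        "instruction_fetch": bool(err & 0x10),  # bit 4: fault on a code fetch
        "eip_on_stack": low <= regs["eip"] <= high,
        "modules_without_symbols": list(dict.fromkeys(modules)),
    }


if __name__ == "__main__":
    for key, value in triage(DUMP).items():
        print(f"{key}: {value}")
```
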

as Tim said, you probably registered a wrong callback address.

  1. load the correct symbol of your driver and post the report out again.
  2. post what .trap says.

and seriously, please follow what Peter and Scott suggested.


From: xxxxx@lists.osr.com on behalf of Tim Roberts
Sent: March 1, 2016, 09:55 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] BSOD PAGE_FAULT_IN_NONPAGED_AREA

xxxxx@gmail.com wrote:
> This is the complete crash dump …

Notice that the code has attempted to jump to an address on the stack.
This suggests that you may have used an incorrect address for a callback
or a completion routine, or something like that.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.



In this ( http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial ) tutorial he ( the author ) implemented Fast I/O routines in which he simply checks whether the next driver supports fast I/O and the fast I/O request is valid, then passes that request to the next driver. On the other hand, I simply returned false in the Fast I/O routines except for fastIoDetach. According to the MSDN article ( https://msdn.microsoft.com/en-us/library/windows/hardware/ff548576(v=vs.85).aspx ) simply returning false is valid. But when I run my code it gives me PAGE_FAULT_IN_NON_PAGED_AREA; on Windows 10 it gives ATTEMPTED_TO_WRITE_ON_READ_ONLY, something like this error. (I am not posting both crash dumps because the comment will get too long.)
Can anybody tell me what is wrong with my approach?
My code and the code given by the codeproject article are the same except for the fast I/O routines.
The codeproject example is working fine.

Are you sure crash happens during fast io dispatch ?

Once again you should move to minifilter.
Effectively it will be much faster than debug legacy filter

On Tuesday, March 1, 2016, wrote:

> In this (
> http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial
> ) tutorial he ( the author ) implemented Fast I/O routines in which he
> simply checks whether the next driver supports fast I/O and the fast I/O
> request is valid, then passes that request to the next driver. On the other
> hand, I simply returned false in the Fast I/O routines except for
> fastIoDetach. According to the MSDN article (
> https://msdn.microsoft.com/en-us/library/windows/hardware/ff548576(v=vs.85).aspx
> ) simply returning false is valid. But when I run my code it gives me
> PAGE_FAULT_IN_NON_PAGED_AREA; on Windows 10 it gives
> ATTEMPTED_TO_WRITE_ON_READ_ONLY, something like this error. (I am not
> posting both crash dumps because the comment will get too long.)
> Can anybody tell me what is wrong with my approach?
> My code and the code given by the codeproject article are the same except
> for the fast I/O routines.
> The codeproject example is working fine.


Sent from Gmail Mobile

That’s the correct approach. What’s really funny is that in many cases, we’ve found that I/O operations on the underlying file system are actually faster when you DISABLE Fast I/O than with it. So, don’t hesitate to just return FALSE because you don’t want to impact the perf of the system.

Peter
OSR
@OSRDrivers

I am sure the crash happens due to the fast I/O routines, because my code and the codeproject example code are exactly the same ( due to the only approach according to my understanding ) except that I just returned false in the fast I/O dispatch routines. This is strange. And according to this ( https://msdn.microsoft.com/en-us/library/windows/hardware/ff547172(v=vs.85).aspx ) article I just passed NULL in the File System filter callback routines, which is the right way according to that article.

Sergey Pisarev, as you advised before, I went on to build a minifilter. The simplest code I had created was just listening to IRP_MJ_READ, and in preOperationCallback I just PT_DBG_PRINTed and returned FLT_PREOP_SUCCESS_NO_CALLBACK, and that gave me a BSOD. I am sure it is the simplest and bugless ( according to my understanding ). But I can be wrong. I figured out minifilter is simple but that did not work for me sadly.
Explicitly, being a developer I feel ashamed to be stuck here for over a month.