What could be the reason for the driver to get unloaded before loading the
driver properly.
The most likely reason is that you are not returning STATUS_SUCCESS from
DriverEntry. I would bet you $1 that was the root issue here but doing so
violates the list rules about discussing rates ?
But seriously, do you have a debugger? Have you stepped through your
DriverEntry? Do you have the very simplest of diagnostics possible in a
DriverEntry?
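NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    // Start from a failure code so the value is never read uninitialized.
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;

    // Trace entry so the debugger log shows every load of the driver.
    DbgPrint("MyDrv!++DriverEntry(%p,%p)\n", DriverObject, RegistryPath);

    // Somewhere, you better be setting ntStatus to a return value…

    ASSERT(NT_SUCCESS(ntStatus));

    // Trace exit together with the status that is actually returned.
    DbgPrint("MyDrv!--DriverEntry(%p,%p)->%#x\n", DriverObject,
             RegistryPath, ntStatus);
    return ntStatus;
}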
What you keep saying is that DriverEntry() returns STATUS_SUCCESS and that
for some unknown reason your driver is getting unloaded. Look, that is not
likely and that has been pointed out to you. You have not added any detail
to this discussion which would lead me to believe you really know the return
value of DriverEntry() because you have not done the simplest of things -
post a debug trace showing a DbgPrint() on DriverEntry() ‘entry’ and ‘exit’
that spews out the result or any other substantive evidence.
So stop asking the same question with no further information. How do you
expect *us* to know what is going on in *your* driver unless you help.
Do a little debugging. It will seriously help your cause.
Good Luck,
Dave Cattley
Consulting Engineer
Systems Software Development
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of SatheeshBabu
Muthupandi
Sent: Monday, February 16, 2009 3:45 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] BSOD with
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS -Intermediate driver
David,
Thanks for your reply.
FYI, I’m installing my driver on a fresh OS (Windows 2003 Server SP2). My
MiniportInitialize is not getting called at all. MiniportInitialize gets
called in the context of ProtocolBindAdapter. In my scenario
ProtocolBindAdapter itself is not called.
I’m returning NDIS_STATUS_SUCCESS from my DriverEntry if my registration of
miniport and protocol characteristics succeeds.
What could be the reason for the driver to get unloaded before loading the
driver properly?
Though registration happens properly, why does nt!IopLoadDriver fail in loading
the driver and come for the DriverEntry call a second time…
Am I making any mistake in callback registration of miniport or protocol?
regards
satheesh
On Mon, Feb 16, 2009 at 11:57 AM, David R. Cattley wrote:
DriverEntry only gets called once per loading of your driver. So, your
driver is getting loaded, unloaded, and loaded again.

If you return STATUS_SUCCESS (or NDIS_STATUS_SUCCESS) from DriverEntry, and
have registered a MiniportUnload handler then be sure that you are cleaning
up your protocol registration properly.

Does your MiniportInitialize() get called for some number of (virtual)
miniports? Does your MiniportHalt() get called too?

Are you by chance running on Vista?

The bottom line is that your driver is leaving behind a ‘callback’
potential. At this point I would guess that you are not removing the
Protocol Registration on unload and so the next time your driver is loaded
and NDIS triggers binding, it is binding to an ‘old’ protocol registration
pointing into space.

Good Luck,
Dave Cattley
Consulting Engineer
Systems Software Development

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of SatheeshBabu
Muthupandi
Sent: Monday, February 16, 2009 12:26 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] BSOD with
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS -Intermediate driver
All,
While debugging, I found that my DriverEntry gets called twice… meaning
the first time, after DriverEntry returns success, nt!IopLoadDriver fails, and
DriverEntry gets called a second time.
When nt!IopLoadDriver fails, all my entry points are freed (null) and the
ProtocolBindAdapter entry point is called (which is NULL), which leads to a crash.
I don’t have any reference count for my driver instance. I also don’t have any
DPCs, timers, work items etc…
thanks
satheesh
On Fri, Feb 13, 2009 at 8:52 PM, David R. Cattley wrote:
Satheesh,

Yes, I have a clue. Better, you provided evidence that the problem is
with your driver. Windows has identified that your driver unloaded from
memory while it was still possible (neah, actual) that a code execution path
could occur through where your driver was previously loaded. This can only
occur because your driver left behind:

1. A timer.
2. A DPC
3. A work item.
4. A callback registered with another driver.
5. Etc., etc.

Now regardless of the vindication you might feel that it only happens
because driver is loaded and when you remove driver it
no longer happens, that is not nearly as strong a bit of evidence as the
crash dump saying your (now unloaded) driver is in the code path.

The driver is simply changing the test so that some curious bit
of timing no longer occurs and your driver just happens to be in memory just
long enough for whatever bit of dangling callback you have to complete
before the loader unmaps the image.

Use .reload /unl to load your symbols against the ‘unloaded’ location of
your driver, analyze the stack back trace very carefully looking at the
state of the system (and the locals on the stack) owned by the activation
frame in your driver. Figure out why execution is running through your
driver after it has unloaded.

Don’t call just yet until you prove that the driver
improperly cached a pointer to your code and tried to call your driver after
it unloaded for no good reason. Actually, you should be thankful that you
have a definitive way to cause the crash. It will make it easier to find
what is likely a bug in your driver.

So, do you have any, Timers, DPCs, Work Items, or Callbacks? Do you
reference count your ‘module’ to prevent DriverUnload() from completing
until all of these callback capable resources have been drained and
released?

Good Luck,
Dave Cattley
Consulting Engineer
Systems Software Development

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of SatheeshBabu
Muthupandi
Sent: Friday, February 13, 2009 7:09 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] BSOD with
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS -Intermediate driver
Dave,
bnadimd5.sys is my driver which is under development. What I’m doing is, through the
notify object DLL (took the one from sample MUL driver), installing my
Intermediate driver. I can see my driver entry gets called but after that it
immediately crashes.
The point here is, I won’t see the crash if there is no TrendMicro
Software (antivirus software) installed in the system. BSOD occurs only when
the TrendMicro Software is present.
ProtocolBindAdapter itself is not getting called. BSOD occurs prior to that.
Any clue?
Regards
Satheesh
On Fri, Feb 13, 2009 at 3:38 PM, David R. Cattley wrote:
What driver is bnadimd5.sys? Yours?
Turn on driver verifier for your driver and NDIS.SYS. Turn it on for the
3rd party driver too.
The bugcheck is (as it says) a case where a module has been unloaded
(bnadimd5.sys) yet a callback occurred (or return through a call occurred)
in that driver.
The driver did not correctly synchronize its and allowed itself to be
unloaded when it was not safe to do so. The crash occurred after the
unload. Since you don’t say exactly all of what you were doing, it could
be that you had installed your IM driver and that it was being loaded /
unloaded / reloaded. It might be that the unload prior to the load is where
the real problem is.
Good Luck,
Dave Cattley
Consulting Engineer
Systems Software Development
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Friday, February 13, 2009 6:01 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] BSOD with
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS -Intermediate driver
Hi All,
When I tried to install my Intermediate driver, right after Driver Entry I’m
seeing BSOD. This happens only when a trend micro filter driver
(antivirus) software is enabled.
Below are the BSOD logs. Can anybody help me to debug this crash?
Use !analyze -v to get detailed debugging information.
BugCheck CE, {f4c72680, 8, f4c72680, 0}
Probably caused by : bnadimd5.sys ( bnadimd5+2680 )
Followup: MachineOwner
---------
nt!RtlpBreakWithStatusInstruction:
807584dc cc              int     3
kd> !analyze -v
*******************************************************************
                       Bugcheck Analysis
*************************************************************************
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
The broken driver’s name is displayed on the screen.
Arguments:
Arg1: f4c72680, memory referenced
Arg2: 00000008, value 0 = read operation, 1 = write operation
Arg3: f4c72680, If non-zero, the instruction address which referenced the bad memory
        address.
Arg4: 00000000, Mm internal code.
Debugging Details:
------------------
WRITE_ADDRESS:  f4c72680
FAULTING_IP:
bnadimd5+2680
f4c72680 ??              ???
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xCE
PROCESS_NAME:  System
CURRENT_IRQL:  1
TRAP_FRAME:  f5b2ab80 -- (.trap 0xfffffffff5b2ab80)
ErrCode = 00000010
eax=f5b2ac80 ebx=87397008 ecx=00000000 edx=00000000 esi=87838334 edi=87418350
eip=f4c72680 esp=f5b2abf4 ebp=f5b2ac84 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
<unloaded_bnadimd5.sys>+0x2680:
f4c72680 ??              ???
Resetting default scope
IP_MODULE_UNLOADED:
bnadimd5+2680
f4c72680 ??              ???
LAST_CONTROL_TRANSFER:  from 806377bf to 807584dc
STACK_TEXT:
f5b2a6f0 806377bf 00000003 00000000 00000000 nt!RtlpBreakWithStatusInstruction
f5b2a73c 80638743 00000003 c07a6390 00000000 nt!KiBugCheckDebugBreak+0x19
f5b2aad4 80638b7d 00000050 f4c72680 00000008 nt!KeBugCheck2+0x5e1
f5b2aaf4 8070f3b1 00000050 f4c72680 00000008 nt!KeBugCheckEx+0x1b
f5b2ab68 8077ad54 00000008 f4c72680 00000000 nt!MmAccessFault+0x1bd3
f5b2ab68 f4c72680 00000008 f4c72680 00000000 nt!KiTrap0E+0xe4
WARNING: Frame IP not in any known module. Following frames may be wrong.
f5b2abf0 f6f0a9d5 f5b2ac80 f5b2ac18 87838334 <unloaded_bnadimd5.sys>+0x2680
f5b2ac84 f6f0d073 87418350 8760d518 80bbf460 NDIS!ndisInitializeBinding+0x1a1
f5b2ad0c f6f15a03 87418350 87397008 87397098 NDIS!ndisCheckAdapterBindings+0xf5
f5b2ad94 f6f08df5 87397008 00000000 86d89020 NDIS!ndisCheckProtocolBindings+0x13d
f5b2adac 80a0041e 87397088 00000000 00000000 NDIS!ndisWorkerThread+0xdd
f5b2addc 8077cb86 f6f08d18 87397088 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND:  kb
FOLLOWUP_IP:
bnadimd5+2680
f4c72680 ??              ???
SYMBOL_STACK_INDEX:  6
SYMBOL_NAME:  bnadimd5+2680
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: bnadimd5
IMAGE_NAME:  bnadimd5.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  0
FAILURE_BUCKET_ID:  0xCE_W_bnadimd5+2680
BUCKET_ID:  0xCE_W_bnadimd5+2680
Followup: MachineOwner
---------
kd> .trap 0xfffffffff5b2ab80
ErrCode = 00000010
eax=f5b2ac80 ebx=87397008 ecx=00000000 edx=00000000 esi=87838334 edi=87418350
eip=f4c72680 esp=f5b2abf4 ebp=f5b2ac84 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
<unloaded_bnadimd5.sys>+0x2680:
f4c72680 ??              ???
thanks
satheesh
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
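
Added example, not part of the original thread: a small Python triage helper that reads kd STACK_TEXT like the dump posted above, finds the frame executing inside an unloaded image, and names the caller that still held a pointer into it. The function names and regexes are this example's own; the sample frames are an excerpt of the stack from the thread.

```python
import re

# Excerpt of the STACK_TEXT in this thread (ChildEBP RetAddr Args Symbol).
# Two symbols sit on their own line, the way mail clients wrap long kd output.
SAMPLE_STACK = """\
f5b2ab68 8077ad54 00000008 f4c72680 00000000 nt!MmAccessFault+0x1bd3
f5b2ab68 f4c72680 00000008 f4c72680 00000000 nt!KiTrap0E+0xe4
WARNING: Frame IP not in any known module. Following frames may be wrong.
f5b2abf0 f6f0a9d5 f5b2ac80 f5b2ac18 87838334 <unloaded_bnadimd5.sys>+0x2680
f5b2ac84 f6f0d073 87418350 8760d518 80bbf460
NDIS!ndisInitializeBinding+0x1a1
f5b2ad0c f6f15a03 87418350 87397008 87397098
NDIS!ndisCheckAdapterBindings+0xf5
f5b2adac 80a0041e 87397088 00000000 00000000 NDIS!ndisWorkerThread+0xdd
"""

FRAME = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8})(?: [0-9a-f]{8}){3}\s*(.*)$")
UNLOADED = re.compile(r"^<unloaded_(.+?)>\+0x([0-9a-f]+)$")

def parse_frames(text):
    """Return [child_ebp, ret_addr, symbol] rows, re-joining wrapped symbols."""
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FRAME.match(line)
        if m:
            frames.append([m.group(1), m.group(2), m.group(3).strip()])
        elif line and frames and not frames[-1][2] and not line.startswith("WARNING"):
            frames[-1][2] = line  # symbol wrapped onto the next line
    return frames

def find_unloaded_call(frames):
    """Locate the first frame executing in an unloaded image and its caller.

    In kd output the row below a frame is its caller, so that row names the
    component still holding a pointer into the unloaded driver.
    """
    for i, (_, _, symbol) in enumerate(frames):
        m = UNLOADED.match(symbol)
        if m:
            caller = frames[i + 1][2] if i + 1 < len(frames) else None
            return {"module": m.group(1), "offset": int(m.group(2), 16),
                    "caller": caller}
    return None

if __name__ == "__main__":
    hit = find_unloaded_call(parse_frames(SAMPLE_STACK))
    print("%(caller)s called into unloaded %(module)s at +0x%(offset)x" % hit)
```

On the thread's dump the caller is NDIS's binding path, which is the evidence behind the suggestion that a protocol registration survived an earlier unload.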