Bug Check : PANIC_STACK_SWITCH (2b)

Hi Folks,

I am trying to debug a bug-check. I see a message saying my driver (DriverA) is overlapping with WUDFRd.sys (OVERLAPPED_MODULE: Address regions for ‘DriverA’ and ‘WUDFRd.sys’ overlap).

But I see DriverB's code being executed. Not sure how driverA is involved here.

Also, I see something like an interrupt storm in the stack trace. nt!KiInterruptException being executed multiple times.

Any inputs on how to debug this issue? Is my driverA causing stack overflow?

Kindly let me know.

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PANIC_STACK_SWITCH (2b)
This error indicates that the kernel mode stack was overrun. This normally
occurs when a kernel-mode driver uses too much stack space. It can also
occur when serious data corruption occurs in the kernel.
Arguments:
Arg1: 8379dde0, Trap Frame
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:

OVERLAPPED_MODULE: Address regions for ‘DriverA’ and ‘WUDFRd.sys’ overlap

TRAP_FRAME: 8379dde0 – (.trap 0xffffffff8379dde0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
r0=8d0390d0 r1=00000e01 r2=0000000e r3=0000000c r4=00000000 r5=00000000
r6=00000000 r7=00000000 r8=00000000 r9=00000000 r10=00000000 r11=8379dee4
r12=796a20cd sp=8379de68 lr=8289b5e7 pc=8291bba8 psr=600f01b3 -ZC-- Thumb
nt!KiDataAbortException+0x48:
8291bba8 9400 str r4,[sp] 8379de68=00000000
Resetting default scope

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x2B

PROCESS_NAME: System

CURRENT_IRQL: e

LAST_CONTROL_TRANSFER: from 829778d4 to 82977300

STACK_TEXT:
8379dac8 829778d4 : 00000000 8379db48 860a3380 82976fb9 : nt!KeBugCheck2+0x100
8379dd90 8291c6ce : 00000000 00000000 00000000 8281de91 : nt!KeBugCheckEx+0x14
8379dda8 8291bfda : 00000000 00000000 00000000 00000000 : nt!KiBugCheckDispatch+0x12
8379dde0 8291bba8 : 00000000 00000000 00000000 00000000 : nt!KiDataAbortPanicBugcheck+0xc2
8379de68 8289b5ee : 00000000 00000000 00000000 00000000 : nt!KiDataAbortException+0x48
8d038fb0 8289b5d2 : 00000000 00000000 00000000 00000000 : nt!KiPlayInterrupt+0x16
8d039080 8291c0ee : 00000400 0fc00300 003c0c0e 8d0390d0 : nt!KiProcessInterrupt+0x1e6
8d0390d0 8289be7c : 82a194f0 00f0c003 001e1e00 8291b6e0 : nt!KiInterruptException+0x10e
8d039270 8289bac4 : 00000000 000000e8 8281aa15 000c0201 : nt!PerfInfoLogInterrupt+0xd8
8d0392d0 8289b5d2 : 8d0392e8 00000001 8d039600 00000c02 : nt!KiPlayInterrupt+0x4ec
8d0393a0 8291c0ee : 00000082 828f5c4b 828f0a0c 8d0393f0 : nt!KiProcessInterrupt+0x1e6
8d0393f0 828213b8 : 82a194f0 8291d0d3 1ffeffff 8291b6e0 : nt!KiInterruptException+0x10e
8d039590 82872198 : 86173000 8607e090 00000000 86173000 : hal!KfRaiseIrql
8d039590 82871f4c : 86173000 8607e090 00000000 86173000 : nt!EtwpDequeueFreeBuffer+0x40
8d0395c0 8289c47e : 00000000 86173000 86084080 8607e090 : nt!EtwpSwitchBuffer+0x14
8d0395e8 8289c18e : 00400a02 00000002 00001000 00000002 : nt!EtwpReserveTraceBuffer+0x14e
8d039628 8289be5a : 00400a02 00000002 00000f43 00000002 : nt!EtwpLogKernelEvent+0x8e
8d039670 8289b968 : 00400a02 8d039000 8afdaf01 000a0500 : nt!PerfInfoLogInterrupt+0xb6
8d0396d0 8289b5d2 : 00000000 00000001 ffffff00 00000a05 : nt!KiPlayInterrupt+0x390
8d0397a0 8291c0ee : 00000088 01400b02 8d03000a 8d0397f0 : nt!KiProcessInterrupt+0x1e6
8d0397f0 8b4fbc6a : 82a194f0 8b5743c3 8b579f73 8291b6e0 : nt!KiInterruptException+0x10e
8d039990 8b4fb6e2 : 05044cab 00000006 8d0399f8 8289b5d3 : Ntfs!NtfsCommonRead+0x4ea
8d039aa0 828bc16a : 8d039ac8 95db9e08 00f8070a 00000000 : Ntfs!NtfsFsdRead+0x366
8d039c10 8b42f07a : 9a4522c8 000000e0 828bc129 00000000 : nt!IofCallDriver+0x42
8d039c28 8b42ed9e : 8d039c60 8b437eb7 00000001 8d039c68 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x21a
8d039c68 828bc16a : 95d98ad8 9a4522c8 9b6ed420 ffffffff : fltmgr!FltpDispatch+0x7e
8d039c90 828d3ade : 9a4522c8 00001fff 00000001 9a4522c8 : nt!IofCallDriver+0x42
8d039ca8 828d3982 : 95e8db98 95e8dbc0 95e8db98 95e8db80 : nt!IoPageRead+0x11a
8d039cd8 82878cca : 95e8dbb8 00000002 00000000 8d039d08 : nt!MiIssueHardFaultIO+0x4e
8d039cf8 8287b2d0 : 00001000 c2df5000 95db9e08 860a3380 : nt!MiIssueHardFault+0x10a
8d039d70 828df0a0 : 00000000 00000000 8d039d8c 8d039da8 : nt!MmAccessFault+0x20c
8d039de0 828de756 : 8d039e50 8293a94b 01401b11 c144f6d4 : nt!MmCheckCachedPageStates+0x5e0
8d039eb0 828de038 : 00000000 00000000 00000001 9a445660 : nt!CcMapAndRead+0x7e
8d039ee0 82b05932 : 8d039f0c 8d039f1c 00000000 00000000 : nt!CcPinFileData+0x410
8d039f88 8b574b6e : 00000000 00000001 8d039fa4 8d039fa8 : nt!CcPinRead+0xfa
8d03a000 8b57494a : 8d03a070 8d03a080 015b5078 00000000 : Ntfs!NtfsPinStream+0x6e
8d03a040 8b574570 : 00000078 8d03a070 8d03a080 00000000 : Ntfs!NtOfsPutData+0x352
8d03a120 8b5743c2 : 00000078 831327b8 ffffff00 00000010 : Ntfs!NtfsWriteFcbUsnRecordToJournal+0xb4
8d03a1a0 8b579f72 : 07644461 00000000 86010100 83132798 : Ntfs!NtfsWriteUsnJournalChanges+0x1ee
8d03a1f0 8b503d36 : 829f0100 83130008 00000000 00000000 : Ntfs!NtfsPostUsnChangeWithOverrideOption+0x4ca
8d03a270 8b501a6c : 00000000 00000001 8d03a290 95d98ad8 : Ntfs!NtfsCommonWrite+0x221a
8d03a3d0 828bc16a : 8d03a3ec 8d03a468 95d98a00 00000000 : Ntfs!NtfsFsdWrite+0x3d8
8d03a450 8b42f07a : 9a445008 000000e0 828bc129 00000008 : nt!IofCallDriver+0x42
8d03a468 8b42ed9e : 8d03a4a0 8b437eb7 00000001 8d03a4a8 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x21a
8d03a4a8 828bc16a : 95d98ad8 9a445008 9a444670 ffffffff : fltmgr!FltpDispatch+0x7e
8d03a4d0 82adaf4a : 9a445008 9a445008 00000000 00000001 : nt!IofCallDriver+0x42
8d03a4e8 82a742da : 00000000 00000000 00000250 000001e0 : nt!IopSynchronousServiceTail+0x11e
8d03a538 8291c640 : 00000000 00000001 00000001 00000000 : nt!NtWriteFile+0x872
8d03a5f0 8291c302 : 8d03a700 8d03a770 00000020 00000000 : nt!KiSystemService+0x100
8d03a630 9a337edc : 00000000 00000000 00000000 31324646 : nt!KiServiceInternal+0x42
8d03a6b8 9a3384b6 : 8d03a700 8d03a770 00000020 00000000 : DriverB+0xbedc
8d03b990 9a339e8c : 00000000 9a3494a8 00000000 00000000 : DriverB+0xc4b6
8d03bb28 9a33e510 : 8d030000 00000000 00000051 c0000034 : DriverB +0xde8c
8d03bba8 9a33247c : 8d03bc10 9a32dfb3 00000004 9a349024 : DriverB+0x12510
8d03bbe0 9a331738 : 00000002 00000000 00000000 829f6204 : DriverB+0x647c
8d03bc28 9a331674 : 00000000 9a414778 9a414778 9a414778 : DriverB+0x5738
8d03bc58 9a36f31a : 9a414778 00000000 00000000 9a414778 : DriverB+0x5674
8d03bc90 8adcf99c : 860a3382 00000000 64b47c78 9b4a3c98 : DriverB+0x4331a
8d03bcc8 8adceb34 : 9b607890 8d03bcf8 00000000 828bbd0d : Wdf01000!FxPkgPnp::PnpPrepareHardware+0xd0
8d03bcf0 8adcea14 : 00000000 00000008 8adcea01 00000108 : Wdf01000!FxPkgPnp::PnpEventHardwareAvailable+0x70
8d03bd18 8adce846 : 8ade0ba0 64b5c4d8 9b607630 00000108 : Wdf01000!FxPkgPnp::PnpEnterNewState+0x114
8d03bd68 8adce746 : 8d03bd78 828213b5 8282138d 00000000 : Wdf01000!FxPkgPnp::PnpProcessEventInner+0xce
8d03bda8 8add4aea : 00000000 8adce701 9b4a3e40 9b607890 : Wdf01000!FxPkgPnp::_PnpProcessEventInner+0x46
8d03bdc8 8add5c5a : 860a33ac ffff9018 860a3458 829eed38 : Wdf01000!FxEventQueue::EventQueueWorker+0x76
8d03be00 828f7b78 : 9b607540 86025568 8d03be48 828f7b79 : Wdf01000!FxWorkItemEventQueue::_WorkItemCallback+0x16
8d03be10 828f5c4a : 00000000 860a3380 829eed38 00000000 : nt!IopProcessWorkItem+0x3c
8d03be50 828f5616 : 8d03be58 00000001 9b607540 00000000 : nt!ExpWorkerThread+0x146
8d03bea0 8291d0d2 : 860a3380 8282138d 86064d00 860a3380 : nt!PspSystemThreadStartup+0xaa
8d03bec8 00000000 : 00010000 828f5b05 828f556d 00000000 : nt!KiStartSystemThread+0x12

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiDataAbortPanicBugcheck+c2
8291bfda defe __debugbreak

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: nt!KiDataAbortPanicBugcheck+c2

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4ff08840

BUCKET_ID_FUNC_OFFSET: c2

FAILURE_BUCKET_ID: ARM_0x2B_nt!KiDataAbortPanicBugcheck

BUCKET_ID: ARM_0x2B_nt!KiDataAbortPanicBugcheck

Followup: MachineOwner

Fix your symbols, please send the stack to your ecosystem pm for help at MSFT since this is arm.

d

debt from my phone


From: xxxxx@gmail.com
Sent: 7/24/2012 8:47 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Bug Check : PANIC_STACK_SWITCH (2b)

I’m not sure the OP speaks Microsoftish. ‘ecosystem’ - is that what they talk about on Natural Geographic?

Thanks Doron. So the stack doesn’t appear to be right?

xxxxx@gmail.com wrote:

I am trying to debug a bug-check. I see a message saying my driver (DriverA) is overlapping with WUDFRd.sys (OVERLAPPED_MODULE: Address regions for ‘DriverA’ and ‘WUDFRd.sys’ overlap).

But I see DriverB's code being executed. Not sure how driverA is involved here.

Also, I see something like an interrupt storm in the stack trace. nt!KiInterruptException being executed multiple times.

Any inputs on how to debug this issue? Is my driverA causing stack overflow?

The stack shows 12k bytes. Stack overflow seems like a good possibility.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
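
The stack-usage estimate in the reply above can be broken down per frame; the following is an added example, not part of the original thread, that parses kb-style STACK_TEXT rows and attributes stack bytes to each frame and module. Over the full trace the thread-stack rows run from 8d038fb0 to 8d03bec8, a span of 0x2F18 = 12,056 bytes. It assumes the first column is the frame's stack pointer (the trap frame's sp=8379de68 matches the nt!KiDataAbortException row), so a frame's size is approximated as the next row's address minus its own; MAX_FRAME is an assumed threshold for detecting a stack switch.

```python
import re
from collections import Counter

# kb-style row: <stack addr> <return addr> : <4 args> : <symbol>
ROW = re.compile(r"^([0-9a-f]{8}) [0-9a-f]{8} : (?:[0-9a-f]{8} ){4}: (.+)$")
MAX_FRAME = 0x10000  # assumption: a larger (or negative) gap means a stack switch

# Contiguous excerpt copied from the STACK_TEXT in the post above.
EXCERPT = """\
8d03a538 8291c640 : 00000000 00000001 00000001 00000000 : nt!NtWriteFile+0x872
8d03a5f0 8291c302 : 8d03a700 8d03a770 00000020 00000000 : nt!KiSystemService+0x100
8d03a630 9a337edc : 00000000 00000000 00000000 31324646 : nt!KiServiceInternal+0x42
8d03a6b8 9a3384b6 : 8d03a700 8d03a770 00000020 00000000 : DriverB+0xbedc
8d03b990 9a339e8c : 00000000 9a3494a8 00000000 00000000 : DriverB+0xc4b6
8d03bb28 9a33e510 : 8d030000 00000000 00000051 c0000034 : DriverB +0xde8c
8d03bba8 9a33247c : 8d03bc10 9a32dfb3 00000004 9a349024 : DriverB+0x12510
"""

def frame_sizes(stack_text):
    """Return [(symbol, bytes)]: bytes = next row's stack address - this row's."""
    rows = []
    for line in stack_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            # Normalise symbols such as "DriverB +0xde8c" by dropping spaces.
            rows.append((int(m.group(1), 16), m.group(2).replace(" ", "")))
    sizes = []
    for (sp, sym), (next_sp, _) in zip(rows, rows[1:]):
        delta = next_sp - sp
        if 0 < delta < MAX_FRAME:  # skip pairs that straddle two different stacks
            sizes.append((sym, delta))
    return sizes

def bytes_per_module(sizes):
    """Sum the per-frame bytes by module (the text before '!' or '+')."""
    totals = Counter()
    for sym, size in sizes:
        totals[re.split(r"[!+]", sym)[0]] += size
    return totals

if __name__ == "__main__":
    sizes = frame_sizes(EXCERPT)
    for sym, size in sorted(sizes, key=lambda s: -s[1]):
        print(f"{size:6d}  {sym}")
    print(dict(bytes_per_module(sizes)))
```

On this excerpt the DriverB+0xbedc frame alone accounts for 4,824 bytes, which is the kind of outlier (large local buffers or structures on the stack) to look for first when a thread stack is overrun.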

It IS a cool stack dump.

To translate on Doron’s behalf:

Send ALL the output from !analyze -v to your official Microsoft contact.

We’re very limited in terms of what we can talk about regarding ARM on this forum, given that most ARM information is still under NDA. There is no generally-released WDK for ARM at this time, and we make it a policy NOT to discuss confidential or proprietary intellectual property on this forum.

Peter
OSR

got it, thanks!