bugcheck 0xA win32k.sys??

Hello everybody,

I have a problem with my USB device. When I connect it for the SECOND
time I get a bugcheck 0xA.

It says that it’s not allowed to WRITE to address 0x00000004. Of course
it’s not allowed!!! But the problem is, it’s not my driver that
(directly) does it.

The wrong write action is done by win32k.sys; as far as I know it’s a
graphical driver (I don’t use it). My driver just transfers data from USB
to user applications and back.

Is there maybe a connection with win32k.sys that I don’t see, or is it
probably a fault in my driver and the debugger just points to the wrong
place???

Anyone with similar problems? Can you give me a hint in what direction
I have to search for the bug??

Thanks in advance.

Marten Lootsma

*** ERROR: Module load completed but symbols could not be loaded for win32k.sys
Probably caused by : win32k.sys ( win32k+b1e )

Followup: MachineOwner

nt!DbgBreakPointWithStatus+0x4:
804dc592 cc int 3
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804d4e9b, address which referenced memory

Debugging Details:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

MODULE_NAME: win32k

FAULTING_MODULE: 804d0000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 422511a2

WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
00000004

CURRENT_IRQL: 2

FAULTING_IP:
nt!KiDispatchInterrupt+627
804d4e9b 894204 mov [edx+0x4],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 8052bd2e to 804dc592

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
fc09c528 8052bd2e 00000003 00000004 804d4e9b nt!DbgBreakPointWithStatus+0x4
fc09c908 804da87f 0000000a 00000004 00000002 nt!KeDeregisterBugCheckReasonCallback+0x6c7
fc09c938 804d6519 00000008 00000203 bf86e5d7 nt!Kei386EoiHelper+0x2823
fc09c9a4 804d4eff ffb3b4c0 ffffffff 6e6a3dd2 nt!ZwReadFile+0x11
fc09c9c0 804d1afa ffb3b4c0 ffffffff 00000000 nt!KiDispatchInterrupt+0x68b
fc09c9f0 804dd86c 00000000 00000000 00000000 nt!FsRtlLegalAnsiCharacterArray+0x1426
fc09ca28 804dd89e 804dca0d e1807220 fc09ca5c nt!PsGetCurrentProcess+0x21d
fc09ca38 bf800b1e 811d7ca0 00000001 bf808d66 nt!PsGetCurrentProcess+0x24f
fc09ca5c bf8847e4 00000002 811c70a8 bf887742 win32k+0xb1e
fc09cd30 bf86d7dc bf9a8b00 00000001 fc09cd54 win32k+0x847e4
fc09cd40 bf8010ba bf9a8b00 fc09cd64 0071fff4 win32k+0x6d7dc
fc09cd54 804d77ec 00000000 00000022 00000000 win32k+0x10ba
fc09cd64 7c90eb93 badb0d00 0071ffec 00000000 nt!ZwYieldExecution+0xb78
00000000 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet+0x4

FOLLOWUP_IP:
win32k+b1e
bf800b1e ff15e0a798bf call dword ptr [win32k+0x18a7e0 (bf98a7e0)]

SYMBOL_STACK_INDEX: 8

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: win32k+b1e

IMAGE_NAME: win32k.sys

STACK_COMMAND: kb

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

Here’s the big hint:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

If you want the debugger to provide useful information, fix the kernel
symbols. For recent versions you can do this by typing “.symfix”.
Alternatively you can manually set the symbol path
(srv**http://msdl.microsoft.com/download/symbols). But until you have
symbols the output from the debugger is basically of no use to anyone -
including you - in analyzing the problem.

Well, except to know that you have a NULL pointer dereference.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Marten Lootsma
Sent: Saturday, August 06, 2005 6:18 AM
To: ntdev redirect
Subject: [ntdev] bugcheck 0xA win32k.sys??

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hello Tony,

My symbol path is:
D:\code\driver\projects\windows\hs3d\i386;srv*D:\websymbols*http:\msdl.microsoft.com\download\symbols

This includes the dir of my own driver and the downloaded symbols.

Isn’t that right?

Tony Mason wrote:

Here’s the big hint:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

If you want the debugger to provide useful information, fix the kernel
symbols. For recent versions you can do this by typing “.symfix”.
Alternatively you can manually set the symbol path
(srv**http://msdl.microsoft.com/download/symbols). But until you have
symbols the output from the debugger is basically of no use to anyone -
including you - in analyzing the problem.

Well, except to know that you have a NULL pointer dereference.


> My symbol path is:
> D:\code\driver\projects\windows\hs3d\i386;srv*D:\websymbols*http:\msdl.microsoft.com\download\symbols

That last doesn’t look like a valid URL to me (back slashes instead of
forward). Symsrv might handle it of course…

You’re right about the backslashes. But symsrv does indeed handle it; the
d:\websymbols dir is filled with pdb dirs. To make sure, I changed the
backslashes to forward slashes, but no change.

Now that I type this I realize this question belongs in the ‘windbg’ newsgroup.

Thanks,
Marten

Rod Widdowson wrote:

>My symbol path is:
>D:\code\driver\projects\windows\hs3d\i386;srv*D:\websymbols*http:\msdl.microsoft.com\download\symbols

That last doesn’t look like a valid URL to me (back slashes instead of
forward). Symsrv might handle it of course…

> I have a problem with my USB device. When I connect it for the SECOND
> time I get a bugcheck 0xA.

The first problem I see is your symbols don’t match your images. I need to
see REAL data, which without correct symbols doesn’t happen. I request you
fix the symbol lookup (like use the MS symbol server), reproduce the crash,
and resubmit this posting. Perhaps others are more skilled at Ouija board
debugging techniques than me…

- Jan

When I have a line like the following in the symbol path, it uses the MS
symbol server, doesn’t it?

D:\code\driver\projects\windows\hs3d\i386;srv*D:\websymbols*http://msdl.microsoft.com/download/symbols

I cleared d:\websymbols to make sure all symbols came ‘fresh’ from the
server. It looks better with the symbols now.

I included the new debug output; now it complains about ntoskrnl.exe…

But the bug is still unclear to me. Does anybody have a suggestion?

Thanks in advance

Marten

The dump this time:
*** Fatal System Error: 0x0000000a (0x00000004,0x00000002,0x00000001,0x804D4E9B)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols

Loading unloaded module list

Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {4, 2, 1, 804d4e9b}

Probably caused by : ntoskrnl.exe ( nt!KiInsertTimerTable+4e )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
804dc592 cc int 3
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804d4e9b, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000004

CURRENT_IRQL: 2

FAULTING_IP:
nt!KiInsertTimerTable+4e
804d4e9b 894204 mov [edx+0x4],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 804d4eff to 804d4e9b

TRAP_FRAME: fc8d7df8 -- (.trap fffffffffc8d7df8)
ErrCode = 00000002
eax=fb734b28 ebx=fc8d7eb0 ecx=8117b8a0 edx=00000000 esi=fb734b10 edi=80552bf8
eip=804d4e9b esp=fc8d7e6c ebp=fc8d7e74 iopl=0         nv up ei pl nz ac pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!KiInsertTimerTable+0x4e:
804d4e9b 894204           mov     [edx+0x4],eax        ds:0023:00000004=???
Resetting default scope
Resetting default scope

STACK_TEXT:
fc8d7e74 804d4eff fff0bdc0 ffffffff fc5c484a nt!KiInsertTimerTable+0x4e
fc8d7e90 804dcbe7 fff0bdc0 ffffffff fc5c6f59 nt!KiInsertTreeTimer+0x7d
fc8d7fa4 804d5378 fc5c484a 00000000 ffdff000 nt!KiTimerListExpire+0xa3
fc8d7fd0 804d4bd4 80552280 00000000 000069d8 nt!KiTimerExpiration+0xaf
fc8d7ff4 804d489e fc90f63c 00000000 00000000 nt!KiRetireDpcList+0x46
fc8d7ff8 fc90f63c 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2a
WARNING: Frame IP not in any known module. Following frames may be wrong.
804d489e 00000000 00000009 bb835675 00000128 0xfc90f63c

FOLLOWUP_IP:
nt!KiInsertTimerTable+4e
804d4e9b 894204 mov [edx+0x4],eax

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!KiInsertTimerTable+4e

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 42250ff9

STACK_COMMAND: .trap fffffffffc8d7df8 ; kb

FAILURE_BUCKET_ID: 0xA_W_nt!KiInsertTimerTable+4e

BUCKET_ID: 0xA_W_nt!KiInsertTimerTable+4e

Followup: MachineOwner

Jan Bottorff wrote:

>I have a problem with my USB device. When I connect it for the SECOND
>time I get a bugcheck 0xA.

The first problem I see is your symbols don’t match your images. I need to
see REAL data, which without correct symbols doesn’t happen. I request you
fix the symbol lookup (like use the MS symbol server), reproduce the crash,
and resubmit this posting. Perhaps others are more skilled at Ouija board
debugging techniques than me…

- Jan

Marten Lootsma wrote:

I cleared d:\websymbols to make sure all symbols came ‘fresh’ from the
server. It looks better with the symbols now.

I included the new debug output; now it complains about ntoskrnl.exe…

But the bug is still unclear to me. Does anybody have a suggestion?

You said this happens on your second invocation, right?

You’re getting a null pointer dereference during timer DPC processing.
If I had to take a wild guess, which is what lots of debugging ends up
being, I’d guess that you queued up a timer DPC and didn’t delete it
properly when your first device was removed. I’ve also seen this kind
of crash when a driver relies on a global variable, and a second
invocation starts up with the global as zero.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
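Tim’s guess describes a lifecycle bug: an object that the kernel has linked into one of its lists (here a timer) is freed together with the device extension when the first device goes away, and the second arrival trips over the stale link. What follows is an added example written for this thread, not code from the thread or from Marten’s driver: a user-mode C model with a doubly linked list in the shape of LIST_ENTRY, a device extension that embeds its timer’s linkage, and a removal path with and without the cancel. All type and function names (timer_table, dev_ext, arm_timer, cancel_timer, remove_device, check_timer_table, scenario) are stand-ins invented for the model, not kernel APIs; KeSetTimer and KeCancelTimer are the real calls arm_timer and cancel_timer stand for. Zeroing the freed extension is a modelling choice; it is consistent with, not proof of, the edx=00000000 and the write to 0x00000004 in the trap frame above.

```c
/* Added example (not from the thread or Marten's driver): a user-mode C model of
 * the failure Tim Roberts describes. Armed kernel timers sit on doubly linked
 * lists, and a driver's KTIMER usually lives inside its device extension. Free
 * the extension with the timer still linked and the list keeps a pointer into
 * dead memory. Every name here is a stand-in for this model, not a kernel API. */
#include <string.h>

typedef struct list_entry {            /* same shape as the kernel's LIST_ENTRY */
    struct list_entry *flink, *blink;
} list_entry;

typedef struct dev_ext {               /* per-device state, as a device extension */
    list_entry timer_entry;            /* stand-in for the KTIMER's list linkage */
    int armed;
} dev_ext;

static list_entry timer_table = { &timer_table, &timer_table }; /* one kernel timer list */

/* Bump allocator standing in for nonpaged pool: "freed" slots stay addressable,
 * so the corrupt list can be inspected instead of faulting. */
#define POOL_SLOTS 4
static dev_ext pool[POOL_SLOTS];
static int next_slot;

static void insert_tail(list_entry *head, list_entry *e)
{
    list_entry *last = head->blink;
    e->flink = head;
    e->blink = last;
    last->flink = e;                   /* writes into whatever `last` points at */
    head->blink = e;
}

static void remove_entry(list_entry *e)
{
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;        /* Blink sits at offset 4 on x86 */
    e->flink = e->blink = NULL;
}

static dev_ext *add_device(void)
{
    dev_ext *d = &pool[next_slot++];
    memset(d, 0, sizeof *d);
    return d;
}

static void arm_timer(dev_ext *d)      /* KeSetTimer in a real driver */
{
    if (d->armed) return;
    insert_tail(&timer_table, &d->timer_entry);
    d->armed = 1;
}

static void cancel_timer(dev_ext *d)   /* KeCancelTimer in a real driver */
{
    if (!d->armed) return;
    remove_entry(&d->timer_entry);
    d->armed = 0;
}

/* Device removal. With cancel_first == 0 the extension is freed while its timer
 * is still linked, the mistake the thread diagnoses. Freed memory is zeroed to
 * model reuse, so the stale LIST_ENTRY reads back as NULL links. */
static void remove_device(dev_ext *d, int cancel_first)
{
    if (cancel_first) cancel_timer(d);
    memset(d, 0, sizeof *d);
}

/* Validate the timer list: 0 consistent; 1 a NULL link, where kernel code would
 * write through offset 0 or 4 of a NULL pointer; 2 links that disagree. */
static int check_timer_table(void)
{
    list_entry *e = timer_table.flink;
    for (int steps = 0; e != &timer_table && steps <= POOL_SLOTS; steps++) {
        if (e == NULL || e->flink == NULL || e->blink == NULL) return 1;
        if (e->flink->blink != e || e->blink->flink != e) return 2;
        e = e->flink;
    }
    return e == &timer_table ? 0 : 2;
}

/* Plug in, remove, plug in again (Marten's "SECOND time"); 0 only if removal
 * cancelled the timer first. */
static int scenario(int cancel_on_remove)
{
    timer_table.flink = timer_table.blink = &timer_table;
    next_slot = 0;
    dev_ext *first = add_device();
    arm_timer(first);
    remove_device(first, cancel_on_remove);
    arm_timer(add_device());
    return check_timer_table();
}
```

scenario(1) returns 0 (the list is intact after the second device arms its timer) and scenario(0) returns 1 (the walk hits a NULL link left behind by the freed extension). In a real WDM driver the corresponding remove-time checklist is: KeCancelTimer every timer the device extension owns, KeFlushQueuedDpcs so a DPC already queued finishes before the extension is freed, and keep that state in the per-device extension rather than in globals, which is Tim’s second point.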

Hello Tim,

Your ‘wild’ guess was correct! Thank you very much.

Thanks to EVERYBODY who gave advice, I learn a lot here.

Marten

Tim Roberts wrote:

You said this happens on your second invocation, right?

You’re getting a null pointer dereference during timer DPC processing.
If I had to take a wild guess, which is what lots of debugging ends up
being, I’d guess that you queued up a timer DPC and didn’t delete it
properly when your first device was removed. I’ve also seen this kind
of crash when a driver relies on a global variable, and a second
invocation starts up with the global as zero.