Bugcheck with RtlIsNameLegalDOS8Dot3

Hello, I have a boot start driver, and in that driver I am attempting to
handle IRP_MJ_CREATE and open requests. Part of the processing of these
requests involves checking if the file name meets certain requirements.
Unfortunately all checks must be done against the long file name only,
so I am writing some code that is attempting to expand short file paths
into long file paths. In order to do this, it is necessary to expand
each "segment" of the path separately. This is no problem, I parse the
string based on slashes, and use RtlIsNameLegalDOS8Dot3 on each one. If
the function returns true, I query the directory for the long file name.
Etc etc.

I have one particular machine on which this always, 100% of the time,
generates a bug check. !analyze -v gives this:

kd> !analyze -v

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_DATA_INPAGE_ERROR (7a)

The requested page of kernel data could not be read in. Typically caused by
a bad block in the paging file or disk controller error. Also see
KERNEL_STACK_INPAGE_ERROR.
If the error status is 0xC000000E, 0xC000009C, 0xC000009D or 0xC0000185,
it means the disk subsystem has experienced a failure.
If the error status is 0xC000009A, then it means the request failed because
a filesystem failed to make forward progress.

Arguments:
Arg1: c0202674, lock type that was held (value 1,2,3, or PTE address)
Arg2: c0000005, error status (normally i/o status code)
Arg3: 8099ddf4, current process (virtual address for lock type 3, or PTE)
Arg4: 1693d860, virtual address that could not be in-paged (or PTE contents if arg1 is a PTE address)

Debugging Details:

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
BUGCHECK_STR: 0x7a_c0000005
DEFAULT_BUCKET_ID: CODE_CORRUPTION
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from 8099fe5b to 8099ddf4
TRAP_FRAME: b80b20d8 -- (.trap ffffffffb80b20d8)

ErrCode = 00000000
eax=b80b21dc ebx=00000000 ecx=b80b217c edx=b80b21dc esi=b80b216c edi=00000000
eip=8099ddf4 esp=b80b214c ebp=b80b218c iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246

nt!RtlUpcaseUnicodeStringToCountedOemString:
8099ddf4 b5b5 mov ch,0xb5
Resetting default scope

STACK_TEXT:
b80b2148 8099fe5b b80b216c b80b21dc 00000000 nt!RtlUpcaseUnicodeStringToCountedOemString
b80b218c b806a12d b80b21dc 00000000 00000000 nt!RtlIsNameLegalDOS8Dot3+0x55
b80b21f4 b8069229 82468fa8 81738d18 72636d66 cgwfunc!ExpandPath+0x33d
b80b2250 b80681b6 b8068110 00000001 819c23a8 cgwfunc!GetBasePreAccessInfo+0x149
b80b2284 b8065e0c 81738d18 83304e00 b80b22fc cgwfunc!PreCreate+0x96
b80b22a0 b804cd3e 81738d18 83304e00 b80b22fc cgwfunc!PreFMCallback+0x5c
b80b2368 809cc57d 81725ed0 83304e00 819c23a8 cgwfiltr!FilterCreateDispatch+0x33e
b80b2398 80853648 80907bfa b80b248c 80907bfa nt!IovCallDriver+0x112
b80b23a4 80907bfa b80b254c 81fb8de8 00000000 nt!IofCallDriver+0x13
b80b248c 80902fad 81fb8e00 00000000 81a17cb8 nt!IopParseDevice+0xa35
b80b250c 80906a15 00000000 b80b254c 00000040 nt!ObpLookupObjectName+0x5a9
b80b2560 8090613b 00000000 00000000 00000000 nt!ObOpenObjectByName+0xea
b80b25dc 8092b2c2 b80b278c 00000180 b80b275c nt!IopCreateFile+0x447
b80b2638 8091bd30 b80b278c 00000180 b80b275c nt!IoCreateFile+0xa3
b80b2678 8082337b b80b278c 00000180 b80b275c nt!NtOpenFile+0x27
b80b2678 80821aed b80b278c 00000180 b80b275c nt!KiFastCallEntry+0xf8
b80b2708 b95e2c38 b80b278c 00000180 b80b275c nt!ZwOpenFile+0x11
WARNING: Stack unwind information not available. Following frames may be wrong.
b80b2784 b95e2ea3 e167e010 e2f9ec50 00000000 NAVAP+0x2cc38
b80b27ac b95bc106 816c8f88 b95bc050 b80b281c NAVAP+0x2cea3
b80b2800 b95bc34f 816c8f88 00003f80 b95bc050 NAVAP+0x6106
e22e1850 e22a1838 b95f33f0 e2330898 b95f33f4 NAVAP+0x634f
e22e1854 b95f33f0 e2330898 b95f33f4 817387b8 0xe22a1838
e22e1858 e2330898 b95f33f4 817387b8 00000001 SYMEVENT+0x3f0
e22e185c b95f33f4 817387b8 00000001 00000000 0xe2330898
e2330898 00000000 e22e1850 00000000 00000000 SYMEVENT+0x3f4

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
80827968-8082796b 4 bytes - nt!KiServiceTable+6c
[58 55 90 80:18 58 40 f8]
808279a8-808279ab 4 bytes - nt!KiServiceTable+ac (+0x40)
[62 ad 92 80:d0 57 40 f8]
808279b8-808279bb 4 bytes - nt!KiServiceTable+bc (+0x10)
[01 57 8c 80:20 9a 3f f8]
80827a28-80827a2b 4 bytes - nt!KiServiceTable+12c (+0x70)
[07 42 92 80:a8 a2 3f f8]
80827a30-80827a33 4 bytes - nt!KiServiceTable+134 (+0x08)
[7b 45 92 80:10 59 40 f8]
80827af0-80827af3 4 bytes - nt!KiServiceTable+1f4 (+0xc0)
[24 d4 92 80:94 57 40 f8]
80827b98-80827b9b 4 bytes - nt!KiServiceTable+29c (+0xa8)
[2d e2 92 80:c8 a2 3f f8]
80827be0-80827be3 4 bytes - nt!KiServiceTable+2e4 (+0x48)
[bb c2 92 80:66 58 40 f8]
80827ce4-80827ce7 4 bytes - nt!KiServiceTable+3e8 (+0x104)
[74 6c 9c 80:b0 50 40 f8]
8099d000-8099d0ab 172 bytes - nt!RtlAllocateHeapSlowly+7f3
[3d 80 00 73 2e 0f b7 c8:00 01 b5 00 49 72 70 2b]
8099d0ad-8099d0d5 41 bytes - nt!RtlAllocateHeapSlowly+8a0 (+0xad)
[00 66 89 1e f6 46 05 10:0f 7e 83 08 40 78 81 e0]
8099d0d7-8099d128 82 bytes - nt!RtlAllocateHeapSlowly+8ca (+0x2a)
[ff ff ff 50 8d 46 10 50:80 59 7c 90 80 f0 e5 89]
8099d12a-8099d13e 21 bytes - nt!RtlAllocateHeapSlowly+91d (+0x53)
[33 c9 8a 0f 0b 8d 7c ff:00 00 88 e6 89 f8 b0 6d]
8099d140-8099d1d4 149 bytes - nt!RtlAllocateHeapSlowly+933 (+0x16)
[00 89 7d ac 33 d2 39 90:18 32 7a 81 48 36 85 80]
8099d1d7-8099d1f7 33 bytes - nt!RtlAllocateHeapSlowly+9ca (+0x97)
[8b 4d dc f6 41 0c 40 74:ff 5c e7 89 f8 ad 2f 90]
8099d1f9-8099d217 31 bytes - nt!RtlAllocateHeapSlowly+9ec (+0x22)
[74 1a b8 ab ab ab ab 8b:e7 89 f8 48 0e a4 81 00]
8099d219-8099d239 33 bytes - nt!RtlAllocateHeapSlowly+a0c (+0x20)
[f6 46 05 02 0f 84 20 01:77 60 e3 00 00 f8 00 0c]
8099d23c-8099d23f 4 bytes - nt!RtlAllocateHeapSlowly+a2f (+0x23)
[c7 45 98 17:d8 16 00 e1]
8099d242-8099d24e 13 bytes - nt!RtlAllocateHeapSlowly+a35 (+0x06)
[c0 e9 9b 00 00 00 f6 46:00 00 00 7c a1 81 00 00]
8099d250-8099d25f 16 bytes - nt!RtlAllocateHeapSlowly+a43 (+0x0e)
[00 00 89 7d c8 83 c0 18:04 01 00 00 78 e7 01 00]
8099d262-8099d2cd 108 bytes - nt!RtlAllocateHeapSlowly+a55 (+0x12)
[8d 45 d8 50 57 8d 45 c8:00 00 9c e7 89 f8 40 02]
8099d2cf-8099d2df 17 bytes - nt!RtlAllocateHeapSlowly+ac2 (+0x6d)
[45 b4 8b 45 d8 89 85 6c:f8 e8 e8 89 f8 00 00 00]
8099d2e2-8099d2f0 15 bytes - nt!RtlAllocateHeapSlowly+ad5 (+0x13)
[c0 f6 45 0c 04 74 5a c7:00 00 aa 75 88 80 00 e8]
8099d2f2-8099d300 15 bytes - nt!RtlAllocateHeapSlowly+ae5 (+0x10)
[c0 83 a5 98 fe ff ff 00:00 00 80 d1 25 82 60 d1]
8099d304-8099d309 6 bytes - nt!RtlAllocateHeapSlowly+af7 (+0x12)
[83 a5 94 fe ff ff:48 0e a4 81 00 00]
8099d30b-8099d317 13 bytes - nt!RtlAllocateHeapSlowly+afe (+0x07)
[8b 45 d8 89 85 a4 fe ff:00 00 00 00 00 d4 e7 89]
8099d31a-8099d345 44 bytes - nt!RtlAllocateHeapSlowly+b0d (+0x0f)
[50 e8 7b 3d e8 ff eb 21:ff ff 88 70 82 80 98 a2]
8099d347-8099d349 3 bytes - nt!RtlAllocateHeapSlowly+b30 (+0x2d)
[83 7d a8:00 00 00]
8099d34b-8099d368 30 bytes - nt!RtlAllocateHeapSlowly+b34 (+0x04)
[74 16 8b 4d a8 33 c0 8b:00 01 00 00 00 40 00 00]
8099d36c-8099d37e 19 bytes - nt!RtlAllocateHeapSlowly+b55 (+0x21)
[8b 45 b4 e8 fa 9c e8 ff:00 00 00 00 78 e9 89 f8]
8099d380-8099d3cf 80 bytes - nt!RtlAllocateHeapSlowly+b64 (+0x14)
[74 0e 8b 45 dc 8b 88 78:00 00 00 00 c8 e8 89 f8]
8099d3d2-8099d40f 62 bytes - nt!RtlCreateHeap+536 (+0x52)
[48 45 41 50 3a 20 46 72:00 00 80 e9 89 f8 98 e9]
8099d412-8099df30 2847 bytes - nt!RtlCreateHeap+576 (+0x40)
[48 45 41 50 3a 20 46 72:00 00 90 ea a6 80 a8 64]
8099df33-8099df5a 40 bytes - nt!RtlDnsHostNameToComputerName+64 (+0xb21)
[80 75 3c 8d 45 ec 89 45:00 00 00 00 00 00 00 00]
8099df5c-8099df60 5 bytes - nt!RtlDnsHostNameToComputerName+8d (+0x29)
[c0 eb 13 ff 75:00 00 00 00 24]
8099df62-8099df7d 28 bytes - nt!RtlDnsHostNameToComputerName+93 (+0x06)
[8d 45 dc 50 56 e8 99 23:7e 83 d0 64 ec 81 00 00]
8099df7f-8099dfac 46 bytes - nt!RtlDnsHostNameToComputerName+b0 (+0x1d)
[90 cc cc cc cc cc cc 90:00 00 00 00 00 00 00 00]
8099dfae-8099dfbd 16 bytes - nt!RtlCompareString+1b (+0x2f)
[3b c1 57 89 45 fc 89 4d:00 00 00 00 00 00 00 00]
8099dfbf-8099dfff 65 bytes - nt!RtlCompareString+2c (+0x11)
[8d 1c 30 89 5d 0c 74 4a:00 00 00 00 00 00 00 00]
4090 errors : !nt (80827968-8099dfff)

MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MEMORY_CORRUPTOR: LARGE
STACK_COMMAND: .trap ffffffffb80b20d8 ; kb
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE
BUCKET_ID: MEMORY_CORRUPTION_LARGE
Followup: memory_corruption

I've run chkdsk /r which reported no errors. 50% of this smells like a
hardware bug, because it got ACCESS_VIOLATION of all things while trying
to read from the paging file. But the other 50% smells like a software
bug, because not only does the code crash in exactly the same location
every single time, but the line generating it looks like this:

    if (RtlIsNameLegalDOS8Dot3(&path, NULL, NULL))
        //Do something

Which if I change to:

    if (true)
        //Do something

The program never crashes, and it goes about merrily performing millions
of other operations successfully. One person suggested this might be an
error with the DMA Controller, so I disabled DMA for all hard drives on
the system, but the error still exists.

Does anyone have any suggestions? (Also note that while !analyze -v
reports that this code is running at DISPATCH_LEVEL, I think this may be
a case of Windows' Lazy IRQL management feature, in which it is not
reporting the correct value. If this were really at DISPATCH_LEVEL, my
code should have crashed light years earlier in the handling of
IRP_MJ_CREATE.)
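
A triage step for the output above, as an added example that is not part of the original post: it parses the !chkimg range lines and checks whether the trap-frame EIP (8099ddf4) falls inside a mismatched range, and it separates the 4-byte nt!KiServiceTable edits from the long runs. The sample lines are a subset copied from the post; the function names are this example's own.

```python
import re

# Range lines as printed by !chkimg -d: "start-end  N bytes - symbol+off"
RANGE_RE = re.compile(
    r"^\s*([0-9a-f]{8})-([0-9a-f]{8})\s+(\d+) bytes? - (\S+)", re.I)

# Subset of the !chkimg lines from the post (byte-pair lines omitted).
CHKIMG_SAMPLE = """\
80827968-8082796b 4 bytes - nt!KiServiceTable+6c
808279a8-808279ab 4 bytes - nt!KiServiceTable+ac (+0x40)
8099d000-8099d0ab 172 bytes - nt!RtlAllocateHeapSlowly+7f3
8099d3d2-8099d40f 62 bytes - nt!RtlCreateHeap+536 (+0x52)
8099d412-8099df30 2847 bytes - nt!RtlCreateHeap+576 (+0x40)
8099df33-8099df5a 40 bytes - nt!RtlDnsHostNameToComputerName+64 (+0xb21)
8099dfbf-8099dfff 65 bytes - nt!RtlCompareString+2c (+0x11)
"""

PAGE_SIZE = 0x1000  # x86 small page


def parse_chkimg(text):
    """Return [(start, end, length, symbol)] for every mismatch range."""
    out = []
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            out.append((start, end, int(m.group(3)), m.group(4)))
    return out


def range_containing(ranges, addr):
    """Mismatch range that covers addr, or None."""
    for r in ranges:
        if r[0] <= addr <= r[1]:
            return r
    return None


def pointer_sized_table_edits(ranges, table="nt!KiServiceTable"):
    """Aligned 4-byte edits inside a table, i.e. replaced table entries."""
    return [r for r in ranges
            if r[2] == 4 and r[0] % 4 == 0 and r[3].startswith(table)]


def pages_touched(ranges, min_len=16):
    """Pages holding mismatches longer than a pointer-sized patch."""
    return sorted({a & ~(PAGE_SIZE - 1)
                   for s, e, n, _ in ranges if n >= min_len
                   for a in (s, e)})
```

With the lines from the post, the faulting EIP lands in the 2847-byte mismatch, and every long run sits in the single page at 8099d000.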