I have created a volume device object and set the I/O mode to direct I/O.
I mounted that device object by sending
IOCTL_MOUNTMGR_VOLUME_ARRIVAL_NOTIFICATION to the mount manager. The volume is
backed by a file: whenever a read or write IRP comes, I just read from or
write to that file. Before reading or writing, I append the IRP to a queue
and return STATUS_PENDING from the read/write dispatch routine. A
separate thread then removes the IRP from the queue, processes the IRP and
completes the IRP.
Now I have encountered a crash: page fault in non-paged area. I have
observed this crash only once in a long time. I have appended the bug analysis. I have
analysed that some other thread of the System process was executing my volume
driver's read routine for processing queued IRPs and a context switch occurred
while executing IoCompleteRequest. I am posting this bug on ntfsd because the
file system driver is just above the volume driver, so I feel this group is
more appropriate for this bug.

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: de800000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80882613, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
READ_ADDRESS: de800000
FAULTING_IP:
nt!memmove+33
80882613 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: System
CURRENT_IRQL: 1
TRAP_FRAME: f78be804 -- (.trap fffffffff78be804)
ErrCode = 00000000
eax=de7c00c0 ebx=00000000 ecx=3fff0030 edx=00000002 esi=de7ffffe edi=de7fabf8
eip=80882613 esp=f78be878 ebp=f78be880 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!memmove+0x33:
80882613 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
es:0023:de7fabf8=00000000 ds:0023:de7ffffe=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 8085ecf1 to 80827c63
STACK_TEXT:
f78be774 8085ecf1 00000050 de800000 00000000 nt!KeBugCheckEx+0x1b
f78be7ec 8088c798 00000000 de800000 00000000 nt!MmAccessFault+0xb25
f78be7ec 80882613 00000000 de800000 00000000 nt!KiTrap0E+0xdc
f78be880 f71ccfab de7c00c0 de7c54c6 ffffabfa nt!memmove+0x33
WARNING: Stack unwind information not available. Following frames may be wrong.
f78be89c f7214262 de7c00c0 de7c0000 85773ed8 Ntfs+0x3efab
f78be938 f7214bb1 85f64788 858707f8 cfa0a9b8 Ntfs+0x86262
f78bea20 f71f7e1f 85f64788 858707f8 026c15b8 Ntfs+0x86bb1
f78beacc f71b4a54 85f64788 858707f8 f78becd7 Ntfs+0x69e1f
f78becf0 f71b4098 85f64788 8740ced8 85f64788 Ntfs+0x26a54
f78bed80 80880441 85f64788 00000000 86b12020 Ntfs+0x26098
f78bed80 80880441 85f64788 00000000 86b12020 nt!ExpWorkerThread+0xeb
f78bedac 80949b7c 85f64788 00000000 00000000 nt!ExpWorkerThread+0xeb
f78beddc 8088e062 80880356 00000000 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiTrap0E+dc
8088c798 85c0 test eax,eax
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!KiTrap0E+dc
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 45d69710
FAILURE_BUCKET_ID: 0x50_VRF_nt!KiTrap0E+dc
BUCKET_ID: 0x50_VRF_nt!KiTrap0E+dc
Followup: MachineOwner
--
Regards
Rohit Gauba