Fatal system error - RemoveHeadList how do think?

I have a problem with RemoveHeadList.

BSOD dump is here.

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0xBE

CURRENT_IRQL: 2

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre

TRAP_FRAME: fffff88005848390 -- (.trap 0xfffff88005848390)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff80002f074a0 rbx=0000000000000000 rcx=fffff88003817060
rdx=fffffa80029b2240 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880038138e8 rsp=fffff88005848520 rbp=fffff880058486b0
r8=fffff80002f074a0 r9=0000000000000003 r10=0000000000000000
r11=fffff88005848180 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
msnmntr!RemoveHeadList+0x78:
fffff880038138e8 48894808 mov qword ptr [rax+8],rcx ds:fffff80002f074a8=9090909090909090
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80002d79a12 to fffff80002c809f0

STACK_TEXT:
fffff88005847ab8 fffff80002d79a12 : fffff80002f074a8 fffffa8002f23060 0000000000000065 fffff80002cc3878 : nt!RtlpBreakWithStatusInstruction
fffff88005847ac0 fffff80002d7a7fe : fffff88000000003 0000000000000000 fffff80002cc4120 fffff88005848120 : nt!KiBugCheckDebugBreak+0x12
fffff88005847b20 fffff80002c88cc4 : 0000000000000000 0000000000000000 0000000000000000 fffff80002e18588 : nt!KeBugCheck2+0x71e
fffff880058481f0 fffff80002d0514b : 00000000000000be fffff80002f074a8 0e60000002f07121 fffff88005848390 : nt!KeBugCheckEx+0x104
fffff88005848230 fffff80002c86cee : fffffa80029b2240 fffff80002f074a0 0000000000000003 fffffa80037b2e70 : nt! ?? ::FNODOBFM::string'+0x4333b
fffff88005848390 fffff880038138e8 : fffff88003817060 fffffa80029b2240 fffff80002f074a0 0000057ffc84d188 : nt!KiPageFault+0x16e
fffff88005848520 fffff8800381365f : fffff88003817060 fffff88003817060 fffffa80029b2240 0000000000000003 : msnmntr!RemoveHeadList+0x78 [c:\program files (x86)\windows kits\8.1\include\km\wdm.h @ 9564]
fffff88005848560 fffff88003813b01 : fffffa8002e3a040 0000000000000830 fffff88005848640 fffff88005848650 : msnmntr!MonitorSendNetworEventToUserApp+0x8f
fffff88005848600 fffff88000e2fb7c : 0000057ffd5b8b88 0000057ffc84d188 0000000000000830 0000000000000000 : msnmntr!MonitorEvtDeviceControl+0x111
fffff88005848670 fffff88000e2f1ff : fffffa8002a47400 fffffa8000000000 fffffa8002a47470 fffffa8002a4b228 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x488
fffff880058486f0 fffff88000e3a2fb : fffffa8002a512f0 fffffa80037b2e00 0000000000000000 fffffa80037b2e70 : Wdf01000!FxIoQueue::DispatchEvents+0x66f
fffff88005848770 fffff88000e3051a : fffffa8002a51200 fffffa80037b2e70 fffffa800380b5f0 fffff88005848850 : Wdf01000!FxIoQueue::QueueRequest+0x2ab
fffff880058487e0 fffff88000e2c79a : fffffa80037b2e70 fffffa800380b5f0 fffff88005848b60 fffffa800380b5f0 : Wdf01000!FxPkgIo::Dispatch+0x4da
fffff88005848850 fffff88000e2c866 : fffffa800380b5f0 fffff88005848b60 fffffa8002a47060 0000000000000001 : Wdf01000!FxDevice::Dispatch+0x19a
fffff88005848890 fffff80002fa53a7 : fffffa80037702e0 fffff88005848b60 fffffa80037702e0 fffffa800380b5f0 : Wdf01000!FxDevice::DispatchWithLock+0xa6
fffff880058488d0 fffff80002fa5c06 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x607
fffff88005848a00 fffff80002c87e53 : fffffa8001c8c700 0000000000000001 0000000000001f80 0000000000000000 : nt!NtDeviceIoControlFile+0x56
fffff88005848a70 0000000077a7132a : 000007fefd979af9 cccccccccccccccc cccccccccccccccc cccccccccccccccc : nt!KiSystemServiceCopyEnd+0x13
00000000042aedd8 000007fefd979af9 : cccccccccccccccc cccccccccccccccc cccccccccccccccc cccccccccccccccc : ntdll!ZwDeviceIoControlFile+0xa
00000000042aede0 000000007781683f : 000000000012000c 000000013fb97000 cccccccccccccccc cccccccccccccccc : KERNELBASE!DeviceIoControl+0x75
00000000042aee50 000000013f0fa758 : 0000000000000000 0000000000000003 0000000000000000 0000000000000000 : kernel32!DeviceIoControlImplementation+0x7f
00000000042aeea0 0000000000000000 : 0000000000000003 0000000000000000 0000000000000000 00000000`042aef40 : PCMonitor!CNetworkMon::GetNetworkEventFromKernel+0x518

STACK_COMMAND: kb

FOLLOWUP_IP:
msnmntr!RemoveHeadList+78 [c:\program files (x86)\windows kits\8.1\include\km\wdm.h @ 9564]
fffff880`038138e8 48894808 mov qword ptr [rax+8],rcx

FAULTING_SOURCE_LINE: c:\program files (x86)\windows kits\8.1\include\km\wdm.h

FAULTING_SOURCE_FILE: c:\program files (x86)\windows kits\8.1\include\km\wdm.h

FAULTING_SOURCE_LINE_NUMBER: 9564

FAULTING_SOURCE_CODE:
9560: (PVOID)NextEntry);
9561: }
9562:
9563: ListHead->Flink = NextEntry;

9564: NextEntry->Blink = ListHead;
9565:
9566: return Entry;
9567: }
9568:
9569: FORCEINLINE

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: msnmntr!RemoveHeadList+78

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: msnmntr

IMAGE_NAME: msnmntr.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 539020ba

FAILURE_BUCKET_ID: X64_0xBE_msnmntr!RemoveHeadList+78

BUCKET_ID: X64_0xBE_msnmntr!RemoveHeadList+78

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:x64_0xbe_msnmntr!removeheadlist+78

FAILURE_ID_HASH: {c13b7753-0c9b-c33d-1abc-c7489eb3ce72}

Followup: MachineOwner

Before KiPageFault and KeBugCheckEx, my driver calls RemoveHeadList;
at that point the BSOD occurs.

msnmntr!RemoveHeadList+0x78:
fffff880038138e8 48894808 mov qword ptr [rax+8],rcx ds:fffff80002f074a8=9090909090909090

Internal code in RemoveHeadList():

Entry = ListHead->Flink;
..
if ((Entry->Blink != ListHead) || (NextEntry->Blink != Entry)) {

The comparison routine is here. Now I understand:
when I access Entry->Blink on an empty entry, the BSOD occurs because ListHead (flowContextList)->Flink does not exist.

The function MonitorSendNetworkEventToUserApp is here.

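/*
 * Dequeue the oldest FLOW_DATA from the global flowContextList and copy its
 * fields into the caller-supplied NETWORK_EVENT.
 *
 * Parameters:
 *   networkEvent - destination record; in the posted stack it comes from the
 *                  IOCTL path (MonitorEvtDeviceControl).
 * Returns:
 *   STATUS_SUCCESS           - one entry was dequeued, copied and freed.
 *   STATUS_INVALID_PARAMETER - networkEvent is NULL or the list is empty.
 *
 * Ownership: the FLOW_DATA is unlinked under flowContextListLock and from then
 * on belongs to this function alone; it is freed before returning.
 */
NTSTATUS MonitorSendNetworEventToUserApp(Inout PNETWORK_EVENT networkEvent)
{
    KLOCK_QUEUE_HANDLE lockHandle;
    FLOW_DATA *flowContext = NULL;
    LIST_ENTRY *entry;

    if (networkEvent == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    /* Keep the critical section to the list manipulation only. Producers
     * insert with InsertTailList(&flowContextList, &flowContext->listEntry)
     * and must take this same lock, otherwise the links read by
     * RemoveHeadList below can be stale or already freed. */
    KeAcquireInStackQueuedSpinLock(&flowContextListLock, &lockHandle);

    if (!IsListEmpty(&flowContextList)) {
        /* %p: the arguments are 64-bit pointers; %x would consume only
         * 32 bits and misread the remaining varargs. */
        DbgPrint("1flowContextList.Blink : %p, flowContextList.Flink : %p \n",
                 flowContextList.Blink, flowContextList.Flink);

        entry = RemoveHeadList(&flowContextList);
        flowContext = CONTAINING_RECORD(entry, FLOW_DATA, listEntry);

        /* Point the detached entry at itself so a second, erroneous
         * RemoveEntryList on it cannot corrupt flowContextList. */
        InitializeListHead(&flowContext->listEntry);

        DbgPrint("2flowContextList.Blink : %p, flowContextList.Flink : %p \n",
                 flowContextList.Blink, flowContextList.Flink);
    }

    KeReleaseInStackQueuedSpinLock(&lockHandle);

    if (flowContext == NULL) {
        /* Nothing queued for user mode. */
        return STATUS_INVALID_PARAMETER;
    }

    /* The entry is exclusively owned now, so the copy and the free do not
     * need to run under the spin lock. */
    networkEvent->inoutBound = flowContext->inoutBound;
    networkEvent->ipProto = flowContext->ipProto;
    networkEvent->localAddr = flowContext->localAddressV4;
    networkEvent->localPort = flowContext->localPort;
    networkEvent->remoteAddr = flowContext->remoteAddressV4;
    networkEvent->remotePort = flowContext->remotePort;
    networkEvent->processId = flowContext->processId;
    /* NOTE(review): 1024 must be no larger than both procPath and
     * processPath; if they are fixed arrays, sizeof(networkEvent->procPath)
     * is the safer bound -- confirm the declarations. */
    RtlCopyBytes(networkEvent->procPath, flowContext->processPath, 1024);
    networkEvent->time = flowContext->time;
    networkEvent->dataSize = flowContext->dataSize;

    /* NOTE(review): if any other component still holds a pointer to this
     * FLOW_DATA (for example a WFP flow-delete callback), freeing it here is
     * a use-after-free that would surface as the corrupted Flink seen in the
     * posted dump -- confirm there is exactly one owner. */
    ExFreePool(flowContext);

    return STATUS_SUCCESS;
}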

But the faulting source line in the dump does not match my supposition.

FAULTING_SOURCE_CODE:
9560: (PVOID)NextEntry);
9561: }
9562:
9563: ListHead->Flink = NextEntry;

9564: NextEntry->Blink = ListHead;
9565:
9566: return Entry;
9567: }
9568:
9569: FORCEINLINE

I think that if ListHead->Flink = NextEntry succeeds, then NextEntry->Blink = ListHead must succeed too.
What am I missing? Here is the RemoveHeadList function from wdm.h:

/*
 * wdm.h (WDK 8.1) as quoted in this thread: unlink and return the first
 * entry after ListHead. The caller must hold whatever lock guards the list
 * and must have checked IsListEmpty() first -- on an empty list Flink is the
 * head itself, so the head would be returned as if it were an element.
 */
FORCEINLINE
PLIST_ENTRY
RemoveHeadList(
Inout PLIST_ENTRY ListHead
)

{

PLIST_ENTRY Entry;
PLIST_ENTRY NextEntry;

Entry = ListHead->Flink;

#if DBG

RtlpCheckListEntry(ListHead);

#endif

/* Everything up to and including the consistency check only READS the
 * three entries; the first write is the ListHead->Flink store below. */
NextEntry = Entry->Flink;
if ((Entry->Blink != ListHead) || (NextEntry->Blink != Entry)) {
FatalListEntryError((PVOID)ListHead,
(PVOID)Entry,
(PVOID)NextEntry);
}

ListHead->Flink = NextEntry;
/* wdm.h line 9564 -- the store that trapped in the posted dump:
 * mov qword ptr [rax+8],rcx with rax = NextEntry = fffff80002f074a0 and
 * rcx = ListHead = fffff88003817060, bugcheck 0xBE
 * (ATTEMPTED_WRITE_TO_READONLY_MEMORY). The dump shows [rax+8] holding
 * 9090909090909090, a non-canonical value that cannot have equalled Entry
 * (Entry was dereferenced successfully a few lines above), so the check
 * above evidently did not stop execution in this build.
 * NOTE(review): confirm what FatalListEntryError does on the target OS. */
NextEntry->Blink = ListHead;

return Entry;
}

Just some thoughts...

Consider using an ordinary spinlock instead of queued spinlock - at least
until you have this basic issue sorted out.

Add ASSERT after RemoveHeadList:

ASSERT( entry != &flowContextListEntry );

To protect against double removes add this code after RemoveHeadList:

InitializeListHead(&flowContext->listEntry);

Ensure that the code used to insert an entry into the list is protected by the same
spinlock.

You are certainly having a hard time with linked lists, locking and multiple
processors.

Good luck,

Thomas F. Divine
http://www.pcausa.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Thursday, June 5, 2014 7:33 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Fatal system error - RemoveHeadList how do think?

i have some problem about RemoveHeadList.

BSOD dump is here.

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0xBE

CURRENT_IRQL: 2

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre

TRAP_FRAME: fffff88005848390 -- (.trap 0xfffff88005848390)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff80002f074a0 rbx=0000000000000000 rcx=fffff88003817060
rdx=fffffa80029b2240 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880038138e8 rsp=fffff88005848520 rbp=fffff880058486b0
r8=fffff80002f074a0 r9=0000000000000003 r10=0000000000000000
r11=fffff88005848180 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
msnmntr!RemoveHeadList+0x78:
fffff880038138e8 48894808 mov qword ptr [rax+8],rcx ds:fffff80002f074a8=9090909090909090
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80002d79a12 to fffff80002c809f0

STACK_TEXT:
fffff88005847ab8 fffff80002d79a12 : fffff80002f074a8 fffffa8002f23060
0000000000000065 fffff80002cc3878 : nt!RtlpBreakWithStatusInstruction
fffff88005847ac0 fffff80002d7a7fe : fffff88000000003 0000000000000000
fffff80002cc4120 fffff88005848120 : nt!KiBugCheckDebugBreak+0x12
fffff88005847b20 fffff80002c88cc4 : 0000000000000000 0000000000000000
0000000000000000 fffff80002e18588 : nt!KeBugCheck2+0x71e
fffff880058481f0 fffff80002d0514b : 00000000000000be fffff80002f074a8
0e60000002f07121 fffff88005848390 : nt!KeBugCheckEx+0x104
fffff88005848230 fffff80002c86cee : fffffa80029b2240 fffff80002f074a0
0000000000000003 fffffa80037b2e70 : nt! ?? ::FNODOBFM::string'+0x4333b fffff88005848390 fffff880038138e8 : fffff88003817060 fffffa80029b2240 fffff80002f074a0 0000057ffc84d188 : nt!KiPageFault+0x16e fffff88005848520 fffff8800381365f : fffff88003817060 fffff88003817060 fffffa80029b2240 0000000000000003 : msnmntr!RemoveHeadList+0x78 [c:\program files (x86)\windows kits\8.1\include\km\wdm.h @ 9564] fffff88005848560 fffff88003813b01 : fffffa8002e3a040 0000000000000830 fffff88005848640 fffff88005848650 : msnmntr!MonitorSendNetworEventToUserApp+0x8f fffff88005848600 fffff88000e2fb7c : 0000057ffd5b8b88 0000057ffc84d188 0000000000000830 0000000000000000 : msnmntr!MonitorEvtDeviceControl+0x111 fffff88005848670 fffff88000e2f1ff : fffffa8002a47400 fffffa8000000000 fffffa8002a47470 fffffa8002a4b228 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x488 fffff880058486f0 fffff88000e3a2fb : fffffa8002a512f0 fffffa80037b2e00 0000000000000000 fffffa80037b2e70 : Wdf01000!FxIoQueue::DispatchEvents+0x66f fffff88005848770 fffff88000e3051a : fffffa8002a51200 fffffa80037b2e70 fffffa800380b5f0 fffff88005848850 : Wdf01000!FxIoQueue::QueueRequest+0x2ab fffff880058487e0 fffff88000e2c79a : fffffa80037b2e70 fffffa800380b5f0 fffff88005848b60 fffffa800380b5f0 : Wdf01000!FxPkgIo::Dispatch+0x4da fffff88005848850 fffff88000e2c866 : fffffa800380b5f0 fffff88005848b60 fffffa8002a47060 0000000000000001 : Wdf01000!FxDevice::Dispatch+0x19a fffff88005848890 fffff80002fa53a7 : fffffa80037702e0 fffff88005848b60 fffffa80037702e0 fffffa800380b5f0 : Wdf01000!FxDevice::DispatchWithLock+0xa6 fffff880058488d0 fffff80002fa5c06 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x607 fffff88005848a00 fffff80002c87e53 : fffffa8001c8c700 0000000000000001 0000000000001f80 0000000000000000 : nt!NtDeviceIoControlFile+0x56 fffff88005848a70 0000000077a7132a : 000007fefd979af9 cccccccccccccccc cccccccccccccccc cccccccccccccccc : nt!KiSystemServiceCopyEnd+0x13 00000000042aedd8 
000007fefd979af9 : cccccccccccccccc cccccccccccccccc cccccccccccccccc cccccccccccccccc : ntdll!ZwDeviceIoControlFile+0xa 00000000042aede0 000000007781683f : 000000000012000c 000000013fb97000 cccccccccccccccc cccccccccccccccc : KERNELBASE!DeviceIoControl+0x75 00000000042aee50 000000013f0fa758 : 0000000000000000 0000000000000003 0000000000000000 0000000000000000 : kernel32!DeviceIoControlImplementation+0x7f 00000000042aeea0 0000000000000000 : 0000000000000003 0000000000000000 0000000000000000 00000000`042aef40 :
PCMonitor!CNetworkMon::GetNetworkEventFromKernel+0x518

STACK_COMMAND: kb

FOLLOWUP_IP:
msnmntr!RemoveHeadList+78 [c:\program files (x86)\windows
kits\8.1\include\km\wdm.h @ 9564]
fffff880`038138e8 48894808 mov qword ptr [rax+8],rcx

FAULTING_SOURCE_LINE: c:\program files (x86)\windows
kits\8.1\include\km\wdm.h

FAULTING_SOURCE_FILE: c:\program files (x86)\windows
kits\8.1\include\km\wdm.h

FAULTING_SOURCE_LINE_NUMBER: 9564

FAULTING_SOURCE_CODE:
9560: (PVOID)NextEntry);
9561: }
9562:
9563: ListHead->Flink = NextEntry;

9564: NextEntry->Blink = ListHead;
9565:
9566: return Entry;
9567: }
9568:
9569: FORCEINLINE

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: msnmntr!RemoveHeadList+78

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: msnmntr

IMAGE_NAME: msnmntr.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 539020ba

FAILURE_BUCKET_ID: X64_0xBE_msnmntr!RemoveHeadList+78

BUCKET_ID: X64_0xBE_msnmntr!RemoveHeadList+78

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:x64_0xbe_msnmntr!removeheadlist+78

FAILURE_ID_HASH: {c13b7753-0c9b-c33d-1abc-c7489eb3ce72}

Followup: MachineOwner

before KiPageFault and BugCheckEx, my dirver call RemoveHeadList at this
time BSOD has up!

msnmntr!RemoveHeadList+0x78:
fffff880038138e8 48894808 mov qword ptr [rax+8],rcx ds:fffff80002f074a8=9090909090909090

inter code in RemoveListHead()

Entry = ListHead->Flink;
..
if ((Entry->Blink != ListHead) || (NextEntry->Blink != Entry)) {

compare rutine is here. now i understand when i access empty Entry->Blink,
the BSOD is up because of ListHead(flowcontextlist)->Flink are not exist

the function MonitorSendNetworkEventToUserApp is here.

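/*
 * Dequeue the oldest FLOW_DATA from the global flowContextList and copy its
 * fields into the caller-supplied NETWORK_EVENT.
 *
 * Parameters:
 *   networkEvent - destination record; in the posted stack it comes from the
 *                  IOCTL path (MonitorEvtDeviceControl).
 * Returns:
 *   STATUS_SUCCESS           - one entry was dequeued, copied and freed.
 *   STATUS_INVALID_PARAMETER - networkEvent is NULL or the list is empty.
 *
 * Ownership: the FLOW_DATA is unlinked under flowContextListLock and from then
 * on belongs to this function alone; it is freed before returning.
 */
NTSTATUS MonitorSendNetworEventToUserApp(Inout PNETWORK_EVENT networkEvent)
{
    KLOCK_QUEUE_HANDLE lockHandle;
    FLOW_DATA *flowContext = NULL;
    LIST_ENTRY *entry;

    if (networkEvent == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    /* Keep the critical section to the list manipulation only. Producers
     * insert with InsertTailList(&flowContextList, &flowContext->listEntry)
     * and must take this same lock, otherwise the links read by
     * RemoveHeadList below can be stale or already freed. */
    KeAcquireInStackQueuedSpinLock(&flowContextListLock, &lockHandle);

    if (!IsListEmpty(&flowContextList)) {
        /* %p: the arguments are 64-bit pointers; %x would consume only
         * 32 bits and misread the remaining varargs. */
        DbgPrint("1flowContextList.Blink : %p, flowContextList.Flink : %p \n",
                 flowContextList.Blink, flowContextList.Flink);

        entry = RemoveHeadList(&flowContextList);
        flowContext = CONTAINING_RECORD(entry, FLOW_DATA, listEntry);

        /* Point the detached entry at itself so a second, erroneous
         * RemoveEntryList on it cannot corrupt flowContextList. */
        InitializeListHead(&flowContext->listEntry);

        DbgPrint("2flowContextList.Blink : %p, flowContextList.Flink : %p \n",
                 flowContextList.Blink, flowContextList.Flink);
    }

    KeReleaseInStackQueuedSpinLock(&lockHandle);

    if (flowContext == NULL) {
        /* Nothing queued for user mode. */
        return STATUS_INVALID_PARAMETER;
    }

    /* The entry is exclusively owned now, so the copy and the free do not
     * need to run under the spin lock. */
    networkEvent->inoutBound = flowContext->inoutBound;
    networkEvent->ipProto = flowContext->ipProto;
    networkEvent->localAddr = flowContext->localAddressV4;
    networkEvent->localPort = flowContext->localPort;
    networkEvent->remoteAddr = flowContext->remoteAddressV4;
    networkEvent->remotePort = flowContext->remotePort;
    networkEvent->processId = flowContext->processId;
    /* NOTE(review): 1024 must be no larger than both procPath and
     * processPath; if they are fixed arrays, sizeof(networkEvent->procPath)
     * is the safer bound -- confirm the declarations. */
    RtlCopyBytes(networkEvent->procPath, flowContext->processPath, 1024);
    networkEvent->time = flowContext->time;
    networkEvent->dataSize = flowContext->dataSize;

    /* NOTE(review): if any other component still holds a pointer to this
     * FLOW_DATA (for example a WFP flow-delete callback), freeing it here is
     * a use-after-free that would surface as the corrupted Flink seen in the
     * posted dump -- confirm there is exactly one owner. */
    ExFreePool(flowContext);

    return STATUS_SUCCESS;
}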

but dump faulting source is not my supposition.

FAULTING_SOURCE_CODE:
9560: (PVOID)NextEntry);
9561: }
9562:
9563: ListHead->Flink = NextEntry;

9564: NextEntry->Blink = ListHead;
9565:
9566: return Entry;
9567: }
9568:
9569: FORCEINLINE

i think if ListHead->Flink = NextEntry is correct then NextEntry->Blist =
ListHead must be correct.
what i miss? here are RemoveHeadList function in wdm.h

/*
 * wdm.h (WDK 8.1) as quoted in this thread: unlink and return the first
 * entry after ListHead. The caller must hold whatever lock guards the list
 * and must have checked IsListEmpty() first -- on an empty list Flink is the
 * head itself, so the head would be returned as if it were an element.
 */
FORCEINLINE
PLIST_ENTRY
RemoveHeadList(
Inout PLIST_ENTRY ListHead
)

{

PLIST_ENTRY Entry;
PLIST_ENTRY NextEntry;

Entry = ListHead->Flink;

#if DBG

RtlpCheckListEntry(ListHead);

#endif

/* Everything up to and including the consistency check only READS the
 * three entries; the first write is the ListHead->Flink store below. */
NextEntry = Entry->Flink;
if ((Entry->Blink != ListHead) || (NextEntry->Blink != Entry)) {
FatalListEntryError((PVOID)ListHead,
(PVOID)Entry,
(PVOID)NextEntry);
}

ListHead->Flink = NextEntry;
/* wdm.h line 9564 -- the store that trapped in the posted dump:
 * mov qword ptr [rax+8],rcx with rax = NextEntry = fffff80002f074a0 and
 * rcx = ListHead = fffff88003817060, bugcheck 0xBE
 * (ATTEMPTED_WRITE_TO_READONLY_MEMORY). The dump shows [rax+8] holding
 * 9090909090909090, a non-canonical value that cannot have equalled Entry
 * (Entry was dereferenced successfully a few lines above), so the check
 * above evidently did not stop execution in this build.
 * NOTE(review): confirm what FatalListEntryError does on the target OS. */
NextEntry->Blink = ListHead;

return Entry;
}



While queued spinlocks might not give you any performance improvement, it
isn’t like they don’t work.

Mark Roddy

On Thu, Jun 5, 2014 at 9:01 AM, Thomas F. Divine wrote:

> Just some thoughts…
>
> Consider using an ordinary spinlock instead of queued spinlock - at least
> until you have this basic issue sorted out.
>
> Add ASSERT after RemoveHeadList:
>
> ASSERT( entry != &flowContextListEntry );
>
> To protect against double removes add this code after RemoveHeadList:
>
> InitializeListHead(&flowContext->listEntry);
>
> Insure that the code used to insert entry into list is protected by the
> same
> spinlock.
>
> You are certainly having a hard time with linked lists, locking and
> multiple
> processors.
>
> Good luck,
>
> Thomas F. Divine
> http://www.pcausa.com
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> xxxxx@gmail.com
> Sent: Thursday, June 5, 2014 7:33 AM
> To: Windows System Software Devs Interest List
> Subject: [ntdev] Fatal system error - RemoveHeadList how do think?
>
> i have some problem about RemoveHeadList.
>
> BSOD dump is here.
>
> DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
>
> BUGCHECK_STR: 0xBE
>
> CURRENT_IRQL: 2
>
> ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre
>
> TRAP_FRAME: fffff88005848390 – (.trap 0xfffff88005848390)
> NOTE: The trap frame does not contain all registers.
> Some register values may be zeroed or incorrect.
> rax=fffff80002f074a0 rbx=0000000000000000 rcx=fffff88003817060
> rdx=fffffa80029b2240 rsi=0000000000000000 rdi=0000000000000000
> rip=fffff880038138e8 rsp=fffff88005848520 rbp=fffff880058486b0
> r8=fffff80002f074a0 r9=0000000000000003 r10=0000000000000000
> r11=fffff88005848180 r12=0000000000000000 r13=0000000000000000
> r14=0000000000000000 r15=0000000000000000
> iopl=0 nv up ei ng nz na po nc
> msnmntr!RemoveHeadList+0x78:
> fffff880038138e8 48894808 mov qword ptr [rax+8],rcx
> ds:fffff80002f074a8=9090909090909090
> Resetting default scope
>
> LAST_CONTROL_TRANSFER: from fffff80002d79a12 to fffff80002c809f0
>
> STACK_TEXT:
> fffff88005847ab8 fffff80002d79a12 : fffff80002f074a8 fffffa8002f23060
> 0000000000000065 fffff80002cc3878 : nt!RtlpBreakWithStatusInstruction
> fffff88005847ac0 fffff80002d7a7fe : fffff88000000003 0000000000000000
> fffff80002cc4120 fffff88005848120 : nt!KiBugCheckDebugBreak+0x12
> fffff88005847b20 fffff80002c88cc4 : 0000000000000000 0000000000000000
> 0000000000000000 fffff80002e18588 : nt!KeBugCheck2+0x71e
> fffff880058481f0 fffff80002d0514b : 00000000000000be fffff80002f074a8
> 0e60000002f07121 fffff88005848390 : nt!KeBugCheckEx+0x104
> fffff88005848230 fffff80002c86cee : fffffa80029b2240 fffff80002f074a0
> 0000000000000003 fffffa80037b2e70 : nt! ?? ::FNODOBFM::string'+0x4333b<br>&gt; fffff88005848390 fffff880038138e8 : fffff88003817060 fffffa80029b2240<br>&gt; fffff80002f074a0 0000057ffc84d188 : nt!KiPageFault+0x16e<br>&gt; fffff88005848520 fffff8800381365f : fffff88003817060 fffff88003817060<br>&gt; fffffa80029b2240 0000000000000003 : msnmntr!RemoveHeadList+0x78<br>&gt; [c:\program files (x86)\windows kits\8.1\include\km\wdm.h @ 9564]<br>&gt; fffff88005848560 fffff88003813b01 : fffffa8002e3a040 0000000000000830<br>&gt; fffff88005848640 fffff88005848650 :<br>&gt; msnmntr!MonitorSendNetworEventToUserApp+0x8f<br>&gt; fffff88005848600 fffff88000e2fb7c : 0000057ffd5b8b88 0000057ffc84d188<br>&gt; 0000000000000830 0000000000000000 : msnmntr!MonitorEvtDeviceControl+0x111<br>&gt; fffff88005848670 fffff88000e2f1ff : fffffa8002a47400 fffffa8000000000<br>&gt; fffffa8002a47470 fffffa8002a4b228 :<br>&gt; Wdf01000!FxIoQueue::DispatchRequestToDriver+0x488<br>&gt; fffff880058486f0 fffff88000e3a2fb : fffffa8002a512f0 fffffa80037b2e00<br>&gt; 0000000000000000 fffffa80037b2e70 :<br>&gt; Wdf01000!FxIoQueue::DispatchEvents+0x66f<br>&gt; fffff88005848770 fffff88000e3051a : fffffa8002a51200 fffffa80037b2e70<br>&gt; fffffa800380b5f0 fffff88005848850 :<br>&gt; Wdf01000!FxIoQueue::QueueRequest+0x2ab<br>&gt; fffff880058487e0 fffff88000e2c79a : fffffa80037b2e70 fffffa800380b5f0<br>&gt; fffff88005848b60 fffffa800380b5f0 : Wdf01000!FxPkgIo::Dispatch+0x4da<br>&gt; fffff88005848850 fffff88000e2c866 : fffffa800380b5f0 fffff88005848b60<br>&gt; fffffa8002a47060 0000000000000001 : Wdf01000!FxDevice::Dispatch+0x19a<br>&gt; fffff88005848890 fffff80002fa53a7 : fffffa80037702e0 fffff88005848b60<br>&gt; fffffa80037702e0 fffffa800380b5f0 :<br>&gt; Wdf01000!FxDevice::DispatchWithLock+0xa6<br>&gt; fffff880058488d0 fffff80002fa5c06 : 0000000000000000 0000000000000000<br>&gt; 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x607<br>&gt; fffff88005848a00 fffff80002c87e53 : fffffa8001c8c700 
0000000000000001<br>&gt; 0000000000001f80 0000000000000000 : nt!NtDeviceIoControlFile+0x56<br>&gt; fffff88005848a70 0000000077a7132a : 000007fefd979af9 cccccccccccccccc<br>&gt; cccccccccccccccc cccccccccccccccc : nt!KiSystemServiceCopyEnd+0x13<br>&gt; 00000000042aedd8 000007fefd979af9 : cccccccccccccccc cccccccccccccccc<br>&gt; cccccccccccccccc cccccccccccccccc : ntdll!ZwDeviceIoControlFile+0xa<br>&gt; 00000000042aede0 000000007781683f : 000000000012000c 000000013fb97000<br>&gt; cccccccccccccccc cccccccccccccccc : KERNELBASE!DeviceIoControl+0x75<br>&gt; 00000000042aee50 000000013f0fa758 : 0000000000000000 0000000000000003<br>&gt; 0000000000000000 0000000000000000 :<br>&gt; kernel32!DeviceIoControlImplementation+0x7f<br>&gt; 00000000042aeea0 0000000000000000 : 0000000000000003 0000000000000000<br>&gt; 0000000000000000 00000000042aef40 :<br>&gt; PCMonitor!CNetworkMon::GetNetworkEventFromKernel+0x518<br>&gt;<br>&gt;<br>&gt; STACK_COMMAND: kb<br>&gt;<br>&gt; FOLLOWUP_IP:<br>&gt; msnmntr!RemoveHeadList+78 [c:\program files (x86)\windows<br>&gt; kits\8.1\include\km\wdm.h @ 9564]<br>&gt; fffff880038138e8 48894808 mov qword ptr [rax+8],rcx
>
> FAULTING_SOURCE_LINE: c:\program files (x86)\windows
> kits\8.1\include\km\wdm.h
>
> FAULTING_SOURCE_FILE: c:\program files (x86)\windows
> kits\8.1\include\km\wdm.h
>
> FAULTING_SOURCE_LINE_NUMBER: 9564
>
> FAULTING_SOURCE_CODE:
> 9560: (PVOID)NextEntry);
> 9561: }
> 9562:
> 9563: ListHead->Flink = NextEntry;
> > 9564: NextEntry->Blink = ListHead;
> 9565:
> 9566: return Entry;
> 9567: }
> 9568:
> 9569: FORCEINLINE
>
>
> SYMBOL_STACK_INDEX: 6
>
> SYMBOL_NAME: msnmntr!RemoveHeadList+78
>
> FOLLOWUP_NAME: MachineOwner
>
> MODULE_NAME: msnmntr
>
> IMAGE_NAME: msnmntr.sys
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 539020ba
>
> FAILURE_BUCKET_ID: X64_0xBE_msnmntr!RemoveHeadList+78
>
> BUCKET_ID: X64_0xBE_msnmntr!RemoveHeadList+78
>
> ANALYSIS_SOURCE: KM
>
> FAILURE_ID_HASH_STRING: km:x64_0xbe_msnmntr!removeheadlist+78
>
> FAILURE_ID_HASH: {c13b7753-0c9b-c33d-1abc-c7489eb3ce72}
>
> Followup: MachineOwner
> ---------
>
> before KiPageFault and BugCheckEx, my dirver call RemoveHeadList at this
> time BSOD has up!
>
> msnmntr!RemoveHeadList+0x78:
> fffff880038138e8 48894808 mov qword ptr [rax+8],rcx
> ds:fffff80002f074a8=9090909090909090
>
> inter code in RemoveListHead()
>
> Entry = ListHead->Flink;
> …
> if ((Entry->Blink != ListHead) || (NextEntry->Blink != Entry)) {
>
> compare rutine is here. now i understand when i access empty Entry->Blink,
> the BSOD is up because of ListHead(flowcontextlist)->Flink are not exist
>
> the function MonitorSendNetworkEventToUserApp is here.
>
> NTSTATUS MonitorSendNetworEventToUserApp(Inout PNETWORK_EVENT
> networkEvent) {
> //DbgPrint(“Enterd MonitorSendNetworEventToUserApp function\n”);
> KLOCK_QUEUE_HANDLE lockHandle;
> NTSTATUS status = STATUS_SUCCESS;
>
> KeAcquireInStackQueuedSpinLock(&flowContextListLock, &lockHandle);
> // flowContextList is global LIST_ENTRY struct and this list are
> added data use
> // InsertTailList(&flowContextList, &flowContext->listEntry)
> function.
>
> if (!IsListEmpty(&flowContextList))
> {
> FLOW_DATA* flowContext;
> LIST_ENTRY* entry;
>
>
> DbgPrint(“1flowContextList.Blink : %x,
> flowContextList.Flink : %x \n”, flowContextList.Blink,
> flowContextList.Flink);
>
> entry = RemoveHeadList(&flowContextList);
>
> DbgPrint(“2flowContextList.Blink : %x,
> flowContextList.Flink : %x \n”, flowContextList.Blink,
> flowContextList.Flink);
>
> flowContext = CONTAINING_RECORD(entry, FLOW_DATA,
> listEntry);
>
> networkEvent->inoutBound = flowContext->inoutBound;
> networkEvent->ipProto = flowContext->ipProto;
> networkEvent->localAddr = flowContext->localAddressV4;
> networkEvent->localPort = flowContext->localPort;
> networkEvent->remoteAddr = flowContext->remoteAddressV4;
> networkEvent->remotePort = flowContext->remotePort;
> networkEvent->processId = flowContext->processId;
> RtlCopyBytes(networkEvent->procPath,
> flowContext->processPath, 1024);
> networkEvent->time = flowContext->time;
> networkEvent->dataSize = flowContext->dataSize;
>
> ExFreePool(flowContext);
> //ExFreePoolWithTag(flowContext->processPath,
> TAG_NAME_CALLOUT);
>
> status = STATUS_SUCCESS;
> }
> else
> {
> //DbgPrint(“list is empty!”);
> status = STATUS_INVALID_PARAMETER;
> }
>
> KeReleaseInStackQueuedSpinLock(&lockHandle);
>
> return status;
> }
>
> but dump faulting source is not my supposition.
>
> FAULTING_SOURCE_CODE:
> 9560: (PVOID)NextEntry);
> 9561: }
> 9562:
> 9563: ListHead->Flink = NextEntry;
> > 9564: NextEntry->Blink = ListHead;
> 9565:
> 9566: return Entry;
> 9567: }
> 9568:
> 9569: FORCEINLINE
>
> i think if ListHead->Flink = NextEntry is correct then NextEntry->Blist =
> ListHead must be correct.
> what i miss? here are RemoveHeadList function in wdm.h
>
> FORCEINLINE
> PLIST_ENTRY
> RemoveHeadList(
> Inout PLIST_ENTRY ListHead
> )
>
> {
>
> PLIST_ENTRY Entry;
> PLIST_ENTRY NextEntry;
>
> Entry = ListHead->Flink;
>
> #if DBG
>
> RtlpCheckListEntry(ListHead);
>
> #endif
>
> NextEntry = Entry->Flink;
> if ((Entry->Blink != ListHead) || (NextEntry->Blink != Entry)) {
> FatalListEntryError((PVOID)ListHead,
> (PVOID)Entry,
> (PVOID)NextEntry);
> }
>
> ListHead->Flink = NextEntry;
> NextEntry->Blink = ListHead;
>
> return Entry;
> }
>
> —
>

The actual complaint is ATTEMPTED_WRITE_TO_READONLY_MEMORY. Which is odd.
In the future please provide all of the output from !analyze -v, it might
help.

The tests before the fault don’t write anything, they only do reads. The
page of memory being accessed isn’t bogus, it is read-only.

Mark Roddy

On Thu, Jun 5, 2014 at 7:32 AM, wrote:

> i have some problem about RemoveHeadList.
>
> BSOD dump is here.
>
> DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
>
> BUGCHECK_STR: 0xBE
>
> CURRENT_IRQL: 2
>
> ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre
>
> TRAP_FRAME: fffff88005848390 – (.trap 0xfffff88005848390)
> NOTE: The trap frame does not contain all registers.
> Some register values may be zeroed or incorrect.
> rax=fffff80002f074a0 rbx=0000000000000000 rcx=fffff88003817060
> rdx=fffffa80029b2240 rsi=0000000000000000 rdi=0000000000000000
> rip=fffff880038138e8 rsp=fffff88005848520 rbp=fffff880058486b0
> r8=fffff80002f074a0 r9=0000000000000003 r10=0000000000000000
> r11=fffff88005848180 r12=0000000000000000 r13=0000000000000000
> r14=0000000000000000 r15=0000000000000000
> iopl=0 nv up ei ng nz na po nc
> msnmntr!RemoveHeadList+0x78:
> fffff880038138e8 48894808 mov qword ptr [rax+8],rcx
> ds:fffff80002f074a8=9090909090909090
> Resetting default scope
>
> LAST_CONTROL_TRANSFER: from fffff80002d79a12 to fffff80002c809f0
>
> STACK_TEXT:
> fffff88005847ab8 fffff80002d79a12 : fffff80002f074a8 fffffa8002f23060
> 0000000000000065 fffff80002cc3878 : nt!RtlpBreakWithStatusInstruction
> fffff88005847ac0 fffff80002d7a7fe : fffff88000000003 0000000000000000
> fffff80002cc4120 fffff88005848120 : nt!KiBugCheckDebugBreak+0x12
> fffff88005847b20 fffff80002c88cc4 : 0000000000000000 0000000000000000
> 0000000000000000 fffff80002e18588 : nt!KeBugCheck2+0x71e
> fffff880058481f0 fffff80002d0514b : 00000000000000be fffff80002f074a8
> 0e60000002f07121 fffff88005848390 : nt!KeBugCheckEx+0x104
> fffff88005848230 fffff80002c86cee : fffffa80029b2240 fffff80002f074a0
> 0000000000000003 fffffa80037b2e70 : nt! ?? ::FNODOBFM::string'+0x4333b
> fffff88005848390 fffff880038138e8 : fffff88003817060 fffffa80029b2240
> fffff80002f074a0 0000057ffc84d188 : nt!KiPageFault+0x16e
> fffff88005848520 fffff8800381365f : fffff88003817060 fffff88003817060
> fffffa80029b2240 0000000000000003 : msnmntr!RemoveHeadList+0x78
> [c:\program files (x86)\windows kits\8.1\include\km\wdm.h @ 9564]
> fffff88005848560 fffff88003813b01 : fffffa8002e3a040 0000000000000830
> fffff88005848640 fffff88005848650 :
> msnmntr!MonitorSendNetworEventToUserApp+0x8f
> fffff88005848600 fffff88000e2fb7c : 0000057ffd5b8b88 0000057ffc84d188
> 0000000000000830 0000000000000000 : msnmntr!MonitorEvtDeviceControl+0x111
> fffff88005848670 fffff88000e2f1ff : fffffa8002a47400 fffffa8000000000
> fffffa8002a47470 fffffa8002a4b228 :
> Wdf01000!FxIoQueue::DispatchRequestToDriver+0x488
> fffff880058486f0 fffff88000e3a2fb : fffffa8002a512f0 fffffa80037b2e00
> 0000000000000000 fffffa80037b2e70 :
> Wdf01000!FxIoQueue::DispatchEvents+0x66f
> fffff88005848770 fffff88000e3051a : fffffa8002a51200 fffffa80037b2e70
> fffffa800380b5f0 fffff88005848850 : Wdf01000!FxIoQueue::QueueRequest+0x2ab
> fffff880058487e0 fffff88000e2c79a : fffffa80037b2e70 fffffa800380b5f0
> fffff88005848b60 fffffa800380b5f0 : Wdf01000!FxPkgIo::Dispatch+0x4da
> fffff88005848850 fffff88000e2c866 : fffffa800380b5f0 fffff88005848b60
> fffffa8002a47060 0000000000000001 : Wdf01000!FxDevice::Dispatch+0x19a
> fffff88005848890 fffff80002fa53a7 : fffffa80037702e0 fffff88005848b60
> fffffa80037702e0 fffffa800380b5f0 :
> Wdf01000!FxDevice::DispatchWithLock+0xa6
> fffff880058488d0 fffff80002fa5c06 : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x607
> fffff88005848a00 fffff80002c87e53 : fffffa8001c8c700 0000000000000001
> 0000000000001f80 0000000000000000 : nt!NtDeviceIoControlFile+0x56
> fffff88005848a70 0000000077a7132a : 000007fefd979af9 cccccccccccccccc
> cccccccccccccccc cccccccccccccccc : nt!KiSystemServiceCopyEnd+0x13
> 00000000042aedd8 000007fefd979af9 : cccccccccccccccc cccccccccccccccc
> cccccccccccccccc cccccccccccccccc : ntdll!ZwDeviceIoControlFile+0xa
> 00000000042aede0 000000007781683f : 000000000012000c 000000013fb97000
> cccccccccccccccc cccccccccccccccc : KERNELBASE!DeviceIoControl+0x75
> 00000000042aee50 000000013f0fa758 : 0000000000000000 0000000000000003
> 0000000000000000 0000000000000000 :
> kernel32!DeviceIoControlImplementation+0x7f
> 00000000042aeea0 0000000000000000 : 0000000000000003 0000000000000000
> 0000000000000000 00000000042aef40 :
> PCMonitor!CNetworkMon::GetNetworkEventFromKernel+0x518
>
>
> STACK_COMMAND: kb
>
> FOLLOWUP_IP:
> msnmntr!RemoveHeadList+78 [c:\program files (x86)\windows
> kits\8.1\include\km\wdm.h @ 9564]
> fffff880038138e8 48894808 mov qword ptr [rax+8],rcx
>
> FAULTING_SOURCE_LINE: c:\program files (x86)\windows
> kits\8.1\include\km\wdm.h
>
> FAULTING_SOURCE_FILE: c:\program files (x86)\windows
> kits\8.1\include\km\wdm.h
>
> FAULTING_SOURCE_LINE_NUMBER: 9564
>
> FAULTING_SOURCE_CODE:
> 9560: (PVOID)NextEntry);
> 9561: }
> 9562:
> 9563: ListHead->Flink = NextEntry;
> > 9564: NextEntry->Blink = ListHead;
> 9565:
> 9566: return Entry;
> 9567: }
> 9568:
> 9569: FORCEINLINE
>
>
> SYMBOL_STACK_INDEX: 6
>
> SYMBOL_NAME: msnmntr!RemoveHeadList+78
>
> FOLLOWUP_NAME: MachineOwner
>
> MODULE_NAME: msnmntr
>
> IMAGE_NAME: msnmntr.sys
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 539020ba
>
> FAILURE_BUCKET_ID: X64_0xBE_msnmntr!RemoveHeadList+78
>
> BUCKET_ID: X64_0xBE_msnmntr!RemoveHeadList+78
>
> ANALYSIS_SOURCE: KM
>
> FAILURE_ID_HASH_STRING: km:x64_0xbe_msnmntr!removeheadlist+78
>
> FAILURE_ID_HASH: {c13b7753-0c9b-c33d-1abc-c7489eb3ce72}
>
> Followup: MachineOwner
> ---------
>
> Immediately before KiPageFault and KeBugCheckEx, my driver calls RemoveHeadList;
> that is where the BSOD occurs:
>
> msnmntr!RemoveHeadList+0x78:
> fffff880038138e8 48894808 mov qword ptr [rax+8],rcx
> ds:fffff80002f074a8=9090909090909090
>
> The relevant code inside RemoveHeadList() is:
>
> Entry = ListHead->Flink;
> …
> if ((Entry->Blink != ListHead) || (NextEntry->Blink != Entry)) {
>
> The comparison routine is here. My understanding was that the BSOD happens when
> Entry->Blink of an empty entry is accessed, because ListHead (flowContextList)->Flink
> does not exist. However, the list cannot have been empty: IsListEmpty() is checked
> under flowContextListLock right before the call, and the fault is not in the
> comparison but at the store on wdm.h line 9564 (see below). NextEntry
> (rax = fffff80002f074a0) lies in the same fffff80002xxxxxx range as the nt!
> frames rather than in pool, so the head entry's Flink was already stale when it
> was dequeued - the entry was freed or overwritten while still linked.
>
> The function MonitorSendNetworEventToUserApp (the frame below RemoveHeadList in
> the stack) is:
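/*
 * Dequeue the oldest FLOW_DATA from flowContextList and copy it into the
 * caller's NETWORK_EVENT record.
 *
 * networkEvent - output record filled from the dequeued entry. It comes from
 *                the IOCTL output buffer in MonitorEvtDeviceControl (not
 *                visible here); that caller must have verified the buffer is
 *                at least sizeof(NETWORK_EVENT) bytes before handing it over.
 *
 * Returns STATUS_SUCCESS when an entry was delivered, or
 * STATUS_INVALID_PARAMETER when the queue was empty. The empty-queue status
 * is kept as-is because the user-mode caller
 * (PCMonitor!CNetworkMon::GetNetworkEventFromKernel in the dump) may rely on it.
 *
 * Locking: flowContextList is only touched while flowContextListLock is held
 * (KeAcquireInStackQueuedSpinLock raises to DISPATCH_LEVEL). The entry is
 * unlinked under the lock and consumed/freed after the lock is released, so the
 * critical section no longer contains a 1 KB copy or a pool free.
 *
 * NOTE(review): the 0xBE (ATTEMPTED_WRITE_TO_READONLY_MEMORY) bug check in the
 * dump is not caused by this function's own locking. RemoveHeadList faulted on
 * `NextEntry->Blink = ListHead` with NextEntry (rax = fffff80002f074a0) in the
 * kernel-image address range, i.e. the head FLOW_DATA (rdx = fffffa80029b2240,
 * a pool address) was still linked but its Flink no longer held a list pointer.
 * Look for another path (a flow-delete callout, a cleanup routine, a second
 * insertion of the same FLOW_DATA) that frees or reinitialises a FLOW_DATA
 * without first RemoveEntryList()ing it under flowContextListLock. A stale
 * link here is a kernel write-what-where primitive (the address of the list
 * head is stored through the attacker-influenced pointer), and this IOCTL is
 * reachable from user mode, so the offending path should be fixed rather than
 * worked around.
 */
NTSTATUS MonitorSendNetworEventToUserApp(_Inout_ PNETWORK_EVENT networkEvent)
{
    KLOCK_QUEUE_HANDLE lockHandle;
    LIST_ENTRY *entry = NULL;
    FLOW_DATA *flowContext;

    /* Unlink under the lock; nothing else is done while it is held. The list
       head is only printed inside the lock because reading it outside would
       race with InsertTailList() on the producer side. %p, not %x: the Flink
       and Blink values are 64-bit pointers and %x truncates them. */
    KeAcquireInStackQueuedSpinLock(&flowContextListLock, &lockHandle);

    if (!IsListEmpty(&flowContextList)) {
        DbgPrint("1flowContextList.Blink : %p, flowContextList.Flink : %p \n",
                 flowContextList.Blink, flowContextList.Flink);

        entry = RemoveHeadList(&flowContextList);

        DbgPrint("2flowContextList.Blink : %p, flowContextList.Flink : %p \n",
                 flowContextList.Blink, flowContextList.Flink);
    }

    KeReleaseInStackQueuedSpinLock(&lockHandle);

    if (entry == NULL) {
        /* Empty queue: same status the original returned. */
        return STATUS_INVALID_PARAMETER;
    }

    /* The entry is now owned exclusively by this thread. */
    flowContext = CONTAINING_RECORD(entry, FLOW_DATA, listEntry);

    networkEvent->inoutBound = flowContext->inoutBound;
    networkEvent->ipProto    = flowContext->ipProto;
    networkEvent->localAddr  = flowContext->localAddressV4;
    networkEvent->localPort  = flowContext->localPort;
    networkEvent->remoteAddr = flowContext->remoteAddressV4;
    networkEvent->remotePort = flowContext->remotePort;
    networkEvent->processId  = flowContext->processId;

    /* Fixed 1024-byte copy as in the original: both procPath and processPath
       must be at least that large. TODO(review): if processPath is a separately
       allocated string (the free of it that was commented out in the original
       suggests it once was), bound this copy by its real length and free it
       here, otherwise this over-reads the allocation and leaks it. */
    RtlCopyBytes(networkEvent->procPath, flowContext->processPath, 1024);

    networkEvent->time     = flowContext->time;
    networkEvent->dataSize = flowContext->dataSize;

    /* Release the FLOW_DATA. If it was allocated with ExAllocatePoolWithTag,
       free it with ExFreePoolWithTag and the same tag so Driver Verifier can
       match the allocation to the free. */
    ExFreePool(flowContext);

    return STATUS_SUCCESS;
}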
>
> But the faulting source line in the dump does not match my assumption:
>
> FAULTING_SOURCE_CODE:
> 9560: (PVOID)NextEntry);
> 9561: }
> 9562:
> 9563: ListHead->Flink = NextEntry;
> > 9564: NextEntry->Blink = ListHead;
> 9565:
> 9566: return Entry;
> 9567: }
> 9568:
> 9569: FORCEINLINE
>
> I think that if `ListHead->Flink = NextEntry` succeeds, then
> `NextEntry->Blink = ListHead` must also succeed. What am I missing?
> (The two stores target different memory: line 9563 writes into ListHead,
> which is the driver's own global flowContextList, while line 9564 writes
> through NextEntry, a pointer read out of the entry being removed. If that
> entry was freed or overwritten while it was still linked, NextEntry is
> garbage and the second store faults.)
> Here is the RemoveHeadList function from wdm.h:
>
> FORCEINLINE  // RemoveHeadList as shipped in WDK 8.1 wdm.h, quoted verbatim; the annotations relate it to the trap frame above
> PLIST_ENTRY
> RemoveHeadList(
> Inout PLIST_ENTRY ListHead  // SAL _Inout_ (underscores lost in the mail); rcx = fffff88003817060 = &flowContextList in the dump
> )
>
> {
>
> PLIST_ENTRY Entry;
> PLIST_ENTRY NextEntry;
>
> Entry = ListHead->Flink;  // the entry being dequeued; apparently rdx = fffffa80029b2240 (a pool address) in the dump
>
> #if DBG
>
> RtlpCheckListEntry(ListHead);  // checked builds only: validates the head's own Flink/Blink
>
> #endif
>
> NextEntry = Entry->Flink;  // trusts the entry's links; here rax = fffff80002f074a0, in the nt address range rather than in pool
> if ((Entry->Blink != ListHead) || (NextEntry->Blink != Entry)) {  // consistency check on the links about to be spliced
> FatalListEntryError((PVOID)ListHead,
> (PVOID)Entry,
> (PVOID)NextEntry);
> }
>
> ListHead->Flink = NextEntry;  // line 9563: store into the list head in the driver's own data - this one succeeded
> NextEntry->Blink = ListHead;  // line 9564: store through the entry's stale Flink -> 0xBE, attempted write to read-only memory
>
> return Entry;
> }
>

Thanks for the reply!

I'll keep trying to solve the problem, and thank you for your advice.