FltFlushBuffers, XP, mrxsmb BugCheck

Hi,

I am seeing a bugcheck on XP SP2 and SP3.
This happens reliably when I call FltFlushBuffers from my mini filter.
Has anyone seen or resolved this before?

Here is the relevant information at time of BugCheck:

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 00000000, The address that the exception occurred at
Arg3: f4c95c2c, Exception Record Address
Arg4: f4c95928, Context Record Address

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
+16
00000000 ?? ???

EXCEPTION_RECORD: f4c95c2c - (.exr 0xfffffffff4c95c2c)
ExceptionAddress: 00000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 00000000
Attempt to execute non-executable address 00000000

CONTEXT: f4c95928 - (.cxr 0xfffffffff4c95928)
eax=00000000 ebx=86545c78 ecx=000002ee edx=00000000 esi=86545c78 edi=00000000
eip=00000000 esp=f4c95cf4 ebp=f4c95d08 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293
00000000 ?? ???
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000008

EXCEPTION_PARAMETER2: 00000000

WRITE_ADDRESS: 00000000

FOLLOWUP_IP:
rdbss!RxLowIoCompletionTail+33
f5ce9622 8bd8 mov ebx,eax

FAILED_INSTRUCTION_ADDRESS:
+33
00000000 ?? ???

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from f5ce9622 to 00000000

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f4c95cf0 f5ce9622 86545c78 00000000 86545c78 0x0
f4c95d08 f5cf82c3 86545c78 00000000 866004a8 rdbss!RxLowIoCompletionTail+0x33
f4c95d1c f5cae3f0 86545c78 00000000 866004a8 rdbss!RxLowIoCompletion+0x3f
f4c95d44 f5c951db 006004a8 00545c78 8636cc00 mrxsmb!SmbPseExchangeStart_Locks+0x30f
f4c95d6c f5cde4b1 00000000 00000000 8653eda8 mrxsmb!SmbPseContinueOrdinaryExchange+0x12e
f4c95d9c f5ce8957 00ce7fc0 f5ce8240 f4c95ddc rdbss!RxpWorkerThreadDispatcher+0x93
f4c95dac 805c6160 f5ce7fc0 00000000 00000000 rdbss!RxWorkerThreadDispatcher+0x1a
f4c95ddc 80541dd2 f5ce893d f5ce7fc0 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: rdbss!RxLowIoCompletionTail+33

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: rdbss

IMAGE_NAME: rdbss.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48025ee6

STACK_COMMAND: .cxr 0xfffffffff4c95928 ; kb

FAILURE_BUCKET_ID: 0x7E_NULL_IP_rdbss!RxLowIoCompletionTail+33

BUCKET_ID: 0x7E_NULL_IP_rdbss!RxLowIoCompletionTail+33

OK, let’s analyze this

The error is 7E, exception not handled
The exception is c0000005, access fault
The faulting IP is 0

The EIP register is 0

This screams “local stack overrun killed return address”. It *could* be
something else, but that’s the most likely cause. The second likely cause
is passing a pointer to a __CDECL callback handler when you should have
passed a pointer to a __STDCALL callback handler. If you ever have to cast
a function pointer to get your code to compile, there is a nearly-100%
chance there is a coding error and the casting tells the compiler “trust
me”. You have a better chance at a street game of three-card monte.
joe

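As an added example (not code from the thread), a small Python triage helper that pulls out the fields Joe reads off the `!analyze -v` output above and applies his "EIP is 0, frame 0 is 0x0" reasoning: it reports whether control was transferred to address zero and which function made that transfer, the place to start looking for an overrun return address or a miscast callback pointer. SAMPLE is an excerpt of the dump quoted in this thread; the function names are my own.

```python
import re

# Constructed sample: a trimmed excerpt of the !analyze -v output quoted above.
SAMPLE = """\
BUGCHECK_STR: 0x7E
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
CONTEXT: f4c95928 - (.cxr 0xfffffffff4c95928)
eax=00000000 ebx=86545c78 ecx=000002ee edx=00000000 esi=86545c78 edi=00000000
eip=00000000 esp=f4c95cf4 ebp=f4c95d08 iopl=0 nv up ei ng nz ac po cy
LAST_CONTROL_TRANSFER: from f5ce9622 to 00000000
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f4c95cf0 f5ce9622 86545c78 00000000 86545c78 0x0
f4c95d08 f5cf82c3 86545c78 00000000 866004a8 rdbss!RxLowIoCompletionTail+0x33
f4c95d1c f5cae3f0 86545c78 00000000 866004a8 rdbss!RxLowIoCompletion+0x3f
f4c95d44 f5c951db 006004a8 00545c78 8636cc00 mrxsmb!SmbPseExchangeStart_Locks+0x30f
"""

# One x86 "kb" frame: ChildEBP RetAddr Args(3) Symbol
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)$")

def parse_analyze(text):
    """Extract bugcheck string, exception code, EIP and kb frames from !analyze -v text."""
    info = {"bugcheck": None, "exception": None, "eip": None, "frames": []}
    for line in text.splitlines():
        if line.startswith("BUGCHECK_STR:"):
            info["bugcheck"] = line.split(":", 1)[1].strip()
        elif line.startswith("EXCEPTION_CODE:"):
            m = re.search(r"0x([0-9a-f]{8})", line)      # first hex value is the NTSTATUS
            info["exception"] = int(m.group(1), 16) if m else None
        elif line.startswith("eip="):
            info["eip"] = int(line[4:12], 16)
        else:
            m = FRAME_RE.match(line)
            if m:   # (child EBP, return address, symbol)
                info["frames"].append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return info

def triage(info):
    """EIP == 0 with frame 0 at 0x0 means execution was transferred to address zero.
    Frame 1's symbol is the function that made that transfer: its callee's return
    address was overwritten, or it called through a bad (e.g. miscast) pointer."""
    frames = info["frames"]
    null_ip = info["eip"] == 0 and bool(frames) and frames[0][2] == "0x0"
    caller = frames[1][2] if null_ip and len(frames) > 1 else None
    module = caller.split("!")[0] if caller and "!" in caller else None
    return {"null_ip": null_ip, "caller": caller, "module": module,
            "access_violation": info["exception"] == 0xC0000005}
```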

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars
