Hi,
I got a weird blue screen 0xA (IRQL_NOT_LESS_OR_EQUAL). We have a filter
driver that implements some kind of sparse file system and uses a kernel
mode TDI client. Sometimes the user-mode application that talks with our
filter driver blows away. This has no implications on the drivers, except
for this strange blue screen that I got twice - though I am only guessing on
the first occurrence (I don’t have a dump file for it). After the user mode
application blows away, and we try to delete all of our cache, we get the
following blue screen in an Explorer thread. The output from WinDbg !analyze
-v is:
kd> !analyze -v
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: a81aa80a, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8043239b, address which referenced memory
Debugging Details:
READ_ADDRESS: a81aa80a Nonpaged pool
CURRENT_IRQL: 2
FAULTING_IP:
nt!KiUnwaitThread+8
8043239b 8b7004 mov esi,[eax+0x4]
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: A
LAST_CONTROL_TRANSFER: from 8042bef7 to 80455994
STACK_TEXT:
ChildEBP RetAddr Args to Child
b8dea18c 8042bef7 00000003 b8dea1d4 a81aa80a nt!RtlpBreakWithStatusInstruction
b8dea1bc 8042c2bb 00000003 a81aa80a 8043239b nt!KiBugCheckDebugBreak+0x31
b8dea548 80467e7f 00000000 a81aa80a 00000002 nt!KeBugCheckEx+0x390
b8dea548 8043239b 00000000 a81aa80a 00000002 nt!KiTrap0E+0x27c
b8dea5dc 8042ccb7 00000002 e308d908 e308d908 nt!KiUnwaitThread+0x8
b8dea5f4 a000099e ffac1920 00000002 00000000 nt!KeSetEvent+0x44
b8dea610 a00597a4 e308d908 00000108 e308d908 win32k!SetWakeBit+0xb2
b8dea62c a0059829 e308d908 00000400 00000000 win32k!_PostThreadMessage+0x94
b8dea65c 804649a1 000003a4 00000400 00000000 win32k!NtUserPostThreadMessage+0xbb
b8dea65c 77e17666 000003a4 00000400 00000000 nt!KiSystemService+0xc4
0006fd04 78316d9a 001184f8 00008000 000e26b8 USER32!NtUserPostThreadMessage+0xb
0006fd3c 78316c6c 0006fd60 00000001 00000000 SHELL32!FreePFSNCIContents+0x52
0006fd58 783166fd 000e26b8 00000411 00000000 SHELL32!SHChangeNotifyDeregisterInternal+0x30
0006fd74 7830d381 00000574 0000037c 00000000 SHELL32!SHChangeRegistrationReceive+0x2b
0006fdc0 7830cf9a 00090478 000100d2 00000411 SHELL32!CDesktopBrowser::WndProcBS+0x657
0006fde4 77e11b60 00090458 00000411 00000574 SHELL32!CDesktopBrowser::DesktopWndProc+0x158
0006fe04 77e12f29 7830cf53 000100d2 00000411 USER32!UserCallWinProc+0x18
0006fe20 77e12f4f 00450c78 00000411 00000574 USER32!DispatchClientMessage+0x4b
0006fe48 77fa032f 0006fe58 00000018 00450c78 USER32!__fnDWORD+0x22
0006fe6c 77e12b4e 0006fee0 00000000 00000000 ntdll!KiUserCallbackDispatcher+0x13
b8dea934 80430a2a b8dea9f4 b8dea9ec 00000000 nt!KiCallUserMode+0x4
b8dea998 a0054076 00000002 b8dea9c8 00000018 nt!KeUserModeCallback+0xa6
b8deac28 a0071d16 a0320c78 00000411 00000574 win32k!SfnDWORD+0xc2
b8deaca0 a00014cb e3043008 b8dead64 00000000 win32k!xxxReceiveMessage+0x3d6
b8deacdc a0053815 b8dead0c 000021ff 00000000 win32k!xxxInternalGetMessage+0x1ce
b8dead48 804649a1 0006fee0 00000000 00000000 win32k!NtUserPeekMessage+0x5c
b8dead48 77e12bac 0006fee0 00000000 00000000 nt!KiSystemService+0xc4
0006fe94 77e12ca2 0006fee0 00000000 00000000 USER32!NtUserPeekMessage+0xb
0006fec0 782f7359 0006fee0 00000000 00000000 USER32!PeekMessageW+0xba
0006fefc 782f4c87 77e839ad 00090458 00000001 SHELL32!CDesktopBrowser::_PeekForAMessage+0x1b
0006ff1c 782f4c33 00000000 00401908 00090458 SHELL32!CDesktopBrowser::_MessageLoop+0x14
0006ff24 00401908 00090458 00000000 0002077e SHELL32!SHDesktopMessageLoop+0x20
0006ff60 00401621 0000005c 00000000 0002077e Explorer!ExplorerWinMain+0x27a
0006ffc0 77e8d326 00000000 00000000 7ffdf000 Explorer!ModuleEntry+0x97
0006fff0 00000000 004015a8 00000000 000000c8 KERNEL32!BaseProcessStart+0x3d
FOLLOWUP_IP:
win32k!SetWakeBit+b2
a000099e ebbc jmp win32k!SetWakeBit+0xb2 (a000095c)
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: win32k!SetWakeBit+b2
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 3bc32f6b
STACK_COMMAND: kb
BUCKET_ID: 0xA_win32k!SetWakeBit+b2
The thread that blue screened is part of the explorer process, and has no
connection to our own application as far as I know. The thread that the
message is sent to is also an explorer thread and this is its stack:
THREAD ffac1b60 Cid 37c.3a4 Teb: 7ffdb000 Win32Thread: e308d908 WAIT: (UserRequest) UserMode Non-Alertable
ffac3a44 NotificationEvent
ffac21c4 NotificationEvent
ffac18e4 NotificationEvent
ffac1844 NotificationEvent
ffaf2fe4 NotificationEvent
ffac0f64 NotificationEvent
ffaa1084 NotificationEvent
812bd484 NotificationEvent
ffac1920 SynchronizationEvent
IRP List:
81283768: (0006,00b8) Flags: 00000000 Mdl: 853a3928
File Object: 812bd428 (“\Banana\Release\Release_2.1\Client\Version_2.1.0.3\Debug”) Network Redirector (MrxSmb)
ffb429e8: (0006,00b8) Flags: 00000000 Mdl: 816a5d08
File Object: 812bd428 (“\Banana\Release\Release_2.1\Client\Version_2.1.0.3\Debug”) Network Redirector (MrxSmb)
817cf168: (0006,00b8) Flags: 00000000 Mdl: ffa80f88
File Object: ffaa1028 (“\Banana\Release\Release_2.1\Client\Version_2.1.0.3\Release”) Network Redirector (MrxSmb)
ffaf7368: (0006,00b8) Flags: 00000000 Mdl: 816f38e8
File Object: ffaa1028 (“\Banana\Release\Release_2.1\Client\Version_2.1.0.3\Release”) Network Redirector (MrxSmb)
81650008: (0006,01b4) Flags: 00000000 Mdl: 00000000
File Object: ffac2168 (“\Documents and Settings\All Users\Start Menu”)
811468e8: (0006,01b4) Flags: 00000000 Mdl: 00000000
File Object: ffac2168 (“\Documents and Settings\All Users\Start Menu”)
ffafc548: (0006,0190) Flags: 00000000 Mdl: 00000000
File Object: ffac0f08 (“\Documents and Settings\GiladB\Application Data\Microsoft\Internet Explorer\Quick Launch”)
816a1e68: (0006,0190) Flags: 00000000 Mdl: 00000000
File Object: ffac0f08 (“\Documents and Settings\GiladB\Application Data\Microsoft\Internet Explorer\Quick Launch”)
ffb01e68: (0006,0190) Flags: 00000000 Mdl: 00000000
File Object: ffaf2f88 (“\Documents and Settings\GiladB\Desktop”)
ffac1628: (0006,0190) Flags: 00000000 Mdl: 00000000
File Object: ffaf2f88 (“\Documents and Settings\GiladB\Desktop”)
ffac0d48: (0006,0190) Flags: 00000000 Mdl: 00000000
File Object: ffac17e8 (“\Documents and Settings\All Users\Desktop”)
ffac0008: (0006,0190) Flags: 00000000 Mdl: 00000000
File Object: ffac17e8 (“\Documents and Settings\All Users\Desktop”)
ffac11c8: (0006,0190) Flags: 00000000 Mdl: 00000000
File Object: ffac1888 (“\Documents and Settings\GiladB\Desktop”)
ffac2b68: (0006,0190) Flags: 00000000 Mdl: 00000000
File Object: ffac1888 (“\Documents and Settings\GiladB\Desktop”)
816ad2a8: (0006,0190) Flags: 00000000 Mdl: 00000000
File Object: ffac39e8 (“\Documents and Settings\GiladB\Start menu”)
ffaf05a8: (0006,0190) Flags: 00000000 Mdl: 00000000
File Object: ffac39e8 (“\Documents and Settings\GiladB\Start menu”)
Not impersonating
Owning Process ffaf3d60
WaitTime (seconds) 46327
Context Switch Count 134218013 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address 0x77e964cb
Win32 Start Address 0x782f3488
Stack Init b90e3000 Current b90e2930 Base b90e3000 Limit b90df000
Call 0
Priority 11 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
b90e2948 8042d5a3 00000020 e3034ae0 810c30a8 nt!KiSwapThread+0xc5
b90e297c 804502c9 00000009 b90e29f8 00000001 nt!KeWaitForMultipleObjects+0x266
b90e2d48 804649a1 00000009 0011e9f0 00000001 nt!NtWaitForMultipleObjects+0x3a0
b90e2d48 77f82829 00000009 0011e9f0 00000001 nt!KiSystemService+0xc4
00f5fde4 77e127b7 0011e9f0 00000001 00000000 NTDLL!NtWaitForMultipleObjects+0xb
00f5fde4 77e127b7 0011e9f0 00000001 00000000 +0x77e127b7
00f5fe40 77e1282f 00f5fe0c 00f5feb8 ffffffff +0x77e127b7
00f5fe5c 782f3546 00000008 00f5feb8 00000000 +0x77e1282f
7840a2f0 00000001 00000002 00000368 00000180 +0x782f3546
As you can see, the thread is waiting on a synchronization object ffac1920
which is being signaled in the blue-screen thread. All the IRPs in the
waiting thread are for file objects that are not related to our filter
driver (we are filtering requests for a specific directory not under
\documents and settings), inasmuch as there might be a deadlock somewhere,
since they all returned pending. I checked the locks and this is what I got:
kd> !locks
Resource @ 0x818604f4 Shared 1 owning threads
Contention Count = 25
Threads: 818a70c0-01
Resource @ 0x817ccd08 Exclusively owned
Contention Count = 7070
Threads: ffaeeda0-01
Resource @ 0x81734e28 Shared 1 owning threads
Contention Count = 32
Threads: 818a70c0-01
Resource @ 0x803f89a8 Shared 1 owning threads
Threads: 810da6e0-01
Resource @ 0xffa88c68 Exclusively owned
Threads: 818a70c0-01
Resource @ 0xffaade08 Exclusively owned
Threads: 818a70c0-01
Resource @ 0xffab3b48 Shared 1 owning threads
Threads: 818a7340-01
Resource @ 0x813078c0 Shared 1 owning threads
Threads: ffb20023-01 *** Invalid thread
6273 total locks, 8 locks currently held
And it doesn’t seem like a deadlock anywhere with our file system filter
driver. If you want I can send you the threads’ stacks that are in our
filter driver (the message is way too long by now for the lyris server).
Any suggestions as to the source of the Blue Screen? I think that it might
be related to some memory corruption that our drivers caused, because it
seems very unlikely that waking up a thread will cause a blue screen, doesn’t
it? Any suggestions as to what can cause such a corruption?
Thanks,
Gilad
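As an added example that is not part of Gilad's post: a small Python parser for the `!analyze -v` header and STACK_TEXT as quoted above. It rejoins frames whose symbol wrapped onto the following line (as they did in the mail), cross-checks the 0xA arguments (IRQL, read versus write, Arg4 against FAULTING_IP) and pulls out the event address passed to KeSetEvent, which is the object the second thread is waiting on. The sample text is constructed from the values in the post.

```python
import re

# Constructed sample: the relevant part of the !analyze -v output quoted in the
# post, including one STACK_TEXT frame whose symbol wrapped onto the next line.
SAMPLE = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arg1: a81aa80a, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8043239b, address which referenced memory
FAULTING_IP:
nt!KiUnwaitThread+8
8043239b 8b7004 mov esi,[eax+0x4]
STACK_TEXT:
ChildEBP RetAddr Args to Child
b8dea18c 8042bef7 00000003 b8dea1d4 a81aa80a
nt!RtlpBreakWithStatusInstruction
b8dea5dc 8042ccb7 00000002 e308d908 e308d908 nt!KiUnwaitThread+0x8
b8dea5f4 a000099e ffac1920 00000002 00000000 nt!KeSetEvent+0x44
FOLLOWUP_IP:
"""

H = r"([0-9a-f]{8})"
ARG_RE = re.compile(rf"^Arg([1-4]): {H}")
FRAME_RE = re.compile(rf"^{H} {H} {H} {H} {H}(?: (\S.*))?$")

def parse_analyze(text):
    # Returns Arg1-4, the faulting symbol/IP/instruction and the STACK_TEXT frames.
    info, section = {"args": {}, "stack": []}, None
    for line in map(str.strip, text.splitlines()):
        if m := ARG_RE.match(line):
            info["args"][int(m[1])] = int(m[2], 16)
        elif line.endswith(":") and " " not in line:
            section = line[:-1]                      # e.g. FAULTING_IP, STACK_TEXT
        elif section == "FAULTING_IP" and "faulting_symbol" not in info:
            info["faulting_symbol"] = line
        elif section == "FAULTING_IP" and "faulting_ip" not in info:
            addr, _bytes, instr = line.split(" ", 2)
            info["faulting_ip"], info["instruction"] = int(addr, 16), instr
        elif section == "STACK_TEXT" and (m := FRAME_RE.match(line)):
            args = tuple(int(m[k], 16) for k in (3, 4, 5))
            info["stack"].append({"ret": int(m[2], 16), "args": args, "symbol": m[6]})
        elif section == "STACK_TEXT" and info["stack"] and info["stack"][-1]["symbol"] is None:
            info["stack"][-1]["symbol"] = line       # symbol wrapped onto the next line
    return info

def triage(info):
    # Cross-check the 0xA arguments against the faulting frame and the signaling call.
    a = info["args"]
    signal = next(f for f in info["stack"] if f["symbol"].startswith("nt!KeSetEvent"))
    return {
        "irql": a[2],
        "operation": "write" if a[3] else "read",
        "ip_matches_arg4": a[4] == info["faulting_ip"],
        "event_being_signaled": signal["args"][0],   # first argument to KeSetEvent
    }
```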