My QA gave me a strange BSOD and I have no idea what happened.
I publish it below and would very much appreciate any hint on how to look for the problem.
Some additional information:
- OS: Windows 7, 32-bit
- The trapping function MbpIsNameInExpression() is very old and simple; it receives as input only 2 PUNICODE_STRING and both are OK.
- I don't believe that IRQL is 2 as written, because the entry callback PfPreOperationCallback() starts by checking:
  if(KeGetCurrentIrql() > APC_LEVEL)
      return returnStatus;
  and the driver itself raises IRQL only to APC (for Lite resource) and back, no DPC_LEVEL.
- The problem occurs on IRP_MJ_WRITE in the context of msiexec.exe.
- Could using towupper() inside the driver be the problem?
Thanks for the help & Best regards,
Michael
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 00000000, address which referenced memory
Debugging Details:
READ_ADDRESS: 00000000
CURRENT_IRQL: 2
FAULTING_IP:
+47ad180
00000000 ?? ???
PROCESS_NAME: msiexec.exe
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0xD1
ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre
TRAP_FRAME: d0d17428 - (.trap 0xffffffffd0d17428)
ErrCode = 00000010
eax=85d4d090 ebx=00000000 ecx=00000001 edx=00000000 esi=887b6c20 edi=85d4d030
eip=00000000 esp=d0d1749c ebp=d0d174d4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
00000000 ?? ???
Resetting default scope
LAST_CONTROL_TRANSFER: from 00000000 to 82e7fb7f
FAILED_INSTRUCTION_ADDRESS:
+47ad180
00000000 ?? ???
STACK_TEXT:
d0d17428 00000000 badb0d00 00000000 00000003 nt!KiTrap0E+0x1b3
WARNING: Frame IP not in any known module. Following frames may be wrong.
d0d17498 82eefc0d d0d17528 00000000 00000000 0x0
d0d174d4 82e0d90f 00000000 00000000 d0d17528 nt!KiDeliverApc+0xf8
d0d174f4 82e0db29 82f69c01 d0d17528 aabcd25c hal!HalpDispatchSoftwareInterrupt+0x49
d0d1750c 82e0dcc3 933494b0 d0d17528 82e22af0 hal!HalpCheckForSoftwareInterrupt+0x83
d0d17518 82e22af0 d0d17600 000000e1 d0d17660 hal!HalEndSystemInterrupt+0x67
d0d17518 b95a6508 d0d17600 000000e1 d0d17660 hal!HalpIpiHandler+0x198
d0d17660 b95aa757 c6fc0d80 d0d1773c 00000000 my_driver!MbpIsNameInExpression+0x278 [d:\prega\sources\dev\driver\mbp\mbp.c @ 2054]
…
d0d179f8 8c91eaeb 8872b200 d0d17a18 d0d17a44 my_driver!PfPreOperationCallback+0x10a [d:\prega\sources\dev\driver\pf\file_filtering.c @ 557]
d0d17a64 8c92117b d0d17aa0 865f0600 88796664 fltmgr!FltpPerformPreCallbacks+0x34d
d0d17a7c 8c933dcf 00d17aa0 d0d17b44 887664c0 fltmgr!FltpPassThroughFastIo+0x3d
d0d17ac0 8c920fec 865f0600 8879669c 00008000 fltmgr!FltpFastIoWrite+0x163
d0d17af4 8c9211bb 00000004 00000000 88796694 fltmgr!FltpPerformFastIoCall+0x22e
d0d17b20 8c933dcf 00d17b44 865f0600 8c933c6c fltmgr!FltpPassThroughFastIo+0x7d
d0d17b64 830af665 865f0600 d0d17bac 00008000 fltmgr!FltpFastIoWrite+0x163
d0d17c08 82e7c8c6 8971b698 00000000 00000000 nt!NtWriteFile+0x342
d0d17c08 778770f4 8971b698 00000000 00000000 nt!KiSystemServicePostCall
01a9f744 00000000 00000000 00000000 00000000 0x778770f4
STACK_COMMAND: kb
FOLLOWUP_IP:
my_driver!mbpIsNameInExpression+278 [d:\prega\sources\dev\driver\mbp\mbp.c @ 2054]
b95a6508 837a0400 cmp dword ptr [edx+4],0
FAULTING_SOURCE_LINE: d:\prega\sources\dev\driver\mbp\mbp.c
FAULTING_SOURCE_FILE: d:\prega\sources\dev\driver\mbp\mbp.c
FAULTING_SOURCE_LINE_NUMBER: 2054
FAULTING_SOURCE_CODE:
2050: retry = FALSE;
2051:
2052: // find next possible match
2053:
2054: while ((NameIndex < NUM_OF_CHARS_IN_PSTRING(Name)) && towupper(WCHAR_IN_PSTRING(Name, NameIndex)) != towupper(WCHAR_IN_PSTRING(Expression, ExpressionIndex)))
2055: {
2056: NameIndex++;
2057: }
2058:
2059: // is it a match ?
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: my_driver!mbpIsNameInExpression+278
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: my_driver
IMAGE_NAME: my_driver-x86.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 54d38d0b
FAILURE_BUCKET_ID: 0xD1_CODE_AV_NULL_IP_my_driver!mbpIsNameInExpression+278
BUCKET_ID: 0xD1_CODE_AV_NULL_IP_my_driver!mbpIsNameInExpression+278
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0xd1_code_av_null_ip_my_driver!mbpisnameinexpression+278
FAILURE_ID_HASH: {cc1b5722-ecab-3447-1826-9cfa92a3b5fa}
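The trap frame in the dump above shows eip=0 and the bucket is CODE_AV_NULL_IP: the processor tried to fetch an instruction from address 0 while nt!KiDeliverApc was running, so the fault is a transfer of control to a null address during APC delivery, not a data access inside the line of mbp.c that !analyze blames. A WinDbg command sequence for following that up, added here as an example and not part of the original post; the addresses are the ones from the dump above, and the `$$` lines are script comments.

```windbg
$$ Switch the register context to the trap frame that !analyze -v reported
.trap 0xffffffffd0d17428

$$ Stack walk from that context; frame 0 should again show the 0x0 return address
kv

$$ Dump the stack at the trapped esp: the first slot is the return address into
$$ the nt routine that performed the call to 0 (82eefc0d in the dump above)
dds d0d1749c L8

$$ Resolve that return address to the nearest nt symbol
ln 82eefc0d

$$ Disassemble backwards from it to see the indirect call and which
$$ register or memory operand supplied the zero target
ub 82eefc0d

$$ List queued APCs on the system; a KAPC whose KernelRoutine or
$$ NormalRoutine is 0 would explain a call to address 0 from KiDeliverApc
!apc

$$ Current thread (APC state, pending APCs) and the IRQL recorded at the bugcheck
!thread
!irql

$$ Restore the default register context
.trap
```

If `!apc` shows an APC owned by my_driver-x86.sys with a zero routine pointer, the place to look is the code that initialises that KAPC, not the string-matching loop.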