The crash vikram talks about in the original message does not “crash exactly on IoCallDriver”. The symbol reported is in rdbss.

There is one bug in the code below. You should call IoCopyCurrentIrpStackLocationToNext() or IoSkipNextIrpStackLocation() rather than doing *nextLocation = *currentLocation. The latter is a common mistake and will cause problems - get out of this practice immediately. The method you use would copy the completion routine to the lower stack location as well, which causes all sorts of painful-to-debug problems.

You should also see my previous mail message. I think your problem is that you’re moving the request out of the context of the original process. The File System driver is expecting to be called in the context of the original process, so that it can choose whether to do buffered or direct I/O.

-p
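To show what that whole-struct assignment does at completion time, here is a constructed user-mode model (added here; not code from the thread or from the WDK) of IoCompleteRequest walking the stack locations: it mimics the WDK definition of IoCopyCurrentIrpStackLocationToNext (copy the bytes before CompletionRoutine, then Control = 0) beside the raw copy from vikram's thread routine. The struct layout, the SL_INVOKE_ON_SUCCESS value and the two-location stack are simplified assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed user-mode model of IO_STACK_LOCATION with the WDK's field
   order: Control sits before CompletionRoutine; other fields are omitted. */
#define SL_INVOKE_ON_SUCCESS 0x40
typedef struct {
    unsigned char MajorFunction, MinorFunction, Flags, Control;
    void *DeviceObject;
    void (*CompletionRoutine)(void *DeviceObject, void *Context);
    void *Context;
} STACK_LOCATION;
typedef void (*FORWARD_FN)(STACK_LOCATION *cur, STACK_LOCATION *next);

/* Model of IoCopyCurrentIrpStackLocationToNext(): the WDK macro copies only
   the bytes before CompletionRoutine and zeroes Control, so the lower
   location starts with no completion routine and no invoke flags. */
static void copy_current_to_next(STACK_LOCATION *cur, STACK_LOCATION *next) {
    memcpy(next, cur, offsetof(STACK_LOCATION, CompletionRoutine));
    next->Control = 0;
}
/* The mistake in the posted thread code: a whole-struct assignment. */
static void raw_struct_copy(STACK_LOCATION *cur, STACK_LOCATION *next) {
    *next = *cur;
}

/* Completion routine the driver above the filter installed; it counts calls. */
static int g_upper_calls;
static void upper_completion(void *dev, void *ctx) { (void)dev; (void)ctx; g_upper_calls++; }

/* Model of IoCompleteRequest(): unwind from the lowest location upward and
   run each completion routine whose Control flags ask for it. */
static int complete_request(STACK_LOCATION *stack, int count) {
    g_upper_calls = 0;
    for (int i = count - 1; i >= 0; i--)
        if ((stack[i].Control & SL_INVOKE_ON_SUCCESS) && stack[i].CompletionRoutine)
            stack[i].CompletionRoutine(stack[i].DeviceObject, stack[i].Context);
    return g_upper_calls;
}

/* stack[0] is the filter's current location (upper_completion already set
   there by the driver above); stack[1] is the file system's next location.
   Returns how often upper_completion fires for this one IRP. */
int completions_after_forward(FORWARD_FN forward) {
    STACK_LOCATION stack[2] = {{0}};
    stack[0].CompletionRoutine = upper_completion;
    stack[0].Control = SL_INVOKE_ON_SUCCESS;
    forward(&stack[0], &stack[1]);
    return complete_request(stack, 2);   /* 1 when forwarded correctly, 2 with raw copy */
}
```

With the raw copy the upper driver's routine runs once for the file system's location and once for the filter's, the second time with a location it never set up.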
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of dsingh@IN.rainbow.com
Sent: Thursday, February 05, 2004 9:47 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] IoCallDriver crashes
Hi,
- Have you checked the validity of the lower device object, i.e. DevExtension->FileSystem?
- Do you really need a system thread? Also, if this is a short-term activity then WorkItems can be used.
- Also you can check the IRQL using KeGetCurrentIrql.
Hope this will help
Dev
-----Original Message-----
From: vikram [mailto:xxxxx@linuxmail.org]
Sent: Thursday, February 05, 2004 11:34 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] IoCallDriver crashes
I am attaching the code so that it can help you analyze what exactly the problem is.

The driver entry where I initialize this thread:

    ntStatus = PsCreateSystemThread(&threadHandle,
                                    (ACCESS_MASK)0,
                                    NULL,
                                    (HANDLE)0,
                                    NULL,
                                    CsampPollingThread,
                                    guiDevice);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint(("Filemon.SYS: PsCreateSystemThread failed\n"));
        return ntStatus;    // do not go on with an invalid thread handle
    }

    //
    // Convert the thread object handle into a pointer to the thread object
    // itself. Then close the handle.
    //
    ntStatus = ObReferenceObjectByHandle(threadHandle,
                                         THREAD_ALL_ACCESS,
                                         NULL,
                                         KernelMode,
                                         &ThreadObject,
                                         NULL);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint(("Filemon.SYS: ObReferenceObjectByHandle failed\n"));
    }
    ZwClose(threadHandle);
This is the thread code:

    // PKSTART_ROUTINE receives a PVOID start context; the device object
    // passed to PsCreateSystemThread is recovered from it here.
    VOID CsampPollingThread(IN PVOID StartContext)
    {
        PDEVICE_OBJECT DevObject = (PDEVICE_OBJECT)StartContext;
        PHOOK_EXTENSION DevExtension = DevObject->DeviceExtension;
        PIRP Irp;
        PLIST_ENTRY nextEntry;
        KIRQL oldIrql;
        PIO_STACK_LOCATION currentIrpStack;
        PIO_STACK_LOCATION nextIrpStack;

        KeSetPriorityThread(KeGetCurrentThread(), LOW_REALTIME_PRIORITY);

        //
        // Now enter the main IRP-processing loop
        //
        while (TRUE)
        {
            //
            // Wait indefinitely for an IRP to appear in the work queue or for
            // the Unload routine to stop the thread. Every successful return
            // from the wait decrements the semaphore count by 1.
            //
            KeWaitForSingleObject(&IrpQueueSemaphore,
                                  Executive,
                                  KernelMode,
                                  FALSE,
                                  NULL);
            DbgPrint(("Filemon: Thread awake --------->"));

            //
            // See if thread was awakened because driver is unloading itself...
            //
            if (DevExtension->ThreadShouldStop) {
                PsTerminateSystemThread(STATUS_SUCCESS);
            }

            //
            // Remove a pending IRP from the queue. RemoveHeadList on an empty
            // list returns the list head itself, never NULL, so emptiness must
            // be checked under the lock before anything is removed.
            //
            KeAcquireSpinLock(&QueueLock, &oldIrql);
            DbgPrint(("Filemon: isListEmpty is %d", IsListEmpty(&PendingIrpQueue)));
            if (IsListEmpty(&PendingIrpQueue)) {
                Irp = NULL;
            } else {
                nextEntry = RemoveHeadList(&PendingIrpQueue);
                Irp = CONTAINING_RECORD(nextEntry, IRP, Tail.Overlay.ListEntry);
            }
            KeReleaseSpinLock(&QueueLock, oldIrql);

            if (!Irp)
            {
                DbgPrint(("Filemon: not able to get the pending Irp"));
            }
            else
            {
                currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
                nextIrpStack = IoGetNextIrpStackLocation(Irp);
                DbgPrint(("Exception occurred at IoGetNextIrpStackLocation"));
                *nextIrpStack = *currentIrpStack;
                DbgPrint(("Exception occurred at IoSetCompletionRoutine"));
                IoCallDriver(DevExtension->FileSystem, Irp);
                DbgPrint(("Filemon: After IoCallDriver ---->2\n"));
            }
        } // end of while-loop
    }
Suggest where exactly the problem is, because it crashes exactly on IoCallDriver.
Thanks in advance
=vikramsingh
“vikram” wrote in message news:xxxxx@ntdev…
> I create a thread from one of my filter drivers. In the main flow I enter
> the IRPs into the queue and the second thread removes the IRPs from the
> queue and sends them to the next driver. But on doing the IoCallDriver the
> system crashes. When I catch the exception using try and except it gives
> the exception code -1073741819.
> I am not getting what exactly this is, but is there any IRQL difference
> which doesn’t allow me to call IoCallDriver, or what is it, as it is dead
> sure that it crashes on IoCallDriver. I have checked that I am able to
> access the DeviceExtension in the threaded function but still can’t figure
> out what exactly the problem is.
>
> Here is the register dump:
> eax=85e6413c ebx=0000001e ecx=00000000 edx=8046b6a6 esi=00000000
> edi=80406530
> eip=80455a28 esp=b747d7c0 ebp=b747dddc iopl=0 nv up ei ng nz na po nc
> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
> nt!MmLockPagableSectionByHandle+73c:
> 80455a28 ?? ???
>
> and the !analyze -v report is:
>
> *** Bugcheck Analysis ***
>
> KMODE_EXCEPTION_NOT_HANDLED (1e)
> This is a very common bugcheck. Usually the exception address pinpoints
> the driver/function that caused the problem. Always note this address
> as well as the link date of the driver/image that contains this address.
> Arguments:
> Arg1: c0000005, The exception code that was not handled
> Arg2: 8041de37, The address that the exception occurred at
> Arg3: 00000000, Parameter 0 of the exception
> Arg4: 00000008, Parameter 1 of the exception
>
> Debugging Details:
> ------------------
>
>
> EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx”
> referenced memory at “0x%08lx”. The memory could not be “%s”.
>
> FAULTING_IP:
> nt!FsRtlResetLargeMcb+201
> 8041de37 ?? ???
>
> EXCEPTION_PARAMETER1: 00000000
>
> EXCEPTION_PARAMETER2: 00000008
>
> READ_ADDRESS: unable to read from 804e40b8
> 00000008
> DEFAULT_BUCKET_ID: DRIVER_FAULT
> BUGCHECK_STR: 0x1E
> LAST_CONTROL_TRANSFER: from 0000001e to 80455a28
> STACK_TEXT:
> b747d7bc 0000001e c0000005 8041de37 00000000
> nt!MmLockPagableSectionByHandle+0x73c
>
> FOLLOWUP_IP:
> rdbss!RxStopMinirdr+196
> b7ba53ef ?? ???
> FOLLOWUP_NAME: MachineOwner
> SYMBOL_NAME: rdbss!RxStopMinirdr+196
> MODULE_NAME: rdbss
> IMAGE_NAME: rdbss.sys
> DEBUG_FLR_IMAGE_TIMESTAMP: 3ecd5369
> STACK_COMMAND: kb
> BUCKET_ID: 0x1E_rdbss!RxStopMinirdr+196
> Followup: MachineOwner
>
> Any suggestions as what to do.
> Thanks in advance.
>
—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: dsingh@in.rainbow.com
To unsubscribe send a blank email to xxxxx@lists.osr.com