Minifilter crash on Windows 7

Hi,

I developed an FS minifilter for Vista/Vista 64-bit, which has been running fine on XP/XP 64-bit and Vista/Vista 64-bit, but crashes with a blue screen on Windows 7 with bugcheck code 3b, which indicates DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS. According to my report, this is the RTM version of Windows 7.

Here is the bugcheck info:
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7600.2.0.0.256.1
Locale ID: 1033

Additional information about the problem:
BCCode: 3b
BCP1: 00000000C0000005
BCP2: FFFFF800028A6A0A
BCP3: FFFFF88005452FE0
BCP4: 0000000000000000
OS Version: 6_1_7600
Service Pack: 0_0
Product: 256_1

According to the MS documentation, the fourth parameter above indicates the number of locked pages, but it is 0.

The minifilter is based on the reparse example and does not do any explicit locking of pages.

Any ideas what I should look for or how to debug this?

Thanks!

–Tim

Well, how about starting by posting the results of !analyze -v.

mm

Here is the output of !analyze -v.

--Tim

4: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff800028f5a0a, Address of the exception record for the exception that caused the bugcheck
Arg3: fffff8800b002fe0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!ExfReleaseRundownProtection+2a
fffff800`028f5a0a f0488301ff lock add qword ptr [rcx],0FFFFFFFFFFFFFFFFh

CONTEXT: fffff8800b002fe0 -- (.cxr 0xfffff8800b002fe0)
rax=0000000000000001 rbx=fffff88007e1e238 rcx=0000000000000000
rdx=fffffffffffffffe rsi=0000000000001589 rdi=0000000000000000
rip=fffff800028f5a0a rsp=fffff8800b0039c0 rbp=fffff8800b0046a0
r8=fffffa800dfad628 r9=fffff8800b003bb0 r10=fffffa8000000000
r11=fffff80002c58d30 r12=fffff88007e1e230 r13=0000000000001587
r14=fffff88007e1b000 r15=fffff8800b003c00
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!ExfReleaseRundownProtection+0x2a:
fffff800028f5a0a f0488301ff lock add qword ptr [rcx],0FFFFFFFFFFFFFFFFh ds:002b:0000000000000000=????????????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: annihilate_han

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 0000000000000000 to fffff800028f5a0a

STACK_TEXT:
fffff8800b0039c0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!ExfReleaseRundownProtection+0x2a

FOLLOWUP_IP:
nt!ExfReleaseRundownProtection+2a
fffff800`028f5a0a f0488301ff lock add qword ptr [rcx],0FFFFFFFFFFFFFFFFh

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!ExfReleaseRundownProtection+2a

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc600

STACK_COMMAND: .cxr 0xfffff8800b002fe0 ; kb

FAILURE_BUCKET_ID: X64_0x3B_nt!ExfReleaseRundownProtection+2a

BUCKET_ID: X64_0x3B_nt!ExfReleaseRundownProtection+2a

Followup: MachineOwner

4: kd> .cxr 0xfffff8800b002fe0
rax=0000000000000001 rbx=fffff88007e1e238 rcx=0000000000000000
rdx=fffffffffffffffe rsi=0000000000001589 rdi=0000000000000000
rip=fffff800028f5a0a rsp=fffff8800b0039c0 rbp=fffff8800b0046a0
r8=fffffa800dfad628 r9=fffff8800b003bb0 r10=fffffa8000000000
r11=fffff80002c58d30 r12=fffff88007e1e230 r13=0000000000001587
r14=fffff88007e1b000 r15=fffff8800b003c00
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!ExfReleaseRundownProtection+0x2a:
fffff800028f5a0a f0488301ff lock add qword ptr [rcx],0FFFFFFFFFFFFFFFFh ds:002b:0000000000000000=????????????????

Hmm. Not much of a stack, to say the least.

Is this a crashdump or a live system?

mm
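An added note for readers triaging a similar dump; the command script below is not part of the thread and was not posted by either participant. Two things in the posted `!analyze -v` output tell you where to look next: under the x64 calling convention `rcx` carries the first argument, so `rcx=0` at `nt!ExfReleaseRundownProtection+0x2a` means a NULL `PEX_RUNDOWN_REF` reached the release path and the `lock add qword ptr [rcx],-1` wrote through address 0; and `LAST_CONTROL_TRANSFER: from 0000000000000000` means the unwinder found a zero return address, which is why `kb` stops after one frame. The script recovers the caller by scanning the raw stack instead of trusting the unwinder, and it is meant to be run with `$$><script.txt`. The driver name `myfilter.sys` and the scan length are placeholders.

```text
$$ Added example: next steps for a one-frame 0x3B in ExfReleaseRundownProtection.
$$ Run in the crashed session with: $$><triage.txt

$$ Switch to the context record from Arg3 (the same thing STACK_COMMAND does).
.cxr 0xfffff8800b002fe0

$$ Normal unwind first; in this dump it yields a single frame.
kb

$$ First argument under the x64 ABI = the PEX_RUNDOWN_REF that was "released".
$$ Here it is 0, i.e. a NULL rundown-reference pointer, not a locked-pages problem.
r rcx

$$ The unwinder stopped on a zero return address, so scan the raw stack instead:
$$ 0x200 qwords above rsp, each resolved to symbol or module+offset where possible.
$$ Hits of the form fltmgr!..., nt!... and <driver>+0x... are candidate callers.
dps @rsp L200

$$ Loaded modules with timestamps, to map any module+offset hit to a driver and
$$ to get the exact build (match it against the PDB/.map you kept for that build).
lm t n

$$ Confirm which minifilters (including third-party ones) were attached.
!fltkd.filters

$$ The thread that faulted, and the process named by !analyze (PROCESS_NAME).
!thread
!process 0 0 annihilate_han
```

If `dps` shows a `myfilter+0xNNNN` hit, that offset is only useful against the PDB or linker map of the exact build that shipped; a later rebuild produces a different PDB GUID/age and will not resolve the dump. If no frame from the filter appears at all, the NULL reference may have been passed by another component on the same path, which is what the thread eventually concluded.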

This is the crash dump. Unfortunately, it is running on a release build/test system, so there is no debugging info or PDB info for the driver.

I hope to be able to build/test a debug version on that machine.

Actually, after further diagnosis (thanks to my colleague), we believe this is actually caused by a system utility we use (an older version of Sysinternals' Handle) and not the minifilter I wrote. It appears this behavior is fixed in the newer version of Handle.

This thread can be closed.

Thanks!

–Tim

I almost mentioned that; I wish I had. ProcExp used to do this, I think.

mm

> This is the crash dump. Unfortunately, it is running on a release build/test system, so there is no
> debugging info or PDB info for the driver.

Preserving PDBs for the release builds of the drivers is a good idea.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
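One way to act on that advice at build time, as an added example that is not from the thread or from either poster: index every release build's binaries and PDBs into a symbol store with `symstore.exe` and check the result with `symchk.exe`, both of which ship with the Debugging Tools for Windows. The tools path, the `\\buildsrv\symbols` share, the output directory, the product name and the version string are assumptions; substitute your own. PDBs are matched to a binary by the GUID and age embedded at link time, so only the PDB produced by the same link as the shipped `.sys` will resolve a dump from it.

```powershell
# Added example (not part of the thread): archive release-build symbols so a
# field crash dump can be resolved later, then verify the archive actually
# matches the binary that shipped. All paths and names below are placeholders.
$Tools   = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64'   # Debugging Tools for Windows (assumption)
$Store   = '\\buildsrv\symbols'                                     # UNC symbol store (assumption)
$OutDir  = 'C:\build\myfilter\x64\Release'                          # release build output (assumption)
$Driver  = Join-Path $OutDir 'myfilter.sys'                         # the binary that ships (assumption)
$Product = 'MyMinifilter'                                           # /t tag, groups transactions in the store
$Version = '1.0.0.42'                                               # /v tag, lets 'symstore del' remove one build

# Index the .sys and its .pdb from this build. /r recurses into $OutDir, /compress
# stores them as .sy_/.pd_. symstore records a transaction id per call, so one
# call per build keeps the history readable.
& (Join-Path $Tools 'symstore.exe') add /r /f (Join-Path $OutDir '*.*') /s $Store /t $Product /v $Version /compress
if ($LASTEXITCODE -ne 0) { throw "symstore add failed with exit code $LASTEXITCODE" }

# Prove the archived PDB matches the shipped binary (GUID/age), not just that a
# file with the right name exists. symchk returns non-zero on any mismatch.
& (Join-Path $Tools 'symchk.exe') $Driver /s $Store
if ($LASTEXITCODE -ne 0) { throw "symchk could not match $Driver against $Store" }

Write-Host "Indexed $Product $Version into $Store; keep the store as long as this build can ship."
```

In the debugger the store is then used with `.sympath+ \\buildsrv\symbols` followed by `.reload /f myfilter.sys`; `!lmi myfilter` reports whether the PDB matched. The point of running `symchk` in the build, rather than discovering a mismatch while holding a customer dump, is that the check is cheap at build time and impossible to repair afterwards.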