MmGetSystemAddressForMdlSafe

In my disk lower filter driver for the boot disk I'm doing the following:

  1. Whenever I receive a read from the disk driver, I create an exact same copyIrp (with embedded SRB/CDB). For a read IRP, I allocate a NonPaged buffer and build a new MDL.
  2. I set completion routines for the originalIrp and copyIrp, and I make sure that I complete the originalIrp to the disk driver only when both the originalIrp and copyIrp have completed.
  3. Once both IRPs are completed, I check my allocated buffer against MmGetSystemAddressForMdlSafe(Original->MdlAddress) and I find that for some requests some of their pages don't match.
  4. Earlier I thought the reason could be dummy pages. So every time there was a mismatch I copied my buffer into the originalIrp's buffer because IIUC the data of dummy pages is a don't care - correct me if I'm wrong. But I see that my system eventually crashes.
  5. This is on Windows XP during boot. I checked this on several machines running Windows 7/Vista and I don't see this crash (or even the mismatch). Also on XP it works fine if it is a non-boot disk.

Any help will be highly appreciated.

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e564f820, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 806976c4, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000002, (reserved)

Debugging Details:

READ_ADDRESS: e564f820 Paged pool

FAULTING_IP:
nt!CreateSystemRootLink+262
806976c4 8b07 mov eax,dword ptr [edi]

MM_INTERNAL_CODE: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: System

TRAP_FRAME: baccf710 - (.trap 0xffffffffbaccf710)
ErrCode = 00000000
eax=7c8c2780 ebx=8067c2dc ecx=baccf7bc edx=3a62024c esi=1a363428 edi=e564f820
eip=806976c4 esp=baccf784 ebp=baccf790 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!CreateSystemRootLink+0x262:
806976c4 8b07 mov eax,dword ptr [edi] ds:0023:e564f820=???
Resetting default scope

LAST_CONTROL_TRANSFER: from 804f8df9 to 8052b5dc

STACK_TEXT:
baccf244 804f8df9 00000003 e564f820 00000000 nt!RtlpBreakWithStatusInstruction
baccf290 804f99e4 00000003 c0603958 c072b278 nt!KiBugCheckDebugBreak+0x19
baccf670 804f9f33 00000050 e564f820 00000000 nt!KeBugCheck2+0x574
baccf690 8052036a 00000050 e564f820 00000000 nt!KeBugCheckEx+0x1b
baccf6f8 80544578 00000000 e564f820 00000000 nt!MmAccessFault+0x9a8
baccf6f8 806976c4 00000000 e564f820 00000000 nt!KiTrap0E+0xd0
baccf790 80698c2b baccf7bc 7c900000 346c6850 nt!CreateSystemRootLink+0x262
baccf800 806af10e 7c900000 806af570 8067c2dc nt!LookupEntryPoint+0x6f
baccf814 806af5a8 806af570 8067c2dc 80087000 nt!PspLookupSystemDllEntryPoint+0x16
baccf824 806af5e4 806af821 80087000 baccfdac nt!PspInitializeSystemDll+0x20
baccf828 806af821 80087000 baccfdac 80698734 nt!PspInitPhase1+0xa
baccf834 80698734 00000001 80087000 00000000 nt!PsInitSystem+0x29
baccfdac 805cff64 80087000 00000000 00000000 nt!Phase1Initialization+0xe28
baccfddc 805460de 8069790c 80087000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!CreateSystemRootLink+262
806976c4 8b07 mov eax,dword ptr [edi]

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: nt!CreateSystemRootLink+262

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a

FAILURE_BUCKET_ID: 0x50_nt!CreateSystemRootLink+262

BUCKET_ID: 0x50_nt!CreateSystemRootLink+262

Followup: MachineOwner

I think my problem is similar to this but unfortunately looks like there was no conclusion.

http://www.osronline.com/showThread.cfm?link=178631

> 3. Once both the IRPs are completed, I check my allocated buffer against
> MmGetSystemAddressForMdlSafe(Original->MdlAddress) and I find that for
> some requests some of their pages don't match.

Dummy pages would definitely explain that.

> 4. Earlier I thought the reason could be dummy pages. So every time there
> was a mismatch I copied my buffer into the originalIrp's buffer because
> IIUC the data of dummy pages is a don't care - correct me if I'm wrong. But
> I see that my system eventually crashes.

Checking the dummy pages theory is easy, just dump the PFN array of the MDL
(see the MmGetMdlPfnArray macro). If you see the same PFN address multiple
times then you have dummy pages.

You lose me a bit from there though. Why are you overwriting the buffer if
you see this condition? Due to the magic of dummy pages, if you care about
the contents of the original read then you need to double buffer it.

My gut feel of the crash is a corruption or in page error. Have you run this
driver under Verifier?

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
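An added example, not code from the original post or from OSR, covering step 3 of the procedure above and Scott's suggestion to dump the PFN array: it flags the entries of an MDL's PFN array that repeat (the dummy page) and then compares the driver's private copy against the system mapping of the original MDL only on pages backed by distinct PFNs. It is written as a user-mode model so it can be built and run without the WDK: PAGE_SIZE, PFN_NUMBER, the sample PFN array and the two buffers are all defined locally here and are constructed assumptions. In a real driver the array would come from MmGetMdlPfnArray(Mdl), the page count from ADDRESS_AND_SIZE_TO_SPAN_PAGES(MmGetMdlVirtualAddress(Mdl), MmGetMdlByteCount(Mdl)), and the mapping from MmGetSystemAddressForMdlSafe.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for WDK definitions (assumption: x86, 4 KiB pages). */
#define PAGE_SIZE 4096u
typedef uintptr_t PFN_NUMBER;

/* Number of PFN entries an MDL needs for a buffer that starts byte_offset
 * bytes into its first page and is byte_count bytes long.  Same arithmetic
 * as ADDRESS_AND_SIZE_TO_SPAN_PAGES in the kernel. */
size_t span_pages(size_t byte_offset, size_t byte_count)
{
    return (byte_offset + byte_count + PAGE_SIZE - 1) / PAGE_SIZE;
}

/* Scott's test: a PFN that appears more than once in the array is the dummy
 * page.  Sets is_dummy[i] for every such entry and returns how many entries
 * were flagged.  Quadratic, but MDL page counts are small. */
size_t find_dummy_pages(const PFN_NUMBER *pfns, size_t page_count, bool *is_dummy)
{
    size_t flagged = 0;
    for (size_t i = 0; i < page_count; i++)
        is_dummy[i] = false;
    for (size_t i = 0; i < page_count; i++)
        for (size_t j = i + 1; j < page_count; j++)
            if (pfns[i] == pfns[j])
                is_dummy[i] = is_dummy[j] = true;
    for (size_t i = 0; i < page_count; i++)
        if (is_dummy[i])
            flagged++;
    return flagged;
}

/* Compare the driver's private copy of the read against the system mapping
 * of the original MDL, skipping dummy pages whose contents are a don't care.
 * Returns the number of real pages that differ; 0 means both reads agree
 * everywhere the data matters.  (size_t)-1 means the request is larger than
 * this example's fixed scratch array. */
size_t compare_real_pages(const uint8_t *copy, const uint8_t *orig,
                          size_t byte_offset, size_t byte_count,
                          const PFN_NUMBER *pfns)
{
    size_t page_count = span_pages(byte_offset, byte_count);
    bool is_dummy[64];
    if (page_count > sizeof is_dummy / sizeof is_dummy[0])
        return (size_t)-1;
    find_dummy_pages(pfns, page_count, is_dummy);

    size_t mismatches = 0;
    for (size_t i = 0; i < page_count; i++) {
        if (is_dummy[i])
            continue;
        /* The mapping starts byte_offset bytes into page 0, so page 0 covers
         * fewer than PAGE_SIZE bytes of the buffer; the last page is clipped
         * to byte_count. */
        size_t start = (i == 0) ? 0 : i * PAGE_SIZE - byte_offset;
        size_t end = (i + 1) * PAGE_SIZE - byte_offset;
        if (end > byte_count)
            end = byte_count;
        if (memcmp(copy + start, orig + start, end - start) != 0)
            mismatches++;
    }
    return mismatches;
}

/* Constructed sample MDL: a 4-page read whose PFN array carries the same
 * PFN at entries 1 and 3, i.e. those two pages are the dummy page. */
static const PFN_NUMBER sample_pfns[4] = { 0x1a2b, 0x0ff0, 0x3c4d, 0x0ff0 };

size_t demo_dummy_count(void)
{
    bool is_dummy[4];
    return find_dummy_pages(sample_pfns, 4, is_dummy);   /* 2 */
}

/* Constructed buffers: the copy holds a per-page pattern, the original
 * mapping holds the same pattern on real pages and garbage on the dummy
 * pages.  With corrupt_real_page set, one byte on real page 2 also differs. */
size_t demo_mismatches(bool corrupt_real_page)
{
    enum { PAGES = 4, LEN = PAGES * PAGE_SIZE };
    static uint8_t copy[LEN], orig[LEN];

    for (size_t i = 0; i < LEN; i++)
        copy[i] = orig[i] = (uint8_t)(i / PAGE_SIZE + 1);
    memset(orig + 1 * PAGE_SIZE, 0xEE, PAGE_SIZE);   /* dummy page: don't care */
    memset(orig + 3 * PAGE_SIZE, 0xEE, PAGE_SIZE);   /* dummy page: don't care */
    if (corrupt_real_page)
        orig[2 * PAGE_SIZE + 17] ^= 0xFF;

    return compare_real_pages(copy, orig, 0, LEN, sample_pfns);
}

int main(void)
{
    printf("dummy entries in PFN array: %zu\n", demo_dummy_count());
    printf("mismatching real pages (clean): %zu\n", demo_mismatches(false));
    printf("mismatching real pages (page 2 corrupted): %zu\n", demo_mismatches(true));
    return 0;
}
```

The point of the skip is that a mismatch on a dummy page tells you nothing, while a mismatch on a page with a unique PFN is a genuine disagreement between the two reads and is worth stopping on under the debugger; neither outcome is a reason to write into the original IRP's buffer, which is the step Scott questions.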


On Fri, Apr 23, 2010 at 3:28 PM, wrote:

> I create an exact same copyIrp

How exactly are you creating “an exact copyIrp”? In particular, are you
using IoBuildPartialMdl to copy the MDL?

Mark Roddy