Mutex

Hi all,

I am writing two minifilter drivers for different purposes, but I am facing a problem during fast mutex acquisition. I don't know what the problem is, but both drivers cause problems when running in parallel.

1- The names of the mutex objects are totally different.

2- The names of the generic tables are totally different.

3- The altitude values are different.

4- Everything else is different as well.

Dump Report :

FAULTING_MODULE: fffff80002c19000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 50652b31

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!ExAcquireRundownProtection+0
fffff800`02cad000 488b01 mov rax,qword ptr [rcx]

EXCEPTION_RECORD: fffff880009a9318 – (.exr 0xfffff880009a9318)
ExceptionAddress: fffff80002cad000 (nt!ExAcquireRundownProtection)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000008
Attempt to read from address 0000000000000008

CONTEXT: fffff880009a8b80 – (.cxr 0xfffff880009a8b80)
rax=fffff880009a9608 rbx=0000000000000000 rcx=0000000000000008
rdx=fffff88003f2d150 rsi=fffff880009a9678 rdi=fffffa8002b29e70
rip=fffff80002cad000 rsp=fffff880009a9558 rbp=0000000000000000
r8=fffff880009a9678 r9=0000000000000000 r10=fffff80002c19000
r11=00000000000006de r12=0000000000000000 r13=0000000000000001
r14=0000000000000000 r15=fffff88003f2d150
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010202
nt!ExAcquireRundownProtection:
fffff80002cad000 488b01 mov rax,qword ptr [rcx] ds:002b:0000000000000008=???
Resetting default scope

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from fffff88001005bde to fffff80002cad000

STACK_TEXT:
fffff880009a9558 fffff88001005bde : 0000000000000000 fffff8800102cc3a fffff8a00052ff20 0000000000000000 : nt!ExAcquireRundownProtection
fffff880009a9560 fffff88001031b8b : fffffa8000000000 fffff880009a9660 00000064001f0001 fffff8a00052ff20 : fltmgr!FltObjectReference+0xe
fffff880009a9590 fffff88003f30123 : 0000000000000000 fffffa8002ad4000 fffffa8002b29e70 0000000000000001 : fltmgr!FltCreateCommunicationPort+0x6b
fffff880009a9610 fffff80003070fa7 : fffffa8002b29e70 fffffa8002ad4000 0000000000000000 0000000000000000 : WinFPdrv+0xa123
fffff880009a96e0 fffff800031b6a56 : fffffa8002747b98 fffffa8002747b98 fffffa8002747b10 fffff8a000000020 : nt!EtwWriteStartScenario+0x2267
fffff880009a99b0 fffff800031b7c12 : fffff80000000000 fffff8a0002ae8e0 ffffffff80000158 fffff8a000504930 : nt!TmInitSystem+0x3c26
fffff880009a9a40 fffff800031bac45 : 0000000000000007 0000000000000010 ffffffff80000028 fffff80000818850 : nt!TmInitSystem+0x4de2
fffff880009a9b40 fffff8000310afc9 : 4865137400347d80 fffffa80016ffb60 0000000000000080 fffffa80016ff040 : nt!TmInitSystem+0x7e15
fffff880009a9d10 fffff80002f286e6 : 207d3840ff33ea8b 0000000000000080 48704d8b48000001 fffff80002c67559 : nt!WheaAttemptPhysicalPageOffline+0x359
fffff880009a9d40 fffff80002c67566 : fffff80002e02e80 fffffa80016ffb60 fffff80002e10c40 4127733c5d3b0000 : nt!PsCreateSystemThread+0x6e2
fffff880009a9d80 0000000000000000 : fffff880009aa000 fffff880009a4000 fffff880009a8f70 0000000000000000 : nt!KeTestAlertThread+0x946

FOLLOWUP_IP:
WinFPdrv+a123
fffff880`03f30123 89442440 mov dword ptr [rsp+40h],eax

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: WinFPdrv+a123

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: WinFPdrv

IMAGE_NAME: WinFPdrv.sys

STACK_COMMAND: .cxr 0xfffff880009a8b80 ; kb

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

Thanks

> Hi all,
>
> I am writing two minifilter drivers for different purposes, but I am
> facing a problem during fast mutex acquisition. I don't know what the
> problem is, but both drivers cause problems when running in parallel.
>
> 1- The names of the mutex objects are totally different.

Not sure why the “name” is relevant. Fast mutexes (and kernel objects in
general) do not have “names”, they are referenced by address. Nobody
cares what the name of the variable is that holds the address, as long as
the address is a pointer to a valid fast mutex.

> 2- The names of the generic tables are totally different.

Again, I have no idea what you mean by “name”. Do you mean the tables are
different? That they have separate addresses? How are they allocated?
There are no “names” for tables, only *addresses*, and the addresses must
be valid. If the addresses in two variables (no matter what their names
are) are the same, they are referring to the same table.

> 3- The altitude values are different.

Explain.

> 4- Everything else is different as well.

So what is the issue about things being the “same” or “different”? Since
you don’t show any code, I have no idea what “everything” refers to. Do
you properly initialize the fast mutex? Where is the FAST_MUTEX declared?
Could it be used before it is initialized?

It very much looks like a dereference of a NULL pointer (see the value in
ECX).

Also, make sure you have the correct symbols loaded!
joe



NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

From the stack it looks like FltCreateCommunicationPort is trying to reference something and use a rundown reference, which ends up dereferencing a NULL pointer. I think it's the FLT_FILTER. Do you perhaps call FltCreateCommunicationPort before you call FltRegisterFilter? What parameter do you pass in as the Filter to FltCreateCommunicationPort?

Also, it looks like you might not have the right symbols loaded; could you please fix that?

Thanks,
Alex.
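The registration order Alex asks about, as an added example that is not code from the original post or from WinFPdrv: a minimal DriverEntry that calls FltRegisterFilter first, passes the PFLT_FILTER it returns to FltCreateCommunicationPort, only then calls FltStartFiltering, and unwinds in reverse order on any failure. The port name, the callback names, the single-connection limit and the global handles are assumptions made for the example; it builds with the WDK against fltMgr.lib and cannot be compiled or run as a user-mode program.

```c
#include <fltKernel.h>

// Assumed names for this example; nothing here is taken from the post.
#define EXAMPLE_PORT_NAME L"\\ExampleMinifilterPort"

static PFLT_FILTER g_FilterHandle = NULL;   // set by FltRegisterFilter
static PFLT_PORT   g_ServerPort   = NULL;   // set by FltCreateCommunicationPort
static PFLT_PORT   g_ClientPort   = NULL;   // at most one connected client

// Called when a user-mode client connects via FilterConnectCommunicationPort.
static NTSTATUS FLTAPI PortConnect(_In_ PFLT_PORT ClientPort,
                                   _In_opt_ PVOID ServerPortCookie,
                                   _In_reads_bytes_opt_(SizeOfContext) PVOID ConnectionContext,
                                   _In_ ULONG SizeOfContext,
                                   _Outptr_result_maybenull_ PVOID *ConnectionPortCookie)
{
    UNREFERENCED_PARAMETER(ServerPortCookie);
    UNREFERENCED_PARAMETER(ConnectionContext);
    UNREFERENCED_PARAMETER(SizeOfContext);
    g_ClientPort = ClientPort;          // keep it so the disconnect path can close it
    *ConnectionPortCookie = NULL;
    return STATUS_SUCCESS;
}

// Called when the client disconnects; the driver must close its side.
static VOID FLTAPI PortDisconnect(_In_opt_ PVOID ConnectionCookie)
{
    UNREFERENCED_PARAMETER(ConnectionCookie);
    FltCloseClientPort(g_FilterHandle, &g_ClientPort);   // sets g_ClientPort to NULL
}

// Unload tears down in the reverse of the order DriverEntry built things.
static NTSTATUS FLTAPI FilterUnload(_In_ FLT_FILTER_UNLOAD_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(Flags);
    FltCloseCommunicationPort(g_ServerPort);   // port first, it holds a filter reference
    FltUnregisterFilter(g_FilterHandle);       // then the filter itself
    return STATUS_SUCCESS;
}

// No operation callbacks: the example only shows the registration sequence.
static const FLT_REGISTRATION FilterRegistration = {
    sizeof(FLT_REGISTRATION),   // Size
    FLT_REGISTRATION_VERSION,   // Version
    0,                          // Flags
    NULL,                       // ContextRegistration
    NULL,                       // OperationRegistration (none here)
    FilterUnload,               // FilterUnloadCallback
    NULL, NULL, NULL, NULL,     // Instance setup / teardown callbacks
    NULL, NULL, NULL            // Name generation / normalization callbacks
};

NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    PSECURITY_DESCRIPTOR sd = NULL;
    OBJECT_ATTRIBUTES oa;
    UNICODE_STRING portName = RTL_CONSTANT_STRING(EXAMPLE_PORT_NAME);

    UNREFERENCED_PARAMETER(RegistryPath);

    // 1. Register first. Every Flt* call below needs the handle this returns;
    //    passing a NULL or uninitialized PFLT_FILTER to FltCreateCommunicationPort
    //    faults inside fltmgr!FltObjectReference.
    status = FltRegisterFilter(DriverObject, &FilterRegistration, &g_FilterHandle);
    if (!NT_SUCCESS(status)) {
        return status;                      // g_FilterHandle is still NULL; nothing to undo
    }

    // 2. Default descriptor: only SYSTEM and Administrators may connect to the port.
    status = FltBuildDefaultSecurityDescriptor(&sd, FLT_PORT_ALL_ACCESS);
    if (!NT_SUCCESS(status)) {
        goto Fail;
    }
    InitializeObjectAttributes(&oa, &portName,
                               OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, sd);

    // 3. Create the port with the filter handle obtained in step 1.
    status = FltCreateCommunicationPort(g_FilterHandle, &g_ServerPort, &oa, NULL,
                                        PortConnect, PortDisconnect,
                                        NULL /* no message callback */, 1);
    FltFreeSecurityDescriptor(sd);          // the port keeps its own copy
    if (!NT_SUCCESS(status)) {
        goto Fail;
    }

    // 4. Only now start receiving I/O.
    status = FltStartFiltering(g_FilterHandle);
    if (!NT_SUCCESS(status)) {
        goto Fail;
    }
    return STATUS_SUCCESS;

Fail:
    if (g_ServerPort != NULL) {
        FltCloseCommunicationPort(g_ServerPort);
        g_ServerPort = NULL;
    }
    FltUnregisterFilter(g_FilterHandle);
    g_FilterHandle = NULL;
    return status;
}
```

Two points follow from the sequence. The one name that genuinely must differ between two drivers is the port name, because it lives in the object manager namespace; the names of FAST_MUTEX or generic-table variables are irrelevant, as joe says. And the security descriptor passed through the OBJECT_ATTRIBUTES is the only thing that keeps an arbitrary user-mode process from connecting to the port, so if the port is later used to accept messages, keep the default descriptor or tighten it rather than handing the port a NULL descriptor.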