SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD in my minifilter

NTDEV
1

Hi,
I am getting this bug check
0xD4(SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD) while
uninstalling the driver. This driver is a minifilter.

This never occurred until recent changes where I fixed IRQL issues caught
by driver verifier. The changes are as below.

  1. Handling post create operation at passive level by creating workitem
    when IRQL>=DISPATCH_LEVEL
  2. Changing the reader write locks from SpinLock to ResourceLite lock since
    prefix table APIs were use while lock is acquired.
  3. Disabling APCs while using resource locks`

Any clue how I can debug this issue.

regards,
Madhusudhana

2

You need to post the !analyze –v output if anyone is going to have a chance
of helping you.

-scott
OSR
@OSRDrivers

“Madhusudhana Narayanappa” wrote in message
news:xxxxx@ntdev…
Hi,
I am getting this bug check
0xD4(SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD) while
uninstalling the driver. This driver is a minifilter.

This never occurred until recent changes where I fixed IRQL issues caught by
driver verifier. The changes are as below.

1. Handling post create operation at passive level by creating workitem when
IRQL>=DISPATCH_LEVEL
2. Changing the reader write locks from SpinLock to ResourceLite lock since
prefix table APIs were use while lock is acquired.
3. Disabling APCs while using resource locks`

Any clue how I can debug this issue.

regards,
Madhusudhana

3

!analyze -v output is as follows

0: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD (d4)
A driver unloaded without cancelling lookaside lists, DPCs, worker threads,
etc.
The broken driver’s name is displayed on the screen.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
An attempt was made to access the driver at raised IRQL after it unloaded.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fffff8800159f1d0, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff80002ab03e1, address which referenced memory

Debugging Details:

FAULTING_IP:
MyMiniFilterDriver+b1d0
fffff880`0159f1d0 ?? ???

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0xD4

PROCESS_NAME: System

CURRENT_IRQL: 2

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

STACK_TEXT:
fffff880028a0d48 fffff80002bb9d92 : fffff8800159f1d0 fffffa800eadcb60
0000000000000065 fffff80002b0e178 : nt!RtlpBreakWithStatusInstruction
fffff880028a0d50 fffff80002bbab7e : 0000000000000003 0000000000000000
fffff80002b0ea20 fffff880028a13b0 : nt!KiBugCheckDebugBreak+0x12
fffff880028a0db0 fffff80002ad2744 : 0000000000000000 abd0000026b3c882
fffffa80000a0600 fffff80002a7c790 : nt!KeBugCheck2+0x71e
fffff880028a1480 fffff80002ad1be9 : 000000000000000a fffff8800159f1d0
0000000000000002 0000000000000001 : nt!KeBugCheckEx+0x104
fffff880028a14c0 fffff80002ad0860 : fffff6fc50000a38 0000098000000000
0000007ffffffff8 fffffa800edf3aa8 : nt!KiBugCheckDispatch+0x69
fffff880028a1600 fffff80002ab03e1 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : nt!KiPageFault+0x260
fffff880028a1790 fffff88001235e70 : fffffa800edf39c0 fffff80002c6f600
fffffa800edf39c0 fffffa800ed53180 : nt!ExDeleteResourceLite+0xd1
fffff880028a17f0 fffff880012b91ce : fffff880028a18b0 fffff80002c6f600
fffffa800edf39c0 fffffa800fb90e40 : Ntfs!NtfsFreeNonpagedDataFcb+0x20
fffff880028a1820 fffff88001235972 : fffff80002c6f600 fffff880028a1a01
fffff880028a18a1 fffff8a0005bd2f0 : Ntfs!NtfsDeleteFcb+0x3be
fffff880028a1880 fffff880012bb63c : fffffa800fb90e40 fffffa800ed53180
fffff8a0005bd2f0 fffff8a0005bd688 : Ntfs!NtfsTeardownFromLcb+0x1e2
fffff880028a1910 fffff8800123d0e2 : fffffa800fb90e40 fffffa800fb90e40
fffff8a0005bd2f0 0000000000000000 : Ntfs!NtfsTeardownStructures+0xcc
fffff880028a1990 fffff880012cb193 : fffffa800fb90e40 fffff80002c6f600
fffff8a0005bd2f0 0000000000000009 : Ntfs!NtfsDecrementCloseCounts+0xa2
fffff880028a19d0 fffff880012ba357 : fffffa800fb90e40 fffff8a0005bd420
fffff8a0005bd2f0 fffffa800ed53180 : Ntfs!NtfsCommonClose+0x353
fffff880028a1aa0 fffff80002adca21 : 0000000000000000 fffff80002dc8f00
fffff80002cd1101 fffffa8000000002 : Ntfs!NtfsFspClose+0x15f
fffff880028a1b70 fffff80002d6fcce : fffffa8000000001 fffffa800eadcb60
0000000000000080 fffffa800cd5f040 : nt!ExpWorkerThread+0x111
fffff880028a1c00 fffff80002ac3fe6 : fffff880009ea180 fffffa800eadcb60
fffffa800f236060 fffff88001241384 : nt!PspSystemThreadStartup+0x5a
fffff880028a1c40 0000000000000000 : fffff880028a2000 fffff8800289c000
fffff880028a1000 0000000000000000 : nt!KiStartSystemThread+0x16

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
MyMiniFilterDriver+b1d0
fffff880`0159f1d0 ?? ???

SYMBOL_NAME: MyMiniFilterDriver+b1d0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: MyMiniFilterDriver

IMAGE_NAME: MyMiniFilterDriver.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAILURE_BUCKET_ID: X64_0xD4_VRF_UNLOADED_MODULE_MyMiniFilterDriver+b1d0

BUCKET_ID: X64_0xD4_VRF_UNLOADED_MODULE_MyMiniFilterDriver+b1d0

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING:
km:x64_0xd4_vrf_unloaded_module_MyMiniFilterDriver+b1d0

FAILURE_ID_HASH: {b4c71f67-fcc9-dd7c-498c-b8a89e2ce0db}

Followup: MachineOwner

On Thu, Dec 3, 2015 at 8:02 PM, Scott Noone wrote:

> You need to post the !analyze –v output if anyone is going to have a
> chance of helping you.
>
> -scott
> OSR
> @OSRDrivers
>
> “Madhusudhana Narayanappa” wrote in
> message news:xxxxx@ntdev…
>
> Hi,
> I am getting this bug check
> 0xD4(SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD) while
> uninstalling the driver. This driver is a minifilter.
>
> This never occurred until recent changes where I fixed IRQL issues caught
> by driver verifier. The changes are as below.
>
> 1. Handling post create operation at passive level by creating workitem
> when IRQL>=DISPATCH_LEVEL
> 2. Changing the reader write locks from SpinLock to ResourceLite lock
> since prefix table APIs were use while lock is acquired.
> 3. Disabling APCs while using resource locks`
>
> Any clue how I can debug this issue.
>
>
> regards,
> Madhusudhana
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: <
> http://www.osronline.com/showlists.cfm?list=ntdev&gt;
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>

4

Do you use ERESOURCEs? If so, you need to explicitly deleting them before unloading.

-scott
OSR
@OSRDrivers

5

Wow. That worked.
I added a ExDeleteResourceLite in the unload callback routine, and now
there’s no problem.

Thanks,
Madhusudhana

On Sun, Dec 6, 2015 at 10:53 PM, wrote:

> Do you use ERESOURCEs? If so, you need to explicitly deleting them before
> unloading.
>
> -scott
> OSR
> @OSRDrivers
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: <
> http://www.osronline.com/showlists.cfm?list=ntdev&gt;
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>