MSDMFilt.sys bugcheck on Win 10 Pro 1703

  • Question

  • I've been working on testing a bus filter driver, and MSDMFilt.sys keeps bugchecking on pool allocation issues. I can provide the dump as requested; here's the !analyze -v output:

    DUMP_CLASS: 1

    DUMP_QUALIFIER: 0

    BUILD_VERSION_STRING:  15063.0.amd64fre.rs2_release.170317-1834

    DUMP_TYPE:  0

    BUGCHECK_P1: 62

    BUGCHECK_P2: ffffa78bc9f03b10

    BUGCHECK_P3: ffffa78bcbc92d80

    BUGCHECK_P4: 1

    BUGCHECK_STR:  0xc4_62

    IMAGE_NAME:  MSDMFilt.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  0

    MODULE_NAME: MSDMFilt

    FAULTING_MODULE: fffff80b242d0000 MSDMFilt

    VERIFIER_DRIVER_ENTRY: dt nt!_MI_VERIFIER_DRIVER_ENTRY ffffa78bcbc92d80
    Symbol nt!_MI_VERIFIER_DRIVER_ENTRY not found.

    CPU_COUNT: 4

    CPU_MHZ: 95c

    CPU_VENDOR:  AuthenticAMD

    CPU_FAMILY: 15

    CPU_MODEL: 65

    CPU_STEPPING: 1

    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

    PROCESS_NAME:  System

    CURRENT_IRQL:  2

    ANALYSIS_SESSION_HOST:  DESKTOP-50PU1HO

    ANALYSIS_SESSION_TIME:  10-24-2017 18:59:26.0979

    ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

    LOCK_ADDRESS:  fffff802879f5f60 -- (!locks fffff802879f5f60)

    Resource @ nt!PiEngineLock (0xfffff802879f5f60)    Exclusively owned
        Contention Count = 20
         Threads: ffffa78bcb831040-01<*> 
    1 total locks, 1 locks currently held

    PNP_TRIAGE: 
    Lock address  : 0xfffff802879f5f60
    Thread Count  : 1
    Thread address: 0xffffa78bcb831040
    Thread wait   : 0x1b374

    LAST_CONTROL_TRANSFER:  from fffff8028788e242 to fffff80287802ff0

    STACK_TEXT:  
    ffffe480`9754dab8 fffff802`8788e242 : 00000000`00000062 00000000`000000c4 ffffe480`9754dc20 fffff802`877646c0 : nt!DbgBreakPointWithStatus
    ffffe480`9754dac0 fffff802`8788daf2 : 00000000`00000003 ffffe480`9754dc20 fffff802`8793f300 00000000`000000c4 : nt!KiBugCheckDebugBreak+0x12
    ffffe480`9754db20 fffff802`877fd687 : ffffa78b`c9e276a0 fffff802`876a3853 ffffa78b`c9f03b10 fffff802`00000000 : nt!KeBugCheck2+0x922
    ffffe480`9754e230 fffff802`87dfd03f : 00000000`000000c4 00000000`00000062 ffffa78b`c9f03b10 ffffa78b`cbc92d80 : nt!KeBugCheckEx+0x107
    ffffe480`9754e270 fffff802`87e03966 : 00000000`00000000 fffff80b`242d0000 00000000`00000001 00000000`ffffffff : nt!VerifierBugCheckIfAppropriate+0x6b
    ffffe480`9754e2b0 fffff802`878622e4 : ffffa78b`cbc92d80 fffff80b`242d0000 00000000`00000001 fffff80b`242d1000 : nt!VfPoolCheckForLeaks+0x3e
    ffffe480`9754e2f0 fffff802`87df023a : 00000000`00015000 ffffa78b`c9f039e0 fffff802`879d6330 fffff802`879d6330 : nt!VfTargetDriversRemove+0x998c8
    ffffe480`9754e370 fffff802`87b0e8e2 : ffffa78b`c9f039e0 ffffe480`9754e4a0 00000000`00000015 ffffa47c`05921680 : nt!VfDriverUnloadImage+0x3e
    ffffe480`9754e3a0 fffff802`87c11850 : 00000000`00000001 ffffa78b`cb831040 ffffce83`8fc233a0 ffffa47c`05921680 : nt!MiUnloadSystemImage+0xe6
    ffffe480`9754e4f0 fffff802`87c54d60 : ffffa78b`cb6ab050 ffffe480`9754e710 00000000`00000010 fffff802`87c54d20 : nt!MmUnloadSystemImage+0x20
    ffffe480`9754e520 fffff802`87b3e0ae : ffffa78b`cb6ab050 00000000`00000000 ffffce83`940f9570 ffffa78b`cb6ab050 : nt!IopDeleteDriver+0x40
    ffffe480`9754e570 fffff802`876f5071 : 00000000`00000000 00000000`00000000 ffffe480`9754e710 ffffa78b`cb6ab080 : nt!ObpRemoveObjectRoutine+0x7e
    ffffe480`9754e5d0 fffff802`87ac612e : 00000000`00000000 ffffe480`9754e6f0 ffffe480`9754e710 ffffa78b`00000001 : nt!ObfDereferenceObject+0xa1
    ffffe480`9754e610 fffff802`87ac7407 : ffffa78b`caadd830 ffffe480`9754e8e0 ffffa78b`caadd830 00000000`00000000 : nt!PipCallDriverAddDevice+0x382
    ffffe480`9754e7e0 fffff802`87d35792 : ffffa78b`caadd830 fffff802`876f4429 fffff802`87a89200 00000000`00000000 : nt!PipProcessDevNodeTree+0x15f
    ffffe480`9754ea60 fffff802`87846bab : ffffa701`00000003 00000000`00000000 fffff802`00000000 ffffa78b`cd2bf060 : nt!PiRestartDevice+0xba
    ffffe480`9754eab0 fffff802`876cf168 : ffffa78b`cb831040 fffff802`879f4a00 fffff802`87a89380 fffff802`87a89380 : nt!PnpDeviceActionWorker+0xe307b
    ffffe480`9754eb80 fffff802`8776deb7 : ffffe480`93be2180 00000000`00000080 ffffa78b`c9e9e500 ffffa78b`cb831040 : nt!ExpWorkerThread+0xd8
    ffffe480`9754ec10 fffff802`87802a06 : ffffe480`93be2180 ffffa78b`cb831040 fffff802`8776de70 ffffffff`ffffffff : nt!PspSystemThreadStartup+0x47
    ffffe480`9754ec60 00000000`00000000 : ffffe480`9754f000 ffffe480`97549000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16


    STACK_COMMAND:  kb

    THREAD_SHA1_HASH_MOD_FUNC:  fb40d432875b700cb6f029f4bdd526bf5ad6f9b4

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  a7cf82d3e79315b63ef45bd983391817555d3997

    THREAD_SHA1_HASH_MOD:  65e960981daf68eaa3f111ef44aadfdc4bfefe1e

    FOLLOWUP_NAME:  MachineOwner

    FAILURE_BUCKET_ID:  0xc4_62_VRF_LEAKED_POOL_IMAGE_MSDMFilt.sys

    BUCKET_ID:  0xc4_62_VRF_LEAKED_POOL_IMAGE_MSDMFilt.sys

    PRIMARY_PROBLEM_CLASS:  0xc4_62_VRF_LEAKED_POOL_IMAGE_MSDMFilt.sys

    TARGET_TIME:  2017-10-25T01:16:13.000Z

    OSBUILD:  15063

    OSSERVICEPACK:  0

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    SUITE_MASK:  272

    PRODUCT_TYPE:  1

    OSPLATFORM_TYPE:  x64

    OSNAME:  Windows 10

    OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

    OS_LOCALE:  

    USER_LCID:  0

    OSBUILD_TIMESTAMP:  2017-09-29 00:20:26

    BUILDDATESTAMP_STR:  170317-1834

    BUILDLAB_STR:  rs2_release

    BUILDOSVER_STR:  10.0.15063.0.amd64fre.rs2_release.170317-1834

    ANALYSIS_SESSION_ELAPSED_TIME: 9140

    ANALYSIS_SOURCE:  KM

    FAILURE_ID_HASH_STRING:  km:0xc4_62_vrf_leaked_pool_image_msdmfilt.sys

    FAILURE_ID_HASH:  {0cff6957-7358-bab8-8071-928dd0ebce81}

    Followup:     MachineOwner
    ---------

    -----

    I've had our dev team take a look at the dumps; they also agree that our driver is not the one involved here. Any help would be appreciated, I'd really like to get past this matter.

    Note: I have also made sure to add the updated filters and ran the DF - Concurrent Hardware And Operating System (CHAOS) Test (Development and Integration).

    Thanks

    Ren

    UPDATED:

    Our devs have taken a look, and there seems to be a memory leak in this filter driver. Below is the current assessment:

    When MSDMFilt's FilterAddDevice routine is called, it calls the function FilterCreateControlDevice.
    FilterCreateControlDevice calls IoCreateDevice to create a device such as \Device\MSDMFiltXXXXXXXX.
    It then calls IoCreateSymbolicLink to create a link such as \DosDevices\MSDMFiltXXXXXXXX.
    The name of this link is saved in the device extension, in a UNICODE_STRING at offset 0x28 (Win10 x64).
    When an IRP_MN_REMOVE_DEVICE IRP is received for the device, the link is deleted and the string buffer freed using ExFreePoolWithTag.
    However, after FilterCreateControlDevice returns, FilterAddDevice calls IoAttachDeviceToDeviceStack.
    If that call fails, the failure path calls IoDeleteDevice and the function fails with STATUS_INVALID_DEVICE_REQUEST.
    In doing so, it does not free the symbolic link or the buffer allocated for its name.
    One reason why IoAttachDeviceToDeviceStack may fail is if the previous driver attaching to the device stack did not clear the DO_DEVICE_INITIALIZING flag.
    This may be a bug in that driver, and it may make sense to flag it as such.
    Currently, however, Driver Verifier will correctly flag this as a leak in msdmfilt.sys:
    DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
    A device driver attempting to corrupt the system has been caught.  This is
    because the driver was specified in the registry as being suspect (by the
    administrator) and the kernel has enabled substantial checking of this driver.
    If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
    be among the most commonly seen crashes.
    Arguments:
    Arg1: 0000000000000062, A driver has forgotten to free its pool allocations prior to unloading.
    Arg2: ffffd20e0f2b4e40, name of the driver having the issue.
    Arg3: ffffd20e03ec4990, verifier internal structure with driver information.
    Arg4: 0000000000000001, total # of (paged+nonpaged) allocations that weren't freed.
    Type !verifier 3 drivername.sys for info on the allocations
    that were leaked that caused the bugcheck.
    [...]
    3: kd> du ffffd20e0f2b4e40
    ffffd20e`0f2b4e40  "MSDMFilt.sys"
    3: kd> !verifier 3 msdmfilt.sys
    [...]
        Pool Allocations:
          Address             Length      Tag   Caller Address    
          ------------------  ----------  ----  ------------------
          0xffffff0a2a828fb0  0x0000004c  MSDM  0xfffff801eae1172d  MSDMFilt!FilterCreateControlDevice+0x129
        Contiguous allocations are not displayed with public symbols.
    3: kd> !verifier 0x80 0xffffff0a2a828fb0  
    Log of recent kernel pool Allocate and Free operations:
    There are up to 0x10000 entries in the log.
    Parsing 0x0000000000010000 log entries, searching for address 0xffffff0a2a828fb0.
    ======================================================================
    Pool block ffffff0a2a828fb0, Size 000000000000004c, Thread ffffd20e0d39a280
    fffff8024556b412 nt!VeAllocatePoolWithTagPriority+0x302
    fffff801e89aa112 VerifierExt!ExAllocatePoolWithTagPriority_internal_wrapper+0x82
    fffff8024556b735 nt!VerifierExAllocatePoolEx+0x55
    fffff801eae1172d MSDMFilt!FilterCreateControlDevice+0x129
    fffff801eae11a22 MSDMFilt!FilterAddDevice+0x182
    fffff801e89aaa0f VerifierExt!xdv_AddDevice_wrapper+0x7f
    fffff80244fe212f nt!PpvUtilCallAddDevice+0x88583
    fffff802453c6929 nt!PnpCallAddDevice+0x59
    fffff8024523f4ab nt!PipCallDriverAddDevice+0x6ff
    fffff80245240407 nt!PipProcessDevNodeTree+0x15f
    fffff802454ae792 nt!PiRestartDevice+0xba
    fffff80244fbfbab nt!PnpDeviceActionWorker+0xe307b
    fffff80244e48168 nt!ExpWorkerThread+0xd8
    Parsed entry 0000000000010000/0000000000010000...
    Finished parsing all pool tracking information.
    1: kd> !lmi msdmfilt
    Loaded Module Info: [msdmfilt] 
             Module: MSDMFilt
       Base Address: fffff80d05c30000
         Image Name: MSDMFilt.sys
       Machine Type: 34404 (X64)
         Time Stamp: c1137867 Wed Aug 24 08:38:15 2072
               Size: 15000
           CheckSum: 146f7
    Characteristics: 22  
    Debug Data Dirs: Type  Size     VA  Pointer
                 CODEVIEW    25,  b224,    9a24 RSDS - GUID: {9C01E766-A9FD-C1EA-97DD-87B503B649E8}
                   Age: 1, Pdb: msdmfilt.pdb
                       ??   19c,  b24c,    9a4c [Data not mapped]
                       ??     0,     0,       0  [Debug data not mapped]
         Image Type: MEMORY   - Image read successfully from loaded memory.
        Symbol Type: PDB      - Symbols loaded successfully from image header.
                     c:\symbols\msdmfilt.pdb\9C01E766A9FDC1EA97DD87B503B649E81\msdmfilt.pdb
        Load Report: public symbols , not source indexed 
                     c:\symbols\msdmfilt.pdb\9C01E766A9FDC1EA97DD87B503B649E81\msdmfilt.pdb
    1: kd> lmvm msdmfilt
    Browse full module list
    start             end                 module name
    fffff80d`05c30000 fffff80d`05c45000   MSDMFilt   (pdb symbols)          c:\symbols\msdmfilt.pdb\9C01E766A9FDC1EA97DD87B503B649E81\msdmfilt.pdb
        Loaded symbol image file: MSDMFilt.sys
        Image path: MSDMFilt.sys
        Image name: MSDMFilt.sys
        Browse all global symbols  functions  data
        Timestamp:        ***** Invalid (C1137867)
        CheckSum:         000146F7
        ImageSize:        00015000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

    • Edited by Ren MG Thursday, October 26, 2017 2:42 AM
    Wednesday, October 25, 2017 2:04 AM