Crash in FwpsReleaseClassifyHandle0

  • Question

  • Hi,

    After hours of successfully redirecting TCP connections to a local process, my driver suddenly crashes in function FwpsReleaseClassifyHandle0.

    Since function FwpsCompleteClassify0 is called immediately before FwpsReleaseClassifyHandle0, I believe that the handle given to FwpsReleaseClassifyHandle0 is valid. Another point is that it happened only in virtual machines, so it may be a timing issue.

    I would like to know if this could be a Windows 7 bug. Here is the output from "analyze -v"; a full memory dump is available.

    Jens

    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff8800171aee4, Address of the instruction which caused the bugcheck
    Arg3: fffff8800356dae0, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.

    Debugging Details:
    ------------------


    "kernel32.dll" was not found in the image list.
    Debugger will attempt to load "kernel32.dll" at given base 00000000`00000000.

    Please provide the full image name, including the extension (i.e. kernel32.dll)
    for more reliable results.Base address and size overrides can be given as
    .reload <image.ext>=<base>,<size>.
    Unable to add module at 00000000`00000000

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgeführt werden.

    FAULTING_IP:
    NETIO!WfpObjectDereference+4
    fffff880`0171aee4 f0834104ff      lock add dword ptr [rcx+4],0FFFFFFFFh

    CONTEXT:  fffff8800356dae0 -- (.cxr 0xfffff8800356dae0)
    rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
    rdx=fffffa80130c9e20 rsi=fffffa80176c0010 rdi=fffffa80132017f0
    rip=fffff8800171aee4 rsp=fffff8800356e4c0 rbp=0000057fecdfe808
     r8=fffffa80130c9e20  r9=5a46dd72b46f46e2 r10=fffff8800356e4a0
    r11=0000000000000000 r12=0000000000000038 r13=0000000000000000
    r14=fffffffffffffff8 r15=0000057fecd09c18
    iopl=0         nv up ei ng nz na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
    NETIO!WfpObjectDereference+0x4:
    fffff880`0171aee4 f0834104ff      lock add dword ptr [rcx+4],0FFFFFFFFh ds:002b:00000000`00000004=????????
    Resetting default scope

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0x3B

    PROCESS_NAME:  MOBILEmanager.

    CURRENT_IRQL:  2

    LAST_CONTROL_TRANSFER:  from fffff880017248e1 to fffff8800171aee4

    STACK_TEXT: 
    fffff880`0356e4c0 fffff880`017248e1 : 00000000`0001c287 fffff880`00000000 5a46dd72`b46f46e2 fffffa80`136e6490 : NETIO!WfpObjectDereference+0x4
    fffff880`0356e4f0 fffff880`01a70172 : 00000000`0001c287 0000057f`ecdfe808 fffffa80`176c0010 00000000`00000000 : NETIO!FeReleaseClassifyHandle+0x31
    fffff880`0356e520 fffff880`03af757e : fffffa80`136e6470 fffffa80`136e00a7 00000000`00000004 fffff880`03b0e353 : fwpkclnt!FwpsReleaseClassifyHandle0+0xe
    fffff880`0356e550 fffff880`03ae2d1e : fffffa80`1326be30 0000057f`ec919c38 fffffa80`13922400 fffff880`00e65c9f : mmwfp!CTcpFilter::HandleRegisterApplicationResponse+0x32e [c:\work\jens\projects\cvs-head\products\mobilemanager\client\wfpfilter\src\tcpfilter.cpp @ 557]
    fffff880`0356e5c0 fffff880`03ae67eb : fffffa80`1326b648 0000057f`ec919c38 fffffa80`13922400 fffffa80`132017f0 : mmwfp!CNetworkFilter::HandleRegisterApplicationResponse+0x2e [c:\work\jens\projects\cvs-head\products\mobilemanager\client\wfpfilter\src\networkfilter.h @ 181]
    fffff880`0356e5f0 fffff880`03ae5cdd : fffffa80`1326b390 fffffa80`13922400 fffff880`0356e7c0 00000000`00000000 : mmwfp!CMMDevice::HandleMessage+0x1eb [c:\work\jens\projects\cvs-head\products\mobilemanager\client\wfpfilter\src\device.cpp @ 601]
    fffff880`0356e780 fffff880`03ae3c77 : fffffa80`1326b390 0000057f`ecd09c18 00000000`00000038 00000000`00000000 : mmwfp!CMMDevice::OnWrite+0x2dd [c:\work\jens\projects\cvs-head\products\mobilemanager\client\wfpfilter\src\device.cpp @ 485]
    fffff880`0356e800 fffff880`00e7ced9 : 0000057f`ecdfe808 0000057f`ecd09c18 00000000`00000038 00000000`00000000 : mmwfp!CMMDevice::EvtWrite+0x37 [c:\work\jens\projects\cvs-head\products\mobilemanager\client\wfpfilter\src\device.cpp @ 121]
    fffff880`0356e830 fffff880`00e7c99f : 00000000`00000000 fffffa80`132f63e0 fffffa80`132017f0 fffffa80`132017f0 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x401
    fffff880`0356e8b0 fffff880`00e7bf98 : 00000000`00000000 00000000`00000000 00000000`00000000 fffffa80`132f6532 : Wdf01000!FxIoQueue::DispatchEvents+0x4df
    fffff880`0356e920 fffff880`00e81558 : fffffa80`13619300 fffffa80`132f63e0 fffffa80`136192f0 fffffa80`132f63e0 : Wdf01000!FxIoQueue::QueueRequest+0x2bc
    fffff880`0356e990 fffff880`00e6b245 : fffffa80`132f63e0 00000000`00000001 fffffa80`132928f0 00000000`00000000 : Wdf01000!FxPkgIo::Dispatch+0x37c
    fffff880`0356ea10 fffff800`02de621b : 00000000`00000001 fffffa80`132928f0 00000000`00000000 fffffa80`136192f0 : Wdf01000!FxDevice::Dispatch+0xa9
    fffff880`0356ea40 fffff800`02df0c83 : fffffa80`13619408 fffffa80`13292940 fffffa80`132928f0 fffff880`03163180 : nt!IopSynchronousServiceTail+0xfb
    fffff880`0356eab0 fffff800`02adced3 : fffff880`0356ec01 00000000`00001ac4 00000000`00000001 00000000`08cdfc1c : nt!NtWriteFile+0x7e2
    fffff880`0356ebb0 00000000`734a2e09 : 00000000`734a29f5 00000000`773801c4 00000000`00000023 00000000`00000246 : nt!KiSystemServiceCopyEnd+0x13
    00000000`0603f0f8 00000000`734a29f5 : 00000000`773801c4 00000000`00000023 00000000`00000246 00000000`08cdfff0 : wow64cpu!CpupSyscallStub+0x9
    00000000`0603f100 00000000`7351d07e : 00000000`00000000 00000000`734a1920 00000000`00000000 00000000`00000000 : wow64cpu!ReadWriteFileFault+0x31
    00000000`0603f1c0 00000000`7351c549 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : wow64!RunCpuSimulation+0xa
    00000000`0603f210 00000000`7720e707 : 00000000`00000000 00000000`7efdf000 00000000`7ef4a000 00000000`00000000 : wow64!Wow64LdrpInitialize+0x429
    00000000`0603f760 00000000`771bc32e : 00000000`0603f820 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x29364
    00000000`0603f7d0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe


    FOLLOWUP_IP:
    NETIO!WfpObjectDereference+4
    fffff880`0171aee4 f0834104ff      lock add dword ptr [rcx+4],0FFFFFFFFh

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  NETIO!WfpObjectDereference+4

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: NETIO

    IMAGE_NAME:  NETIO.SYS

    DEBUG_FLR_IMAGE_TIMESTAMP:  4ce79381

    STACK_COMMAND:  .cxr 0xfffff8800356dae0 ; kb

    FAILURE_BUCKET_ID:  X64_0x3B_NETIO!WfpObjectDereference+4

    BUCKET_ID:  X64_0x3B_NETIO!WfpObjectDereference+4

    Followup: MachineOwner
    ---------

     

    Tuesday, November 29, 2011 9:45 AM
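
An added triage example, not part of the original post or of any Microsoft tooling: this Python sketch parses the FAULTING_IP and CONTEXT lines quoted in the dump above, computes the address the faulting instruction touched, and labels it. The function names and the 64 KiB NULL-region threshold are assumptions of the example.

```python
import re

# Excerpt copied from the `!analyze -v` output in the post above.
DUMP = """\
FAULTING_IP:
NETIO!WfpObjectDereference+4
fffff880`0171aee4 f0834104ff      lock add dword ptr [rcx+4],0FFFFFFFFh

CONTEXT:  fffff8800356dae0 -- (.cxr 0xfffff8800356dae0)
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=fffffa80130c9e20 rsi=fffffa80176c0010 rdi=fffffa80132017f0
rip=fffff8800171aee4 rsp=fffff8800356e4c0 rbp=0000057fecdfe808
"""

REG = re.compile(r"\b(r[a-z0-9]{1,3})=([0-9a-f]{16})\b")
# Memory operand such as [rcx+4] or [rax-10h]; WinDbg prints displacements in hex.
MEM = re.compile(r"\[(r[a-z0-9]{1,3})(?:([+-])([0-9a-f]+)h?)?\]", re.I)

def parse_registers(text):
    """Map register name -> value for every 64-bit rXX=... pair in the dump."""
    return {name: int(value, 16) for name, value in REG.findall(text)}

def faulting_access(text):
    """Return (symbol, base register, effective address) of the faulting access."""
    lines = [l.strip() for l in text.splitlines()]
    i = lines.index("FAULTING_IP:")
    symbol, instruction = lines[i + 1], lines[i + 2]
    m = MEM.search(instruction)
    if m is None:
        raise ValueError("faulting instruction has no register-based memory operand")
    base = m.group(1).lower()
    disp = int(m.group(3), 16) if m.group(3) else 0
    if m.group(2) == "-":
        disp = -disp
    ea = (parse_registers(text)[base] + disp) & 0xFFFFFFFFFFFFFFFF
    return symbol, base, ea

def classify(ea):
    """Coarse label for the address that raised the access violation."""
    if ea < 0x10000:  # assumption: lowest 64 KiB treated as NULL-based
        return "null-pointer dereference"
    if 0x0000800000000000 <= ea < 0xFFFF800000000000:
        return "non-canonical address"
    return "other invalid address"

if __name__ == "__main__":
    sym, base, ea = faulting_access(DUMP)
    print(f"{sym}: base {base} -> {ea:#x}: {classify(ea)}")
```

The result only characterises the access; it does not say why the pointer that reached WfpObjectDereference was NULL.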

All replies

  • Please send a link to the memory dump to DHarper AT Microsoft DOT com

     


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Friday, December 2, 2011 8:51 PM
    Moderator