none
WIn8 BUGCHECK 139 RRS feed

  • Question

  • I've caught several  dump with win8. All of them has identical stack:

    nt!KeBugCheckEx
    nt!KiBugCheckDispatch
    nt!KiFastFailDispatch
    nt!KiRaiseSecurityCheckFailure
    nt!RtlRemoveEntryHashTable
    tcpip!WfpAleDeletePendedRemoteEndpoint
    tcpip!WfpAleHandleSendCompletion
    tcpip!WfpAlepAuthorizeSendCompletion
    tcpip!WfpAleCompleteOperation
    fwpkclnt!FwpsCompleteOperation0
    MyDriver!PendClassifyWorkRoutine
    nt!IopProcessWorkItem
    nt!ExpWorkerThread
    nt!PspSystemThreadStartup
    nt!KxStartSystemThread

    and bugcheck description:
    BugCheck 139, {3, fffff88002bea5a0, fffff88002bea4f8, 0}

    PendClassifyWorkRoutine try to complete operation pended at FWPM_LAYER_ALE_AUTH_CONNECT_V4/6 for non TCP activity. Driver is testing with all driver verifier options and it seem there is no problem with memory mangment. I suppose, the problem is endpoint was removed from the hash table earlier. I've never seen this error at win7, all dump were cauht at win8 ( 86/64 ). The last was caught on 8250.0.amd64fre.winmain_win8beta.120217-1520.

    Monday, March 12, 2012 7:26 AM

Answers

  • I believe I found a real source of the bug:

    I set block action for reauthorization but then I injected a packet to the blocked endpoint. I think, it is a source of the invalidation of the remoteEndpointTable
    • Marked as answer by pykd team Saturday, March 17, 2012 3:28 PM
    Saturday, March 17, 2012 3:28 PM

All replies

  • Do you have specific repro steps?  Is this repro consistent?  We are investigating in house.

    Thanks,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Monday, March 12, 2012 9:25 PM
    Moderator
  • The bag is hardly reproduced. And it seems it is my fault:
    FwpsCompleteOperation(
        (PVOID)pendContext->competeContext,
        pensContext->clonedBufferList );    // I should put an original NBL from classifyFn?
    I made a fix and started testing. I hope the buf is fixed.
    I will wite about result after testing

    Tuesday, March 13, 2012 2:23 PM
  • Yes you should be using the NBL from the initial classify.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Wednesday, March 14, 2012 4:02 PM
    Moderator
  • No it did not help (((, the bug is still reproducing.

    The important thing: the bug reproduced on "quiet" machine.

    I try to run two stress test:
    1) UDP scanner ( many datagrams to different ports )
    2) UDP flood ( many datagram to the same port )

    They work fine. But a station without any network activity can fall in this bug check.

    Some information from windbg:

    1: kd> ln 82571500
    (82571500)   tcpip!remoteEndpointTable   |  (82571540)   tcpip!tokenCreationWorkQueue
    Exact matches:
        tcpip!remoteEndpointTable = <no type information>
    1: kd> dt  ntkrpamp!_RTL_DYNAMIC_HASH_TABLE 82571500
       +0x000 Flags            : 0
       +0x004 Shift            : 0
       +0x008 TableSize        : 0x80
       +0x00c Pivot            : 0
       +0x010 DivisorMask      : 0x7f
       +0x014 NumEntries       : 0xffffffff  <-----  Every dump has this counter = -1
       +0x018 NonEmptyBuckets  : 0xffffffff
       +0x01c NumEnumerators   : 0
       +0x020 Directory        : 0x845a1218 Void

    In a normal NumEntries > 0. It looks like my driver leads to a leak of remote endpoint reference. But what's wrong? And I can not reproduce it on win7 still.

    Thursday, March 15, 2012 6:02 AM
  • I believe I found a real source of the bug:

    I set block action for reauthorization but then I injected a packet to the blocked endpoint. I think, it is a source of the invalidation of the remoteEndpointTable
    • Marked as answer by pykd team Saturday, March 17, 2012 3:28 PM
    Saturday, March 17, 2012 3:28 PM
  • We are seeing this issue on our end on Win 8 # 8250 Consumer Preview build. And our driver is *not* on the stack or on any of the thread stacks. Any thoughts ?

    0: kd> kc
    Call Site
    nt!KeBugCheckEx
    nt!KiBugCheckDispatch
    nt!KiFastFailDispatch
    nt!KiRaiseSecurityCheckFailure
    nt!RtlRemoveEntryHashTable
    tcpip!WfpAleDeletePendedRemoteEndpoint
    tcpip!WfpAleHandleSendCompletion
    tcpip! ?? ::FNODOBFM::`string'
    tcpip!WfpAleConnectAcceptIndicate
    tcpip!ProcessALEForTransportPacket
    tcpip!WfpProcessOutTransportStackIndication
    tcpip!IppSendDatagramsCommon
    tcpip!UdpSendMessagesOnPathCreation
    tcpip!UdpSendMessages
    tcpip!UdpTlProviderSendMessagesCalloutRoutine
    nt!KeExpandKernelStackAndCalloutInternal
    nt!KeExpandKernelStackAndCalloutEx
    tcpip!UdpTlProviderSendMessages
    tdx!TdxSendDatagramTransportAddress
    tdx!TdxTdiDispatchInternalDeviceControl
    netbt!SendNameServiceRequest
    netbt!MSnodeRegCompletion
    netbt!TimerExpiry
    nt!KiProcessExpiredTimerList
    nt!KiExpireTimerTable
    nt!KiTimerExpiration
    nt!KiRetireDpcList
    nt!KiIdleLoop

    Tuesday, March 20, 2012 7:29 PM
  • Just looking for leads here.

    Can folks who are seeing this crash:

    1.Please share the XML file output of the following command (on elevated prompt)

    "netsh wfp show state"

    2. Describe how your driver handles multicast packets at ALE Connect layer?

    3.Share out crash dumps

    Please send this information to gpoothia at microsoft dot com

    Thanks

    Wednesday, March 21, 2012 12:27 AM
  • I saw such dumps too. All problems are gone, when I rewrote reauthorization procedure. The main error was injecting packets after reauthorization with BLOCK action.

    Wednesday, March 21, 2012 5:43 AM
  • Is there a special cases for multicast packets handling?
    Wednesday, March 21, 2012 5:45 AM
  • This code works without problems at win8:

    #include <ntddk.h>
    #include <wdmsec.h>
    #include <ndis.h>
    
    #define INITGUID
    #include <initguid.h>
    
    #include <fwpsk.h>
    #include <fwpmk.h>
    
    ///////////////////////////////////////////////////////////////////////////////
    
    DRIVER_INITIALIZE		DriverEntry;
    
    DRIVER_UNLOAD			DriverUnload;
    
    static
    PDEVICE_OBJECT		deviceObject = NULL;
    
    static
    HANDLE				injectHandle = NULL;
    
    
    static
    UINT32				resourceCalloutRegId = 0;
    
    static
    UINT32				connectCalloutRegId = 0;
    
    DEFINE_GUID( ALE_AUTH_CONNECT_V4_CALLOUT_KEY, 
    0x4c0b7b1e, 0x6100, 0x472e, 0x85, 0x19, 0x44, 0x64, 0x4, 0xdb, 0x12, 0xc1);
    
    DEFINE_GUID( ALE_RESOURCE_ASSIGNMENT_V4_CALLOUT_KEY, 
    0x7eab8a99, 0xc2d7, 0x441a, 0xa8, 0xfa, 0x4e, 0x1, 0x26, 0xde, 0x9a, 0x6e);
    
    
    typedef struct ALE_PEND_CONTEXT_V4_ {
    
    	UINT64				endpointHandle;
    
    	ULONG				compartmentId;
    
    	ULONG				remoteAddr;
    
    	PNET_BUFFER_LIST	origNetBuffer;
    
    	HANDLE				completionContext;
    
    	PIO_WORKITEM		workItem;
    
    } ALE_PEND_CONTEXT_V4, *PALE_PEND_CONTEXT_V4;
    
    #define MEM_TAG   'pcla'
    
    
    static
    VOID
    AleAuthClassify(
    	__in const FWPS_INCOMING_VALUES0 *inFixedValues,
    	__in const FWPS_INCOMING_METADATA_VALUES0 *inMetaValues,
    	__inout VOID *layerData,
    	__in const FWPS_FILTER0 *filter,
    	__in UINT64 flowContext,
    	__out FWPS_CLASSIFY_OUT0 *classifyOut
    	);
    
    static 
    IO_WORKITEM_ROUTINE  AleAuthWorkRoutine;
    
    static
    VOID
    AleCleanupContext(
    	__in PALE_PEND_CONTEXT_V4 pendContext
    	);
    
    static
    VOID
    AleInjectComplete(
    	__in VOID* context,
    	__inout NET_BUFFER_LIST* netBufferList,
    	__in BOOLEAN dispatchLevel
    	); 
    
    static
    NTSTATUS 
    AleNotify(
    	__in FWPS_CALLOUT_NOTIFY_TYPE notifyType,
    	__in const GUID *filterKey,
    	__in const FWPS_FILTER0 *filter
    	) 
    {
    	return STATUS_SUCCESS;
    } 
    
    __forceinline
    ULONG
    htonl(
    	__in ULONG  dword 
    	)
    {
    	return ( dword >> 24 ) ^ ( dword << 24 ) ^ ( (dword & 0x00FF0000) >> 8 ) ^ ( ( dword & 0x0000FF00) << 8 );
    }
    ///////////////////////////////////////////////////////////////////////////////
    
    NTSTATUS
    DriverEntry(
    	__in PDRIVER_OBJECT driverObject,
    	__in PUNICODE_STRING registryPath
    	)
    {
    	NTSTATUS		status;
    	FWPS_CALLOUT0	calloutReg = { 0 };
    
    	do {
    
    		driverObject->DriverUnload = DriverUnload;
    
    		status = 
    			IoCreateDevice(
    				driverObject,
    				0,
    				NULL,
    				FILE_DEVICE_UNKNOWN,
    				0,
    				FALSE,
    				&deviceObject );
    
    		if ( !NT_SUCCESS( status ) )
    		{
    			ASSERT( 0 );
    			break;
    		}
    
    		deviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
    
    		status =
    			FwpsInjectionHandleCreate(
    				AF_UNSPEC,
    				FWPS_INJECTION_TYPE_TRANSPORT,
    				&injectHandle );
    
    		if ( !NT_SUCCESS( status ) )
    		{
    			ASSERT( 0 );
    			break;
    		}       
    
    		calloutReg.calloutKey = ALE_AUTH_CONNECT_V4_CALLOUT_KEY;
    		calloutReg.classifyFn = AleAuthClassify;
    		calloutReg.notifyFn = AleNotify;
    
    		status = 
    			FwpsCalloutRegister0(
    				deviceObject,
    				&calloutReg,
    				&connectCalloutRegId );
    
    		if ( !NT_SUCCESS(status) )
    			break;
    
    		calloutReg.calloutKey = ALE_RESOURCE_ASSIGNMENT_V4_CALLOUT_KEY;
    		calloutReg.classifyFn = AleAuthClassify;
    		calloutReg.notifyFn = AleNotify;
    
    		status =
    			FwpsCalloutRegister0(
    				deviceObject,
    				&calloutReg,
    				&resourceCalloutRegId );
    
    		if ( !NT_SUCCESS(status) )
    			break;
    
    	} while( FALSE );
    
    	if ( !NT_SUCCESS( status ) )
    		DriverUnload( driverObject );
    
    	return status;
    }
    
    ///////////////////////////////////////////////////////////////////////////////
    
    VOID
    DriverUnload(
    	__in PDRIVER_OBJECT driverObject )
    {
    	if ( connectCalloutRegId )
    		FwpsCalloutUnregisterById( connectCalloutRegId );
    
    	if ( resourceCalloutRegId )
    		FwpsCalloutUnregisterById( resourceCalloutRegId );
    	
    	if ( injectHandle )
    		FwpsInjectionHandleDestroy( injectHandle );
    
    	if ( deviceObject )
    		IoDeleteDevice( deviceObject );
    } 
    
    ///////////////////////////////////////////////////////////////////////////////
    
    __forceinline
    UINT32
    WfpGetFlags( 
    	__in const FWPS_INCOMING_VALUES *inFixedValues )
    {
    	switch ( inFixedValues->layerId )
    	{
    		case FWPS_LAYER_ALE_RESOURCE_ASSIGNMENT_V4:
    			return inFixedValues->incomingValue[ FWPS_FIELD_ALE_RESOURCE_ASSIGNMENT_V4_FLAGS ].value.uint32;
    
    		case FWPS_LAYER_ALE_AUTH_CONNECT_V4:
    			return inFixedValues->incomingValue[ FWPS_FIELD_ALE_AUTH_CONNECT_V4_FLAGS ].value.uint32;   
    	}
    
    	ASSERT( 0 );
    
    	return 0;
    }
    
    
    VOID
    AleAuthClassify(
    	__in const FWPS_INCOMING_VALUES0 *inFixedValues,
    	__in const FWPS_INCOMING_METADATA_VALUES0 *inMetaValues,
    	__inout VOID *layerData,
    	__in const FWPS_FILTER0 *filter,
    	__in UINT64 flowContext,
    	__out FWPS_CLASSIFY_OUT0 *classifyOut
    	)
    {
    	NTSTATUS						status;
    	PNET_BUFFER_LIST				netBufferList = (PNET_BUFFER_LIST)layerData;  
    	FWPS_PACKET_INJECTION_STATE		packetState; 
    	UINT32							flags = WfpGetFlags( inFixedValues );
    	PALE_PEND_CONTEXT_V4			pendContext = NULL;
    
    	do {
    
    		if ( inFixedValues->layerId == FWPS_LAYER_ALE_RESOURCE_ASSIGNMENT_V4 )
    		{
    			if ( (classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) != 0)
    				classifyOut->actionType = FWP_ACTION_PERMIT;
    
    			break;
    		}
    
    		if ( netBufferList )
    		{
    			packetState = 
    				FwpsQueryPacketInjectionState(
    					injectHandle,
    					netBufferList,
    					NULL );
    
    			if ( (packetState == FWPS_PACKET_INJECTED_BY_SELF) || (packetState == FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF) )
    			{
    				if ( (classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) != 0)
    					classifyOut->actionType = FWP_ACTION_PERMIT;
    
    				break;
    			}
    		}
    
    		if ( ( flags & FWP_CONDITION_FLAG_IS_REAUTHORIZE ) != 0 )
    		{
    			if ( (classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) != 0)
    				classifyOut->actionType = FWP_ACTION_PERMIT;   
    
    			break;
    		}
    
    		pendContext = ExAllocatePoolWithTag( NonPagedPool, sizeof(ALE_PEND_CONTEXT_V4), MEM_TAG );
    		if ( !pendContext )
    		{
    			classifyOut->actionType = FWP_ACTION_BLOCK;
    			classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE; 
    			break;
    		}
    
    		RtlZeroMemory( pendContext, sizeof(ALE_PEND_CONTEXT_V4) );
    
    		pendContext->endpointHandle = inMetaValues->transportEndpointHandle;
    
    		if ( inFixedValues->layerId == FWPS_LAYER_ALE_AUTH_CONNECT_V4 )
    		{
    			if( FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_COMPARTMENT_ID ) )
    				pendContext->compartmentId = inMetaValues->compartmentId;
    
    			pendContext->remoteAddr = htonl( inFixedValues->incomingValue[ FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_ADDRESS ].value.uint32 );
    
    			ASSERT( NET_BUFFER_LIST_NEXT_NBL(netBufferList) == NULL );
    
    			FwpsReferenceNetBufferList( netBufferList, TRUE );
    			pendContext->origNetBuffer = netBufferList;
    		}
    
    		status = 
    			FwpsPendOperation0( 
    				inMetaValues->completionHandle,
    				&pendContext->completionContext );
    
    		if ( !NT_SUCCESS( status ) )
    		{
    			classifyOut->actionType = FWP_ACTION_BLOCK;
    			classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE; 
    			break;
    		}
    
    		pendContext->workItem = IoAllocateWorkItem( deviceObject );
    		if ( !pendContext->workItem )
    		{
    			classifyOut->actionType = FWP_ACTION_BLOCK;
    			classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE; 
    			break;
    		}
    
    		IoQueueWorkItem(
    			pendContext->workItem,
    			AleAuthWorkRoutine,
    			DelayedWorkQueue,
    			pendContext );
    
    		classifyOut->actionType = FWP_ACTION_BLOCK;
    		classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
    		classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
    
    		pendContext = NULL;
    
    	} while( FALSE );
    
    	if ( pendContext )
    		AleCleanupContext( pendContext );
    }
    
    ///////////////////////////////////////////////////////////////////////////////
    
    VOID
    AleAuthWorkRoutine(
    	__in PDEVICE_OBJECT deviceObject,
    	__in_opt PVOID context
    	)
    {
    	PALE_PEND_CONTEXT_V4			pendContext = (PALE_PEND_CONTEXT_V4)context;	
    	NTSTATUS						status;
    	PNET_BUFFER_LIST				cloneNbl = NULL;
    	FWPS_TRANSPORT_SEND_PARAMS		sendArgs = {0};
    
    	do {
    
    		if ( pendContext->origNetBuffer )
    		{
    			status = 
    				FwpsAllocateCloneNetBufferList(
    					pendContext->origNetBuffer,
    					NULL,
    					NULL,
    					0,
    					&cloneNbl );
    
    			if ( !NT_SUCCESS( status ) )
    				break;
    
    			FwpsCompleteOperation0(
    				pendContext->completionContext,
    				pendContext->origNetBuffer );
    
    			pendContext->completionContext = NULL;
    
    			sendArgs.remoteAddress = (PCHAR)&pendContext->remoteAddr;
    
    			status = FwpsInjectTransportSendAsync(
    				injectHandle,
    				NULL,
    				pendContext->endpointHandle,
    				0,
    				&sendArgs,
    				AF_INET,
    				pendContext->compartmentId,
    				cloneNbl,
    				AleInjectComplete,
    				pendContext );
    
    			if ( !NT_SUCCESS( status ) )
    				break;
    
    			pendContext = NULL;
    
    		}
    		else
    		{
    			FwpsCompleteOperation0(
    				pendContext->completionContext,
    				NULL );
    
    			pendContext->completionContext = NULL;
    		}
    	
    	} while( FALSE );
    
    	if ( pendContext )
    		AleCleanupContext( pendContext );		
    }
    
    ///////////////////////////////////////////////////////////////////////////////
    
    VOID
    AleInjectComplete(
    	__in VOID* context,
    	__inout NET_BUFFER_LIST* netBufferList,
    	__in BOOLEAN dispatchLevel
    	)
    {
    	PALE_PEND_CONTEXT_V4		pendContext = (PALE_PEND_CONTEXT_V4)context;	
    
    	AleCleanupContext( pendContext );
    
    	FwpsFreeCloneNetBufferList( netBufferList, 0);
    }
    
    ///////////////////////////////////////////////////////////////////////////////
    
    VOID
    AleCleanupContext(
    	__in PALE_PEND_CONTEXT_V4 pendContext
    	)
    {
    	if ( pendContext->workItem )
    	{
    		IoFreeWorkItem( pendContext->workItem );
    	}
    
    	if ( pendContext->completionContext )
    	{
    		FwpsCompleteOperation0(
    			pendContext->completionContext,
    			pendContext->origNetBuffer );
    	}
    
    	if ( pendContext->origNetBuffer )
    		FwpsDereferenceNetBufferList0(
    			pendContext->origNetBuffer,
    			KeGetCurrentIrql() == DISPATCH_LEVEL );
    
    	ExFreePoolWithTag( pendContext, MEM_TAG );
    }
    
    ///////////////////////////////////////////////////////////////////////////////

    Try to change action at reauthorization block and setup filters for working at boot ( add two filters: boottime and permanent ). The bug will be reproduced 100%.



    Wednesday, March 21, 2012 5:49 AM