access global variable bsod and prompts irql_not_less_or_equal on Win10 WDK

  • Question

  • My driver creates a device in DriverEntry and saves it in a global variable. It BSODs when built with the Windows 10 WDK + VS 2015, but it is OK if built with WDK 7600. Why?
    Tuesday, September 24, 2019 9:44 AM

Answers

  • The memory value stored in Global.ControlObject looks suspect:

    READ_ADDRESS:  40250428

    which means Global.ControlObject = 40250400; this does not look like a valid kernel-mode address. I would start with validating the pointer value you are assigning in DriverEntry and then comparing it to the value retrieved later on. Perhaps there is a memory corruption bug in your driver; especially consider looking at how you access the fields in Global immediately before and after the ControlObject field.



    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, September 25, 2019 5:34 PM
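    A user-mode C sketch of the checks this answer recommends, added here as an example and not part of the thread: recovering the pointer value from READ_ADDRESS and the faulting instruction, testing whether it is a plausible x86 kernel-space address, and guarding the global block so that an overrun of a neighbouring field is caught where the pointer is used. The struct layout, guard words and the overrun are constructed assumptions; the default x86 2 GB split and a little-endian host are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* x86 Windows, default 2 GB split: kernel addresses are >= 0x80000000. */
#define KERNEL_SPACE_START 0x80000000u
#define GUARD_VALUE        0xC0DE4A11u

/* Faulting instruction: "mov ecx, dword ptr [eax+28h]". eax held
 * Global.ControlObject, so the pointer is READ_ADDRESS minus the field offset. */
static uint32_t recover_base_pointer(uint32_t read_address, uint32_t field_offset)
{
    return read_address - field_offset;
}

/* A device object pointer must be non-null and lie in kernel space. */
static int looks_like_kernel_pointer(uint32_t p)
{
    return p != 0 && p >= KERNEL_SPACE_START;
}

/* Hypothetical stand-in for the driver's Global block (the real layout is not in
 * the thread). Guard words around control_object expose a neighbour field that
 * is written past its end. */
struct global_block {
    uint32_t guard_before;
    char     name[8];          /* hypothetical neighbouring field */
    uint32_t control_object;   /* stands in for Global.ControlObject */
    uint32_t guard_after;
};

/* Check to run where the pointer is used (top of the dispatch routine): guards
 * intact, value unchanged since DriverEntry, and still a kernel-space address. */
static int global_is_intact(const struct global_block *g, uint32_t expected)
{
    return g->guard_before == GUARD_VALUE && g->guard_after == GUARD_VALUE
        && g->control_object == expected && looks_like_kernel_pointer(expected);
}

/* Whole scenario on a constructed block: set ControlObject as DriverEntry would,
 * then copy a 12-byte string into the 8-byte name[] so it runs into
 * control_object (the neighbour-field overrun the answer suspects). Returns the
 * clobbered pointer the check caught, or 0 if the check did not fire. */
static uint32_t run_scenario(uint32_t device)
{
    struct global_block g = { GUARD_VALUE, "", device, GUARD_VALUE };
    if (!global_is_intact(&g, device)) return 0;
    memcpy((unsigned char *)&g + offsetof(struct global_block, name), "0123456789AB", 13);
    return global_is_intact(&g, device) ? 0 : g.control_object;
}
```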

All replies

  • Post the code that created it, the code that accesses it, and the output of !analyze -v.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, September 24, 2019 12:39 PM
  • The creation code is as below:

    NTSTATUS
    DriverEntry(
        IN PDRIVER_OBJECT  DriverObject,
        IN PUNICODE_STRING RegistryPath
        )
    {
        NTSTATUS            status = STATUS_SUCCESS;
        PDEVICE_OBJECT      deviceObject;
        UNICODE_STRING      uniNtNameString;
        UNICODE_STRING      uniWin32NameString;
        PVK_CONTROL_EXT     deviceData;
        ULONG               i;
        PDRIVER_DISPATCH  * dispatch;

        UNREFERENCED_PARAMETER (RegistryPath);

        // Create the control device object.
        RtlInitUnicodeString (&uniNtNameString, VA_FILTER_NTNAME);
        status = IoCreateDevice (
            DriverObject,
            sizeof (VK_CONTROL_EXT),
            &uniNtNameString,
            FILE_DEVICE_UNKNOWN,
            0,                     // No standard device characteristics
            FALSE,                 // This isn't an exclusive device
            &deviceObject
            );
        if (!NT_SUCCESS (status)) {
            return status;
        }

        // Expose it to user mode through a symbolic link.
        RtlInitUnicodeString (&uniWin32NameString, VA_FILTER_SYMNAME);
        status = IoCreateSymbolicLink (&uniWin32NameString, &uniNtNameString);
        if (!NT_SUCCESS (status)) {
            IoDeleteDevice (DriverObject->DeviceObject);
            return status;
        }
        deviceData = (PVK_CONTROL_EXT) deviceObject->DeviceExtension;

        // Remember the control device in the driver's global state.
        Global.ControlObject = deviceObject;

        //
        // Create dispatch points
        //
        for (i = 0, dispatch = DriverObject->MajorFunction; i <= IRP_MJ_MAXIMUM_FUNCTION; i++, dispatch++)
        {
            *dispatch = my_Pass;
        }
        DriverObject->DriverExtension->AddDevice = my_AddDevice;
        DriverObject->DriverUnload               = my_Unload;

        return status;
    }

    Analyze details:

    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: 40250428, memory referenced
    Arg2: 00000002, IRQL
    Arg3: 00000000, value 0 = read operation, 1 = write operation
    Arg4: 9c301b91, address which referenced memory
    Debugging Details:
    ------------------

    DUMP_CLASS: 1
    DUMP_QUALIFIER: 401
    BUILD_VERSION_STRING:  10240.16384.x86fre.th1.150709-1700
    SYSTEM_MANUFACTURER:  VMware, Inc.
    VIRTUAL_MACHINE:  VMware
    SYSTEM_PRODUCT_NAME:  VMware Virtual Platform
    SYSTEM_VERSION:  None
    BIOS_VENDOR:  Phoenix Technologies LTD
    BIOS_VERSION:  6.00
    BIOS_DATE:  05/19/2017
    BASEBOARD_MANUFACTURER:  Intel Corporation
    BASEBOARD_PRODUCT:  440BX Desktop Reference Platform
    BASEBOARD_VERSION:  None
    DUMP_TYPE:  1
    BUGCHECK_P1: 40250428
    BUGCHECK_P2: 2
    BUGCHECK_P3: 0
    BUGCHECK_P4: ffffffff9c301b91
    READ_ADDRESS:  40250428
    CURRENT_IRQL:  2
    FAULTING_IP:
    TestF!my_Pass+21 [e:\driver\TestF\TestF\filter.c @ 271]
    9c301b91 8b4828          mov     ecx,dword ptr [eax+28h]
    CPU_COUNT: 1
    CPU_MHZ: e10
    CPU_VENDOR:  GenuineIntel
    CPU_FAMILY: 6
    CPU_MODEL: 9e
    CPU_STEPPING: 9
    CPU_MICROCODE: 6,9e,9,0 (F,M,S,R)  SIG: 8E'00000000 (cache) 8E'00000000 (init)
    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
    BUGCHECK_STR:  AV
    PROCESS_NAME:  rundll32.exe
    ANALYSIS_SESSION_HOST:  DESKTOP-AT8GLI8
    ANALYSIS_SESSION_TIME:  09-25-2019 09:35:50.0854
    ANALYSIS_VERSION: 10.0.15063.468 x86fre
    DPC_STACK_BASE:  FFFFFFFF83330000
    TRAP_FRAME:  8332f5b4 -- (.trap 0xffffffff8332f5b4)
    ErrCode = 00000000
    eax=40250400 ebx=9b18a50f ecx=905148c0 edx=825d1498 esi=896128b0 edi=00000000
    eip=9c301b91 esp=8332f628 ebp=8332fb24 iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
    TestF!my_Pass+0x21:
    9c301b91 8b4828          mov     ecx,dword ptr [eax+28h] ds:0023:40250428=????????
    Resetting default scope
    LAST_CONTROL_TRANSFER:  from 81d9f266 to 81d8ce20
    STACK_TEXT: 
    8332f510 81d9f266 0000000a 40250428 00000002 nt!KiBugCheck2
    8332f510 9c301b91 0000000a 40250428 00000002 nt!KiTrap0E+0x1ca
    8332fb24 81cba183 896128b0 825d1498 9b18a5d0 TestF!my_Pass+0x21 [e:\driver\TestF\TestF\filter.c @ 271]
    8332fb40 9c31127b 8a810140 825d1498 89b6acb8 nt!IofCallDriver+0x43
    8332fbc4 9c323d03 8a810140 825d1498 825d1498 hidusb!HumInternalIoctl+0x26b
    8332fbe8 9c322357 89b6acb8 8a810210 825d1498 HIDCLASS!HidpCallDriver+0x53
    8332fc04 9c328c1c 8332fc23 825d1703 825d1498 HIDCLASS!HidpSubmitInterruptRead+0xd7
    8332fc3c 81cbbee2 00000000 825d1498 8a810210 HIDCLASS!HidpInterruptReadComplete+0x6cf0
    8332fc98 80924ec0 757fbec0 8a804138 90d05978 nt!IopfCompleteRequest+0x1d2
    8332fcd4 8092882a 00000000 82597b00 8a804220 Wdf01000!FxRequest::CompleteInternal+0x1e0 [d:\th\minkernel\wdf\framework\shared\core\fxrequest.cpp @ 863]
    8332fcf4 91bc2162 825fa740 8a804138 00000000 Wdf01000!imp_WdfRequestComplete+0x7a [d:\th\minkernel\wdf\framework\shared\core\fxrequestapi.cpp @ 436]
    8332fd18 91bc0ae5 ffffffff 00000000 00000000 USBXHCI!Bulk_Transfer_CompleteCancelable+0xf6
    8332fd50 91bbfda6 8332fddc 91bb91ba 8332fd90 USBXHCI!Bulk_ProcessTransferEventWithED1+0x2d9
    8332fd58 91bb91ba 8332fd90 00000000 8a804273 USBXHCI!Bulk_EP_TransferEventHandler+0x16
    8332fd68 91bb6af6 825fa740 90d80e38 6f27f1c0 USBXHCI!TR_TransferEventHandler+0x3a
    8332fddc 809a77b1 6f27f1c0 6f2fa680 90d80e94 USBXHCI!Interrupter_WdfEvtInterruptDpc+0x364
    8332fdfc 809a7b06 00000000 00000000 81ec2300 Wdf01000!FxInterrupt::DpcHandler+0x9c [d:\th\minkernel\wdf\framework\shared\irphandlers\pnp\km\interruptobjectkm.cpp @ 75]
    8332fe10 81ca6c09 90d80e94 90d80e38 90d80e38 Wdf01000!FxInterrupt::_InterruptDpcThunk+0x3c [d:\th\minkernel\wdf\framework\shared\irphandlers\pnp\km\interruptobjectkm.cpp @ 406]
    8332fec8 81ca6775 8332ff18 00000000 80bae040 nt!KiExecuteAllDpcs+0x209
    8332fff4 81d9fe8e b2144854 00000000 00000000 nt!KiRetireDpcList+0xe5
    b2144874 81c0eb91 b2144924 00000000 89dff9c0 nt!KiDispatchInterrupt+0x2e
    b2144888 81d9c6dc 89dff9c0 b2144924 839e9e00 hal!HalEndSystemInterrupt+0xc1
    b2144888 81d2f7b1 89dff9c0 b2144924 839e9e00 nt!KiUnexpectedInterruptTail+0x221
    b21449d0 81fdcd66 e61c94ae ffffffff 007cf258 nt!MiObtainReferencedVad+0x141
    b2144acc 81fdcb33 00000000 007cf298 00001000 nt!MiAllocateVirtualMemory+0x226
    b2144af4 81d9bb9b ffffffff 007cf264 00000000 nt!NtAllocateVirtualMemory+0x33
    b2144af4 76f74740 ffffffff 007cf264 00000000 nt!KiSystemServicePostCall
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    007cf278 00000000 00000000 00000000 00000000 0x76f74740

    STACK_COMMAND:  kb
    THREAD_SHA1_HASH_MOD_FUNC:  5e4d43875ab045bcdf5d52dc8946ae46d661ace2
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  1017a574a8e0065f22c3673311655369c574d007
    THREAD_SHA1_HASH_MOD:  07c04da3cd3b56ee7bdb0c319e4238d1ab1f7a88
    FOLLOWUP_IP:
    TestF!my_Pass+21 [e:\driver\TestF\TestF\filter.c @ 271]
    9c301b91 8b4828          mov     ecx,dword ptr [eax+28h]
    FAULT_INSTR_CODE:  8928488b
    FAULTING_SOURCE_LINE:  e:\driver\TestF\TestF\filter.c
    FAULTING_SOURCE_FILE:  e:\driver\TestF\TestF\filter.c
    FAULTING_SOURCE_LINE_NUMBER:  271
    FAULTING_SOURCE_CODE: 
       267:     NTSTATUS        status;
       268:     BOOLEAN passIrpDown = TRUE;
       269:     PIO_STACK_LOCATION pIrpStack;
       270:     UCHAR majorFunc, minorFunc;
    >  271:     PVK_CONTROL_EXT controlData = (PVK_CONTROL_EXT) Global.ControlObject->DeviceExtension;
       272:
       273:     if (DeviceObject == Global.ControlObject)
       274:     {
       275:         ////  ////
       276:         Irp->IoStatus.Status = STATUS_SUCCESS;

    SYMBOL_STACK_INDEX:  2
    SYMBOL_NAME:  TestF!my_Pass+21
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: TestF
    IMAGE_NAME:  TestF.sys
    DEBUG_FLR_IMAGE_TIMESTAMP:  5d8ac2e5
    BUCKET_ID_FUNC_OFFSET:  21
    FAILURE_BUCKET_ID:  AV_TestF!my_Pass
    BUCKET_ID:  AV_TestF!my_Pass
    PRIMARY_PROBLEM_CLASS:  AV_TestF!my_Pass
    TARGET_TIME:  2019-09-25T01:31:46.000Z
    OSBUILD:  10240
    OSSERVICEPACK:  0
    SERVICEPACK_NUMBER: 0
    OS_REVISION: 0
    SUITE_MASK:  272
    PRODUCT_TYPE:  1
    OSPLATFORM_TYPE:  x86
    OSNAME:  Windows 10
    OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS
    OS_LOCALE: 
    USER_LCID:  0
    OSBUILD_TIMESTAMP:  2015-07-10 11:39:14
    BUILDDATESTAMP_STR:  150709-1700
    BUILDLAB_STR:  th1
    BUILDOSVER_STR:  10.0.10240.16384.x86fre.th1.150709-1700
    ANALYSIS_SESSION_ELAPSED_TIME:  13a3
    ANALYSIS_SOURCE:  KM
    FAILURE_ID_HASH_STRING:  km:av_TestF!my_Pass
    FAILURE_ID_HASH:  {460cbc2f-587a-fa65-6bab-3e1f97299f7c}
    Followup:     MachineOwner



    • Edited by Andy_2012 Wednesday, September 25, 2019 1:51 AM
    Wednesday, September 25, 2019 1:48 AM
  • You might want to put in some debugging print statements to show the value of Global.ControlObject when it is set in DriverEntry and in your IOCTL support code where it fails.  

    I assume you removed most of DriverEntry, since otherwise I can't see why you have the statement:

    deviceData = (PVK_CONTROL_EXT) deviceObject->DeviceExtension;

    Finally, I hope this is an old driver you are trying to maintain. If this is new code, I would certainly suggest starting over with KMDF.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Wednesday, September 25, 2019 5:42 PM
  • But there is no other code that sets a value to Global.ControlObject.

    And why does the driver built with the DDK work OK?

    Thursday, September 26, 2019 10:06 AM