Problem with reading from two drivers in Windows Service
KBJ
When i try to read from two drivers (NDIS IM & TDI) in one Windows (XP)
Service, Windows is crashing (PFN_LIST_CORRUPT (4e)). Why? When I read from
one driver all is working correctly.
Here is part of my code:
1. TDI:
TDI-Based Open Source Personal Firewall for Windows
http://tdifw.sourceforge.net/
2. NDIS IM:
#define malloc_np(size) \
ExAllocatePool( NonPagedPool, size )
#define free_np(ptr) \
ExFreePool(ptr)
struct ndis_item *AddToBuffer(PNDIS_PACKET Packet, const enum Direction
direction)
{
BOOLEAN first = FALSE;
struct ndis_item *item = NULL;
PUCHAR protocolType;
LARGE_INTEGER CurrentSystemTime, CurrentLocalTime;
TIME_FIELDS log_time;
PUCHAR buffer;
buffer = GetBuffer(Packet);
if (!buffer)
{
goto done;
}
NdisAcquireSpinLock( &bufferHelper.guard );
bufferHelper.total++;
if (!bufferHelper.Overflow)
{
item = (struct ndis_item*)malloc_np(sizeof(struct ndis_item));
item->next = NULL;
//get log reqest time
KeQuerySystemTime(&CurrentSystemTime);
ExSystemTimeToLocalTime(&CurrentSystemTime, &CurrentLocalTime);
RtlTimeToTimeFields(&CurrentLocalTime, &log_time);
item->log_time.Hour = (UCHAR)log_time.Hour;
item->log_time.Minute = (UCHAR)log_time.Minute;
item->log_time.Second = (UCHAR)log_time.Second;
item->log_time.Milliseconds = log_time.Milliseconds;
item->packetLength = GetPacketLength(Packet);
item->id = bufferHelper.total - 1;
item->direction = direction;
GetMacAddress(buffer, item->DESTINATION_ADDRESS, Destination);
GetMacAddress(buffer, item->SOURCE_ADDRESS, Source);
item->protocol = (USHORT)(buffer[12] << 8) + buffer[13];
bufferHelper.count++;
first = bufferHelper.head == NULL && bufferHelper.tail == NULL;
if (first)
{
bufferHelper.buffer = bufferHelper.head = bufferHelper.tail = item;
}
else
{
bufferHelper.tail = bufferHelper.buffer->next = item;
bufferHelper.buffer = bufferHelper.buffer->next;
}
}
bufferHelper.Overflow = bufferHelper.count >= bufferHelper.maxLength;
NdisReleaseSpinLock( &bufferHelper.guard );
// signal to user app
if (bufferHelper.event != NULL)
{
KeSetEvent(bufferHelper.event, IO_NO_INCREMENT, FALSE);
}
done:
return item;
}
void RemoveList()
{
struct ndis_item *current = bufferHelper.head;
while (current != NULL)
{
current = RemoveItem(current);
}
bufferHelper.buffer = bufferHelper.head = bufferHelper.tail = NULL;
}
NTSTATUS DevGetBuffer(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
KIRQL irql;
NTSTATUS NtStatus = STATUS_SUCCESS;
PIO_STACK_LOCATION pIrpSp;
PUCHAR ioBuffer = NULL;
ULONG inputBufferLength;
ULONG outputBufferLength, Remaining;
struct ndis_item *cursor;
UINT cursorSize;
ULONG itemsCount;
UNREFERENCED_PARAMETER(pDeviceObject);
pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
ioBuffer = pIrp->AssociatedIrp.SystemBuffer;
inputBufferLength = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
outputBufferLength = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
Remaining = outputBufferLength;
// Sanity Check On Length
if( Remaining < sizeof( UNICODE_NULL ) )
{
inputBufferLength = 0;
NtStatus = NDIS_STATUS_BUFFER_OVERFLOW;
goto CompleteTheIRP;
}
NdisAcquireSpinLock( &bufferHelper.guard );
itemsCount = bufferHelper.count;
cursor = bufferHelper.head;
while (cursor != NULL)
{
cursorSize = sizeof(struct ndis_item);
RtlCopyMemory(ioBuffer, cursor, cursorSize);
ioBuffer += cursorSize;
inputBufferLength += cursorSize;
outputBufferLength -= cursorSize;
cursor = cursor->next;
}
RemoveList();
NdisReleaseSpinLock( &bufferHelper.guard );
CompleteTheIRP:
pIrp->IoStatus.Information = inputBufferLength;
pIrp->IoStatus.Status = NtStatus;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return NtStatus;
}
NTSTATUS DevIoControl(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
PIO_STACK_LOCATION pIrpSp;
NTSTATUS NtStatus = STATUS_SUCCESS;
ULONG BytesReturned = 0;
ULONG FunctionCode;
PUCHAR ioBuffer = NULL;
ULONG inputBufferLength;
ULONG outputBufferLength;
UNREFERENCED_PARAMETER(pDeviceObject);
pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
ioBuffer = pIrp->AssociatedIrp.SystemBuffer;
inputBufferLength =
pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
outputBufferLength =
pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
FunctionCode = pIrpSp->Parameters.DeviceIoControl.IoControlCode;
switch (FunctionCode)
{
case IOCTL_PTUSERIO_GET_BUFFER:
return DevGetBuffer(pDeviceObject, pIrp);
default:
NtStatus = STATUS_NOT_SUPPORTED;
break;
}
if (NtStatus != STATUS_PENDING)
{
pIrp->IoStatus.Information = BytesReturned;
pIrp->IoStatus.Status = NtStatus;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
}
return NtStatus;
}
3. Windows Service:
unsigned __stdcall dispatcher(LPVOID param)
{
HANDLE handles[2];
HANDLE handles2[2];
DWORD i, n, n2;
UCHAR *tmpText = NULL;
int reqSize = 0;
char msg[1024];
struct my_time mt;
mt.Hour = 0;
mt.Minute = 0;
mt.Second = 0;
mt.Milliseconds = 0;
handles[0] = g_event;
handles[1] = g_exit_event;
handles2[0] = g_event2;
handles2[1] = g_exit_event2;
for (;;)
{
if (!DeviceIoControl(g_device, IOCTL_CMD_GETREQUEST, NULL, 0,
g_disp_buf, DISP_BUF_SIZE, &n, NULL))
{
winerr("dispatcher: DeviceIoControl");
break;
}
if (!DeviceIoControl(g_device2, IOCTL_PTUSERIO_GET_BUFFER, NULL, 0,
g_disp_buf2, DISP_BUF_SIZE2, &n2, NULL))
{
winerr("dispatcher: Passthru DeviceIoControl");
break;
}
if (n == 0)
{
DWORD wait;
// if working with log file flush it!
if (g_logfile != NULL)
{
fflush(g_logfile);
}
// wait for data
wait = WaitForMultipleObjects(2, handles, FALSE, INFINITE);
if (wait == WAIT_OBJECT_0 + 1)
{
break;
}
else
if (wait != WAIT_OBJECT_0)
{
winerr("dispatcher: WaitForSingleObject");
break;
}
continue;
}
if (n2 == 0)
{
DWORD wait;
// wait for data
wait = WaitForMultipleObjects(2, handles2, FALSE, INFINITE);
if (wait == WAIT_OBJECT_0 + 1)
{
break;
}
else
if (wait != WAIT_OBJECT_0)
{
winerr("dispatcher: Passthru WaitForSingleObject");
break;
}
continue;
}
for (i = 0; i < n;)
{
struct request_log *request;
if (n - i < sizeof(*request))
{
break;
}
request = (struct request_log *)(g_disp_buf + i);
dispatch_request(request);
i += request->struct_size;
}
for (i = 0; i < n2;)
{
struct ndis_item *ndis_request;
if (n - i < sizeof(struct ndis_item))
{
break;
}
ndis_request = (struct ndis_item *)(g_disp_buf2 + i);
if (ndis_request == NULL)
{
winerr("dispatcher: unexpected error: ndis_request cannot be a null.");
break;
}
tmpText = (UCHAR*)(g_disp_buf2 + i + sizeof(struct ndis_item));
reqSize = sizeof(struct ndis_item);
(struct ndis_item *)(g_disp_buf2 + i + reqSize);
i += sizeof(struct ndis_item);
Log(ndis_request);
}
}
return 0;
}
-------------------------------------------------------
I am getting the following error:
* Fatal System Error: 0x0000004e
(0x00000007,0x000019B7,0x00000002,0x00000000)
Wed Mar 26 19:59:30.453 2008 (GMT+1): Break instruction exception - code
80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
* ERROR: Symbol file could not be found. Defaulted to export symbols for
ntoskrnl.exe -
Loading Kernel Symbols
........................................................................................
Loading User Symbols
Loading unloaded module list
.....
*****************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*****************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 4E, {7, 19b7, 2, 0}
Probably caused by : ntoskrnl.exe (
nt!KeDeregisterBugCheckReasonCallback+6c7 )
Followup: MachineOwner
---------
nt!DbgBreakPointWithStatus+0x4:
804e3592 cc int 3
kd> !analyze -v
*****************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*****************************************************************************
PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc). If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 00000007, A driver has unlocked a page more times than it locked it
Arg2: 000019b7, page frame number
Arg3: 00000002, current share count
Arg4: 00000000, 0
Debugging Details:
------------------
MODULE_NAME: nt
FAULTING_MODULE: 804d7000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 45e54711
BUGCHECK_STR: 0x4E_7
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 80532f5e to 804e3592
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
f9e732d4 80532f5e 00000003 000019b7 80c55928 nt!DbgBreakPointWithStatus+0x4
f9e736b4 8053354e 0000004e 00000007 000019b7
nt!KeDeregisterBugCheckReasonCallback+0x6c7
f9e736d4 805249de 0000004e 00000007 000019b7 nt!KeBugCheckEx+0x1b
f9e73728 805494b6 817fcf38 81473000 80561b40 nt!IoSetFileOrigin+0xcaa2
f9e73754 8054ad8b 81471000 81473000 81540af8 nt!wcstombs+0x25c6
f9e73794 f98b9de7 81471000 00000000 f9e73990 nt!ExAllocatePoolWithTag+0x247
f9e737a4 f98ba007 817ddcf8 81471000 f98b9fd1 Ntfs+0x1de7
f9e73990 f98b9c24 f9e739a0 81540af8 0110070a Ntfs+0x2007
f9e73b04 804e37f7 81744020 81540af8 81784968 Ntfs+0x1c24
f9e73b24 804e37f7 817978d0 81540af8 00a40000 nt!IofCallDriver+0x32
f9e73b48 804ed2bc 81785809 f9e73b70 f9e73c04 nt!IofCallDriver+0x32
f9e73c24 804ec231 e1334900 e1334908 e1334908
nt!MmMapLockedPagesSpecifyCache+0x7e1
f9e73c60 804ed980 817449d0 e1334900 00000a40 nt!KeQueryTickCount+0x347
f9e73ce8 804ec078 00002000 00000000 00000001 nt!IoSynchronousPageWrite+0x337
f9e73d2c 804e4f1d 817c7298 80561640 817c9020 nt!KeQueryTickCount+0x18e
f9e73d74 804e426b 817c7298 00000000 817c9020 nt!KeReadStateTimer+0x124
f9e73dac 8057d0f1 817c7298 00000000 00000000 nt!ExQueueWorkItem+0x104
f9e73ddc 804f827a 804e4196 00000000 00000000 nt!PsCreateSystemThread+0x70
00000000 00000000 00000000 00000000 00000000 nt!KeInitializeTimer+0x107
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KeDeregisterBugCheckReasonCallback+6c7
80532f5e e8b7fdfdff call nt!KeI386AllocateGdtSelectors+0x8c
(80512d1a)
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!KeDeregisterBugCheckReasonCallback+6c7
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: ntoskrnl.exe
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
--
Regards
KBJ
Gianluca Varenni
machine and see where it crashes?
Or at least analyze the crash dump with windbg and "!analyze -v"?
Have a nice day
GV
We
"KBJ" <no_mail@no_mail.pl> wrote in message
news:fseivd$39p$1...@inews.gazeta.pl...
KBJ
> Have you tried attaching the kernel debugger (windbg) to the crashing
> machine and see where it crashes?
Yes, I'm getting the following error:
*** Fatal System Error: 0x0000004e
(0x00000007,0x00001A83,0x00000002,0x00000000)
Thu Mar 27 13:04:32.082 2008 (GMT+1): Break instruction exception - code
80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
.........................................................................................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 4E, {7, 1a83, 2, 0}
Probably caused by : memory_corruption
Followup: memory_corruption
---------
nt!RtlpBreakWithStatusInstruction:
804e3b25 cc int 3
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc). If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 00000007, A driver has unlocked a page more times than it locked it
Arg2: 00001a83, page frame number
Arg3: 00000002, current share count
Arg4: 00000000, 0
Debugging Details:
------------------
BUGCHECK_STR: 0x4E_7
DEFAULT_BUCKET_ID: CODE_CORRUPTION
PROCESS_NAME: System
IRP_ADDRESS: 8149f008
LAST_CONTROL_TRANSFER: from 805328e7 to 804e3b25
SYMBOL_ON_RAW_STACK: 1
STACK_ADDR_RAW_STACK_SYMBOL: fffffffff97094e8
STACK_COMMAND: dds F97094E8-0x20 ; kb
STACK_TEXT:
f97094c8 f9709970
f97094cc 80504e4d nt!MiCleanSection+0x6bd
f97094d0 e15165a0
f97094d4 00000001
f97094d8 00000000
f97094dc 00000000
f97094e0 00000000
f97094e4 f64cf8a4 mrxdav!_NULL_IMPORT_DESCRIPTOR+0x3c
f97094e8 f64a7000 mrxdav!MrxDAVEfsControlCompletion <PERF> (mrxdav+0x0)
f97094ec 805a758e nt!MiSnapThunk+0x6f
f97094f0 814a8500
f97094f4 f64d035e mrxdav!_NULL_IMPORT_DESCRIPTOR+0xaf6
f97094f8 000000ff
f97094fc f64cf8a4 mrxdav!_NULL_IMPORT_DESCRIPTOR+0x3c
f9709500 f64adaa8 mrxdav!_imp__GetSecurityUserInfo
f9709504 805a7701 nt!MiSnapThunk+0x382
f9709508 816c6290
f970950c 00000000
f9709510 f64a7000 mrxdav!MrxDAVEfsControlCompletion <PERF> (mrxdav+0x0)
f9709514 f970991c
f9709518 f64adaa8 mrxdav!_imp__GetSecurityUserInfo
f970951c 804f2d87 nt!MiRemoveMappedView+0x253
f9709520 816c6260
f9709524 817cca00
f9709528 f995a958 KSecDD!DESParityTable <PERF> (KSecDD+0x14958)
f970952c 00000000
f9709530 0000000e
f9709534 f64d0372 mrxdav!_NULL_IMPORT_DESCRIPTOR+0xb0a
f9709538 00000000
f970953c 00000000
f9709540 00000000
f9709544 00040100
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
804d910c - nt!KiXMMIZeroPage+73
[ fb:90 ]
804d9112-804d9115 4 bytes - nt!KiXMMIZeroPage+79 (+0x06)
[ 57 ff ff ff:dd e7 0e 01 ]
804d9545-804d954a 6 bytes - nt!ExAcquireResourceSharedLite+10 (+0x433)
[ fa 8b 75 08 33 db:e9 13 e4 0e 01 cc ]
804d9564 - nt!ExAcquireResourceSharedLite+98 (+0x1f)
[ fb:90 ]
804d9569-804d9570 8 bytes - nt!ExAcquireResourceSharedLite+b8 (+0x05)
[ c2 08 00 90 90 90 90 90:e9 63 ab 10 01 c2 08 00 ]
804dbb82 - nt!ExReleaseResourceLite+ba (+0x2619)
[ 99:3f ]
804dbb94 - nt!ExReleaseResourceLite+c8 (+0x12)
[ 87:2d ]
804dbba0 - nt!ExReleaseResourceLite+d0 (+0x0c)
[ 7e:24 ]
804dbbc5-804dbbcd 9 bytes - nt!ExReleaseResourceLite+f5 (+0x25)
[ 90 90 90 90 90 90 90 90:e9 f1 84 10 01 5f 5e 5b ]
804dbbd5-804dbbda 6 bytes - nt!ExReleaseResourceLite+5 (+0x10)
[ 64 a1 24 01 00 00:e9 64 bd 0e 01 cc ]
804dbbe8 - nt!ExReleaseResourceLite+18 (+0x13)
[ 36:dc ]
804dbbf9 - nt!ExReleaseResourceLite+29 (+0x11)
[ 25:cb ]
804dbc16-804dbc1a 5 bytes - nt!ExReleaseResourceLite+75 (+0x1d)
[ 66 81 e2 7f ff:e9 11 bd 0e 01 ]
804deff2-804deff8 7 bytes - nt!KiFastCallEntry+7f (+0x33dc)
[ c7 45 08 00 0d db ba:e9 06 89 0e 01 cc cc ]
804df07c-804df080 5 bytes - nt!KiServiceExit (+0x8a)
[ fa f7 45 70 00:e9 7c 50 10 01 ]
804df16b-804df16d 3 bytes - nt!KiSystemCallExitBranch+2 (+0xef)
[ 5a 59 9d:c8 02 04 ]
804e34b4-804e34b8 5 bytes - nt!ExfInterlockedInsertHeadList+1 (+0x4349)
[ fa 8b 01 89 02:e9 f3 43 0e 01 ]
804e34d1-804e34d6 6 bytes - nt!ExfInterlockedInsertTailList+1 (+0x1d)
[ fa 8b 41 04 89 0a:e9 f9 43 0e 01 cc ]
804e34f2-804e34f6 5 bytes - nt!ExfInterlockedRemoveHeadList+1 (+0x21)
[ fa 8b 01 3b c1:e9 8d 43 0e 01 ]
804e3b4c-804e3b50 5 bytes - nt!ExAcquireResourceExclusiveLite+7
(+0x65a)
[ 64 a1 24 01 00:e9 19 05 10 01 ]
804e3b6d-804e3b71 5 bytes - nt!ExAcquireResourceExclusiveLite+47
(+0x21)
[ 89 46 1c 66 89:e9 16 05 10 01 ]
804e9175-804e917a 6 bytes - nt!ExAcquireSharedWaitForExclusive+10
(+0x5608)
[ fa 8b 75 08 33 db:e9 d4 e7 0d 01 cc ]
804e9194 - nt!ExAcquireSharedWaitForExclusive+ae (+0x1f)
[ fb:90 ]
804e9199-804e91a0 8 bytes - nt!ExAcquireSharedWaitForExclusive+ef
(+0x05)
[ c2 08 00 90 90 90 90 90:0f c7 c8 02 03 c2 08 00 ]
804ed809-804ed80f 7 bytes - nt!CcGetActiveVacb+5 (+0x4670)
[ fa 8b 45 08 8b 48 48:e9 5e a1 0d 01 cc cc ]
804ef1dc-804ef1e3 8 bytes - nt!CcSetActiveVacb+7 (+0x19d3)
[ fa 8b 45 08 83 78 48 00:e9 e0 87 0d 01 cc cc cc ]
804ef1ff-804ef20c 14 bytes - nt!CcSetActiveVacb+a3 (+0x23)
[ 8b 0a 89 48 48 89 58 50:e9 ad 87 0d 01 e9 9c 87 ]
130 errors : !nt (804d910c-804ef20c)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MEMORY_CORRUPTOR: LARGE
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE
BUCKET_ID: MEMORY_CORRUPTION_LARGE
Followup: memory_corruption
---------
--
Regards
KBJ
Maxim S. Shatskih
> Service, Windows is crashing (PFN_LIST_CORRUPT (4e)).
MDL mismanagement usually.
--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
ma...@storagecraft.com
http://www.storagecraft.com