Crash with IoReleaseRemoveLock on WinXp

Hello!
My driver (a USB filter driver) has worked fine for a long time (a couple of years), but now it has started to crash sometimes:

********************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.
Arguments:
Arg1: 00000016, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80502faa, address which referenced memory

Debugging Details:

READ_ADDRESS: 00000016
CURRENT_IRQL: 1c
FAULTING_IP:
nt!KiWaitTest+30
80502faa 6683781601 cmp word ptr [eax+16h],1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
LAST_CONTROL_TRANSFER: from 804fa2fe to 80502faa

STACK_TEXT:
b9d13c4c 804fa2fe 87d82518 c00000bb 87d9dbb8 nt!KiWaitTest+0x30
b9d13c60 804f5aff 87d82518 00000000 00000000 nt!KeSetEvent+0x5a
b9d13c80 b7173bd3 87d82510 87d9dbb8 00000000 nt!IoReleaseRemoveLockEx+0xb9
b9d13ca0 b71761b9 00000000 87d9dbb8 b9d13cec MYDRIVER!FilterObjectDispatchIRP+0x59 [c:\driverwork\MYDRIVER.c @ 500]
b9d13cb0 804ef1f9 87d82430 87d9dbb8 87d9dbb8 MYDRIVER!PassThroughRequest+0x37 [f:\driverwork\MYDRIVER.c @ 298]
b9d13cc0 80605560 b9d13d44 87d9dbb8 87d80000 nt!IopfCallDriver+0x31
b9d13cec 80605629 87d9dbb8 0000000b 87dab604 nt!WmipForwardWmiIrp+0x17e
b9d13d18 806068fd 0000000b 87dab6f8 00000000 nt!WmipSendWmiIrp+0x59
b9d13d54 8060699f 87e679a8 00000000 b9d13d7c nt!WmipRegisterOrUpdateDS+0x4f
b9d13d7c 80538923 00000000 00000000 8afd8020 nt!WmipRegistrationWorker+0x49
b9d13dac 805cffee 00000000 00000000 00000000 nt!ExpWorkerThread+0xef
b9d13ddc 8054620e 80538834 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
*******************************************

FilterObjectDispatchIRP :
*******************************************
NTSTATUS
FilterObjectDispatchIRP
(
    __in PDEVICE_OBJECT deviceObject,
    __in PIRP Irp
)
{
    NTSTATUS ntStatus;
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp); // not used in this excerpt
    PDEVICE_EXTENSION deviceExtension = (PDEVICE_EXTENSION)deviceObject->DeviceExtension;

    // Take a reference on the remove lock for the lifetime of this IRP;
    // this fails with STATUS_DELETE_PENDING once the device is being removed.
    ntStatus = IoAcquireRemoveLock(&deviceExtension->removeLock, Irp);
    if (!NT_SUCCESS(ntStatus))
    {
        return CompleteRequest(Irp, ntStatus, 0);
    }

    // Pass the IRP down unchanged to the next device in the stack.
    IoSkipCurrentIrpStackLocation(Irp);
    ntStatus = IoCallDriver(deviceExtension->nextDO, Irp);

    IoReleaseRemoveLock(&deviceExtension->removeLock, Irp); // <- Line 500 crash

    return ntStatus;
}
*******************************************

What can happen, and why? Only on WinXP… I have spent a lot of time trying to solve it (((
Thank you for help!

If I remember correctly, this is a bug in WMI where it doesn't take a reference when it queues a work item to perform the registration. Again, if I remember correctly, the fix was to acquire the wait lock before you make the WMI reg call, and then release it after processing the WMI reg IRP, right before completion.

Sent from my phone


From: xxxxx@lists.osr.com on behalf of xxxxx@gmail.com
Sent: Wednesday, February 22, 2017 1:54:14 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Crash with IoReleaseRemoveLock on WinXp
NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:
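To make the sequence in the reply above concrete, here is an added user-mode model in plain C. It is not driver code and not from this thread; every name with a MODEL_ prefix is hypothetical. It collapses a remove lock to a reference count plus a remove-pending flag, queues a worker that holds only a raw pointer to the device extension (the missing reference), and runs the same scenario twice: once as the original dispatch routine has it, and once with a reference acquired before the WMI registration call and released after the registration IRP has been processed.

```c
#include <stdbool.h>

/* Constructed model, not WDK code. Acquire fails once removal is pending
 * (as IoAcquireRemoveLock does with STATUS_DELETE_PENDING); the
 * release-and-wait on removal returns only when the count reaches zero. */
typedef struct {
    long io_count;        /* outstanding references on the device */
    bool remove_pending;  /* set by the release-and-wait on removal */
} MODEL_REMOVE_LOCK;

typedef struct {
    MODEL_REMOVE_LOCK remove_lock;
    bool freed;           /* models the extension memory being returned */
} MODEL_DEVICE_EXTENSION;

/* The queued WMI registration work item keeps a raw pointer to the
 * extension and takes no reference of its own: that is the race. */
typedef struct {
    MODEL_DEVICE_EXTENSION *ext;
    bool pending;
} MODEL_WORK_ITEM;

typedef struct {
    MODEL_DEVICE_EXTENSION ext;
    MODEL_WORK_ITEM worker;
    bool faulted;         /* a dispatch touched freed memory (the 0xA bugcheck) */
} MODEL_SYSTEM;

static bool model_acquire(MODEL_REMOVE_LOCK *lock)
{
    if (lock->remove_pending)
        return false;     /* STATUS_DELETE_PENDING: caller completes the IRP */
    lock->io_count++;
    return true;
}

static void model_release(MODEL_REMOVE_LOCK *lock)
{
    lock->io_count--;
}

/* The filter's dispatch routine for the registration IRP: acquire, forward,
 * release. With the workaround, the reference taken before registration is
 * dropped here, after the WMI IRP has been processed and before completion. */
static void model_dispatch_irp(MODEL_SYSTEM *sys, MODEL_DEVICE_EXTENSION *ext,
                               bool workaround)
{
    if (ext->freed) {     /* a real kernel has no such check: it just faults */
        sys->faulted = true;
        return;
    }
    if (model_acquire(&ext->remove_lock)) {
        /* IoSkipCurrentIrpStackLocation / IoCallDriver would happen here */
        model_release(&ext->remove_lock);
    }
    if (workaround)
        model_release(&ext->remove_lock);  /* the pre-registration reference */
}

/* Runs the queued worker once, the way the system worker thread would. */
static void model_run_worker(MODEL_SYSTEM *sys, bool workaround)
{
    if (!sys->worker.pending)
        return;
    sys->worker.pending = false;
    model_dispatch_irp(sys, sys->worker.ext, workaround);
}

/* The registration call as modelled: queues the worker without taking a
 * reference. The workaround acquires the remove lock before the call. */
static void model_wmi_register(MODEL_SYSTEM *sys, bool workaround)
{
    if (workaround)
        model_acquire(&sys->ext.remove_lock);
    sys->worker.ext = &sys->ext;
    sys->worker.pending = true;
}

/* Device removal: release-and-wait, then free the extension. The wait is
 * modelled by running pending work until the reference count drains. */
static void model_remove_device(MODEL_SYSTEM *sys, bool workaround)
{
    sys->ext.remove_lock.remove_pending = true;
    while (sys->ext.remove_lock.io_count > 0 && sys->worker.pending)
        model_run_worker(sys, workaround);
    sys->ext.freed = true;
}

/* Registration queued, device removed before the worker runs, worker runs
 * late. Returns true when the late worker touches the freed extension. */
bool model_scenario_faults(bool workaround)
{
    MODEL_SYSTEM sys = {0};
    model_wmi_register(&sys, workaround);
    model_remove_device(&sys, workaround);
    model_run_worker(&sys, workaround);
    return sys.faulted;
}
```

model_scenario_faults(false) returns true: the late worker runs the dispatch routine against an extension that was freed as soon as the remove lock's count hit zero, which is the user-mode counterpart of IoReleaseRemoveLockEx calling KeSetEvent on a stale lock in the stack above. model_scenario_faults(true) returns false: the release-and-wait cannot finish until the queued registration IRP has been processed and the extra reference dropped, so the extension outlives the worker.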

Doron Holan, thank you very much, I will try your advice!

Wow! GOOD one!

If that fixes the problem, Mr. Funky owes Mr. Holan some sort of a gift certificate or something. Perhaps buy him one of those new Teslas that are coming out. SOMEthing. If that’s the bug, you could have spent the rest of your days trying to find it without Mr. Holan’s help.

Peter
OSR
@OSRDrivers

Another reason to use KMDF ;). I had to identify the bug and add the workaround to the framework so that the community at large would be shielded from the race.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@osr.com
Sent: Thursday, February 23, 2017 2:42 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Crash with IoReleaseRemoveLock on WinXp