bug check in wdf01000.sys

Hello,

I developed and installed a KMDF driver for a PCIe FPGA. OS: Win7-64
Upon trying to write a HW register with an IOCTL from the application, I got a blue screen.

Can you please help:
How can a bug in my driver cause a crash in wdf01000.sys?

Thank you,
Zvika

Following are the details:

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [D:\module\FIO\071717-46691-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\MySymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\Windows\System32
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.23796.amd64fre.win7sp1_ldr.170427-1518
Machine Name:
Kernel base = 0xfffff8000300b000 PsLoadedModuleList = 0xfffff8000324d730
Debug session time: Mon Jul 17 16:44:40.768 2017 (UTC + 3:00)
System Uptime: 0 days 0:06:40.672
Loading Kernel Symbols



Loading User Symbols
Loading unloaded module list

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {ffffffffc0000005, fffff88000e5188d, fffff880035a82f8, fffff880035a7b50}

Probably caused by : Wdf01000.sys ( Wdf01000!FxRequest::CompleteInternal+21 )

Followup: MachineOwner

7: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff88000e5188d, The address that the exception occurred at
Arg3: fffff880035a82f8, Exception Record Address
Arg4: fffff880035a7b50, Context Record Address

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
Wdf01000!FxRequest::CompleteInternal+21
fffff880`00e5188d 498b9db8000000 mov rbx,qword ptr [r13+0B8h]

EXCEPTION_RECORD: fffff880035a82f8 -- (.exr 0xfffff880035a82f8)
ExceptionAddress: fffff88000e5188d (Wdf01000!FxRequest::CompleteInternal+0x0000000000000021)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 00000000000000b8
Attempt to read from address 00000000000000b8

CONTEXT: fffff880035a7b50 -- (.cxr 0xfffff880035a7b50)
rax=0000000000000000 rbx=fffffa800b4c4b60 rcx=fffffa800b4c4b60
rdx=0000000000000000 rsi=0000000000000000 rdi=fffffa8009b4fa20
rip=fffff88000e5188d rsp=fffff880035a8530 rbp=0000000000000000
r8=0000000000000000 r9=fffff880051e40f0 r10=fffffa8009b4fba0
r11=fffffa800b4c4b50 r12=0000057ff4b3b498 r13=0000000000000000
r14=0000000000000000 r15=fffffa8009b8d8f0
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
Wdf01000!FxRequest::CompleteInternal+0x21:
fffff88000e5188d 498b9db8000000 mov rbx,qword ptr [r13+0B8h] ds:002b:00000000000000b8=???
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 00000000000000b8

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800032b7100
00000000000000b8

FOLLOWUP_IP:
Wdf01000!FxRequest::CompleteInternal+21
fffff880`00e5188d 498b9db8000000 mov rbx,qword ptr [r13+0B8h]

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from 0000000000000000 to fffff88000e5188d

STACK_TEXT:
fffff880035a8530 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : Wdf01000!FxRequest::CompleteInternal+0x21

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Wdf01000!FxRequest::CompleteInternal+21

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Wdf01000

IMAGE_NAME: Wdf01000.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 51c55683

STACK_COMMAND: .cxr 0xfffff880035a7b50 ; kb

FAILURE_BUCKET_ID: X64_0x7E_Wdf01000!FxRequest::CompleteInternal+21

BUCKET_ID: X64_0x7E_Wdf01000!FxRequest::CompleteInternal+21

Followup: MachineOwner

> Can you please help:
> How can a bug in my driver cause a crash in wdf01000.sys?

Very simple. Your driver can pass an invalid pointer to KMDF and it will dereference it. Or an invalid structure/array size.
Really, consider my previous advice.

-- pa

Hi Pavel,

The cause of the crash:

After calling WdfRequestCompleteWithInformation at the end of the IOCTL message handler, I also called WdfRequestComplete by mistake.

Thank you,
Zvika
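The root cause Zvika reports is a request completed twice: once through WdfRequestCompleteWithInformation and again through a stray WdfRequestComplete. The dump is consistent with that: the faulting instruction `mov rbx,qword ptr [r13+0B8h]` runs with r13 = 0, so the framework is reading a field of a request object that no longer exists. The block below is an added example, not the poster's driver and not KMDF code; it is a host-compiled model in which the hypothetical `ModelRequestComplete`, `MODEL_REQUEST` and `MODEL_IOCTL_WRITE_REG` stand in for the framework calls so that it builds without the WDK. It places the buggy handler beside the fixed one and counts completions per request, which is the invariant the framework's verifier checks.

```c
/*
 * Added example (not the original poster's driver, not KMDF code): a
 * host-compiled model of the "complete a request exactly once" rule.
 * Everything prefixed MODEL_/Model is an assumption of this example that
 * stands in for WDFREQUEST, WdfRequestCompleteWithInformation and
 * WdfRequestComplete.
 */
#include <stdint.h>
#include <stdio.h>

typedef long MODEL_NTSTATUS;
#define MODEL_STATUS_SUCCESS           0L
#define MODEL_STATUS_INVALID_PARAMETER 0xC000000DL

#define MODEL_IOCTL_WRITE_REG 0x222004u   /* constructed control code for the model */

/* Stand-in for the framework's per-request object (WDFREQUEST). */
typedef struct _MODEL_REQUEST {
    uint32_t       ioctl_code;
    uint32_t       in_value;        /* value the caller wants written to the register */
    int            completions;     /* how many times the driver completed this request */
    int            double_complete; /* set when a second completion is attempted */
    MODEL_NTSTATUS final_status;
} MODEL_REQUEST;

/* Toy register file standing in for the FPGA BAR mapping. */
static volatile uint32_t g_model_regs[4];

/*
 * Stand-in for WdfRequestComplete / WdfRequestCompleteWithInformation.
 * In the real framework the second call touches a request object that has
 * already been torn down, which is what produced the NULL-based read in
 * FxRequest::CompleteInternal in the posted dump. The model records the
 * second completion instead of crashing, which is the check KMDF's verifier
 * (VerifierOn) performs.
 */
static void ModelRequestComplete(MODEL_REQUEST *req, MODEL_NTSTATUS status)
{
    req->completions++;
    if (req->completions > 1) {
        req->double_complete = 1;   /* verifier would break into the debugger here */
        return;
    }
    req->final_status = status;
}

/* The bug the thread describes: complete with information, then complete again. */
static void EvtIoDeviceControl_Buggy(MODEL_REQUEST *req)
{
    MODEL_NTSTATUS status = MODEL_STATUS_INVALID_PARAMETER;

    if (req->ioctl_code == MODEL_IOCTL_WRITE_REG) {
        g_model_regs[0] = req->in_value;
        status = MODEL_STATUS_SUCCESS;
    }
    ModelRequestComplete(req, status);   /* WdfRequestCompleteWithInformation(...) */
    ModelRequestComplete(req, status);   /* stray WdfRequestComplete(...): request is gone */
}

/* Fixed handler: one completion on one exit path, then return. */
static void EvtIoDeviceControl_Fixed(MODEL_REQUEST *req)
{
    MODEL_NTSTATUS status = MODEL_STATUS_INVALID_PARAMETER;

    if (req->ioctl_code == MODEL_IOCTL_WRITE_REG) {
        g_model_regs[0] = req->in_value;
        status = MODEL_STATUS_SUCCESS;
    }
    ModelRequestComplete(req, status);   /* the request handle must not be used after this */
}

/* Run one IOCTL through a handler; return how many times it completed the request. */
static int CompletionCount(void (*handler)(MODEL_REQUEST *), uint32_t code, uint32_t value)
{
    MODEL_REQUEST req = { code, value, 0, 0, MODEL_STATUS_INVALID_PARAMETER };
    handler(&req);
    return req.completions;
}

/* Run one IOCTL through a handler; return 1 if a double completion was detected. */
static int DetectsDoubleComplete(void (*handler)(MODEL_REQUEST *), uint32_t code, uint32_t value)
{
    MODEL_REQUEST req = { code, value, 0, 0, MODEL_STATUS_INVALID_PARAMETER };
    handler(&req);
    return req.double_complete;
}

int main(void)
{
    printf("buggy handler: %d completions, double-complete=%d\n",
           CompletionCount(EvtIoDeviceControl_Buggy, MODEL_IOCTL_WRITE_REG, 0xA5u),
           DetectsDoubleComplete(EvtIoDeviceControl_Buggy, MODEL_IOCTL_WRITE_REG, 0xA5u));
    printf("fixed handler: %d completions, double-complete=%d\n",
           CompletionCount(EvtIoDeviceControl_Fixed, MODEL_IOCTL_WRITE_REG, 0xA5u),
           DetectsDoubleComplete(EvtIoDeviceControl_Fixed, MODEL_IOCTL_WRITE_REG, 0xA5u));
    return 0;
}
```

On a real target the same mistake is caught before it becomes an opaque crash in Wdf01000.sys by enabling KMDF's verifier: set the DWORD `VerifierOn` to 1 under `HKLM\SYSTEM\CurrentControlSet\Services\<driver service name>\Parameters\Wdf` and reload the driver, after which the framework breaks into the attached debugger at the second completion with a message naming the request. With a kernel debugger attached, `!wdfkd.wdflogdump <driver name>` prints the framework's in-flight recorder for the driver, which shows the two completion calls on the same request in order.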