I get a random BSOD in the function FsRtlNotifyFullReportChange.
I would like an answer,
First question: how can the FsRtlNotifyFullReportChange function cause a BSOD at all?
I do not understand; I never modify the data of the variables notifysync and dirnotifylist myself —
in my driver, only the Windows kernel notification functions access this data.
I do not understand anything.
The variables pn and pn1 are correct.
WHY ???
The CCB is correct !
if ((irps->MajorFunction == IRP_MJ_DIRECTORY_CONTROL))
{
if ((irps->MinorFunction == IRP_MN_NOTIFY_CHANGE_DIRECTORY))
{
    /*
     * IRP_MN_NOTIFY_CHANGE_DIRECTORY: register a pending directory-change
     * notification for the directory opened by irps->FileObject.  After the
     * device-extension checks the request is handed to the FsRtl notify
     * package (FsRtlNotifyFullChangeDirectory), which keeps the IRP until a
     * matching change is reported, so this path answers STATUS_PENDING and
     * jumps to gty.  Every validation failure jumps to ANC.  Both labels,
     * and the enclosing IRP_MJ_DIRECTORY_CONTROL test, are outside this
     * excerpt.
     */
    PPARAMVDF vdf;
    PPARAMVCB vcb;
    PCCB fsc;
    ULONG CompletionFilter;
    PFILE_OBJECT file;
    BOOLEAN WatchTree;
    file = irps->FileObject;
    /* NOTE(review): %.8x prints only the low 32 bits of a 64-bit pointer; %p prints it whole. */
    KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY VCB:%d FILE:%.8x\n”, ISVCB, file));
    /* ISVCB is defined elsewhere; the request is only accepted on the volume device. */
    if (ISVCB == FALSE)
    {
        KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY EH !!! ISVCB==FALSE\n”));
        status = STATUS_INVALID_PARAMETER;
        goto ANC;
    }
    if (file == NULL)
    {
        KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY EH !!! file=NULLL\n”));
        status = STATUS_INVALID_PARAMETER;
        goto ANC;
    }
    KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY r?pertoire %wZ bt\n”, &file->FileName));
    /* Which change classes the caller wants, and whether subdirectories are included. */
    CompletionFilter = irps->Parameters.NotifyDirectory.CompletionFilter;
    WatchTree = (irps->Flags& SL_WATCH_TREE) == SL_WATCH_TREE;
    vcb = (PPARAMVCB)DeviceObject->DeviceExtension;
    {
        /*
         * identifier/sidentifier act as a type tag on the device extension,
         * guarding against an IRP arriving on the wrong device object.
         */
        BOOLEAN pasbon = FALSE;
        if (vcb->identifier != CIdentifier)
        {
            pasbon = TRUE;
            KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY vcb->identifier != CIdentifier %x\n”, vcb->identifier));
        }
        if (vcb->sidentifier != CIdentifierVCB)
        {
            pasbon = TRUE;
            KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY vcb->sidentifier != CIdentifierVCB %x\n”, vcb->sidentifier));
        }
        if (pasbon)
        {
            KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY PAS BON DONC 1\n”, vcb->sidentifier));
            status = STATUS_INVALID_PARAMETER;
            goto ANC;
        }
    }
    /*
     * NOTE(review): vdf is dereferenced by the tag checks right below, but
     * the NULL test on it only comes after them.  If DeviceExtension can be
     * NULL here, the NULL test must be moved up to this point.
     */
    vdf = (PPARAMVDF)vcb->Tdisk.DCB->DeviceExtension;
    {
        BOOLEAN pasbon = FALSE;
        if (vdf->identifier != CIdentifier)
        {
            pasbon = TRUE;
            /* NOTE(review): the field tested is vdf->identifier but the trace prints vcb's. */
            KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY dcb->identifier != CIdentifier %x\n”, vcb->identifier));
        }
        if (vdf->sidentifier != CIdentifierDCB)
        {
            pasbon = TRUE;
            /* NOTE(review): same slip — vdf->sidentifier is tested, vcb->sidentifier is printed. */
            KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY dcb->sidentifier != CIdentifierDCB %x\n”, vcb->sidentifier));
        }
        if (pasbon)
        {
            KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY PAS BON DONC 2\n”, vcb->sidentifier));
            status = STATUS_INVALID_PARAMETER;
            goto ANC;
        }
    }
    if (vdf == NULL)
    {
        KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY Gros soucis vdf=NULL\n”));
        status = STATUS_INVALID_PARAMETER;
        goto ANC;
    }
    KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY Before Context %x\n”, file->FsContext2));
    /*
     * LockVDFNotify takes an ERESOURCE exclusively (see its definition);
     * acquiring one needs normal kernel APCs disabled — presumably done by a
     * FsRtlEnterFileSystem earlier on this path, given the
     * CondiFsRtlExitFileSystem below.  Confirm.  The notify package itself is
     * serialized by NotifySync, so this resource is extra per-device
     * serialization whose purpose is not shown here.
     */
    LockVDFNotify(vdf);
    /*
     * Register the pending notify:
     *  - FsContext = file->FsContext2 (the CCB) is the key the notify package
     *    later uses to find and cancel this entry; the IRP_MJ_CLEANUP path for
     *    this CCB must call FsRtlNotifyCleanup with the same NotifySync,
     *    DirNotifyList and FsContext, otherwise the list keeps an entry that
     *    points at freed memory.  That path is not in this excerpt — confirm.
     *  - FullDirectoryName = &file->FileName: the notify package keeps the
     *    pointer it is given (presumably, not a copy) and reads it on every
     *    FsRtlNotifyFullReportChange; the string must stay valid and must be
     *    the full volume-relative path, in the same form as the names later
     *    reported.  File systems typically pass a name owned by their own
     *    FCB/DCB rather than FileObject->FileName for this reason.
     *  - The IRP is now owned by the notify package; it must not be
     *    completed or have IoStatus written on this path (see the removed
     *    line below).
     */
    FsRtlNotifyFullChangeDirectory(vdf->NotifySync,
                                   &vdf->DirNotifyList,
                                   file->FsContext2,
                                   (PSTRING)&file->FileName,
                                   WatchTree,
                                   FALSE,
                                   CompletionFilter,
                                   Irp,
                                   NULL,
                                   NULL);
    unLockVDFNotify(vdf);
    KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY After Context %x\n”, file->FsContext2));
    /* Re-read the CCB and check it is one of ours before touching it (vfsValidPointer is defined elsewhere). */
    fsc = (PCCB)file->FsContext2;
    fsc = vfsValidPointer(vdf, fsc);
    if (fsc != NULL)
        fsc->evchgdirectory = TRUE;   /* remember that a change-directory notify is pending on this CCB */
    else
        KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY Not found fsc\n”));
    //Irp->IoStatus.Status=STATUS_SUCCESS; //// side effect — removed 07092017
    /* The IRP stays pending inside the notify package. */
    status = STATUS_PENDING;
    CondiFsRtlExitFileSystem();
    goto gty;
}
void LockVDFNotify(PPARAMVDF vdf)
{
    /*
     * Acquire the device's ResourceNextFile ERESOURCE exclusively, waiting
     * (Wait = TRUE) until it is free.  Pair every call with unLockVDFNotify.
     * NOTE(review): ExAcquireResourceExclusiveLite requires the caller to
     * have normal kernel APCs disabled (KeEnterCriticalRegion or
     * FsRtlEnterFileSystem); this wrapper does not do that itself, so every
     * caller must already be in that state — confirm for the IOCTL path.
     */
    PPARAMVDF target = vdf;
    (void)ExAcquireResourceExclusiveLite(&target->ResourceNextFile, TRUE);
}
void unLockVDFNotify(PPARAMVDF vdf)
{
    /*
     * Release the ResourceNextFile ERESOURCE taken by LockVDFNotify.  Must be
     * called on the same vdf, by the thread that acquired it.
     */
    PPARAMVDF target = vdf;
    ExReleaseResourceLite(&target->ResourceNextFile);
}
case IOCTL_CMD_FILE_NOTIFY:
{
    /*
     * A user-mode process reports a directory change to the driver, which
     * forwards it to the FsRtl notify package so that the pending
     * IRP_MN_NOTIFY_CHANGE_DIRECTORY requests on that volume complete.  The
     * input is untrusted: it is accepted only after the length, device-id,
     * owning-process and command checks below.  The enclosing switch is
     * outside this excerpt.
     */
    DWORD si;
    KdPrintf((“IOCTL_CMD_FILE_NOTIFY\n”));
    si = irps->Parameters.DeviceIoControl.InputBufferLength;
    /* The common header must fit before any of its fields is read. */
    if (si >= sizeof(TNOTIFY))
    {
        /* AssociatedIrp.SystemBuffer: buffered I/O, i.e. a kernel copy of the caller's input. */
        PNOTIFY pn = (PNOTIFY)irp->AssociatedIrp.SystemBuffer;
        if (pn != NULL)
        {
            PPARAMVDF vdf = NULL;
            /* Caller-supplied id -> per-device parameters (vdf_GetParamFromID is defined elsewhere). */
            vdf = vdf_GetParamFromID(pn->id);
            if (vdf != NULL)
            {
                /* Only the process that owns this device may report changes for it. */
                if (vdf->hProcessID == hpid)
                {
                    KdPrintf((“IOCTL_CMD_FILE_NOTIFY bon id\n”));
                    if ((vdf->used == TRUE) && (vdf->parameter == TRUE))
                    {
                        if (pn->internalcmd == 1)
                        {
                            /* Second length check for the larger TNOTIFY1 layout. */
                            if (si >= sizeof(TNOTIFY1))
                            {
                                UNICODE_STRING strfilename;
                                PNOTIFY1 pn1 = (PNOTIFY1)pn;
                                /*
                                 * NOTE(review): nothing here verifies that pn1->filename is
                                 * NUL-terminated within the si bytes the caller supplied.
                                 * Both the %ws trace and RtlInitUnicodeString scan for the
                                 * terminator, so a caller that omits it makes the kernel
                                 * read past the input buffer.  Bound the scan by the buffer
                                 * size and reject the request before the string is used.
                                 * pn1->namaeoffset is also caller-controlled and becomes
                                 * TargetNameOffset, an index into that string; check it
                                 * against the string length as well.
                                 */
                                KdPrintfd2((“IOCTL_CMD_FILE_NOTIFY ‘%ws’ filtermatch:%d action:%d\n”, pn1->filename, pn1->filtermatch, pn1->action));
                                /* Does not allocate: strfilename points into SystemBuffer. */
                                RtlInitUnicodeString(&strfilename, pn1->filename);
                                LockVDFNotify(vdf);
                                /*
                                 * Walks vdf->DirNotifyList and matches the reported full path
                                 * against each pending entry's FullDirectoryName (the one
                                 * registered by FsRtlNotifyFullChangeDirectory), so both must
                                 * use the same volume-relative form.  The reported
                                 * PAGE_FAULT_IN_NONPAGED_AREA (Arg1 ffffe0008f814108) is inside
                                 * that walk, at nt!FsRtlNotifyFilterReportChange reading a
                                 * nonpaged-pool address, which is consistent with an entry
                                 * whose name or context has already been freed — e.g. a
                                 * directory closed without FsRtlNotifyCleanup on its
                                 * IRP_MJ_CLEANUP path.  Hypothesis only; confirm against that
                                 * handler.
                                 */
                                FsRtlNotifyFullReportChange(
                                    vdf->NotifySync,
                                    &vdf->DirNotifyList,
                                    (PSTRING)&strfilename,
                                    pn1->namaeoffset,
                                    NULL,
                                    NULL,
                                    pn1->filtermatch,
                                    pn1->action,
                                    NULL
                                );
                                unLockVDFNotify(vdf);
                                //RtlFreeUnicodeString(&strfilename);  /* correctly left out: nothing was allocated */
                                status = STATUS_SUCCESS;
                            }
                            else
                            {
                                /* NOTE(review): sizeof yields size_t; %d expects int. */
                                KdPrintfd2((“IOCTL_CMD_FILE_NOTIFY si < sizeof(TNOTIFY1) %d<%d\n”,si,sizeof(TNOTIFY1)));
                                status = STATUS_BUFFER_TOO_SMALL;
                            }
                        }
                        else
                        {
                            KdPrintfd2((“IOCTL_CMD_FILE_NOTIFY cmd:%d unkown\n”,pn->internalcmd));
                            status = STATUS_NOT_IMPLEMENTED;
                        }
                    }
                    else
                    {
                        KdPrintfd2((“IOCTL_CMD_FILE_NOTIFY device:%d removed\n”, pn->id));
                        status = STATUS_DEVICE_REMOVED;
                    }
                }
                else
                {
                    /* Format string has no conversion for the pn->internalcmd argument. */
                    KdPrintfd2((“IOCTL_CMD_FILE_NOTIFY process is not own\n”, pn->internalcmd));
                    status = STATUS_ACCESS_DENIED;
                }
            }
            else
            {
                KdPrintfd2((“IOCTL_CMD_FILE_NOTIFY device:%d invalid\n”, pn->id));
                status = STATUS_INVALID_HANDLE;
            }
        }
        else
        {
            status = STATUS_INTERNAL_ERROR;
        }
    }
    else
    {
        KdPrintfd2((“IOCTL_CMD_FILE_NOTIFY si < sizeof(TNOTIFY) %d<%d\n”, si, sizeof(TNOTIFY)));
        status = STATUS_BUFFER_TOO_SMALL;
    }
}
break;
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffe0008f814108, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff801678ec046, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 10240.17443.amd64fre.th1.170602-2340
SYSTEM_MANUFACTURER: innotek GmbH
VIRTUAL_MACHINE: VirtualBox
SYSTEM_PRODUCT_NAME: VirtualBox
SYSTEM_VERSION: 1.2
BIOS_VENDOR: innotek GmbH
BIOS_VERSION: VirtualBox
BIOS_DATE: 12/01/2006
BASEBOARD_MANUFACTURER: Oracle Corporation
BASEBOARD_PRODUCT: VirtualBox
BASEBOARD_VERSION: 1.2
DUMP_TYPE: 1
BUGCHECK_P1: ffffe0008f814108
BUGCHECK_P2: 0
BUGCHECK_P3: fffff801678ec046
BUGCHECK_P4: 0
READ_ADDRESS: ffffe0008f814108 Nonpaged pool
FAULTING_IP:
nt!FsRtlNotifyFilterReportChange+41e
fffff801`678ec046 663938 cmp word ptr [rax],di
MM_INTERNAL_CODE: 0
CPU_COUNT: 2
CPU_MHZ: fa0
CPU_VENDOR: AuthenticAMD
CPU_FAMILY: 15
CPU_MODEL: 2
CPU_STEPPING: 0
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: SampleFileSystem.exe
CURRENT_IRQL: 2
ANALYSIS_SESSION_HOST: DESKTOP-J0KVJ3N
ANALYSIS_SESSION_TIME: 07-19-2018 19:49:39.0356
ANALYSIS_VERSION: 10.0.15063.468 amd64fre
TRAP_FRAME: ffffd0012a2d16d0 – (.trap 0xffffd0012a2d16d0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe0008f814108 rbx=0000000000000000 rcx=ffffc00071159410
rdx=ffffe0008dbc0d00 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801678ec046 rsp=ffffd0012a2d1860 rbp=ffffd0012a2d3780
r8=0000000000000000 r9=ffffe0008f5fba38 r10=ffffd0012a2d1ff8
r11=ffffd0012a2d1998 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
nt!FsRtlNotifyFilterReportChange+0x41e:
fffff801678ec046 663938 cmp word ptr [rax],di ds:ffffe0008f814108=???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff801675a1714 to fffff801675595f0
STACK_TEXT:
ffffd0012a2d1488 fffff801675a1714 : 0000000000000050 ffffe0008f814108 0000000000000000 ffffd0012a2d16d0 : nt!KeBugCheckEx
ffffd0012a2d1490 fffff8016743eeb6 : 0000000000000000 0000000000000000 ffffd0012a2d16d0 0000000000000000 : nt! ?? ::FNODOBFM::string'+0x39514
ffffd0012a2d1580 fffff801675626bd : 0000000000000000 ffffd0012a2d1860 ffffe0008f780840 0000000000000010 : nt!MmAccessFault+0x696
ffffd0012a2d16d0 fffff801678ec046 : fffff801e8d1bf30 ffffd0012a2d3780 000000000000001d fffff80100000004 : nt!KiPageFault+0x13d
ffffd0012a2d1860 fffff80167a70827 : ffffe0008c95e890 ffffe0008dbc0d00 ffffd0012a2d1ff8 ffffd0012a2d0002 : nt!FsRtlNotifyFilterReportChange+0x41e
ffffd0012a2d19a0 fffff801e8d154c8 : ffffe0008dbc01c0 ffffcf8187982fe0 000000000000001d fffff801e8d248f4 : nt!FsRtlNotifyFullReportChange+0x4b
ffffd0012a2d1a00 fffff801e8d138ce : ffffe0008c1c18a0 ffffcf8186f6aea0 ffffcf8186f6af70 0000000000000007 : vfs_x64!vfums_deviceiocontrol+0x1128 [c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c @ 1294]
ffffd0012a2d3640 fffff801e8d137be : ffffe0008c1c18a0 ffffcf8186f6aea0 ffffcf8186f6af70 fffff80167b481ba : vfs_x64!controldispatch+0x9e [c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c @ 3819]
ffffd0012a2d3680 fffff801e8d1c007 : ffffe0008c1c18a0 ffffcf8186f6aea0 0000000000000001 0000000000001bae : vfs_x64!_DrvDispatch+0x19e [c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c @ 4986]
ffffd0012a2d36e0 fffff801e6c4cd70 : ffffe0008c1c18a0 ffffcf8186f6aea0 ffffcf8186f6afb8 ffffe0008e0f9230 : vfs_x64!DrvDispatch+0xd7 [c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\ui.c @ 345]
ffffd0012a2d3750 fffff80167b35044 : ffffcf8186f6aea0 0000000000000002 0000000000000000 ffffe00020206f49 : VerifierExt!xdv_IRP_MJ_DEVICE_CONTROL_wrapper+0xe0
ffffd0012a2d37b0 fffff8016741cd42 : 0000000000000001 ffffd0012a2d3b80 ffffe0008c5adf20 ffffe0008e0f9190 : nt!IovCallDriver+0x3d8
ffffd0012a2d3810 fffff80167824f9d : 0000000000000000 ffffd0012a2d3b80 ffffe0008c5adf20 ffffe000000001c8 : nt!IofCallDriver+0x72
ffffd0012a2d3850 fffff80167823d66 : fffff801e6b32d90 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x122d
ffffd0012a2d3a20 fffff80167563c63 : fffff6fb5ffdd880 0000000000000000 0000000000000000 0000000000000000 : nt!NtDeviceIoControlFile+0x56
ffffd0012a2d3a90 00007ffc815a389a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
0000000004d6d328 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffc815a389a
STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: 13e6c9bc8044d0731fcd499ce3dc691a54a2990e
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 421722234584b59c8f1f49e2e3ea5230e98ae2a2
THREAD_SHA1_HASH_MOD: 8c264e8de88b25cb7e9e676820d23d3abe940b7a
FOLLOWUP_IP:
vfs_x64!vfums_deviceiocontrol+1128 [c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c @ 1294]
fffff801`e8d154c8 488b8c2438010000 mov rcx,qword ptr [rsp+138h]
FAULT_INSTR_CODE: 248c8b48
FAULTING_SOURCE_LINE: c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c
FAULTING_SOURCE_FILE: c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c
FAULTING_SOURCE_LINE_NUMBER: 1294
FAULTING_SOURCE_CODE:
1290: pn1->filtermatch,
1291: pn1->action,
1292: NULL
1293: );
1294: unLockVDFNotify(vdf);
1295: //RtlFreeUnicodeString(&strfilename);
1296: status = STATUS_SUCCESS;
1297: }
1298: else
1299: {
What is this memory address (0xffffe0008f814108)?
I am unable to debug it.
Help please !!!