Tuesday, April 28, 2009

A Driver Crash Dump Analysis

//
// According to !analyze, the BSoD occurred because the tmtdi driver accessed an illegal memory address (90900020)
// while it was processing a network event (connect).
//

0: kd> vertarget
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: LanManNt, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp1_rtm.050324-1447
Machine Name:*** ERROR: Module load completed but symbols could not be loaded for srv.sys

Kernel base = 0x80800000 PsLoadedModuleList = 0x808af988
Debug session time: Wed Apr 8 18:00:01.906 2009 (GMT+9)
System Uptime: 0 days 0:02:28.656

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 90900020, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: ba3979e2, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS: 90900020

CURRENT_IRQL: 2

FAULTING_IP:
tmtdi!MyEventConnect+580 [d:\nsc5.3\src\tmtdi\drv\sys\tmtdint.c @ 266]
ba3979e2 8b4e18 mov ecx,dword ptr [esi+18h]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: casdscsvc.exe

TRAP_FRAME: f789e7ac -- (.trap 0xfffffffff789e7ac)
ErrCode = 00000000
eax=ba49c387 ebx=10000000 ecx=16a10003 edx=16a00002 esi=90900008 edi=f789e890
eip=ba3979e2 esp=f789e820 ebp=f789e8cc iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
tmtdi!MyEventConnect+0x580:
ba3979e2 8b4e18 mov ecx,dword ptr [esi+18h] ds:0023:90900020=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from ba3979e2 to 80837ed5

STACK_TEXT:
f789e7ac ba3979e2 badb0d00 16a00002 00000000 nt!KiTrap0E+0x2a7
f789e8cc ba49bd8a 88a68558 00000016 f789e930 tmtdi!MyEventConnect+0x580
f789e94c ba49caf9 88c87e98 190215ac 00007013 tcpip!DelayedAcceptConn+0xbe
f789ea10 ba4a6f9f 89b406f0 0b0215ac 190215ac tcpip!TCPRcv+0x1054
f789ea70 ba4a69e8 00000020 89b406f0 ba4a854d tcpip!DeliverToUser+0x189
f789eb24 ba4a6c66 89b406f0 89ac562c 0000001a tcpip!IPRcvPacket+0x66c
f789eb64 ba4a6d68 00000000 89df7828 89ac560a tcpip!ARPRcvIndicationNew+0x149
f789eba0 f72141d9 89ab2008 00000000 00000000 tcpip!ARPRcvPacket+0x68
f789ebf4 baaed769 89be1130 f789eda4 00000002 NDIS!ethFilterDprIndicateReceivePacket+0x318
WARNING: Stack unwind information not available. Following frames may be wrong.
f789ef3c bab034ab 00000002 89b1b500 89b16000 b57xp32+0x6769
00000000 00000000 00000000 00000000 00000000 b57xp32+0x1c4ab


STACK_COMMAND: kb

FOLLOWUP_IP:
tmtdi!MyEventConnect+580
ba3979e2 8b4e18 mov ecx,dword ptr [esi+18h]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: tmtdi!MyEventConnect+580

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: tmtdi

IMAGE_NAME: tmtdi.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 47ce457b

FAILURE_BUCKET_ID: 0xD1_tmtdi!MyEventConnect+580

BUCKET_ID: 0xD1_tmtdi!MyEventConnect+580

Followup: MachineOwner
---------

0: kd> .trap 0xfffffffff789e7ac
ErrCode = 00000000
eax=ba49c387 ebx=10000000 ecx=16a10003 edx=16a00002 esi=90900008 edi=f789e890
eip=ba3979e2 esp=f789e820 ebp=f789e8cc iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
tmtdi!MyEventConnect+0x580:
ba3979e2 8b4e18 mov ecx,dword ptr [esi+18h] ds:0023:90900020=????????

//
// The illegal address (90900020) lies inside the IRP's CurrentStackLocation (esi = 90900008; the faulting
// instruction reads [esi+18h]). The IRP (ba49c387) has already been freed, even though the ClientEventConnect
// event handler returned STATUS_MORE_PROCESSING_REQUIRED (c0000016), which tells tmtdi to go on using that IRP.
//

0: kd> ub tmtdi!MyEventConnect+0x580 L16
tmtdi!MyEventConnect+0x510
ba397972 398570ffffff cmp dword ptr [ebp-90h],eax
ba397978 743b je tmtdi!MyEventConnect+0x553 (ba3979b5)
ba39797a ffb56cffffff push dword ptr [ebp-94h]
ba397980 ffb560ffffff push dword ptr [ebp-0A0h]
ba397986 ffb564ffffff push dword ptr [ebp-9Ch]
ba39798c ff751c push dword ptr [ebp+1Ch]
ba39798f ffb574ffffff push dword ptr [ebp-8Ch]
ba397995 ff7514 push dword ptr [ebp+14h]
ba397998 ffb568ffffff push dword ptr [ebp-98h]
ba39799e ff750c push dword ptr [ebp+0Ch]
ba3979a1 ffb680000000 push dword ptr [esi+80h]
ba3979a7 ff9570ffffff call dword ptr [ebp-90h] // <== This is ClientEventConnect event handler. (*4)
ba3979ad 898578ffffff mov dword ptr [ebp-88h],eax // <== Set return code of the event handler. (*3)
ba3979b3 eb0a jmp tmtdi!MyEventConnect+0x55d (ba3979bf)
ba3979b5 c78578ffffff010000c0 mov dword ptr [ebp-88h],0C0000001h
ba3979bf 81bd78ffffff160000c0 cmp dword ptr [ebp-88h],0C0000016h
ba3979c9 0f85f7000000 jne tmtdi!MyEventConnect+0x664 (ba397ac6)
ba3979cf 8b856cffffff mov eax,dword ptr [ebp-94h] // <== (*1)
ba3979d5 8b00 mov eax,dword ptr [eax] // <== (*2)
ba3979d7 85c0 test eax,eax
ba3979d9 0f84e7000000 je tmtdi!MyEventConnect+0x664 (ba397ac6)
ba3979df 8b7060 mov esi,dword ptr [eax+60h]
0: kd> u tmtdi!MyEventConnect+0x580
tmtdi!MyEventConnect+0x580
ba3979e2 8b4e18 mov ecx,dword ptr [esi+18h] // <== BSoD point.
ba3979e5 89b574ffffff mov dword ptr [ebp-8Ch],esi
ba3979eb ff156cc639ba call dword ptr [tmtdi!_imp_ObfReferenceObject (ba39c66c)]
ba3979f1 ff7618 push dword ptr [esi+18h]
ba3979f4 6860c939ba push offset tmtdi!gDeviceContext (ba39c960)
ba3979f9 e8da82ffff call tmtdi!FindEventInfo (ba38fcd8)
ba3979fe 85c0 test eax,eax
ba397a00 898570ffffff mov dword ptr [ebp-90h],eax

0: kd> dds ebp-0x94 L1 // <== (*1)
f789e838 f789e910

0: kd> ? poi(f789e910)
Evaluate expression: -1169570937 = ba49c387 // <== eax's value after (*2).

0: kd> dt nt!_IRP poi(f789e910) -r2
   +0x000 Type : -16251
   +0x002 Size : 0x850f
   +0x004 MdlAddress : 0x000000b5 _MDL
      +0x000 Next : ????
      +0x004 Size : ??
      +0x006 MdlFlags : ??
      +0x008 Process : ????
      +0x00c MappedSystemVa : ????
      +0x010 StartVa : ????
      +0x014 ByteCount : ??
      +0x018 ByteOffset : ??
   +0x008 Flags : 0xe90107c6
   +0x00c AssociatedIrp : __unnamed
      +0x000 MasterIrp : 0x000000ab _IRP
         +0x000 Type : ??
         +0x002 Size : ??
         +0x004 MdlAddress : ????
         +0x008 Flags : ??
         +0x00c AssociatedIrp : __unnamed
         +0x010 ThreadListEntry : _LIST_ENTRY
         +0x018 IoStatus : _IO_STATUS_BLOCK
         +0x020 RequestorMode : ??
         +0x021 PendingReturned : ??
         +0x022 StackCount : ??
         +0x023 CurrentLocation : ??
         +0x024 Cancel : ??
         +0x025 CancelIrql : ??
         +0x026 ApcEnvironment : ??
         +0x027 AllocationFlags : ??
         +0x028 UserIosb : ????
         +0x02c UserEvent : ????
         +0x030 Overlay : __unnamed
         +0x038 CancelRoutine : ????
         +0x03c UserBuffer : ????
         +0x040 Tail : __unnamed
      +0x000 IrpCount : 171
      +0x000 SystemBuffer : 0x000000ab
   +0x010 ThreadListEntry : _LIST_ENTRY [ 0x90909090 - 0x55ff8b90 ]
      +0x000 Flink : 0x90909090 _LIST_ENTRY
         +0x000 Flink : ????
         +0x004 Blink : ????
      +0x004 Blink : 0x55ff8b90 _LIST_ENTRY
         +0x000 Flink : ????
         +0x004 Blink : ????
   +0x018 IoStatus : _IO_STATUS_BLOCK
      +0x000 Status : -1957237621
      +0x000 Pointer : 0x8b56ec8b
      +0x004 Information : 0x4eff0875
   +0x020 RequestorMode : 48 '0'
   +0x021 PendingReturned : 0x57 'W'
   +0x022 StackCount : 15 ''
   +0x023 CurrentLocation : -123 ''
   +0x024 Cancel : 0x70 'p'
   +0x025 CancelIrql : 0x1 ''
   +0x026 ApcEnvironment : 0 ''
   +0x027 AllocationFlags : 0 ''
   +0x028 UserIosb : 0x4defc0bf _IO_STATUS_BLOCK
      +0x000 Status : ??
      +0x000 Pointer : ????
      +0x004 Information : ??
   +0x02c UserEvent : 0xffcf8bba _KEVENT
      +0x000 Header : _DISPATCHER_HEADER
         +0x000 Type : ??
         +0x001 Absolute : ??
         +0x001 NpxIrql : ??
         +0x002 Size : ??
         +0x002 Hand : ??
         +0x003 Inserted : ??
         +0x003 DebugActive : ??
         +0x000 Lock : ??
         +0x004 SignalState : ??
         +0x008 WaitListHead : _LIST_ENTRY
   +0x030 Overlay : __unnamed
      +0x000 AsynchronousParameters : __unnamed
         +0x000 UserApcRoutine : 0x4dd2c015 void +4dd2c015
         +0x004 UserApcContext : 0x842ca1ba
      +0x000 AllocationSize : _LARGE_INTEGER 0x842ca1ba`4dd2c015
         +0x000 LowPart : 0x4dd2c015
         +0x004 HighPart : -2077449798
         +0x000 u : __unnamed
         +0x000 QuadPart : -8922578940186148843
   +0x038 CancelRoutine : 0xc085ba4e void +ffffffffc085ba4e
   +0x03c UserBuffer : 0x850fcf8b
   +0x040 Tail : __unnamed
      +0x000 Overlay : __unnamed
         +0x000 DeviceQueueEntry : _KDEVICE_QUEUE_ENTRY
         +0x000 DriverContext : [4] 0x0000ea6c
         +0x010 Thread : 0xd00815ff _ETHREAD
         +0x014 AuxiliaryBuffer : 0xe856ba4d "--- memory read error at address 0xe856ba4d ---"
         +0x018 ListEntry : _LIST_ENTRY [ 0xa9 - 0xc25d5e5f ]
         +0x020 CurrentStackLocation : 0x90900008 _IO_STACK_LOCATION // <== The corrupted CurrentStackLocation is here.
         +0x020 PacketType : 0x90900008
         +0x024 OriginalFileObject : 0x8b909090 _FILE_OBJECT
      +0x000 Apc : _KAPC
         +0x000 Type : 0x6c 'l'
         +0x001 SpareByte0 : 0xea ''
         +0x002 Size : 0 ''
         +0x003 SpareByte1 : 0 ''
         +0x004 SpareLong0 : 0xd2c415ff
         +0x008 Thread : 0x558aba4d _KTHREAD
         +0x00c ApcListEntry : _LIST_ENTRY [ 0x84e8d0c - 0xd00815ff ]
         +0x014 KernelRoutine : 0xe856ba4d void +ffffffffe856ba4d
         +0x018 RundownRoutine : 0x000000a9 void +a9
         +0x01c NormalRoutine : 0xc25d5e5f void +ffffffffc25d5e5f
         +0x020 NormalContext : 0x90900008
         +0x024 SystemArgument1 : 0x8b909090
         +0x028 SystemArgument2 : 0xec8b55ff
         +0x02c ApcStateIndex : 81 'Q'
         +0x02d ApcMode : -117 ''
         +0x02e Inserted : 0xd ''
      +0x000 CompletionKey : 0x0000ea6c
Memory read error ffcf8bbe

0: kd> !pool poi(f789e910)
Pool page ba49c387 region is Unknown
ba49c000 is not a valid large pool allocation, checking large session pool...
ba49c000 is freed (or corrupt) pool // <==
Bad previous allocation size @ba49c000, last size was 0

0: kd> dds ebp-0x88 L1 // <== (*3)
f789e844 c0000016 // <== STATUS_MORE_PROCESSING_REQUIRED

//
// The IRP pointer (ba49c387) is the output parameter returned by the saknet driver's ClientEventConnect event handler.
// (Ref. for ClientEventConnect: http://msdn.microsoft.com/en-us/library/ms801682.aspx)
//

0: kd> u poi(ebp-0x90) // <== (*4)
saknet+0xb3b6: // <== This is inside the saknet driver.
b92733b6 55 push ebp
b92733b7 8bec mov ebp,esp
b92733b9 83ec5c sub esp,5Ch
b92733bc 56 push esi
b92733bd 57 push edi
b92733be 8b4508 mov eax,dword ptr [ebp+8]
b92733c1 8945f8 mov dword ptr [ebp-8],eax
b92733c4 8b4d10 mov ecx,dword ptr [ebp+10h]

0: kd> lmtv m saknet
start end module name
b9268000 b927af60 saknet
Loaded symbol image file: saknet.sys
Image path: \SystemRoot\system32\drivers\saknet.sys
Image name: saknet.sys
Timestamp: Sat Apr 26 09:13:57 2008 (481273C5)
CheckSum: 000210FA
ImageSize: 00012F60
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

//
// Taken together, the information above suggests that the saknet.sys driver misbehaves when it returns
// STATUS_MORE_PROCESSING_REQUIRED: the IRP pointer it hands back does not refer to a valid, live IRP.
//
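The checks performed by hand in this analysis (computing the faulting address from the trap frame, testing whether the returned pointer looks like a real IRP, and noticing that it falls among tcpip code addresses on the stack rather than in pool) can be scripted. The block below is an added example, not code from the original post or from any of the drivers named in it. The sample text is constructed from the debugger output shown above; the constants IO_TYPE_IRP, sizeof(IRP) and sizeof(IO_STACK_LOCATION) assume the 32-bit Windows Server 2003 layout.

```python
"""Sanity checks for a suspect PIRP pulled from a WinDbg crash dump (added example)."""
import re
from typing import Dict, List, Optional, Tuple

IO_TYPE_IRP = 6                 # nt!_IRP.Type of a genuine IRP
IRP_HEADER_SIZE_X86 = 0x70      # sizeof(IRP) on x86 (assumption: Server 2003 layout)
IO_STACK_LOCATION_SIZE_X86 = 0x24

# Constructed from the trap frame shown in the analysis above.
TRAP_FRAME = "eax=ba49c387 ebx=10000000 ecx=16a10003 edx=16a00002 esi=90900008 edi=f789e890\n"

# Constructed from the top-level fields of `dt nt!_IRP poi(f789e910)` above.
IRP_ADDRESS = 0xBA49C387
IRP_DT = """\
+0x000 Type : -16251
+0x002 Size : 0x850f
+0x022 StackCount : 15 ''
+0x023 CurrentLocation : -123 ''
+0x020 CurrentStackLocation : 0x90900008 _IO_STACK_LOCATION
"""

# Constructed from three STACK_TEXT frames above (return address, symbol).
STACK_TEXT = """\
f789e94c ba49caf9 88c87e98 190215ac 00007013 tcpip!TCPRcv+0x1054
f789e8cc ba49bd8a 88a68558 00000016 f789e930 tcpip!DelayedAcceptConn+0xbe
f789ea10 ba4a6f9f 89b406f0 0b0215ac 190215ac tcpip!DeliverToUser+0x189
"""


def parse_registers(text: str) -> Dict[str, int]:
    """Pull 32-bit register values out of a WinDbg `r`/.trap register line."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([a-z]{2,3})=([0-9a-f]{8})\b", text)}


def parse_dt_fields(text: str) -> Dict[str, int]:
    """Map `dt` field names to integers (WinDbg prints decimal or 0x-hex)."""
    return {m.group(1): int(m.group(2), 0)
            for m in re.finditer(r"\+0x[0-9a-f]+ (\w+) : (-?0x[0-9a-f]+|-?\d+)", text)}


def parse_stack_frames(text: str) -> List[Tuple[int, str]]:
    """Return (return address, symbol) pairs from STACK_TEXT, sorted by address."""
    frames = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and "!" in parts[-1]:
            frames.append((int(parts[1], 16), parts[-1]))
    return sorted(frames)


def fault_address(regs: Dict[str, int], base: str, disp: int) -> int:
    """Effective address of a [base+disp] operand, wrapped to 32 bits."""
    return (regs[base] + disp) & 0xFFFFFFFF


def bracketing_frames(ptr: int, frames: List[Tuple[int, str]]) -> Optional[Tuple[str, str]]:
    """If two return addresses of the same module enclose ptr, ptr lies in that module's image."""
    below = [f for f in frames if f[0] <= ptr]
    above = [f for f in frames if f[0] > ptr]
    if not below or not above:
        return None
    lo, hi = below[-1], above[0]
    if lo[1].split("!")[0] == hi[1].split("!")[0]:
        return lo[1], hi[1]
    return None


def check_irp(irp: int, f: Dict[str, int], frames: List[Tuple[int, str]]) -> List[str]:
    """Reasons why `irp` does not look like a live IRP (empty list means it passes)."""
    out = []
    irp_type = f["Type"] & 0xFFFF
    if irp_type != IO_TYPE_IRP:
        out.append(f"Type 0x{irp_type:04x} is not IO_TYPE_IRP ({IO_TYPE_IRP})")
    size = f["Size"] & 0xFFFF
    stack_count = f["StackCount"] & 0xFF
    if size < IRP_HEADER_SIZE_X86 + stack_count * IO_STACK_LOCATION_SIZE_X86:
        out.append(f"Size 0x{size:x} is too small for StackCount {stack_count}")
    cur = f["CurrentLocation"]            # CHAR; a live IRP keeps it in 1..StackCount+1
    if not 1 <= cur <= stack_count + 1:
        out.append(f"CurrentLocation {cur} is outside 1..{stack_count + 1}")
    csl = f["CurrentStackLocation"]
    lo, hi = irp + IRP_HEADER_SIZE_X86, irp + size
    if not lo <= csl < hi:                # stack locations live right behind the IRP header
        out.append(f"CurrentStackLocation 0x{csl:08x} is outside the IRP allocation [0x{lo:08x}, 0x{hi:08x})")
    bracket = bracketing_frames(irp, frames)
    if bracket:
        out.append(f"IRP pointer 0x{irp:08x} lies between {bracket[0]} and {bracket[1]}: code, not pool")
    return out


def analyze() -> Tuple[int, List[str]]:
    """Faulting address of `mov ecx,[esi+18h]` plus every finding about the returned IRP."""
    fault = fault_address(parse_registers(TRAP_FRAME), "esi", 0x18)
    findings = check_irp(IRP_ADDRESS, parse_dt_fields(IRP_DT), parse_stack_frames(STACK_TEXT))
    return fault, findings


if __name__ == "__main__":
    addr, notes = analyze()
    print(f"faulting address: {addr:08x}")
    for note in notes:
        print(" -", note)
```

Running it reproduces the conclusions drawn above: the faulting address is 90900020, and the pointer saknet returned fails every structural test a real IRP would pass while sitting between two tcpip return addresses from the stack. The same checks apply to any pointer a TDI client hands back in an out parameter, not only to this dump.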
