microsoft / Windows-driver-samples

This repo contains driver samples prepared for use with Microsoft Visual Studio and the Windows Driver Kit (WDK). It contains both Universal Windows Driver and desktop-only driver samples.
Microsoft Public License

Bugcheck 7F EXCEPTION_DOUBLE_FAULT win32kfull!xxxDestroyWindow [Server 2019] #457

Open n-mam opened 4 years ago

n-mam commented 4 years ago

On one of our test setups we are experiencing bugcheck 7F EXCEPTION_DOUBLE_FAULT as shown below. The user mode context of the faulting thread is our .net GUI application, i.e. when it is in the process of being terminated via script (using pskill). The crash is random in that sometimes pskill on the process does not bugcheck the system. Earlier I came across this post which looks similar to the issue we are facing.

http://kitrap08.blogspot.com/2015/02/

Since this is an automation setup I am not sure exactly what is the UI state of the application. Presumably there are several error popups which could be active at the point when pskill is initiated on our process. Just wanted to understand if there's any way in which we could circumvent this issue? With that I am assuming that generally and under no circumstance should UM code be able to trigger a KM bugcheck.

The OS is Windows Server 2009 standard edition and is up to date with the latest patches as of this writing. Earlier there was wdfilter.sys also in the call stack which I disabled via local group policy. But the crash persists even without wdfilter in the call stack.

12: kd> vertarget
Windows 10 Kernel Version 17763 MP (24 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Built by: 17763.1.amd64fre.rs5_release.180914-1434
Machine Name:
Kernel base = 0xfffff8013da08000 PsLoadedModuleList = 0xfffff8013de21710
Debug session time: Mon Feb 10 17:05:28.677 2020 (UTC - 8:00)
System Uptime: 0 days 11:47:46.778

12: kd> .bugcheck
Bugcheck code 0000007F
Arguments 0000000000000008 ffffde801ff4ce50 ffffc30318ce3eb0 fffff8013dbcf6d4

12: kd> !sysinfo machineid
Machine ID Information [From Smbios 2.7, DMIVersion 0, Size=5393]
BiosMajorRelease = 0
BiosMinorRelease = 0
FirmwareMajorRelease = 0
FirmwareMinorRelease = 0
BiosVendor = Intel Corporation
BiosVersion = SE5C610.86B.01.01.0014.121820151719
BiosReleaseDate = 12/18/2015
SystemManufacturer = Intel Corporation
SystemProductName = S2600WT2R
SystemFamily = Family
SystemVersion = ....................
SystemSKU = SKU Number
BaseBoardManufacturer = Intel Corporation
BaseBoardProduct = S2600WT2R
BaseBoardVersion = H21573-366

12: kd> !sysinfo cpuinfo
[CPU Information]
~MHz = REG_DWORD 2394
Component Information = REG_BINARY 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
Configuration Data = REG_FULL_RESOURCE_DESCRIPTOR ff,ff,ff,ff,ff,ff,ff,ff,0,0,0,0,0,0,0,0
Identifier = REG_SZ Intel64 Family 6 Model 63 Stepping 2
ProcessorNameString = REG_SZ Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz
Update Status = REG_DWORD 0
VendorIdentifier = REG_SZ GenuineIntel
MSR8B = REG_QWORD 3c00000000

12: kd> !thread
THREAD ffffcd8830367080  Cid 09b0.27c0  Teb: 000000377234f000 Win32Thread: ffffcd8832afc530 RUNNING on processor c
Not impersonating
DeviceMap                 ffff9c85dce03f50
Owning Process            ffffcd8830d5f080       Image:         NMX Designer.exe
Attached Process          ffffc58fb3c17140       Image:         Registry
Wait Start TickCount      2717873        Ticks: 0
Context Switch Count      6813275        IdealProcessor: 23             
UserTime                  00:45:58.484
KernelTime                00:01:29.218
Win32 Start Address 0x000001a0976c0000
Stack Init ffffc30318ce9c90 Current ffffc303156c8a20
Base ffffc30318cea000 Limit ffffc30318ce4000 Call 0000000000000000
Priority 11 BasePriority 8 PriorityDecrement 2 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffde801ff4cd08 fffff8013dbd01e9 : 000000000000007f 0000000000000008 ffffde801ff4ce50 ffffc30318ce3eb0 : nt!KeBugCheckEx
ffffde801ff4cd10 fffff8013dbcb1ee : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
ffffde801ff4ce50 fffff8013dbcf6d4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDoubleFaultAbort+0x2ae (TrapFrame @ ffffde801ff4ce50)
ffffc30318ce3eb0 fffff8013dbc2690 : fffff8013da6ab79 ffffc30318ce40b0 fffff8013dd01b22 ffff9c85dc600340 : nt!KiServiceInternal+0x14 (TrapFrame @ ffffc30318ce3eb0)
ffffc30318ce4048 fffff8013da6ab79 : ffffc30318ce40b0 fffff8013dd01b22 ffff9c85dc600340 000000000000001c : nt!KiServiceLinkage
ffffc30318ce4050 fffff8013e02ef23 : 0000000000001000 000001ba7d957000 3f514e02328a7012 3f6561072057b573 : nt!CmSiProtectViewOfSection+0x31
ffffc30318ce4090 fffff8013e02eeb6 : ffffffffffffffff 0000000000028000 ffff9c85e37c3000 fffff8013dfa0a5e : nt!HvpViewMapMakeViewRangeCOWByCaller+0x47
ffffc30318ce40f0 fffff8013e02eb85 : 0000000000026000 0000000000001000 fffff8013dfdd9f0 fffff8013dfa2400 : nt!HvpViewMapCOWAndUnsealRange+0x4e
ffffc30318ce4120 fffff8013e09664e : ffff9c85e37c3000 ffffc30318ce41e9 000000000002601c 000000007fffffff : nt!HvpSetRangeProtection+0xb9
ffffc30318ce4170 fffff8013e096495 : ffff9c85e37c3050 ffff9c85e37c3000 ffffcd8800000002 ffff9c85e37c3050 : nt!HvpMarkDirty+0x15a
ffffc30318ce4250 fffff8013dfad998 : 00000000ffffffff 01d5e07759a16de3 ffffc30318ce43a0 ffff9c85e13f1ab8 : nt!HvpMarkCellDirty+0xc1
ffffc30318ce42a0 fffff8013dfae470 : ffffc30318ce4888 3ff8f1ae90000000 000f003f00000000 3ff97d8290000000 : nt!CmSetValueKey+0x330
ffffc30318ce4450 fffff8013dbcfc08 : 3e62999c25159f11 3e668925d901c83b 3e415506dadd3e2a 3e622aee6c57304e : nt!NtSetValueKey+0x620
ffffc30318ce4640 fffff8013dbc2690 : ffffad2333bec6c4 0000000000000002 0000000000000004 ffffc30318ce49c0 : nt!KiSystemServiceCopyEnd+0x28 (TrapFrame @ ffffc30318ce46b0)
ffffc30318ce4848 ffffad2333bec6c4 : 0000000000000002 0000000000000004 ffffc30318ce49c0 0000000000000000 : nt!KiServiceLinkage
ffffc30318ce4850 ffffad2333bec599 : ffffad45006084a0 ffffc30318ce4a30 ffffad45006084a0 0000000000000000 : win32kbase!CitpPostUpdateUseInfoSave+0xac
ffffc30318ce4930 ffffad2333c5d6f4 : 0000000000000002 ffffcd8800000003 80000039020932b6 ffffc30318ce5340 : win32kbase!CitpPostUpdateUseInfoLog+0x109
ffffc30318ce4e10 ffffad2333beb768 : fffff8013daf3fb0 ffffad2333c43da2 0000000000000000 0000000000000047 : win32kbase!CitpSetForegroundProcess+0x71f1c
ffffc30318ce5230 ffffad2333beb683 : ffffad4502d5a010 ffffc30318ce5359 ffffad4504d92500 ffffad2333ac7a64 : win32kbase!CitpProcessForegroundChange+0xd8
ffffc30318ce5280 ffffad2333882fa1 : 0000000000000780 0000000000000001 ffffad2333c153d0 ffffad2333894830 : win32kbase!CitProcessForegroundChange+0x43
ffffc30318ce52c0 ffffad2333887ff3 : 0000000000000000 ffffc30318ce54c0 0000000000000000 0000041000000780 : win32kfull!xxxSetForegroundThreadWithWindowHint+0xc5
ffffc30318ce53c0 ffffad233388648b : ffffad4504d92500 ffffad4504d92500 0000000000000000 ffffad4502d5a010 : win32kfull!xxxSetForegroundWindow2+0x11f
ffffc30318ce5520 ffffad2333880c2f : ffffad450061f401 ffffad450061f4a0 ffffad4500000000 ffffc30318ce5630 : win32kfull!xxxSetForegroundWindowWithOptions+0x9f
ffffc30318ce55d0 ffffad2333893f9e : 0000000000000000 ffffad4504d85500 ffffc30318ce56e9 ffffad450061f4a0 : win32kfull!xxxActivateWindowWithOptions+0x1e3
ffffc30318ce5650 ffffad23338eca77 : 0000000000000000 ffffad4504d85500 ffffad4504d85280 ffffad4504d85560 : win32kfull!xxxDestroyWindow+0x67e
ffffc30318ce5750 ffffad2333893b31 : 0000000000000000 ffffc30318ce5839 ffffad450061f4a0 ffffad4504d85280 : win32kfull!xxxDW_DestroyOwnedWindows+0x107
ffffc30318ce57a0 ffffad23338eca77 : 0000000000000000 ffffad4504d85280 ffffad4504d85000 ffffad4504d852e0 : win32kfull!xxxDestroyWindow+0x211
ffffc30318ce58a0 ffffad2333893b31 : 0000000000000000 ffffc30318ce5989 ffffad450061f4a0 ffffad4504d85000 : win32kfull!xxxDW_DestroyOwnedWindows+0x107
ffffc30318ce58f0 ffffad23338eca77 : 0000000000000000 ffffad4504d85000 ffffad4504d84c80 ffffad4504d85060 : win32kfull!xxxDestroyWindow+0x211
ffffc30318ce59f0 ffffad2333893b31 : 0000000000000000 ffffc30318ce5ad9 ffffad450061f4a0 ffffad4504d84c80 : win32kfull!xxxDW_DestroyOwnedWindows+0x107
ffffc30318ce5a40 ffffad23338eca77 : 0000000000000000 ffffad4504d84c80 ffffad4504d84a00 ffffad4504d84ce0 : win32kfull!xxxDestroyWindow+0x211
ffffc30318ce5b40 ffffad2333893b31 : 0000000000000000 ffffc30318ce5c29 ffffad450061f4a0 ffffad4504d84a00 : win32kfull!xxxDW_DestroyOwnedWindows+0x107
ffffc30318ce5b90 ffffad23338eca77 : 0000000000000000 ffffad4504d84a00 ffffad4504d84780 ffffad4504d84a60 : win32kfull!xxxDestroyWindow+0x211
ffffc30318ce5c90 ffffad2333893b31 : 0000000000000000 ffffc30318ce5d79 ffffad450061f4a0 ffffad4504d84780 : win32kfull!xxxDW_DestroyOwnedWindows+0x107
ffffc30318ce5ce0 ffffad23338eca77 : 0000000000000000 ffffad4504d84780 ffffad4504d84500 ffffad4504d847e0 : win32kfull!xxxDestroyWindow+0x211
ffffc30318ce5de0 ffffad2333893b31 : 0000000000000000 ffffc30318ce5ec9 ffffad450061f4a0 ffffad4504d84500 : win32kfull!xxxDW_DestroyOwnedWindows+0x107
ffffc30318ce5e30 ffffad23338eca77 : 0000000000000000 ffffad4504d84500 ffffad4504d84280 ffffad4504d84560 : win32kfull!xxxDestroyWindow+0x211
ffffc30318ce5f30 ffffad2333893b31 : 0000000000000000 ffffc30318ce6019 ffffad450061f4a0 ffffad4504d84280 : win32kfull!xxxDW_DestroyOwnedWindows+0x107
ffffc30318ce5f80 ffffad23338eca77 : 0000000000000000 ffffad4504d84280 ffffad4504d84000 ffffad4504d842e0 : win32kfull!xxxDestroyWindow+0x211
ffffc30318ce6080 ffffad2333893b31 : 0000000000000000 ffffc30318ce6169 ffffad450061f4a0 ffffad4504d84000 : win32kfull!xxxDW_DestroyOwnedWindows+0x107

12: kd> !stackusage
Stack Usage By Function
=================================================================================

      Size     Count  Module
0x00003100        49  win32kfull!xxxDestroyWindow
0x00000F50        49  win32kfull!xxxDW_DestroyOwnedWindows
0x000004E0         1  win32kbase!CitpPostUpdateUseInfoLog
0x00000420         1  win32kbase!CitpSetForegroundProcess
0x00000208         1  nt!KiSystemServiceCopyEnd
0x000001F0         1  nt!NtSetValueKey
0x000001C0         1  win32kfull!xxxRealDefWindowProc
0x000001B0         1  nt!CmSetValueKey
0x00000198         1  nt!KiServiceInternal
0x00000160         1  win32kfull!xxxSetForegroundWindow2
0x00000140         1  nt!KiBugCheckDispatch
0x00000100         1  win32kfull!xxxSetForegroundThreadWithWindowHint
0x00000100         1  win32kfull!xxxDestroyWindow
0x000000E0         1  win32kbase!CitpPostUpdateUseInfoSave
0x000000E0         1  nt!HvpMarkDirty
0x000000B0         1  win32kfull!xxxSetForegroundWindowWithOptions
0x00000080         1  win32kfull!xxxActivateWindowWithOptions
0x00000080         1  win32kfull!NtUserMessageCall
0x00000070         1  win32kfull!xxxWrapRealDefWindowProc
0x00000060         1  nt!HvpViewMapMakeViewRangeCOWByCaller
0x00000050         1  win32kbase!CitpProcessForegroundChange
0x00000050         1  nt!HvpSetRangeProtection
0x00000050         1  nt!HvpMarkCellDirty
0x00000040         1  win32kfull!NtUserfnDWORD
0x00000040         1  win32kbase!CitProcessForegroundChange
0x00000040         1  nt!CmSiProtectViewOfSection
0x00000030         1  nt!HvpViewMapCOWAndUnsealRange
0x00000010         2  nt!KiServiceLinkage
0x00000008         2  nt!KeBugCheckEx

Total Size: 0x00005D28

Stack Usage By Module
=================================================================================

      Size     Count  Module
0x000047D0       107  win32kfull
0x00000AE8        15  nt
0x00000A70         5  win32kbase

Total Size: 0x00005D28

12: kd> !process ffffcd8830d5f080
PROCESS ffffcd8830d5f080
    SessionId: 1  Cid: 09b0    Peb: 377234e000  ParentCid: 0ce0
    DirBase: 2fe155002  ObjectTable: ffff9c85e4cd8000  HandleCount: 988.
    Image: NMX Designer.exe
    VadRoot ffffcd8832afba40 Vads 835 Clone 0 Private 115044. Modified 3379. Locked 38.
    DeviceMap ffff9c85dcc13d20
    Token                             ffff9c85ffbd55f0
    ElapsedTime                       04:07:48.116
    UserTime                          00:00:02.859
    KernelTime                        00:00:00.859
    QuotaPoolUsage[PagedPool]         993184
    QuotaPoolUsage[NonPagedPool]      289852
    Working Set Sizes (now,min,max)  (144197, 50, 345) (576788KB, 200KB, 1380KB)
    PeakWorkingSetSize                147314
    VirtualSize                       5495 Mb
    PeakVirtualSize                   5549 Mb
    PageFaultCount                    1637927
    MemoryPriority                    FOREGROUND
    BasePriority                      8
    CommitCharge                      124792
    Job                               ffffc58fb9811970

        THREAD ffffcd8830367080  Cid 09b0.27c0  Teb: 000000377234f000 Win32Thread: ffffcd8832afc530 RUNNING on processor c
        Not impersonating
        DeviceMap                 ffff9c85dce03f50
        Owning Process            ffffcd8830d5f080       Image:         NMX Designer.exe
        Attached Process          ffffc58fb3c17140       Image:         Registry
        Wait Start TickCount      2717873        Ticks: 0
        Context Switch Count      6813275        IdealProcessor: 23             
        UserTime                  00:45:58.484
        KernelTime                00:01:29.218
        Win32 Start Address 0x000001a0976c0000
        Stack Init ffffc30318ce9c90 Current ffffc303156c8a20
        Base ffffc30318cea000 Limit ffffc30318ce4000 Call 0000000000000000
        Priority 11 BasePriority 8 PriorityDecrement 2 IoPriority 2 PagePriority 5
        Child-SP          RetAddr           Call Site
        ffffde801ff4cd08 fffff8013dbd01e9 nt!KeBugCheckEx
        ffffde801ff4cd10 fffff8013dbcb1ee nt!KiBugCheckDispatch+0x69
        ffffde801ff4ce50 fffff8013dbcf6d4 nt!KiDoubleFaultAbort+0x2ae (TrapFrame @ ffffde801ff4ce50)
        ffffc30318ce3eb0 fffff8013dbc2690 nt!KiServiceInternal+0x14 (TrapFrame @ ffffc30318ce3eb0)
        ffffc30318ce4048 fffff8013da6ab79 nt!KiServiceLinkage
        ffffc30318ce4050 fffff8013e02ef23 nt!CmSiProtectViewOfSection+0x31
        ffffc30318ce4090 fffff8013e02eeb6 nt!HvpViewMapMakeViewRangeCOWByCaller+0x47
        ffffc30318ce40f0 fffff8013e02eb85 nt!HvpViewMapCOWAndUnsealRange+0x4e
        ffffc30318ce4120 fffff8013e09664e nt!HvpSetRangeProtection+0xb9
        ffffc30318ce4170 fffff8013e096495 nt!HvpMarkDirty+0x15a
        ffffc30318ce4250 fffff8013dfad998 nt!HvpMarkCellDirty+0xc1
        ffffc30318ce42a0 fffff8013dfae470 nt!CmSetValueKey+0x330
        ffffc30318ce4450 fffff8013dbcfc08 nt!NtSetValueKey+0x620
        ffffc30318ce4640 fffff8013dbc2690 nt!KiSystemServiceCopyEnd+0x28 (TrapFrame @ ffffc30318ce46b0)
        ffffc30318ce4848 ffffad2333bec6c4 nt!KiServiceLinkage
        ffffc30318ce4850 ffffad2333bec599 win32kbase!CitpPostUpdateUseInfoSave+0xac
        ffffc30318ce4930 ffffad2333c5d6f4 win32kbase!CitpPostUpdateUseInfoLog+0x109
        ffffc30318ce4e10 ffffad2333beb768 win32kbase!CitpSetForegroundProcess+0x71f1c
        ffffc30318ce5230 ffffad2333beb683 win32kbase!CitpProcessForegroundChange+0xd8
        ffffc30318ce5280 ffffad2333882fa1 win32kbase!CitProcessForegroundChange+0x43
        ffffc30318ce52c0 ffffad2333887ff3 win32kfull!xxxSetForegroundThreadWithWindowHint+0xc5
        ffffc30318ce53c0 ffffad233388648b win32kfull!xxxSetForegroundWindow2+0x11f
        ffffc30318ce5520 ffffad2333880c2f win32kfull!xxxSetForegroundWindowWithOptions+0x9f
        ffffc30318ce55d0 ffffad2333893f9e win32kfull!xxxActivateWindowWithOptions+0x1e3
        ffffc30318ce5650 ffffad23338eca77 win32kfull!xxxDestroyWindow+0x67e
        ffffc30318ce5750 ffffad2333893b31 win32kfull!xxxDW_DestroyOwnedWindows+0x107
        ffffc30318ce57a0 ffffad23338eca77 win32kfull!xxxDestroyWindow+0x211
        ffffc30318ce58a0 ffffad2333893b31 win32kfull!xxxDW_DestroyOwnedWindows+0x107
        ffffc30318ce58f0 ffffad23338eca77 win32kfull!xxxDestroyWindow+0x211
        ffffc30318ce59f0 ffffad2333893b31 win32kfull!xxxDW_DestroyOwnedWindows+0x107
        ffffc30318ce5a40 ffffad23338eca77 win32kfull!xxxDestroyWindow+0x211
        ffffc30318ce5b40 ffffad2333893b31 win32kfull!xxxDW_DestroyOwnedWindows+0x107
        ffffc30318ce5b90 ffffad23338eca77 win32kfull!xxxDestroyWindow+0x211
        ffffc30318ce5c90 ffffad2333893b31 win32kfull!xxxDW_DestroyOwnedWindows+0x107
        ffffc30318ce5ce0 ffffad23338eca77 win32kfull!xxxDestroyWindow+0x211
        ffffc30318ce5de0 ffffad2333893b31 win32kfull!xxxDW_DestroyOwnedWindows+0x107
        ffffc30318ce5e30 ffffad23338eca77 win32kfull!xxxDestroyWindow+0x211
        ffffc30318ce5f30 ffffad2333893b31 win32kfull!xxxDW_DestroyOwnedWindows+0x107
        ffffc30318ce5f80 ffffad23338eca77 win32kfull!xxxDestroyWindow+0x211
        ffffc30318ce6080 ffffad2333893b31 win32kfull!xxxDW_DestroyOwnedWindows+0x107
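
A triage sketch for the dump above, added here as an example and not part of the original post: it parses `k`-style frames, checks whether the deepest Child-SP fell below the thread's stack Limit, and finds the repeating call pattern with its stack cost per nesting level. The function names are hypothetical; the frames are abridged from the post's `!process` output and the Base/Limit values come from its `!thread` output.

```python
import re

# Frames abridged from the `!process` output in the post, innermost first.
SAMPLE = """\
ffffc30318ce3eb0 fffff8013dbc2690 nt!KiServiceInternal+0x14 (TrapFrame @ ffffc30318ce3eb0)
ffffc30318ce4048 fffff8013da6ab79 nt!KiServiceLinkage
ffffc30318ce5650 ffffad23338eca77 win32kfull!xxxDestroyWindow+0x67e
ffffc30318ce5750 ffffad2333893b31 win32kfull!xxxDW_DestroyOwnedWindows+0x107
ffffc30318ce57a0 ffffad23338eca77 win32kfull!xxxDestroyWindow+0x211
ffffc30318ce58a0 ffffad2333893b31 win32kfull!xxxDW_DestroyOwnedWindows+0x107
ffffc30318ce58f0 ffffad23338eca77 win32kfull!xxxDestroyWindow+0x211
ffffc30318ce59f0 ffffad2333893b31 win32kfull!xxxDW_DestroyOwnedWindows+0x107
"""
STACK_BASE, STACK_LIMIT = 0xFFFFC30318CEA000, 0xFFFFC30318CE4000  # from `!thread`

# Child-SP, RetAddr, optional ": args :" column, then module!function (offset dropped).
FRAME = re.compile(r"^\s*([0-9a-f]{16}) +[0-9a-f]{16} +(?:: .* : )?(\w+!\w+)", re.M)

def parse_frames(text):
    """Return [(child_sp, 'module!function'), ...] in the order listed."""
    return [(int(sp, 16), sym) for sp, sym in FRAME.findall(text)]

def overflow_bytes(frames, limit):
    """Bytes by which the deepest frame sits below the stack limit (0 = in bounds)."""
    return max(0, limit - min(sp for sp, _ in frames))

def recursion_cycle(frames, max_period=4):
    """Longest repeating call pattern as (cycle, repeats, stack_bytes_per_cycle)."""
    names = [sym for _, sym in frames]
    best = ([], 1, 0)  # a pattern must occur at least twice to count
    for p in range(1, max_period + 1):
        i = 0
        while i + p < len(names):
            j = i
            while j + p < len(names) and names[j] == names[j + p]:
                j += 1
            repeats = (j - i) // p + 1 if j > i else 0
            if repeats > best[1]:
                best = (names[i:i + p], repeats, frames[i + p][0] - frames[i][0])
            i = max(j, i + 1)
    return best

def max_depth(cost, base=STACK_BASE, limit=STACK_LIMIT):
    """Upper bound on nesting levels that fit in the stack at `cost` bytes each."""
    return (base - limit) // cost

if __name__ == "__main__":
    frames = parse_frames(SAMPLE)
    cycle, repeats, cost = recursion_cycle(frames)
    print(hex(overflow_bytes(frames, STACK_LIMIT)), cycle, repeats, hex(cost), max_depth(cost))
```

Run against the full trace, the same functions report every recursion level instead of the three kept in the sample.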
n-mam commented 4 years ago

Anything we could do here to circumvent/fix the issue?

A user mode .net app is crashing the Kernel here.

n-mam commented 4 years ago

Any inputs on the above issue?