
BSOD on disconnect/driver unload (L2CAP_PS3_ConnectionIndicationCallback)

Open nefarius opened this issue 1 year ago • 0 comments

@Kanuan discovered a crash caused by context memory being freed while a disconnect request is still in progress. Either use KEVENT or increase reference count to avoid unloading the PDO device object while the disconnect logic is pending.

WinDbg

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80043467a27, address which referenced memory

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 5811

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 5878

    Key  : Analysis.Init.CPU.mSec
    Value: 749

    Key  : Analysis.Init.Elapsed.mSec
    Value: 5062

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 110

    Key  : Bugcheck.Code.DumpHeader
    Value: 0xd1

    Key  : Bugcheck.Code.KiBugCheckData
    Value: 0xd1

    Key  : Bugcheck.Code.Register
    Value: 0xa

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1


FILE_IN_CAB:  MEMORY.DMP

BUGCHECK_CODE:  d1

BUGCHECK_P1: 0

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff80043467a27

READ_ADDRESS:  0000000000000000 

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  svchost.exe

DPC_STACK_BASE:  FFFFF8003A675FB0

TRAP_FRAME:  fffff8003a674890 -- (.trap 0xfffff8003a674890)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=ffffdf8713be0f20
rdx=0000000000000007 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80043467a27 rsp=fffff8003a674a20 rbp=fffff8003a674a79
 r8=fffff8004347f198  r9=0000000000000000 r10=fffff80034d22bc0
r11=fffff8003a674cb0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
BthPS3!L2CAP_PS3_ConnectionIndicationCallback+0x117:
fffff800`43467a27 488b10          mov     rdx,qword ptr [rax] ds:00000000`00000000=????????????????
Resetting default scope

LOCK_ADDRESS:  fffff80035644ae0 -- (!locks fffff80035644ae0)

Resource @ nt!PiEngineLock (0xfffff80035644ae0)    Available
    Contention Count = 22
1 total locks

PNP_TRIAGE_DATA: 
	Lock address  : 0xfffff80035644ae0
	Thread Count  : 0
	Thread address: 0x0000000000000000
	Thread wait   : 0x0

STACK_TEXT:  
fffff800`3a674748 fffff800`34e09269     : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff800`3a674750 fffff800`34e05569     : 00000000`000000ff fffff800`34d42af8 ffffdf87`096610f0 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff800`3a674890 fffff800`43467a27     : ffff45a1`079ec7a8 00000000`12582eff 00000001`ffffffff 00000000`00000000 : nt!KiPageFault+0x469
fffff800`3a674a20 fffff800`43033479     : 00000000`00000000 ffffdf87`1a1ae010 ffffdf87`1a1ae001 fffff800`4309b3a4 : BthPS3!L2CAP_PS3_ConnectionIndicationCallback+0x117 [C:\projects\bthps3\BthPS3\L2CAP.Disconnect.c @ 168] 
fffff800`3a674ae0 fffff800`4303c19b     : 00000000`00000001 ffffdf87`1a1ae010 00000000`00000001 ffffdf87`1a1ae010 : BTHport!L2CapCon_CallClientCallbackForRemoteDisconnect+0xc9
fffff800`3a674cc0 fffff800`42fc8d71     : ffffdf87`1a1ae028 ffffdf87`17df3ad0 00000000`c000009d 00000000`00000016 : BTHport!L2CapCon_HciConnectCallback+0x46b
fffff800`3a674d90 fffff800`42fc9a2a     : ffffdf87`1a1ae028 fffff800`3a674f00 fffff800`3a675200 fffff800`42fbcb5e : BTHport!HCI_CxnCallClientCallback+0xe1
fffff800`3a674e20 fffff800`42fd3e8a     : ffffdf87`17df3f70 fffff800`3a674f70 ffffdf87`17df3a20 fffff800`3a675200 : BTHport!HCI_CxnDrainMoveList+0x7a
fffff800`3a674e70 fffff800`42fd406f     : ffffdf87`1b998205 00000000`00000004 ffffdf87`165bd720 ffffdf87`17df3a20 : BTHport!HCI_HandleDisconnectionComplete+0xb8a
fffff800`3a675070 fffff800`42fc0765     : ffffdf87`1d0da6f0 fffff800`3a675211 fffff800`3a675211 ffffdf87`165bd720 : BTHport!Fn_EVENT_DisconnectionComplete+0xaf
fffff800`3a675130 fffff800`42ff45b5     : ffffdf87`1350a000 ffffdf87`09002005 00000000`00000202 00000000`00000000 : BTHport!HCI_DoCmdCompletion+0x469
fffff800`3a675270 fffff800`430279fb     : ffffdf87`1b99bc30 fffff800`3a6753d9 00000000`00000000 00000000`00000002 : BTHport!HCI_ProcessAsynchronousEvent+0x99
fffff800`3a6752c0 fffff800`43027dec     : ffffdf87`1b99bc30 fffff800`3a6753d9 00000000`00000000 ffffdf87`1350a000 : BTHport!HCI_ProcessEventAtDPC+0x1fb
fffff800`3a675330 fffff800`43086ba7     : 00000000`00000000 fffff800`42f7c882 00000000`00000000 00000000`00000000 : BTHport!HCI_ProcessMpBip+0x3a0
fffff800`3a675440 fffff800`42f7461b     : ffffdf87`1b99bc30 00000000`00000000 00000000`00000000 fffff800`3a6755b0 : BTHport!imp_BthLegacyRecvMpBip+0x47
fffff800`3a6754a0 fffff800`42f7de99     : fffff800`3a675620 ffffdf87`134f2ab0 ffffdf87`134f2ab0 ffffdf87`12b95560 : BTHUSB!BthUsb_EventTransferComplete+0x1bb
fffff800`3a675560 fffff800`42f7e185     : 00000000`00000003 fffff800`3a675620 00000000`00000000 ffffdf87`00000006 : BTHUSB!UsbWrapWorkRoutine+0x1c9
fffff800`3a6755e0 fffff800`34c84ffe     : ffffdf87`12b95560 fffff800`3a6756f9 ffffdf87`09002340 00000000`00000000 : BTHUSB!UsbWrapInterruptReadComplete+0x205
fffff800`3a675670 fffff800`34c84ec7     : ffffdf87`00000000 fffff800`319d8100 ffffdf87`10ea6050 01000000`00100000 : nt!IopfCompleteRequest+0x11e
fffff800`3a675760 fffff800`44ae2c17     : ffffdf87`1ee28b40 ffffdf87`122515ec ffffdf87`10ea70e8 ffffffff`ffffffff : nt!IofCompleteRequest+0x17
fffff800`3a675790 fffff800`44ae22ae     : ffffdf87`10ea61a0 ffffdf87`122515ec ffffdf87`10ea61a0 00000000`00000000 : USBPORT!USBPORT_Core_iCompleteDoneTransfer+0x867
fffff800`3a675a60 fffff800`44adf98d     : ffffdf87`12251724 ffffdf87`10ea7180 ffffdf87`10ea61a0 ffffdf87`096ad040 : USBPORT!USBPORT_Core_iIrpCsqCompleteDoneTransfer+0x22e
fffff800`3a675ac0 fffff800`44ae781c     : ffffdf87`10ea70e8 ffffdf87`10ea6050 ffffdf87`098fea02 ffffdf87`096ad040 : USBPORT!USBPORT_Core_UsbIocDpc_Worker+0x24d
fffff800`3a675b30 fffff800`34c9a38e     : fffff800`3a675cb0 ffffdf87`0980f000 fffff800`3a675ea0 fffff800`319d8180 : USBPORT!USBPORT_Xdpc_Worker_IocDpc+0x18c
fffff800`3a675bb0 fffff800`34c99674     : fffff800`319d8180 00000000`00000000 00000000`00000008 00000000`000047da : nt!KiExecuteAllDpcs+0x30e
fffff800`3a675d20 fffff800`34dfe325     : 00000000`00000000 fffff800`319d8180 ffffbc01`9b966a00 ffffdf87`165b8380 : nt!KiRetireDpcList+0x1f4
fffff800`3a675fb0 fffff800`34dfe110     : 0001d3c5`1de8ffff fffff800`34d25f5a 00000000`ffffffff 00000000`00000000 : nt!KxRetireDpcList+0x5
ffffcc08`113db5b0 fffff800`34dfd9c5     : ffffdf87`165b8380 fffff800`34df8631 00000000`00000000 ffffdf87`00000005 : nt!KiDispatchInterruptContinue
ffffcc08`113db5e0 fffff800`34df8631     : 00000000`00000000 ffffdf87`00000005 00000000`00000000 ffffdf87`00000000 : nt!KiDpcInterruptBypass+0x25
ffffcc08`113db5f0 fffff800`34fd13f7     : fffff800`34fd2297 ffffdf87`00000001 ffffcc08`113db9c0 ffffdf87`165b9368 : nt!KiChainedDispatch+0xb1
ffffcc08`113db788 fffff800`34fd2297     : ffffdf87`00000001 ffffcc08`113db9c0 ffffdf87`165b9368 00000000`000000c0 : nt!PiDqIrpQueryGetResult+0x3
ffffcc08`113db790 fffff800`350eeddd     : ffffdf87`165b8380 ffffdf87`0971fd80 fffff800`34a06590 00000000`00000000 : nt!PiDqDispatch+0x1c7
ffffcc08`113db7d0 fffff800`34c8f825     : ffffdf87`165b8380 00000000`00000002 00000000`00000000 00000000`00000000 : nt!PiDaDispatch+0x4d
ffffcc08`113db800 fffff800`35075b58     : ffffdf87`165b8380 00000000`00000000 ffffdf87`165b8380 00000000`00000000 : nt!IofCallDriver+0x55
ffffcc08`113db840 fffff800`35075957     : 00000000`00000000 ffffcc08`113dbb80 00000000`00000005 ffffcc08`113dbb80 : nt!IopSynchronousServiceTail+0x1a8
ffffcc08`113db8e0 fffff800`35074cd6     : 00000000`00000000 00000000`00000000 00000000`00000000 000001ff`692639c8 : nt!IopXxxControlFile+0xc67
ffffcc08`113dba20 fffff800`34e08cb5     : ffffdf87`17403080 00000000`00000000 00000000`00000000 000001ff`67602458 : nt!NtDeviceIoControlFile+0x56
ffffcc08`113dba90 00007ffe`2bf8ce54     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
0000008d`5aa7f788 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`2bf8ce54


FAULTING_SOURCE_LINE:  C:\projects\bthps3\BthPS3\L2CAP.Disconnect.c

FAULTING_SOURCE_FILE:  C:\projects\bthps3\BthPS3\L2CAP.Disconnect.c

FAULTING_SOURCE_LINE_NUMBER:  168

FAULTING_SOURCE_CODE:  
No source found for 'C:\projects\bthps3\BthPS3\L2CAP.Disconnect.c'


SYMBOL_NAME:  BthPS3!L2CAP_PS3_ConnectionIndicationCallback+117

MODULE_NAME: BthPS3

IMAGE_NAME:  BthPS3.sys

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  117

FAILURE_BUCKET_ID:  AV_BthPS3!L2CAP_PS3_ConnectionIndicationCallback

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {402dc05b-0c19-2f3a-d858-59fa43906eb6}

Followup:     MachineOwner
---------

0: kd> kc
 # Call Site
00 nt!KeBugCheckEx
01 nt!KiBugCheckDispatch
02 nt!KiPageFault
03 BthPS3!WdfObjectGetTypedContextWorker
04 BthPS3!GetServerDeviceContext
05 BthPS3!L2CAP_PS3_ConnectionIndicationCallback
06 BTHport!L2CapCon_CallClientCallbackForRemoteDisconnect
07 BTHport!L2CapCon_HciConnectCallback
08 BTHport!HCI_CxnCallClientCallback
09 BTHport!HCI_CxnDrainMoveList
0a BTHport!HCI_HandleDisconnectionComplete
0b BTHport!Fn_EVENT_DisconnectionComplete
0c BTHport!HCI_DoCmdCompletion
0d BTHport!HCI_ProcessAsynchronousEvent
0e BTHport!HCI_ProcessEventAtDPC
0f BTHport!HCI_ProcessMpBip
10 BTHport!imp_BthLegacyRecvMpBip
11 BTHUSB!BthUsb_EventTransferComplete
12 BTHUSB!UsbWrapWorkRoutine
13 BTHUSB!UsbWrapInterruptReadComplete
14 nt!IopfCompleteRequest
15 nt!IofCompleteRequest
16 USBPORT!USBPORT_Core_iCompleteDoneTransfer
17 USBPORT!USBPORT_Core_iIrpCsqCompleteDoneTransfer
18 USBPORT!USBPORT_Core_UsbIocDpc_Worker
19 USBPORT!USBPORT_Xdpc_Worker_IocDpc
1a nt!KiExecuteAllDpcs
1b nt!KiRetireDpcList
1c nt!KxRetireDpcList
1d nt!KiDispatchInterruptContinue
1e nt!KiDpcInterruptBypass
1f nt!KiChainedDispatch
20 nt!PiDqIrpQueryGetResult
21 nt!PiDqDispatch
22 nt!PiDaDispatch
23 nt!IofCallDriver
24 nt!IopSynchronousServiceTail
25 nt!IopXxxControlFile
26 nt!NtDeviceIoControlFile
27 nt!KiSystemServiceCopyEnd
28 0x0

nefarius avatar Aug 05 '22 09:08 nefarius
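The crash above is a lifetime race: the remove/unload path releases the connection context while BTHport still holds the pointer for a disconnect indication it will deliver later from a DPC. The following user-mode C model is added here to illustrate the two fixes the issue proposes (a reference held by the pending indication, or a KEVENT the remove path waits on); it is not BthPS3 or WDF code, and every name in it (`conn_context`, `g_indication`, `run_scenario`, the strategy constants, the sample CID) is an assumption made for the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Model of the bug in this issue (illustration only, not BthPS3/WDF code):
 * a context handed to the Bluetooth stack at connect time is released by the
 * remove/unload path while a disconnect indication that dereferences it is
 * still queued. The allocation is only marked released (not freed) until the
 * scenario ends so the dangling access can be observed instead of crashing.
 * Single-threaded; a driver would use Interlocked* ops on the refcount.
 */

#define STRATEGY_NONE     0   /* the bug: release immediately                  */
#define STRATEGY_REFCOUNT 1   /* pending indication holds its own reference    */
#define STRATEGY_EVENT    2   /* remove waits until the indication has run     */

typedef struct {
    long refcount;            /* owners of this context                        */
    bool released;            /* model of the memory having been freed         */
    bool indication_done;     /* model of a KEVENT set by the callback         */
    unsigned short cid;       /* constructed sample channel id                 */
} conn_context;

/* What the stack remembers: the client callback and its context pointer,
   invoked later from a DPC (HCI_HandleDisconnectionComplete in the dump). */
static struct {
    void (*indicate)(conn_context *);
    conn_context *ctx;
    bool queued;
} g_indication;

static int g_last_result;     /* 1 = callback saw a live context, 0 = UAF     */

static void context_release(conn_context *ctx) { ctx->released = true; }
static void context_ref(conn_context *ctx)     { ctx->refcount++; }
static void context_deref(conn_context *ctx)
{
    if (--ctx->refcount == 0)
        context_release(ctx);
}

/* The disconnect indication callback dereferences the context, which is
   what faults at L2CAP_PS3_ConnectionIndicationCallback+0x117 above. */
static void on_disconnect_indication(conn_context *ctx)
{
    if (ctx->released) {
        g_last_result = 0;                /* in the kernel: bugcheck 0xD1   */
    } else {
        printf("disconnect indication for CID 0x%04x: context valid\n", ctx->cid);
        g_last_result = 1;
    }
    ctx->indication_done = true;          /* KeSetEvent in the KEVENT variant */
}

/* Stack side: deliver the queued indication, then drop the reference the
   client gave it (only meaningful for the refcount strategy). */
static void stack_fire_indication(int strategy)
{
    if (!g_indication.queued) return;
    g_indication.queued = false;
    g_indication.indicate(g_indication.ctx);
    if (strategy == STRATEGY_REFCOUNT)
        context_deref(g_indication.ctx);
}

/* Device removal / driver unload path for each strategy. */
static void device_remove(conn_context *ctx, int strategy)
{
    switch (strategy) {
    case STRATEGY_REFCOUNT:
        context_deref(ctx);               /* drop ours; the callback holds the other */
        break;
    case STRATEGY_EVENT:
        /* KeWaitForSingleObject on the event, modelled by draining the
           indication first. Must run at PASSIVE_LEVEL in a real driver. */
        if (!ctx->indication_done)
            stack_fire_indication(strategy);
        context_release(ctx);
        break;
    default:
        context_release(ctx);             /* the bug: indication still queued */
        break;
    }
}

int run_scenario(int strategy)
{
    conn_context *ctx = calloc(1, sizeof *ctx);
    if (!ctx) return -1;
    ctx->refcount = 1;                    /* the device object's own reference */
    ctx->cid = 0x0040;                    /* constructed sample CID           */

    /* connect time: hand the context to the stack */
    if (strategy == STRATEGY_REFCOUNT)
        context_ref(ctx);
    g_indication.indicate = on_disconnect_indication;
    g_indication.ctx = ctx;
    g_indication.queued = true;

    device_remove(ctx, strategy);         /* PDO goes away first ...          */
    stack_fire_indication(strategy);      /* ... then the indication lands    */

    int result = g_last_result;
    free(ctx);                            /* model cleanup only               */
    return result;
}

int main(void)
{
    printf("no protection:   %s\n", run_scenario(STRATEGY_NONE)     ? "ok" : "use after free");
    printf("reference count: %s\n", run_scenario(STRATEGY_REFCOUNT) ? "ok" : "use after free");
    printf("wait on event:   %s\n", run_scenario(STRATEGY_EVENT)    ? "ok" : "use after free");
    return 0;
}
```

Of the two, the reference-count form is the one that works from any context, because the indication callback runs at DISPATCH_LEVEL and cannot wait; the KEVENT form only works because the remove/unload side is at PASSIVE_LEVEL and can block, and it needs a timeout or an "already disconnected" check so a peer that never sends a disconnect does not hang device removal.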