archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/base/ntos/mm/triage.c

728 lines
19 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1999 Microsoft Corporation
  5. Module Name:
  7. triage.c
  9. Abstract:
  11. This module contains the Phase 0 code to triage bugchecks and
  12. automatically enable various system tracing components until the
  13. guilty party is found.
  15. Author:
  17. Landy Wang 13-Jan-1999
  19. Revision History:
  21. --*/
  23. #include "mi.h"
  24. #include "ntiodump.h"
  26. #ifdef ALLOC_PRAGMA
  27. #pragma alloc_text(INIT,MiTriageSystem)
  28. #pragma alloc_text(INIT,MiTriageAddDrivers)
  29. #endif
  31. //
  32. // Always update this macro when adding triage support for additional bugchecks.
  33. //
  35. #define MI_CAN_TRIAGE_BUGCHECK(BugCheckCode) \
  36. ((BugCheckCode) == NO_MORE_SYSTEM_PTES || \
  37. (BugCheckCode) == BAD_POOL_HEADER || \
  38. (BugCheckCode) == DRIVER_CORRUPTED_SYSPTES || \
  39. (BugCheckCode) == DRIVER_CORRUPTED_EXPOOL || \
  40. (BugCheckCode) == DRIVER_CORRUPTED_MMPOOL)
  42. //
  43. // These are bugchecks that were presumably triggered by either autotriage or
  44. // the admin's registry settings - so don't apply any new rules and in addition,
  45. // keep the old ones unaltered so it can reproduce.
  46. //
  48. #define MI_HOLD_TRIAGE_BUGCHECK(BugCheckCode) \
  49. ((BugCheckCode) == DRIVER_USED_EXCESSIVE_PTES || \
  50. (BugCheckCode) == DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS || \
  51. (BugCheckCode) == PAGE_FAULT_IN_FREED_SPECIAL_POOL || \
  52. (BugCheckCode) == DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL || \
  53. (BugCheckCode) == PAGE_FAULT_BEYOND_END_OF_ALLOCATION || \
  54. (BugCheckCode) == DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION || \
  55. (BugCheckCode) == DRIVER_CAUGHT_MODIFYING_FREED_POOL || \
  56. (BugCheckCode) == SYSTEM_PTE_MISUSE)
  58. #define MI_TRACKING_PTES 0x00000002
  59. #define MI_PROTECT_FREED_NONPAGED_POOL 0x00000004
  60. #define MI_VERIFYING_PRENT5_DRIVERS 0x00000008
  61. #define MI_KEEPING_PREVIOUS_SETTINGS 0x00000010
  63. #ifdef ALLOC_DATA_PRAGMA
  64. #pragma const_seg("INITCONST")
  65. #pragma data_seg("INITDATA")
  66. #endif
  67. const PCHAR MiTriageActionStrings[] = {
  68. "Locked pages tracking",
  69. "System PTE usage tracking",
  70. "Making accesses to freed nonpaged pool cause bugchecks",
  71. "Driver Verifying Pre-Windows 2000 built drivers",
  72. "Keeping previous autotriage settings"
  73. };
  75. #if DBG
  76. ULONG MiTriageDebug = 0;
  77. BOOLEAN MiTriageRegardless = FALSE;
  78. #endif
  80. #ifdef ALLOC_DATA_PRAGMA
  81. #pragma const_seg()
  82. #pragma data_seg()
  83. #endif
  85. //
  86. // N.B. The debugger references this.
  87. //
  89. ULONG MmTriageActionTaken;
  91. //
  92. // The Version number must be incremented whenever the MI_TRIAGE_STORAGE
  93. // structure is changed. This enables usermode programs to decode the Mm
  94. // portions of triage dumps regardless of which kernel revision created the
  95. // dump.
  96. //
  98. typedef struct _MI_TRIAGE_STORAGE {
  99. ULONG Version;
  100. ULONG Size;
  101. ULONG MmSpecialPoolTag;
  102. ULONG MiTriageActionTaken;
  104. ULONG MmVerifyDriverLevel;
  105. ULONG KernelVerifier;
  106. ULONG_PTR MmMaximumNonPagedPool;
  107. ULONG_PTR MmAllocatedNonPagedPool;
  109. ULONG_PTR PagedPoolMaximum;
  110. ULONG_PTR PagedPoolAllocated;
  112. ULONG_PTR CommittedPages;
  113. ULONG_PTR CommittedPagesPeak;
  114. ULONG_PTR CommitLimitMaximum;
  116. } MI_TRIAGE_STORAGE, *PMI_TRIAGE_STORAGE;
  118. PKLDR_DATA_TABLE_ENTRY
  119. TriageGetLoaderEntry (
  120. IN PVOID TriageDumpBlock,
  121. IN ULONG ModuleIndex
  122. );
  124. LOGICAL
  125. TriageActUpon(
  126. IN PVOID TriageDumpBlock
  127. );
  129. PVOID
  130. TriageGetMmInformation (
  131. IN PVOID TriageDumpBlock
  132. );
  135. LOGICAL
  136. MiTriageSystem (
  137. IN PLOADER_PARAMETER_BLOCK LoaderBlock
  138. )
  140. /*++
  142. Routine Description:
  144. This routine takes the information from the last bugcheck (if any)
  145. and triages it. Various debugging options are then automatically
  146. enabled.
  148. Arguments:
  150. LoaderBlock - Supplies a pointer to the system loader block.
  152. Return Value:
  154. TRUE if triaging succeeded and options were enabled. FALSE otherwise.
  156. --*/
  158. {
  159. PVOID TriageDumpBlock;
  160. ULONG_PTR BugCheckData[5];
  161. ULONG i;
  162. ULONG ModuleCount;
  163. NTSTATUS Status;
  164. PLIST_ENTRY NextEntry;
  165. PKLDR_DATA_TABLE_ENTRY DataTableEntry;
  166. PKLDR_DATA_TABLE_ENTRY DumpTableEntry;
  167. LOGICAL Matched;
  168. ULONG OldDrivers;
  169. ULONG OldDriversNotVerifying;
  170. PMI_TRIAGE_STORAGE TriageInformation;
  172. if (LoaderBlock->Extension == NULL) {
  173. return FALSE;
  174. }
  176. if (LoaderBlock->Extension->Size < sizeof (LOADER_PARAMETER_EXTENSION)) {
  177. return FALSE;
  178. }
  180. TriageDumpBlock = LoaderBlock->Extension->TriageDumpBlock;
  182. Status = TriageGetBugcheckData (TriageDumpBlock,
  183. (PULONG)&BugCheckData[0],
  184. (PUINT_PTR) &BugCheckData[1],
  185. (PUINT_PTR) &BugCheckData[2],
  186. (PUINT_PTR) &BugCheckData[3],
  187. (PUINT_PTR) &BugCheckData[4]);
  189. if (!NT_SUCCESS (Status)) {
  190. return FALSE;
  191. }
  193. //
  194. // Always display at least the bugcheck data from the previous crash.
  195. //
  197. DbgPrint ("MiTriageSystem: Previous bugcheck was %x %p %p %p %p\n",
  198. BugCheckData[0],
  199. BugCheckData[1],
  200. BugCheckData[2],
  201. BugCheckData[3],
  202. BugCheckData[4]);
  204. if (TriageActUpon (TriageDumpBlock) == FALSE) {
  205. DbgPrint ("MiTriageSystem: Triage disabled in registry by administrator\n");
  206. return FALSE;
  207. }
  209. DbgPrint ("MiTriageSystem: Triage ENABLED in registry by administrator\n");
  211. //
  212. // See if the previous bugcheck was one where action can be taken.
  213. // If not, bail now. If so, then march on and verify all the loaded
  214. // module checksums before actually taking action on the bugcheck.
  215. //
  217. if (!MI_CAN_TRIAGE_BUGCHECK(BugCheckData[0])) {
  218. return FALSE;
  219. }
  221. TriageInformation = (PMI_TRIAGE_STORAGE) TriageGetMmInformation (TriageDumpBlock);
  223. if (TriageInformation == NULL) {
  224. return FALSE;
  225. }
  227. Status = TriageGetDriverCount (TriageDumpBlock, &ModuleCount);
  229. if (!NT_SUCCESS (Status)) {
  230. return FALSE;
  231. }
  233. //
  234. // Process module information from the triage dump.
  235. //
  237. #if DBG
  238. if (MiTriageDebug & 0x1) {
  239. DbgPrint ("MiTriageSystem: printing active drivers from triage crash...\n");
  240. }
  241. #endif
  243. OldDrivers = 0;
  244. OldDriversNotVerifying = 0;
  246. for (i = 0; i < ModuleCount; i += 1) {
  248. DumpTableEntry = TriageGetLoaderEntry (TriageDumpBlock, i);
  250. if (DumpTableEntry != NULL) {
  252. if ((DumpTableEntry->Flags & LDRP_ENTRY_NATIVE) == 0) {
  253. OldDrivers += 1;
  254. if ((DumpTableEntry->Flags & LDRP_IMAGE_VERIFYING) == 0) {
  256. //
  257. // An NT3 or NT4 driver is in the system and was not
  258. // running under the verifier.
  259. //
  261. OldDriversNotVerifying += 1;
  262. }
  263. }
  264. #if DBG
  265. if (MiTriageDebug & 0x1) {
  267. DbgPrint (" %wZ: base = %p, size = %lx, flags = %lx\n",
  268. &DumpTableEntry->BaseDllName,
  269. DumpTableEntry->DllBase,
  270. DumpTableEntry->SizeOfImage,
  271. DumpTableEntry->Flags);
  272. }
  273. #endif
  274. }
  275. }
  277. //
  278. // Ensure that every driver that is currently loaded is identical to
  279. // the one in the triage dump before proceeding.
  280. //
  282. NextEntry = LoaderBlock->LoadOrderListHead.Flink;
  284. while (NextEntry != &LoaderBlock->LoadOrderListHead) {
  286. DataTableEntry = CONTAINING_RECORD(NextEntry,
  287. KLDR_DATA_TABLE_ENTRY,
  288. InLoadOrderLinks);
  290. Matched = FALSE;
  292. for (i = 0; i < ModuleCount; i += 1) {
  294. DumpTableEntry = TriageGetLoaderEntry (TriageDumpBlock, i);
  296. if (DumpTableEntry != NULL) {
  298. if (DataTableEntry->CheckSum == DumpTableEntry->CheckSum) {
  299. Matched = TRUE;
  300. break;
  301. }
  302. }
  303. }
  305. if (Matched == FALSE) {
  306. DbgPrint ("Matching checksum for module %wZ not found in triage dump\n",
  307. &DataTableEntry->BaseDllName);
  309. #if DBG
  310. if (MiTriageRegardless == FALSE)
  311. #endif
  312. return FALSE;
  313. }
  315. NextEntry = NextEntry->Flink;
  316. }
  318. #if DBG
  319. if (MiTriageDebug & 0x1) {
  320. DbgPrint ("MiTriageSystem: OldDrivers = %u, without verification =%u\n",
  321. OldDrivers,
  322. OldDriversNotVerifying);
  323. }
  324. #endif
  326. //
  327. // All boot loaded drivers matched, take action on the triage dump now.
  328. //
  330. if (MI_HOLD_TRIAGE_BUGCHECK(BugCheckData[0])) {
  332. //
  333. // The last bugcheck was presumably triggered by either autotriage or
  334. // the admin's registry settings - so don't apply any new rules
  335. // and in addition, keep the old ones unaltered so it can reproduce.
  336. //
  338. MmTriageActionTaken = TriageInformation->MiTriageActionTaken;
  339. MmTriageActionTaken |= MI_KEEPING_PREVIOUS_SETTINGS;
  340. }
  341. else {
  343. switch (BugCheckData[0]) {
  345. case DRIVER_CORRUPTED_SYSPTES:
  347. //
  348. // Turn on PTE tracking to trigger a SYSTEM_PTE_MISUSE bugcheck.
  349. //
  351. MmTriageActionTaken |= MI_TRACKING_PTES;
  352. break;
  354. case NO_MORE_SYSTEM_PTES:
  356. //
  357. // Turn on PTE tracking so the driver can be identified via a
  358. // DRIVER_USED_EXCESSIVE_PTES bugcheck.
  359. //
  361. if (BugCheckData[1] == SystemPteSpace) {
  362. MmTriageActionTaken |= MI_TRACKING_PTES;
  363. }
  364. break;
  366. case BAD_POOL_HEADER:
  367. case DRIVER_CORRUPTED_EXPOOL:
  369. //
  370. // Turn on the driver verifier and/or special pool.
  371. // Start by enabling it for every driver that isn't built for NT5.
  372. // Override any specified driver verifier options so that only
  373. // special pool is enabled to minimize the performance hit.
  374. //
  376. if (OldDrivers != 0) {
  377. if (OldDriversNotVerifying != 0) {
  378. MmTriageActionTaken |= MI_VERIFYING_PRENT5_DRIVERS;
  379. }
  380. }
  382. break;
  384. case DRIVER_CORRUPTED_MMPOOL:
  386. //
  387. // Protect freed nonpaged pool if the system had less than 128mb
  388. // of nonpaged pool anyway. This is to trigger a
  389. // DRIVER_CAUGHT_MODIFYING_FREED_POOL bugcheck.
  390. //
  392. #define MB128 ((ULONG_PTR)0x80000000 >> PAGE_SHIFT)
  394. if (TriageInformation->MmMaximumNonPagedPool < MB128) {
  395. MmTriageActionTaken |= MI_PROTECT_FREED_NONPAGED_POOL;
  396. }
  397. break;
  399. case IRQL_NOT_LESS_OR_EQUAL:
  400. case DRIVER_IRQL_NOT_LESS_OR_EQUAL:
  401. default:
  402. break;
  403. }
  404. }
  406. //
  407. // For now always show if action was taken from the bugcheck
  408. // data from the crash. This print and the space for the print strings
  409. // will be enabled for checked builds only prior to shipping.
  410. //
  412. if (MmTriageActionTaken != 0) {
  414. if (MmTriageActionTaken & MI_TRACKING_PTES) {
  415. MmTrackPtes |= 0x1;
  416. }
  418. if (MmTriageActionTaken & MI_VERIFYING_PRENT5_DRIVERS) {
  419. MmVerifyDriverLevel &= ~DRIVER_VERIFIER_FORCE_IRQL_CHECKING;
  420. MmVerifyDriverLevel |= DRIVER_VERIFIER_SPECIAL_POOLING;
  421. }
  423. if (MmTriageActionTaken & MI_PROTECT_FREED_NONPAGED_POOL) {
  424. MmProtectFreedNonPagedPool = TRUE;
  425. }
  427. DbgPrint ("MiTriageSystem: enabling options below to find who caused the last crash\n");
  429. for (i = 0; i < 32; i += 1) {
  430. if (MmTriageActionTaken & (1 << i)) {
  431. DbgPrint (" %s\n", MiTriageActionStrings[i]);
  432. }
  433. }
  434. }
  436. return TRUE;
  437. }
  440. LOGICAL
  441. MiTriageAddDrivers (
  442. IN PLOADER_PARAMETER_BLOCK LoaderBlock
  443. )
  445. /*++
  447. Routine Description:
  449. This routine moves the names of any drivers that autotriage has determined
  450. need verifying from the LoaderBlock into pool.
  452. Arguments:
  454. LoaderBlock - Supplies a pointer to the system loader block.
  456. Return Value:
  458. TRUE if any drivers were added, FALSE if not.
  460. --*/
  462. {
  463. ULONG i;
  464. ULONG ModuleCount;
  465. NTSTATUS Status;
  466. PKLDR_DATA_TABLE_ENTRY DumpTableEntry;
  467. PVOID TriageDumpBlock;
  468. ULONG NameLength;
  469. LOGICAL Added;
  470. PMI_VERIFIER_DRIVER_ENTRY VerifierDriverEntry;
  472. if ((MmTriageActionTaken & MI_VERIFYING_PRENT5_DRIVERS) == 0) {
  473. return FALSE;
  474. }
  476. TriageDumpBlock = LoaderBlock->Extension->TriageDumpBlock;
  478. Status = TriageGetDriverCount (TriageDumpBlock, &ModuleCount);
  480. if (!NT_SUCCESS (Status)) {
  481. return FALSE;
  482. }
  484. Added = FALSE;
  486. for (i = 0; i < ModuleCount; i += 1) {
  488. DumpTableEntry = TriageGetLoaderEntry (TriageDumpBlock, i);
  490. if (DumpTableEntry == NULL) {
  491. continue;
  492. }
  494. if (DumpTableEntry->Flags & LDRP_ENTRY_NATIVE) {
  495. continue;
  496. }
  498. DbgPrint ("MiTriageAddDrivers: Marking %wZ for verification when it is loaded\n", &DumpTableEntry->BaseDllName);
  500. NameLength = DumpTableEntry->BaseDllName.Length;
  502. VerifierDriverEntry = (PMI_VERIFIER_DRIVER_ENTRY)ExAllocatePoolWithTag (
  503. NonPagedPool,
  504. sizeof (MI_VERIFIER_DRIVER_ENTRY) +
  505. NameLength,
  506. 'dLmM');
  508. if (VerifierDriverEntry == NULL) {
  509. continue;
  510. }
  512. VerifierDriverEntry->Loads = 0;
  513. VerifierDriverEntry->Unloads = 0;
  514. VerifierDriverEntry->BaseName.Buffer = (PWSTR)((PCHAR)VerifierDriverEntry +
  515. sizeof (MI_VERIFIER_DRIVER_ENTRY));
  517. VerifierDriverEntry->BaseName.Length = (USHORT)NameLength;
  518. VerifierDriverEntry->BaseName.MaximumLength = (USHORT)NameLength;
  520. RtlCopyMemory (VerifierDriverEntry->BaseName.Buffer,
  521. DumpTableEntry->BaseDllName.Buffer,
  522. NameLength);
  524. InsertHeadList (&MiSuspectDriverList, &VerifierDriverEntry->Links);
  525. Added = TRUE;
  526. }
  528. return Added;
  529. }
  531. #define MAX_UNLOADED_NAME_LENGTH 24
  533. typedef struct _DUMP_UNLOADED_DRIVERS {
  534. UNICODE_STRING Name;
  535. WCHAR DriverName[MAX_UNLOADED_NAME_LENGTH / sizeof (WCHAR)];
  536. PVOID StartAddress;
  537. PVOID EndAddress;
  538. } DUMP_UNLOADED_DRIVERS, *PDUMP_UNLOADED_DRIVERS;
  541. ULONG
  542. MmSizeOfUnloadedDriverInformation (
  543. VOID
  544. )
  546. /*++
  548. Routine Description:
  550. This routine returns the size of the Mm-internal unloaded driver
  551. information that is stored in the triage dump when (if?) the system crashes.
  553. Arguments:
  555. None.
  557. Return Value:
  559. Size of the Mm-internal unloaded driver information.
  561. --*/
  563. {
  564. if (MmUnloadedDrivers == NULL) {
  565. return sizeof (ULONG_PTR);
  566. }
  568. return sizeof(ULONG_PTR) + MI_UNLOADED_DRIVERS * sizeof(DUMP_UNLOADED_DRIVERS);
  569. }
  572. VOID
  573. MmWriteUnloadedDriverInformation (
  574. IN PVOID Destination
  575. )
  577. /*++
  579. Routine Description:
  581. This routine stores the Mm-internal unloaded driver information into
  582. the triage dump.
  584. Arguments:
  586. None.
  588. Return Value:
  590. None.
  592. --*/
  594. {
  595. ULONG i;
  596. ULONG Index;
  597. PUNLOADED_DRIVERS Unloaded;
  598. PDUMP_UNLOADED_DRIVERS DumpUnloaded;
  600. if (MmUnloadedDrivers == NULL) {
  601. *(PULONG)Destination = 0;
  602. }
  603. else {
  605. DumpUnloaded = (PDUMP_UNLOADED_DRIVERS)((PULONG_PTR)Destination + 1);
  606. Unloaded = MmUnloadedDrivers;
  608. //
  609. // Write the list with the most recently unloaded driver first to the
  610. // least recently unloaded driver last.
  611. //
  613. Index = MmLastUnloadedDriver - 1;
  615. for (i = 0; i < MI_UNLOADED_DRIVERS; i += 1) {
  617. if (Index >= MI_UNLOADED_DRIVERS) {
  618. Index = MI_UNLOADED_DRIVERS - 1;
  619. }
  621. Unloaded = &MmUnloadedDrivers[Index];
  623. DumpUnloaded->Name = Unloaded->Name;
  625. if (Unloaded->Name.Buffer == NULL) {
  626. break;
  627. }
  629. DumpUnloaded->StartAddress = Unloaded->StartAddress;
  630. DumpUnloaded->EndAddress = Unloaded->EndAddress;
  632. if (DumpUnloaded->Name.Length > MAX_UNLOADED_NAME_LENGTH) {
  633. DumpUnloaded->Name.Length = MAX_UNLOADED_NAME_LENGTH;
  634. }
  636. if (DumpUnloaded->Name.MaximumLength > MAX_UNLOADED_NAME_LENGTH) {
  637. DumpUnloaded->Name.MaximumLength = MAX_UNLOADED_NAME_LENGTH;
  638. }
  640. DumpUnloaded->Name.Buffer = DumpUnloaded->DriverName;
  642. RtlCopyMemory ((PVOID)DumpUnloaded->Name.Buffer,
  643. (PVOID)Unloaded->Name.Buffer,
  644. DumpUnloaded->Name.MaximumLength);
  646. DumpUnloaded += 1;
  647. Index -= 1;
  648. }
  650. *(PULONG)Destination = i;
  651. }
  652. }
  655. ULONG
  656. MmSizeOfTriageInformation (
  657. VOID
  658. )
  660. /*++
  662. Routine Description:
  664. This routine returns the size of the Mm-internal information that is
  665. stored in the triage dump when (if?) the system crashes.
  667. Arguments:
  669. None.
  671. Return Value:
  673. Size of the Mm-internal triage information.
  675. --*/
  677. {
  678. return sizeof (MI_TRIAGE_STORAGE);
  679. }
  682. VOID
  683. MmWriteTriageInformation (
  684. IN PVOID Destination
  685. )
  687. /*++
  689. Routine Description:
  691. This routine stores the Mm-internal information into the triage dump.
  693. Arguments:
  695. None.
  697. Return Value:
  699. None.
  701. --*/
  703. {
  704. MI_TRIAGE_STORAGE TriageInformation;
  706. TriageInformation.Version = 1;
  707. TriageInformation.Size = sizeof (MI_TRIAGE_STORAGE);
  709. TriageInformation.MmSpecialPoolTag = MmSpecialPoolTag;
  710. TriageInformation.MiTriageActionTaken = MmTriageActionTaken;
  712. TriageInformation.MmVerifyDriverLevel = MmVerifierData.Level;
  713. TriageInformation.KernelVerifier = KernelVerifier;
  715. TriageInformation.MmMaximumNonPagedPool = MmMaximumNonPagedPoolInBytes >> PAGE_SHIFT;
  716. TriageInformation.MmAllocatedNonPagedPool = MmAllocatedNonPagedPool;
  718. TriageInformation.PagedPoolMaximum = MmSizeOfPagedPoolInBytes >> PAGE_SHIFT;
  719. TriageInformation.PagedPoolAllocated = MmPagedPoolInfo.AllocatedPagedPool;
  721. TriageInformation.CommittedPages = MmTotalCommittedPages;
  722. TriageInformation.CommittedPagesPeak = MmPeakCommitment;
  723. TriageInformation.CommitLimitMaximum = MmTotalCommitLimitMaximum;
  725. RtlCopyMemory (Destination,
  726. (PVOID)&TriageInformation,
  727. sizeof (MI_TRIAGE_STORAGE));
  728. }