BSOD when uninstalling the driver (race condition) #58

Closed
aserdean opened this issue Nov 25, 2014 · 1 comment
@aserdean

Providing stack trace and analysis of the issue:

kd> k
Child-SP RetAddr Call Site
ffffd00026166af8 fffff802dde5e7c6 nt!DbgBreakPointWithStatus
ffffd00026166b00 fffff802dde5e0d7 nt!KiBugCheckDebugBreak+0x12
ffffd00026166b60 fffff802dddd51a4 nt!KeBugCheck2+0x8ab
ffffd00026167270 fffff802ddde0be9 nt!KeBugCheckEx+0x104
ffffd000261672b0 fffff802ddddf43a nt!KiBugCheckDispatch+0x69
ffffd000261673f0 fffff800024cb4d4 nt!KiPageFault+0x23a
ffffd00026167580 fffff800024cc3ef OVSExt!OvsDoDumpFlows+0xa0 [c:\work\ovs\datapath-windows\ovsext\flow.c @ 2015]
ffffd000261675e0 fffff800024d134c OVSExt!_FlowNlDumpCmdHandler+0x197 [c:\work\ovs\datapath-windows\ovsext\flow.c @ 590]
ffffd00026167740 fffff800024e128f OVSExt!InvokeNetlinkCmdHandler+0x6c [c:\work\ovs\datapath-windows\ovsext\datapath.c @ 952]
ffffd00026167770 fffff8000053bc18 OVSExt!OvsDeviceControl+0x263 [c:\work\ovs\datapath-windows\ovsext\datapath.c @ 862]
ffffd00026167840 fffff802de04f395 NDIS!ndisDummyIrpHandler+0x88
ffffd00026167870 fffff802de04fd2a nt!IopXxxControlFile+0x845
ffffd00026167a20 fffff802ddde08b3 nt!NtDeviceIoControlFile+0x56
ffffd00026167a90 00000000775a2772 nt!KiSystemServiceCopyEnd+0x13
00000000009eee88 00000000775a2371 wow64cpu!CpupSyscallStub+0x2
00000000009eee90 00000000775c323a wow64cpu!DeviceIoctlFileFault+0x31
00000000009eef40 00000000775c317e wow64!RunCpuSimulation+0xa
00000000009eef90 00007ffbc1ca6bd0 wow64!Wow64LdrpInitialize+0x172
00000000009ef4d0 00007ffbc1ca6aa6 ntdll!_LdrpInitialize+0xd8
00000000009ef540 0000000000000000 ntdll!LdrInitializeThunk+0xe
kd> !analyze -v


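*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************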

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff800024cb4d4, address which referenced memory

Debugging Details:

"KERNEL32.DLL" was not found in the image list.
Debugger will attempt to load "KERNEL32.DLL" at given base 00000000`00000000.

Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=,.
Unable to add module at 00000000`00000000

READ_ADDRESS: 0000000000000000

CURRENT_IRQL: 2

FAULTING_IP:
OVSExt!OvsDoDumpFlows+a0 [c:\work\ovs\datapath-windows\ovsext\flow.c @ 2015]
fffff800`024cb4d4 488b18 mov rbx,qword ptr [rax]

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: ovs-vswitchd.e

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

TRAP_FRAME: ffffd000261673f0 -- (.trap 0xffffd000261673f0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=ffffd000261675e0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800024cb4d4 rsp=ffffd00026167580 rbp=0000000000000000
r8=ffffd00026167601 r9=0000000000000000 r10=00000000c000000d
r11=ffffd000261677b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
OVSExt!OvsDoDumpFlows+0xa0:
fffff800024cb4d4 488b18 mov rbx,qword ptr [rax] ds:0000000000000000=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff802dde5e7c6 to fffff802ddddbc90

STACK_TEXT:
ffffd00026166af8 fffff802dde5e7c6 : 0000000000000000 0000000000000000 ffffd00026166c60 fffff802ddd83654 : nt!DbgBreakPointWithStatus
ffffd00026166b00 fffff802dde5e0d7 : 0000000000000003 ffffd00026166c60 fffff802ddde3070 00000000000000d1 : nt!KiBugCheckDebugBreak+0x12
ffffd00026166b60 fffff802dddd51a4 : 0000000000000000 0000000000000001 fffff6fb00000000 ffffd00026e00000 : nt!KeBugCheck2+0x8ab
ffffd00026167270 fffff802ddde0be9 : 000000000000000a 0000000000000000 0000000000000002 0000000000000000 : nt!KeBugCheckEx+0x104
ffffd000261672b0 fffff802ddddf43a : 0000000000000000 0000000000000000 ffffe00003cdbf00 ffffd000261673f0 : nt!KiBugCheckDispatch+0x69
ffffd000261673f0 fffff800024cb4d4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiPageFault+0x23a
ffffd00026167580 fffff800024cc3ef : 0000000000010300 0000000000000000 0000000000000002 ffffe00003e35e90 : OVSExt!OvsDoDumpFlows+0xa0 [c:\work\ovs\datapath-windows\ovsext\flow.c @ 2015]
ffffd000261675e0 fffff800024d134c : ffffe00000000001 ffffd000261677a0 0000000000000004 fffff68000000010 : OVSExt!_FlowNlDumpCmdHandler+0x197 [c:\work\ovs\datapath-windows\ovsext\flow.c @ 590]
ffffd00026167740 fffff800024e128f : fffff800024de2c0 0000000000010000 0000000000000000 fffff802ddce5d64 : OVSExt!InvokeNetlinkCmdHandler+0x6c [c:\work\ovs\datapath-windows\ovsext\datapath.c @ 952]
ffffd00026167770 fffff8000053bc18 : ffffe000020fa010 00000000afc84402 ffffe000020f43b0 ffffe000020fa010 : OVSExt!OvsDeviceControl+0x263 [c:\work\ovs\datapath-windows\ovsext\datapath.c @ 862]
ffffd00026167840 fffff802de04f395 : ffffe000020fa010 0000000000000001 ffffe00001851ac0 000000000000000e : NDIS!ndisDummyIrpHandler+0x88
ffffd00026167870 fffff802de04fd2a : ffffd00026167a38 00000000775a1f30 0000000000000001 0000000000000000 : nt!IopXxxControlFile+0x845
ffffd00026167a20 fffff802ddde08b3 : ffffe00003c9c080 ffffd000001f0003 00000000009ee588 fffff80200000001 : nt!NtDeviceIoControlFile+0x56
ffffd00026167a90 00000000775a2772 : 00000000775a2371 000000237763b66c 0000000000000023 00000000000000ff : nt!KiSystemServiceCopyEnd+0x13
00000000009eee88 00000000775a2371 : 000000237763b66c 0000000000000023 00000000000000ff 000000000112fd78 : wow64cpu!CpupSyscallStub+0x2
00000000009eee90 00000000775c323a : 0000000000000000 00000000775a1503 0000000000000000 00000000775c3420 : wow64cpu!DeviceIoctlFileFault+0x31
00000000009eef40 00000000775c317e : 0000000000000000 0000000000000000 00000000009efd30 00000000009ef590 : wow64!RunCpuSimulation+0xa
00000000009eef90 00007ffbc1ca6bd0 : 0000000000000000 0000000000000000 000000007e2d4000 0000000000000000 : wow64!Wow64LdrpInitialize+0x172
00000000009ef4d0 00007ffbc1ca6aa6 : 00000000009ef590 0000000000000000 0000000000000000 000000007e2d4000 : ntdll!_LdrpInitialize+0xd8
00000000009ef540 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!LdrInitializeThunk+0xe

STACK_COMMAND: kb

FOLLOWUP_IP:
OVSExt!OvsDoDumpFlows+a0 [c:\work\ovs\datapath-windows\ovsext\flow.c @ 2015]
fffff800`024cb4d4 488b18 mov rbx,qword ptr [rax]

FAULTING_SOURCE_LINE: c:\work\ovs\datapath-windows\ovsext\flow.c

FAULTING_SOURCE_FILE: c:\work\ovs\datapath-windows\ovsext\flow.c

FAULTING_SOURCE_LINE_NUMBER: 2015

FAULTING_SOURCE_CODE:
2011:     ASSERT(KeGetCurrentIrql() == DISPATCH_LEVEL);
2012:     OvsAcquireDatapathRead(datapath, &dpLockState, TRUE);
2013:
2014:     head = &datapath->flowTable[rowIndex];
2015:     node = head->Flink;
2016:
2017:     while (column < columnIndex) {
2018:         if (node == head) {
2019:             break;
2020:         }

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: OVSExt!OvsDoDumpFlows+a0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: OVSExt

IMAGE_NAME: OVSExt.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 54738f8a

BUCKET_ID_FUNC_OFFSET: a0

FAILURE_BUCKET_ID: AV_OVSExt!OvsDoDumpFlows

BUCKET_ID: AV_OVSExt!OvsDoDumpFlows

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:av_ovsext!ovsdodumpflows

FAILURE_ID_HASH: {c54c24d9-99fe-6cd5-9aec-e9bf0723059e}

Followup: MachineOwner

kd> ??&gOvsSwitchContext->datapath
struct _OVS_DATAPATH * 0xffffe00003e35f08
   +0x000 flowTable : (null)
   +0x008 nFlows : 0
   +0x010 hits : 0x19bb3
   +0x018 misses : 0xdb05
   +0x020 lost : 0
   +0x028 lock : 0xffffe000018246d0 _NDIS_RW_LOCK_EX

@aserdean aserdean assigned aserdean and unassigned svinturis Jan 6, 2015
@svinturis svinturis assigned svinturis and unassigned aserdean Mar 25, 2015
shettyg pushed a commit to openvswitch/ovs that referenced this issue Apr 7, 2015
…ition)

The BSOD occurred because the FilterAttach routine released the switch
context, while there were IRPs in processing.

The solution was to add a reference count to prevent premature deallocation of the
global switch context structure, gOvsSwitchContext.

Signed-off-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Reported-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Reported-at: openvswitch/ovs-issues#58
Acked-by: Eitan Eliahu <eliahue@vmware.com>
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
@svinturis

Bug fixed by the above patch. Closed.
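
The reference-count guard that the commit message describes, modeled in user-space C11 as an added example; this is not the OVS patch or any code from the project. All names (`switch_ctx`, `ctx_attach`, `ctx_acquire`, `ctx_release`, `ctx_detach`, `g_refs`) are hypothetical, and the interleaving of an in-flight request with teardown is simulated sequentially in `main`.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the switch context and its flow table. */
typedef struct { int *flow_table; size_t rows; } switch_ctx;

static switch_ctx *g_ctx;      /* plays the role of gOvsSwitchContext */
static atomic_long g_refs;     /* lives outside the context, so it outlasts it */
static int g_frees;            /* counts deallocations, for the checks below */

bool ctx_attach(size_t rows) {
    switch_ctx *c = malloc(sizeof *c);
    if (!c) return false;
    c->flow_table = calloc(rows, sizeof *c->flow_table);
    if (!c->flow_table) { free(c); return false; }
    c->rows = rows;
    g_ctx = c;
    atomic_store(&g_refs, 1);  /* reference owned by the attach path */
    return true;
}

/* Request path: succeed only while the count is non-zero. */
switch_ctx *ctx_acquire(void) {
    long n = atomic_load(&g_refs);
    while (n > 0)
        if (atomic_compare_exchange_weak(&g_refs, &n, n + 1)) return g_ctx;
    return NULL;               /* teardown completed: fail the request */
}

void ctx_release(void) {
    if (atomic_fetch_sub(&g_refs, 1) != 1) return;
    switch_ctx *c = g_ctx;     /* last reference: nobody else can get in now */
    g_ctx = NULL;
    free(c->flow_table);
    free(c);
    g_frees++;
}

void ctx_detach(void) { ctx_release(); }  /* drops only the attach reference */

int main(void) {
    if (!ctx_attach(4)) return 1;
    switch_ctx *c = ctx_acquire();  /* request in flight */
    ctx_detach();                   /* uninstall races with it */
    int ok = c && g_frees == 0 && c->flow_table[0] == 0;
    ctx_release();                  /* request completes; memory freed here */
    return (ok && g_frees == 1 && !ctx_acquire()) ? 0 : 1;
}
```

Keeping the counter outside the freed structure means a late caller of `ctx_acquire` reads only static storage and gets `NULL` back, where the trace above shows a dump handler reading a `flowTable` that was already `(null)`.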
