又遇到一个很好玩的内核资源泄漏样本,分享一下。
某台WinXP sp3系统出现了死机现象,该现象是在安装了我的驱动后才出现的,第一反应是“MD,怎么又泄漏了”。
以下是分析过程:
!poolused的输出
0: kd> !poolused 2
Sorting by NonPaged Pool Consumed
NonPaged Paged
Tag Allocs Used Allocs Used
tsni 62403 33947232 0 0 UNKNOWN pooltag 'tsni', please update pooltag.txt
FMvo 21652 21825376 0 0 FLT_VOLUME structure , Binary: fltmgr.sys
SBcx 10828 11780864 0 0 UNKNOWN pooltag 'SBcx', please update pooltag.txt
Devi 32861 10905648 0 0 Device objects
FMis 10841 6503328 0 0 FLT_INSTANCE structure , Binary: fltmgr.sys
Drti 10844 5899136 0 0 UNKNOWN pooltag 'Drti', please update pooltag.txt
FMrr 21682 2425184 0 0 Per-processor Cache-aware rundown ref structure , Binary: fltmgr.sys
FMct 10841 2339864 0 0 TRACK_COMPLETION_NODES structure , Binary: fltmgr.sys
Tef2 220 2242016 0 0 UNKNOWN pooltag 'Tef2', please update pooltag.txt
WPSd 278 1677896 0 0 UNKNOWN pooltag 'WPSd', please update pooltag.txt
MmCm 30 963440 0 0 Calls made to MmAllocateContiguousMemory , Binary: nt!mm
Pp 10822 779184 287 33456 UNKNOWN pooltag 'Pp ', please update pooltag.txt
DmaB 34 729088 0 0 UNKNOWN pooltag 'DmaB', please update pooltag.txt
Io 16786 693632 156 6480 general IO allocations , Binary: nt!io
Thre 1033 661120 0 0 Thread objects , Binary: nt!ps
File 3038 465648 0 0 File objects
FMwi 10831 433240 0 0 Work item structures , Binary: fltmgr.sys
iAEC 183 361992 0 0 UNKNOWN pooltag 'iAEC', please update pooltag.txt
SEY4 2970 332752 0 0 UNKNOWN pooltag 'SEY4', please update pooltag.txt
可见fltmgr的卷相关资源占用特别严重(tag名以”FM”开头的几项,如”FMvo”和”FMi”等)
fltmgr.sys是微软的文件过滤驱动,一般可以排除由它导致资源泄漏的可能性。于是想到可能是基于fltmgr的minifilter驱动引起此故障。
于是继续列举系统中目前以存在的minifilter驱动。
!fltkd.filters的输出
0: kd> !fltkd.filters
Filter List: 8999805c "Frame 1"
FLT_FILTER: 897e5ba8 "SEyeFilter" "382020"
FLT_INSTANCE: 89965510 "SEyeFilter - Top Instance" "382020"
FLT_INSTANCE: 89964b50 "SEyeFilter - Top Instance" "382020"
FLT_FILTER: 89e8be68 "SPBBCDrv" "365100"
FLT_INSTANCE: 89987420 "SPBBCDrv" "365100"
FLT_INSTANCE: 89984008 "SPBBCDrv" "365100"
FLT_FILTER: 89e4aba8 "eeCtrl" "329010"
FLT_INSTANCE: 89ec5c28 "eeCtrl" "329010"
FLT_INSTANCE: 899ba008 "eeCtrl" "329010"
FLT_FILTER: 89ab9568 "SRTSP" "329000"
FLT_INSTANCE: 89981de0 "SRTSP" "329000"
FLT_INSTANCE: 89982270 "SRTSP" "329000"
FLT_INSTANCE: 896dd780 "SRTSP" "329000"
FLT_INSTANCE: 896be9d8 "SRTSP" "329000"
FLT_FILTER: 893e0e30 "vfsmfd" "263410"
FLT_INSTANCE: 893f6008 "VEAI" "263400"
FLT_INSTANCE: 89649008 "VEAI" "263400"
FLT_INSTANCE: 895ee008 "VEAI" "263400"
FLT_INSTANCE: 895f0008 "VEAI" "263400"
FLT_INSTANCE: 893f67c0 "Default" "263410"
FLT_FILTER: 8971bb58 "WavxDMgr" "145300"
FLT_INSTANCE: 89cf58b0 "WavxDMgr Instance" "145300"
FLT_INSTANCE: 8997b400 "WavxDMgr Instance" "145300"
FLT_INSTANCE: 896de608 "WavxDMgr Instance" "145300"
FLT_INSTANCE: 896d7998 "WavxDMgr Instance" "145300"
FLT_INSTANCE: 89230cf0 "WavxDMgr Instance" "145300"
FLT_INSTANCE: 87018878 "WavxDMgr Instance" "145300"
FLT_INSTANCE: 870076a8 "WavxDMgr Instance" "145300"
FLT_INSTANCE: 87018b30 "WavxDMgr Instance" "145300"
FLT_INSTANCE: 870032d0 "WavxDMgr Instance" "145300"
FLT_INSTANCE: 8700e970 "WavxDMgr Instance" "145300"
FLT_INSTANCE: 87003008 "WavxDMgr Instance" "145300"
FLT_INSTANCE: 87003580 "WavxDMgr Instance" "145300"
FLT_INSTANCE: 86fffdb0 "WavxDMgr Instance" "145300"
FLT_INSTANCE: 86ff02d0 "WavxDMgr Instance" "145300"
... 省略若干重复输出
发现WavxDmgr这个minifilter对卷设备进行了上万次的挂载(有上万条“FLT_INSTANCE: XXXXXXXX “WavxDMgr Instance” “145300””),
因此占用了大量的Nonpaged Pool资源。有理由猜测某种操作触发了WavxDmgr的BUG,导致它疯狂的进行挂载操作,最终导致系统资源耗尽而死机。
以“WavxDmgr”为关键字搜索,可以找到这么一篇文章:Novell ZENworks 11 SP2
其中有一段相关的说明:
2.6.3 数据加密与 Tablet PC 上的 Dell ControlPoint Security Manager 不兼容
如果将数据加密策略应用到使用 Dell ControlPoint Security Manager 的 Tablet PC,设备将无法重引导到操作系统。
此问题是因 Dell ControlPoint Security Manager 驱动程序 (WavxDMgr.sys) 过渡使用文件系统堆栈所致。对于任何使用名称解析且晚于该安全管理器驱动程序装载的文件系统过滤器驱动程序,都可能会发生同样的结果。
而我的驱动正好符合“使用名称解析且晚于该安全管理器驱动程序装载的文件系统过滤器驱动程序”,于是触发了WavxDmgr的资源泄漏BUG。
验证
0: kd> !for_each_module s -a @#Base @#End "tsni"
a7e0f300 74 73 6e 69 14 02 00 00-68 c9 54 80 50 c9 54 80 tsni....h.T.P.T.
a7e10ba3 74 73 6e 69 68 14 02 00-00 53 53 53 68 e0 f2 e0 tsnih....SSSh...
0: kd> lm a a7e0f300
start end module name
a7ddb000 a7e14180 WavxDMgr (deferred)
0: kd> lm a a7e10ba3
start end module name
a7ddb000 a7e14180 WavxDMgr (deferred)
0: kd> !for_each_module s -a @#Base @#End "SBcx"
a7e0e114 53 42 63 78 00 00 00 00-00 00 00 00 00 00 00 00 SBcx............
0: kd> lm a a7e0e114
start end module name
a7ddb000 a7e14180 WavxDMgr (deferred)
0: kd> !for_each_module s -a @#Base @#End "Drti"
a7dde5ad 44 72 74 69 68 18 02 00-00 6a 00 ff 15 e8 df e0 Drtih....j......
0: kd> lm a a7dde5ad
start end module name
a7ddb000 a7e14180 WavxDMgr (deferred)
就是这厮!