A bug in vtss.sys

A bug in vtss.sys

There is a bug in vtss.sys - an attempt to close an invalid handle from the driver, the bug reveales itself only when the driver verifier is active. Mostly it is a nuisance as this bug should not have any impact on the system but the driver verifier must be disabled to use VTune 2013 as Microsoft considers this bug as a fatal error that should be fixed so the driver verifier crashes the system. The following is a crash analysis

 

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

INVALID_KERNEL_HANDLE (93)
This message occurs if kernel code (server, redirector, other driver, etc.)
attempts to close a handle that is not a valid handle.
Arguments:
Arg1: 0000000000000000, The handle that NtClose was called with.
Arg2: fffff8a0000018b0,
Arg3: 0000000000000000
Arg4: 0000000000000001

Debugging Details:
------------------

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x93

PROCESS_NAME: System

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from fffff80003bbc3c2 to fffff80003abd620

STACK_TEXT:
fffff880`02fd2da8 fffff800`03bbc3c2 : 00000000`00000000 fffffa80`03d1e040 00000000`00000065 fffff800`03b03b10 : nt!RtlpBreakWithStatusInstruction
fffff880`02fd2db0 fffff800`03bbd1ae : 00000000`00000003 00000000`00000000 fffff800`03b006d0 00000000`00000093 : nt!KiBugCheckDebugBreak+0x12
fffff880`02fd2e10 fffff800`03ac56c4 : 00000000`0000001c fffff980`1288efe0 00000000`00000000 00000000`00000000 : nt!KeBugCheck2+0x71e
fffff880`02fd34e0 fffff800`03d2261b : 00000000`00000093 00000000`00000000 fffff8a0`000018b0 00000000`00000000 : nt!KeBugCheckEx+0x104
fffff880`02fd3520 fffff800`03ac4813 : fffff880`02fd3600 00000000`00000000 00000000`00000000 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x51ce4
fffff880`02fd3620 fffff800`03ac0db0 : fffff880`1fe0d3ff 00000000`00000000 fffff800`03c54880 00000000`00240024 : nt!KiSystemServiceCopyEnd+0x13
fffff880`02fd3828 fffff880`1fe0d3ff : 00000000`00000000 fffff800`03c54880 00000000`00240024 fffffa80`0509d4a0 : nt!KiServiceLinkage
fffff880`02fd3830 fffff880`1fe10502 : 00000000`00000000 fffffa80`05184db0 00000000`746c6600 fffff880`02fd3970 : vtss+0x73ff
fffff880`02fd38a0 fffff800`03eadeb7 : fffffa80`05184db0 ffffffff`80001bf0 fffff980`1288efe0 00000000`00000001 : vtss+0xa502
fffff880`02fd39a0 fffff800`03eae2b5 : 00000000`00000010 00000000`00000000 00000000`00000010 00000000`00010202 : nt!IopLoadDriver+0xa07
fffff880`02fd3c70 fffff800`03ad27e1 : fffff880`00000000 ffffffff`80001bf0 fffff800`03eae260 00000000`00000000 : nt!IopLoadUnloadDriver+0x55
fffff880`02fd3cb0 fffff800`03d656fa : ffffffff`ffffffff fffffa80`03d1e040 00000000`00000080 fffffa80`03d065a0 : nt!ExpWorkerThread+0x111
fffff880`02fd3d40 fffff800`03aa3b46 : fffff880`009e6180 fffffa80`03d1e040 fffff880`009f0f40 01e09a41`0c0a3590 : nt!PspSystemThreadStartup+0x5a
fffff880`02fd3d80 00000000`00000000 : fffff880`02fd4000 fffff880`02fce000 fffff880`02fd28b0 00000000`00000000 : nt!KiStartSystemThread+0x16

publicaciones de 141 / 0 nuevos
Último envío
Para obtener más información sobre las optimizaciones del compilador, consulte el aviso sobre la optimización.

vtss.sys is one of VTune(TM) Amplifier XE 2013 drivers, I don't know why it impacted on your system.

You might restart the system (there is no process of using this driver), then uninstall the producrt. Thus, the driver file vtss.sys should be removed from C:\Windows\System32\drivers, even you can remove this file manually if uninstallation didn't succeed.

You can reinstall the product if you want to use VTune(TM) Amplifier XE 2013 again.

By the way, you may create a new thread on the forum for corresponding product, in this case - visit http://software.intel.com/en-us/forums/intel-vtune-amplifier-xe-and-vtun...

Quote:

Peter Wang (Intel) wrote:
I don't know why it impacted on your system.

Hi,

The reason is simple - this is an error to provide an invalid handle ( zero in that case ) and in the same time declare the caller as KernelMode ( aka Previous Mode ) - this is just an error so the driver verifier caught the Intel driver. Intel developers should have used the Driver Verifier.

I have the same issue with Windows 7 and Vtune AmplifierX 2013 Update 12. The problem is not only with Driver Verifier but with OS - this driver has affect to system stability. After 20 seconds after system has loaded it stalls and not respounding on any interrupts.

Solution is only remove file driver, but I have to work with Vtune. This is the big problem!

I'm moving this to the correct forum.

Hi Vladimir:

Can you please provide your OS information, included build number?  Ideally, you would submit an issue to Intel® Premier Support and attach the output of the 'amplxe-feedback -create-bug-report report.zip' command (i.e., the zip file) to the issue.  Any time there is a suspected "bug", we prefer to troubleshoot the issue with the reported via Premier.  It provides a secure mechanism for sharing information and an audit trail.

Regards, MrAnderson

Hi Peter 

Usually  unhandled exception/error in kernel mode will always lead to bug check it is so by the design.

As Slava said the error was related to null value handle.Try to use !handle command or set the Vtune process context to implicit will give a more insight into the probable reason of bug check.It is also recommended to run Verifier to catch such a bugs.

Thanks iliyapolak.

I have escalated this to developer to know if it is a known issue. If you met this again, please do what Mr.Anderson asked in 09/13/2013. Your log file will be helpful for problem investigating.

Thanks, Peter 

Hi Peter you are welcome

As handles are created probably by the Object Manager passing a null handle could be a failure of OS kernel mode code which is responsible for handles.

Quote:

Vladimir K. wrote:

I have the same issue with Windows 7 and Vtune AmplifierX 2013 Update 12. The problem is not only with Driver Verifier but with OS - this driver has affect to system stability. After 20 seconds after system has loaded it stalls and not respounding on any interrupts.

Solution is only remove file driver, but I have to work with Vtune. This is the big problem!

Hi Vladimir sorry but I did not understand your problem.Is it related to Driver Verifier?Could you explain that?

@Ilya:

Problem is with a buggy vtss.sys driver whose developers do not follow Microsoft driver writing and testing practices.

I just had this driver cause a BSOD even though I did not even use VTune at the moment. I will be sending minidump and other info to Jennifer via email and I hope this will be fixed.

Also it is unforgivable that VTune uninstaller does not remove this driver but it leaves it running on the system.

Finally, vtss.sys file has no version information resource and for casual users it might not be clear where it came from and whether it part of a legitimate software or malware.

-- Regards, Igor Levicki If you find my post helpfull, please rate it and/or select it as a best answer where applies. Thank you.

 

Thanks Igor for informing me.Can you send me kernel dump file.Full kernel dump if possible.

Thanks in advance.

I have similar problem, and I accidentally created dupe at http://software.intel.com/en-us/forums/topic/496323#comment-1774740 , <- there is my kernel backtrace from WinDbg, but I cannot send kernel dump, since it might contain sensitive data.

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

I have upgraded to Vtune amp XE 2013 Update 15, and post-mortem WinDbg is saying:

STACK_TEXT:  

	ffffd000`38606638 fffff802`0475f7e9 : 00000000`0000000a 00000005`ffd01334 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx

	ffffd000`38606640 fffff802`0475e03a : 00000000`00000000 ffffe000`061c6880 00000000`00000000 ffffd000`38606780 : nt!KiBugCheckDispatch+0x69

	ffffd000`38606780 fffff802`04d8d490 : 00000000`00000206 fffff802`046b0056 ffffe000`00537180 ffffe000`036fa880 : nt!KiPageFault+0x23a

	ffffd000`38606910 fffff800`030c2a89 : ffffd000`207ce180 ffffe000`061c6880 fffff802`048f4180 00000000`00000000 : hal!HalSendSoftwareInterrupt+0x51

	ffffd000`38606980 ffffd000`207ce180 : ffffe000`061c6880 fffff802`048f4180 00000000`00000000 fffff802`048f4180 : vtss+0x10a89

	ffffd000`38606988 ffffe000`061c6880 : fffff802`048f4180 00000000`00000000 fffff802`048f4180 fffff800`030c2991 : 0xffffd000`207ce180

	ffffd000`38606990 fffff802`048f4180 : 00000000`00000000 fffff802`048f4180 fffff800`030c2991 ffffe000`061c6880 : 0xffffe000`061c6880

	ffffd000`38606998 00000000`00000000 : fffff802`048f4180 fffff800`030c2991 ffffe000`061c6880 00000000`00000000 : nt!KiInitialPCR+0x180

	STACK_COMMAND:  kb
FOLLOWUP_IP:

	vtss+10a89

	fffff800`030c2a89 ebd6            jmp     vtss+0x10a61 (fffff800`030c2a61)

My config: fully-patched Win 8.1 Pro x64. I hope this helps.

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

@Marian

That dump confirms that vtss driver referenced pageable kernel memory while executing at DPC level(0x2).It is forbidden by design for driver to generate page fault while executing at DPC level.I am not an expert on Windows kernel programming,but I think that driver should query current IRQL level before accessing pageable memory.

I do not exclude scenario where BSOD was caused by this function  hal!HalSendSoftwareInterrupt+0x51

Quote:

iliyapolak wrote:

I do not exclude scenario where BSOD was caused by this function  hal!HalSendSoftwareInterrupt+0x51

Surely, everything is possible but the miracle. But it is more than clear (at 99%) that there is a bug in Intel's kernel driver.

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

Probably it is rather not a bug,but lack of caution when programming a driver for kernel mode operation.We need to wait for an input from Intel developers in order to confirm what I am suspecting.

Quote:

iliyapolak wrote:

Probably it is rather not a bug,but lack of caution when programming a driver for kernel mode operation.We need to wait for an input from Intel developers in order to confirm what I am suspecting.

What *WE* are suspecting is IMHO Intel's bug.

Maybe Intel developers were checking VTune on Win 7 (or older), but not our BSOD that exhibits on Win 8.1 x64 .I am planning to use various combinations VTune configurations on my Win 8.1 Pro x64 system, and I plan to report them here, i.e. the successful result or BSOD.

@Intel: @staff:I can provide confidential kernel dump if you will need it (as a confidential file, since full memory dump a really contains sensitive data)) seen only by staff, not by public forum.

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

I would not blame so fast Intel for that "bug".Mainly because there is lack of source code with its private and public symbols or even pdb file so it is hard to see the circumstances or driver code which caused the BSOD.

Quote:

iliyapolak wrote:

I would not blame so fast Intel for that "bug".Mainly because there is lack of source code with its private and public symbols or even pdb file so it is hard to see the circumstances or driver code which caused the BSOD.

Absolutely agreed.

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

Quote:

Marián "VooDooMan" Meravý wrote:

Quote:

iliyapolak wrote:

I would not blame so fast Intel for that "bug".Mainly because there is lack of source code with its private and public symbols or even pdb file so it is hard to see the circumstances or driver code which caused the BSOD.

 

Absolutely agreed.

Though, Intel developers SHOULD look inside of it. I have also sent to Microsoft kernel dumps via their reporting service included in Windows.

So we will see, it will take some time, and we must be patient.

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

Quote:

Marián "VooDooMan" Meravý wrote:

Quote:

Marián &quot;VooDooMan&quot; Meravý wrote:

Quote:

iliyapolak wrote:

I would not blame so fast Intel for that "bug".Mainly because there is lack of source code with its private and public symbols or even pdb file so it is hard to see the circumstances or driver code which caused the BSOD.

 

Absolutely agreed.

 

Though, Intel developers SHOULD look inside of it. I have also sent to Microsoft kernel dumps via their reporting service included in Windows.

So we will see, it will take some time, and we must be patient.

I agree with you,but I fear that Intel policy is to wait for more than one occurrence of the aforementioned error(BSOD) in order to try to fix it.

VTune vtss.sys also crashed my system.Soon I will analyze full system dump.

@ iliyapolak 

Did it happen when using latest U15? Thank you to report this. Please post your results after analyzing system dump.

Regards, Peter

It is the latest version of VTune which comes with Parallel Studio XE 2013.The BSOD code is different from those reported here in this thread.Crash occurs immediately when advanced analysis is started.

I will post more details on tuesday.

By the way,what does U15 stand for?

Quote:

iliyapolak wrote:

By the way,what does U15 stand for?

Update 15 of VTune.

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

@Intel: Any update for this rather catastrophic issue? Like time line of releasing U16? I'm waiting impatiently... I guess this bug is in the code really stupid bug that can be resolved by the least code change... as per my own experience my code crashing like this often have "stupid mistake" and it is causing the crash and often needs to adjust just one line of the code...

So I guess, bug causing BSOD might be resolved easily, like just change in 3 lines of code of vtss.sys driver... But I might be wrong, since I do not know deep internals of vtss.sys, nor I have reverse engineered the vtss.sys.

And PLS, timeline for U16, TIA! Though I know Intel employees cannot comment Intel's future plans, but I strongly recommend to change this policy, e.g. like "Microsoft's Tuesday". Please mention this idea at Intel's internal conference. I believe I am not the only one, who is impatient for to wait for next update/release.

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

It causes BSOD only in case of "advanced" diagnostics, immediately after run of project of with this diagnostics.

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

Quote:

Peter Wang (Intel) wrote:

@ iliyapolak 

Did it happen when using latest U15? Thank you to report this. Please post your results after analyzing system dump.

Regards, Peter

Yes, I can confirm it happens using the latest U15.

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

@Intel: I can post (privately) kernel memory dump. Privately because kernel memory could contain security sensitive data.

@Intel: Can you reproduce this problem? Few users were reporting BSOD, so I guess it is very easy to reproduce it.

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

Please try to use "Advanced Hotspots" with the first option (no context switches, no call stacks) - it shouldn't cause BSOD.

@Marian

Did you try to update VTune?

@Peter

It seems that VTune BSOD dump file was not saved on my machine.I will try later to reproduce that bug.

Quote:

Marián "VooDooMan" Meravý wrote:

It causes BSOD only in case of "advanced" diagnostics, immediately after run of project of with this diagnostics.

Yes the same situation on my machine.

Quote:

iliyapolak wrote:

@Marian

Did you try to update VTune?

Hello iliyapolak,

I have U15 installed, so yes, I did.

best,

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

Quote:

iliyapolak wrote:

@Peter

It seems that VTune BSOD dump file was not saved on my machine.I will try later to reproduce that bug.

On Windows, you need to have at least 400 MiB swap file on ***system*** drive (e.g. c:\ ), in order to save kernel minidump.

This is because Windows at BSOD needs swap file on ***system*** drive, to write kernel dump into it, and upon next reboot, this page/swap file is moved to error reporting service (truncating it to minidump size), and system creates brend new page/swap file.

best,

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

Marian, iliyapolak, just to check this issue is not connected to upgrade/install somehow, can you please uninstall/install VTune drivers and check again?

> cd <VTune install dir>/bin32

> amplxe-sepreg -u pax

> amplxe-sepreg -i

Also, can you confirm the following command doesn't cause BSOD:

> amplxe-cl -collect advanced-hotspots --duration 5

This is similar to just using "Hotspots" option inside "Advanced Hotspots" analysis type.

Quote:

Marián "VooDooMan" Meravý wrote:

Quote:

iliyapolak wrote:

@Peter

It seems that VTune BSOD dump file was not saved on my machine.I will try later to reproduce that bug.

 

On Windows, you need to have at least 400 MiB swap file on ***system*** drive (e.g. c:\ ), in order to save kernel minidump.

This is because Windows at BSOD needs swap file on ***system*** drive, to write kernel dump into it, and upon next reboot, this page/swap file is moved to error reporting service (truncating it to minidump size), and system creates brend new page/swap file.

best,

I made a mistake and enabled full memory dump(8 GB).Set this to kernel memory dump.

Quote:

iliyapolak wrote:

Quote:

Marián &quot;VooDooMan&quot; Meravý wrote:

Quote:

iliyapolak wrote:

@Peter

It seems that VTune BSOD dump file was not saved on my machine.I will try later to reproduce that bug.

 

On Windows, you need to have at least 400 MiB swap file on ***system*** drive (e.g. c:\ ), in order to save kernel minidump.

This is because Windows at BSOD needs swap file on ***system*** drive, to write kernel dump into it, and upon next reboot, this page/swap file is moved to error reporting service (truncating it to minidump size), and system creates brend new page/swap file.

best,

 

I made a mistake and enabled full memory dump(8 GB).Set this to kernel memory dump.

I really wish to upload 8 GiB full memory dump, but I'm afraid it contains security-sensitive data. I'd be glad if Intel set this topic as "private" i.e. not accessible by other users as this information is proprietary. But I have an idea, clean reboot (w/o running key agents for SSH keys, etc...) and start BSOD analysis and post it there.

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

@Intel: there is full kernel memory after causing BSOD caused by vtss.sys driver.

I have 8 GiB RAM and 8 GiB of swap space.

I am posting full 8 GiB memory dump, I took attention to running programs in sake if confidentiality, so I hope full memory dump will not contain serurity-sensitive data.

Please, unpack it with 7zip. original filename is C:\Winow\MEMORY.DMP

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

@Marian

You can tell the windbg to run in secure mode,but this more related to host-target scenario.

You do not need full memory dump unless you suspect that user mode thread(code) has affected the kernel mode driver(by passing some commands).For the beginning kernel memory dump should be sufficient.

here is my full memory dum 7zip-ed.

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

Quote:

Marián "VooDooMan" Meravý wrote:

I am posting full 8 GiB memory dump, I took attention to running programs in sake if confidentiality, so I hope full memory dump will not contain serurity-sensitive data.

Please, unpack it with 7zip. original filename is C:\Winow\MEMORY.DMP

Hi Marian! Thanks for your help!

I don't see the file attached to the message - did you post it other way?

due to Inel forum bug I was succesful to upload file, but I was unsuccessful to publish it onto this forum.

I decided to publish it at archive.org, and there is the link: https://archive.org/details/MEMORY.DMP.7z

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

Quote:

Vitaly Slobodskoy (Intel) wrote:

Quote:

Marián &quot;VooDooMan&quot; Meravý wrote:

I am posting full 8 GiB memory dump, I took attention to running programs in sake if confidentiality, so I hope full memory dump will not contain serurity-sensitive data.

Please, unpack it with 7zip. original filename is C:\Winow\MEMORY.DMP

 

Hi Marian! Thanks for your help!

I don't see the file attached to the message - did you post it other way?

Intel's forum has bug, I have attached the file, but it is not seen here. Another bug is false-positive spam detection, so this is my 3rd approach to reply.

So I have uploaded the kernel core dump to archive.org, and there it is: (https:// ) archive.org/details/MEMORY.DMP.7z

Best,

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

@Marian

If you have kernel dump file can you upload it?

Quote:

iliyapolak wrote:

@Marian

If you have kernel dump file can you upload it?

I was trying it few times, but due to "bug" on Intel forum, my posts and uploaded files were classified like a spam :-( .

-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

full memory dump is attached.

Adjuntos: 

AdjuntoTamaño
Descargar MEMORY.DMP.7z95.89 MB
-- With best regards, VooDooMan - If you find my post helpful, please rate it and/or select it as a best answer where applies. Thank you.

Páginas

Inicie sesión para dejar un comentario.