Digital I/O


PCIe-6535B DAQmx N-samples callback can crash the PC (bluescreen)

When registering the N-samples callback with DAQmxRegisterEveryNSamplesEvent on a PCIe-6535B card after committing the task, the PC will bluescreen. With a PCI-6534 everything works. Even if one is not supposed to do this, a bluescreen is a potential security risk and can often be exploited to gain control over the machine in order to install rootkits, for example. A usermode application should not be able to crash the PC, by design.

 

I hope this bug-report/description will save someone else days of tracking down this problem.

 

Here's nidaqmx Python code to reproduce the problem:

 

==============================================================================

import nidaqmx
from nidaqmx.constants import AcquisitionType
import numpy as np


def callback(task_handle, every_n_samples_event_type, number_of_samples, callback_data):
    # DAQmx expects the callback to return 0
    print('Every N Samples callback invoked.')
    return 0


with nidaqmx.Task() as task:
    # 65536 samples of zeros for the 32 digital output lines
    data = np.zeros(1 << 16, dtype=np.uint32)
    ch = task.do_channels.add_do_chan('Dev1/port0:3', line_grouping=nidaqmx.constants.LineGrouping.CHAN_FOR_ALL_LINES)
    task.timing.cfg_samp_clk_timing(10000, samps_per_chan=len(data), sample_mode=AcquisitionType.FINITE)
    task.control(nidaqmx.constants.TaskMode.TASK_COMMIT) # this leads to a crash
    task.register_every_n_samples_transferred_from_buffer_event(int(len(data) / 4), callback)
    #task.control(nidaqmx.constants.TaskMode.TASK_COMMIT) # this instead does not lead to a crash
    task.write(data, auto_start=False)
    task.start()
    task.wait_until_done()
    print('task.out_stream.total_samp_per_chan_generated', task.out_stream.total_samp_per_chan_generated)

==============================================================================

 

System Info:

Microsoft Windows 10 Enterprise 2016 LTSB

Model NI PCIe-6535B

NI-DAQmx Device Driver 21.3.0f165

NI-DAQmx ADE Support 21.3.0

NI-DAQmx MAX Configuration 21.3.0

 

The bluescreen happens in ninshsdk.dll

 

KMODE_EXCEPTION_NOT_HANDLED (1e)

EXCEPTION_CODE: (NTSTATUS) 0xc0000094 - {EXCEPTION} Integer division by zero.

FAULTING_IP:
ninshsdk!nNINSHSD100::iMemoryMappedBufferSupervisor::___CPPKRLCast+e233
fffff80d`3a0146f3 48f7b3f0000000 div rax,qword ptr [rbx+0F0h]

EXCEPTION_PARAMETER2: 0000000000000b6a

BUGCHECK_STR: 0x1E_c0000094

 

LAST_CONTROL_TRANSFER: from fffff80280846172 to fffff802807d2940

STACK_TEXT:
fffff802`82fd2488 fffff802`80846172 : 00000000`0000001e ffffffff`c0000094 fffff80d`3a0146f3 00000000`00000000 : nt!KeBugCheckEx
fffff802`82fd2490 fffff802`807dad2d : fffff802`809ca000 fffff802`80676000 0004d670`0081b000 ffffcc07`aa8f2000 : nt!KeRegisterNmiCallback+0xce
fffff802`82fd24d0 fffff802`8077b4a1 : fffff802`82fd4000 00000000`00000000 fffff802`82fcd000 fffff80d`35383820 : nt!_chkstk+0x5d
fffff802`82fd2500 fffff802`8077a2c4 : fffff802`82fd33e8 fffff802`82fd3130 fffff802`82fd33e8 fffff802`82fd32b0 : nt!KeQuerySystemTimePrecise+0x3041
fffff802`82fd2c00 fffff802`807e2a02 : 00000000`00000002 fffff802`80978928 00000000`00000002 00000000`00000014 : nt!KeQuerySystemTimePrecise+0x1e64
fffff802`82fd32b0 fffff802`807dc9c6 : fffff802`82fd34a0 00000000`00000000 00000001`ffffffff fffffff6`00000002 : nt!setjmpex+0x6ea2
fffff802`82fd3490 fffff80d`3a0146f3 : 00000000`00000000 fffff802`806f2429 ffffcc07`a5fd51c0 00000000`00000000 : nt!setjmpex+0xe66
fffff802`82fd3620 fffff80d`3a0256b9 : 00000000`00000000 ffffcc07`ab651b98 00000000`00000000 fffff802`80602779 : ninshsdk!nNINSHSD100::iMemoryMappedBufferSupervisor::___CPPKRLCast+0xe233
fffff802`82fd3680 fffff80d`3a024ab7 : 00000000`9200c002 ffffcc07`a5835590 00000000`00000002 fffff802`806025f0 : ninshsdk!nNINSHSD100::iChip::operator new+0x105e9
fffff802`82fd36b0 fffff80d`3a0231e6 : ffffcc07`a5de0be0 fffff802`82fd3910 ffffa101`3c065050 00000000`00000000 : ninshsdk!nNINSHSD100::iChip::operator new+0xf9e7
fffff802`82fd37b0 fffff80d`34f42df3 : 00000000`00000000 fffff802`809b5180 0000055f`a41ca284 fffff802`8071f18b : ninshsdk!nNINSHSD100::iChip::operator new+0xe116
fffff802`82fd37e0 fffff802`806ea385 : 00000001`4dd75ee2 fffff802`809b5180 ffffcc07`aae8f320 ffffcc07`aae8f320 : nipalk!tBusFlavorSync::tBusFlavorSync+0x2c63
fffff802`82fd3810 fffff802`806e9910 : 00000000`0000003e ffffcc07`accd0e40 00000000`00140001 00000000`00000000 : nt!KeSetEvent+0x3335
fffff802`82fd3960 fffff802`807d5f9a : 00000000`00000000 fffff802`809b5180 fffff802`80a30940 ffffcc07`a642c080 : nt!KeSetEvent+0x28c0
fffff802`82fd3be0 00000000`00000000 : fffff802`82fd4000 fffff802`82fcd000 00000000`00000000 00000000`00000000 : nt!KeSynchronizeExecution+0x263a

 

Greetings from Austria

0 Kudos
Message 1 of 2
(1,046 Views)

Hello,

I got a similar BSOD with a Ni6537B card on Windows 10 using the DAQMX driver version 25.0.

Here are some parts of the analysis of the MEMORY.DMP file:

SYMBOL_NAME:  ninshsdk!nNINSHSD100::iMemoryMappedBufferSupervisor::___CPPKRLCast+e233

MODULE_NAME: ninshsdk

IMAGE_NAME:  ninshsdk.dll

STACK_COMMAND: .process /r /p 0xfffff80632b24a00; .thread 0xfffff80632b27a00 ; kb

BUCKET_ID_FUNC_OFFSET:  e233

FAILURE_BUCKET_ID:  0x1E_C0000094_ninshsdk!nNINSHSD100::iMemoryMappedBufferSupervisor::___CPPKRLCast

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {416bf0fc-073c-e3bd-13b1-ebf505a6af84}

Followup:     MachineOwner

BUGCHECK_CODE:  1e

BUGCHECK_P1: ffffffffc0000094

BUGCHECK_P2: fffff8064f3a46f3

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8063640

FILE_IN_CAB:  MEMORY.DMP

FAULTING_THREAD:  fffff80632b27a00

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000fffff8063640

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  System

 

 # RetAddr               : Args to Child                                                           : Call Site
00 fffff806`322fb09e     : 00000000`0000001e ffffffff`c0000094 fffff806`4f3a46f3 00000000`00000000 : nt!KeBugCheckEx
01 fffff806`32207e72     : fffff806`322fb07c 00000000`00000000 00000000`00000000 00000000`00000000 : nt!HvlpVtlCallExceptionHandler+0x22
02 fffff806`320ab207     : fffff806`3688b710 00000000`00000000 fffff806`36875c20 fffff806`32201fae : nt!RtlpExecuteHandlerForException+0x12
03 fffff806`321394f6     : fffff806`368753f8 fffff806`3688be20 fffff806`368753f8 00000000`00000000 : nt!RtlDispatchException+0x297
04 fffff806`321fe6e2     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchException+0x186
05 fffff806`321fe6b0     : fffff806`32211ae5 00000000`00000000 01000000`00100000 ffff9681`514023b0 : nt!KxExceptionDispatchOnExceptionStack+0x12
06 fffff806`32211ae5     : 00000000`00000000 01000000`00100000 ffff9681`514023b0 fffff806`ab042ed7 : nt!KiExceptionDispatchOnExceptionStackContinue
07 fffff806`32209d04     : 00000000`00000000 00000000`00000000 00000000`00000001 fffff806`49e9ccd9 : nt!KiExceptionDispatch+0x125
08 fffff806`4f3a46f3     : 00000000`00000000 00000000`014398fa fffff806`2e237180 fffff806`32056270 : nt!KiDivideErrorFault+0x304
09 fffff806`4f3b56b9     : fffff806`2e237180 ffff9681`1f9878b8 00000000`00000000 fffff806`32055deb : ninshsdk!nNINSHSD100::iMemoryMappedBufferSupervisor::___CPPKRLCast+0xe233
0a fffff806`4f3b4ab7     : 00000000`92004002 ffff9681`1f99a600 00000000`00000002 00000303`845f6812 : ninshsdk!nNINSHSD100::iChip::operator new+0x105e9
0b fffff806`4f3b31e6     : ffff9681`1f9875a0 fffff806`36875920 fffff806`36875ae0 fffff806`2e237180 : ninshsdk!nNINSHSD100::iChip::operator new+0xf9e7
0c fffff806`364018a3     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ninshsdk!nNINSHSD100::iChip::operator new+0xe116
0d fffff806`320c166e     : 00000000`00000000 fffff806`49e3873b fffff806`36875ae0 fffff806`00000002 : nipalk!tBusFlavorSync::tBusFlavorSync+0x2c63
0e fffff806`320c0954     : 00000000`00000000 00000000`00000000 00000000`00140001 00000000`00000000 : nt!KiExecuteAllDpcs+0x30e
0f fffff806`32201fae     : 00000000`00000000 fffff806`2e237180 fffff806`32b27a00 ffff9681`32211080 : nt!KiRetireDpcList+0x1f4
10 00000000`00000000     : fffff806`36876000 fffff806`3686f000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x9e

 

Any ideas? The system has been working for many years without any issue like this; nothing changed.

 

Thanks,

Zoltan

0 Kudos
Message 2 of 2
(27 Views)
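A triage helper for the two reports in this thread, as an added example that is not part of either post or of NI's software: it reduces each WinDbg excerpt to a crash signature (bugcheck code, NTSTATUS, first stack frame outside `nt`) and checks whether both reports share the same driver call chain. The function names are hypothetical, and the stack lines are excerpted from the posts with the argument columns replaced by `...`.

```python
import re

# Lines excerpted from the two posts above; argument columns replaced by "..."
REPORT_1 = """\
BUGCHECK_STR: 0x1E_c0000094
fffff802`82fd2488 fffff802`80846172 : ... : nt!KeBugCheckEx
fffff802`82fd3490 fffff80d`3a0146f3 : ... : nt!setjmpex+0xe66
fffff802`82fd3620 fffff80d`3a0256b9 : ... : ninshsdk!nNINSHSD100::iMemoryMappedBufferSupervisor::___CPPKRLCast+0xe233
fffff802`82fd3680 fffff80d`3a024ab7 : ... : ninshsdk!nNINSHSD100::iChip::operator new+0x105e9
fffff802`82fd37e0 fffff802`806ea385 : ... : nipalk!tBusFlavorSync::tBusFlavorSync+0x2c63
fffff802`82fd3810 fffff802`806e9910 : ... : nt!KeSetEvent+0x3335
"""
REPORT_2 = """\
FAILURE_BUCKET_ID:  0x1E_C0000094_ninshsdk!nNINSHSD100::iMemoryMappedBufferSupervisor::___CPPKRLCast
00 fffff806`322fb09e     : ... : nt!KeBugCheckEx
08 fffff806`4f3a46f3     : ... : nt!KiDivideErrorFault+0x304
09 fffff806`4f3b56b9     : ... : ninshsdk!nNINSHSD100::iMemoryMappedBufferSupervisor::___CPPKRLCast+0xe233
0a fffff806`4f3b4ab7     : ... : ninshsdk!nNINSHSD100::iChip::operator new+0x105e9
0d fffff806`320c166e     : ... : nipalk!tBusFlavorSync::tBusFlavorSync+0x2c63
0e fffff806`320c0954     : ... : nt!KiExecuteAllDpcs+0x30e
"""

# A stack line: address column(s), " : ", arguments, " : ", module!symbol[+0xoffset]
FRAME = re.compile(r"^[0-9a-f` ]+: .* : (\w+)!(.+?)(?:\+0x([0-9a-f]+))?$", re.M)
# "0x1E_c0000094" as it appears in BUGCHECK_STR and FAILURE_BUCKET_ID
BUCKET = re.compile(r"0x([0-9a-f]+)_([0-9a-f]{8})", re.I)

def driver_frames(text):
    """Return (module, symbol, offset) for every stack frame outside the nt kernel image."""
    return [(mod, sym, int(off or "0", 16))
            for mod, sym, off in FRAME.findall(text) if mod != "nt"]

def crash_signature(text):
    """Bugcheck code, NTSTATUS and first non-nt frame: a key for de-duplicating dumps."""
    m = BUCKET.search(text)
    frames = driver_frames(text)
    if not m or not frames:
        raise ValueError("not a recognisable bugcheck report")
    return (int(m.group(1), 16), int(m.group(2), 16)) + frames[0]

def same_root_cause(a, b):
    """True when two reports share the signature and the whole driver call chain."""
    return crash_signature(a) == crash_signature(b) and driver_frames(a) == driver_frames(b)

if __name__ == "__main__":
    print(crash_signature(REPORT_1), same_root_cause(REPORT_1, REPORT_2))
```
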