Undocumented operation value in D5 bugcheck

Jerry_Kelley Member Posts: 7
I have a dump from a D5 bugcheck that has a value of "2" for the operation (Arg2). I've been searching for an explanation of what that value means but haven't found anything so far. Has anyone ever seen this?

Here's what !analyze reports:

DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffb68191104fe8, memory referenced
Arg2: 0000000000000002, value 0 = read operation, 1 = write operation
Arg3: fffff808f1c4137c, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, (reserved)

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,302
    Someone else saw this on NTDEV and we didn't get any additional details to
    go on. Can you post the full !analyze -v output as well as the output of
    !pte ffffb68191104fe8?

    -scott
    OSR
    @OSRDrivers

  • Jerry_Kelley Member Posts: 7
    Below is the output of !analyze -v and !pte ffffb68191104fe8.

    That address is bogus because I'm seeing a lot of memory corruption, which is why the bugcheck occurred. Unfortunately, all I have is a kernel triage dump.

    =========================================
    !analyze -v
    =========================================
    <bugcheck details already posted>

    Debugging Details:
    ------------------

    Could not read faulting driver name

    DUMP_CLASS: 1

    DUMP_QUALIFIER: 400

    BUILD_VERSION_STRING: 10.0.14393.1480 (rs1_release.170706-2004)

    SYSTEM_MANUFACTURER: Dell Inc.

    SYSTEM_PRODUCT_NAME: PowerEdge R930

    SYSTEM_SKU: SKU=NotProvided;ModelName=PowerEdge R930

    BIOS_VENDOR: Dell Inc.

    BIOS_VERSION: 2.3.1

    BIOS_DATE: 01/09/2017

    BASEBOARD_MANUFACTURER: Dell Inc.

    BASEBOARD_PRODUCT: 0Y0V4F

    BASEBOARD_VERSION: A01

    DUMP_TYPE: 2

    DUMP_FILE_ATTRIBUTES: 0xc
    Insufficient Dumpfile Size
    Kernel Generated Triage Dump

    BUGCHECK_P1: ffffb68191104fe8

    BUGCHECK_P2: 2

    BUGCHECK_P3: fffff808f1c4137c

    BUGCHECK_P4: 0

    READ_ADDRESS: fffff80313fb7338: Unable to get MiVisibleState
    ffffb68191104fe8

    FAULTING_IP:
    NnnFlt!memcpy+1ec [d:\winmain\minkernel\crts\crtw32\string\amd64\memcpy.asm @ 293]
    fffff808`f1c4137c 8901 mov dword ptr [rcx],eax

    MM_INTERNAL_CODE: 0

    CPU_COUNT: 20

    CPU_MHZ: c78

    CPU_VENDOR: GenuineIntel

    CPU_FAMILY: 6

    CPU_MODEL: 3f

    CPU_STEPPING: 4

    CPU_MICROCODE: 6,3f,4,0 (F,M,S,R) SIG: E'00000000 (cache) E'00000000 (init)

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT_SERVER

    BUGCHECK_STR: 0xD5

    PROCESS_NAME: services.exe

    CURRENT_IRQL: 2

    ANALYSIS_SESSION_HOST: IN-7470-CSF23G2

    ANALYSIS_SESSION_TIME: 07-25-2017 14:09:55.0098

    ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

    TRAP_FRAME: ffffcf002b86ec00 -- (.trap 0xffffcf002b86ec00)
    .trap 0xffffcf002b86ec00
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=00000000003f003f rbx=0000000000000000 rcx=ffffb68191104fe8
    rdx=ffffdf802e65500e rsi=0000000000000000 rdi=0000000000000000
    rip=fffff808f1c4137c rsp=ffffcf002b86ed98 rbp=0000000000000000
    r8=000000000000fff6 r9=fffff808f1797234 r10=ffff800000000000
    r11=ffffb681910f4ff2 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei pl nz na po nc
    NnnFlt!memcpy+0x1ec:
    fffff808`f1c4137c 8901 mov dword ptr [rcx],eax ds:ffffb681`91104fe8=????????
    .trap
    Resetting default scope

    LAST_CONTROL_TRANSFER: from fffff80313d90bfa to fffff80313d66960

    STACK_TEXT:
    ffffcf00`2b86e908 fffff803`13d90bfa : 00000000`00000050 ffffb681`91104fe8 00000000`00000002 ffffcf00`2b86ec00 : nt!KeBugCheckEx
    ffffcf00`2b86e910 fffff803`13c6c0fd : 00000000`00000002 00000000`00000000 ffffcf00`2b86ec00 ffffb681`91104fe8 : nt!MiSystemFault+0xfffea
    ffffcf00`2b86ea00 fffff803`13d6fffc : 00000000`00000000 fffff803`13cd01e4 00000000`00000003 ffff9601`b8c64498 : nt!MmAccessFault+0x27d
    ffffcf00`2b86ec00 fffff808`f1c4137c : fffff808`f1c48bf9 ffffcf00`2b86ee00 00000000`00000000 ffffcf00`2b86ee68 : nt!KiPageFault+0x13c
    ffffcf00`2b86ed98 fffff808`f1c48bf9 : ffffcf00`2b86ee00 00000000`00000000 ffffcf00`2b86ee68 ffffb681`7b0b4ef0 : NnnFlt!memcpy+0x1ec
    ffffcf00`2b86eda0 fffff808`f1c492ec : ffffb681`7b0b4ef0 ffffcf00`2b86ee10 ffffcf00`2b86f040 ffffcf00`2b86f040 : NnnFlt!VolumeBuildName+0x91
    ffffcf00`2b86ede0 fffff808`f1c444f6 : ffffcf00`2b86f040 ffffcf00`2b86f040 00000000`00000000 00000000`40000000 : NnnFlt!VolumeDeleteRenameStream+0x90
    ffffcf00`2b86ee20 fffff808`f1c447d4 : 00000000`00000018 ffffb681`7b0b4ef0 ffff9601`bb026e20 ffff9601`bc3ff2a0 : NnnFlt!CloseHandler+0x18e
    ffffcf00`2b86ee60 fffff808`f17c6c47 : 00000000`00000000 ffffcf00`2b86ef59 00000000`00000001 ffff9601`bcd7d240 : NnnFlt!PreClose+0xc
    ffffcf00`2b86ee90 fffff808`f17746ca : ffffcf00`2b86f069 ffffcf00`2b86f1a0 ffffa203`4d055b00 ffffa203`4d055c78 : FLTMGR!FltvPreOperation+0xd7
    ffffcf00`2b86efc0 fffff808`f1774278 : ffffcf00`2b86f1a0 00000000`00000000 ffff9601`bc7e2502 ffffb681`864b0c00 : FLTMGR!FltpPerformPreCallbacks+0x2ea
    ffffcf00`2b86f0d0 fffff808`f1773386 : ffffb681`864b0c60 ffffcf00`2b86f1a0 ffffb681`864b0c60 ffffcf00`2b86f1b0 : FLTMGR!FltpPassThroughInternal+0x88
    ffffcf00`2b86f100 fffff808`f177312e : ffffffff`fffe7960 ffff9e04`aa8e5e80 ffff9601`bc7e2590 fffff803`1402b6ad : FLTMGR!FltpPassThrough+0x1a6
    ffffcf00`2b86f180 fffff803`1430fd26 : ffffb681`864b0c60 ffff9601`bc7e2590 ffff9601`b85f4780 ffff9601`b85f4798 : FLTMGR!FltpDispatch+0x9e
    ffffcf00`2b86f1e0 fffff803`13c52a02 : ffffa203`4ce489a0 00000000`00000001 ffffb681`864b0c60 ffff9e04`aa8e5e80 : nt!IovCallDriver+0x252
    ffffcf00`2b86f220 fffff803`1402b6ad : ffffb681`864b0c60 ffffa203`4ce489a0 ffffb681`864b0c60 ffffb681`74fb0c60 : nt!IofCallDriver+0x72
    ffffcf00`2b86f260 fffff803`1401f3f8 : ffffcf00`2b86f660 00000000`00000000 ffff9601`b8e299a0 ffff9601`bc7e2590 : nt!IopDeleteFile+0x12d
    ffffcf00`2b86f2e0 fffff803`13c8a471 : 00000000`00000000 00000000`00000000 ffffcf00`2b86f660 ffffa203`4ce489a0 : nt!ObpRemoveObjectRoutine+0x78
    ffffcf00`2b86f340 fffff803`1401a43b : fffff808`f17a3150 ffffa203`4ce489a0 ffffa203`4ce489a0 00000000`00000001 : nt!ObfDereferenceObject+0xa1
    ffffcf00`2b86f380 fffff803`1403c182 : fffff803`140183b0 fffff803`140183b0 ffffcf00`2b86f660 ffff9601`bcafdc50 : nt!IopParseDevice+0x208b
    ffffcf00`2b86f560 fffff803`1401d3ed : ffffa203`4d236b01 ffffcf00`2b86f7c0 ffffcf00`00000040 ffff9601`b8e299a0 : nt!ObpLookupObjectName+0x8b2
    ffffcf00`2b86f730 fffff803`13fff97b : 00000000`00000001 00000000`00000000 000001a5`c2b80430 00000000`00000001 : nt!ObOpenObjectByNameEx+0x1dd
    ffffcf00`2b86f870 fffff803`13d71693 : ffffa203`4caee800 000001a5`c2b74920 ffffa203`4caee800 00000000`00000000 : nt!NtQueryAttributesFile+0x1ab
    ffffcf00`2b86fb00 00007ffb`48ff6884 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000016`1f0fe1c8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`48ff6884

    STACK_COMMAND: kb

    THREAD_SHA1_HASH_MOD_FUNC: 06fc7ffe3c60fd1be9b3633307363e0f0e9fad7a

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET: aa95612109f48d1c77995c8d764702f4ea0536ee

    THREAD_SHA1_HASH_MOD: 398a08d3446b2eb585698e5b738f3991cc634db9

    FOLLOWUP_IP:
    NnnFlt!memcpy+1ec [d:\winmain\minkernel\crts\crtw32\string\amd64\memcpy.asm @ 293]
    fffff808`f1c4137c 8901 mov dword ptr [rcx],eax

    FAULT_INSTR_CODE: 8b4d0189

    FAULTING_SOURCE_LINE: d:\winmain\minkernel\crts\crtw32\string\amd64\memcpy.asm

    FAULTING_SOURCE_FILE: d:\winmain\minkernel\crts\crtw32\string\amd64\memcpy.asm

    FAULTING_SOURCE_LINE_NUMBER: 293

    FAULTING_SOURCE_CODE:
    No source found for 'd:\winmain\minkernel\crts\crtw32\string\amd64\memcpy.asm'

    SYMBOL_STACK_INDEX: 4

    SYMBOL_NAME: NnnFlt!memcpy+1ec

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: NnnFlt

    IMAGE_NAME: NnnFlt.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 59137f04

    BUCKET_ID_FUNC_OFFSET: 1ec

    FAILURE_BUCKET_ID: 0xD5_INVALID_NnnFlt!memcpy

    BUCKET_ID: 0xD5_INVALID_NnnFlt!memcpy

    PRIMARY_PROBLEM_CLASS: 0xD5_INVALID_NnnFlt!memcpy

    TARGET_TIME: 2017-07-25T06:24:40.000Z

    OSBUILD: 14393

    OSSERVICEPACK: 1480

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    SUITE_MASK: 272

    PRODUCT_TYPE: 3

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 10

    OSEDITION: Windows 10 Server TerminalServer SingleUserTS

    OS_LOCALE:

    USER_LCID: 0

    OSBUILD_TIMESTAMP: 2017-07-07 02:26:09

    BUILDDATESTAMP_STR: 170706-2004

    BUILDLAB_STR: rs1_release

    BUILDOSVER_STR: 10.0.14393.1480

    ANALYSIS_SESSION_ELAPSED_TIME: 66a

    ANALYSIS_SOURCE: KM

    FAILURE_ID_HASH_STRING: km:0xd5_invalid_nnnflt!memcpy

    FAILURE_ID_HASH: {56af5c73-4004-836b-a482-587919c3b8ac}

    Followup: MachineOwner


    =========================================
    26: kd> !pte ffffb68191104fe8
    =========================================
    VA ffffb68191104fe8
    PXE at FFFFF379BCDE6B68 PPE at FFFFF379BCD6D030 PDE at FFFFF379ADA06440 PTE at FFFFF35B40C88820
    contains 0000000077C49863 contains 00000180E3141863 contains 0000018229EFC863 contains 36818C5900000000
    pfn 77c49 ---DA--KWEV pfn 180e3141 ---DA--KWEV pfn 18229efc ---DA--KWEV not valid
    Page has been freed
  • aluhrs Member - All Emails Posts: 32
    It looks like some bugcheck parameters were updated without updating the docs and !analyze, we'll look at getting those updated. For this case, 2 means a write access faulted.
  • Jerry_Kelley Member Posts: 7
    Thanks very much.
  • Scott_Noone_(OSR) Administrator Posts: 3,302
    Thanks Andy!

    OP: This is a fault in freed special pool, so you should be able to see
    where your driver freed the memory using the following command:

    !verifier 80 ffffb68191104fe8

    -scott
    OSR
    @OSRDrivers

  • Jerry_Kelley Member Posts: 7
    Thanks Scott!
  • Jerry_Kelley Member Posts: 7
    Unfortunately, pool tagging was not enabled on this particular system, so it didn't produce anything (according to the response from !verifier). We had requested that pool tagging be enabled, but apparently it wasn't. We have asked again.
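The thread leaves the reader with three facts to cross-check by hand: Arg2 = 2 means a write (per aluhrs above), the faulting instruction is a store to [rcx], and !pte says the page has been freed. The following is an added example, not code from the thread or from OSR, of a small triage script that performs those checks over a WinDbg transcript. It assumes the transcript is pasted into a string (the embedded sample is an abridged copy of the !analyze -v and !pte output posted above), that the Arg2 value 2 decodes as "write" exactly as aluhrs states, and that the read/write classification of the disassembled instruction is a heuristic for ordinary two-operand x64 forms; the function names are the example's own.

```python
"""Triage helper for the WinDbg transcript of a 0xD5 (DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL)
bugcheck: decodes the arguments, cross-checks Arg2 against the faulting instruction,
finds the first non-nt stack frame and confirms the !pte verdict on the referenced page."""
import re

# Arg2 decoding. 0 and 1 are the documented values; 2 is "a write access faulted",
# as stated by aluhrs in this thread (assumption taken from the thread, not from the docs).
OPERATION = {0: "read", 1: "write", 2: "write"}

# Constructed sample: an abridged copy of the !analyze -v and !pte output posted in the thread.
SAMPLE = r"""
DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Arguments:
Arg1: ffffb68191104fe8, memory referenced
Arg2: 0000000000000002, value 0 = read operation, 1 = write operation
Arg3: fffff808f1c4137c, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, (reserved)

FAULTING_IP:
NnnFlt!memcpy+1ec [d:\winmain\minkernel\crts\crtw32\string\amd64\memcpy.asm @ 293]
fffff808`f1c4137c 8901 mov dword ptr [rcx],eax

STACK_TEXT:
ffffcf00`2b86e908 fffff803`13d90bfa : 00000000`00000050 ffffb681`91104fe8 00000000`00000002 ffffcf00`2b86ec00 : nt!KeBugCheckEx
ffffcf00`2b86e910 fffff803`13c6c0fd : 00000000`00000002 00000000`00000000 ffffcf00`2b86ec00 ffffb681`91104fe8 : nt!MiSystemFault+0xfffea
ffffcf00`2b86ea00 fffff803`13d6fffc : 00000000`00000000 fffff803`13cd01e4 00000000`00000003 ffff9601`b8c64498 : nt!MmAccessFault+0x27d
ffffcf00`2b86ec00 fffff808`f1c4137c : fffff808`f1c48bf9 ffffcf00`2b86ee00 00000000`00000000 ffffcf00`2b86ee68 : nt!KiPageFault+0x13c
ffffcf00`2b86ed98 fffff808`f1c48bf9 : ffffcf00`2b86ee00 00000000`00000000 ffffcf00`2b86ee68 ffffb681`7b0b4ef0 : NnnFlt!memcpy+0x1ec
ffffcf00`2b86eda0 fffff808`f1c492ec : ffffb681`7b0b4ef0 ffffcf00`2b86ee10 ffffcf00`2b86f040 ffffcf00`2b86f040 : NnnFlt!VolumeBuildName+0x91
ffffcf00`2b86ee90 fffff808`f17746ca : ffffcf00`2b86f069 ffffcf00`2b86f1a0 ffffa203`4d055b00 ffffa203`4d055c78 : FLTMGR!FltvPreOperation+0xd7

STACK_COMMAND: kb

26: kd> !pte ffffb68191104fe8
VA ffffb68191104fe8
PXE at FFFFF379BCDE6B68 PPE at FFFFF379BCD6D030 PDE at FFFFF379ADA06440 PTE at FFFFF35B40C88820
contains 0000000077C49863 contains 00000180E3141863 contains 0000018229EFC863 contains 36818C5900000000
pfn 77c49 ---DA--KWEV pfn 180e3141 ---DA--KWEV pfn 18229efc ---DA--KWEV not valid
Page has been freed
"""


def parse_args(text):
    """Return (bugcheck code, [Arg1..Arg4]) from the !analyze header and Arg lines."""
    code = int(re.search(r"^\w+ \(([0-9a-fA-F]+)\)$", text, re.M).group(1), 16)
    args = [int(a, 16) for a in re.findall(r"^Arg[1-4]: ([0-9a-fA-F]+)", text, re.M)]
    return code, args


def faulting_instruction(text):
    """Return (rip, mnemonic, operands) from the disassembly line under FAULTING_IP:."""
    m = re.search(r"^FAULTING_IP:\n.*\n([0-9a-f]{8})`([0-9a-f]{8}) [0-9a-f]+ +(\w+) +(.*)$",
                  text, re.M)
    return int(m.group(1) + m.group(2), 16), m.group(3), m.group(4).strip()


def instruction_access(operands):
    """Heuristic for two-operand x64 forms: a memory destination means the instruction
    writes the faulting address, a memory source means it reads it."""
    dst, _, src = operands.partition(",")
    if "[" in dst:
        return "write"
    if "[" in src:
        return "read"
    return "none"


def first_non_nt_frame(text):
    """Return the symbol of the first STACK_TEXT frame outside nt: the usual first suspect."""
    in_stack = False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if in_stack:
            if not line.strip():
                break
            symbol = line.rsplit(" : ", 1)[-1].strip()
            if not symbol.startswith("nt!"):
                return symbol
    return None


def pte_freed(text, va):
    """True when the !pte block for va ends with 'Page has been freed' (a special pool guard)."""
    start = text.find("VA %x" % va)
    if start < 0:
        return None
    block = text[start:].split("\n\n", 1)[0]
    return "Page has been freed" in block


def triage(text):
    """Decode a 0xD5 transcript into the facts a first-pass reviewer wants to confirm."""
    code, args = parse_args(text)
    if code != 0xD5:
        raise ValueError("not a 0xD5 bugcheck: 0x%x" % code)
    referenced, op, arg3 = args[0], args[1], args[2]
    rip, mnemonic, operands = faulting_instruction(text)
    access = instruction_access(operands)
    meaning = OPERATION.get(op, "unknown")
    return {
        "referenced": referenced,
        "arg2": op,
        "arg2_meaning": meaning,
        "faulting_ip_matches_arg3": rip == arg3,
        "instruction": "%s %s" % (mnemonic, operands),
        "instruction_access": access,
        "arg2_consistent_with_instruction": meaning == access,
        "suspect_frame": first_non_nt_frame(text),
        "page_freed": pte_freed(text, referenced),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print("%-34s %s" % (key, shown))
```

Run against the sample, the script reports that Arg3 equals the faulting rip, that "mov dword ptr [rcx],eax" is a store and therefore agrees with Arg2 = 2 meaning a write, that the first frame outside nt is NnnFlt!memcpy+0x1ec (called from NnnFlt!VolumeBuildName), and that the !pte output confirms the page was freed. When the instruction classification and Arg2 disagree, that disagreement is itself the finding worth raising, as it was in this thread.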