Microsoft, in their never-ending, over-eager quest to save a few KB of non-paged kernel memory, got another case of penny-wise, pound-foolish:
*** Fatal System Error: 0x000000d1
(0x85ED6902,0x00000002,0x00000008,0x85ED6902)
Connected to Windows 8 9600 x86 compatible target at (Mon Nov 30 13:05:28.973 2015 (UTC + 5:30)), ptr64 FALSE
Kernel Debugger connection established.
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*http://msdl.microsoft.com/download/symbols
OK C:\Temp\17.2.0.2\x86
Symbol search path is: srv*http://msdl.microsoft.com/download/symbols;C:\Temp\17.2.0.2\x86
Executable search path is:
Windows 8 Kernel Version 9600 MP (16 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17031.x86fre.winblue_gdr.140221-1952
Machine Name:
Kernel base = 0x8125e000 PsLoadedModuleList = 0x8145d438
Debug session time: Mon Nov 30 13:05:14.789 2015 (UTC + 5:30)
System Uptime: 0 days 0:19:27.078
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows 8 9600 x86 compatible target at (Mon Nov 30 13:05:33.270 2015 (UTC + 5:30)), ptr64 FALSE
Loading Kernel Symbols
…
…
…
Loading User Symbols
Loading unloaded module list
…
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {85ed6902, 2, 8, 85ed6902}
Probably caused by : pci.sys ( pci!PciPowerUpDeviceTimerDpc+d3 )
Followup: MachineOwner
nt!RtlpBreakWithStatusInstruction:
81366754 cc int 3
5: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 85ed6902, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 85ed6902, address which referenced memory
Debugging Details:
READ_ADDRESS: 85ed6902
CURRENT_IRQL: 2
FAULTING_IP:
ndis!Rtl::KNeutralLock::Release+0
85ed6902 8bff mov edi,edi
IP_IN_PAGED_CODE:
ndis!Rtl::KNeutralLock::Release+0
85ed6902 8bff mov edi,edi
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: System
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre
DPC_STACK_BASE: FFFFFFFF87460000
TRAP_FRAME: 8745b85c -- (.trap 0xffffffff8745b85c)
ErrCode = 00000010
eax=00000004 ebx=9d302e70 ecx=a4475edc edx=00000000 esi=a44751d8 edi=9d302e70
eip=85ed6902 esp=8745b8d0 ebp=8745b8e0 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
ndis!Rtl::KNeutralLock::Release:
85ed6902 8bff mov edi,edi
Resetting default scope
LAST_CONTROL_TRANSFER: from 813e36d9 to 81366754
FAILED_INSTRUCTION_ADDRESS:
ndis!Rtl::KNeutralLock::Release+0
85ed6902 8bff mov edi,edi
STACK_TEXT:
8745b364 813e36d9 00000003 79b3d568 00000065 nt!RtlpBreakWithStatusInstruction
8745b3b8 813e31f3 87473340 8745b7b8 8745b85c nt!KiBugCheckDebugBreak+0x1f
8745b78c 81365326 0000000a 85ed6902 00000002 nt!KeBugCheck2+0x676
8745b7b0 81379923 0000000a 85ed6902 00000002 nt!KiBugCheck2+0xc6
8745b7b0 85ed6902 0000000a 85ed6902 00000002 nt!KiTrap0E+0x1cf
8745b8cc 85e9508e 00000002 85e7ffbc 9d302f04 ndis!Rtl::KNeutralLock::Release
8745b8e0 817166ca a4475120 9d302e70 a44751d8 ndis!ndisSetDevicePowerOnComplete+0x150d2
8745b910 812cb56a a4475120 9d302e70 8745b9b8 nt!IovpLocalCompletionRoutine+0x136
8745b98c 81715c8f 00000000 94f51448 00000004 nt!IopfCompleteRequest+0x4ea
8745b9f0 860a298d 94f51820 8744f300 00000001 nt!IovCompleteRequest+0x123
8745ba28 812db456 94f51820 94f51448 a72a6d55 pci!PciPowerUpDeviceTimerDpc+0xd3
8745bae0 812db053 8745bb28 00000000 a7dbb040 nt!KiExecuteAllDpcs+0x216
8745bc04 8137aae0 00000000 00000000 00000000 nt!KiRetireDpcList+0xf3
8745bc08 00000000 00000000 00000000 00000000 nt!KiIdleLoop+0x38
STACK_COMMAND: kb
FOLLOWUP_IP:
pci!PciPowerUpDeviceTimerDpc+d3
860a298d b9fffffffe mov ecx,0FEFFFFFFh
SYMBOL_STACK_INDEX: a
SYMBOL_NAME: pci!PciPowerUpDeviceTimerDpc+d3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: pci
IMAGE_NAME: pci.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 53088818
IMAGE_VERSION: 6.3.9600.17031
BUCKET_ID_FUNC_OFFSET: d3
FAILURE_BUCKET_ID: AV_VRF_CODE_AV_PAGED_IP_pci!PciPowerUpDeviceTimerDpc
BUCKET_ID: AV_VRF_CODE_AV_PAGED_IP_pci!PciPowerUpDeviceTimerDpc
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_vrf_code_av_paged_ip_pci!pcipowerupdevicetimerdpc
FAILURE_ID_HASH: {2f2c6833-e611-db3d-954c-fb0313bc7b49}
Followup: MachineOwner
---------
5: kd> lmvm pci
start end module name
8609e000 860d5000 pci (pdb symbols) C:\Program Files\Windows Kits\8.1\Debuggers\x64\sym\pci.pdb\3FE60E9E1BA34EA3BCD0C5A75BEAFCEA2\pci.pdb
Loaded symbol image file: pci.sys
Image path: \SystemRoot\System32\drivers\pci.sys
Image name: pci.sys
Timestamp: Sat Feb 22 16:50:56 2014 (53088818)
CheckSum: 00038385
ImageSize: 00037000
File version: 6.3.9600.17031
Product version: 6.3.9600.17031
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft? Windows? Operating System
InternalName: pci.sys
OriginalFilename: pci.sys
ProductVersion: 6.3.9600.17031
FileVersion: 6.3.9600.17031 (winblue_gdr.140221-1952)
FileDescription: NT Plug and Play PCI Enumerator
LegalCopyright: ? Microsoft Corporation. All rights reserved.
5: kd> .crash
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
nt!RtlpBreakWithStatusInstruction:
81366754 cc int 3
5: kd> .crash
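Needless to say, ndis!Rtl::KNeutralLock::Release is placed in the PAGE section, yet here it gets called from a completion routine running inside a DPC at IRQL 2, where a page fault on code cannot be serviced.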
But somebody must have gotten a bonus for meeting their target metric of saving 4K of memory.
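A small triage script for the report above, added here as an example (it is not part of the original post): it reads the bugcheck arguments, the IP_IN_PAGED_CODE entry and the stack to confirm that pageable code was being executed at IRQL 2 inside a DPC, and names the caller. The function name `triage_d1` and the returned field names are illustrative.

```python
import re

# Lines copied from the !analyze -v output on this page, trimmed to the relevant fields.
ANALYZE_OUTPUT = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: 85ed6902, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 85ed6902, address which referenced memory
IP_IN_PAGED_CODE:
ndis!Rtl::KNeutralLock::Release+0
STACK_TEXT:
8745b7b0 85ed6902 0000000a 85ed6902 00000002 nt!KiTrap0E+0x1cf
8745b8cc 85e9508e 00000002 85e7ffbc 9d302f04 ndis!Rtl::KNeutralLock::Release
8745b8e0 817166ca a4475120 9d302e70 a44751d8 ndis!ndisSetDevicePowerOnComplete+0x150d2
8745b910 812cb56a a4475120 9d302e70 8745b9b8 nt!IovpLocalCompletionRoutine+0x136
8745b98c 81715c8f 00000000 94f51448 00000004 nt!IopfCompleteRequest+0x4ea
8745b9f0 860a298d 94f51820 8744f300 00000001 nt!IovCompleteRequest+0x123
8745ba28 812db456 94f51820 94f51448 a72a6d55 pci!PciPowerUpDeviceTimerDpc+0xd3
8745bae0 812db053 8745bb28 00000000 a7dbb040 nt!KiExecuteAllDpcs+0x216
STACK_COMMAND: kb
"""

DISPATCH_LEVEL = 2  # at or above this IRQL a page fault cannot be serviced

def triage_d1(text):
    """Summarise a bugcheck 0xD1 report: was pageable code executed at raised IRQL?"""
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg(\d): ([0-9a-fA-F]+),", text, re.M)}
    m = re.search(r"^IP_IN_PAGED_CODE:\s*\n(\S+)", text, re.M)
    paged = m.group(1).rsplit("+", 1)[0] if m else None
    stack = text.partition("STACK_TEXT:")[2].partition("STACK_COMMAND:")[0]
    # The last column of each frame is the symbol; drop its +offset.
    frames = [ln.split()[-1].rsplit("+", 1)[0]
              for ln in stack.splitlines() if ln.strip()]
    i = frames.index(paged) if paged in frames else -1
    caller = frames[i + 1] if 0 <= i < len(frames) - 1 else None
    return {
        "irql": args[2],
        "paged_function": paged,
        "caller": caller,
        # Arg1 == Arg4: the faulting access was the instruction fetch itself.
        "paged_code_executed_at_raised_irql":
            paged is not None and args[1] == args[4] and args[2] >= DISPATCH_LEVEL,
        "in_dpc": any(f == "nt!KiExecuteAllDpcs" for f in frames),
    }

if __name__ == "__main__":
    print(triage_d1(ANALYZE_OUTPUT))
```
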