Undocumented operation value in D5 bugcheck

I have a dump from a D5 bugcheck that has a value of “2” for the operation (Arg2). I’ve been searching for an explanation of what that value means but haven’t found anything so far. Has anyone ever seen this?

Here’s what !analyze reports:

DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffb68191104fe8, memory referenced
Arg2: 0000000000000002, value 0 = read operation, 1 = write operation
Arg3: fffff808f1c4137c, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, (reserved)

Someone else saw this on NTDEV and we didn’t get any additional details to
go on. Can you post the full !analyze -v output as well as the output of
!pte ffffb68191104fe8?

-scott
OSR
@OSRDrivers

Below is the output of !analyze -v and !pte ffffb68191104fe8.

That address is bogus because I’m seeing a lot of memory corruption, which is why the bugcheck occurred. Unfortunately, all I have is a kernel triage dump.

=========================================
!analyze -v

Debugging Details:
------------------

Could not read faulting driver name

DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 10.0.14393.1480 (rs1_release.170706-2004)

SYSTEM_MANUFACTURER: Dell Inc.

SYSTEM_PRODUCT_NAME: PowerEdge R930

SYSTEM_SKU: SKU=NotProvided;ModelName=PowerEdge R930

BIOS_VENDOR: Dell Inc.

BIOS_VERSION: 2.3.1

BIOS_DATE: 01/09/2017

BASEBOARD_MANUFACTURER: Dell Inc.

BASEBOARD_PRODUCT: 0Y0V4F

BASEBOARD_VERSION: A01

DUMP_TYPE: 2

DUMP_FILE_ATTRIBUTES: 0xc
Insufficient Dumpfile Size
Kernel Generated Triage Dump

BUGCHECK_P1: ffffb68191104fe8

BUGCHECK_P2: 2

BUGCHECK_P3: fffff808f1c4137c

BUGCHECK_P4: 0

READ_ADDRESS: fffff80313fb7338: Unable to get MiVisibleState
ffffb68191104fe8

FAULTING_IP:
NnnFlt!memcpy+1ec [d:\winmain\minkernel\crts\crtw32\string\amd64\memcpy.asm @ 293]
fffff808f1c4137c 8901 mov dword ptr [rcx],eax

MM_INTERNAL_CODE: 0

CPU_COUNT: 20

CPU_MHZ: c78

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3f

CPU_STEPPING: 4

CPU_MICROCODE: 6,3f,4,0 (F,M,S,R) SIG: E'00000000 (cache) E'00000000 (init)

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT_SERVER

BUGCHECK_STR: 0xD5

PROCESS_NAME: services.exe

CURRENT_IRQL: 2

ANALYSIS_SESSION_HOST: IN-7470-CSF23G2

ANALYSIS_SESSION_TIME: 07-25-2017 14:09:55.0098

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

TRAP_FRAME: ffffcf002b86ec00 -- (.trap 0xffffcf002b86ec00)
.trap 0xffffcf002b86ec00
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000003f003f rbx=0000000000000000 rcx=ffffb68191104fe8
rdx=ffffdf802e65500e rsi=0000000000000000 rdi=0000000000000000
rip=fffff808f1c4137c rsp=ffffcf002b86ed98 rbp=0000000000000000
 r8=000000000000fff6 r9=fffff808f1797234 r10=ffff800000000000
r11=ffffb681910f4ff2 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
NnnFlt!memcpy+0x1ec:
fffff808f1c4137c 8901 mov dword ptr [rcx],eax ds:ffffb68191104fe8=????????
.trap
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80313d90bfa to fffff80313d66960

STACK_TEXT:
ffffcf002b86e908 fffff80313d90bfa : 0000000000000050 ffffb68191104fe8 0000000000000002 ffffcf002b86ec00 : nt!KeBugCheckEx
ffffcf002b86e910 fffff80313c6c0fd : 0000000000000002 0000000000000000 ffffcf002b86ec00 ffffb68191104fe8 : nt!MiSystemFault+0xfffea
ffffcf002b86ea00 fffff80313d6fffc : 0000000000000000 fffff80313cd01e4 0000000000000003 ffff9601b8c64498 : nt!MmAccessFault+0x27d
ffffcf002b86ec00 fffff808f1c4137c : fffff808f1c48bf9 ffffcf002b86ee00 0000000000000000 ffffcf002b86ee68 : nt!KiPageFault+0x13c
ffffcf002b86ed98 fffff808f1c48bf9 : ffffcf002b86ee00 0000000000000000 ffffcf002b86ee68 ffffb6817b0b4ef0 : NnnFlt!memcpy+0x1ec
ffffcf002b86eda0 fffff808f1c492ec : ffffb6817b0b4ef0 ffffcf002b86ee10 ffffcf002b86f040 ffffcf002b86f040 : NnnFlt!VolumeBuildName+0x91
ffffcf002b86ede0 fffff808f1c444f6 : ffffcf002b86f040 ffffcf002b86f040 0000000000000000 0000000040000000 : NnnFlt!VolumeDeleteRenameStream+0x90
ffffcf002b86ee20 fffff808f1c447d4 : 0000000000000018 ffffb6817b0b4ef0 ffff9601bb026e20 ffff9601bc3ff2a0 : NnnFlt!CloseHandler+0x18e
ffffcf002b86ee60 fffff808f17c6c47 : 0000000000000000 ffffcf002b86ef59 0000000000000001 ffff9601bcd7d240 : NnnFlt!PreClose+0xc
ffffcf002b86ee90 fffff808f17746ca : ffffcf002b86f069 ffffcf002b86f1a0 ffffa2034d055b00 ffffa2034d055c78 : FLTMGR!FltvPreOperation+0xd7
ffffcf002b86efc0 fffff808f1774278 : ffffcf002b86f1a0 0000000000000000 ffff9601bc7e2502 ffffb681864b0c00 : FLTMGR!FltpPerformPreCallbacks+0x2ea
ffffcf002b86f0d0 fffff808f1773386 : ffffb681864b0c60 ffffcf002b86f1a0 ffffb681864b0c60 ffffcf002b86f1b0 : FLTMGR!FltpPassThroughInternal+0x88
ffffcf002b86f100 fffff808f177312e : fffffffffffe7960 ffff9e04aa8e5e80 ffff9601bc7e2590 fffff8031402b6ad : FLTMGR!FltpPassThrough+0x1a6
ffffcf002b86f180 fffff8031430fd26 : ffffb681864b0c60 ffff9601bc7e2590 ffff9601b85f4780 ffff9601b85f4798 : FLTMGR!FltpDispatch+0x9e
ffffcf002b86f1e0 fffff80313c52a02 : ffffa2034ce489a0 0000000000000001 ffffb681864b0c60 ffff9e04aa8e5e80 : nt!IovCallDriver+0x252
ffffcf002b86f220 fffff8031402b6ad : ffffb681864b0c60 ffffa2034ce489a0 ffffb681864b0c60 ffffb68174fb0c60 : nt!IofCallDriver+0x72
ffffcf002b86f260 fffff8031401f3f8 : ffffcf002b86f660 0000000000000000 ffff9601b8e299a0 ffff9601bc7e2590 : nt!IopDeleteFile+0x12d
ffffcf002b86f2e0 fffff80313c8a471 : 0000000000000000 0000000000000000 ffffcf002b86f660 ffffa2034ce489a0 : nt!ObpRemoveObjectRoutine+0x78
ffffcf002b86f340 fffff8031401a43b : fffff808f17a3150 ffffa2034ce489a0 ffffa2034ce489a0 0000000000000001 : nt!ObfDereferenceObject+0xa1
ffffcf002b86f380 fffff8031403c182 : fffff803140183b0 fffff803140183b0 ffffcf002b86f660 ffff9601bcafdc50 : nt!IopParseDevice+0x208b
ffffcf002b86f560 fffff8031401d3ed : ffffa2034d236b01 ffffcf002b86f7c0 ffffcf0000000040 ffff9601b8e299a0 : nt!ObpLookupObjectName+0x8b2
ffffcf002b86f730 fffff80313fff97b : 0000000000000001 0000000000000000 000001a5c2b80430 0000000000000001 : nt!ObOpenObjectByNameEx+0x1dd
ffffcf002b86f870 fffff80313d71693 : ffffa2034caee800 000001a5c2b74920 ffffa2034caee800 0000000000000000 : nt!NtQueryAttributesFile+0x1ab
ffffcf002b86fb00 00007ffb48ff6884 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
000000161f0fe1c8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffb48ff6884

STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: 06fc7ffe3c60fd1be9b3633307363e0f0e9fad7a

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: aa95612109f48d1c77995c8d764702f4ea0536ee

THREAD_SHA1_HASH_MOD: 398a08d3446b2eb585698e5b738f3991cc634db9

FOLLOWUP_IP:
NnnFlt!memcpy+1ec [d:\winmain\minkernel\crts\crtw32\string\amd64\memcpy.asm @ 293]
fffff808`f1c4137c 8901 mov dword ptr [rcx],eax

FAULT_INSTR_CODE: 8b4d0189

FAULTING_SOURCE_LINE: d:\winmain\minkernel\crts\crtw32\string\amd64\memcpy.asm

FAULTING_SOURCE_FILE: d:\winmain\minkernel\crts\crtw32\string\amd64\memcpy.asm

FAULTING_SOURCE_LINE_NUMBER: 293

FAULTING_SOURCE_CODE:
No source found for ‘d:\winmain\minkernel\crts\crtw32\string\amd64\memcpy.asm’

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: NnnFlt!memcpy+1ec

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NnnFlt

IMAGE_NAME: NnnFlt.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 59137f04

BUCKET_ID_FUNC_OFFSET: 1ec

FAILURE_BUCKET_ID: 0xD5_INVALID_NnnFlt!memcpy

BUCKET_ID: 0xD5_INVALID_NnnFlt!memcpy

PRIMARY_PROBLEM_CLASS: 0xD5_INVALID_NnnFlt!memcpy

TARGET_TIME: 2017-07-25T06:24:40.000Z

OSBUILD: 14393

OSSERVICEPACK: 1480

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 3

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 Server TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2017-07-07 02:26:09

BUILDDATESTAMP_STR: 170706-2004

BUILDLAB_STR: rs1_release

BUILDOSVER_STR: 10.0.14393.1480

ANALYSIS_SESSION_ELAPSED_TIME: 66a

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xd5_invalid_nnnflt!memcpy

FAILURE_ID_HASH: {56af5c73-4004-836b-a482-587919c3b8ac}

Followup: MachineOwner

=========================================
26: kd> !pte ffffb68191104fe8
=========================================
VA ffffb68191104fe8
PXE at FFFFF379BCDE6B68 PPE at FFFFF379BCD6D030 PDE at FFFFF379ADA06440 PTE at FFFFF35B40C88820
contains 0000000077C49863 contains 00000180E3141863 contains 0000018229EFC863 contains 36818C5900000000
pfn 77c49 ---DA--KWEV pfn 180e3141 ---DA--KWEV pfn 18229efc ---DA--KWEV not valid
Page has been freed

It looks like some bugcheck parameters were updated without updating the docs and !analyze, we’ll look at getting those updated. For this case, 2 means a write access faulted.

Thanks very much.
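A small triage helper, added here as an example and not part of the thread, that parses the BUGCHECK_P* fields and STACK_TEXT of a !analyze -v report like the one above, names the Arg2 operation (0 and 1 as !analyze prints them, 2 as write per the reply above) and returns the first frame outside the OS and filter-manager modules. The sample text is a constructed excerpt of the posted output, and the SYSTEM_MODULES set is an assumption for this example.

```python
import re

# Constructed excerpt, trimmed from the !analyze -v output posted in this thread.
SAMPLE = """\
BUGCHECK_STR: 0xD5
BUGCHECK_P1: ffffb68191104fe8
BUGCHECK_P2: 2
BUGCHECK_P3: fffff808f1c4137c
BUGCHECK_P4: 0
STACK_TEXT:
ffffcf002b86e908 fffff80313d90bfa : 0000000000000050 ffffb68191104fe8 0000000000000002 ffffcf002b86ec00 : nt!KeBugCheckEx
ffffcf002b86ec00 fffff808f1c4137c : fffff808f1c48bf9 ffffcf002b86ee00 0000000000000000 ffffcf002b86ee68 : nt!KiPageFault+0x13c
ffffcf002b86ed98 fffff808f1c48bf9 : ffffcf002b86ee00 0000000000000000 ffffcf002b86ee68 ffffb6817b0b4ef0 : NnnFlt!memcpy+0x1ec
ffffcf002b86eda0 fffff808f1c492ec : ffffb6817b0b4ef0 ffffcf002b86ee10 ffffcf002b86f040 ffffcf002b86f040 : NnnFlt!VolumeBuildName+0x91
ffffcf002b86ee90 fffff808f17746ca : ffffcf002b86f069 ffffcf002b86f1a0 ffffa2034d055b00 ffffa2034d055c78 : FLTMGR!FltvPreOperation+0xd7
000000161f0fe1c8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffb48ff6884
STACK_COMMAND: kb
"""

# Arg2 meanings for 0xD5: 0 and 1 are what !analyze prints; 2 is the value this
# thread asked about, which the reply above identifies as a write access.
D5_OPERATION = {0: "read", 1: "write", 2: "write (not listed in !analyze text)"}
# Assumed set of OS / filter-manager modules to skip when looking for the driver frame.
SYSTEM_MODULES = {"nt", "hal", "FLTMGR"}

KV_RE = re.compile(r"^([A-Z_0-9]+):\s*(.*)$")
# child-sp, return address, four args, then module!symbol+offset
FRAME_RE = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+ : (?:[0-9a-f`]+ ){4}: (\w+)!(\S+)")

def parse_analyze(text):
    """Pull the bugcheck arguments and the symbolised stack out of !analyze -v."""
    fields, frames = {}, []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group(1), m.group(2)))   # (module, symbol+offset)
            continue
        m = KV_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    args = [int(fields.get(f"BUGCHECK_P{i}", "0"), 16) for i in range(1, 5)]
    return {"code": fields.get("BUGCHECK_STR"), "args": args, "frames": frames}

def triage_d5(report):
    """Name the Arg2 operation and the first frame that is not an OS module."""
    op = D5_OPERATION.get(report["args"][1], "unknown value")
    culprit = next((f for f in report["frames"] if f[0] not in SYSTEM_MODULES), None)
    return {"address": f"{report['args'][0]:016x}", "operation": op,
            "faulting_ip": f"{report['args'][2]:016x}", "first_driver_frame": culprit}

if __name__ == "__main__":
    print(triage_d5(parse_analyze(SAMPLE)))
```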

Thanks Andy!

OP: This is a fault in freed special pool, so you should be able to see
where your driver freed the memory using the following command:

!verifier 80 ffffb68191104fe8

-scott
OSR
@OSRDrivers

Thanks Scott!

Unfortunately, pool tagging was not enabled on this particular system, so it didn’t produce anything (according to the response from !verifier). We had requested that pool tagging be enabled, but apparently it wasn’t. We have asked again.