BSOD PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc) happens after volume gets dismounted (Minifilter)

Hi,

I am working on an encryption-based minifilter driver. I have a cluster environment with 2 machines, and a stress script is running to take cluster nodes down simultaneously so as to move the cluster disk from one node to another and vice versa.
My encryption driver is installed on both machines. As one node goes down, my minifilter driver's Instance TeardownStart/TeardownComplete and Instance Cleanup callbacks get called in response to the volume dismount. After a random number of iterations, the bugcheck happens.

I have checked that this issue happens after the FLT_VOLUME: ffffcf807f1787f0 “\Device\HarddiskVolume64” volume has been dismounted.

Can anyone help me understand the root cause?

Thanks a lot for any suggestions!

PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffcf8080a90be0, memory referenced
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
Arg3: fffff800365ba96c, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, Mm internal code.

0: kd> !fltkd.volumes

Volume List: ffffcf80702629b0 “Frame 0”
FLT_VOLUME: ffffcf80702aa800 “\Device\Mup”
FLT_INSTANCE: ffffcf8076bbc6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf80702f8c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf807364ed90 “CCFFilter” “261160”
FLT_INSTANCE: ffffcf80702606c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf807038a7f0 “\Device\HarddiskVolume2”
FLT_INSTANCE: ffffcf807193cc30 “CsvNSFlt Instance” “404900”
FLT_INSTANCE: ffffcf807f12c6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070876c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf80709fe6c0 “Sfntpffd Instance” “144200”
FLT_INSTANCE: ffffcf80719984c0 “luafv” “135000”
FLT_VOLUME: ffffcf807073e7f0 “\Device\HarddiskVolume3”
FLT_INSTANCE: ffffcf807f13a6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf80707c2c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf807077e6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf80707bc7f0 “\Device\NamedPipe”
FLT_INSTANCE: ffffcf807076cd30 “npsvctrig” “46000”
FLT_VOLUME: ffffcf807070a7f0 “\Device\Mailslot”
FLT_VOLUME: ffffcf80707d47f0 “\Device\HarddiskVolume4”
FLT_INSTANCE: ffffcf807cbcc6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf807066e6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf80706787f0 “\Device\HarddiskVolume5”
FLT_INSTANCE: ffffcf807f1386a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070a306c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070b9a7f0 “\Device\HarddiskVolume1”
FLT_INSTANCE: ffffcf807e92c6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070be8c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070b466c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070ae67f0 “\Device\HarddiskVolume6”
FLT_INSTANCE: ffffcf807e84e6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070a48c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070a246c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070a4e7f0 “\Device\HarddiskVolume7”
FLT_INSTANCE: ffffcf807deb26a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070aeec30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070b5c6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf808068e7f0 “\Device\HarddiskVolume61”
FLT_INSTANCE: ffffcf80806e06a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf807e29ac30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8081748b40 “ResumeKeyFilter” “202000”
FLT_INSTANCE: ffffcf80816a26c0 “Sfntpffd Instance” “144200”
**FLT_VOLUME: ffffcf807f1787f0 “\Device\HarddiskVolume64”**

So, what does !verifier say? In particular, !verifier 80 ffffcf8080a90be0. A stack might be helpful too.

STACK_TEXT:
nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x8a2
nt!KeBugCheckEx+0x104
nt!MiSystemFault+0x1048
nt!MmAccessFault+0x219
nt!KiPageFault+0x317
nt!FsRtlLookupReservedPerFileContext
nt!FsRtlRemoveReservedPerFileContext+0xe
fltmgr!FltpDeleteAllFileListCtrls+0x9e98
fltmgr!FltpFreeVolume+0xdf
fltmgr!FltpCleanupDeviceObject+0x6b
fltmgr!FltpFastIoDetachDeviceWorker+0x15
nt!ExpWorkerThread+0x69f
nt!PspSystemThreadStartup+0x18a
nt!KiStartSystemThread+0x16

Thanks for responding!
I am posting the !verifier 80 information from a similar crash, and it points to my encryption driver in the stack.
But I still cannot relate how this is directly linked to my crash.

!verifier 80 ffffcf8070f7cbe0

Log of recent kernel pool Allocate and Free operations:

There are up to 0x10000 entries in the log.

Parsing 0x0000000000010000 log entries, searching for address 0xffffcf8070f7cbe0.

======================================================================
Pool block ffffcf8070f7cb40, Size 00000000000004c0, Thread ffffe000a072e880
fffff80376486bf2 nt!VfFreePoolNotification+0x4a
fffff8037609f0b2 nt!ExFreePoolWithTag+0xb2
fffff80376478130 nt!VerifierExFreePoolWithTag+0x44
fffff800b04ac7fd Encryption!ExFreeToNPagedLookasideList+0x5d
fffff800b04c046f Encryption!PfmDerefenceFcb+0x3cf
fffff800b04b8de4 Encryption!PfmCloseCallback+0x414
fffff800b0250d31 fltmgr!FltvPreOperation+0xf5
fffff800b02020ba fltmgr!FltpPerformPreCallbacks+0x31a
fffff800b0202d0c fltmgr!FltpPassThroughInternal+0x8c
fffff800b0201934 fltmgr!FltpPassThrough+0x2b5
fffff800b02010aa fltmgr!FltpDispatch+0x9a
fffff80376476911 nt!IovCallDriver+0x3cd
fffff803761adabc nt!IopDeleteFile+0x128

Finished parsing all pool tracking information.

Mismatched FltGet***Context/FltReleaseContext. !verifier is your friend.

Hi Rod,

Can you please help elaborate on “Mismatched FltGet***Context/FltReleaseContext”
in this particular context?

Thanks a lot!
Pooja

Well, I would guess from the stack that the crash happens when the filter manager tries to disconnect the contexts from the file objects as a result of a dismount. It has gone through the contexts it has and it has tried to dereference each one. Only it has tripped over some memory that you have already freed. This could either be a Filter Manager context or it could be something you have thrown into FileObject->FsContext (somewhere in the FSRTL_ADVANCED_FCB_HEADER), or it could be both; I have no idea of your architecture. The address might give you a clue, as might the code at the point of failure.

You obviously have a referenced structure, and it equally obviously is being freed before everything is done with it, so you are probably either missing a reference/dereference pair or you have a dereference which is missing its matching reference.

The Get/Release context reference was because the most common reference/dereference operations are the ones that the minifilter does for you to handle context (File/Stream/Volume/Instance/StreamHandle) lifetimes.

Hi Rod,

To relate to your post, my minifilter driver architecture is based upon a shadow file object design, where I have set FileObject->FsContext to my own created FCB.

Now, in the test operation, before the dismount, IRP_MJ_CLOSE has happened for one of the files on the same volume that is to be dismounted.
And in that close operation handling, we have freed my own created FCB structure (this is the one which has been freed in the call stack of !verifier 80 ffffcf8070f7cbe0).

Now in the dismount operation, after the ContextCleanup callback has completed, the bugcheck happens referencing the above address in fltmgr!FltpDeleteAllFileListCtrls+0x9e98.

So, I am trying to relate what is actually happening in the FltpDeleteAllFileListCtrls operation for my FCB-related structure…

I hope, it makes sense.

Thanks a lot!

So, I am trying to relate what is actually happening in the FltpDeleteAllFileListCtrls operation for my FCB-related structure…
You’ll have to determine that, but it will be one of four things:

  • If your FCB also masquerades as a filter manager Stream context for the lower file object, then it could be being detached from the lower file object.
  • The Filter Manager could be looking at YourFcb->AdvHeader.FilterContexts to remove all the stream contexts that other filters have attached.
  • If your FCB also masquerades as a filter manager File context for the lower file object, then it could be being detached from the lower file object.
  • The Filter Manager could be looking at *YourFcb->AdvHeader.FileContextSupport to remove all the file contexts that other filters have attached.

You’ll need to determine which yourself - you have all the information you need.

Hi Rod,

Thank you so much for your prompt responses.

To relate to your suggestions: in the driver, to initialize the advanced FCB header, there is a call to FsRtlSetupAdvancedHeaderEx(1stParam, 2ndParam, &fcb->FileCtxSupportPointer).

And as per the FsRtlSetupAdvancedHeaderEx() code in ntifs.h,
(_advhdr)->FileContextSupportPointer = &fcb->FileCtxSupportPointer;

and localAdvHdr->Flags2 |= FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS;

which means we do support PerStreamContext and PerFileContext.

In the IRP_MJ_CLOSE callback, we have called FsRtlTeardownPerStreamContexts(AdvancedFCBHeader) to tear down the stream contexts.

Should we call FsRtlTeardownPerFileContexts() to tear down the file contexts as well?

Thanks a lot!

Hey, guess what: the documentation for FsRtlTeardownPerFileContexts has disappeared alongside nearly every other useful IFS API. That’s two weeks and counting. If anyone would like to add their distress at this breakage to the case, it might be useful.

Anyway, to the case in point: that sounds like a good plan. Without the documentation I cannot be sure…

Gotta love that! Though it does appear to still be present in the Korean(?) version of the help docs.

Pete

Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

To follow up, you can get an approximation of the document here. It looks like this is required during IRP_MJ_CLOSE handling (or during the final deref).
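The mechanism Rod lays out in his four-point list (fltmgr walking the per-file contexts hanging off the filter's own FCB header when the volume is torn down) and the FsRtlTeardownPerFileContexts-on-close fix the thread arrives at, as an added user-mode C model. It is not kernel code and not anything a poster wrote: the LIST_ENTRY helpers, the special-pool tracker and every fltmgr_*/fsrtl_* function are simplified stand-ins (assumptions) for the real routines named in the comments, and the scenario() walk is a constructed one-file, one-context case rather than the cluster stress run. It shows why freeing the shadow FCB at IRP_MJ_CLOSE without tearing down the per-file contexts leaves fltmgr holding a pointer into freed memory that the dismount later dereferences, and how running the teardown first empties the volume's list so the dismount has nothing stale to touch.

```c
/* User-mode model of how a shadow FCB, the FsRtl per-file context list and fltmgr's per-volume
 * bookkeeping interact at IRP_MJ_CLOSE and at dismount. NOT kernel code: every name here is a
 * simplified stand-in for the real FSRTL or fltmgr structure or routine named in the comments. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct list_entry { struct list_entry *Flink, *Blink; } LIST_ENTRY;
static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static bool IsListEmpty(const LIST_ENTRY *h) { return h->Flink == h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) { e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e; }
static void RemoveEntryList(LIST_ENTRY *e) { e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; }
#define CONTAINING_RECORD(p, T, f) ((T *)((char *)(p) - offsetof(T, f)))

/* Stand-in for Driver Verifier special pool: remember freed blocks so a use-after-free is
 * reported as a result instead of being undefined behaviour. */
static const void *g_freed[32];
static int g_nfreed;
static void special_pool_free(void *p) { if (g_nfreed < 32) g_freed[g_nfreed++] = p; free(p); }
static bool special_pool_is_freed(const void *p) {
    for (int i = 0; i < g_nfreed; i++) if (g_freed[i] == p) return true;
    return false;
}

struct shadow_fcb;
typedef struct per_file_ctx {             /* stand-in for FSRTL_PER_FILE_CONTEXT */
    LIST_ENTRY Links;                     /* on the FCB header's per-file context list */
    void (*FreeCallback)(struct per_file_ctx *);
    LIST_ENTRY VolumeLinks;               /* fltmgr's per-volume list that the dismount walks */
    struct shadow_fcb *Fcb;               /* how fltmgr gets back to the header at dismount */
} PER_FILE_CTX;

typedef struct shadow_fcb {               /* the filter's own FCB with its advanced header */
    LIST_ENTRY PerFileContexts;           /* storage FileContextSupportPointer points at */
    LIST_ENTRY *FileContextSupportPointer;
} SHADOW_FCB;

typedef struct volume { LIST_ENTRY FileContexts; } VOLUME;

/* Stand-in for FsRtlSetupAdvancedHeaderEx: advertise per-file context support. */
static SHADOW_FCB *fcb_create(void) {
    SHADOW_FCB *fcb = calloc(1, sizeof *fcb);
    InitializeListHead(&fcb->PerFileContexts);
    fcb->FileContextSupportPointer = &fcb->PerFileContexts;
    return fcb;
}

/* FreeCallback: fltmgr drops its volume-level bookkeeping for the context and releases it. */
static void fltmgr_ctx_free_cb(PER_FILE_CTX *ctx) { RemoveEntryList(&ctx->VolumeLinks); free(ctx); }

/* Stand-in for fltmgr servicing another minifilter's FltSetFileContext on this file: the
 * context is linked onto the header (FsRtlInsertPerFileContext) and onto the volume. */
static void fltmgr_set_file_context(VOLUME *vol, SHADOW_FCB *fcb) {
    PER_FILE_CTX *ctx = calloc(1, sizeof *ctx);
    ctx->FreeCallback = fltmgr_ctx_free_cb;
    ctx->Fcb = fcb;
    InsertTailList(fcb->FileContextSupportPointer, &ctx->Links);
    InsertTailList(&vol->FileContexts, &ctx->VolumeLinks);
}

/* Stand-in for FsRtlTeardownPerFileContexts: unlink every context from the header and run its
 * FreeCallback, so nobody is left holding a pointer into the FCB that is about to be freed. */
static int fsrtl_teardown_per_file_contexts(SHADOW_FCB *fcb) {
    int n = 0;
    LIST_ENTRY *head = fcb->FileContextSupportPointer;
    while (!IsListEmpty(head)) {
        PER_FILE_CTX *ctx = CONTAINING_RECORD(head->Flink, PER_FILE_CTX, Links);
        RemoveEntryList(&ctx->Links);
        ctx->FreeCallback(ctx);
        n++;
    }
    return n;
}

/* The filter's IRP_MJ_CLOSE handling for its shadow FCB, with or without the teardown. */
static void fcb_close(SHADOW_FCB *fcb, bool teardown_contexts) {
    if (teardown_contexts) fsrtl_teardown_per_file_contexts(fcb);
    special_pool_free(fcb);
}

/* Stand-in for FltpFreeVolume -> FltpDeleteAllFileListCtrls -> FsRtlRemoveReservedPerFileContext:
 * unhook every context still registered on the volume from its file's header. Returns the
 * number removed, or -1 where the real code would read a freed FCB header (bugcheck 0xCC). */
static int fltmgr_dismount_volume(VOLUME *vol) {
    int n = 0;
    while (!IsListEmpty(&vol->FileContexts)) {
        PER_FILE_CTX *ctx = CONTAINING_RECORD(vol->FileContexts.Flink, PER_FILE_CTX, VolumeLinks);
        RemoveEntryList(&ctx->VolumeLinks);
        if (special_pool_is_freed(ctx->Fcb)) { free(ctx); return -1; }
        RemoveEntryList(&ctx->Links);   /* this is the header access that faults in the thread */
        free(ctx);
        n++;
    }
    return n;
}

/* One iteration of the stress loop (constructed): a file is opened on the volume, some filter
 * attaches a file context, the file is closed (shadow FCB freed), then the volume is dismounted. */
static int scenario(bool teardown_on_close) {
    VOLUME vol;
    g_nfreed = 0;
    InitializeListHead(&vol.FileContexts);
    SHADOW_FCB *fcb = fcb_create();
    fltmgr_set_file_context(&vol, fcb);
    fcb_close(fcb, teardown_on_close);
    return fltmgr_dismount_volume(&vol);
}

int main(void) {
    printf("close without teardown: dismount -> %d (-1 = bugcheck 0xCC)\n", scenario(false));
    printf("close with teardown:    dismount -> %d\n", scenario(true));
    return 0;
}
```

Build with any C99 compiler (for example `cc -Wall model.c`, the file name being whatever you save it as); the first line reports -1, the second 0. In the model the dangling pointer is fltmgr's VolumeLinks entry whose Fcb points at freed special pool, which is exactly the shape of the crash above: FltpDeleteAllFileListCtrls walks its own per-volume list and then asks FsRtl to look the context up through a header that no longer exists. The real kernel-mode fix is the one the thread names: call FsRtlTeardownPerFileContexts (alongside FsRtlTeardownPerStreamContexts) on the advanced header before the FCB's memory goes back to the lookaside list.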

BSOD details:
PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffcf8080a90be0, memory referenced
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
Arg3: fffff800365ba96c, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, Mm internal code.

BUGCHECK_P1: ffffcf8080a90be0

BUGCHECK_P2: 0

BUGCHECK_P3: fffff800365ba96c

BUGCHECK_P4: 0

READ_ADDRESS: ffffcf8080a90be0 Special pool

FAULTING_IP:
nt!FsRtlLookupReservedPerFileContext+0
fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0xCC

PROCESS_NAME: System

CURRENT_IRQL: 0

ANALYSIS_VERSION: 10.0.17763.1 amd64fre

TRAP_FRAME: ffffd000233aa860 – (.trap 0xffffd000233aa860)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=ffffcf8080a90be0
rdx=ffffcf807f1787f0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800365ba96c rsp=ffffd000233aa9f8 rbp=ffffd000233aaa60
r8=ffffcf8080a90be0 r9=0000000000000000 r10=0000000000000000
r11=ffffd000233aa9c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!FsRtlLookupReservedPerFileContext:
fffff800365ba96c 488b01 mov rax,qword ptr [rcx] ds:ffffcf8080a90be0=???
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff800365d2d5a to fffff80036565500

STACK_TEXT:
ffffd000233a9f28 fffff800365d2d5a : 0000000000000000 0000000000000000 ffffd000233aa090 fffff800364c2f90 : nt!DbgBreakPointWithStatus
ffffd000233a9f30 fffff800365d2686 : 0000000000000003 ffffd000233aa090 fffff8003656fb00 00000000000000cc : nt!KiBugCheckDebugBreak+0x12
ffffd000233a9f90 fffff8003655d3a4 : 4f808126e0000000 fffff80036459262 0000000000000002 0000000000000000 : nt!KeBugCheck2+0x8a2
ffffd000233aa690 fffff80036602af4 : 0000000000000050 ffffcf8080a90be0 0000000000000000 ffffd000233aa860 : nt!KeBugCheckEx+0x104
ffffd000233aa6d0 fffff800364509d9 : 0000000000000000 ffffcf8080a90be0 ffffd000233aa860 ffffcf8080a90be0 : nt!MiSystemFault+0x1048
ffffd000233aa760 fffff8003656a957 : ffffcf807f178d78 fffffffffa0a1f00 0000000000000000 fffff80036641f90 : nt!MmAccessFault+0x219
ffffd000233aa860 fffff800365ba96c : fffff800365bad7a ffffd000233aaa60 ffffcf8000000000 fffff8015c1d68f6 : nt!KiPageFault+0x317
ffffd000233aa9f8 fffff800365bad7a : ffffd000233aaa60 ffffcf8000000000 fffff8015c1d68f6 ffffcf807f1787f0 : nt!FsRtlLookupReservedPerFileContext
ffffd000233aaa00 fffff8015c1e0748 : ffffcf807f1788e8 ffffcf807f178d78 ffffcf807f1788e8 fffff800366ba400 : nt!FsRtlRemoveReservedPerFileContext+0xe
ffffd000233aaa30 fffff8015c1d670f : ffffcf807f1788e8 ffffcf807f1787f0 ffffcf807f7386c0 ffffcf807f1788e8 : fltmgr!FltpDeleteAllFileListCtrls+0x9e98
ffffd000233aaa80 fffff8015c1d687b : ffffe00045f73a50 0000000000000008 ffffe00045f73900 0000000000000000 : fltmgr!FltpFreeVolume+0xdf
ffffd000233aaac0 fffff8015c1d67e8 : ffffcf8080888f90 ffffe0004521f040 ffffcf8080888f98 0000000000000018 : fltmgr!FltpCleanupDeviceObject+0x6b
ffffd000233aab20 fffff8003646799f : 0000000000000000 ffffe0004521f040 ffffcf8080888f98 0000000000000000 : fltmgr!FltpFastIoDetachDeviceWorker+0x15
ffffd000233aab50 fffff800364f052a : ffffe00044db1ce0 ffffd001572d5180 0000000000000080 ffffe00041c885c0 : nt!ExpWorkerThread+0x69f
ffffd000233aac00 fffff80036564d56 : ffffd001572d5180 ffffe0004521f040 ffffe00044a28080 0000000000000004 : nt!PspSystemThreadStartup+0x18a
ffffd000233aac60 0000000000000000 : ffffd000233ab000 ffffd000233a5000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16

FOLLOWUP_IP:
nt!FsRtlLookupReservedPerFileContext+0
fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]

FAULT_INSTR_CODE: 48018b48

SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: nt!FsRtlLookupReservedPerFileContext+0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 5b93e6c7

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 0

FAILURE_BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext

BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext

PRIMARY_PROBLEM_CLASS: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
FAILURE_ID_HASH_STRING: km:0xcc_vrf_nt!fsrtllookupreservedperfilecontext
