Hi,
We are working on a file system encryption minifilter driver. If we copy a file in
a NAS encrypted path, then delete it, and then restart, a bugcheck happens.
It points to rdbss.sys driver not our file system filter driver.
I have made this registry setting to capture stack traces so the guilty driver can be easily identified:
set HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\TrackLockedPages to a DWORD 1
Bug check details:
DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS (cb)
Caused by a driver not cleaning up completely after an I/O.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff88002919d4a, The calling address in the driver that locked the pages or if the
IO manager locked the pages this points to the dispatch routine of
the top driver on the stack to which the IRP was sent.
Arg2: 0000000000000000, The caller of the calling address in the driver that locked the
pages. If the IO manager locked the pages this points to the device
object of the top driver on the stack to which the IRP was sent.
Arg3: fffffa8003a43010, A pointer to the MDL containing the locked pages.
Arg4: 0000000000000002, The number of locked pages.
Debugging Details:
DUMP_CLASS: 1
DUMP_QUALIFIER: 402
BUILD_VERSION_STRING: 7601.24214.amd64fre.win7sp1_ldr_escrow.180801-1700
SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware Virtual Platform
SYSTEM_VERSION: None
BIOS_VENDOR: Phoenix Technologies LTD
BIOS_VERSION: 6.00
BIOS_DATE: 07/30/2013
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: 440BX Desktop Reference Platform
BASEBOARD_VERSION: None
DUMP_TYPE: 0
BUGCHECK_P1: fffff88002919d4a
BUGCHECK_P2: 0
BUGCHECK_P3: fffffa8003a43010
BUGCHECK_P4: 2
FAULTING_IP:
rdbss!RxLockUserBuffer+b2
fffff88002919d4a eb45 jmp rdbss!RxLockUserBuffer+0xf9 (fffff88002919d91)
CPU_COUNT: 2
CPU_MHZ: 960
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 2d
CPU_STEPPING: 7
CPU_MICROCODE: 6,2d,7,0 (F,M,S,R) SIG: 710'00000000 (cache) 710'00000000 (init)
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0xCB
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: NOI-D70QD152
ANALYSIS_SESSION_TIME: 08-20-2018 11:16:03.0536
ANALYSIS_VERSION: 10.0.15063.468 amd64fre
LAST_CONTROL_TRANSFER: from fffff8000198f3ac to fffff800016b29a0
STACK_TEXT:
fffff88005d5b858 fffff8000198f3ac : 00000000000000cb fffff88002919d4a 0000000000000000 fffffa8003a43010 : nt!KeBugCheckEx
fffff88005d5b860 fffff8000192a326 : 0000000000000001 fffffa80033219f0 fffffa8000000000 fffffa8000000000 : nt! ?? ::NNGAKEGL::`string'+0x131ac
fffff88005d5b8a0 fffff80001659894 : 0000000000000000 fffffa8001891080 fffffa8003667ad0 fffff8000191b37b : nt!PspProcessDelete+0x1a2
fffff88005d5b900 fffff800018f263f : fffffa8003667b00 0000000000000001 fffffa80033219f0 fffff8000190b04e : nt!ObfDereferenceObject+0xd4
fffff88005d5b960 fffff80001659894 : 0000000000000000 fffffa80036ba160 fffffa8001891f30 fffffa80036ba160 : nt!PspThreadDelete+0xe3
fffff88005d5b9a0 fffff8000190b4d1 : fffffa80036ba160 0000000000000000 fffffa80033219f0 0000000000000000 : nt!ObfDereferenceObject+0xd4
fffff88005d5ba00 fffff8000190b1e4 : 0000000000000b34 fffffa80030deb00 fffff8a002028ef0 0000000000000b34 : nt!ObpCloseHandleTableEntry+0xc1
fffff88005d5ba90 fffff800016c09d3 : fffffa80033219f0 fffff88005d5bb60 0000000000000000 0000000000000000 : nt!ObpCloseHandle+0x94
fffff88005d5bae0 000000007719999a : 000007fefccf1873 000000000029eb90 00000000002d58c0 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
0000000001c0f6d8 000007fefccf1873 : 000000000029eb90 00000000002d58c0 0000000000000000 000007fefd0b2006 : ntdll!NtClose+0xa
0000000001c0f6e0 0000000077031951 : 0000000004710298 0000000089000089 0000000000000000 000000000022d390 : KERNELBASE!CloseHandle+0x13
0000000001c0f710 000007fefac45c2c : 0000000001a7a520 0000000000000000 0000000000244940 0000000000000000 : kernel32!CloseHandleImplementation+0x3d
0000000001c0f820 000007fefac3f335 : 0000000000000000 0000000000000000 0000000001a7a520 0000000000000000 : shsvcs!COMXProc::CAdviseClient::`vector deleting destructor'+0x3c
0000000001c0f850 000007fefac311ac : 0000000001a7d330 0000000000000000 0000000001a7dde0 0000000001a7a4a0 : shsvcs!COMXProc::CThreadTaskCheckClients::_DoStuff+0xc9
0000000001c0f890 000007fefac3110a : 0000000001a7d330 0000000000000000 0000000000000000 0000000000000000 : shsvcs!CThreadTask::_CallDoStuff+0x76
0000000001c0f8c0 000000007713d13b : 0000000001e95080 0000000001e95080 0000000000000000 0000000000000002 : shsvcs!CThreadTask::_ThreadProc+0x12
0000000001c0f8f0 0000000077229e87 : 0000000000000000 0000000001a7d330 0000000000227aa0 0000000001ef5248 : ntdll!RtlpTpWorkCallback+0x16b
0000000001c0f9d0 00000000770259cd : 0000000000000002 0000000200020002 0000000000227aa0 0000000001e95080 : ntdll!TppWorkerThread+0x6f7
0000000001c0fc60 000000007718383d : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0xd
0000000001c0fc90 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x1d
STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: 0b89289000e72fa8be7f9b7d086b1768bbb3e1f0
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: bb662d1717cf489f1d9ce6b4c73e2e030aa404ce
THREAD_SHA1_HASH_MOD: d2a905b0950cb2e9ab7e398c3a06ceb0608fb060
FOLLOWUP_IP:
rdbss!RxLockUserBuffer+b2
fffff88002919d4a eb45 jmp rdbss!RxLockUserBuffer+0xf9 (fffff88002919d91)
FAULT_INSTR_CODE: d88b45eb
SYMBOL_NAME: rdbss!RxLockUserBuffer+b2
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: rdbss
IMAGE_NAME: rdbss.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 59deb54c
FAILURE_BUCKET_ID: X64_0xCB_rdbss!RxLockUserBuffer+b2
BUCKET_ID: X64_0xCB_rdbss!RxLockUserBuffer+b2
PRIMARY_PROBLEM_CLASS: X64_0xCB_rdbss!RxLockUserBuffer+b2
TARGET_TIME: 2018-08-17T07:21:16.000Z
OSBUILD: 7601
OSSERVICEPACK: 1000
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 274
PRODUCT_TYPE: 3
OSPLATFORM_TYPE: x64
OSNAME: Windows 7
OSEDITION: Windows 7 Server (Service Pack 1) Enterprise TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2018-08-02 07:48:10
BUILDDATESTAMP_STR: 180801-1700
BUILDLAB_STR: win7sp1_ldr_escrow
BUILDOSVER_STR: 6.1.7601.24214.amd64fre.win7sp1_ldr_escrow.180801-1700
ANALYSIS_SESSION_ELAPSED_TIME: c5fa
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:x64_0xcb_rdbss!rxlockuserbuffer+b2
FAILURE_ID_HASH: {1a7b1b6a-d847-222f-47cc-87c5d98ec2b4}
Any help on same?
Thanks in Advance!
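
Added example, not part of the original post: a small Python parser for the 0xCB analysis text above. It pulls out the four bugcheck arguments and checks that the FAULTING_IP address is the same value as Arg1, the address that locked the pages, which is why the analysis names rdbss. The function names are hypothetical and the sample input is constructed from fields in the post.

```python
import re

# Constructed sample: a few fields copied from the analysis output in the post.
SAMPLE = """\
DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS (cb)
Arg1: fffff88002919d4a, The calling address in the driver that locked the pages
Arg2: 0000000000000000, The caller of the calling address
Arg3: fffffa8003a43010, A pointer to the MDL containing the locked pages.
Arg4: 0000000000000002, The number of locked pages.
FAULTING_IP:
rdbss!RxLockUserBuffer+b2
fffff88002919d4a eb45 jmp rdbss!RxLockUserBuffer+0xf9 (fffff88002919d91)
PROCESS_NAME: svchost.exe
"""

ARG_RE = re.compile(r"^Arg([1-4]):\s*([0-9a-fA-F`]+),", re.M)
CODE_RE = re.compile(r"^([A-Z0-9_]+) \(([0-9a-fA-F]+)\)\s*$", re.M)
IP_RE = re.compile(r"^FAULTING_IP:\s*\n(\S+)\s*\n([0-9a-fA-F`]+)\s", re.M)

def _addr(text):
    return int(text.replace("`", ""), 16)  # WinDbg may print 64-bit values as hi`lo

def parse_locked_pages_bugcheck(analysis):
    code = CODE_RE.search(analysis)
    if not code or int(code.group(2), 16) != 0xCB:
        raise ValueError("not a DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS analysis")
    args = {int(n): _addr(v) for n, v in ARG_RE.findall(analysis)}
    if sorted(args) != [1, 2, 3, 4]:
        raise ValueError("expected Arg1..Arg4")
    ip = IP_RE.search(analysis)
    proc = re.search(r"^PROCESS_NAME:\s*(\S+)", analysis, re.M)
    return {
        "locker_address": args[1],   # code that locked the pages
        "locker_caller": args[2],    # 0 in the post's dump
        "mdl": args[3],              # MDL still describing locked pages
        "locked_pages": args[4],
        "locker_symbol": ip.group(1) if ip else None,
        # True when the blamed instruction is just the Arg1 address
        "blame_is_locker": bool(ip) and _addr(ip.group(2)) == args[1],
        "process": proc.group(1) if proc else None,
    }

def followup_commands(info):
    # Debugger commands to resolve the locking address and inspect the leaked MDL
    return [
        "ln %x" % info["locker_address"],
        "dt nt!_MDL %x" % info["mdl"],
    ]
```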