Bugcheck from LazyWriter because something in Vacb is NULL?

Hi,

I’ve got a bugcheck IRQL_NOT_LESS_OR_EQUAL (page fault).
The call stack is:

STACK_TEXT:
f7c75c1c 804df460 86499008 00a89310 00000000 nt!CcAdjustVacbLevelLockCount+0x87
f7c75c50 804e0358 00000000 00001000 f7c75d58 nt!CcUnpinFileData+0x178
f7c75c70 804e12e9 86499008 f7c75cc0 00001000 nt!CcReleaseByteRangeFromWrite+0x70
f7c75cf8 804e1539 00001000 00000000 00000001 nt!CcFlushCache+0x497
f7c75d3c 804e3bf3 867cc1e0 8054d1a0 867cb340 nt!CcWriteBehind+0x133
f7c75d7c 80528545 867cc1e0 00000000 867cb340 nt!CcWorkerThread+0x11f
f7c75dac 805b05c6 867cc1e0 00000000 00000000 nt!ExpWorkerThread+0xed
f7c75ddc 80534de6 80528458 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

The call stack points to a problem when the LazyWriter writes
data to the file. The crashing instruction is here:

// CcAdjustVacbLevelLockCount:
804e4ccf push dword ptr [ebp-0x4] // Zero
804e4cd2 push edi // SharedCacheMap->Vacbs (86499DC0)
804e4cd3 push esi // SharedCacheMap (86499008)
804e4cd4 call nt!VacbLevelReference (804e4222)
804e4cd9 push dword ptr [ebp-0x4]
804e4cdc mov ecx,[ebp+0x14]
804e4cdf add [eax],ecx <==== HERE - EAX is 0x0400

The “VacbLevelReference” function receives three parameters:

  • Pointer to SharedCacheMap, which is 86499008 (i.e. not NULL).
  • SharedCacheMap->Vacbs (86499dc0->864999b0)
  • Zero

Some of the SharedCacheMap’s fields are here:

+0x030 InitialVacbs : [4] (null)
+0x040 Vacbs : 0x86499dc0 -> 0x864999b0
+0x044 FileObject : 0x86715a58
+0x048 ActiveVacb : (null)
+0x04c NeedToZero : (null)
+0x050 ActivePage : 0
+0x054 NeedToZeroPage : 0
+0x058 ActiveVacbSpinLock : 0
+0x05c VacbActiveCount : 0
+0x060 DirtyPages : 3

The Vacb list contains some NULL values, spread through the array:

864999b0 867a29c0 867a4340 867a42e0 867a43e8
864999c0 867a2720 867a4310 867a4238 867a42f8
864999d0 867a3fc8 867a2048 867a2a50 867a3e90
864999e0 867a2f18 867a3ec0 867a2a38 867a40d0
864999f0 00000000 867a29a8 867a3668 867a2b58
86499a00 867a2348 867a4040 867a3f50 867a2870
86499a10 00000000 00000000 00000000 867a3278
86499a20 867a2fa8 00000000 00000000 867a5cc0
86499a30 00000000 00000000 867a3170 00000000

The function “VacbLevelReference” seems to pop one of the values
from this table. This value is NULL. The function then
adds 0x400 to it and returns the result, 0x00000400 (NullPtr + 0x400).
The marked instruction after the return from the function causes the page fault.

The FileObject in the SharedCacheMap indicates that the file
is “$Mft” (NTFS’s Master File Table).

Does anyone know of any information or tips on
where to find the source of the problem, or what
could cause this?
Maybe the cache actually does not contain the required
page, or the file is not in the cache?
(Although the file object does contain a DataSectionObject
and a SharedCacheMap within the SectionObjectPointer.)

Thanks for any hints or tips

L.
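The following is an added example, not code from the post and not Windows' own implementation: a simplified C model of the arithmetic the poster describes, i.e. a multi-level table of pointers in which one slot is NULL, a reference block assumed to live 0x400 bytes past the start of each level's pointer array, and a lock-count adjustment that dereferences that block. The structure layout, the constant VACB_LEVEL_BLOCK_SIZE, the function names and the two-level demo tree are all assumptions chosen to reproduce the observed value (NULL + 0x400 == 0x400 in EAX); only the offset 0x400 comes from the post. The model adds the check the crashing path evidently lacked: it computes the address the unchecked path would write to, but refuses to touch it when the leaf array is missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption, not Windows' definition: the reference block sits 0x400 bytes
 * past the start of a level's pointer array, matching the offset the post
 * observed (EAX == 0x400 after a NULL array pointer went in). */
#define VACB_LEVEL_BLOCK_SIZE 0x400u
#define VACB_LEVEL_ENTRIES    (VACB_LEVEL_BLOCK_SIZE / sizeof(void *))

typedef struct _VACB { void *BaseAddress; } VACB;   /* placeholder view record */

/* One level of the index tree: an array of pointers (to child blocks or, at
 * the leaf level, to VACBs) immediately followed by its reference counters. */
typedef struct _VACB_LEVEL_BLOCK {
    void *Entries[VACB_LEVEL_ENTRIES];
    struct {
        long Reference;
        long SpecialReference;
    } Ref;
} VACB_LEVEL_BLOCK;

_Static_assert(offsetof(VACB_LEVEL_BLOCK, Ref) == VACB_LEVEL_BLOCK_SIZE,
               "reference block must start at +0x400, as in the crash");

/* Address of the reference block for a given level array. This is the
 * arithmetic the post describes: NULL + 0x400 == 0x400, the value in EAX.
 * Done in uintptr_t so a NULL input yields a number, not undefined behaviour. */
static uintptr_t vacb_level_reference_addr(const void *vacb_array)
{
    return (uintptr_t)vacb_array + VACB_LEVEL_BLOCK_SIZE;
}

/* Walk `levels` index blocks from `root` to the leaf array that owns
 * `view_index`. Returns NULL, and reports the level whose block was missing,
 * when an intermediate slot is NULL, like the holes in the dump above. */
static void *find_leaf_array(void *root, unsigned levels, size_t view_index,
                             unsigned *missing_level)
{
    void *cur = root;
    *missing_level = 0;
    if (levels == 0)
        return NULL;
    /* level levels-1 is the root block, level 0 the array of VACB pointers */
    for (unsigned level = levels - 1; level > 0; level--) {
        size_t span = 1;                         /* views covered per slot */
        for (unsigned i = 0; i < level; i++)
            span *= VACB_LEVEL_ENTRIES;
        size_t slot = (view_index / span) % VACB_LEVEL_ENTRIES;
        cur = ((VACB_LEVEL_BLOCK *)cur)->Entries[slot];
        if (cur == NULL) {
            *missing_level = level - 1;
            return NULL;
        }
    }
    return cur;
}

/* Adjust the lock count of the leaf level owning `view_index`.
 * *would_touch receives the address the unchecked path would write to
 * (the crash did `add [eax], ecx` on it). Returns -1 instead of
 * dereferencing it when the leaf array is missing. */
static int adjust_level_lock_count_checked(void *root, unsigned levels,
                                           size_t view_index, long delta,
                                           uintptr_t *would_touch)
{
    unsigned missing;
    void *leaf = find_leaf_array(root, levels, view_index, &missing);
    *would_touch = vacb_level_reference_addr(leaf);
    if (leaf == NULL)
        return -1;                               /* would fault at 0x400 */
    ((VACB_LEVEL_BLOCK *)leaf)->Ref.Reference += delta;
    return 0;
}

/* Constructed two-level tree (sample data, not from the dump): root slot 0
 * holds a leaf array, root slot 1 is NULL. */
static VACB_LEVEL_BLOCK *build_demo_tree(void)
{
    VACB_LEVEL_BLOCK *root = calloc(1, sizeof *root);
    VACB_LEVEL_BLOCK *leaf = calloc(1, sizeof *leaf);
    if (!root || !leaf)
        exit(1);
    root->Entries[0] = leaf;
    root->Entries[1] = NULL;
    return root;
}

int main(void)
{
    VACB_LEVEL_BLOCK *root = build_demo_tree();
    uintptr_t addr;
    int rc = adjust_level_lock_count_checked(root, 2, 0, 1, &addr);
    printf("view 0: rc=%d, reference block at %p\n", rc, (void *)addr);
    rc = adjust_level_lock_count_checked(root, 2, VACB_LEVEL_ENTRIES, 1, &addr);
    printf("view %zu: rc=%d, would have written to %p\n",
           VACB_LEVEL_ENTRIES, rc, (void *)addr);
    return 0;
}
```

The practical check this illustrates: when the faulting address in a bugcheck is a small constant such as 0x400, it is usually a field offset applied to a NULL base, so the thing to inspect is the pointer that was supposed to hold the array (here the slot in the Vacb table), not the memory at 0x400.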