PAGE_FAULT_IN_NONPAGED AREA

Hi,

This error occurred twice yesterday, but it is not repeatable,
as in there is no exact sequence of steps which would always cause the error to occur.
Analysing the crash dump tells me that the error occurred at the following line in my pre-create callback.

status=SecureLayerCreateRename(Data,CREATE_M);
where data is the FLT_CALLBACK received as an input to the pre-create routine and CREATE_M is #defined to 1.

I did !pool on the memory address and it says that the memory could be freed...
This is really the invocation of some common routine (it gets invoked by the pre-create callback and the pre-setinformation callback).

I have been going through the OSR posts and have gone through the recommendations of using !pool and !poolval, but am not able to proceed further.

Any help would be highly appreciated. I have put the output of the !analyze -v and !pool commands below.

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e1e87000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80543084, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)

Debugging Details:

Could not read faulting driver name

READ_ADDRESS: e1e87000

FAULTING_IP:
nt!RtlRandomEx+39
80543084 f3a7 rep cmpsd

MM_INTERNAL_CODE: 1

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

LAST_CONTROL_TRANSFER: from f9798188 to 80543084

STACK_TEXT:
f46f398c f9798188 f9b9d7d4 00000001 00000001 nt!RtlRandomEx+0x39
f46f39a0 f9262888 f9b9d7d4 f46f39c0 f46f39f0 SecureLayer!SecureLayerPreOperationCreate+0x18 [d:\securelayer\securelayer.c @ 954]
f46f3a00 f92642a0 006f3a44 f9b9d778 f9d09204 fltMgr!FltpPerformPreCallbacks+0x218
f46f3a14 f9270f17 f46f3a44 f926f3aa 00000000 fltMgr!FltpPassThroughFastIo+0x82
f46f3a2c f9271436 f46f3a44 f9c60028 f9d09018 fltMgr!FltpFsControlMountVolume+0x241
f46f3a60 804efdf9 f9c6d020 f9d09008 f9d09008 fltMgr!FltpInitFrameLookasideLists+0xd4
f46f3b50 805b5642 ff7afe30 00000000 f9cf4148 nt!MmCheckCachedPageState+0x1eb
f46f3bd8 805b1b23 00000000 f46f3c18 00000040 nt!IoRegisterPlugPlayNotification+0x1d5
f46f3c2c 8056c11d 00000000 00000000 00000001 nt!CmpAddSecurityCellToCache+0x99
f46f3ca8 8056ca94 0491e930 00100001 0491e8e0 nt!CcPreparePinWrite+0x94
f46f3d04 8057027b 0491e930 00100001 0491e8e0 nt!ObpCloseHandle+0x4b
f46f3d44 8053e808 0491e930 00100001 0491e8e0 nt!NtQueryInformationProcess+0x382
f46f3d64 7c94eb94 badb0d00 0491e8bc 805c93d0 nt!ObpPushStackInfo+0x75
WARNING: Frame IP not in any known module. Following frames may be wrong.
0491e94c 00000000 00000000 00000000 00000000 0x7c94eb94

FOLLOWUP_IP:
SecureLayer!SecureLayerPreOperationCreate+18 [d:\securelayer\securelayer.c @ 954]
f9798188 ?? ???

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: SecureLayer!SecureLayerPreOperationCreate+18

MODULE_NAME: SecureLayer

IMAGE_NAME: SecureLayer.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 455e8ad7

STACK_COMMAND: kb

FAILURE_BUCKET_ID: 0x50_SecureLayer!SecureLayerPreOperationCreate+18

BUCKET_ID: 0x50_SecureLayer!SecureLayerPreOperationCreate+18

Followup: MachineOwner

Pool page e1e87000 region is Unknown
GetUlongFromAddress: unable to read from 80565070
e1e87000 is not a valid small pool allocation, checking large pool...
unable to get pool big page table - either wrong symbols or pool tagging is disabled
e1e87000 is freed (or corrupt) pool
Bad allocation size @e1e87000, too large

***
*** An error (or corruption) in the pool was detected;
*** Pool Region unknown (0xFFFFFFFFE1E87000)
***
*** Use !poolval e1e87000 for more details.
***

Well, I looked at the assembly of nt!RtlRandomEx and I didn’t see any
“movsb” instruction there (WinXP SP2). Don’t you have wrong
symbols?

Anyway, it looks like you pass an invalid pointer to RtlRandomEx;
I cannot tell you more from the information you provided.

L.

Did you notice that this is a “rep” prefixed instruction and that it is
on a page boundary? That usually indicates a buffer overrun. Try
looking at the memory “just before” this address to see if you can
figure out what you just overran.

You cut some of the debug output as well (registers notably) so that
limits how much I can say about it. But work backwards and figure out
where the ESI and EDI register values originated, since one of them has
been overrun and you’ve walked onto a non-existent page.

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Thanks for all the inputs.

I tried a lot of things, but the crash still appeared, though not on a regular basis. It occurred when simulating low memory conditions and if e-trust anti virus is run to scan the computer.

On closer examination, I have stumbled on something. I am using an RtlCompareMemory instruction
to compare two strings a and b. My intention is to check if a is contained in b, so I have passed a’s length as the third parameter.
But I seem to have overlooked the fact that b’s length can be smaller than a’s, in which case this instruction would access memory which it is not supposed to.

I have corrected this now.
This could be a valid cause for such an error, isn’t it so?

Are you using a debugger? If so, then !analyze -v is your friend.
RtlCompareMemory is a simple function and you should be able to examine the
three parameters to find the problem yourself.

If you are not using a debugger, then start using WinDbg.

Thomas F. Divine
http://www.pcausa.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-270976-
xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Saturday, November 25, 2006 2:20 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] PAGE_FAULT_IN_NONPAGED AREA


> On closer examination, I have stumbled on something. I am using an
> RtlCompareMemory instruction to compare two strings a and b. My
> intention is to check if a is contained in b, so I have passed a’s
> length as the third parameter.

RtlPrefixUnicodeString does this.

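The overread discussed in this thread (a memory compare whose count is taken from a's length while b is shorter), as an added example that is not code from any of the posters. It is a user-mode model: `counted_str`, `compare_memory` and the `is_prefix_*` functions are hypothetical stand-ins for a counted kernel string and RtlCompareMemory, and it assumes "a is contained in b" means a prefix test.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a counted kernel string such as UNICODE_STRING: Length is in
   bytes and nothing guarantees readable memory after it (hypothetical type). */
typedef struct {
    unsigned short Length;          /* bytes of valid data */
    const unsigned short *Buffer;
} counted_str;

/* User-mode model of RtlCompareMemory: number of leading bytes that match. */
static size_t compare_memory(const void *p, const void *q, size_t n)
{
    const unsigned char *a = p, *b = q;
    size_t i = 0;
    while (i < n && a[i] == b[i])
        i++;
    return i;
}

/* Pattern from the thread: the count comes from a alone, so when
   b->Length < a->Length the compare reads past the end of b's data. */
int is_prefix_unchecked(const counted_str *a, const counted_str *b)
{
    return compare_memory(a->Buffer, b->Buffer, a->Length) == a->Length;
}

/* Lengths are compared first, so no byte beyond b->Length is touched. */
int is_prefix_checked(const counted_str *a, const counted_str *b)
{
    if (a->Length > b->Length)
        return 0;
    return compare_memory(a->Buffer, b->Buffer, a->Length) == a->Length;
}

/* Constructed data: b is "sec" (6 bytes) inside a larger array whose tail
   holds stale characters. In pool memory that tail can be an unmapped page. */
static const unsigned short A_DATA[] = { 's','e','c','r','e','t' };
static const unsigned short B_DATA[] = { 's','e','c','r','e','t','!','!' };
static const counted_str A = { sizeof A_DATA, A_DATA };
static const counted_str B = { 3 * sizeof(unsigned short), B_DATA };

int main(void)
{
    printf("unchecked: %d (stale bytes past b matched)\n", is_prefix_unchecked(&A, &B));
    printf("checked:   %d\n", is_prefix_checked(&A, &B));
    return 0;
}
```

Here the bytes after b are readable, so the unchecked version only reports a false match; when b ends at a page boundary, the same read faults, which fits the `rep cmpsd` at e1e87000 in the dump.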