Who uses 'SevQ' tag?

Hi,

One of our customers reported a system hang while accessing files through
our FSD, and the memory dump shows a deadlock in two threads for some
structure allocated with pool tag ‘SevQ’ (which of course, our driver
doesn’t use). Google/OSR list search for this tag didn’t turn up any (valid)
hits.

The stack shows SYMEVENT with a warning saying the stack unwind information
is not available, so I’m not sure if it’s related to SYMEVENT.

Does anybody know who uses the ‘SevQ’ tag?

If someone from SYMANTEC is reading this and if they do use the ‘SevQ’ tag, can
you please contact me off the list?

Here is more information from the dump (note the highlighted thread cycle):

Resource @ 0x85a83138 Exclusively owned
Contention Count = 100
NumberOfSharedWaiters = 2
Threads: 820a66c8-01<*> 8405f9f8-01 83d8bc80-01
======= ---------------
KD: Scanning for held locks…

Resource @ 0x85a85f10 Exclusively owned
Contention Count = 97
NumberOfSharedWaiters = 2
NumberOfExclusiveWaiters = 2
Threads: 8405f9f8-01<*> 825656b0-01 82d12b28-01

Threads Waiting On Exclusive Access:
820a66c8 82ff6ce8

Checking the pool tag shows it’s allocated with ‘SevQ’ tag.

0: kd> !pool 0x85a83138
Pool page 85a83138 region is Nonpaged pool
85a83000 is not a valid small pool allocation, checking large pool…
*85a82000 : large page allocation, Tag is SevQ, size is 0x5000 bytes
Owning component : Unknown (update pooltag.txt)

0: kd> !pool 0x85a85f10
Pool page 85a85f10 region is Nonpaged pool
85a85000 is not a valid small pool allocation, checking large pool…
*85a82000 : large page allocation, Tag is SevQ, size is 0x5000 bytes
Owning component : Unknown (update pooltag.txt)

And the thread stacks for both threads show SYMEVENT with the warning
saying stack frames could be wrong.

0: kd> !thread 0x820a66c8
THREAD 820a66c8 Cid 0d88.0f74 Teb: 7ff7c000 Win32Thread: 00000000 WAIT: (Unknown) KernelMode Non-Alertable

Priority 14 BasePriority 8 PriorityDecrement 6
ChildEBP RetAddr Args to Child
baabacd0 8083e6a2 820a6740 820a66c8 820a6770 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
baabacfc 8083f164 820a66c8 85a85f10 00000000 nt!KiSwapThread+0x284 (FPO: [Non-Fpo])
baabad44 80818613 82f195e0 0000001b 00000000 nt!KeWaitForSingleObject+0x346 (FPO: [Non-Fpo])
baabad80 80841266 83a949f8 e4af9360 85a82000 nt!ExpWaitForResource+0xd5 (FPO: [Non-Fpo])
baabada0 baf7c598 85a85f10 00000001 e85559cc nt!ExAcquireResourceExclusiveLite+0x8d (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
baabae78 baf7cf94 00000000 e8555998 baf7bf43 SYMEVENT!SYMEvent_GetSubTask+0x2758
baabae84 baf7bf43 baabaeb8 e17d7f10 baabaf04 SYMEVENT!SYMEvent_GetSubTask+0x3154
e8555998 00000000 00000000 00000000 00000000 SYMEVENT!SYMEvent_GetSubTask+0x2103

and

0: kd> !thread 0x8405f9f8
THREAD 8405f9f8 Cid 0d88.09d4 Teb: 7ff71000 Win32Thread: 00000000 WAIT: (Unknown) KernelMode Non-Alertable

Priority 14 BasePriority 8 PriorityDecrement 6
ChildEBP RetAddr Args to Child
ba7ec804 8083e6a2 8405fa70 8405f9f8 8405faa0 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
ba7ec830 8083f164 8405f9f8 85a83138 00000000 nt!KiSwapThread+0x284 (FPO: [Non-Fpo])
ba7ec878 80818613 84681588 0000001b 00000000 nt!KeWaitForSingleObject+0x346 (FPO: [Non-Fpo])
ba7ec8b4 80851e34 84646940 85a83128 85a83138 nt!ExpWaitForResource+0xd5 (FPO: [Non-Fpo])
ba7ec8d4 baf7b9a2 85a83138 00000001 e8916834 nt!ExAcquireResourceSharedLite+0xc6 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
ba7ec9bc baf7cf94 00000000 e8916800 baf7bf43 SYMEVENT!SYMEvent_GetSubTask+0x1b62
ba7ec9c8 baf7bf43 ba7ec9fc e17d7f10 ba7eca48 SYMEVENT!SYMEvent_GetSubTask+0x3154
e8916800 00000000 00000000 00000000 00000000 SYMEVENT!SYMEvent_GetSubTask+0x2103

Does anybody know who uses ‘SevQ’?

Thanks,

- Hrishikesh.

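The wait cycle in the dump above can be extracted mechanically: the `<*>` entry in the `!locks` output is each resource's exclusive owner, and the first argument of the `nt!ExAcquireResource...Lite` frame in each `!thread` stack is the resource that thread is blocked on. The Python sketch below is an added example, not part of the original post; its function names are hypothetical and its input is the post's own debugger text with wrapped lines joined and unrelated frames trimmed.

```python
import re
# Debugger text copied from the post above (wrapped lines joined, frames trimmed).
LOCKS = """\
Resource @ 0x85a83138 Exclusively owned
Threads: 820a66c8-01<*> 8405f9f8-01 83d8bc80-01
Resource @ 0x85a85f10 Exclusively owned
Threads: 8405f9f8-01<*> 825656b0-01 82d12b28-01
"""
THREADS = """\
THREAD 820a66c8 Cid 0d88.0f74 Teb: 7ff7c000 Win32Thread: 00000000 WAIT:
baabada0 baf7c598 85a85f10 00000001 e85559cc nt!ExAcquireResourceExclusiveLite+0x8d
THREAD 8405f9f8 Cid 0d88.09d4 Teb: 7ff71000 Win32Thread: 00000000 WAIT:
ba7ec8d4 baf7b9a2 85a83138 00000001 e8916834 nt!ExAcquireResourceSharedLite+0xc6
"""

def parse_owners(text):
    """Map resource address -> exclusive owner thread (the entry marked <*>)."""
    owners, res = {}, None
    for line in text.splitlines():
        if m := re.match(r"Resource @ 0x([0-9a-f]{8})", line):
            res = m.group(1)
        elif res and (m := re.search(r"([0-9a-f]{8})-\d+<\*>", line)):
            owners[res] = m.group(1)
    return owners

def parse_waits(text):
    """Map thread -> resource it is blocked on (arg 1 of ExAcquireResource*Lite)."""
    waits, thread = {}, None
    frame = re.compile(
        r"^[0-9a-f]{8} [0-9a-f]{8} ([0-9a-f]{8}) .*nt!ExAcquireResource\w+Lite")
    for line in text.splitlines():
        if m := re.match(r"THREAD ([0-9a-f]{8})", line):
            thread = m.group(1)
        elif thread and (m := frame.match(line)):
            waits[thread] = m.group(1)
    return waits

def find_cycle(owners, waits):
    """Follow thread -> wanted resource -> its owner until a thread repeats."""
    for start in waits:
        path, t = [], start
        while t in waits and t not in path:
            path.append(t)
            t = owners.get(waits[t])  # None when the resource has no known owner
        if t == start:
            return path  # threads forming the deadlock cycle, in wait order
    return None

if __name__ == "__main__":
    print(find_cycle(parse_owners(LOCKS), parse_waits(THREADS)))
```
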
1. I think I always see this warning around about SYMEVENT
2. I am sorry I have no idea who uses SevQ
3. I am sure I too would like to learn who uses SevQ; bound to be useful
   information some time :-)

"Hrishikesh Vidwans" wrote in message news:xxxxx@ntfsd…