

kernel crash in |nfs41_downcall()|
Posted by Anonymous on Wed 24th Jul 2024 11:13
view followups (newest first): Code using |QueueUserAPC()| which triggers kernel crash in |nfs41_downcall()| by Anonymous

************* Preparing the environment for Debugger Extensions Gallery repositories **************
   ExtensionRepository : Implicit
   UseExperimentalFeatureForNugetShare : true
   AllowNugetExeUpdate : true
   NonInteractiveNuget : true
   AllowNugetMSCredentialProviderInstall : true
   AllowParallelInitializationOfLocalRepositories : true

   EnableRedirectToV8JsProvider : false

   -- Configuring repositories
      ----> Repository : LocalInstalled, Enabled: true
      ----> Repository : UserExtensions, Enabled: true

>>>>>>>>>>>>> Preparing the environment for Debugger Extensions Gallery repositories completed, duration 0.000 seconds

************* Waiting for Debugger Extensions Gallery to Initialize **************

>>>>>>>>>>>>> Waiting for Debugger Extensions Gallery to Initialize completed, duration 0.437 seconds
   ----> Repository : UserExtensions, Enabled: true, Packages count: 0
   ----> Repository : LocalInstalled, Enabled: true, Packages count: 41

Microsoft (R) Windows Debugger Version 10.0.27553.1004 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Kernel base = 0xfffff804`46a00000 PsLoadedModuleList = 0xfffff804`4762a820
Debug session time: Wed Jul 24 12:08:35.387 2024 (UTC + 2:00)
System Uptime: 0 days 0:04:20.113
Loading Kernel Symbols
...............................................................
...........Page 101a2c not present in the dump file. Type ".hh dbgerr004" for details
.....................................................
................................................................
......
Loading User Symbols
PEB is paged out (Peb.Ldr = 000000dc`9b394018).  Type ".hh dbgerr001" for details
Loading unloaded module list
......
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff804`46dfdde0 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:fffff886`52ec9d10=0000000000000139
4: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff88652eca030, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffff88652ec9f88, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

Unable to load image \SystemRoot\system32\DRIVERS\nfs41_driver.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 5061

    Key  : Analysis.Elapsed.mSec
    Value: 6187

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 2

    Key  : Analysis.IO.Write.Mb
    Value: 1

    Key  : Analysis.Init.CPU.mSec
    Value: 936

    Key  : Analysis.Init.Elapsed.mSec
    Value: 36047

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 92

    Key  : Bugcheck.Code.KiBugCheckData
    Value: 0x139

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0x139

    Key  : Bugcheck.Code.TargetModel
    Value: 0x139

    Key  : FailFast.Name
    Value: CORRUPT_LIST_ENTRY

    Key  : FailFast.Type
    Value: 3

    Key  : Failure.Bucket
    Value: 0x139_3_CORRUPT_LIST_ENTRY_nfs41_driver!nfs41_downcall

    Key  : Failure.Hash
    Value: {a27df1dd-f47c-8bad-92f0-22e713d43992}

    Key  : Hypervisor.Enlightenments.Value
    Value: 12576

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 3120

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 1

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 0

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 0

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 0

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 1

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 0

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 0

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 0

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 1

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 0

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 1

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 1

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 536632

    Key  : Hypervisor.Flags.ValueHex
    Value: 83038

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 1

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 0

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 0

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 0

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 0

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 0

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.Value
    Value: 0

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 0

    Key  : SecureKernel.HalpHvciEnabled
    Value: 0

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1


BUGCHECK_CODE:  139

BUGCHECK_P1: 3

BUGCHECK_P2: fffff88652eca030

BUGCHECK_P3: fffff88652ec9f88

BUGCHECK_P4: 0

FILE_IN_CAB:  MEMORY.DMP

TRAP_FRAME:  fffff88652eca030 -- (.trap 0xfffff88652eca030)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8044c016d38 rbx=0000000000000000 rcx=0000000000000003
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80446e2e2fb rsp=fffff88652eca1c0 rbp=fffff88652eca251
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=fffff780000003b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz ac pe nc
nt!KeWaitForSingleObject+0x1f6d2b:
fffff804`46e2e2fb cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  fffff88652ec9f88 -- (.exr 0xfffff88652ec9f88)
ExceptionAddress: fffff80446e2e2fb (nt!KeWaitForSingleObject+0x00000000001f6d2b)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  nfsd_debug.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - Das System hat in dieser Anwendung den Überlauf eines stapelbasierten Puffers ermittelt. Dieser Überlauf könnte einem bösartigen Benutzer ermöglichen, die Steuerung der Anwendung zu übernehmen.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  0000000000000003

EXCEPTION_STR:  0xc0000409

STACK_TEXT:
fffff886`52ec9d08 fffff804`46e125a9     : 00000000`00000139 00000000`00000003 fffff886`52eca030 fffff886`52ec9f88 : nt!KeBugCheckEx
fffff886`52ec9d10 fffff804`46e12b50     : 00000000`00000000 00000000`00000000 fffff886`52ec9f50 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff886`52ec9e50 fffff804`46e109f2     : ffff950f`53c20a20 ffff950f`53c20a20 ffff950f`594be8b8 fffff804`4c010a30 : nt!KiFastFailDispatch+0xd0
fffff886`52eca030 fffff804`46e2e2fb     : ffff950f`50e04380 fffff804`000001c0 fffff886`00000000 ffff950f`5812e010 : nt!KiRaiseSecurityCheckFailure+0x332
fffff886`52eca1c0 fffff804`46cf295a     : fffff804`4c016d30 00000000`00000022 fffff804`4c02c600 ffff950f`583c9a00 : nt!KeWaitForSingleObject+0x1f6d2b
fffff886`52eca2b0 fffff804`46c3c2c2     : 00000000`00000000 ffff950f`583c9a60 fffff804`4c016d18 fffff804`46c3ad40 : nt!ExpAcquireFastMutexContended+0x7a
fffff886`52eca2f0 fffff804`4c002839     : ffff950f`583c9a60 fffff886`00000001 ffff950f`00000000 fffff886`00000000 : nt!ExAcquireFastMutex+0x162
fffff886`52eca340 fffff804`4bffca9e     : ffff950f`53c20a20 00000000`0028201c fffff804`47725440 00000000`00000000 : nfs41_driver!nfs41_downcall+0x159 [C:\cygwin64\home\roland_mainz\work\msnfs41_uidmapping\ms-nfs41-client\sys\nfs41_driver.c @ 2070]
fffff886`52eca3b0 fffff804`4c02c976     : ffff950f`53c20a20 ffff950f`53b78060 00000000`00000002 ffff950f`53c20a20 : nfs41_driver!nfs41_DevFcbXXXControlFile+0x13e [C:\cygwin64\home\roland_mainz\work\msnfs41_uidmapping\ms-nfs41-client\sys\nfs41_driver.c @ 2566]
fffff886`52eca430 fffff804`4c02c698     : ffff950f`53c20a20 ffff950f`53c20a20 ffff950f`53b78000 ffff950f`53c20a20 : nfs41_driver!RxXXXControlFileCallthru+0x76 [base\fs\rdr2\rdbss\ntdevfcb.c @ 130]
fffff886`52eca460 fffff804`4c009542     : 00000000`00000000 ffff950f`583c9a60 ffff950f`53b78001 00000000`00000000 : nfs41_driver!RxCommonDevFCBIoCtl+0x58 [base\fs\rdr2\rdbss\ntdevfcb.c @ 491]
fffff886`52eca490 fffff804`4c02397d     : fffff804`4c016370 ffff950f`50e02100 ffff950f`59d01440 ffff950f`53b78060 : nfs41_driver!RxFsdCommonDispatch+0x442 [base\fs\rdr2\rdbss\ntfsd.c @ 848]
fffff886`52eca590 fffff804`4bffd8d7     : ffff950f`5806de40 00000000`00000002 fffff886`52eca630 00000000`0000000f : nfs41_driver!RxFsdDispatch+0xfd [base\fs\rdr2\rdbss\ntfsd.c @ 442]
fffff886`52eca5c0 fffff804`46c2d3f5     : ffff950f`53b78060 ffff950f`583c9a60 ffff950f`588e5730 fffff804`46c3cd1b : nfs41_driver!nfs41_FsdDispatch+0x67 [C:\cygwin64\home\roland_mainz\work\msnfs41_uidmapping\ms-nfs41-client\sys\nfs41_driver.c @ 7284]
fffff886`52eca600 fffff804`4b16f248     : fffff804`4b168000 00000000`00000000 ffff950f`53989b60 ffff950f`5a2eae68 : nt!IofCallDriver+0x55
fffff886`52eca640 fffff804`4b16ed99     : ffff828e`1d6e6b90 00000000`00000000 fffff804`4b168000 00000000`00000000 : mup!MupiCallUncProvider+0xb8
fffff886`52eca6b0 fffff804`4b16ecce     : ffff950f`583c9a60 ffff950f`5a2eae60 ffff950f`5ac2e500 00000000`00000000 : mup!MupStateMachine+0x59
fffff886`52eca6e0 fffff804`46c2d3f5     : ffff950f`5ac2e500 00000000`00000000 ffff950f`5806de40 00000000`00000001 : mup!MupFsdIrpPassThrough+0x17e
fffff886`52eca750 fffff804`444a4a76     : ffff950f`0028201c fffff886`52eca950 ffff950f`53b78060 fffff804`4701cdf1 : nt!IofCallDriver+0x55
fffff886`52eca790 fffff804`46c2d3f5     : 00000000`00000002 ffff950f`583c9c50 fffff886`20206f49 fffff886`52eca950 : FLTMGR!FltpDispatch+0xd6
fffff886`52eca7f0 fffff804`4701bddc     : 00000000`00000001 00000000`0028201c ffff950f`5ac2e500 ffff950f`577df080 : nt!IofCallDriver+0x55
fffff886`52eca830 fffff804`4701ba2a     : 00000000`0028201c fffff886`52ecab80 00000000`00000000 00000000`0028201c : nt!IopSynchronousServiceTail+0x34c
fffff886`52eca8d0 fffff804`4701ad06     : 00007ff7`4f06a8d0 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xd0a
fffff886`52ecaa20 fffff804`46e11d05     : 00000000`00000000 fffff804`46c3d22e ffff950f`5766e080 000000dc`9b394000 : nt!NtDeviceIoControlFile+0x56
fffff886`52ecaa90 00007fff`064cd644     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000dc`9cbfa358 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`064cd644


FAULTING_SOURCE_LINE:  C:\cygwin64\home\roland_mainz\work\msnfs41_uidmapping\ms-nfs41-client\sys\nfs41_driver.c

FAULTING_SOURCE_FILE:  C:\cygwin64\home\roland_mainz\work\msnfs41_uidmapping\ms-nfs41-client\sys\nfs41_driver.c

FAULTING_SOURCE_LINE_NUMBER:  2070

FAULTING_SOURCE_CODE:
  2066:         goto out_free;
  2067:     }
  2068:
  2069:     ExAcquireFastMutex(&cur->lock);
> 2070:     if (cur->state == NFS41_NOT_WAITING) {
  2071:         DbgP("[downcall] Nobody is waiting for this request!!!\n");
  2072:         switch(cur->opcode) {
  2073:         case NFS41_WRITE:
  2074:         case NFS41_READ:
  2075:             MmUnmapLockedPages(cur->buf, cur->u.ReadWrite.MdlAddress);


SYMBOL_NAME:  nfs41_driver!nfs41_downcall+159

MODULE_NAME: nfs41_driver

IMAGE_NAME:  nfs41_driver.sys

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  159

FAILURE_BUCKET_ID:  0x139_3_CORRUPT_LIST_ENTRY_nfs41_driver!nfs41_downcall

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {a27df1dd-f47c-8bad-92f0-22e713d43992}

Followup:     MachineOwner
---------
