#11
Code:
BugCheck A, {0, 2, 0, fffff80002ea6bd4}
Probably caused by : ntkrnlmp.exe ( nt!KiPageFault+260 )

This bugcheck indicates that a device driver has attempted to access an invalid memory address, or perform an instruction at an inappropriate IRQL level.

Code:
Usual causes: Kernel mode driver, System Service, BIOS, Windows, Virus scanner, Backup tool, compatibility
Code:
TRAP_FRAME: fffff880031c4130 -- (.trap 0xfffff880031c4130)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff880031c44f8 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002ea6bd4 rsp=fffff880031c42c0 rbp=0000000000000000
 r8=fffff880031c43c8  r9=fffff880031c43c0 r10=0000000000000002
r11=fffff80002ea5f70 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz ac pe cy
nt!IopCompleteRequest+0xc64:
fffff800`02ea6bd4 488b09 mov rcx,qword ptr [rcx] ds:00000000`00000000=????????????????

From the call stack, the thread was placed in a wait state, to allow the APC to be called, and allow a driver to complete its I/O request, which is why the IRQL level was pushed up to DISPATCH_LEVEL. The IRQL level was lowered, so when a driver wanted to page some data into memory, it was an illegal operation.

Code:
1: kd> k
Child-SP          RetAddr           Call Site
fffff880`031c3fe8 fffff800`02e911a9 nt!KeBugCheckEx
fffff880`031c3ff0 fffff800`02e8fe20 nt!KiBugCheckDispatch+0x69
fffff880`031c4130 fffff800`02ea6bd4 nt!KiPageFault+0x260 <-- Offending Instruction
fffff880`031c42c0 fffff800`02e84617 nt!IopCompleteRequest+0xc64
fffff880`031c4390 fffff800`02e8781d nt!KiDeliverApc+0x1c7
fffff880`031c4410 fffff800`02e9898f nt!KiCommitThreadWait+0x3dd
fffff880`031c44a0 fffff800`030ffd32 nt!KeWaitForSingleObject+0x19f
fffff880`031c4540 fffff800`0324efe4 nt!IopSynchronousCall+0x102
fffff880`031c45b0 fffff800`0327fd2f nt!IopQueryLegacyBusInformation+0x64
fffff880`031c4660 fffff800`032811b2 nt!PipCallDriverAddDevice+0x76f
fffff880`031c4810 fffff800`0328164c nt!PipProcessDevNodeTree+0x2b2
fffff880`031c4a80 fffff800`02f947f2 nt!PiProcessStartSystemDevices+0x7c
fffff880`031c4ad0 fffff800`02e9b251 nt!PnpDeviceActionWorker+0x302
fffff880`031c4b70 fffff800`0312fede nt!ExpWorkerThread+0x111
fffff880`031c4c00 fffff800`02e82906 nt!PspSystemThreadStartup+0x5a
fffff880`031c4c40 00000000`00000000 nt!KiStartSystemThread+0x16

Now, I noticed that the Flink and Blink addresses for the linked list were invalid; therefore I went and checked the instruction, and it said that there was some pool corruption.

Code:
1: kd> !irql
Debugger saved IRQL for processor 0x1 -- 2 (DISPATCH_LEVEL)

Code:
LOCK_ADDRESS: fffff80003095b80 -- (!locks fffff80003095b80)
Resource @ nt!PiEngineLock (0xfffff80003095b80) Available
WARNING: SystemResourcesList->Flink chain invalid. Resource may be corrupted, or already deleted.
WARNING: SystemResourcesList->Blink chain invalid. Resource may be corrupted, or already deleted.
1 total locks

Sorry for the really long post, but I think we may be dealing with some kind of driver issue here. I would keep Driver Verifier running; some people even recommend 36 hours.

Code:
1: kd> !poolval fffff80002ea6000
Pool page fffff80002ea6000 region is Nonpaged pool
Validating Pool headers for pool page: fffff80002ea6000
Pool page [ fffff80002ea6000 ] is __inVALID.
Analyzing linked list...
[ fffff80002ea6000 ]: invalid previous size [ 0x41 ] should be [ 0x0 ]
[ fffff80002ea6000 --> fffff80002ea6030 (size = 0x30 bytes)]: Corrupt region
Scanning for single bit errors...
None found
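
An added example, not part of the original post: a Python cross-check that decodes the four bug check 0xA parameters quoted above and confirms they agree with the trap frame and the faulting instruction. The function names are hypothetical; the three input strings are copied from the debugger output in the post.

```python
import re

# Inputs copied from the debugger output quoted in the post.
BUGCHECK = "BugCheck A, {0, 2, 0, fffff80002ea6bd4}"
TRAP = ("rcx=0000000000000000 rdx=0000000000000000 "
        "rip=fffff80002ea6bd4 rsp=fffff880031c42c0")
DISASM = "fffff800`02ea6bd4 488b09 mov rcx,qword ptr [rcx]"
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}


def decode_bugcheck_a(line):
    """Decode the parameters of bug check 0xA (IRQL_NOT_LESS_OR_EQUAL)."""
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", line)
    if not m or int(m.group(1), 16) != 0xA:
        raise ValueError("not a bug check 0xA line")
    args = [int(a.strip(), 16) for a in m.group(2).split(",")]
    if len(args) != 4:
        raise ValueError("expected four parameters")
    addr, irql, access, ip = args
    # Parameter 3: bit 0 set = write, bit 3 set = execute, otherwise read.
    op = "execute" if access & 8 else ("write" if access & 1 else "read")
    return {"referenced_address": addr,
            "irql": IRQL_NAMES.get(irql, hex(irql)),
            "operation": op,
            "instruction": ip}


def trap_registers(text):
    """Parse name=value pairs from a .trap register dump into integers."""
    pairs = re.findall(r"\b(r[a-z0-9]+)=([0-9a-f]{16})\b", text)
    return {name: int(value, 16) for name, value in pairs}


def cross_check(bugcheck_line, trap_text, disasm_line):
    """Compare the bugcheck parameters with the trap frame and instruction."""
    d = decode_bugcheck_a(bugcheck_line)
    regs = trap_registers(trap_text)
    base = re.search(r"\[(r[a-z0-9]+)\]", disasm_line)  # memory operand base
    flags = {
        # Parameter 4 should be the rip saved in the trap frame.
        "rip_matches": regs.get("rip") == d["instruction"],
        # The base register of the operand should hold parameter 1.
        "operand_matches": bool(base) and
                           regs.get(base.group(1)) == d["referenced_address"],
    }
    return d, flags


if __name__ == "__main__":
    print(cross_check(BUGCHECK, TRAP, DISASM))
```
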