
BSOD win10 2004/10.0.19041.1 #27

Open
VMHolePuncher opened this issue Jul 20, 2023 · 4 comments
Labels
bug Something isn't working

Comments


VMHolePuncher commented Jul 20, 2023

I get this BSOD after about a minute of running the hv + um example.

fffff803`7cbf70d0 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:fffffe0c`ca527550=000000000000000a
7: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000ccddcced, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8037ca8bdb6, address which referenced memory

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2311

    Key  : Analysis.Elapsed.mSec
    Value: 2358

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 374

    Key  : Analysis.Init.Elapsed.mSec
    Value: 4467

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 97

    Key  : Bugcheck.Code.KiBugCheckData
    Value: 0xa

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0xa

    Key  : Failure.Bucket
    Value: AV_nt!RtlRbRemoveNode

    Key  : Failure.Hash
    Value: {9b43c07a-2da2-b63c-46ab-1c788c8a28c1}

    Key  : Hypervisor.Enlightenments.Value
    Value: 0

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 0

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 0

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 0

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 1

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 0

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 0

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 0

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 0

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 1

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 0

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 0

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 0

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 0

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 16908288

    Key  : Hypervisor.Flags.ValueHex
    Value: 1020000

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 0

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 0

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 0

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 0

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 0

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 0

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.Value
    Value: 0

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 0

    Key  : SecureKernel.HalpHvciEnabled
    Value: 0

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1


BUGCHECK_CODE:  a

BUGCHECK_P1: ccddcced

BUGCHECK_P2: 2

BUGCHECK_P3: 1

BUGCHECK_P4: fffff8037ca8bdb6

FILE_IN_CAB:  MEMORY.DMP

WRITE_ADDRESS:  00000000ccddcced 

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  System

TRAP_FRAME:  fffffe0cca527690 -- (.trap 0xfffffe0cca527690)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=ffffce09d6601980 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8037ca8bdb6 rsp=fffffe0cca527828 rbp=ffffce09d6600040
 r8=00000000ccddccdd  r9=00000000ccddccdd r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
nt!RtlRbRemoveNode+0xa46:
fffff803`7ca8bdb6 4d897110        mov     qword ptr [r9+10h],r14 ds:00000000`ccddcced=????????????????
Resetting default scope

STACK_TEXT:  
fffffe0c`ca527548 fffff803`7cc09069     : 00000000`0000000a 00000000`ccddcced 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffffe0c`ca527550 fffff803`7cc05369     : 00000000`00000000 fffffe0c`ca527781 ffffffff`ffffffe5 00000000`00004000 : nt!KiBugCheckDispatch+0x69
fffffe0c`ca527690 fffff803`7ca8bdb6     : 00000000`0000004b ffffce09`d6601980 fffff803`7ca5a1b9 ffffce09`d6600040 : nt!KiPageFault+0x469
fffffe0c`ca527828 fffff803`7ca5a1b9     : ffffce09`d6600040 ffffce09`b9800100 ffffce09`b9800100 00000000`00000000 : nt!RtlRbRemoveNode+0xa46
fffffe0c`ca527840 fffff803`7ca59dff     : ffffce09`d6600ca0 ffffce09`d6600ca0 9401df92`00000000 00000000`0000001b : nt!RtlpHpSegFreeRangeRemove+0x19
fffffe0c`ca527870 fffff803`7ca5986b     : ffffffff`ffffffff 00000000`00000067 ffffffff`ffffffff ffffce09`d6600ca0 : nt!RtlpHpSegPageRangeCoalesce+0x1df
fffffe0c`ca5278f0 fffff803`7ca896e2     : ffffce09`b9800000 ffffce09`b9800100 ffffce09`d6600000 a2e64ead`a2e64ead : nt!RtlpHpSegPageRangeShrink+0xeb
fffffe0c`ca527960 fffff803`7d1b1149     : fffff803`00000000 00000000`00000000 00000000`00000000 01000000`00100000 : nt!ExFreeHeapPool+0x6b2
fffffe0c`ca527a40 fffff803`7cab85f5     : ffffce09`d0743080 fffff803`7cae5450 ffffce09`b9c9ac40 ffffce09`00000000 : nt!ExFreePool+0x9
fffffe0c`ca527a70 fffff803`7cb55935     : ffffce09`d0743080 00000000`00000080 ffffce09`b9ca00c0 000fa4ef`bd9bbfff : nt!ExpWorkerThread+0x105
fffffe0c`ca527b10 fffff803`7cbfe728     : ffff9401`df7a1180 ffffce09`d0743080 fffff803`7cb558e0 00000000`00000000 : nt!PspSystemThreadStartup+0x55
fffffe0c`ca527b60 00000000`00000000     : fffffe0c`ca528000 fffffe0c`ca521000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28


SYMBOL_NAME:  nt!RtlRbRemoveNode+a46

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  a46

FAILURE_BUCKET_ID:  AV_nt!RtlRbRemoveNode

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {9b43c07a-2da2-b63c-46ab-1c788c8a28c1}

Followup:     MachineOwner
---------
@jonomango
Owner

Hi, can you check to see if you get a BSOD with the latest commit? 86ca9f5

jonomango added the bug label Jul 20, 2023
@VMHolePuncher
Author

I am getting this with the newest commit:

fffff803`4fdf70d0 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffffc080`aec56480=0000000000000139
12: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 000000000000001d, An RTL_BALANCED_NODE RBTree entry has been corrupted.
Arg2: ffffc080aec567a0, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffffc080aec566f8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2218

    Key  : Analysis.Elapsed.mSec
    Value: 2258

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 358

    Key  : Analysis.Init.Elapsed.mSec
    Value: 1925

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 97

    Key  : Bugcheck.Code.KiBugCheckData
    Value: 0x139

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0x139

    Key  : FailFast.Name
    Value: INVALID_BALANCED_TREE

    Key  : FailFast.Type
    Value: 29

    Key  : Failure.Bucket
    Value: 0x139_1d_INVALID_BALANCED_TREE_nt!KiFastFailDispatch

    Key  : Failure.Hash
    Value: {67ec97ad-ad0b-071e-ab87-6dc661e22d1b}

    Key  : Hypervisor.Enlightenments.Value
    Value: 0

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 0

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 0

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 0

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 1

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 0

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 0

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 0

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 0

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 1

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 0

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 0

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 0

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 0

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 16908288

    Key  : Hypervisor.Flags.ValueHex
    Value: 1020000

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 0

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 0

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 0

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 0

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 0

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 0

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.Value
    Value: 0

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 0

    Key  : SecureKernel.HalpHvciEnabled
    Value: 0

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1


BUGCHECK_CODE:  139

BUGCHECK_P1: 1d

BUGCHECK_P2: ffffc080aec567a0

BUGCHECK_P3: ffffc080aec566f8

BUGCHECK_P4: 0

FILE_IN_CAB:  MEMORY.DMP

TRAP_FRAME:  ffffc080aec567a0 -- (.trap 0xffffc080aec567a0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=000000000000001d
rdx=ffff9e82d8701b80 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8034fe3d7df rsp=ffffc080aec56938 rbp=ffff9e82d8700040
 r8=0000000000000000  r9=ffff9e82d8701b88 r10=0000000000000000
r11=ffff9e82d8700040 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe cy
nt!RtlRbRemoveNode+0x1b246f:
fffff803`4fe3d7df cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffc080aec566f8 -- (.exr 0xffffc080aec566f8)
ExceptionAddress: fffff8034fe3d7df (nt!RtlRbRemoveNode+0x00000000001b246f)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 000000000000001d
Subcode: 0x1d FAST_FAIL_INVALID_BALANCED_TREE 

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  System

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  000000000000001d

EXCEPTION_STR:  0xc0000409

STACK_TEXT:  
ffffc080`aec56478 fffff803`4fe09069     : 00000000`00000139 00000000`0000001d ffffc080`aec567a0 ffffc080`aec566f8 : nt!KeBugCheckEx
ffffc080`aec56480 fffff803`4fe09490     : ffffc080`aec56490 fffff803`55225692 00000000`00000000 00000000`00001000 : nt!KiBugCheckDispatch+0x69
ffffc080`aec565c0 fffff803`4fe07823     : ffff9e82`e1bf7bd0 ffff9e82`e30ec0a0 ffff9e82`ed764ab0 ffff8387`00000005 : nt!KiFastFailDispatch+0xd0
ffffc080`aec567a0 fffff803`4fe3d7df     : ffff9e82`d8800100 ffffffff`ffffffff fffff803`4fc57007 00000000`00000001 : nt!KiRaiseSecurityCheckFailure+0x323
ffffc080`aec56938 fffff803`4fc57007     : 00000000`00000001 00000000`67000000 ffff9e82`f5a00040 00000000`00000067 : nt!RtlRbRemoveNode+0x1b246f
ffffc080`aec56950 fffff803`4fc56dba     : 00000000`00000000 00000000`00000000 00000000`00000000 ffff9e82`00000000 : nt!RtlpHpSegPageRangeAllocate+0x107
ffffc080`aec569f0 fffff803`4fc8d0a6     : 00000000`00067000 00000000`00067000 00000000`00000000 ffff9e82`e30ec0a0 : nt!RtlpHpSegAlloc+0x5a
ffffc080`aec56a50 fffff803`503b11c4     : 00000000`00000d07 70100080`04002001 ffff9e82`6a536c46 ffffc080`aec56c00 : nt!ExAllocateHeapPool+0x8f6
ffffc080`aec56b90 ffff9e82`f5b824d1     : 00000000`00000000 ffffc080`aec56ce0 00000000`00000001 ffff9e82`00000000 : nt!ExAllocatePoolWithTag+0x64
ffffc080`aec56be0 00000000`00000000     : ffffc080`aec56ce0 00000000`00000001 ffff9e82`00000000 00000000`00000000 : 0xffff9e82`f5b824d1


SYMBOL_NAME:  nt!KiFastFailDispatch+d0

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  d0

FAILURE_BUCKET_ID:  0x139_1d_INVALID_BALANCED_TREE_nt!KiFastFailDispatch

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {67ec97ad-ad0b-071e-ab87-6dc661e22d1b}

Followup:     MachineOwner
---------
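A triage helper for the two `!analyze -v` dumps posted above, added here as an example (it is not code from the issue or from the hv project). It parses the bugcheck fields and, for the 0xa crash, recomputes the referenced address from the trap frame (`r9 + 10h`) and compares it with Arg1, which confirms the base pointer in the pool RB-tree node itself was bad; for the 0x139 fast-fail there is no memory operand and the check is skipped. The inline sample is trimmed from the first dump above.

```python
import re

# Excerpt of the first !analyze -v dump quoted in the issue above, trimmed
# to the lines the triage needs; the second dump can be fed in the same way.
DUMP = """\
BUGCHECK_CODE:  a
BUGCHECK_P1: ccddcced
BUGCHECK_P2: 2
BUGCHECK_P3: 1
BUGCHECK_P4: fffff8037ca8bdb6
TRAP_FRAME:  fffffe0cca527690 -- (.trap 0xfffffe0cca527690)
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
 r8=00000000ccddccdd  r9=00000000ccddccdd r10=0000000000000000
r14=0000000000000000 r15=0000000000000000
nt!RtlRbRemoveNode+0xa46:
fffff803`7ca8bdb6 4d897110        mov     qword ptr [r9+10h],r14 ds:00000000`ccddcced=????????????????
FAILURE_BUCKET_ID:  AV_nt!RtlRbRemoveNode
"""

# Bugcheck codes seen in this issue, named as WinDbg prints them.
BUGCHECK_NAMES = {0xa: "IRQL_NOT_LESS_OR_EQUAL", 0x139: "KERNEL_SECURITY_CHECK_FAILURE"}

def parse_analyze(text):
    """Extract bugcheck code/params, failure bucket, trap-frame registers and
    the faulting instruction's memory operand from !analyze -v output."""
    def field(name):
        m = re.search(rf"^{name}:\s+(\S+)", text, re.M)
        return m.group(1) if m else None
    info = {"code": int(field("BUGCHECK_CODE"), 16),
            "params": [int(field(f"BUGCHECK_P{i}"), 16) for i in range(1, 5)],
            "bucket": field("FAILURE_BUCKET_ID")}
    info["name"] = BUGCHECK_NAMES.get(info["code"], "UNKNOWN")
    # Registers and the disassembled instruction only appear after TRAP_FRAME.
    tf = text[text.find("TRAP_FRAME:"):] if "TRAP_FRAME:" in text else ""
    info["regs"] = {r: int(v, 16) for r, v in re.findall(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})", tf)}
    m = re.search(r"\[(r[a-z0-9]{1,2})(?:\+([0-9a-f]+)h?)?\]", tf)
    info["operand"] = (m.group(1), int(m.group(2) or "0", 16)) if m else None
    return info

def fault_address_matches(info):
    """For bugcheck 0xa, recompute base register + displacement from the trap
    frame and compare with Arg1. A match means the pointer loaded from the pool
    RB-tree node (r9 = 0xccddccdd here) was already corrupt when the free ran."""
    if info["code"] != 0xa or not info["operand"] or info["operand"][0] not in info["regs"]:
        return None  # fast-fail dumps such as the 0x139 one have no memory operand
    reg, disp = info["operand"]
    return (info["regs"][reg] + disp) & 0xFFFFFFFFFFFFFFFF == info["params"][0]
```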

@jonomango
Owner

I am honestly not sure what the cause of this issue could be. Try replacing um/main.cpp with only the following:

#include <cstdio>
// plus the hv user-mode header that declares hv::is_hv_running()

int main() {
  // Only probe whether the hypervisor is up; nothing else from the um example runs.
  if (!hv::is_hv_running()) {
    printf("HV not running.\n");
    return 0;
  }
  return 0;
}

@VMHolePuncher
Author

I'm not getting the BSOD with just that code.
