BSOD on windows server 2012?

U

ultral2013-03-05 14:31:37

System administration

ultral, 2013-03-05 14:31:37

Hello
In production, there is a dell poweredge r720xd server with windows server 2012 datacenter edition, it crashed after I sent the virtual machine to reboot.
Interesting from the minidump:
Specifications kd>! analyze -v
********************************************** ********************************
* *
* Bugcheck Analysis *
* *
********** ******************************************************* *******************
DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 000000000000f6c8, memory referenced
Arg2: 00000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8016a28be15, address which referenced memory
Debugging Details:
— *** .sys
*** ERROR: Module load completed but symbols could not be loaded for Vid.sys
BUGCHECK_STR: 0xC5_2
CURRENT_IRQL: 2
FAULTING_IP:
nt!ExDeferredFreePool+1b5
fffff801`6a28be15 49394208 cmp qword ptr [r10+8],rax
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT_SERVER
PROCESS_NAME: vmwp.exe
TRAP_FRAME: fffff8800e6a9fb0 - (.trap 0xfffff8800e6a9fb0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax = fffffa80629cc6d0 rbx = 0000000000000000 rcx = fffffa80629cc6c0
rdx = fffffa80626d3d60 rsi = 0000000000000000 rdi = 0000000000000000
rip = fffff8016a28be15 rsp = fffff8800e6aa140 rbp = fffff8800e6aa1b8
r8 = fffffa80629cc6e0 r9 = 0000000000000000 r10 = 000000000000f6c0
r11 = 0000000000000001 r12 = 0000000000000000 r13 = 0000000000000000
r14 = 0000000000000000 r15 = 0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!ExDeferredFreePool+0x1b5:
fffff801`6a28be15 49394208 cmp qword ptr [r10+8],rax ds:00000000`0000f6c8=????????????????
A scope default
resetting LAST_CONTROL_TRANSFER: from fffff8016a096369 to fffff8016a097040
STACK_TEXT:
fffff880`0e6a9e68 fffff801`6a096369: 00000000`0000000a 00000000`0000f6c8 00000000`00000002 00000000`00000000: nt KeBugCheckEx!
Fffff880`0e6a9e70 fffff801`6a094be0: 00000000`00000000 00000000`00000000 00000000`00000000 fffff880`0e6a9fb0: nt KiBugCheckDispatch + 0x69!
fffff880`0e6a9fb0 fffff801`6a28be15: 00000000`0001453e 00000000`00000000 00000000`00014600 fffffa80`60c47c78: nt KiPageFault + 0x260!
fffff880`0e6aa140 fffff801`6a28ab48: fffff880`00000000 fffffa80`680cbac0 fffffa80`636db870 fffff880`00800008: nt!ExDeferredFreePool+0x1b5
fffff801`6a0dcc71 fffff880`0e6aa1d0: fffffa80`680cbad0 0000001d`f5615fff fffffa80`dee2d980 fffffa80`76706d4d: nt ExFreePoolWithTag + 0xb39!
fffff880`0e6aa2b0 fffff801`6a483c5b: 00000000`00000000 fffff700`0003b000 0000001d`f5610000 00000000`00000001: nt MiFreePhysicalView + 0x51!
fffff801`6a0dcac0 fffff880`0e6aa2e0: fffffa80`dee2d980 fffffa80`7151fb00 fffffa80`680969b0 fffffa80`dee2d980: nt MiRemoveVadCharges + 0x12b!
fffff880`0e6aa320 fffff801`6a0fbe54: fffffa80`680969b0 fffffa80`69592d10 fffffa80`6db99320 00000000`00000000: nt MiFinishVadDeletion + 0x1d0!
fffff880`0e6aa390 fffff801`6a1492da: fffffa80`680969b0 00000000`00000000 fffffa80`6a55cd70 0000001d`f5610000: nt!MiUnmapVad+0xf4
fffff880`0501637f fffff880`0e6aa3f0: 00000000`00000000 00000000`00000000 0000001d`f480f270 fffffa80`70875d80: nt MiUnmapLockedPagesInUserSpace + 0xFA!
fffff880`0e6aa420 00000000`00000000: 00000000`00000000 0000001d`f480f270 fffffa80`70875d80 fffff880`0e6aa600: Vid + 0x1637f
STACK_COMMAND: kb
FOLLOWUP_IP:
nt ExDeferredFreePool 1b5 +!
fffff801`6a28be15 49394208 cmp qword ptr [r10 + 8], rax
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt ExDeferredFreePool 1b5 +!
FOLLOWUP_NAME: Pool_corruption
IMAGE_NAME: Pool_Corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MODULE_NAME: Pool_Corruption
BUCKET_ID_FUNC_OFFSET: 1b5
FAILURE_BUCKET_ID: 0xC5_2_nt !ExDeferredFreePool
BUCKET_ID: 0xC5_2_nt!ExDeferredFreePool
Followup: Pool_corruption Any
idea where to dig?

Reply

Answer the question

In order to leave comments, you need to log in

4 answer(s)

P

prabhu, 2013-03-05
@prabhu

dig in the direction of memory or an array, we are waiting for the results.

R

rinx, 2013-03-05
@rinx

Raise a case in support of DELL. Their server support is very OK - they will ask you to collect everything you need and help.
There was a positive experience (though not with Windows Server 2012, but still).

M

Michael., 2013-03-05
@kulinich

Most likely I will write a banal thing, but still:
If this is not an error in the vid.sys driver (reference to relocatable memory at the DISPATCH_LEVEL level), then, as an option, the RAM should be checked.

A

amirul, 2013-03-07
@amirul

Pool corruption - can be anyone (including iron). Someone messed up (actually overwrote) the memory manager's service structures, and the bugcheck happened only after the memory manager tried to use these structures (in this case, ExDeferredFreePool).
Drive memtest to calm your conscience.
Next verifier.exe
Create standard settings -> Select drivers from the list (select all non-Microsoft drivers)
Reboot and wait. Special pool in the vast majority of cases catches those who like to write to addresses that do not belong to them right at the time of writing (and in this case the culprit will be right on the stack).