Bug 1419785 - [virtio-win][whql][balloon] Guest WIN8-32 encountered BSOD in job "DF - PNP Stop (Rebalance) Device Test (Certification)"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: virtio-win
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Ladi Prosek
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-02-07 03:31 UTC by xiagao
Modified: 2017-08-01 12:55 UTC

Fixed In Version: 133
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 12:55:38 UTC
Target Upstream Version:


Attachments
screenshot of guest bsod (22.10 KB, image/png), 2017-02-07 03:31 UTC, xiagao
screenshot of guest bsod with 132-BLN driver (22.06 KB, image/png), 2017-02-14 02:52 UTC, xiagao


Links
Red Hat Product Errata RHBA-2017:2341 (priority normal, status SHIPPED_LIVE): virtio-win bug fix and enhancement update, last updated 2017-08-01 16:52:38 UTC

Description xiagao 2017-02-07 03:31:29 UTC
Created attachment 1248261 [details]
screenshot of guest bsod

Description of problem:
While running the job "DF - PNP Stop (Rebalance) Device Test (Certification)", the WIN8-32 guest encountered a BSOD.

Version-Release number of selected component (if applicable):
kernel-3.10.0-556.el7.x86_64
qemu-kvm-rhev-2.8.0-3.el7.x86_64
seabios-1.10.1-2.el7.x86_64
virtio-win-prewhql-131


How reproducible:
1/5

Steps to Reproduce:
1. Boot the win8-32 guest:
/usr/libexec/qemu-kvm -name 131BLNWIN832TOY -enable-kvm -m 3G -smp 4 -uuid e580e1ba-f23d-43f8-9c0e-f0665ec35ee7 -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/tmp/131BLNWIN832TOY,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime,driftfix=slew -boot order=cd,menu=on -device piix3-usb-uhci,id=usb -drive file=131BLNWIN832TOY,if=none,id=drive-ide0-0-0,format=raw,serial=mike_cao,cache=none -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -drive file=en_windows_8_enterprise_x86_dvd_917587.iso,if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -drive file=131BLNWIN832TOY.vfd,if=floppy,id=drive-fdc0-0-0,format=raw,cache=none -netdev tap,script=/etc/qemu-ifup,downscript=no,id=hostnet0 -device e1000,netdev=hostnet0,id=net0,mac=00:52:03:68:8f:42 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=isa_serial0 -device usb-tablet,id=input0 -vnc 0.0.0.0:1 -vga std -M pc -device virtio-balloon-pci,id=balloon0,bus=pci.0
2. Run the job
3. Check the guest status

Actual results:
BSOD

Expected results:
PASS

Additional info:
screenshot of guest bsod (attachment)

Comment 2 xiagao 2017-02-07 03:34:36 UTC
The memory dump file debug info is as follows:

BugCheck D1, {8, 2, 0, 97fda7c7}

*** ERROR: Module load completed but symbols could not be loaded for balloon.sys
*** ERROR: Module load completed but symbols could not be loaded for MSDMFilt.sys
Probably caused by : balloon.sys ( balloon+27c7 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000008, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 97fda7c7, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS:  00000008 

CURRENT_IRQL:  2

FAULTING_IP: 
balloon+27c7
97fda7c7 8b4e08          mov     ecx,dword ptr [esi+8]

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  System

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre

TRAP_FRAME:  877b09a0 -- (.trap 0xffffffff877b09a0)
ErrCode = 00000000
eax=00000000 ebx=00000001 ecx=9e84afd0 edx=00000000 esi=00000000 edi=877b0a54
eip=97fda7c7 esp=877b0a14 ebp=877b0a20 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
balloon+0x27c7:
97fda7c7 8b4e08          mov     ecx,dword ptr [esi+8] ds:0023:00000008=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 815da840 to 81563ccc

STACK_TEXT:  
877b0980 815da840 0000000a 00000008 00000002 nt!KiBugCheck2
877b0980 97fda7c7 0000000a 00000008 00000002 nt!KiTrap0E+0x2c8
WARNING: Stack unwind information not available. Following frames may be wrong.
877b0a20 97fd967b 00000000 877b0a54 00000001 balloon+0x27c7
877b0a68 97fe085e 6c78f320 877b0a9c 82e4d075 balloon+0x167b
877b0a74 82e4d075 5fe65060 9fb86f98 a0bfeee8 balloon+0x885e
877b0a9c 82e4ce8d 9f040e90 93870d9c 9f040e90 Wdf01000!FxPkgGeneral::OnClose+0xc8
877b0abc 82e45bc2 9f040e90 98021c38 9f040e90 Wdf01000!FxPkgGeneral::Dispatch+0xc0
877b0ae4 82e45a33 98021c38 9f040e90 98021c38 Wdf01000!FxDevice::Dispatch+0x155
877b0b00 818fef4b 98021c38 9f040e90 9f040e90 Wdf01000!FxDevice::DispatchWithLock+0x77
877b0b20 814a4a9f 81916565 9f040f88 9f040fac nt!IovCallDriver+0x2e3
877b0b34 81916565 877b0b5c 8191665c 98021c38 nt!IofCallDriver+0x62
877b0b3c 8191665c 98021c38 9f040e90 8b418b28 nt!ViFilterIoCallDriver+0x10
877b0b5c 818fef4b 8b418be0 9f040e90 8b477888 nt!ViFilterDispatchGeneric+0x5e
877b0b7c 814a4a9f 97fe6353 9f040fac 9f040fd0 nt!IovCallDriver+0x2e3
877b0b90 97fe6353 9f040e90 8b4777d0 00000000 nt!IofCallDriver+0x62
877b0ba8 97fe5074 8b4777d0 9f040e90 8b4777d0 MSDMFilt+0x2353
877b0bc8 818fef4b 8b4777d0 9f040e90 9f040e90 MSDMFilt+0x1074
877b0be8 814a4a9f 81916565 9f040fd0 9f040ff4 nt!IovCallDriver+0x2e3
877b0bfc 81916565 877b0c24 8191665c 8b4777d0 nt!IofCallDriver+0x62
877b0c04 8191665c 8b4777d0 9f040e90 8b4e63e8 nt!ViFilterIoCallDriver+0x10
877b0c24 818fef4b 8b4e64a0 9f040e90 9f040e90 nt!ViFilterDispatchGeneric+0x5e
877b0c44 814a4a9f 816aedd3 00000000 980592e0 nt!IovCallDriver+0x2e3
877b0c58 816aedd3 84d57f18 980592c8 98059200 nt!IofCallDriver+0x62
877b0c94 816aea2d 980592e0 00000000 980592e0 nt!IopDeleteFile+0xef
877b0cac 814a08f6 00000000 97fe7502 a01d6ff0 nt!ObpRemoveObjectRoutine+0x43
877b0cc0 814a0882 980592e0 97fe7515 8b4e63e8 nt!ObfDereferenceObjectWithTag+0x5c
877b0cc8 97fe7515 8b4e63e8 00000000 877b0d1c nt!ObfDereferenceObject+0xd
877b0cd8 814ed737 8b4e63e8 a01d6ff0 816434b8 MSDMFilt+0x3515
877b0d1c 814ed854 9fb2cfd0 84d99040 00000000 nt!IopProcessWorkItem+0xa1
877b0d74 81530415 00010000 0f171e05 00000000 nt!ExpWorkerThread+0x111
877b0db0 815dc039 814ed747 00010000 00000000 nt!PspSystemThreadStartup+0x4a
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19


STACK_COMMAND:  kb

FOLLOWUP_IP: 
balloon+27c7
97fda7c7 8b4e08          mov     ecx,dword ptr [esi+8]

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  balloon+27c7

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: balloon

IMAGE_NAME:  balloon.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  588eb709

FAILURE_BUCKET_ID:  AV_VRF_balloon+27c7

BUCKET_ID:  AV_VRF_balloon+27c7

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_vrf_balloon+27c7

FAILURE_ID_HASH:  {8cc1e982-5013-bbe1-cf12-284f258a9d62}

Followup: MachineOwner
---------

Comment 4 Vadim Rozenfeld 2017-02-13 09:52:41 UTC
please try build 132
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=537914

Comment 5 xiagao 2017-02-14 02:51:03 UTC
Still hit BSOD with build 132.

2/5 failed.

The memory dump file debug info is as follows:

BugCheck D1, {8bc9f85e, 2, 8, 8bc9f85e}

*** ERROR: Module load completed but symbols could not be loaded for balloon.sys
*** ERROR: Module load completed but symbols could not be loaded for MSDMFilt.sys
Probably caused by : balloon.sys ( balloon+885e )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 8bc9f85e, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 8bc9f85e, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS:  8bc9f85e 

CURRENT_IRQL:  2

FAULTING_IP: 
balloon+885e
8bc9f85e 56              push    esi

IP_IN_PAGED_CODE: 
balloon+885e
8bc9f85e 56              push    esi

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  System

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre

TRAP_FRAME:  873ac9f8 -- (.trap 0xffffffff873ac9f8)
ErrCode = 00000010
eax=00000005 ebx=659fd060 ecx=fec65770 edx=00000007 esi=75019320 edi=8afe6e58
eip=8bc9f85e esp=873aca6c ebp=873aca74 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
balloon+0x885e:
8bc9f85e 56              push    esi
Resetting default scope

LAST_CONTROL_TRANSFER:  from 80f71840 to 80efaccc

FAILED_INSTRUCTION_ADDRESS: 
balloon+885e
8bc9f85e 56              push    esi

STACK_TEXT:  
873ac9d8 80f71840 0000000a 8bc9f85e 00000002 nt!KiBugCheck2
873ac9d8 8bc9f85e 0000000a 8bc9f85e 00000002 nt!KiTrap0E+0x2c8
WARNING: Stack unwind information not available. Following frames may be wrong.
873aca74 85477075 659fd060 89178f98 8ae8cee8 balloon+0x885e
873aca9c 85476e8d a0306e90 8afe6d9c a0306e90 Wdf01000!FxPkgGeneral::OnClose+0xc8
873acabc 8546fbc2 a0306e90 87924ee8 a0306e90 Wdf01000!FxPkgGeneral::Dispatch+0xc0
873acae4 8546fa33 87924ee8 a0306e90 87924ee8 Wdf01000!FxDevice::Dispatch+0x155
873acb00 81295f4b 87924ee8 a0306e90 a0306e90 Wdf01000!FxDevice::DispatchWithLock+0x77
873acb20 80e3ba9f 812ad565 a0306f88 a0306fac nt!IovCallDriver+0x2e3
873acb34 812ad565 873acb5c 812ad65c 87924ee8 nt!IofCallDriver+0x62
873acb3c 812ad65c 87924ee8 a0306e90 8793ac50 nt!ViFilterIoCallDriver+0x10
873acb5c 81295f4b 8793ad08 a0306e90 879370d8 nt!ViFilterDispatchGeneric+0x5e
873acb7c 80e3ba9f 8bca5353 a0306fac a0306fd0 nt!IovCallDriver+0x2e3
873acb90 8bca5353 a0306e90 87937020 00000000 nt!IofCallDriver+0x62
873acba8 8bca4074 87937020 a0306e90 87937020 MSDMFilt+0x2353
873acbc8 81295f4b 87937020 a0306e90 a0306e90 MSDMFilt+0x1074
873acbe8 80e3ba9f 812ad565 a0306fd0 a0306ff4 nt!IovCallDriver+0x2e3
873acbfc 812ad565 873acc24 812ad65c 87937020 nt!IofCallDriver+0x62
873acc04 812ad65c 87937020 a0306e90 879372a0 nt!ViFilterIoCallDriver+0x10
873acc24 81295f4b 87937358 a0306e90 a0306e90 nt!ViFilterDispatchGeneric+0x5e
873acc44 80e3ba9f 81045dd3 00000000 8999fc58 nt!IovCallDriver+0x2e3
873acc58 81045dd3 84757f18 8999fc40 8999fc00 nt!IofCallDriver+0x62
873acc8c 80e85116 873accac 81045a2d 8999fc58 nt!IopDeleteFile+0xef
873acd08 80e847f9 80fda4b8 4c3016e5 00000000 nt!KeRemoveQueueEx+0x28b
873acd74 80ec7415 00010000 4c3017a1 00000000 nt!ExpWorkerThread+0xb6
873acdb0 80f73039 80e84747 00010000 00000000 nt!PspSystemThreadStartup+0x4a
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19


STACK_COMMAND:  kb

FOLLOWUP_IP: 
balloon+885e
8bc9f85e 56              push    esi

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  balloon+885e

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: balloon

IMAGE_NAME:  balloon.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  58a05c46

FAILURE_BUCKET_ID:  AV_VRF_CODE_AV_PAGED_IP_balloon+885e

BUCKET_ID:  AV_VRF_CODE_AV_PAGED_IP_balloon+885e

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_vrf_code_av_paged_ip_balloon+885e

FAILURE_ID_HASH:  {ed5ccc01-dff5-0dd8-072e-450eb76d8583}

Followup: MachineOwner
---------

Comment 6 xiagao 2017-02-14 02:52:19 UTC
Created attachment 1250103 [details]
screenshot of guest bsod with 132-BLN driver

Comment 8 Ladi Prosek 2017-02-14 09:01:40 UTC
(In reply to xiagao from comment #5)
> Arg1: 8bc9f85e, memory referenced
> Arg2: 00000002, IRQL
> Arg3: 00000008, value 0 = read operation, 1 = write operation
> Arg4: 8bc9f85e, address which referenced memory

Ah, this is a code access. Part of BalloonEvtFileClose now executes at DISPATCH_LEVEL and I forgot to remove the function from the PAGE section. Fix coming. Thanks!

Comment 9 Ladi Prosek 2017-02-15 12:01:49 UTC
Fix for the issue described in comment 5 has been committed:
https://github.com/virtio-win/kvm-guest-drivers-windows/commit/7327107c02b9573524b7a6506660b00effa558fb

Comment 10 xiagao 2017-02-28 12:23:04 UTC
Verified this bug on virtio-win-prewhql-133.
guest:win8-32

Comment 11 xiagao 2017-03-01 03:15:27 UTC
(In reply to xiagao from comment #10)
> Verified this bug on virtio-win-prewhql-133.
> guest:win8-32

Tested more times.

Still hit the BSOD issue; reassigning this bug. I will update the memory dump info later.

Comment 12 xiagao 2017-03-01 03:29:41 UTC
Still hit BSOD with build 133.

1/5 failed.

The memory dump file debug info is as follows:

BugCheck D1, {9e174dd0, 2, 0, 97780857}

*** ERROR: Module load completed but symbols could not be loaded for balloon.sys
*** ERROR: Module load completed but symbols could not be loaded for MSDMFilt.sys
Probably caused by : balloon.sys ( balloon+2857 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 9e174dd0, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 97780857, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS:  9e174dd0 Special pool

CURRENT_IRQL:  2

FAULTING_IP: 
balloon+2857
97780857 8b4e08          mov     ecx,dword ptr [esi+8]

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  System

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre

TRAP_FRAME:  87594998 -- (.trap 0xffffffff87594998)
ErrCode = 00000000
eax=00000000 ebx=00000001 ecx=a6fd4f10 edx=00000000 esi=9e174dc8 edi=87594a4c
eip=97780857 esp=87594a0c ebp=87594a18 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
balloon+0x2857:
97780857 8b4e08          mov     ecx,dword ptr [esi+8] ds:0023:9e174dd0=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 81b82840 to 81b0bccc

STACK_TEXT:  
87594978 81b82840 0000000a 9e174dd0 00000002 nt!KiBugCheck2
87594978 97780857 0000000a 9e174dd0 00000002 nt!KiTrap0E+0x2c8
WARNING: Stack unwind information not available. Following frames may be wrong.
87594a18 9777f67b 9e174dc8 87594a4c 00000001 balloon+0x2857
87594a60 9777fc08 6d8c9320 a6fe2f98 a6f36fa8 balloon+0x167b
87594a74 8545e075 66833060 a6fe2f98 8e182ee8 balloon+0x1c08
87594a9c 8545de8d 9fe7ae90 92736d9c 9fe7ae90 Wdf01000!FxPkgGeneral::OnClose+0xc8
87594abc 85456bc2 9fe7ae90 97b60530 9fe7ae90 Wdf01000!FxPkgGeneral::Dispatch+0xc0
87594ae4 85456a33 97b60530 9fe7ae90 97b60530 Wdf01000!FxDevice::Dispatch+0x155
87594b00 81ea6f4b 97b60530 9fe7ae90 9fe7ae90 Wdf01000!FxDevice::DispatchWithLock+0x77
87594b20 81a4ca9f 81ebe565 9fe7af88 9fe7afac nt!IovCallDriver+0x2e3
87594b34 81ebe565 87594b5c 81ebe65c 97b60530 nt!IofCallDriver+0x62
87594b3c 81ebe65c 97b60530 9fe7ae90 8a716ec0 nt!ViFilterIoCallDriver+0x10
87594b5c 81ea6f4b 8a716f78 9fe7ae90 952667b0 nt!ViFilterDispatchGeneric+0x5e
87594b7c 81a4ca9f 9778c353 9fe7afac 9fe7afd0 nt!IovCallDriver+0x2e3
87594b90 9778c353 9fe7ae90 952666f8 00000000 nt!IofCallDriver+0x62
87594ba8 9778b074 952666f8 9fe7ae90 952666f8 MSDMFilt+0x2353
87594bc8 81ea6f4b 952666f8 9fe7ae90 9fe7ae90 MSDMFilt+0x1074
87594be8 81a4ca9f 81ebe565 9fe7afd0 9fe7aff4 nt!IovCallDriver+0x2e3
87594bfc 81ebe565 87594c24 81ebe65c 952666f8 nt!IofCallDriver+0x62
87594c04 81ebe65c 952666f8 9fe7ae90 89f361d0 nt!ViFilterIoCallDriver+0x10
87594c24 81ea6f4b 89f36288 9fe7ae90 9fe7ae90 nt!ViFilterDispatchGeneric+0x5e
87594c44 81a4ca9f 81c56dd3 00000000 8a0cac58 nt!IovCallDriver+0x2e3
87594c58 81c56dd3 85357f18 8a0cac40 8a0cac00 nt!IofCallDriver+0x62
87594c8c 81fb1796 87594cac 81c56a2d 8a0cac58 nt!IopDeleteFile+0xef
87594cac 81a488f6 00000000 9778d502 a6f08ff0 hal!KfLowerIrql+0x2c
87594cc0 81a48882 8a0cac58 9778d515 89f361d0 nt!ObfDereferenceObjectWithTag+0x5c
87594cc8 9778d515 89f361d0 00000000 87594d1c nt!ObfDereferenceObject+0xd
87594cd8 81a95737 89f361d0 a6f08ff0 81beb4b8 MSDMFilt+0x3515
87594d1c 81a95854 9a856fd0 8535c040 00000000 nt!IopProcessWorkItem+0xa1
87594d74 81ad8415 00010000 822c986f 00000000 nt!ExpWorkerThread+0x111
87594db0 81b84039 81a95747 00010000 00000000 nt!PspSystemThreadStartup+0x4a
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19


STACK_COMMAND:  kb

FOLLOWUP_IP: 
balloon+2857
97780857 8b4e08          mov     ecx,dword ptr [esi+8]

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  balloon+2857

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: balloon

IMAGE_NAME:  balloon.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  58b2e9b5

FAILURE_BUCKET_ID:  AV_VRF_balloon+2857

BUCKET_ID:  AV_VRF_balloon+2857

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_vrf_balloon+2857

FAILURE_ID_HASH:  {37b88797-f829-30fb-256c-f387f04d8b18}

Followup: MachineOwner
---------
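The three dumps in this bug fail in three different ways even though every one of them is bugcheck 0xD1 in balloon.sys: build 131 reads through a NULL esi (a field at offset 8 of a pointer that has already been cleared), build 132 faults on an instruction fetch where the referenced address equals the faulting IP (the paged-code-at-DISPATCH_LEVEL case Ladi identifies in comment 8), and build 133 reads a Driver Verifier special-pool address (an object that has already been freed, consistent with the file-close vs. PnP race discussed in comments 14 and 15). The script below is an added triage example, not code from this bug or from the virtio-win project: it parses the fields of a `!analyze -v` excerpt and names the most likely failure mode. The input strings are constructed from the dump lines pasted above, trimmed to what the parser needs. Treating parameter 3 value 2 as execute (alongside the 8 seen in the build-132 dump) is an assumption taken from Microsoft's bugcheck reference; the verdict strings are this example's own labels and are hypotheses to confirm against the stack, not a verdict.

```python
"""Triage helper for DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1) WinDbg output.

Added example for bug 1419785; not part of the virtio-win driver or tooling.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: the relevant lines of the three WinDbg excerpts pasted
# into comments 2, 5 and 12 (builds 131, 132 and 133 of balloon.sys).
DUMP_131 = """\
BugCheck D1, {8, 2, 0, 97fda7c7}
Probably caused by : balloon.sys ( balloon+27c7 )
READ_ADDRESS:  00000008
ErrCode = 00000000
eax=00000000 ebx=00000001 ecx=9e84afd0 edx=00000000 esi=00000000 edi=877b0a54
97fda7c7 8b4e08          mov     ecx,dword ptr [esi+8] ds:0023:00000008=????????
"""
DUMP_132 = """\
BugCheck D1, {8bc9f85e, 2, 8, 8bc9f85e}
Probably caused by : balloon.sys ( balloon+885e )
READ_ADDRESS:  8bc9f85e
IP_IN_PAGED_CODE:
ErrCode = 00000010
eax=00000005 ebx=659fd060 ecx=fec65770 edx=00000007 esi=75019320 edi=8afe6e58
8bc9f85e 56              push    esi
"""
DUMP_133 = """\
BugCheck D1, {9e174dd0, 2, 0, 97780857}
Probably caused by : balloon.sys ( balloon+2857 )
READ_ADDRESS:  9e174dd0 Special pool
ErrCode = 00000000
eax=00000000 ebx=00000001 ecx=a6fd4f10 edx=00000000 esi=9e174dc8 edi=87594a4c
97780857 8b4e08          mov     ecx,dword ptr [esi+8] ds:0023:9e174dd0=????????
"""

DISPATCH_LEVEL = 2
# Bugcheck 0xD1 parameter 3: 0 = read, 1 = write.  The execute case shows up
# as 8 in the build-132 dump (comment 8 calls it a code access); accepting 2
# as well is an assumption taken from Microsoft's bugcheck reference.
ACCESS = {0: "read", 1: "write", 2: "execute", 8: "execute"}
# x86 #PF error code bit 4 is set when the fault was an instruction fetch.
PF_INSTRUCTION_FETCH = 0x10


@dataclass
class D1Dump:
    referenced: int
    irql: int
    access: str
    faulting_ip: int
    module: str
    offset: int
    special_pool: bool
    ip_in_paged_code: bool
    errcode: int
    regs: dict = field(default_factory=dict)
    base_reg: Optional[str] = None
    disp: int = 0


def parse_d1(text: str) -> D1Dump:
    """Pull the fields that matter for triage out of a !analyze -v excerpt."""
    m = re.search(r"BugCheck D1, \{([0-9a-f]+), ([0-9a-f]+), ([0-9a-f]+), ([0-9a-f]+)\}",
                  text, re.I)
    if not m:
        raise ValueError("not a 0xD1 bugcheck")
    a1, a2, a3, a4 = (int(x, 16) for x in m.groups())
    cause = re.search(r"Probably caused by : (\S+) \( (\w+)\+([0-9a-f]+) \)", text)
    module, offset = (cause.group(1), int(cause.group(3), 16)) if cause else ("?", 0)
    err = re.search(r"ErrCode = ([0-9a-f]+)", text)
    regs = {r: int(v, 16)
            for r, v in re.findall(r"\b(e[a-d]x|e[sd]i|e[bs]p)=([0-9a-f]{8})", text)}
    # Base register and displacement of the faulting memory operand, e.g. [esi+8].
    mem = re.search(r"\[(e[a-z]{2})\+([0-9a-f]+)h?\]", text, re.I)
    return D1Dump(
        referenced=a1, irql=a2, access=ACCESS.get(a3, f"unknown({a3})"), faulting_ip=a4,
        module=module, offset=offset,
        special_pool="Special pool" in text,
        ip_in_paged_code="IP_IN_PAGED_CODE" in text,
        errcode=int(err.group(1), 16) if err else 0,
        regs=regs,
        base_reg=mem.group(1).lower() if mem else None,
        disp=int(mem.group(2), 16) if mem else 0,
    )


def classify(d: D1Dump) -> str:
    """Name the most likely failure mode (a hypothesis to check against the stack)."""
    if d.irql < DISPATCH_LEVEL:
        return "irql-not-raised"
    # Instruction-fetch fault where the referenced address is the faulting IP:
    # the driver's own code page was not resident, i.e. a routine placed in the
    # PAGE section ran at DISPATCH_LEVEL or above.
    if (d.access == "execute" or d.errcode & PF_INSTRUCTION_FETCH or d.ip_in_paged_code) \
            and d.referenced == d.faulting_ip:
        return "paged-code-at-dispatch"
    # Driver Verifier special pool unmaps freed allocations, so a data access
    # that lands on one means the object was already freed (lifetime race).
    if d.special_pool:
        return "use-after-free"
    # Small address reached through a zero base register: a field read via a
    # pointer that was cleared or never initialised.
    base = d.regs.get(d.base_reg) if d.base_reg else None
    if d.referenced < 0x10000 and (base == 0 or d.base_reg is None):
        return "null-deref"
    return "invalid-address-at-dispatch"


def triage(text: str) -> dict:
    d = parse_d1(text)
    return {
        "site": f"{d.module} ({d.module.split('.')[0]}+{d.offset:x})",
        "access": d.access,
        "irql": d.irql,
        "field_offset": d.disp,
        "verdict": classify(d),
    }


if __name__ == "__main__":
    for build, dump in (("131", DUMP_131), ("132", DUMP_132), ("133", DUMP_133)):
        print(build, triage(dump))
```

Run as-is it prints one line per build; `null-deref` for 131, `paged-code-at-dispatch` for 132 and `use-after-free` for 133. The point of separating the rules is that the second verdict is fixed by moving the function out of the PAGE section (the commit in comment 9), while the first and third point at object lifetime, which is why the same bugcheck code came back after that patch.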

Comment 14 Ladi Prosek 2017-03-01 16:09:49 UTC
(In reply to xiagao from comment #11)
> Still hit bsod issue, reassign this bug. I will update the memory dump info
> later.

Thank you! Confirming that I did not really fix the bug. I think I got confused by the documentation:

"In summary, the framework's automatic synchronization capability provides the following features:

The framework always synchronizes each device's PnP and power management callback functions."

I understood it as PnP being always automatically synchronized with other device callbacks but it seems to be synchronized only with itself.

Apologies for wasting your time by not running the test before posting fixes. I am setting up HCK now and reproducing the issue locally to be sure that the next fix actually works.

Comment 15 Ladi Prosek 2017-03-02 14:17:45 UTC
Ok, I am unable to reproduce this. Even after writing a targeted stress test and adding a 1 second delay to BalloonEvtFileClose to increase the chances of hitting the race, I still don't see the function run in parallel with anything else.

xiagao, would it be possible to get access to the problematic VM?

Thanks,
Ladi

Comment 17 Ladi Prosek 2017-03-03 13:20:28 UTC
I have copied the virtual disk to my local host and launched the VM with the same QEMU command line. Still no crash after running the test more than a dozen times.

Unfortunately I won't be able to verify the patch before I post it. I'll try my best for it to be the last fix needed :) Thanks!

Comment 19 Ladi Prosek 2017-03-21 07:50:06 UTC
Fix has been committed, fingers crossed :)
https://github.com/virtio-win/kvm-guest-drivers-windows/commit/22b0e4c6550d69368d03ad736cd5bb6781be65b4

Comment 20 xiagao 2017-03-29 04:50:23 UTC
Verified this bug on virtio-win-prewhql-135.

guest: win8-32
run times: 7

Comment 26 errata-xmlrpc 2017-08-01 12:55:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2341

