Driver Verifier unexpected I/O verification violation in VolSnap

n4r1B 21 Reputation points
2022-06-08T10:42:34.71+00:00

I'm getting a DRIVER_VERIFIER_IOMANAGER_VIOLATION, trying to restart a Volume that has Volume Shadow copies as Child Devnodes. The error is the following:

DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)  
The IO manager has caught a misbehaving driver.  
Arguments:  
Arg1: 0000000000000221, An IRP dispatch handler for a PDO has deleted its device object, but the  
 hardware has not been reported as missing in a bus relations query.  
Arg2: fffff801521546b0, The address in the driver's code where the error was detected.  
Arg3: ffffd503fac7ec60, IRP address.  
Arg4: ffffd503ce1472c0, Device object address.  

This only happens when verifying all drivers (ViVerifyAllDrivers set to true). Is trivial to reproduce by creating a Volume Shadow copy in a Removable device and using pnputil to restart the Volume.

From what I've been able to find online about this issue I've seen some people asking about it, being the most interesting the following thread:
https://social.msdn.microsoft.com/Forums/en-US/dfb8aca9-2e7b-4d7a-a221-aeb3cd5ca932/bsod-in-volsnapsys-during-sleep-and-pnp-disable-and-enable-with-io-before-and-after?forum=whck

In that thread the main answer mentions this is a known issue on Win8, I'm wondering if I'm facing the same issue. If that's the case will these be solved at some point, I'm running Win11 21H2 Build 22000.675.

----------

Technical Notes

The problem seems to be related with how the Volume Shadow Devnode is created with just having only a PDO in the DevStack. This seems to make the Stack not to be properly marked in function PipCallDriverAddDevice -- Call to IovUtilMarkStack doesn't set flag 0x10000000 -- This plays a role later on function IovpCallDriver1 when the DeviceObject and DevStack are checked to see if they are marked when IRP_MJ_PNP and IRP_MN_REMOVE_DEVICE. Specially the fact that IovUtilIsInFdoStack returns FALSE which in turn won't set flag 0x10000000 in the VFCallDriverData. Again, this plays a role later after the IRP is processed and the DeviceObject is marked as Deleted -- Seems to be flag 0x4000000 in DeviceObjectExtension flags -- in the VF post processing, function IovpCallDriver2 since flag 0x10000000 was not set in the VFCallDriverData it will enter in a branch where the function seems to check if the LowerDeviceObject matches the DeviceObject the IRP was the target of. And since they match -- Only one device in the Volume Shadow Devstack -- and flag 0x4000000 was set in the VfIoDeleteDevice then the Bugcheck 0x221 will be reported.

Of course, I might be mistaken in many aspects here since I don't know the internals. But that's what I can see that's causing this issue.

Best Regards,
n4r1B

Windows 11
Windows 11
A Microsoft operating system designed for productivity, creativity, and ease of use.
3,529 questions
Windows Hardware Performance
Windows Hardware Performance
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Hardware Performance: Delivering / providing hardware or hardware systems or adjusting / adapting hardware or hardware systems.
1,246 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 37,351 Reputation points
    2022-06-09T07:51:10.63+00:00

    Hi there,

    You can use the driver verifier tool to dig out more about this. It's used to detect and troubleshoot many driver issues that are known to cause system corruption, failures, or other unpredictable behavior https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/use-driver-verifier-to-identify-issues

    You can also share the minidump with Microsoft to analyze the root cause of the issue. The below thread discusses the same issue and you can try out some troubleshooting steps from this and see if that helps you to sort the Issue.

    https://social.msdn.microsoft.com/Forums/windows/en-US/8ab05543-e71d-4fd7-8132-a5340c2681e2/test-signed-driver-test-blue-screen-error-quotdriververifieriomanagerviolation-c9quot?forum=whck

    https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/51d19b70-6404-4c72-a648-926357aa34c7/hck-test-blue-screen-fuzz-query-and-set-security-test-driververifieriomanagerviolation-c9?forum=whck

    ------------------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–

    No comments