[SOLVED] Few BSODs - WIN 7 x64

[Patrick]

Now I know why we were seeing NETIO calls.

3: kd> .bugcheck
Bugcheck code 0000001E
Arguments ffffffff`c0000005 fffff880`009caba0 00000000`00000000 00000000`00000000

3: kd> knL
 # Child-SP          RetAddr           Call Site
00 fffff880`009caae8 fffff800`02f2763b nt!KeBugCheckEx
01 fffff880`009caaf0 fffff800`02ee7b28 nt!KipFatalFilter+0x1b
02 fffff880`009cab30 fffff800`02ebf6bc nt! ?? ::FNODOBFM::`string'+0x83d
03 fffff880`009cab70 fffff800`02ebf13d nt!_C_specific_handler+0x8c
04 fffff880`009cabe0 fffff800`02ebdf15 nt!RtlpExecuteHandlerForException+0xd
05 fffff880`009cac10 fffff800`02ecee81 nt!RtlDispatchException+0x415
06 fffff880`009cb2f0 fffff800`02e92f42 nt!KiDispatchException+0x135
07 fffff880`009cb990 fffff800`02e9184a nt!KiExceptionDispatch+0xc2
08 fffff880`009cbb70 fffff880`0474c17b nt!KiGeneralProtectionFault+0x10a
09 fffff880`009cbd00 fffff880`01a72419 pacer!PcFilterSendNetBufferLists+0xb
0a fffff880`009cbe00 fffff880`01b2e5d5 ndis!ndisSendNBLToFilter+0x69
0b fffff880`009cbe60 fffff880`01c61eb6 ndis!NdisSendNetBufferLists+0x85
0c fffff880`009cbec0 fffff880`01c67afb tcpip!IpNlpFastSendDatagram+0x496
0d fffff880`009cc270 fffff880`01c886f4 tcpip!TcpTcbHeaderSend+0x47b
0e fffff880`009cc420 fffff880`01c63745 tcpip!TcpFlushDelay+0x204
0f fffff880`009cc500 fffff880`01c4667c tcpip!TcpPreValidatedReceive+0x3e5
10 fffff880`009cc5d0 fffff880`01c57712 tcpip!IpFlcReceivePreValidatedPackets+0x5bc
11 fffff880`009cc730 fffff800`02ea01f8 tcpip!FlReceiveNetBufferListChainCalloutRoutine+0xa2
12 fffff880`009cc780 fffff880`01c57e42 nt!KeExpandKernelStackAndCalloutEx+0xd8
13 fffff880`009cc860 fffff880`01b2e0eb tcpip!FlReceiveNetBufferListChain+0xb2
14 fffff880`009cc8d0 fffff880`01af7ad6 ndis!ndisMIndicateNetBufferListsToOpen+0xdb
15 fffff880`009cc940 fffff880`01a7a5d4 ndis!ndisMDispatchReceiveNetBufferLists+0x1d6
16 fffff880`009ccdc0 fffff880`01a7a549 ndis!ndisMTopReceiveNetBufferLists+0x24
17 fffff880`009cce00 fffff880`01a7a4e0 ndis!ndisFilterIndicateReceiveNetBufferLists+0x29
18 fffff880`009cce40 fffff880`04cc64eb ndis!NdisFIndicateReceiveNetBufferLists+0x50
19 fffff880`009cce80 00000000`00000003 bflwfx64+0xf4eb
1a fffff880`009cce88 00000000`00000020 0x3
1b fffff880`009cce90 00000000`00000001 0x20
1c fffff880`009cce98 fffffa80`0dac19f0 0x1
1d fffff880`009ccea0 00000000`00000000 0xfffffa80`0dac19f0

A lot of network stuff on the stack. Big tldr; Bigfoot Networks Bandwidth Control Wireless NDIS Light Weight Filter driver calls NDIS to do a lot of NBL stuff (net buffer list), and we hit an unhandled exception.

3: kd> .trap fffff880`009cbb70
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=effbfa80108a0780
rdx=fffffa801270d830 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8800474c17b rsp=fffff880009cbd00 rbp=0000000000000000
 r8=0000000000000000  r9=0000000000000001 r10=0000000000000000
r11=fffffa801270daae r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
pacer!PcFilterSendNetBufferLists+0xb:
fffff880`0474c17b 83791402        cmp     dword ptr [rcx+14h],2 ds:effbfa80`108a0794=????????

The exception occurred on this instruction, which is a compare instruction that's comparing 2 with rcx+14.

3: kd> !pte effbfa80108a0780
                                           VA effbfa80108a0780
PXE at FFFFF6FB7DBEDFA8    PPE at FFFFF6FB7DBF5000    PDE at FFFFF6FB7EA00420    PTE at FFFFF6FD40084500
Unable to get PXE FFFFF6FB7DBEDFA8
WARNING: noncanonical VA, accesses will fault !

rcx's contains a noncanoncial virtual address (invalid), there an access violation occurred. In kernel-mode, that's a big no-no. This is ultimately why the 0x1E bug check was thrown.

Honestly, I've seen this before. It's always a pain because Atheros bought our Bigfoot networks (guys in charge of Killer drivers) and Atheros' drivers have a track record of absolutely horrible development.

The only thing I can really recommend is just making sure your Killer network drivers are up to date via MSI's site.

 

[Foresto]

So basically the problems are caused by the killer network drivers and there is no solution to that currently? If thats the case, then I will just have to live with it till they decide to fix it. Thanks Patrick, I will inform you if I get any new BSOD.

 

[Patrick]

Well, there's generally a solution to this problem, but the drivers/software is buggy so it takes some head bashing to eventually get it right.

1. Ensure your Killer network drivers are at least version.

2. Try this workaround first, even though it doesn't particularly pertain to your issue specifically - MSI USA - Online Technical Support FAQ

3. If above doesn't help, try this - https://forum-en.msi.com/index.php?topic=178064.0

 

[Foresto]

I got a new one - NTFS_FILE_SYSTEM

Dump:
View attachment 063015-4586-01.zip

 

[Patrick]

Downloaded, I'll take a look in a bit and post back by tonight.

 

[Patrick]

Do you by any chance have the kernel-dump of this specific 0x24 crash? If you haven't crashed since, check C:\Windows for MEMORY.DMP and upload that to a drive site and paste the link here.

It'll be good because then I can do some disassembly.

 

[Foresto]

https://drive.google.com/open?id=0Bxd8SJxAjOYNNllqUzU1QXE2Nms

Here.

 

[Patrick]

2: kd> .bugcheck
Bugcheck code 00000024
Arguments 00000000`001904fb fffff880`0cae01a8 fffff880`0cadfa00 fffff880`01484626

If we look at the 3rd argument for the context record, we can get the trapframe regarding the unhandled exception that caused the crash, as well as a good stack to work with.

2: kd> .cxr fffff880`0cadfa00
rax=fffffa80123f5060 rbx=0000000000000200 rcx=0000000000000200
rdx=ffffffffffffffff rsi=fffffa80111d1200 rdi=0000000000000000
rip=fffff88001484626 rsp=fffff8800cae03e0 rbp=fffffa80111d1208
 r8=ffffffffffffffff  r9=ffffffffffffffff r10=fffff80002e4a000
r11=00000000000004b6 r12=ffffffffffffffff r13=fffffa800fc26684
r14=0000000000004000 r15=0000000000000001
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
fltmgr!TreeUnlinkNoBalance+0x6:
fffff880`01484626 488b5118        mov     rdx,qword ptr [rcx+18h] ds:002b:00000000`00000218=????????????????

The exception occurred in fltmgr.sys as fltmgr!TreeUnlinkNoBalance attempted to access bogus memory. Which part of the instruction was bogus? rcx is, and we can tell just by looking at it - 0000000000000200.

2: kd> !pte 0000000000000200
                                           VA 0000000000000200
PXE at FFFFF6FB7DBED000    PPE at FFFFF6FB7DA00000    PDE at FFFFF6FB40000000    PTE at FFFFF68000000000
contains 4580000372984867  contains 02F0000373108867  contains 0350000372913867  contains 0000000000000000
pfn 372984    ---DA--UWEV  pfn 373108    ---DA--UWEV  pfn 372913    ---DA--UWEV  not valid

2: kd> knL
  *** Stack trace for last set context - .thread/.cxr resets it
 # Child-SP          RetAddr           Call Site
00 fffff880`0cae03e0 fffff880`014822c8 fltmgr!TreeUnlinkNoBalance+0x6 [COLOR=#008000]// Exception occurred here[/COLOR]
01 fffff880`0cae0410 fffff880`014a02af fltmgr!TreeUnlinkMulti+0x148
02 fffff880`0cae0460 fffff880`014a29e9 fltmgr!DeleteNameCacheNodes+0x9f
03 fffff880`0cae04a0 fffff880`014b02bf fltmgr!PurgeStreamNameCache+0xa9
04 fffff880`0cae04e0 fffff880`014a7a10 fltmgr!FltpPurgeVolumeNameCache+0x7f
05 fffff880`0cae0520 fffff880`014a2b9b fltmgr! ?? ::NNGAKEGL::`string'+0x1a04
06 fffff880`0cae0560 fffff880`01482eca fltmgr!FltpReinstateNameCachingAllFrames+0x4b
07 fffff880`0cae0590 fffff800`02ec2f51 fltmgr!FltpPassThroughCompletion+0x8a
08 fffff880`0cae05d0 fffff880`016297fc nt!IopfCompleteRequest+0x341
09 fffff880`0cae06c0 fffff880`016b43a6 Ntfs!NtfsExtendedCompleteRequestInternal+0x11c
0a fffff880`0cae0700 fffff880`01626ef4 Ntfs!NtfsCommonSetInformation+0xecd
0b fffff880`0cae07e0 fffff880`0147fbcf Ntfs!NtfsFsdSetInformation+0x124
0c fffff880`0cae0860 fffff880`0147e6df fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
0d fffff880`0cae08f0 fffff800`0319be33 fltmgr!FltpDispatch+0xcf
0e fffff880`0cae0950 fffff800`02ebdb53 nt!NtSetInformationFile+0x91f
0f fffff880`0cae0a70 00000000`7766de2a nt!KiSystemServiceCopyEnd+0x13
10 00000000`15a3e538 00000000`00000000 0x7766de2a

2: kd> ub fffff88001484626
fltmgr!ExFreeToNPagedLookasideList+0x5a:
fffff880`0148461a 90              nop
fffff880`0148461b 90              nop
fffff880`0148461c 90              nop
fffff880`0148461d 90              nop
fffff880`0148461e 90              nop
fffff880`0148461f 90              nop
fltmgr!TreeUnlinkNoBalance:
fffff880`01484620 fff3            push    rbx
fffff880`01484622 4883ec20        sub     rsp,20h

Not too sure where the data in rcx is being obtained from.

Are you using a hard disk or an SSD? If the former, run Seatools as I'm curious.

SeaTools | Seagate

You can run it via Windows or DOS. Do note that the only difference is simply the environment you're running it in. In Windows, if you are having what you believe to be driver related issues that may cause conflicts or a false positive, it may be a wise decision to choose the most minimal testing environment (DOS). I always recommend running Seatools in DOS if absolutely possible.

-- Run all tests EXCEPT: Fix All and anything Advanced.

 

[Foresto]

Im running an SSD and HDD. The system is installed on SSD and HDD is just data storage.

 

[Patrick]

Run Seatools on the data storage drive, and regarding the SSD, be 100% sure its firmware is completely up to date.

 

[Foresto]

Ran the DOS Seatools and it said "No hard drives detected". Gonna try the Windows one. As for firmware:


EDIT: Seems like neither windows nor DOS is finding anything to scan.

 

[Patrick]

You need to change from AHCI to IDE in BIOS then. I'd be careful though with that since you're using an SSD, and I'd actually try the Windows one first.

 

[Foresto]

Done the change and as soon as the screen went into "Welcome to Windows" I get bluescreen and pc restarts. Had to change back to AHCI to make it work again.

Trying with the DOS one now.

 

[Patrick]

Yeah, just make sure that changing back will allow you to boot back into Windows after you run the DOS diagnostic.

You can theoretically edit a value in the registry to allow you to boot into Windows with IDE after a reboot, but there's really no point + sometimes it doesn't work due to SSD setups.

 

[Foresto]

Ran all the tests you told me to and everything went with PASSED.

 

[Patrick]

Wow this is really testing me. Have you crashed since that 0x24 bug check?

 

[Foresto]

No crashes till now. Was waiting at least 24h to check.

Also, I followed this: 2. Try this workaround first, even though it doesn't particularly pertain to your issue specifically - MSI USA - Online Technical Support FAQ | and nothing crashed since, so maybe it was after all the network drivers.

 

[Patrick]

Well, we'll see. Keep me updated.

 

[Foresto]

Crashed again. IRQL_NOT_LESS_OR_EQUAL with ntoskrnl and iusb3hc.sys

View attachment 070315-5319-01.zip

 

[Patrick]

Okay, well, the bad news is regardless of passing diagnostics I am almost certain this is a hardware issue. I've tried to investigate every which way I personally can to see if this is a driver problem, but I don't see it.

0: kd> .bugcheck
Bugcheck code 0000000A
Arguments 00000000`48f61bff 00000000`00000002 00000000`00000000 fffff800`02fc0775

So we tried to access pageable memory at an IRQL that was too high, and the memory could have also been bad.

0: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff800`00b99ff8 fffff800`02ec9e69 : 00000000`0000000a 00000000`48f61bff 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff800`00b9a000 fffff800`02ec8ae0 : fffffa80`10adc9f0 00000001`00000000 00000000`00000000 fffff800`03049e80 : nt!KiBugCheckDispatch+0x69
fffff800`00b9a140 fffff800`02fc0775 : fffff800`03049e80 fffffa80`10969520 fffffa80`109695d8 fffffa80`109695d8 : nt!KiPageFault+0x260 (TrapFrame @ fffff800`00b9a140) [COLOR=#008000]//  Trapframe for exception[/COLOR]
fffff800`00b9a2d0 fffff800`02fc09ab : 00000000`0000006c 00000000`00000000 00000027`5b54800e 00000016`8b005fa6 : nt!PpmPerfRecordUtility+0x1f5
fffff800`00b9a340 fffff800`02f848bc : 00000000`00000000 00000000`00100100 fffff800`03049e80 fffff800`00b9a4c0 : nt!PpmCheckRecordAllUtility+0xfb
fffff800`00b9a3d0 fffff800`02fc1400 : 00000000`0034278e fffff800`00b9a4c0 00000000`00000001 fffff800`02ed364a : nt!PpmCheckRun+0x8c
fffff800`00b9a400 fffff800`02ed672c : fffffa80`11b6a410 00000000`00000000 fffffa80`40640a88 00000000`00000000 : nt!PpmCheckStart+0x40
fffff800`00b9a430 fffff800`02ed65c6 : fffff800`03070f70 00000000`00305f63 00000000`00000000 00000000`00000000 : nt!KiProcessTimerDpcTable+0x6c
fffff800`00b9a4a0 fffff800`02ed64ae : 00000073`2540ec91 fffff800`00b9ab18 00000000`00305f63 fffff800`0304cee8 : nt!KiProcessExpiredTimerList+0xc6
fffff800`00b9aaf0 fffff800`02ed6297 : 00000027`5b5472c1 00000027`00305f63 00000027`5b5472aa 00000000`00000063 : nt!KiTimerExpiration+0x1be
fffff800`00b9ab90 fffff800`02ec25ca : fffff800`03049e80 fffff800`03057cc0 00000000`00000001 fffff880`00000000 : nt!KiRetireDpcList+0x277
fffff800`00b9ac40 00000000`00000000 : fffff800`00b9b000 fffff800`00b95000 fffff800`00b9ac00 00000000`00000000 : nt!KiIdleLoop+0x5a

0: kd> .trap fffff800`00b9a140
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000002a30 rbx=0000000000000000 rcx=00000000000000e8
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002fc0775 rsp=fffff80000b9a2d0 rbp=fffffa8010969520
 r8=00000000000024b6  r9=000000000000006c r10=0000000000000000
r11=00000000000000e8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
nt!PpmPerfRecordUtility+0x1f5:
fffff800`02fc0775 490fafc0        imul    rax,r8

Integer multiplication instruction, specifically multiplying both registers and storing the result in the first operand.

rax * r8 = value in (rax).

Small dump so we can't check the contents of either registers, but just looking at them, they both look really invalid to say the least.

0: kd> !irql
Debugger saved IRQL for processor 0x0 -- 2 (DISPATCH_LEVEL)

We were also at DISPATCH_LEVEL IRQL (2), so that's another problem. Bad memory + IRQL too high = 0xA bug check.

So what caused the bad contents + improper IRQL? Well, since it's a small dump, not much we can really do other than same guesswork based on the stack we can see.

0: kd> knL
  *** Stack trace for last set context - .thread/.cxr resets it
 # Child-SP          RetAddr           Call Site
00 fffff800`00b9a2d0 fffff800`02fc09ab nt!PpmPerfRecordUtility+0x1f5
01 fffff800`00b9a340 fffff800`02f848bc nt!PpmCheckRecordAllUtility+0xfb
02 fffff800`00b9a3d0 fffff800`02fc1400 nt!PpmCheckRun+0x8c
03 fffff800`00b9a400 fffff800`02ed672c nt!PpmCheckStart+0x40
04 fffff800`00b9a430 fffff800`02ed65c6 nt!KiProcessTimerDpcTable+0x6c
05 fffff800`00b9a4a0 fffff800`02ed64ae nt!KiProcessExpiredTimerList+0xc6
06 fffff800`00b9aaf0 fffff800`02ed6297 nt!KiTimerExpiration+0x1be
07 fffff800`00b9ab90 fffff800`02ec25ca nt!KiRetireDpcList+0x277
08 fffff800`00b9ac40 00000000`00000000 nt!KiIdleLoop+0x5a

The processor comes out of idle and straight away retires a DPC list, likely a response to another processor's IPI (inter-processor interrupt). From here we'd usually run a handy command called !timer, but since it's a small dump...

0: kd> !timer
fffff78000000000: Unable to get shared data

Not too helpful, really.

Anyway, all of this timer stuff like (PpmCheckStart - executes algorithm that powers the PPM) is in direct relation to the performance check of your processor. Given we're pagefaulting during such activites is a really really big hint of a CPU problem, or motherboard. It's hardware is what I'm trying to unfortunately get at here.