Strange WIN2012R2 BSOD MI_CHECK_KERNEL_NOEXECUTE_FAULT

NTDEV
1

Hello,

I am seeing a strange Win2012R2 BSOD.
We have a WFP driver to inspect inbound/outbound traffic.
However this intermittent problem is seen only on Win2012R2 and even after applying all the correct symbols I am not able to resolve the call stack which leads to this BSOD.

RetAddr : Args to Child : Call Site

00 fffff80400d9dba0 : 0000000000000000 fffff804008dce50 ffffe001a80038ca 80000001339f1963 : hal!HalpAcpiPmRegisterReadPort+0x1b 01 fffff80400dbd213 : ffffe001a7429038 fffff80400759501 0000000000000010 0000000000000082 : hal!HalpAcpiPmRegisterRead+0x30
02 fffff804007c6e01 : fffff6fb7dbf0000 0000000000000004 ffff0fa60438a724 fffff804007c76ee : hal!HaliHaltSystem+0x53 03 fffff804007c6a4d : fffff80400000004 0000000000000020 00000000000000fc 00000000000000fc : nt!KiBugCheckDebugBreak+0x99
04 fffff804007513a4 : 80000001339f1963 0000000000000000 ffffd001b668ee02 0000000000000000 : nt!KeBugCheck2+0xc49 05 fffff804006e796c : 00000000000000fc ffffe001a80038ca 80000001339f1963 ffffd001b668eef0 : nt!KeBugCheckEx+0x104
06 fffff804007f558f : ffffd001b668eeb0 fffff804009b8ee9 ffffd001b668eeb0 0000000000000000 : nt!MI_CHECK_KERNEL_NOEXECUTE_FAULT+0x64 07 fffff804006448c3 : 0000000000000000 80000001339f1963 ffffd001b668ee89 0000000000000000 : nt!MiRaisedIrqlFault+0x1c7
08 fffff8040075e957 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!MmAccessFault+0x103 09 ffffe001a80038ca : ffffe001a84e7e65 b3b74bdee4453415 ffffd001b668f100 ffffe001a84dd15c : nt!KiPageFault+0x317
0a ffffe001a84e7e65 : b3b74bdee4453415 ffffd001b668f100 ffffe001a84dd15c 0000000000000001 : 0xffffe001a80038ca
0b b3b74bdee4453415 : ffffd001b668f100 ffffe001a84dd15c 0000000000000001 ffffe001a5864be0 : 0xffffe001a84e7e65
0c ffffd001b668f100 : ffffe001a84dd15c 0000000000000001 ffffe001a5864be0 0000000000000000 : 0xb3b74bdee4453415
0d ffffe001a84dd15c : 0000000000000001 ffffe001a5864be0 0000000000000000 0000000000000000 : 0xffffd001b668f100
0e 0000000000000001 : ffffe001a5864be0 0000000000000000 0000000000000000 ffffd001b668f2f8 : 0xffffe001a84dd15c
0f ffffe001a5864be0 : 0000000000000000 0000000000000000 ffffd001b668f2f8 0000000000000000 : 0x1 10 0000000000000000 : 0000000000000000 ffffd001b668f2f8 0000000000000000 fffff80400922ee8 : 0xffffe001`a5864be0

According to trap frame analysis - the 0xffffe001`a80038ca is the faulting address and it has no Execute permissions.

2: kd> !pte 0xffffe001`a80038ca
VA ffffe001a80038ca
PXE at FFFFF6FB7DBEDE00 PPE at FFFFF6FB7DBC0030 PDE at FFFFF6FB78006A00 PTE at FFFFF6F000D40018
contains 000000000054D863 contains 000000000054C863 contains 000000000D7E3863 contains 80000001339F1963
pfn 54d —DA–KWEV pfn 54c —DA–KWEV pfn d7e3 —DA–KWEV pfn 1339f1 -G-DA–KW-V

This address range specified for 0xffffe001a80038ca does not fall in the range of any loaded module. also when the addresses 0xffffe001a84e7e65, 0xb3b74bdee4453415, 0xb3b74bdee4453415 are unassembled they seem strange and I am not sure why instructions at 0xffffe001`a80038ca are being executed.

I don’t have access to private symbols.

Can anyone please tell me how to troubleshoot this further, I want to understand what is leading to this BSOD?
Thanks.

2

some more details

2: kd> .trap ffffd001b668eef0 NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=0000000080040031 rbx=0000000000000000 rcx=fffff6fb7dbedf80 rdx=ffffd001b668f450 rsi=0000000000000000 rdi=0000000000000000 rip=ffffe001a80038ca rsp=ffffd001b668f088 rbp=ffffd001b668f100 r8=0000000000000000 r9=0000000000000000 r10=7010008004002001 r11=0000000080050031 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl nz na pe nc ffffe001a80038ca 0000 add byte ptr [rax],al ds:0000000080040031=?? 2: kd> u 0xffffe001a80038ca
ffffe001a80038ca 0000 add byte ptr [rax],al ffffe001a80038cc 0000 add byte ptr [rax],al
ffffe001a80038ce 0000 add byte ptr [rax],al ffffe001a80038d0 0000 add byte ptr [rax],al
ffffe001a80038d2 0000 add byte ptr [rax],al ffffe001a80038d4 0000 add byte ptr [rax],al
ffffe001a80038d6 0000 add byte ptr [rax],al ffffe001a80038d8 0000 add byte ptr [rax],al
2: kd> u 0xffffe001a80038c8 ffffe001a80038c8 0000 add byte ptr [rax],al
ffffe001a80038ca 0000 add byte ptr [rax],al ffffe001a80038cc 0000 add byte ptr [rax],al
ffffe001a80038ce 0000 add byte ptr [rax],al ffffe001a80038d0 0000 add byte ptr [rax],al
ffffe001a80038d2 0000 add byte ptr [rax],al ffffe001a80038d4 0000 add byte ptr [rax],al
ffffe001a80038d6 0000 add byte ptr [rax],al 2: kd> u 0xffffe001a84e7e63
ffffe001a84e7e63 b1ff mov cl,0FFh ffffe001a84e7e65 85c0 test eax,eax
ffffe001a84e7e67 740b je ffffe001a84e7e74
ffffe001a84e7e69 488bd3 mov rdx,rbx ffffe001a84e7e6c 498bcd mov rcx,r13
ffffe001a84e7e6f e8f2bdb1ff call ffffe001a8003c66
ffffe001a84e7e74 0f20e1 mov rcx,cr4 ffffe001a84e7e77 48f7c180000200 test rcx,20080h