Bugcheck on idle thread?

Hi all,

I'm looking for some help deciphering a strange crash dump.

I was getting an IRQL_NOT_LESS_OR_EQUAL bugcheck on boot when testing a
filter driver I'm developing in a hyper-v VM (using secure boot). There was
no debugger attached at the time, so I booted in safe mode to pull the dump
from disk. However the bugcheck was still happening when booting in safe
mode. I now have the dump after mounting the drive to retrieve it, however
I'm not entirely sure what's happening.

It appears the idle thread on processor 0 is calling the bugcheck after
issuing a page fault at a high IRQL, but the stack looks unreliable.
KeBugCheckEx was called with an IRQL of FF, but !irql states it as being 0.

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fffff80000263070, memory referenced
Arg2: 00000000000000ff, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80000263070, address which referenced memory

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 402

BUILD_VERSION_STRING:  10240.16384.amd64fre.th1.150709-1700

DUMP_TYPE:  0

BUGCHECK_P1: fffff80000263070

BUGCHECK_P2: ff

BUGCHECK_P3: 0

BUGCHECK_P4: fffff80000263070

READ_ADDRESS:  fffff80000263070

CURRENT_IRQL:  0

FAULTING_IP:
+0
fffff800`00263070 ??              ???

ADDITIONAL_DEBUG_TEXT:  The trap occurred when interrupts are disabled on
the target.

BUGCHECK_STR:  DISABLED_INTERRUPT_FAULT

CPU_COUNT: 2

CPU_MHZ: 9c4

CPU_VENDOR:  AuthenticAMD

CPU_FAMILY: 15

CPU_MODEL: 2

CPU_STEPPING: 0

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  System

ANALYSIS_VERSION: 10.0.10586.567 amd64fre

TRAP_FRAME:  fffff8008625c520 -- (.trap 0xfffff8008625c520)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=00000000400000f0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=0000000000000000 rsp=fffff8008625c6b0 rbp=fffff8008496e180
 r8=00000000ffffffff  r9=00000000ffffffff r10=00000000ffffffff
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up di pl nz na pe nc
00000000`00000000 ??              ???
Resetting default scope

IP_IN_FREE_BLOCK: 0

LAST_CONTROL_TRANSFER:  from fffff800847625a9 to fffff80084757c20

FAILED_INSTRUCTION_ADDRESS:
+0
fffff800`00263070 ??              ???

STACK_TEXT:
fffff8008625c0b8 fffff800847625a9 : 000000000000000a fffff80000263070 00000000000000ff 0000000000000000 : nt!KeBugCheckEx
fffff8008625c0c0 fffff80084760dc8 : ffffe00013a019b0 0000000000000000 0000000000000000 fffff800846530c7 : nt!KiBugCheckDispatch+0x69
fffff8008625c200 fffff80000263070 : fffff80084757c61 0000000000000256 0000000000000000 0000000000000000 : nt!KiPageFault+0x248
fffff8008625c398 fffff80084757c61 : 0000000000000256 0000000000000000 0000000000000000 0000000000000001 : 0xfffff80000263070
fffff8008625c3a0 fffff800847625a9 : 000000000000000a 0000000000000000 00000000000000ff 0000000000000000 : nt!KeBugCheckEx+0x41
fffff8008625c3e0 fffff80084760dc8 : 0000000000000000 0000000000000000 0000000000000000 00001f8000000000 : nt!KiBugCheckDispatch+0x69
fffff8008625c520 0000000000000000 : ffffe000139cfcb0 fffff8008482cd70 ffffe00014c99010 fffff8005bec1e17 : nt!KiPageFault+0x248

STACK_COMMAND:  kb

THREAD_SHA1_HASH_MOD_FUNC:  6307cd818e7d6e0cabc70066446c0046c31bd7e9

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  b55f691509d4ed139499681e9de1fabd3ef554bf

THREAD_SHA1_HASH_MOD:  ee8fcf1fb60cb6e3e2f60ddbed2ec02b5748a693

FOLLOWUP_IP:
nt!KiPageFault+248
fffff800`84760dc8 33c0            xor     eax,eax

FAULT_INSTR_CODE:  ffb0c033

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  nt!KiPageFault+248

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  559f3c1a

IMAGE_VERSION:  10.0.10240.16384

BUCKET_ID_FUNC_OFFSET:  248

FAILURE_BUCKET_ID:  DISABLED_INTERRUPT_FAULT_CODE_AV_BAD_IP_nt!KiPageFault

BUCKET_ID:  DISABLED_INTERRUPT_FAULT_CODE_AV_BAD_IP_nt!KiPageFault

PRIMARY_PROBLEM_CLASS:  DISABLED_INTERRUPT_FAULT_CODE_AV_BAD_IP_nt!KiPageFault

TARGET_TIME:  2016-05-31T10:25:16.000Z

OSBUILD:  10240

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID:  0

OSBUILD_TIMESTAMP:  2015-07-10 04:29:30

BUILDDATESTAMP_STR:  150709-1700

BUILDLAB_STR:  th1

BUILDOSVER_STR:  10.0.10240.16384.amd64fre.th1.150709-1700

ANALYSIS_SESSION_ELAPSED_TIME: 904

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:disabled_interrupt_fault_code_av_bad_ip_nt!kipagefault

FAILURE_ID_HASH:  {f2ab72c5-099d-9077-bfcf-ba12aa825b36}

Followup:     MachineOwner

0: kd> !running -it

System Processors:  (0000000000000003)
  Idle Processors:  (0000000000000000)

     Prcbs             Current         (pri) Next            (pri) Idle
  0  fffff8008496e180  fffff800849e4740 ( 0) ffffe00014c8f040 (14) fffff800849e4740  ...

Child-SP          RetAddr           Call Site

00 fffff8008625c0b8 fffff800847625a9 nt!KeBugCheckEx
01 fffff8008625c0c0 fffff80084760dc8 nt!KiBugCheckDispatch+0x69
02 fffff8008625c200 fffff80000263070 nt!KiPageFault+0x248
03 fffff8008625c398 fffff80084757c61 0xfffff80000263070
04 fffff8008625c3a0 fffff800847625a9 nt!KeBugCheckEx+0x41
05 fffff8008625c3e0 fffff80084760dc8 nt!KiBugCheckDispatch+0x69
06 fffff8008625c520 0000000000000000 nt!KiPageFault+0x248

  1  ffffd00127b35180  ffffe00013a01840 (31)                       ffffd00127b41b40  ...

Child-SP          RetAddr           Call Site

00 ffffd001279ccb90 fffff8008467cc2f nt!KiIpiSendRequestEx+0xa0
01 ffffd001279ccbe0 fffff80084631e9d nt!KxFlushEntireTb+0x8f
02 ffffd001279ccc40 fffff8008461dd28 nt!MiFlushTbList+0x5fd
03 ffffd001279cce30 fffff80084b59ea3 nt!MiDeleteSystemPagableVm+0x4f8
04 ffffd001279ccff0 fffff80084b59d01 nt!MiFreeInitializationCode+0x143
05 ffffd001279cd060 fffff80084b598a8 nt!MiFreeDriverInitialization+0xc9
06 ffffd001279cd0b0 fffff80084b57e4a nt!IopLoadDriver+0x710
07 ffffd001279cd380 fffff80084b57a74 nt!IopLoadUnloadDriver+0x4e
08 ffffd001279cd3c0 fffff80084762263 nt!NtLoadDriver+0x200
09 ffffd001279cd470 fffff8008475aab0 nt!KiSystemServiceCopyEnd+0x13
0a ffffd001279cd608 fffff8005ca80297 nt!KiServiceLinkage
0b ffffd001279cd610 fffff80084b59780 BasicDisplay!DriverEntry+0x277
0c ffffd001279cd840 fffff80084dd2489 nt!IopLoadDriver+0x5e8
0d ffffd001279cdb10 fffff80084de993e nt!IopInitializeSystemDrivers+0x149
0e ffffd001279cdba0 fffff80084b845be nt!IoInitSystem+0x16
0f ffffd001279cdbd0 fffff800846f06d8 nt!Phase1Initialization+0x2a
10 ffffd001279cdc00 fffff8008475cd06 nt!PspSystemThreadStartup+0x58
11 ffffd001279cdc60 0000000000000000 nt!KiStartSystemThread+0x16

0: kd> !pcr 0
KPCR for Processor 0 at fffff8008496e000:
    Major 1 Minor 1
    NtTib.ExceptionList: fffff80086254000
        NtTib.StackBase: fffff80086255070
       NtTib.StackLimit: 0000000000000000
     NtTib.SubSystemTib: fffff8008496e000
          NtTib.Version: 000000008496e180
      NtTib.UserPointer: fffff8008496e7f0
          NtTib.SelfTib: 0000000000000000

                SelfPcr: 0000000000000000
                   Prcb: fffff8008496e180
                   Irql: 0000000000000000
                    IRR: 0000000000000000
                    IDR: 0000000000000000
          InterruptMode: 0000000000000000
                    IDT: 0000000000000000
                    GDT: 0000000000000000
                    TSS: 0000000000000000

          CurrentThread: fffff800849e4740
             NextThread: ffffe00014c8f040
             IdleThread: fffff800849e4740

               DpcQueue: Unable to read nt!_KDPC_DATA.DpcListHead.Flink @ fffff80084970f00

0: kd> !prcb
PRCB for Processor 0 at fffff8008496e180:
Current IRQL -- 0
Threads--  Current fffff800849e4740 Next ffffe00014c8f040 Idle fffff800849e4740
Processor Index 0 Number (0, 0) GroupSetMember 1
Interrupt Count -- 000006f4
Times -- Dpc 00000002 Interrupt 00000001
         Kernel 00000149 User 00000000

0: kd> lm
start end module name
fffff8005b800000 fffff8005b823000 tm (deferred)
fffff8005b830000 fffff8005b847000 PSHED (deferred)
fffff8005b850000 fffff8005b85b000 BOOTVID (deferred)
fffff8005b860000 fffff8005b86e000 cmimcext (deferred)
fffff8005b870000 fffff8005b87c000 ntosext (deferred)
fffff8005b880000 fffff8005b919000 CI (deferred)
fffff8005b920000 fffff8005b97c000 msrpc (deferred)
fffff8005b980000 fffff8005b9e2000 FLTMGR (deferred)
fffff8005b9f0000 fffff8005ba17000 ksecdd (deferred)
fffff8005ba20000 fffff8005babc000 clipsp (deferred)
fffff8005bac0000 fffff8005bb9c000 Wdf01000 (deferred)
fffff8005bba0000 fffff8005bbb3000 WDFLDR (deferred)
fffff8005bbc0000 fffff8005bbe3000 acpiex (deferred)
fffff8005bbf0000 fffff8005bbfd000 WppRecorder (deferred)
fffff8005bc00000 fffff8005bc98000 cng (deferred)
fffff8005bca0000 fffff8005bd30000 ACPI (deferred)
fffff8005bd30000 fffff8005bd3c000 WMILIB (deferred)
fffff8005bd50000 fffff8005bd6f000 WindowsTrustedRT (deferred)
fffff8005bd70000 fffff8005bd7b000 WindowsTrustedRTProxy (deferred)
fffff8005bd80000 fffff8005bd92000 pcw (deferred)
fffff8005bda0000 fffff8005bdab000 msisadrv (deferred)
fffff8005bdb0000 fffff8005be05000 pci (deferred)
fffff8005be10000 fffff8005be1f000 vdrvroot (deferred)
fffff8005be20000 fffff8005be3e000 pdc (deferred)
fffff8005be40000 fffff8005be59000 CEA (deferred)
fffff8005be60000 fffff8005be82000 partmgr (deferred)
fffff8005be90000 fffff8005beb8000 vmbus (deferred)
fffff8005bec0000 fffff8005bed8000 vmbkmcl (deferred)
fffff8005bee0000 fffff8005beef000 winhv (deferred)
fffff8005bef0000 fffff8005c016000 NDIS (deferred)
fffff8005c020000 fffff8005c096000 NETIO (deferred)
fffff8005c0a0000 fffff8005c0ab000 intelide (deferred)
fffff8005c0b0000 fffff8005c0c1000 PCIIDEX (deferred)
fffff8005c0d0000 fffff8005c148000 spaceport (deferred)
fffff8005c150000 fffff8005c168000 volmgr (deferred)
fffff8005c170000 fffff8005c1ce000 volmgrx (deferred)
fffff8005c1d0000 fffff8005c1ed000 mountmgr (deferred)
fffff8005c1f0000 fffff8005c1fc000 atapi (deferred)
fffff8005c200000 fffff8005c235000 ataport (deferred)
fffff8005c240000 fffff8005c25c000 EhStorClass (deferred)
fffff8005c260000 fffff8005c279000 fileinfo (deferred)
fffff8005c280000 fffff8005c2b8000 Wof (deferred)
fffff8005c2c0000 fffff8005c30b000 WdFilter (deferred)
fffff8005c360000 fffff8005c37d000 mcupdate_AuthenticAMD (deferred)
fffff8005c380000 fffff8005c390000 werkernel (deferred)
fffff8005c390000 fffff8005c3f4000 CLFS (deferred)
fffff8005c400000 fffff8005c65f000 tcpip (deferred)
fffff8005c660000 fffff8005c6c6000 fwpkclnt (deferred)
fffff8005c6d0000 fffff8005c6fa000 wfplwfs (deferred)
fffff8005c700000 fffff8005c710000 vmstorfl (deferred)
fffff8005c710000 fffff8005c7af000 fvevol (deferred)
fffff8005c7b0000 fffff8005c810000 volsnap (deferred)
fffff8005c810000 fffff8005c854000 rdyboost (deferred)
fffff8005c860000 fffff8005c883000 mup (deferred)
fffff8005c8a0000 fffff8005c8be000 disk (deferred)
fffff8005c8c0000 fffff8005c920000 CLASSPNP (deferred)
fffff8005c940000 fffff8005c959000 crashdmp (deferred)
fffff8005c970000 fffff8005c97f000 dump_dumpata (deferred)
fffff8005c990000 fffff8005c99c000 dump_atapi (deferred)
fffff8005c9c0000 fffff8005c9da000 dump_dumpfve (deferred)
fffff8005c9e0000 fffff8005ca11000 cdrom (deferred)
fffff8005ca20000 fffff8005ca3c000 filecrypt (deferred)
fffff8005ca40000 fffff8005ca4c000 tbs (deferred)
fffff8005ca50000 fffff8005ca5a000 Null (deferred)
fffff8005ca60000 fffff8005ca6a000 Beep (deferred)
fffff8005ca70000 fffff8005ca84000 BasicDisplay (deferred)
fffff8005ca90000 fffff8005caa5000 watchdog (deferred)
fffff8005cab0000 fffff8005cc9a000 dxgkrnl (deferred)
fffff8005d270000 fffff8005d481000 NTFS (deferred)
fffff8005d490000 fffff8005d49e000 storvsc (deferred)
fffff8005d4a0000 fffff8005d511000 storport (deferred)
fffff8005d520000 fffff8005d52d000 Fs_Rec (deferred)
fffff8005d530000 fffff8005d55d000 ksecpkg (deferred)
fffff80083780000 fffff8008378e000 kdcom (deferred)
fffff8008460b000 fffff80084e5d000 nt (pdb symbols)
fffff80084e5d000 fffff80084ece000 hal (deferred)
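The post above is working post-mortem because the test hosts cannot attach a live kernel debugger. What follows is an added PowerShell example, not code from the thread or from the Debugging Tools, that scripts that same triage: it runs kd.exe over a saved dump and pulls out the !analyze -v fields that matter for a 0xD1, then flags the two things visible in the dump above (Arg2 = 0xff with DISABLED_INTERRUPT_FAULT while the PCR IRQL is 0, and Arg1 equal to Arg4, i.e. the faulting address is the instruction pointer). The kd.exe path and symbol path are assumptions; the field names are the ones !analyze -v prints. The sample text at the bottom is constructed from the fields of the dump posted above so the parser can be exercised without kd.exe.

```powershell
# Added example (not from the thread). Assumptions: kd.exe at $KdPath, symbols via $SymbolPath.
function ConvertFrom-AnalyzeOutput {
    param([Parameter(Mandatory)] [string] $Text)

    $wanted = 'BUGCHECK_P1', 'BUGCHECK_P2', 'BUGCHECK_P3', 'BUGCHECK_P4', 'CURRENT_IRQL',
              'BUGCHECK_STR', 'PROCESS_NAME', 'SYMBOL_NAME', 'FAILURE_BUCKET_ID'
    $fields = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # !analyze -v prints "NAME:  value" lines (padding spaces show up as '?' in mail pastes).
        if ($line -match '^\s*([A-Z0-9_]+):\s*(.*?)\s*$' -and $wanted -contains $Matches[1]) {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    # The bugcheck name and hex code come from the first "NAME (code)" line.
    if ($Text -match '(?m)^([A-Z_]+) \(([0-9a-f]+)\)\s*$') {
        $fields['BUGCHECK_NAME'] = $Matches[1]
        $fields['BUGCHECK_CODE'] = $Matches[2]
    }

    $hex = { param($s) if ($s) { [Convert]::ToInt64($s, 16) } else { -1 } }
    $irqlArg = & $hex $fields['BUGCHECK_P2']     # Arg2 as reported to KeBugCheckEx
    $irqlPcr = & $hex $fields['CURRENT_IRQL']    # what !irql reads from the PCR

    $notes = New-Object System.Collections.Generic.List[string]
    if ($irqlArg -gt 15) {
        $notes.Add(('Arg2 0x{0:x} is above the highest x64 IRQL (15); it is not a real thread IRQL.' -f $irqlArg))
    }
    if ($fields['BUGCHECK_STR'] -eq 'DISABLED_INTERRUPT_FAULT') {
        $notes.Add(('Trap taken with interrupts disabled; CURRENT_IRQL={0} is the PCR value to reason from.' -f $irqlPcr))
    }
    if ($fields['BUGCHECK_P1'] -and $fields['BUGCHECK_P1'] -eq $fields['BUGCHECK_P4']) {
        $notes.Add('Referenced address == faulting IP: execution jumped to unmapped memory (BAD_IP). Check lm for a module that covered this address, or for discarded INIT code.')
    }

    $op = if ($fields['BUGCHECK_P3'] -eq '1') { 'write' } else { 'read' }
    [pscustomobject]@{
        Bugcheck   = '{0} (0x{1})' -f $fields['BUGCHECK_NAME'], $fields['BUGCHECK_CODE']
        Address    = $fields['BUGCHECK_P1']
        Operation  = $op
        FaultingIp = $fields['BUGCHECK_P4']
        IrqlArg    = $irqlArg
        IrqlPcr    = $irqlPcr
        Process    = $fields['PROCESS_NAME']
        Bucket     = $fields['FAILURE_BUCKET_ID']
        Notes      = $notes
    }
}

function Get-BugcheckTriage {
    param(
        [Parameter(Mandatory)] [string] $DumpPath,
        [string] $KdPath     = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe',   # assumption
        [string] $SymbolPath = 'srv*C:\symbols*https://msdl.microsoft.com/download/symbols'      # assumption
    )
    if (-not (Test-Path -LiteralPath $DumpPath)) { throw "Dump not found: $DumpPath" }
    # -z opens the dump, -y sets the symbol path, -c runs the commands and q quits.
    $kdArgs = @('-z', $DumpPath, '-y', $SymbolPath, '-c', '!analyze -v; !irql; q')
    $text = & $KdPath @kdArgs 2>&1 | Out-String
    ConvertFrom-AnalyzeOutput -Text $text
}

# Constructed sample: the fields of the dump posted in this thread, for an offline run.
$sample = @'
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
BUGCHECK_P1: fffff80000263070
BUGCHECK_P2: ff
BUGCHECK_P3: 0
BUGCHECK_P4: fffff80000263070
CURRENT_IRQL:  0
BUGCHECK_STR:  DISABLED_INTERRUPT_FAULT
PROCESS_NAME:  System
FAILURE_BUCKET_ID:  DISABLED_INTERRUPT_FAULT_CODE_AV_BAD_IP_nt!KiPageFault
'@
ConvertFrom-AnalyzeOutput -Text $sample | Format-List
```

On a real host replace the sample call with `Get-BugcheckTriage -DumpPath C:\Windows\MEMORY.DMP`; kd.exe needs the same symbol access the interactive session had, otherwise SYMBOL_NAME and the bucket come back unresolved.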

Boot it with the debugger connected in verbose mode.
The bugcheck happens during boot-loadable driver load.

All signs point to access to code or data in INIT section after it was unloaded.

Yeah that’s what I’d hope to do, however this is happening in our automated
test environment which doesn’t have the ability to attach kernel debuggers,
so I have to make do with post-mortem.

I’m not sure why this would happen in driver load phase. This is a clean
Windows install and my driver isn’t a boot driver so it shouldn’t be loading
in safe mode.


Do you have INIT section?

Just a quick follow up on this.

We’ve found the reason for the crash, although I haven’t yet done any
research as to why it was happening, I was pretty surprised at the cause.

Our automation system was inadvertently setting debug=yes in the BCD from an
earlier debugging requirement. This is fine normally, however when secure
boot was turned on it was bugchecking the OS. This was happening in safe
mode too. I’m not sure if this is a Microsoft bug or if it’s by design, but
due to the bugcheck code I’d lean towards it being a bug.

I haven’t reproduced it locally as I use vmware workstation which doesn’t
have secure boot functionality. However it was reproducible in all of our
hyper-v automation VMs when secure boot was turned on. It went away when we
turned secure boot off.

We’ve now obviously removed the BCD entry and all is well.

Ged.
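Given the root cause reported above (a stale debug=yes left in the BCD by automation, on Secure Boot guests), here is an added PowerShell check, not code from the thread, that a provisioning step can run inside the guest before reboot. It reads the current boot entry with `bcdedit /enum {current}`, queries Secure Boot state with `Confirm-SecureBootUEFI`, and reports the conflicting combination, optionally clearing it with `bcdedit /debug off`. Assumptions: it runs elevated, bcdedit output is in English, and the SecureBoot module is available (it throws on BIOS/legacy VMs, which the code treats as "unknown").

```powershell
# Added example (not from the thread). Assumes an elevated session and English bcdedit output.
function Get-BcdDebugState {
    param(
        [string] $BcdStore = '',   # empty = live system store; otherwise a path passed to bcdedit /store
        [switch] $Fix              # clear the kernel debug flag if it conflicts with Secure Boot
    )

    $bcdArgs = @('/enum', '{current}')
    if ($BcdStore) { $bcdArgs = @('/store', $BcdStore) + $bcdArgs }
    $text = & bcdedit.exe @bcdArgs 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed: $text" }

    # bcdedit prints one "name<spaces>value" pair per line; "debug  Yes" is the kernel debugger flag.
    $kernelDebug = [bool]($text -match '(?mi)^debug\s+Yes\s*$')
    $bootDebug   = [bool]($text -match '(?mi)^bootdebug\s+Yes\s*$')

    # $null means the question could not be answered (not UEFI, or module missing).
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $secureBoot = $null }

    $conflict = $kernelDebug -and ($secureBoot -eq $true)
    if ($conflict -and $Fix -and -not $BcdStore) {
        # Turning the flag off is allowed even where turning it on is refused under Secure Boot.
        & bcdedit.exe /debug off | Out-Null
        if ($LASTEXITCODE -eq 0) { $kernelDebug = $false; $conflict = $false }
    }

    [pscustomobject]@{
        KernelDebug = $kernelDebug
        BootDebug   = $bootDebug
        SecureBoot  = $secureBoot
        Conflict    = $conflict
    }
}

$state = Get-BcdDebugState
if ($state.Conflict) {
    Write-Warning 'BCD has debug=Yes while Secure Boot is on; run Get-BcdDebugState -Fix before rebooting.'
}
$state
```

Pass `-BcdStore` with the path to a mounted VHD's BCD to audit an image offline; the `-Fix` path is only taken against the live store, since `bcdedit /debug off` does not accept `/store`.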


Hi,

You will not be able to set Debug=yes in a secure boot environment (unless you somehow have a Debug-signed policy). BCDedit will actually give you an error. So something seems to have gone awry with this machine or maybe its firmware…