DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

wesley · September 17, 2013, 7:52am

Loading User Symbols

Loading unloaded module list
............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {b03a9890, 2, 0, b434c170}

*** ERROR: Module load completed but symbols could not be loaded for RwDrv.sys
Probably caused by : RwDrv.sys ( RwDrv+2170 )

Followup: MachineOwner

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: b03a9890, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: b434c170, address which referenced memory

Debugging Details:

READ_ADDRESS: b03a9890 Paged pool

CURRENT_IRQL: 2

FAULTING_IP:
RwDrv+2170
b434c170 ff7708 push dword ptr [edi+8]

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: System

TRAP_FRAME: b2f1db68 -- (.trap 0xffffffffb2f1db68)
ErrCode = 00000000
eax=b2f1dcd0 ebx=b2f1dc7c ecx=000000d8 edx=00003ff8 esi=b03a9a9c edi=b03a9888
eip=b434c170 esp=b2f1dbdc ebp=b2f1dbf8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
RwDrv+0x2170:
b434c170 ff7708 push dword ptr [edi+8] ds:0023:b03a9890=94983ab0
Resetting default scope

LAST_CONTROL_TRANSFER: from 825a1d9b to 825285e0

STACK_TEXT:
b2f1db48 825a1d9b 0000000a b03a9890 00000002 nt!KiBugCheck2
b2f1db48 b434c170 0000000a b03a9890 00000002 nt!KiTrap0E+0x1b3
WARNING: Stack unwind information not available. Following frames may be wrong.
b2f1dbf8 8270f4af 00f1dc7c aa428950 b2bb3c3c RwDrv+0x2170
b2f1dc40 826feafc b2f1dc7c b2f1dc60 b2bb3be8 nt!PnpNotifyDriverCallback+0x6e
b2f1dcac 826ffe95 b2bb3c3c 82638578 a7a2ba00 nt!PnpNotifyDeviceClassChange+0x1f1
b2f1dcdc 8248a1c9 b0f3f078 a7a2ba00 00000000 nt!PnpDeviceEventWorker+0x22a
b2f1dd34 824b9b1b 00010000 e83681b3 00000000 nt!ExpWorkerThread+0x111
b2f1dd70 825a3579 8248a0bc 00010000 00000000 nt!PspSystemThreadStartup+0x4a
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

STACK_COMMAND: kb

FOLLOWUP_IP:
RwDrv+2170
b434c170 ff7708 push dword ptr [edi+8]

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: RwDrv+2170

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: RwDrv

IMAGE_NAME: RwDrv.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 51a0b658

FAILURE_BUCKET_ID: AV_VRF_RwDrv+2170

BUCKET_ID: AV_VRF_RwDrv+2170

Followup: MachineOwner

Follwing are some my analyzing results:

a6f24af8 821244af 00f24b7c 8ac81fa0 8b5826ac RwDrv+0x2170
a6f24b40 82113afc a6f24b7c a6f24b60 8b582658 nt!PnpNotifyDriverCallback+0x6e
a6f24bac 82114e95 8b5826ac 8204d578 aea28800 nt!PnpNotifyDeviceClassChange+0x1f1
a6f24bdc 81e9f1c9 b143d6a8 aea28800 00000000 nt!PnpDeviceEventWorker+0x22a
a6f24c34 81eceb1b 00010000 15da6966 00000000 nt!ExpWorkerThread+0x111
a6f24c70 81fb8579 81e9f0bc 00010000 00000000 nt!PspSystemThreadStartup+0x4a
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
2.
TRAP_FRAME: a6f24a68 -- (.trap 0xffffffffa6f24a68)
ErrCode = 00000000
eax=a6f24bd0 ebx=a6f24b7c ecx=000000d8 edx=00003ff8 esi=8b479bec edi=8b4799d8
eip=b77ca170 esp=a6f24adc ebp=a6f24af8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
RwDrv+0x2170:
b77ca170 ff7708 push dword ptr [edi+8] ds:0023:8b4799e0=e499478b
3.
!pool 8b4799e0

8b479968 size: 68 previous size: 38 (Allocated) FIcs
*8b4799d0 size: 228 previous size: 68 (Allocated) *joid
Owning component : Unknown (update pooltag.txt)
8b479bf8 size: 8 previous size: 228 (Free) Free

!pool 8b5826ac
8b582638 size: 18 previous size: 20 (Allocated) CMIn
*8b582650 size: 158 previous size: 18 (Allocated) *PnpK
Pooltag PnpK : PNPMGR device event entry, Binary : nt!pnp
8b5827a8 size: 20 previous size: 158 (Allocated) PnpX

0: kd> dc 8b4799d0 L100
8b4799d0 0645080d 64696f6a 00000003 00da00d8 ..E.joid........
8b4799e0 8b4799e4 003f005c 005c003f 00530055 ..G..?.?..U.S.
8b4799f0 00530042 004f0054 00230052 00690044 B.S.T.O.R.#.D.i.
8b479a00 006b0073 00560026 006e0065 0026005f s.k.&.V.e.n..&.
8b479a10 00720050 0064006f 0050005f 00740061 P.r.o.d..P.a.t.
8b479a20 00690072 0074006f 004d005f 006d0065 r.i.o.t..M.e.m.
8b479a30 0072006f 00260079 00650052 005f0076 o.r.y.&.R.e.v..
8b479a40 004d0050 00500041 00300023 00300037 P.M.A.P.#.0.7.0.
8b479a50 00320038 00430039 00420046 00330039 8.2.9.C.F.B.9.3.
8b479a60 00330046 00350033 00260035 00230030 F.3.3.5.5.&.0.#.
8b479a70 0035007b 00660033 00360035 00300033 {.5.3.f.5.6.3.0.
8b479a80 002d0037 00360062 00660062 0031002d 7.-.b.6.b.f.-.1.
8b479a90 00640031 002d0030 00340039 00320066 1.d.0.-.9.4.f.2.
8b479aa0 0030002d 00610030 00630030 00310039 -.0.0.a.0.c.9.1.
8b479ab0 00660065 00380062 007d0062 00000000 e.f.b.8.b.}.....
8b479ac0 00000000 00000000 00000000 00000000 ................
kd> dc 8b582650 L100
8b582650 062b0403 4b706e50 8b582658 8b582658 ..+.PnpKX&X.X&X.
8b582660 00000000 00000000 00000000 00000000 ................
8b582670 00000000 00000000 00000001 00000000 ................
8b582680 00000000 00000000 cb3a4005 11d046f0 .........@:..F..
8b582690 60008fb0 3f051397 00000002 00000000 ...`...?........
8b5826a0 00000000 0000011c 00000000 53f56307 .............c.S
8b5826b0 11d0b6bf a000f294 8bfb1ec9 003f005c .............?.
8b5826c0 005c003f 00530055 00530042 004f0054 ?..U.S.B.S.T.O.
8b5826d0 00230052 00690044 006b0073 00560026 R.#.D.i.s.k.&.V.
8b5826e0 006e0065 0026005f 00720050 0064006f e.n._.&.P.r.o.d.
8b5826f0 0050005f 00740061 00690072 0074006f _.P.a.t.r.i.o.t.
8b582700 004d005f 006d0065 0072006f 00260079 .M.e.m.o.r.y.&.
8b582710 00650052 005f0076 004d0050 00500041 R.e.v..P.M.A.P.
8b582720 00300023 00300037 00320038 00430039 #.0.7.0.8.2.9.C.
8b582730 00420046 00330039 00330046 00350033 F.B.9.3.F.3.3.5.
8b582740 00260035 00230030 0035007b 00660033 5.&.0.#.{.5.3.f.
8b582750 00360035 00300033 002d0037 00360062 5.6.3.0.7.-.b.6.
8b582760 00660062 0031002d 00640031 002d0030 b.f.-.1.1.d.0.-.
8b582770 00340039 00320066 0030002d 00610030 9.4.f.2.-.0.0.a.
8b582780 00630030 00310039 00660065 00380062 0.c.9.1.e.f.b.8.
8b582790 007d0062 00000000 00000000 00000000 b.}.............
8b5827a0 00000000 00000000 0604042b 58706e50 ........+...PnpX
8b5827b0 911995d0 911e1fa8 8291c600 00000000 ................

kd> !devnode 0 1
InstancePath is "STORAGE\Volume_??USBSTOR#Disk&Ven&Prod_Patriot_Memory&Rev_PMAP#070829CFB93F3355&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"

!usb_tree

!device_info 0xbe138850, !devstack c336e108
Current Device State: WaitingForPDOReportedMissing.WaitingForDevicePortEventsWithPortOff
Desc: Patriot Memory
USB\VID_13FE&PID_3100&REV_0100 Phison Electronics Corp.
!ucx_device 0xbe546ee8 !xhci_deviceslots 0x8897cff0 0 !xhci_info 0x8897cff0
***Orphaned Device - may be due to open handle ***

another BSOD also happened when access the memory with content with:
USBSTOR#Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP#070829CFB93F3355&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"

How to dig into this BSOD?
Does it related to RwDrv.SYS or any other driver, such as USBStor.sys
Or does my hardware have issue?

Daniel_Terhell · September 17, 2013, 8:04am

>Probably caused by : RwDrv.sys ( RwDrv+2170 )

Looks like the RW utility is crashing your system. I would look for an
update or contact the author.

//Daniel

wesley · September 18, 2013, 1:15am

Why the blue screen always happen (in my lab, twice) when access the memory with content “USBSTOR#Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP#070829CFB93F3355&0#{53f56307-b6bf-
11d0-94f2-00a0c91efb8b}”

OSR_Community_User · September 18, 2013, 1:27am

Because something is wrong?

You need to give a LOT more information on what is going on here!
joe

Why the blue screen always happen (in my lab, twice) when access the
memory with content
“USBSTOR#Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP#070829CFB93F3355&0#{53f56307-b6bf-
11d0-94f2-00a0c91efb8b}”

NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Daniel_Terhell · September 18, 2013, 3:40am

Because the support utility appears to have a bug reading from paged pool at
elevated IRQL. Have you tried reproducing the problem without RW running
(and RwDrv.sys unloaded) ? If not, why do you care ?

//Daniel

Why the blue screen always happen (in my lab, twice) when access the memory
with content
“USBSTOR#Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP#070829CFB93F3355&0#{53f56307-b6bf-
11d0-94f2-00a0c91efb8b}”

wesley · September 18, 2013, 10:09pm

I try to dig out the BSOD root cause.
It is a practice for all windows driver developers.