nt!KiUnwaitThread BSOD

Hi All,
I am facing a trivial problem. One of my client's test machines (VM
Win2k3 x86) gave a strange BSOD. I looked through the dump but am not able to
find the source.
Strange thing is the dump shows the faulty driver name as ntkrnlpa.exe. The
dump shows during some timer expiration the BSOD appeared but I am not using
any timer object in my code. The stack trace is also not giving any clue why
the BSOD appeared. I tried to reproduce the same with the same driver
installed but no luck. Can anybody help me to deduce the source of this BSOD
from the dump?
What does this nt!KiTimerExpiration function do?
I searched for help but all the results say that there is some memory
leakage on the system. Can anybody help me with this?

The dump is as follows:
kd> !analyze -v
ERROR: FindPlugIns 8007007b
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8082e981, address which referenced memory

Debugging Details:

CURRENT_IRQL: 2

FAULTING_IP:
nt!KiUnwaitThread+13
8082e981 897204 mov [edx+0x4],esi

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 8082e981 to 80886099

STACK_TEXT:
8089448c 8082e981 badb0d00 00000000 808944b0 nt!KiTrap0E+0x2a1
80894504 8082eebb 00000000 ffdffa40 ffdff120 nt!KiUnwaitThread+0x13
808945b0 8082f51d 00000000 00000000 02016a7b nt!KiTimerExpiration+0x12f
80894600 808873c7 00000000 0000000e 00000000 nt!KiRetireDpcList+0x65
80894604 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x2f

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
nt!KiUnwaitThread+13
8082e981 897204 mov [edx+0x4],esi

FAULTING_SOURCE_CODE:

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!KiUnwaitThread+13

MODULE_NAME: nt

IMAGE_NAME: ntkrnlpa.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 42435b14

FAILURE_BUCKET_ID: 0xA_W_nt!KiUnwaitThread+13

BUCKET_ID: 0xA_W_nt!KiUnwaitThread+13

Followup: MachineOwner

Thanks,
GIRI

Giri wrote:

> Hi All,
> I am facing a trivial problem. One of my client's test machines (VM
> Win2k3 x86) gave a strange BSOD. I looked through the dump but am not able
> to find the source.
> Strange thing is the dump shows the faulty driver name as ntkrnlpa.exe.

That’s the NT kernel for a machine with the Intel PAE extensions enabled.

> The dump shows during some timer expiration the BSOD appeared but I am
> not using any timer object in my code. The stack trace is also not
> giving any clue why the BSOD appeared. I tried to reproduce the same
> with the same driver installed but no luck. Can anybody help me to
> deduce the source of this BSOD from the dump?
> What does this nt!KiTimerExpiration function do?

Surely you can guess that from the name and the stack trace. It’s
scanning through its list of pending timers, looking for the timers
that have expired so that it can fire off the appropriate DPC.

> I searched for help but all the results say that there is some
> memory leakage on the system. Can anybody help me with this?

The usual cause of a crash like this is that someone freed the memory
for a kernel timer without first stopping the timer. When the timer
expired and the kernel went to look at the structure to schedule the
callback, the KTIMER memory had been zeroed, resulting in the bad
pointer you see here.

This could also be the result of writing into random memory, such as
clearing a buffer that had been freed, or clearing more bytes than had
been allocated. You should probably run this with the driver verifier
to validate all of the pool allocations.

It is also possible, of course, that it wasn’t your driver’s fault.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
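
An added example, not code from either poster: a user-mode C model of the scenario described in the reply, showing why a list entry that is zeroed while still queued produces a write to address 4, which matches Arg1 (00000004) and the `mov [edx+0x4],esi` at nt!KiUnwaitThread+13. It assumes the faulting store is the Flink->Blink write of a doubly linked list unlink; the tiny 32-bit address model and all names in it are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* User-mode model only; names and addresses are constructed for illustration.
 * x86 LIST_ENTRY layout: Flink at +0, Blink at +4 (32-bit pointers). */
#define FLINK 0u
#define BLINK 4u
#define HEAD  16u          /* constructed address of the list head */
#define TIMER 32u          /* constructed address of the queued entry */
#define NO_FAULT 0xFFFFFFFFu

static uint32_t mem[16];   /* tiny 32-bit "address space"; address 0 is NULL */
static uint32_t rd(uint32_t a) { return mem[a / 4]; }
static void wr(uint32_t a, uint32_t v) { mem[a / 4] = v; }
static void init_head(void) { wr(HEAD + FLINK, HEAD); wr(HEAD + BLINK, HEAD); }
int list_is_empty(void) { return rd(HEAD + FLINK) == HEAD && rd(HEAD + BLINK) == HEAD; }

static void insert_tail(uint32_t e) {
    uint32_t last = rd(HEAD + BLINK);
    wr(e + FLINK, HEAD); wr(e + BLINK, last);
    wr(last + FLINK, e); wr(HEAD + BLINK, e);
}

/* Unlink e. Returns the address of the store that would fault, or NO_FAULT. */
static uint32_t unlink_entry(uint32_t e) {
    uint32_t f = rd(e + FLINK), b = rd(e + BLINK);
    if (f == 0) return f + BLINK;   /* Flink->Blink = Blink with Flink == NULL */
    wr(f + BLINK, b);
    wr(b + FLINK, f);
    return NO_FAULT;
}

/* Bug: entry zeroed (freed or overwritten) while still queued, unlinked later. */
uint32_t free_without_cancel(void) {
    init_head(); insert_tail(TIMER);
    wr(TIMER + FLINK, 0); wr(TIMER + BLINK, 0);
    return unlink_entry(TIMER);
}

/* Correct order: unlink (cancel) first, only then release the memory. */
uint32_t cancel_then_free(void) {
    init_head(); insert_tail(TIMER);
    uint32_t r = unlink_entry(TIMER);
    wr(TIMER + FLINK, 0); wr(TIMER + BLINK, 0);
    return r;
}

int main(void) {
    printf("free without cancel: fault at %08x\n", (unsigned)free_without_cancel());
    printf("cancel then free: %s\n", cancel_then_free() == NO_FAULT ? "ok" : "fault");
    return 0;
}
```

In the buggy order the list head still points at the zeroed entry afterwards, which is why the fault surfaces later inside the kernel's own list walk rather than in the driver that released the memory.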