TDI Filter driver throwing random 7e bugcheck at same function.

Hello,

I am facing random 7E bugchecks with my TDI filter driver. It occurs only on some Win7 machines (2-3 times a week). The callstack is always the same.
If I check the IRP from the callstack arguments, it says “IRP signature does not match, probably not an IRP”. This makes me think that some other driver is corrupting the IRP.
Is there any way I can find which driver is corrupting the IRP?

Callstack:
0: kd> kP
Child-SP RetAddr Call Site
fffff8800452f0c8 fffff80003a05614 nt!KeBugCheckEx
fffff8800452f0d0 fffff800039c0231 nt!PspUnhandledExceptionInSystemThread+0x24
fffff8800452f110 fffff800036bec4c nt! ?? ::NNGAKEGL::string'+0x221d
fffff8800452f140 fffff800036be6cd nt!_C_specific_handler+0x8c
fffff8800452f1b0 fffff800036bd4a5 nt!RtlpExecuteHandlerForException+0xd
fffff8800452f1e0 fffff800036ce431 nt!RtlDispatchException+0x415
fffff8800452f8c0 fffff80003692542 nt!KiDispatchException+0x135
fffff8800452ff60 fffff800036910ba nt!KiExceptionDispatch+0xc2
fffff88004530140 fffff88004e1e800 nt!KiPageFault+0x23a
fffff880045302d8 fffff88004e82893 afd!AfdCheckAndReferenceEndpoint+0x2
fffff880045302e0 fffff88009e76704 afd!AfdReceiveDatagramEventHandler+0x53
fffff880045303d0 fffff880032588b0 ngfilter!SimulateReceiveDatagram(
    void * context = 0x0000000000000000,
    class IpEndPoint * srcIp = 0xfffffa800924ee01,
    void * buffer = 0xfffffa800924ed10,
    unsigned long bufferSize = 0x26)+0xd0 [g:\autobuilder..\client\ngfilter\tdidispatch.cpp @ 756]
fffff880045304d0 fffff88003258bdb ngvpn!FilterDnRequest(
    struct _IRP * irp = 0xfffffa8004e9c000,
    struct _IO_STACK_LOCATION * ios = 0xfffffa8009322a00,
    class IpEndPoint * ipe = 0xfffffa8009322920,
    struct TdiIrpData * irpData = 0xfffff8800325d2d0,
    unsigned long * bytesDiscarded = 0xfffff880045308e0)+0x1b0 [g:\autobuilder\..\client\ngvpn\rthread.cpp @ 403]
fffff880045308a0 fffff80003931b8a ngvpn!RouteThread(
    void * data = 0x000000000200d418)+0x29b [g:\autobuilder..\client\ngvpn\rthread.cpp @ 219]
fffff88004530c00 fffff800036848e6 nt!PspSystemThreadStartup+0x5a
fffff88004530c40 0000000000000000 nt!KxStartSystemThread+0x16

0: kd> !irp 0xfffffa80`04e9c000
IRP signature does not match, probably not an IRP. Use any flag to force.

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff88004e1e800, The address that the exception occurred at
Arg3: fffff88004530098, Exception Record Address
Arg4: fffff8800452f8f0, Context Record Address

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
afd!AfdCheckAndReferenceEndpoint+2
fffff880`04e1e800 8b4138 mov eax,dword ptr [rcx+38h]

EXCEPTION_RECORD: fffff88004530098 -- (.exr 0xfffff88004530098)
ExceptionAddress: fffff88004e1e800 (afd!AfdCheckAndReferenceEndpoint+0x0000000000000002)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000038
Attempt to read from address 0000000000000038

CONTEXT: fffff8800452f8f0 -- (.cxr 0xfffff8800452f8f0;r)
rax=ffff000000b0a1ee rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000022 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88004e1e800 rsp=fffff880045302d8 rbp=fffff88004530438
r8=fffff88004530460 r9=0000000000000000 r10=fffff88004530460
r11=0000000000000022 r12=fffffa80092a3070 r13=fffff88004530430
r14=fffffa800924ed88 r15=fffff88004530a80
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010286
afd!AfdCheckAndReferenceEndpoint+0x2:
fffff88004e1e800 8b4138 mov eax,dword ptr [rcx+38h] ds:002b:0000000000000038=???
Last set context:
rax=ffff000000b0a1ee rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000022 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88004e1e800 rsp=fffff880045302d8 rbp=fffff88004530438
r8=fffff88004530460 r9=0000000000000000 r10=fffff88004530460
r11=0000000000000022 r12=fffffa80092a3070 r13=fffff88004530430
r14=fffffa800924ed88 r15=fffff88004530a80
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010286
afd!AfdCheckAndReferenceEndpoint+0x2:
fffff88004e1e800 8b4138 mov eax,dword ptr [rcx+38h] ds:002b:0000000000000038=???
Resetting default scope

PROCESS_NAME: System

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 0000000000000038

READ_ADDRESS: 0000000000000038

FOLLOWUP_IP:
ngfilter!SimulateReceiveDatagram+d0 [g:\autobuilder..\client\ngfilter\tdidispatch.cpp @ 756]
fffff880`09e76704 3d160000c0 cmp eax,0C0000016h

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre

LAST_CONTROL_TRANSFER: from fffff88004e82893 to fffff88004e1e800

STACK_TEXT:
fffff880045302d8 fffff88004e82893 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : afd!AfdCheckAndReferenceEndpoint+0x2
fffff880045302e0 fffff88009e76704 : 0000000000000026 fffff880045303e0 fffff88004530400 0000000000000801 : afd!AfdReceiveDatagramEventHandler+0x53
fffff880045303d0 fffff880032588b0 : 0000000000000000 fffffa800924ee01 fffffa800924ed10 0000000000000026 : ngfilter!SimulateReceiveDatagram+0xd0 [g:\autobuilder..\client\ngfilter\tdidispatch.cpp @ 756]
fffff880045304d0 fffff88003258bdb : fffffa8004e9c000 fffffa8009322a00 fffffa8009322920 fffff8800325d2d0 : ngvpn!FilterDnRequest+0x1b0 [g:\autobuilder\builds..\client\ngvpn\rthread.cpp @ 403]
fffff880045308a0 fffff80003931b8a : 000000000200d418 fffffa800b285040 0000000000000080 fffffa8004e9c040 : ngvpn!RouteThread+0x29b [g:\autobuilder\builds..\client\ngvpn\rthread.cpp @ 219]
fffff88004530c00 fffff800036848e6 : fffff8000380fe80 fffffa800b285040 fffff8000381dcc0 0000000000000000 : nt!PspSystemThreadStartup+0x5a
fffff88004530c40 0000000000000000 : fffff88004531000 fffff8800452b000 fffff880045300b0 0000000000000000 : nt!KxStartSystemThread+0x16

FAULTING_SOURCE_LINE: g:\autobuilder..\client\ngfilter\tdidispatch.cpp

FAULTING_SOURCE_FILE: g:\autobuilder..\client\ngfilter\tdidispatch.cpp

FAULTING_SOURCE_LINE_NUMBER: 756

FAULTING_SOURCE_CODE:
752: buffer,
753: &recvIrp
754: );
755:

756: if (status == STATUS_MORE_PROCESSING_REQUIRED && recvIrp) {
757:
758: // complete the receive datagram IRP
759: //
760: ULONG bytesRemaining = bufferSize - bytesTaken;
761: PIO_STACK_LOCATION recvIos = IoGetCurrentIrpStackLocation(recvIrp);

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: ngfilter!SimulateReceiveDatagram+d0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ngfilter

IMAGE_NAME: ngfilter.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5484fc44

STACK_COMMAND: .cxr 0xfffff8800452f8f0 ; kb

FAILURE_BUCKET_ID: X64_0x7E_ngfilter!SimulateReceiveDatagram+d0

BUCKET_ID: X64_0x7E_ngfilter!SimulateReceiveDatagram+d0

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:x64_0x7e_ngfilter!simulatereceivedatagram+d0

FAILURE_ID_HASH: {e7f07498-b6e2-2d50-a054-20587bb9dab5}

Followup: MachineOwner
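
Added example (not part of the original post, and not the driver's own code): a small triage script that reads the faulting instruction and the .cxr registers from the dump above and checks whether the faulting read is a field access through a NULL base register. The helper name triage, the DUMP excerpt (trimmed from the output above) and the 64 KiB threshold are assumptions of this example.

```python
import re

# Excerpt constructed by trimming the !analyze -v output in the post above.
DUMP = """\
FAULTING_IP:
afd!AfdCheckAndReferenceEndpoint+2
fffff880`04e1e800 8b4138 mov eax,dword ptr [rcx+38h]

CONTEXT: (.cxr 0xfffff8800452f8f0;r)
rax=ffff000000b0a1ee rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000022 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88004e1e800 rsp=fffff880045302d8 rbp=fffff88004530438

READ_ADDRESS: 0000000000000038
"""

REG = re.compile(r"\b(r[a-z0-9]{1,2})=([0-9a-f`]{8,17})\b")
MEM = re.compile(r"\[(r[a-z0-9]{1,2})(?:\+([0-9a-f]+)h)?\]")
READ = re.compile(r"^READ_ADDRESS:\s*([0-9a-f`]+)", re.M)

# Heuristic threshold (assumption of this example): an address in the first
# 64 KiB is treated as "NULL pointer plus a structure field offset".
NULL_REGION = 0x10000


def hexval(text):
    """Parse a WinDbg hex value, tolerating the ` separator."""
    return int(text.replace("`", ""), 16)


def triage(text):
    """Classify the memory operand of the faulting instruction in a dump."""
    regs = {name: hexval(val) for name, val in REG.findall(text)}
    # The first bracketed operand after FAULTING_IP is the faulting access.
    section = text.split("FAULTING_IP:", 1)[1]
    base, disp = MEM.search(section).groups()
    offset = int(disp, 16) if disp else 0
    effective = regs[base] + offset
    read_address = hexval(READ.search(text).group(1))
    return {
        "base": base,
        "base_value": regs[base],
        "offset": offset,
        "effective_address": effective,
        # Sanity check: the computed address must equal what the CPU reported.
        "matches_read_address": effective == read_address,
        # True when the pointer itself was NULL, not a wild or freed pointer.
        "null_base": regs[base] == 0 and effective < NULL_REGION,
    }


if __name__ == "__main__":
    print(triage(DUMP))
```

For this dump the result is base rcx = 0 with offset 0x38, so the read at 0x38 is a field load through a NULL pointer handed to afd!AfdCheckAndReferenceEndpoint.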