[Haitham1979]

Hi All,

 

I am facing a problem with my domain controller it gives me blue screen, tcpip.sys.  

 

I've attached thye mini dump files.

 

There server is Dell PowerEdge R170, with Windown Server 2008 Standered .

 

Thanks,

haitham

 

 

 

Attached Files

•  Minidump.zip   554.34KB   582 downloads

[Advertisements]

You'll be glad to know this is a pretty simple error and should be very easy to resolve.

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000000000ff, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffffa60010287f0, address which referenced memory

So an attempt to read invalid memory (0xff) at an IRQL of 2 (DPC/Dispatch level) had occurred.

4: kd> .trap 0xfffffa6001a5a410
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000000000ff rbx=0000000000000000 rcx=0000000000004440
rdx=fffffa800c954010 rsi=0000000000000000 rdi=0000000000000000
rip=fffffa60010287f0 rsp=fffffa6001a5a5a0 rbp=0000000000000000
 r8=0000000000000000  r9=fffffa800c954010 r10=0000000000000000
r11=fffffa6001a5a580 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
tcpip! ?? ::FNODOBFM::`string'+0x29057:
fffffa60`010287f0 8b08            mov     ecx,dword ptr [rax] ds:00000000`000000ff=????????

So an attempt to copy the address which was stored as a pointer in the rax registers was copied to the ecx register which resulted in a memory write to 0xff.

This address is invalid, although the page table entries aren't saved the first usable address I believe is 0x10000 but even this is reserved for user mode boot processes.

fffffa60`01a5a2c8 fffff800`01abd1ee : 00000000`0000000a 00000000`000000ff 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffffa60`01a5a2d0 fffff800`01abc0cb : 00000000`00000000 fffffa60`0114d050 00000000`00000002 fffffa80`08c3b870 : nt!KiBugCheckDispatch+0x6e
fffffa60`01a5a410 fffffa60`010287f0 : 00000000`00000000 fffffa80`08c3b870 00000000`00000000 fffffa80`046ea400 : nt!KiPageFault+0x20b
fffffa60`01a5a5a0 fffffa60`010534dd : fffffa60`011463e8 00000000`00000020 fffffa80`0468e000 fffffa80`07834030 : tcpip! ?? ::FNODOBFM::`string'+0x29057
fffffa60`01a5a680 fffffa60`01063921 : fffffa80`0c7fa3e0 00000000`00000000 00000000`00000001 00000000`00000001 : tcpip!IpFlcReceivePackets+0x8ad
fffffa60`01a5a880 fffffa60`01062ccb : fffffa80`0c7fa3e0 00000000`00000000 00000000`00000011 fffffa80`046d2080 : tcpip!IpFlcReceivePreValidatedPackets+0x831
fffffa60`01a5a9e0 fffffa60`009b20bc : fffffa80`0c969aa0 00000000`00000000 fffffa80`0c969a00 fffffa80`048151a0 : tcpip!FlReceiveNetBufferListChain+0x9b
fffffa60`01a5aa30 fffffa60`0097aa5c : fffffa80`0c969aa0 00000000`00000000 fffffa80`0c7c7620 00000000`00000000 : NDIS!ndisMIndicateNetBufferListsToOpen+0xac
fffffa60`01a5aa80 fffffa60`0085985e : fffffa80`048151a0 00000000`00000000 fffffa80`08dea6d0 fffffa60`02a094c5 : NDIS!ndisMDispatchReceiveNetBufferLists+0x36c
fffffa60`01a5af00 fffffa60`0080f6f7 : 00000000`00000000 fffffa80`08c3b870 00001306`00000000 ffff0000`03045c5e : NDIS!ndisMDispatchReceiveNetBufferListsWithLock+0xde
fffffa60`01a5af70 fffffa60`02a1a6db : 00000000`00000000 00000000`00000000 fffffa80`08c3b870 fffffa80`08dc3000 : NDIS!NdisMIndicateReceiveNetBufferLists+0x67
fffffa60`01a5afb0 00000000`00000000 : 00000000`00000000 fffffa80`08c3b870 fffffa80`08dc3000 00000000`00000001 : basp+0x126db

In the callstack we can see basp calling ndis (Network Driver Interface Specification) processing net buffer lists over a network, tcpip (Transmission Control Protocol/Internet Protocol) receives the data and probably tries to save it, it uses a bad instruction pointer and therefore accesses the wrong address.

 

basp is the Broadcom Advanced Server Program driver which is making bad calls.

4: kd> lmvm basp
start             end                 module name
fffffa60`02a08000 fffffa60`02a25000   basp     T (no symbols)           
    Loaded symbol image file: basp.sys
    Image path: \SystemRoot\system32\DRIVERS\basp.sys
    Image name: basp.sys
    Timestamp:        Mon May 10 23:10:49 2010 (4BE88469)
    CheckSum:         0002377F
    ImageSize:        0001D000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

With this driver being over four years old I'm not surprised it's causing problems.

 

You should be able to update it here.

 

http://www.broadcom....loaddrivers.php

 

Any other problems let me know.

[Jared44]

You'll be glad to know this is a pretty simple error and should be very easy to resolve.

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000000000ff, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffffa60010287f0, address which referenced memory

So an attempt to read invalid memory (0xff) at an IRQL of 2 (DPC/Dispatch level) had occurred.

4: kd> .trap 0xfffffa6001a5a410
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000000000ff rbx=0000000000000000 rcx=0000000000004440
rdx=fffffa800c954010 rsi=0000000000000000 rdi=0000000000000000
rip=fffffa60010287f0 rsp=fffffa6001a5a5a0 rbp=0000000000000000
 r8=0000000000000000  r9=fffffa800c954010 r10=0000000000000000
r11=fffffa6001a5a580 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
tcpip! ?? ::FNODOBFM::`string'+0x29057:
fffffa60`010287f0 8b08            mov     ecx,dword ptr [rax] ds:00000000`000000ff=????????

So an attempt to copy the address which was stored as a pointer in the rax registers was copied to the ecx register which resulted in a memory write to 0xff.

This address is invalid, although the page table entries aren't saved the first usable address I believe is 0x10000 but even this is reserved for user mode boot processes.

fffffa60`01a5a2c8 fffff800`01abd1ee : 00000000`0000000a 00000000`000000ff 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffffa60`01a5a2d0 fffff800`01abc0cb : 00000000`00000000 fffffa60`0114d050 00000000`00000002 fffffa80`08c3b870 : nt!KiBugCheckDispatch+0x6e
fffffa60`01a5a410 fffffa60`010287f0 : 00000000`00000000 fffffa80`08c3b870 00000000`00000000 fffffa80`046ea400 : nt!KiPageFault+0x20b
fffffa60`01a5a5a0 fffffa60`010534dd : fffffa60`011463e8 00000000`00000020 fffffa80`0468e000 fffffa80`07834030 : tcpip! ?? ::FNODOBFM::`string'+0x29057
fffffa60`01a5a680 fffffa60`01063921 : fffffa80`0c7fa3e0 00000000`00000000 00000000`00000001 00000000`00000001 : tcpip!IpFlcReceivePackets+0x8ad
fffffa60`01a5a880 fffffa60`01062ccb : fffffa80`0c7fa3e0 00000000`00000000 00000000`00000011 fffffa80`046d2080 : tcpip!IpFlcReceivePreValidatedPackets+0x831
fffffa60`01a5a9e0 fffffa60`009b20bc : fffffa80`0c969aa0 00000000`00000000 fffffa80`0c969a00 fffffa80`048151a0 : tcpip!FlReceiveNetBufferListChain+0x9b
fffffa60`01a5aa30 fffffa60`0097aa5c : fffffa80`0c969aa0 00000000`00000000 fffffa80`0c7c7620 00000000`00000000 : NDIS!ndisMIndicateNetBufferListsToOpen+0xac
fffffa60`01a5aa80 fffffa60`0085985e : fffffa80`048151a0 00000000`00000000 fffffa80`08dea6d0 fffffa60`02a094c5 : NDIS!ndisMDispatchReceiveNetBufferLists+0x36c
fffffa60`01a5af00 fffffa60`0080f6f7 : 00000000`00000000 fffffa80`08c3b870 00001306`00000000 ffff0000`03045c5e : NDIS!ndisMDispatchReceiveNetBufferListsWithLock+0xde
fffffa60`01a5af70 fffffa60`02a1a6db : 00000000`00000000 00000000`00000000 fffffa80`08c3b870 fffffa80`08dc3000 : NDIS!NdisMIndicateReceiveNetBufferLists+0x67
fffffa60`01a5afb0 00000000`00000000 : 00000000`00000000 fffffa80`08c3b870 fffffa80`08dc3000 00000000`00000001 : basp+0x126db

In the callstack we can see basp calling ndis (Network Driver Interface Specification) processing net buffer lists over a network, tcpip (Transmission Control Protocol/Internet Protocol) receives the data and probably tries to save it, it uses a bad instruction pointer and therefore accesses the wrong address.

 

basp is the Broadcom Advanced Server Program driver which is making bad calls.

4: kd> lmvm basp
start             end                 module name
fffffa60`02a08000 fffffa60`02a25000   basp     T (no symbols)           
    Loaded symbol image file: basp.sys
    Image path: \SystemRoot\system32\DRIVERS\basp.sys
    Image name: basp.sys
    Timestamp:        Mon May 10 23:10:49 2010 (4BE88469)
    CheckSum:         0002377F
    ImageSize:        0001D000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

With this driver being over four years old I'm not surprised it's causing problems.

 

You should be able to update it here.

 

http://www.broadcom....loaddrivers.php

 

Any other problems let me know.