VirtualBox

Ticket #6151 (new defect)

Opened 4 years ago

Last modified 3 years ago

BSOD: X64_0xD1_CODE_AV_BAD_IP_VBoxNetFlt+81fd => nVidia?

Reported by: ryancapp
Owned by:
Priority: major
Component: network/hostif
Version: VirtualBox 3.1.2
Keywords: BSOD, X64, D1, VBoxNetFlt
Cc:
Guest type: other
Host type: Windows

Description

Loading Dump File [C:\Windows\Minidump\021010-32245-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\Symbols\* http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (3 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0xfffff80002e54000 PsLoadedModuleList = 0xfffff80003091e50
Debug session time: Wed Feb 10 03:25:26.678 2010 (GMT-5)
System Uptime: 0 days 0:14:30.474
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {fffff880640acfcf, 2, 8, fffff880640acfcf}

Unable to load image \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for VBoxNetFlt.sys
*** ERROR: Module load completed but symbols could not be loaded for VBoxNetFlt.sys
Probably caused by : VBoxNetFlt.sys ( VBoxNetFlt+81fd )

Followup: MachineOwner


2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fffff880640acfcf, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000008, value 0 = read operation, 1 = write operation
Arg4: fffff880640acfcf, address which referenced memory

Debugging Details:


READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800030fc0e0

fffff880640acfcf

CURRENT_IRQL: 2

FAULTING_IP:
+0
fffff880`640acfcf ??              ???

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: System

TRAP_FRAME:  fffff8800318b770 -- (.trap 0xfffff8800318b770)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000028
rdx=0000000000000045 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880640acfcf rsp=fffff8800318b908 rbp=fffffa8008ae7018
 r8=0000000000000000  r9=0000000000000028 r10=0000000000000001
r11=fffffa800a8efc00 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
fffff880`640acfcf ??              ???
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80002ec5469 to fffff80002ec5f00

FAILED_INSTRUCTION_ADDRESS:
+0
fffff880`640acfcf ??              ???

STACK_TEXT:
fffff880`0318b628 fffff800`02ec5469 : 00000000`0000000a fffff880`640acfcf 00000000`00000002 00000000`00000008 : nt!KeBugCheckEx
fffff880`0318b630 fffff800`02ec40e0 : fffffa80`07c35000 fffffa80`0a8efd30 fffffa80`08cdf7a0 fffffa80`084141a0 : nt!KiBugCheckDispatch+0x69
fffff880`0318b770 fffff880`640acfcf : fffff880`0185c0cb 00000000`00000000 00000000`00000001 fffffa80`07c51c58 : nt!KiPageFault+0x260
fffff880`0318b908 fffff880`0185c0cb : 00000000`00000000 00000000`00000001 fffffa80`07c51c58 ffff0000`028ec970 : 0xfffff880`640acfcf
fffff880`0318b910 fffff880`0185c426 : 00000000`00000006 fffffa80`07c60000 00000000`00000000 00000000`08cdf701 : tcpip!Ipv4pValidateNetBuffer+0x19b
fffff880`0318b970 fffff880`0185b272 : fffffa80`08cf0210 00000000`00000000 fffffa80`08cdf701 00000000`00000001 : tcpip!IpFlcReceivePackets+0x256
fffff880`0318bb70 fffff880`018746ba : fffffa80`08cdf7a0 fffff880`0318bca0 fffffa80`08cdf7a0 00000000`00000000 : tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x2b2
fffff880`0318bc50 fffff800`02ed564a : fffffa80`0a8efc00 fffff880`03187000 00000000`00004800 00000000`00000000 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0xda
fffff880`0318bca0 fffff880`018740e2 : fffff880`018745e0 fffff880`0318bdb0 fffff880`0318c102 00000000`00000001 : nt!KeExpandKernelStackAndCalloutEx+0xda
fffff880`0318bd80 fffff880`017060eb : fffffa80`08cf0820 00000000`00000000 fffffa80`084141a0 fffff880`01651afe : tcpip!FlReceiveNetBufferListChain+0xb2
fffff880`0318bdf0 fffff880`016cffc6 : fffffa80`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!ndisMIndicateNetBufferListsToOpen+0xdb
fffff880`0318be60 fffff880`01652a24 : fffffa80`084141a0 00000000`00000002 00000000`00000001 00000000`00000000 : ndis!ndisMDispatchReceiveNetBufferLists+0x1d6
fffff880`0318c2e0 fffff880`017068d5 : 00000000`00000001 00000000`00000000 fffffa80`084141a0 00000000`00000000 : ndis!ndisMTopReceiveNetBufferLists+0x24
fffff880`0318c320 fffff880`041681fd : 00000000`00000000 00000000`00000001 fffff880`00000001 fffffa80`0a953a30 : ndis!ndisMIndicatePacketsToNetBufferLists+0x105
fffff880`0318c3c0 00000000`00000000 : 00000000`00000001 fffff880`00000001 fffffa80`0a953a30 00000000`00000000 : VBoxNetFlt+0x81fd

STACK_COMMAND: kb

FOLLOWUP_IP:
VBoxNetFlt+81fd
fffff880`041681fd ??              ???

SYMBOL_STACK_INDEX: e

SYMBOL_NAME: VBoxNetFlt+81fd

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: VBoxNetFlt

IMAGE_NAME: VBoxNetFlt.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4b2a38e9

FAILURE_BUCKET_ID: X64_0xD1_CODE_AV_BAD_IP_VBoxNetFlt+81fd

BUCKET_ID: X64_0xD1_CODE_AV_BAD_IP_VBoxNetFlt+81fd

Followup: MachineOwner


Attachments

021010-32245-01.dmp Download (285.5 KB) - added by ryancapp 4 years ago.

Change History

Changed 4 years ago by ryancapp

comment:1 Changed 4 years ago by ryancapp

Additional notes: Bug check occurred after system reboot in response to February issued Windows updates.

Here is a list of updates installed prior to crash:

  1. Security Update for Windows 7 for x64-based Systems (KB978251)
  2. Update for Rights Management Services Client for Windows 7 for x64-based Systems (KB979099)
  3. Windows Malicious Software Removal Tool x64 - February 2010 (KB890830)
  4. Security Update for Windows 7 for x64-based Systems (KB975560)
  5. Cumulative Security Update for ActiveX Killbits for Windows 7 for x64-based Systems (KB978262)
  6. Security Update for Windows 7 for x64-based Systems (KB971468)

comment:2 Changed 4 years ago by misha

The minidump shows nothing wrong with the VBoxNetFlt behavior, and unfortunately we're not able to reproduce the problem on Win7 x64 following exactly the same steps you describe.

Did the BSOD happen only once after win update for you?
Do you have any custom networking-related software installed on your host (i.e. other virtualizers, VPN, antivirus, firewall software, etc.)?

comment:3 Changed 4 years ago by ryancapp

Actually, I opened the full memory dump file and saw that the NVIDIA nForce network drivers seemed to play a role in the crash:

BugCheck D1, {fffff880640acfcf, 2, 8, fffff880640acfcf}

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for VBoxNetFlt.sys - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for nvmf6264.sys - 
Probably caused by : VBoxNetFlt.sys ( VBoxNetFlt+81fd )
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fffff880640acfcf, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000008, value 0 = read operation, 1 = write operation
Arg4: fffff880640acfcf, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS:  fffff880640acfcf 

CURRENT_IRQL:  2

FAULTING_IP: 
+0
fffff880`640acfcf ??              ???

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  System

TRAP_FRAME:  fffff8800318b770 -- (.trap 0xfffff8800318b770)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000028
rdx=0000000000000045 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880640acfcf rsp=fffff8800318b908 rbp=fffffa8008ae7018
 r8=0000000000000000  r9=0000000000000028 r10=0000000000000001
r11=fffffa800a8efc00 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
fffff880`640acfcf ??              ???
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80002ec5469 to fffff80002ec5f00

FAILED_INSTRUCTION_ADDRESS: 
+0
fffff880`640acfcf ??              ???

STACK_TEXT:  
fffff880`0318b628 fffff800`02ec5469 : 00000000`0000000a fffff880`640acfcf 00000000`00000002 00000000`00000008 : nt!KeBugCheckEx
fffff880`0318b630 fffff800`02ec40e0 : fffffa80`07c35000 fffffa80`0a8efd30 fffffa80`08cdf7a0 fffffa80`084141a0 : nt!KiBugCheckDispatch+0x69
fffff880`0318b770 fffff880`640acfcf : fffff880`0185c0cb 00000000`00000000 00000000`00000001 fffffa80`07c51c58 : nt!KiPageFault+0x260
fffff880`0318b908 fffff880`0185c0cb : 00000000`00000000 00000000`00000001 fffffa80`07c51c58 ffff0000`028ec970 : 0xfffff880`640acfcf
fffff880`0318b910 fffff880`0185c426 : 00000000`00000006 fffffa80`07c60000 00000000`00000000 00000000`08cdf701 : tcpip!Ipv4pValidateNetBuffer+0x19b
fffff880`0318b970 fffff880`0185b272 : fffffa80`08cf0210 00000000`00000000 fffffa80`08cdf701 00000000`00000001 : tcpip!IpFlcReceivePackets+0x256
fffff880`0318bb70 fffff880`018746ba : fffffa80`08cdf7a0 fffff880`0318bca0 fffffa80`08cdf7a0 00000000`00000000 : tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x2b2
fffff880`0318bc50 fffff800`02ed564a : fffffa80`0a8efc00 fffff880`03187000 00000000`00004800 00000000`00000000 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0xda
fffff880`0318bca0 fffff880`018740e2 : fffff880`018745e0 fffff880`0318bdb0 fffff880`0318c102 00000000`00000001 : nt!KeExpandKernelStackAndCalloutEx+0xda
fffff880`0318bd80 fffff880`017060eb : fffffa80`08cf0820 00000000`00000000 fffffa80`084141a0 fffff880`01651afe : tcpip!FlReceiveNetBufferListChain+0xb2
fffff880`0318bdf0 fffff880`016cffc6 : fffffa80`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!ndisMIndicateNetBufferListsToOpen+0xdb
fffff880`0318be60 fffff880`01652a24 : fffffa80`084141a0 00000000`00000002 00000000`00000001 00000000`00000000 : ndis!ndisMDispatchReceiveNetBufferLists+0x1d6
fffff880`0318c2e0 fffff880`017068d5 : 00000000`00000001 00000000`00000000 fffffa80`084141a0 00000000`00000000 : ndis!ndisMTopReceiveNetBufferLists+0x24
fffff880`0318c320 fffff880`041681fd : 00000000`00000000 00000000`00000001 fffff880`00000001 fffffa80`0a953a30 : ndis!ndisMIndicatePacketsToNetBufferLists+0x105
fffff880`0318c3c0 fffff880`0170f37b : 00000000`00000001 fffffa80`085b1550 00000000`00000000 fffffa80`07c01680 : VBoxNetFlt+0x81fd
fffff880`0318c550 fffff880`016d00eb : fffffa80`082521a0 fffff880`0318c960 00000000`00000001 fffffa80`09436000 : ndis!ethFilterDprIndicateReceivePacket+0x36b
fffff880`0318c620 fffff880`01649ef1 : fffffa80`082521a0 fffff880`04108601 00000000`00000001 fffffa80`08ae700a : ndis!ndisMDispatchReceiveNetBufferLists+0x2fb
fffff880`0318caa0 fffff880`040f0bcd : fffffa80`08ae5580 00000000`00000000 fffff880`0318cc10 00000000`3402003c : ndis!NdisMIndicateReceiveNetBufferLists+0xc1
fffff880`0318caf0 fffff880`0410950f : fffff880`04129d90 00000000`00000000 00000000`00000001 00000000`14020000 : nvmf6264+0x4bcd
fffff880`0318cb30 fffff880`0410906d : 00000000`14020000 fffff880`0318cc10 fffff880`00000000 00000000`00000000 : nvmf6264!PARAM_InitClient+0xfa17
fffff880`0318cbf0 fffff880`01649da5 : fffffa80`08b6a9a0 00000000`00000000 fffffa80`082521a0 fffffa80`082521a0 : nvmf6264!PARAM_InitClient+0xf575
fffff880`0318cc40 fffff800`02ed15dc : fffffa80`08b6ac38 00000000`00000000 00000000`00000000 fffff880`03164180 : ndis!ndisInterruptDpc+0x155
fffff880`0318ccd0 fffff800`02ece6fa : fffff880`03164180 fffff880`0316ef80 00000000`00000000 fffff880`01649c50 : nt!KiRetireDpcList+0x1bc
fffff880`0318cd80 00000000`00000000 : fffff880`0318d000 fffff880`03187000 fffff880`0318cd40 00000000`00000000 : nt!KiIdleLoop+0x5a


STACK_COMMAND:  kb

FOLLOWUP_IP: 
VBoxNetFlt+81fd
fffff880`041681fd eb0f            jmp     VBoxNetFlt+0x820e (fffff880`0416820e)

SYMBOL_STACK_INDEX:  e

SYMBOL_NAME:  VBoxNetFlt+81fd

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: VBoxNetFlt

IMAGE_NAME:  VBoxNetFlt.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4b2a38e9

FAILURE_BUCKET_ID:  X64_0xD1_CODE_AV_BAD_IP_VBoxNetFlt+81fd

BUCKET_ID:  X64_0xD1_CODE_AV_BAD_IP_VBoxNetFlt+81fd

Followup: MachineOwner
---------
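
A triage sketch for the comparison made in comment 3, added here as an example and not part of the ticket or of VirtualBox: it decodes the `BugCheck D1` arguments and lists the non-OS modules on the stack, which shows nvmf6264 sitting below the frame that `!analyze` blamed. The function names and the `OS_MODULES` set are assumptions; the frames are an excerpt copied from the STACK_TEXT above.

```python
import re

# Excerpt of frames copied from the STACK_TEXT in comment 3 (most recent first).
STACK_TEXT = """\
fffff880`0318b770 fffff880`640acfcf : fffff880`0185c0cb 00000000`00000000 00000000`00000001 fffffa80`07c51c58 : nt!KiPageFault+0x260
fffff880`0318b908 fffff880`0185c0cb : 00000000`00000000 00000000`00000001 fffffa80`07c51c58 ffff0000`028ec970 : 0xfffff880`640acfcf
fffff880`0318b910 fffff880`0185c426 : 00000000`00000006 fffffa80`07c60000 00000000`00000000 00000000`08cdf701 : tcpip!Ipv4pValidateNetBuffer+0x19b
fffff880`0318c320 fffff880`041681fd : 00000000`00000000 00000000`00000001 fffff880`00000001 fffffa80`0a953a30 : ndis!ndisMIndicatePacketsToNetBufferLists+0x105
fffff880`0318c3c0 fffff880`0170f37b : 00000000`00000001 fffffa80`085b1550 00000000`00000000 fffffa80`07c01680 : VBoxNetFlt+0x81fd
fffff880`0318caf0 fffff880`0410950f : fffff880`04129d90 00000000`00000000 00000000`00000001 00000000`14020000 : nvmf6264+0x4bcd
fffff880`0318cb30 fffff880`0410906d : 00000000`14020000 fffff880`0318cc10 fffff880`00000000 00000000`00000000 : nvmf6264!PARAM_InitClient+0xfa17
fffff880`0318cc40 fffff800`02ed15dc : fffffa80`08b6ac38 00000000`00000000 00000000`00000000 fffff880`03164180 : ndis!ndisInterruptDpc+0x155
"""
BUGCHECK = "BugCheck D1, {fffff880640acfcf, 2, 8, fffff880640acfcf}"

FRAME_RE = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+ : .* : (\S+)$")
# Assumption: modules treated as Microsoft-supplied for this trace.
OS_MODULES = {"nt", "ndis", "tcpip"}
# 0xD1 parameter 3: the dump text lists 0 and 1; 2 and 8 (execute) are from Microsoft's 0xD1 reference.
ACCESS = {0: "read", 1: "write", 2: "execute", 8: "execute"}

def call_sites(text):
    """Return the call-site column of every kb-style frame line."""
    return [m.group(1) for line in text.splitlines() if (m := FRAME_RE.match(line.strip()))]

def module_of(site):
    """Module name of 'mod!sym+off' or 'mod+off'; None for a raw address."""
    if site.startswith("0x"):
        return None
    return re.split(r"[!+]", site, maxsplit=1)[0]

def third_party_modules(sites):
    """Non-OS modules in stack order (most recent first), de-duplicated."""
    seen = []
    for mod in map(module_of, sites):
        if mod and mod not in OS_MODULES and mod not in seen:
            seen.append(mod)
    return seen

def decode_d1(line):
    """Decode the four 0xD1 arguments from a 'BugCheck D1, {...}' line."""
    a1, a2, a3, a4 = (int(x, 16) for x in re.search(r"\{(.*)\}", line).group(1).split(","))
    return {"address": hex(a1), "irql": a2, "access": ACCESS.get(a3, "unknown"),
            "bad_ip": a1 == a4}

if __name__ == "__main__":
    print(decode_d1(BUGCHECK))
    print(third_party_modules(call_sites(STACK_TEXT)))
```
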

comment:4 Changed 4 years ago by frank

  • Summary changed from BSOD: X64_0xD1_CODE_AV_BAD_IP_VBoxNetFlt+81fd to BSOD: X64_0xD1_CODE_AV_BAD_IP_VBoxNetFlt+81fd => nVidia?

comment:5 Changed 4 years ago by ryancapp

nvmf6264 is an NVIDIA driver, which could be malforming data passed to VirtualBox. Although, there should be some kind of sanity check in place to avoid such a crash.

I'll have to look over the full back trace when I have some time and see if I can even reproduce it (only a one-time deal so far).

comment:6 Changed 3 years ago by frank

Please have a look at #7601 and try the test build posted there.

comment:7 Changed 3 years ago by Technologov

See Wish #6057

-Technologov
