Hi Jim, Pascal,

This IRQL_NOT_LESS_OR_EQUAL (a) BSoD seems to be caused by the
NdisAcquireSpinLock call in function NPF_StartUsingOpenInstance, which
referred to freed Open struct memory. I have tried to fix it in the latest
installer; you may try it at:
https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.03-r6.exe

Cheers,
Yang


On Fri, Aug 7, 2015 at 9:51 AM, Jim Young <jyo...@gsu.edu> wrote:

> Hello Yang,
>
>
> After installing 0.03-r5 on my Windows 8.1 system I too am seeing a BSOD when
> starting Wireshark, tshark or dumpcap.
>
> Like Pascal's Bugcheck Analysis my crashes are also reporting bug check
> string: IRQL_NOT_LESS_OR_EQUAL (a)
>
> 2: kd> .symfix C:\Symbols
>
> 2: kd> .reload
>
> Loading Kernel Symbols
>
> ...............................................................
>
> ................................................................
>
> .......................................
>
> Loading User Symbols
>
> .....................................
>
> Loading unloaded module list
>
> ........
>
> 2: kd> !analyze -v
>
>
> *******************************************************************************
> *                                                                             *
> *                        Bugcheck Analysis                                    *
> *                                                                             *
> *******************************************************************************
>
>
> IRQL_NOT_LESS_OR_EQUAL (a)
>
> An attempt was made to access a pageable (or completely invalid) address at an
> interrupt request level (IRQL) that is too high.  This is usually
> caused by drivers using improper addresses.
>
> If a kernel debugger is available get the stack backtrace.
>
> Arguments:
>
> Arg1: 000000000000a620, memory referenced
>
> Arg2: 0000000000000002, IRQL
>
> Arg3: 0000000000000001, bitfield :
>
> bit 0 : value 0 = read operation, 1 = write operation
>
> bit 3 : value 0 = not an execute operation, 1 = execute operation (only on
> chips which support this level of status)
>
> Arg4: fffff802a914e0cc, address which referenced memory
>
>
> Debugging Details:
>
> ------------------
>
>
> *** ERROR: Module load completed but symbols could not be loaded for
> npf.sys
>
> *** ERROR: Symbol file could not be found.  Defaulted to export symbols
> for packet.dll -
>
>
> WRITE_ADDRESS: unable to get nt!MmNonPagedPoolStart
>
> unable to get nt!MmSizeOfNonPagedPoolInBytes
>
>  000000000000a620
>
>
> CURRENT_IRQL:  2
>
>
> FAULTING_IP:
>
> nt!KeAcquireSpinLockRaiseToDpc+1c
>
> fffff802`a914e0cc f0480fba2900    lock bts qword ptr [rcx],0
>
>
> DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
>
>
> BUGCHECK_STR:  AV
>
>
> PROCESS_NAME:  dumpcap.exe
>
>
> ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
>
>
> TRAP_FRAME:  ffffd0009e22a600 -- (.trap 0xffffd0009e22a600)
>
> NOTE: The trap frame does not contain all registers.
>
> Some register values may be zeroed or incorrect.
>
> rax=0000000000000002 rbx=0000000000000000 rcx=000000000000a620
>
> rdx=ffffe00024ae9a70 rsi=0000000000000000 rdi=0000000000000000
>
> rip=fffff802a914e0cc rsp=ffffd0009e22a790 rbp=ffffd0009e22ab80
>
>  r8=ffffe00022bf3610  r9=000000000000000e r10=0000000000000801
>
> r11=ffffe00025387040 r12=0000000000000000 r13=0000000000000000
>
> r14=0000000000000000 r15=0000000000000000
>
> iopl=0         nv up ei pl zr na po nc
>
> nt!KeAcquireSpinLockRaiseToDpc+0x1c:
>
> fffff802`a914e0cc f0480fba2900    lock bts qword ptr [rcx],0
> ds:00000000`0000a620=????????????????
>
> Resetting default scope
>
>
> LAST_CONTROL_TRANSFER:  from fffff802a91d27e9 to fffff802a91c6ca0
>
>
> STACK_TEXT:
>
> ffffd000`9e22a4b8 fffff802`a91d27e9 : 00000000`0000000a 00000000`0000a620
> 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
>
> ffffd000`9e22a4c0 fffff802`a91d103a : 00000000`00000001 00000000`00000000
> 00000000`00000000 ffffd000`9e22a730 : nt!KiBugCheckDispatch+0x69
>
> ffffd000`9e22a600 fffff802`a914e0cc : 00000000`00000001 ffffc001`00000000
> ffffc001`6f840a01 00000000`00000000 : nt!KiPageFault+0x23a
>
> ffffd000`9e22a790 fffff801`c221b19a : 00000000`00000000 ffffe000`2529b080
> 00000000`00000001 ffffd000`9e22ab80 : nt!KeAcquireSpinLockRaiseToDpc+0x1c
>
> ffffd000`9e22a7c0 fffff801`c221ba38 : 00000000`00001ef0 ffffe000`24ae9a00
> 00000000`00000000 ffffd000`00000000 : npf+0x319a
>
> ffffd000`9e22a7f0 fffff802`a949b77f : 00000000`00000001 ffffe000`24ae9a70
> ffffe000`24ae9a70 00000000`00000001 : npf+0x3a38
>
> ffffd000`9e22a880 fffff802`a949ad22 : ffffd000`9e22aa38 00000000`00000000
> 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
>
> ffffd000`9e22aa20 fffff802`a91d24b3 : ffffe000`25299080 ffffd000`001f0003
> 00000004`a71ecc08 00000004`00000000 : nt!NtDeviceIoControlFile+0x56
>
> ffffd000`9e22aa90 00007fff`16ff123a : 00007fff`14375fe3 00007f71`9a924c5b
> 00000000`00000003 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
>
> 00000004`a71ecbb8 00007fff`14375fe3 : 00007f71`9a924c5b 00000000`00000003
> 00000000`00000000 00000000`00000013 : ntdll!NtDeviceIoControlFile+0xa
>
> 00000004`a71ecbc0 00007fff`16b01bb0 : 00000000`00001ef0 00007fff`16f9713a
> 00000000`00000020 00000000`00000000 : KERNELBASE!DeviceIoControl+0x121
>
> 00000004`a71ecc30 00007fff`0f4c3d65 : 00000004`a73a4960 00000004`a71ecf20
> ffffffff`ffffffff 00000004`a71ecf20 :
> KERNEL32!DeviceIoControlImplementation+0x80
>
> 00000004`a71ecc80 00000004`a73a4960 : 00000004`a71ecf20 ffffffff`ffffffff
> 00000004`a71ecf20 00000000`00000000 : packet+0x3d65
>
> 00000004`a71ecc88 00000004`a71ecf20 : ffffffff`ffffffff 00000004`a71ecf20
> 00000000`00000000 00000000`00000000 : 0x00000004`a73a4960
>
> 00000004`a71ecc90 ffffffff`ffffffff : 00000004`a71ecf20 00000000`00000000
> 00000000`00000000 00000004`a71eccd0 : 0x00000004`a71ecf20
>
> 00000004`a71ecc98 00000004`a71ecf20 : 00000000`00000000 00000000`00000000
> 00000004`a71eccd0 00000000`00000000 : 0xffffffff`ffffffff
>
> 00000004`a71ecca0 00000000`00000000 : 00000000`00000000 00000004`a71eccd0
> 00000000`00000000 00000004`a73a4960 : 0x00000004`a71ecf20
>
>
>
> STACK_COMMAND:  kb
>
>
> FOLLOWUP_IP:
>
> npf+319a
>
> fffff801`c221b19a 4032ff          xor     dil,dil
>
>
> SYMBOL_STACK_INDEX:  4
>
>
> SYMBOL_NAME:  npf+319a
>
>
> FOLLOWUP_NAME:  MachineOwner
>
>
> MODULE_NAME: npf
>
>
> IMAGE_NAME:  npf.sys
>
>
> DEBUG_FLR_IMAGE_TIMESTAMP:  55c32fb5
>
>
> FAILURE_BUCKET_ID:  AV_npf+319a
>
>
> BUCKET_ID:  AV_npf+319a
>
>
> ANALYSIS_SOURCE:  KM
>
>
> FAILURE_ID_HASH_STRING:  km:av_npf+319a
>
>
> FAILURE_ID_HASH:  {bf4ae29b-3505-fe6e-b8b7-41bfb9d08cf8}
>
>
> Followup: MachineOwner
>
> ---------
>
>
> Best regards,
>
> Jim Y.
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-requ...@wireshark.org
> ?subject=unsubscribe
>
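
An added example, not part of the original thread: a small Python triage helper that decodes the bugcheck 0xA arguments from the dump above and checks whether the faulting address is the spin lock pointer held in rcx. The `triage` function and the `SAMPLE` excerpt (lines copied from the dump, with the stack argument columns replaced by "...") are constructed for illustration.

```python
import re

# Constructed excerpt: lines copied from the dump quoted above, with the
# four argument columns of each stack frame replaced by "..." for brevity.
SAMPLE = """\
Arg1: 000000000000a620, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
Arg4: fffff802a914e0cc, address which referenced memory
rax=0000000000000002 rbx=0000000000000000 rcx=000000000000a620
ffffd000`9e22a790 fffff801`c221b19a : ... : nt!KeAcquireSpinLockRaiseToDpc+0x1c
ffffd000`9e22a7c0 fffff801`c221ba38 : ... : npf+0x319a
ffffd000`9e22a7f0 fffff802`a949b77f : ... : npf+0x3a38
ffffd000`9e22a880 fffff802`a949ad22 : ... : nt!IopXxxControlFile+0xa4f
"""

IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
KERNEL_SPACE_START = 0xFFFF800000000000  # lowest canonical x64 kernel address


def triage(text):
    """Decode a bugcheck 0xA report and test for a bad spin lock pointer."""
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"Arg([1-4]): ([0-9a-f]{16})", text)}
    regs = {name: int(v, 16)
            for name, v in re.findall(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})", text)}
    # Stack frames look like "child-sp ret-addr : args : symbol+0xoff".
    frames = re.findall(r"^[0-9a-f`]+ [0-9a-f`]+ : .* : (\S+)$", text, re.M)
    if set(args) != {1, 2, 3, 4} or not frames:
        raise ValueError("not a complete IRQL_NOT_LESS_OR_EQUAL report")

    access = "execute" if args[3] & 0x8 else "write" if args[3] & 0x1 else "read"
    in_acquire = frames[0].startswith("nt!KeAcquireSpinLockRaiseToDpc")
    # The faulting instruction is `lock bts qword ptr [rcx],0`, so rcx holds
    # the PKSPIN_LOCK argument passed in by the caller.
    lock_ptr = regs.get("rcx")
    return {
        "address": args[1],
        "irql": IRQL_NAMES.get(args[2], str(args[2])),
        "access": access,
        "faulting_ip": args[4],
        # First frame outside the kernel image is the driver that passed the lock.
        "caller": next((f for f in frames if not f.startswith("nt!")), None),
        "bad_lock_pointer": in_acquire and lock_ptr == args[1]
                            and args[1] < KERNEL_SPACE_START,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `bad_lock_pointer` result of `True` with `caller` in `npf` means the driver handed the kernel a lock address outside kernel space, which is consistent with a lock embedded in a structure that is no longer valid.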