BSOD in iusb3xhc.sys

Hi,

I am using the new Intel USB 3 driver for Windows 7, and when I restart my operating system with a USB 3 device, I get the BSOD below. I am trying to find some help on what the driver could be doing while this BSOD happens. Please let me know if you have any pointers on how to debug this issue. Thanks in advance.

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000198, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88003c90100, address which referenced memory

Debugging Details:

READ_ADDRESS: 0000000000000198

CURRENT_IRQL: 2

FAULTING_IP:
iusb3xhc+12100
fffff880`03c90100 8b8e98010000 mov ecx,dword ptr [rsi+198h]

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: System

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

DPC_STACK_BASE: FFFFF80000BA2FB0

TRAP_FRAME: fffff80000ba2bf0 -- (.trap 0xfffff80000ba2bf0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff88003c90100 rbx=0000000000000000 rcx=fffffa801a66b010
rdx=0000000000895440 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88003c90100 rsp=fffff80000ba2d88 rbp=fffffa8019ecb000
r8=0000000000000000 r9=0000000000989680 r10=fffff88003cfb0e0
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
iusb3xhc+0x12100:
fffff88003c90100 8b8e98010000 mov ecx,dword ptr [rsi+198h] ds:0000000000000198=???
Resetting default scope

MISALIGNED_IP:
iusb3xhc+12100
fffff880`03c90100 8b8e98010000 mov ecx,dword ptr [rsi+198h]

LAST_CONTROL_TRANSFER: from fffff80002a85469 to fffff80002a85ec0

STACK_TEXT:
fffff80000ba2aa8 fffff80002a85469 : 000000000000000a 0000000000000198 0000000000000002 0000000000000000 : nt!KeBugCheckEx
fffff80000ba2ab0 fffff80002a840e0 : fffffa801a6c4010 fffffa801a6c4102 0000000000000002 fffffa801a66b010 : nt!KiBugCheckDispatch+0x69
fffff80000ba2bf0 fffff88003c90100 : fffff88003cc7be2 fffffa801a66b010 0000000000000000 0000000000000000 : nt!KiPageFault+0x260
fffff80000ba2d88 fffffa8019df8d28 : fffff88003a025c2 0000000000000000 fffffa8019320470 fffffa801a7cdc02 : iusb3xhc+0x12100
fffff80000ba2e08 fffff88003a025c2 : 0000000000000000 fffffa8019320470 fffffa801a7cdc02 0000000000000000 : 0xfffffa8019df8d28
fffff80000ba2e10 fffff88003a05f02 : fffffa8019df8050 fffffa8019538390 0000000119538000 fffffa8000000001 : USBPORT!USBPORT_Xdpc_iSetState+0x2a
fffff80000ba2e40 0000000000000022 : 0000000000000000 fffffa801a66b010 0000000000000000 fffff88003c94237 : USBPORT!USBPORT_CreateLegacyFdoSymbolicLink+0x102
fffff80000ba2eb0 0000000000000000 : fffffa801a66b010 0000000000000000 fffff88003c94237 00000000`00000000 : 0x22

STACK_COMMAND: kb

FOLLOWUP_IP:
iusb3xhc+12100
fffff880`03c90100 8b8e98010000 mov ecx,dword ptr [rsi+198h]

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: iusb3xhc+12100

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: hardware

IMAGE_NAME: hardware

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAILURE_BUCKET_ID: X64_IP_MISALIGNED_iusb3xhc.sys

BUCKET_ID: X64_IP_MISALIGNED_iusb3xhc.sys

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:x64_ip_misaligned_iusb3xhc.sys

FAILURE_ID_HASH: {dbe10e71-2561-e88c-0568-b9f19daad948}

Followup: MachineOwner

> Arg1: 0000000000000198, memory referenced

Most likely, a reference thru a null pointer to some struct.
Try to get in touch with the owner of the PCI vendor id 8086, send them
the dump. Bug happens even to them.

-- pa


Looks like this is due to the iusb3xhc.sys driver trying to dereference a NULL pointer. The faulting instruction was dereferencing a pointer stored in the rsi register, which contains zero. See rsi=0000000000000000, and the faulting instruction, mov ecx,dword ptr [rsi+198h]. In addition, you will find it useful to get the symbols for this driver.

Tai-Hing
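
The check described in the reply above, as an added example that is not part of the original thread or of any debugger tool: a Python sketch that reads `!analyze -v` text, recomputes the faulting effective address from the trap-frame register and the instruction's displacement, and compares it with Arg1. The names `triage` and `NEAR_NULL` and the 64 KiB threshold are assumptions made for this illustration; the input lines are copied from the dump posted in this thread.

```python
import re

# Lines copied from the !analyze -v output posted in this thread.
DUMP = """\
Arg1: 0000000000000198, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
rax=fffff88003c90100 rbx=0000000000000000 rcx=fffffa801a66b010
rdx=0000000000895440 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88003c90100 rsp=fffff80000ba2d88 rbp=fffffa8019ecb000
fffff88003c90100 8b8e98010000 mov ecx,dword ptr [rsi+198h] ds:0000000000000198=???
"""

NEAR_NULL = 0x10000  # assumption: addresses below 64 KiB count as "near NULL"

def _hex(s):
    return int(s.replace("`", ""), 16)  # WinDbg may print 64-bit values as hi`lo

def triage(text):
    """Classify a 0xD1 fault from !analyze -v text; returns a dict of findings."""
    args = {int(n): _hex(v) for n, v in re.findall(r"Arg(\d): ([0-9a-f`]+)", text)}
    regs = {r: _hex(v) for r, v in
            re.findall(r"\b([a-z][a-z0-9]{1,2})=([0-9a-f`]{16,17})\b", text)}
    mem = re.search(r"\[([a-z0-9]+)(?:([+-])([0-9a-f]+)h)?\]", text)
    if not mem or mem.group(1) not in regs or 1 not in args:
        return {"verdict": "insufficient data"}
    base = mem.group(1)
    disp = int(mem.group(3) or "0", 16) * (-1 if mem.group(2) == "-" else 1)
    effective = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    out = {"base_reg": base, "offset": disp, "effective": effective,
           "irql": args.get(2), "access": "write" if args.get(3) else "read",
           # The trap frame can hold zeroed registers, so the register value is
           # only trusted when base + displacement reproduces Arg1.
           "confirmed": effective == args[1]}
    if out["confirmed"] and regs[base] == 0 and 0 <= disp < NEAR_NULL:
        out["verdict"] = "NULL struct pointer, field at offset 0x%x" % disp
    elif args[1] < NEAR_NULL:
        out["verdict"] = "near-NULL address, base register not confirmed"
    else:
        out["verdict"] = "no NULL-pointer pattern"
    return out

if __name__ == "__main__":
    print(triage(DUMP))
```
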


Pavel A. wrote:

> Arg1: 0000000000000198, memory referenced

> Most likely, a reference thru a null pointer to some struct.
> Try to get in touch with the owner of the PCI vendor id 8086, send them
> the dump.

I assume you know who that is without even looking…


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thank you for your comments. Currently I am running this driver across our emulated xHCI controller, which behaves like an Intel controller. This BSOD occurs during restart of the virtual machine when a device is plugged into the controller before restart.

I will get in touch with them.
I wanted to gather more information about the functions USBPORT!USBPORT_Xdpc_iSetState and USBPORT!USBPORT_CreateLegacyFdoSymbolicLink and look into our xHCI emulation for any bugs while I report to them. Kindly let me know if you guys have any idea about what the driver could probably be doing while accessing the null pointer.

Is there any way that I can get symbols of this driver publicly?

Thanks in advance for all the help.

Just a thought, but is your emulated xhci controller software based?

If so, perhaps it’s memory your emulator is responsible for which is paged out when it shouldn’t be.

David
