
Two Servers Crashing - and a partridge in a..

Discussion in 'Windows Server System' started by mmarro, 2004/12/20.

Thread Status:
Not open for further replies.
  1. 2004/12/20
    mmarro

    mmarro Inactive Thread Starter

    Joined:
    2004/12/13
    Messages:
    8
    Likes Received:
    0
    Please help...why would my system dump at the tdtcp.sys file? Here is the debugger file. There is another crashing as well and will post later.

    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high. This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: 00000000, memory referenced
    Arg2: 00000002, IRQL
    Arg3: 00000000, value 0 = read operation, 1 = write operation
    Arg4: b15270ee, address which referenced memory

    Debugging Details:
    ------------------

    DBGHELP: ntdll.dll\3E802494ba000\ntdll.dll - OK
    DBGENG: Partial symbol load found image ntdll.dll\3E802494ba000\ntdll.dll.
    DBGHELP: ntdll - public symbols
    ntdll.pdb\3E800DDD2\ntdll.pdb
    DBGHELP: TDTCP - public symbols
    tdtcp.pdb\820189ADC6094A1889475615E003E5AC1\tdtcp.pdb
    SYMSRV: tcpip.pd_ from http://msdl.microsoft.com/download/symbols: 180654 bytes copied
    DBGHELP: tcpip - public symbols
    tcpip.pdb\471846DDF72D4D6195488E9DD171FAC52\tcpip.pdb
    SYMSRV: ndis.pd_ from http://msdl.microsoft.com/download/symbols: 131117 bytes copied
    DBGHELP: NDIS - public symbols
    ndis.pdb\8EABA86C4E9D4FA1BA1306D4D1A543092\ndis.pdb
    SYMSRV: b57xp32.pdb\0ED5732416CB4587908D7D7B356298D21\b57xp32.pdb not found
    SYMSRV: http://msdl.microsoft.com/download/symbols/b57xp32.pdb/0ED5732416CB4587908D7D7B356298D21/b57xp32.pdb not found
    DBGHELP: C:\src\WINXP.32\Obj\i386\b57xp32.pdb - file not found
    *** ERROR: Module load completed but symbols could not be loaded for b57xp32.sys
    DBGHELP: b57xp32 - no symbols loaded
    DBGHELP: ntkrnlmp.exe\3E8015C6266000\ntkrnlmp.exe - OK
    DBGHELP: TDTCP.SYS\3E7FFF1Ca000\TDTCP.SYS - OK
    SYMSRV: tcpip.sy_ from http://msdl.microsoft.com/download/symbols: 170122 bytes copied
    DBGHELP: tcpip.sys\3E800D7162000\tcpip.sys - OK
    SYMSRV: b57xp32.sys\3ECC2C1F2ad00\b57xp32.sys not found
    SYMSRV: http://msdl.microsoft.com/download/symbols/b57xp32.sys/3ECC2C1F2ad00/b57xp32.sys not found
    SYMSRV: b57xp32.sys\3ECC2C1F2ad00\b57xp32.sys not found
    SYMSRV: http://msdl.microsoft.com/download/symbols/b57xp32.sys/3ECC2C1F2ad00/b57xp32.sys not found
    SYMSRV: b57xp32.sys\3ECC2C1F2ad00\b57xp32.sys not found
    SYMSRV: http://msdl.microsoft.com/download/symbols/b57xp32.sys/3ECC2C1F2ad00/b57xp32.sys not found
    SYMSRV: NDIS.sy_ from http://msdl.microsoft.com/download/symbols: 90849 bytes copied
    DBGHELP: NDIS.sys\3E80172F41000\NDIS.sys - OK

    READ_ADDRESS: 00000000

    CURRENT_IRQL: 2

    FAULTING_IP:
    TDTCP!_TdWriteCompleteRoutine+20
    b15270ee 8b0b mov ecx,[ebx]

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0xD1

    LAST_CONTROL_TRANSFER: from 804f01d4 to b15270ee

    TRAP_FRAME: f789e898 -- (.trap fffffffff789e898)
    ErrCode = 00000000
    eax=00000002 ebx=00000000 ecx=8762bf0c edx=00000004 esi=8762bc70 edi=895f1008
    eip=b15270ee esp=f789e90c ebp=f789e944 iopl=0 nv up ei pl nz na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
    TDTCP!_TdWriteCompleteRoutine+0x20:
    b15270ee 8b0b mov ecx,[ebx] ds:0023:00000000=????????
    Resetting default scope

    STACK_TEXT:
    f789e914 804f01d4 00000000 895f1040 895f1008 TDTCP!_TdWriteCompleteRoutine+0x20
    f789e944 b3fc0c54 f789e9b8 897da558 f789e9b8 nt!IopfCompleteRequest+0xa0
    f789e95c b3fc1d3b 895f1040 00000000 000005b3 tcpip!TCPDataRequestComplete+0xa4
    f789e978 b3fc27ac f789e9b8 f789ea88 8982de0e tcpip!CompleteSends+0x27
    f789e9f0 b3fc163f 897c1638 cb73a8c0 6a76a8c0 tcpip!TCPRcv+0x1806
    f789ea50 b3fc18dd 00000020 897c1638 00000000 tcpip!DeliverToUser+0x17b
    f789eb04 b3fbff0f 897c1638 8982de22 00000033 tcpip!IPRcvPacket+0x66c
    f789eb44 b3fbff81 00000000 8983d440 8982de00 tcpip!ARPRcvIndicationNew+0x147
    f789eb80 f72631c6 897c1358 00000000 899fd130 tcpip!ARPRcvPacket+0x66
    f789ebd4 f628bda8 899fd130 f789ed84 00000001 NDIS!ethFilterDprIndicateReceivePacket+0x312
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f789ef2c f629ddb0 898e4000 00000001 00000001 b57xp32+0x9da8
    f789ef54 f6285066 898e4000 00000000 00000000 b57xp32+0x1bdb0
    f789ef88 f7254025 898e4000 ffdff980 898e20cc b57xp32+0x3066
    f789ef9c 804efdf0 898e20cc 898e20b8 00000000 NDIS!ndisMDpcX+0x1d
    f789eff4 804e5ea6 a62b9c74 00000000 00000000 nt!KiRetireDpcList+0xc8


    FOLLOWUP_IP:
    TDTCP!_TdWriteCompleteRoutine+20
    b15270ee 8b0b mov ecx,[ebx]

    SYMBOL_STACK_INDEX: 0

    FOLLOWUP_NAME: MachineOwner

    SYMBOL_NAME: TDTCP!_TdWriteCompleteRoutine+20

    MODULE_NAME: TDTCP

    IMAGE_NAME: TDTCP.SYS

    DEBUG_FLR_IMAGE_TIMESTAMP: 3e7fff1c

    STACK_COMMAND: .trap fffffffff789e898 ; kb

    BUCKET_ID: 0xD1_TDTCP!_TdWriteCompleteRoutine+20

    Followup: MachineOwner
    ---------

    eax=ffdff13c ebx=0000000a ecx=8581d600 edx=40000000 esi=ffdff120 edi=00000000
    eip=805435b9 esp=f789e864 ebp=f789e87c iopl=0 nv up ei ng nz na po nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
    nt!KeBugCheckEx+0x19:
    805435b9 5d pop ebp
    ChildEBP RetAddr Args to Child
    f789e87c 804e2f58 0000000a 00000000 00000002 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
    f789e87c b15270ee 0000000a 00000000 00000002 nt!KiTrap0E+0x224 (FPO: [0,0] TrapFrame @ f789e898)
    f789e914 804f01d4 00000000 895f1040 895f1008 TDTCP!_TdWriteCompleteRoutine+0x20 (FPO: [3,0,0])
    f789e944 b3fc0c54 f789e9b8 897da558 f789e9b8 nt!IopfCompleteRequest+0xa0 (FPO: [Non-Fpo])
    f789e95c b3fc1d3b 895f1040 00000000 000005b3 tcpip!TCPDataRequestComplete+0xa4 (FPO: [Non-Fpo])
    f789e978 b3fc27ac f789e9b8 f789ea88 8982de0e tcpip!CompleteSends+0x27 (FPO: [1,0,0])
    f789e9f0 b3fc163f 897c1638 cb73a8c0 6a76a8c0 tcpip!TCPRcv+0x1806 (FPO: [Non-Fpo])
    f789ea50 b3fc18dd 00000020 897c1638 00000000 tcpip!DeliverToUser+0x17b (FPO: [Non-Fpo])
    f789eb04 b3fbff0f 897c1638 8982de22 00000033 tcpip!IPRcvPacket+0x66c (FPO: [Non-Fpo])
    f789eb44 b3fbff81 00000000 8983d440 8982de00 tcpip!ARPRcvIndicationNew+0x147 (FPO: [Non-Fpo])
    f789eb80 f72631c6 897c1358 00000000 899fd130 tcpip!ARPRcvPacket+0x66 (FPO: [Non-Fpo])
    f789ebd4 f628bda8 899fd130 f789ed84 00000001 NDIS!ethFilterDprIndicateReceivePacket+0x312 (FPO: [Non-Fpo])
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f789ef2c f629ddb0 898e4000 00000001 00000001 b57xp32+0x9da8
    f789ef54 f6285066 898e4000 00000000 00000000 b57xp32+0x1bdb0
    f789ef88 f7254025 898e4000 ffdff980 898e20cc b57xp32+0x3066
    f789ef9c 804efdf0 898e20cc 898e20b8 00000000 NDIS!ndisMDpcX+0x1d (FPO: [4,0,0])
    f789eff4 804e5ea6 a62b9c74 00000000 00000000 nt!KiRetireDpcList+0xc8 (FPO: [Non-Fpo])
    start end module name
     
  2. 2004/12/20
    BenMcDonald[MS]

    BenMcDonald[MS] Inactive

    Joined:
    2004/12/14
    Messages:
    228
    Likes Received:
    0
    The IRP it is currently processing has a bogus completion routine. This could be caused by any of the drivers on the IRP stack, or pool corruption.

    Since it's generally a safe assumption that TCPIP.SYS doesn't have a large bug like this in it (or there would be millions of people storming the castle with pitchforks), we need to look at what else is around.

    b57xp32.sys: this is a Broadcom gigabit Ethernet driver. You did not include the driver info, so you are on your own to determine if it's up to date.

    Code:
    STACK_TEXT: 
    f789e914 804f01d4 [B]00000000 895f1040 895f1008 [/B] TDTCP!_TdWriteCompleteRoutine+0x20
    f789e944 b3fc0c54 [B]f789e9b8 897da558 f789e9b8 [/B] nt!IopfCompleteRequest+0xa0
    f789e95c b3fc1d3b[B] 895f1040 00000000 000005b3 [/B] tcpip!TCPDataRequestComplete+0xa4
    f789e978 b3fc27ac [B]f789e9b8 f789ea88 8982de0e [/B] tcpip!CompleteSends+0x27
    One of the bolded numbers is an IRP; I can't recall which one off the top of my head. You can !irp it and try to find the bogus completion routine. You should !pool the IRP address as well and see what's above it, as it may be just pool corruption.
     

  4. 2004/12/20
    mmarro

    mmarro Inactive Thread Starter

    Joined:
    2004/12/13
    Messages:
    8
    Likes Received:
    0
    0: kd> !Irp
    Free build - use !irpfind to scan memory for any active IRPs
    0: kd> !irpfind
    unable to get nt!PoolBigPageTable
    unable to get nt!PoolBigPageTableSize
    unable to get large pool allocation table - either wrong symbols or pool tagging is disabled
    unable to get nt!MmSizeOfNonPagedPoolInBytes
    unable to get nt!MmNonPagedPoolExpansionStart

    Searching NonPaged pool (81c00000 : 81c00000) for Tag: Irp?

    *************************************************************************
    *** ***
    *** ***
    *** Your debugger is not using the correct symbols ***
    *** ***
    *** In order for this command to work properly, your symbol path ***
    *** must point to .pdb files that have full type information. ***
    *** ***
    *** Certain .pdb files (such as the public OS symbols) do not ***
    *** contain the required information. Contact the group that ***
    *** provided you with these symbols if you need this command to ***
    *** work. ***
    *** ***
    *** Type referenced: nt!_POOL_HEADER ***
    *** ***
    *************************************************************************
    0: kd> !pool 81c00000
    *************************************************************************
    *** ***
    *** ***
    *** Your debugger is not using the correct symbols ***
    *** ***
    *** In order for this command to work properly, your symbol path ***
    *** must point to .pdb files that have full type information. ***
    *** ***
    *** Certain .pdb files (such as the public OS symbols) do not ***
    *** contain the required information. Contact the group that ***
    *** provided you with these symbols if you need this command to ***
    *** work. ***
    *** ***
    *** Type referenced: nt!_POOL_HEADER ***
    *** ***
    *************************************************************************
    unable to get nt!MmSpecialPoolStart
    unable to get nt!MmSpecialPoolEnd
    Pool page 81c00000 region is unable to get nt!MmPoolCodeEnd
    unable to get nt!MmSpecialPoolEnd
    unable to get nt!MmPagedPoolEnd
    unable to get nt!MmNonPagedPoolEnd
    unable to get nt!MmNonPagedPoolStart
    unable to get nt!MmSpecialPoolStart
    unable to get nt!MmPagedPoolStart
    unable to get nt!MiSessionPoolStart
    unable to get nt!MiSessionPoolEnd
    unable to get nt!MmNonPagedPoolExpansionStart
    unable to get nt!MmPoolCodeStart
    Unknown
    *************************************************************************
    *** ***
    *** ***
    *** Your debugger is not using the correct symbols ***
    *** ***
    *** In order for this command to work properly, your symbol path ***
    *** must point to .pdb files that have full type information. ***
    *** ***
    *** Certain .pdb files (such as the public OS symbols) do not ***
    *** contain the required information. Contact the group that ***
    *** provided you with these symbols if you need this command to ***
    *** work. ***
    *** ***
    *** Type referenced: nt!_POOL_HEADER ***
    *** ***
    *************************************************************************
    *************************************************************************
    *** ***
    *** ***
    *** Your debugger is not using the correct symbols ***
    *** ***
    *** In order for this command to work properly, your symbol path ***
    *** must point to .pdb files that have full type information. ***
    *** ***
    *** Certain .pdb files (such as the public OS symbols) do not ***
    *** contain the required information. Contact the group that ***
    *** provided you with these symbols if you need this command to ***
    *** work. ***
    *** ***
    *** Type referenced: nt!_POOL_TRACKER_BIG_PAGES ***
    *** ***
    *************************************************************************
    Cannot get _POOL_TRACKER_BIG_PAGES type size
     
  5. 2004/12/20
    mmarro

    mmarro Inactive Thread Starter

    Joined:
    2004/12/13
    Messages:
    8
    Likes Received:
    0
    I also contacted DELL for the GIG NIC card. There is a CAT 5 cable, not a 5e, that the GIG NIC is running on. Dell sent me a link for a driver update.
     
  6. 2004/12/20
    BenMcDonald[MS]

    BenMcDonald[MS] Inactive

    Joined:
    2004/12/14
    Messages:
    228
    Likes Received:
    0
    You will need to !irp 897da558 <enter> for each one of those 12 bolded addresses. One of them will match up and show you an IRP. Once you have that address, !pool on it.
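
The manual search described in the posts above (try !irp on each argument from the top stack frames) can be narrowed before opening the debugger. This is an added example, not code from any poster: it parses the four quoted STACK_TEXT frames and keeps only arguments that could be pool allocations. The 2 GB kernel base, 12 KB stack window and 8-byte pool alignment are assumptions for 32-bit x86, and the function names are hypothetical.

```python
import re

# Constructed input: the four STACK_TEXT frames quoted in the thread,
# with the forum's [B]...[/B] markup stripped.
STACK_TEXT = """\
f789e914 804f01d4 00000000 895f1040 895f1008 TDTCP!_TdWriteCompleteRoutine+0x20
f789e944 b3fc0c54 f789e9b8 897da558 f789e9b8 nt!IopfCompleteRequest+0xa0
f789e95c b3fc1d3b 895f1040 00000000 000005b3 tcpip!TCPDataRequestComplete+0xa4
f789e978 b3fc27ac f789e9b8 f789ea88 8982de0e tcpip!CompleteSends+0x27
"""

# ChildEBP, RetAddr, three "Args to Child", then the symbol.
FRAME = re.compile(r"^\s*((?:[0-9a-f]{8}\s+){5})(\S+)", re.I | re.M)

KERNEL_BASE = 0x80000000   # assumption: default 2 GB/2 GB split on 32-bit x86
STACK_SPAN = 0x3000        # assumption: 12 KB kernel stack around ChildEBP
POOL_ALIGN = 8             # assumption: 8-byte pool granularity on 32-bit x86


def irp_candidates(stack_text):
    """Return [(address, [symbols...])], most frequently passed value first."""
    frames = []
    for m in FRAME.finditer(stack_text):
        ebp, _ret, *args = (int(x, 16) for x in m.group(1).split())
        frames.append((ebp, args, m.group(2)))
    seen = {}
    for _ebp, args, symbol in frames:
        for arg in args:
            if arg < KERNEL_BASE or arg % POOL_ALIGN:
                continue  # NULL, small integers, user addresses, misaligned values
            if any(abs(arg - e) < STACK_SPAN for e, _, _ in frames):
                continue  # pointer into the current kernel stack, not pool
            users = seen.setdefault(arg, [])
            if symbol not in users:
                users.append(symbol)
    # Stable sort: ties keep their order of first appearance in the stack.
    return sorted(seen.items(), key=lambda kv: -len(kv[1]))


def kd_commands(stack_text):
    """Emit one !irp command per surviving candidate, best guess first."""
    return [f"!irp {addr:08x}" for addr, _ in irp_candidates(stack_text)]


if __name__ == "__main__":
    print("\n".join(kd_commands(STACK_TEXT)))
```

The value that is passed through more than one frame sorts first; run !pool on whichever address !irp accepts, as the post describes.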
     
  7. 2004/12/20
    mmarro

    mmarro Inactive Thread Starter

    Joined:
    2004/12/13
    Messages:
    8
    Likes Received:
    0
    I am not getting any data when I enter the command that you referenced.
     
  8. 2004/12/20
    BenMcDonald[MS]

    BenMcDonald[MS] Inactive

    Joined:
    2004/12/14
    Messages:
    228
    Likes Received:
    0
    Code:
    lkd> !irp 86824008
    Irp is active with 7 stacks 7 is current (= 0x86824150)
     No Mdl Thread 86741348:  Irp stack trace.
         cmd  flg cl Device   File     Completion-Context
     [  0, 0]   0  0 00000000 00000000 00000000-00000000
    
                            Args: 00000000 00000000 00000000 00000000
     [  0, 0]   0  0 00000000 00000000 00000000-00000000
    
                            Args: 00000000 00000000 00000000 00000000
     [  0, 0]   0  0 00000000 00000000 00000000-00000000
    
                            Args: 00000000 00000000 00000000 00000000
     [  0, 0]   0  0 00000000 00000000 00000000-00000000
    
                            Args: 00000000 00000000 00000000 00000000
     [  0, 0]   0  0 00000000 00000000 00000000-00000000
    
                            Args: 00000000 00000000 00000000 00000000
     [  0, 0]   0  0 00000000 00000000 00000000-00000000
    
                            Args: 00000000 00000000 00000000 00000000
    >[  c, 2]   0  1 86b9b020 86ae5828 00000000-00000000    pending
                   \FileSystem\Fastfat
                            Args: 00001000 00000c5b 00000000 00000000
    lkd>
    lkd> !irp 87654321
    IRP signature does not match, probably not an IRP
    
     