Windows 7: BSOD with kernel power while playing Diablo 3

The Rage Guy · 18 May 2012

Hi guys, my new rig specs as follows:

CPU: Intel i5 3570k with Asrock extreme 6
GFX: Palit GTX670
PSU: Corsair AX850
SSD Crucial m4 256gb
RAM: Gskill 8gb
OS: Windows 7 Ultimate 64bit

Everything running on stock.

While i was playing Diablo 3, it suddenly BSOD, and i checked the event viewer, there was a Kernel power error:
BugcheckCode 194
BugcheckParameter1 0x7
BugcheckParameter2 0x109b
BugcheckParameter3 0x4060016
BugcheckParameter4 0xfffffa800c569650
SleepInProgress false
PowerButtonTimestamp 0

After that when playing again, i notice artifacts in D3 time to time.

Drivers and windows updated to latest version.

Attached is the minidump.

Would really appreciate inputs.

Thanks in advance!

Vir Gnarus · 18 May 2012

It looks like Avast filter driver for IPSec (aswrdr2.sys) is responsible, but given that this BSOD was caused by the driver trying to free pooled memory after it's already been pooled, it may either be Avast erroneously attempting to free the pooled memory a second time, or something else snuck in (most certainly another firewall, AV or other IPSec software/driver) and freed the pool, then Avast attempted to do so again and the system bugged out cuz of it. This can occur if you have multiple firewall or other AV and security software installed and running simultaneously. You should only have one firewall solution and one AV solution. If the AV solution includes firewall, it'll bump into your dedicated firewall software, and vice versa.

Unfortunately, this minidump cannot serve us further beyond this speculation. There are some related items I could check that could give us really good clues as to what may have freed this pool prior, but that data is not retained in a minidump.

If you wish, you can turn on Driver Verifier and let it crash again and send us the resulting minidump, since DV catch the problem earlier. For checks to select, do not select Force Pending I/O Requests, Low Resource Sim, or IRP Logging. You may select the rest of the checks. Remember to restart PC after everything is set up.

As for any potential solutions to this, aside from cleaning up your AV and firewall stuff, make sure to update both your network drivers and Avast. I see that the filter driver for Avast is pretty new, May 6, but there's always a chance a bug got introduced recently and Avast has already gone and fixed it.

Analysts:

!analyze -v output:

Code:

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 000000000000109b, (reserved)
Arg3: 0000000004060016, Memory contents of the pool block
Arg4: fffffa800c569650, Address of the block of pool being deallocated

Debugging Details:
------------------

TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\triage\modclass.ini, error 2

POOL_ADDRESS:  fffffa800c569650 Nonpaged pool

FREED_POOL_TAG:  Fwpp

BUGCHECK_STR:  0xc2_7_Fwpp

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff80002fbabe9 to fffff80002e901c0

STACK_TEXT:  
fffff880`069ed578 fffff800`02fbabe9 : 00000000`000000c2 00000000`00000007 00000000`0000109b 00000000`04060016 : nt!KeBugCheckEx
fffff880`069ed580 fffff880`01c701a1 : 00000000`00000000 fffff8a0`0194de40 fffffa80`0c569658 fffff880`01c68de4 : nt!ExDeferredFreePool+0x1201
fffff880`069ed630 fffff880`01c9ed68 : 00000000`00000000 fffffa80`0c569650 fffff8a0`017f8ec0 00000000`00000000 : fwpkclnt!WfpNamedPoolFree+0x19
fffff880`069ed660 fffff880`01c9946e : 00000000`00000000 fffff880`01c956a8 fffffa80`0c8faac0 fffff880`01c956a8 : fwpkclnt!FwppSessionDestroy+0x64
fffff880`069ed690 fffff880`0473992b : fffffa80`0c569650 00000000`000007ff fffff8a0`0194d058 fffffa80`0c3d6040 : fwpkclnt!FwpmEngineClose0+0x42
fffff880`069ed6d0 fffffa80`0c569650 : 00000000`000007ff fffff8a0`0194d058 fffffa80`0c3d6040 fffff880`0473e978 : aswrdr2+0x492b
fffff880`069ed6d8 00000000`000007ff : fffff8a0`0194d058 fffffa80`0c3d6040 fffff880`0473e978 fffffa80`06988c1c : 0xfffffa80`0c569650
fffff880`069ed6e0 fffff8a0`0194d058 : fffffa80`0c3d6040 fffff880`0473e978 fffffa80`06988c1c fffffa80`06988c1c : 0x7ff
fffff880`069ed6e8 fffffa80`0c3d6040 : fffff880`0473e978 fffffa80`06988c1c fffffa80`06988c1c fffff8a0`0194d030 : 0xfffff8a0`0194d058
fffff880`069ed6f0 fffff880`0473e978 : fffffa80`06988c1c fffffa80`06988c1c fffff8a0`0194d030 fffff8a0`0194d058 : 0xfffffa80`0c3d6040
fffff880`069ed6f8 fffffa80`06988c1c : fffffa80`06988c1c fffff8a0`0194d030 fffff8a0`0194d058 fffff8a0`0194bb10 : aswrdr2+0x9978
fffff880`069ed700 fffffa80`06988c1c : fffff8a0`0194d030 fffff8a0`0194d058 fffff8a0`0194bb10 00000000`00000000 : 0xfffffa80`06988c1c
fffff880`069ed708 fffff8a0`0194d030 : fffff8a0`0194d058 fffff8a0`0194bb10 00000000`00000000 fffff8a0`0194b980 : 0xfffffa80`06988c1c
fffff880`069ed710 fffff8a0`0194d058 : fffff8a0`0194bb10 00000000`00000000 fffff8a0`0194b980 fffff8a0`0194d060 : 0xfffff8a0`0194d030
fffff880`069ed718 fffff8a0`0194bb10 : 00000000`00000000 fffff8a0`0194b980 fffff8a0`0194d060 fffff800`0312557e : 0xfffff8a0`0194d058
fffff880`069ed720 00000000`00000000 : fffff8a0`0194b980 fffff8a0`0194d060 fffff800`0312557e 00000000`00000000 : 0xfffff8a0`0194bb10


STACK_COMMAND:  kb

FOLLOWUP_IP: 
fwpkclnt!WfpNamedPoolFree+19
fffff880`01c701a1 48b8faaddbbafaaddbba mov rax,0BADBADFABADBADFAh

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  fwpkclnt!WfpNamedPoolFree+19

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: fwpkclnt

IMAGE_NAME:  fwpkclnt.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4ce79321

FAILURE_BUCKET_ID:  X64_0xc2_7_Fwpp_fwpkclnt!WfpNamedPoolFree+19

BUCKET_ID:  X64_0xc2_7_Fwpp_fwpkclnt!WfpNamedPoolFree+19

Followup: MachineOwner
---------

The stack unwind is not clean. However, we can at least extract that aswrdr2.sys is involved, which is the Avast WFP Redirect Driver. WFP is Windows Filtering Platform, which as described here, is responsible for allowing 3rd party drivers and software to filter network activity. We can tell from the top half of the callstack that Avast driver called into fwpkclnt.sys, which FWP/IPsec Kernel-Mode API driver, to evidently close a filtering session (hence the call to fwpkclnt!FwpmEngineClose+0x42). At this time the IPSec driver is doing cleanup work, including freeing the related named pool memory that it's been using for the session (fwpkclnt!WfpNamedPoolFree+0x19). You can verify this by using !pool on the relevant block of pool (you can determine this by looking at Arg4 of the bugchcek, as well as POOL_ADDRESS in the !analyze -v output):

Code:

3: kd> !pool fffffa800c569650
Pool page fffffa800c569650 region is Nonpaged pool
 fffffa800c569000 size:   90 previous size:    0  (Allocated)  Vad 
 fffffa800c569090 size:   90 previous size:   90  (Allocated)  Vad 
 fffffa800c569120 size:   90 previous size:   90  (Allocated)  Vad 
 fffffa800c5691b0 size:   90 previous size:   90  (Allocated)  Vad 
 fffffa800c569240 size:   c0 previous size:   90  (Allocated)  FMsl
 fffffa800c569300 size:  160 previous size:   c0  (Allocated)  Ntfx
 fffffa800c569460 size:   80 previous size:  160  (Allocated)  Even (Protected)
 fffffa800c5694e0 size:  160 previous size:   80  (Allocated)  Ntfx
*fffffa800c569640 size:   60 previous size:  160  (Free ) *Fwpp
		Pooltag Fwpp : Windows Filtering Platform export driver., Binary : fwpkclnt.sys
 fffffa800c5696a0 size:  160 previous size:   60  (Allocated)  Ntfx
 fffffa800c569800 size:  1e0 previous size:  160  (Allocated)  MmCi
 fffffa800c5699e0 size:  220 previous size:  1e0  (Allocated)  MmCi
 fffffa800c569c00 size:   60 previous size:  220  (Allocated)  Icp 
 fffffa800c569c60 size:   80 previous size:   60  (Allocated)  Even (Protected)
 fffffa800c569ce0 size:   20 previous size:   80  (Allocated)  ViMm
 fffffa800c569d00 size:   50 previous size:   20  (Allocated)  VadS
 fffffa800c569d50 size:   90 previous size:   50  (Allocated)  Vad 
 fffffa800c569de0 size:  220 previous size:   90  (Allocated)  MmCi

As you can tell, it doesn't look like any other driver incidentally freed pool beyond is allocation and ended up freeing Fwpp as well. Everything else is allocated and currently in use, and the adjacent allocations are Ntfx (which is general allocation from Ntfs.sys, of which the name is self-explanatory). So I don't see any ugliness there. This really just looks like either two drivers fighting over the same pool allocation, or Avast did just bug out and attempted to free the pool allocation twice, possibly by attempting to close its filtering session twice. I personally can't tell beyond this. That's why Driver Verifier is helpful.

The Rage Guy · 18 May 2012

thank you sir! my friend suggested me to install to the beta drivers for my gtx670 301.40, and mentioned that 670 are actually failed 680 cores. that maybe the reason for the artifacting.

i will try with the new drivers and monitor the situation. if it still crashes i will proceed with the verifier.

thank you again for the help!

Windows 7: BSOD with kernel power while playing Diablo 3

BSOD with kernel power while playing Diablo 3 problems?