mullvad-wireguard.sys driver randomly crashes pc

[RileySpier]

Is it a bug?

• I know this is an issue with the app, and contacting Mullvad support is not relevant.

I have checked if others have reported this already

• I have checked the issue tracker to see if others have reported similar issues.

Current Behavior

the mullvad-wireguard.sys driver randomly crashes pc via BugCheck (found in EventViewer) and created MEMORY.DMP

Expected Behavior

should not crash

Steps to Reproduce

1. start your pc
2. install mullvad
3. wait to crash and check event viewer after to see a BugCheck failure entry with created memory dump

Failure Logs

nt!KeBugCheckEx:
fffff802`035fe580 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:fffffc82`500451b0=000000000000000a
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000001100000288, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8020344f554, address which referenced memory

Debugging Details:
------------------

Unable to load image \SystemRoot\System32\drivers\mullvad-wireguard.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 1125

    Key  : Analysis.Elapsed.mSec
    Value: 20521

    Key  : Analysis.IO.Other.Mb
    Value: 14

    Key  : Analysis.IO.Read.Mb
    Value: 1

    Key  : Analysis.IO.Write.Mb
    Value: 22

    Key  : Analysis.Init.CPU.mSec
    Value: 515

    Key  : Analysis.Init.Elapsed.mSec
    Value: 222526

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 90

    Key  : Analysis.Version.DbgEng
    Value: 10.0.27725.1000

    Key  : Analysis.Version.Description
    Value: 10.2408.27.01 amd64fre

    Key  : Analysis.Version.Ext
    Value: 1.2408.27.1

    Key  : Bugcheck.Code.KiBugCheckData
    Value: 0xa

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0xa

    Key  : Bugcheck.Code.TargetModel
    Value: 0xa

    Key  : Failure.Bucket
    Value: AV_nldrv!unknown_function

    Key  : Failure.Hash
    Value: {2877fa40-0854-70e6-1e7c-9a331eebdc60}

    Key  : Hypervisor.Enlightenments.Value
    Value: 0

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 0

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 0

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 0

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 0

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 0

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 0

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 0

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 0

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 1

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 0

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 0

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 0

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 0

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 131072

    Key  : Hypervisor.Flags.ValueHex
    Value: 20000

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 0

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 0

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 0

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 0

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 0

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 0

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.Value
    Value: 0

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 0

    Key  : SecureKernel.HalpHvciEnabled
    Value: 0

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1


BUGCHECK_CODE:  a

BUGCHECK_P1: 1100000288

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8020344f554

FILE_IN_CAB:  MEMORY.DMP

FAULTING_THREAD:  ffffa8874127f040

READ_ADDRESS: unable to get nt!PspSessionIdBitmap
 0000001100000288 

PROCESS_NAME:  System

TRAP_FRAME:  fffffc82500452f0 -- (.trap 0xfffffc82500452f0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffa8963a3019f8 rbx=0000000000000000 rcx=0000000000000000
rdx=ffffa8873a301b80 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8020344f554 rsp=fffffc8250045488 rbp=ffffa8873a2016a0
 r8=0000001100000278  r9=0000000000000000 r10=0000000000000001
r11=ffffa8873a2016a0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
nt!RtlRbRemoveNode+0x3b4:
fffff802`0344f554 41f6401001      test    byte ptr [r8+10h],1 ds:00000011`00000288=??
Resetting default scope

STACK_TEXT:  
xxxxxxxx`500451a8 xxxxxxxx`03612da9     : 00000000`0000000a 00000011`00000288 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
xxxxxxxx`500451b0 xxxxxxxx`0360e778     : 00000000`00000000 ffffa887`412c9364 00000000`000003f9 00000000`00000000 : nt!KiBugCheckDispatch+0x69
xxxxxxxx`500452f0 xxxxxxxx`0344f554     : ffffa887`33c02100 ffffffff`ffffffff fffff802`034b0127 00000000`00000001 : nt!KiPageFault+0x478
xxxxxxxx`50045488 xxxxxxxx`034b0127     : 00000000`00000001 00000000`08000000 ffffa887`3a100e80 00000000`00000008 : nt!RtlRbRemoveNode+0x3b4
xxxxxxxx`500454a0 xxxxxxxx`034afeda     : 00000000`00000008 fffff802`034b0af9 00000000`00000008 ffffa887`00000000 : nt!RtlpHpSegPageRangeAllocate+0x107
xxxxxxxx`50045540 xxxxxxxx`0354deb9     : fffffc82`500456d0 00000000`00008000 00000000`00000000 00000000`74019bed : nt!RtlpHpSegAlloc+0x5a
xxxxxxxx`500455a0 xxxxxxxx`0354de3c     : ffffa887`33c02340 00000000`00000001 00000000`00008000 ffffa887`33c02340 : nt!RtlpHpSegSubAllocate+0x3d
xxxxxxxx`500455f0 xxxxxxxx`034ba629     : ffffa887`33c02340 00000000`01400020 00000000`00008000 00000000`00008000 : nt!RtlpHpSegLfhAllocate+0x1c
xxxxxxxx`50045630 xxxxxxxx`0344c87e     : ffffffff`00000020 ffffffff`00000010 fffffc82`00000000 00000000`0000000f : nt!RtlpHpLfhSubsegmentCreate+0x135
xxxxxxxx`500456c0 xxxxxxxx`0344b241     : ffffa887`33c02340 ffffa887`33c06700 ffffa887`33c06e00 00000000`00000020 : nt!RtlpHpLfhSlotAllocate+0xcbe
xxxxxxxx`50045810 xxxxxxxx`03bb8074     : 00000000`00000002 00000000`00000011 00000000`6c6d656d 00000000`00000000 : nt!ExAllocateHeapPool+0x2b1
xxxxxxxx`50045950 xxxxxxxx`08ce24a6     : 00000000`000425f4 00000000`00000000 00000000`00000000 fffffc82`00000000 : nt!ExAllocatePoolWithTag+0x64
xxxxxxxx`500459a0 xxxxxxxx`08ce0dea     : fffffc82`50045ef0 fffffc82`50045b10 fffffc82`00000000 ffffa887`00000008 : nldrv+0x224a6
xxxxxxxx`50045a10 xxxxxxxx`08cd8b63     : 00000000`00000000 00000000`00000000 fffffc82`500465a8 00000000`00000000 : nldrv+0x20dea
xxxxxxxx`50045e70 xxxxxxxx`08cd9af5     : ffffa887`406a8c20 00000000`00000000 00000000`00000000 00000000`00000100 : nldrv+0x18b63
xxxxxxxx`50045ed0 xxxxxxxx`0868c89e     : 00000000`00000002 fffffc82`500465a8 ffffa887`39c08a48 00000000`00004500 : nldrv+0x19af5
xxxxxxxx`50045f60 xxxxxxxx`0868870b     : 00000000`00000010 fffffc82`50046548 ffffa887`38388cf0 ffffa887`38b50360 : NETIO!ProcessCallout+0x83e
xxxxxxxx`500460e0 xxxxxxxx`08882a0c     : ffffa887`3842b120 ffffa887`38388cf0 00000000`00000000 ffff9249`00000000 : NETIO!KfdClassify+0x8bb
xxxxxxxx`500464e0 xxxxxxxx`08822323     : 00000000`00000001 fffffc82`50046770 ffffa887`39a48300 ffffa887`38388cf0 : tcpip+0x122a0c
xxxxxxxx`50046620 xxxxxxxx`0879e6d8     : 0004b043`000000ff 00000000`00000000 00000000`ffffffff 00000000`00000040 : tcpip+0xc2323
xxxxxxxx`50046950 xxxxxxxx`0879d22a     : ffffa887`3839f8a8 ffffa887`0080308a fffffc82`50046d10 fffff802`0878c401 : tcpip+0x3e6d8
xxxxxxxx`50046c10 xxxxxxxx`0879ce04     : fffffc82`50047500 00000000`00000000 fffff802`08959a70 ffffa887`412da680 : tcpip+0x3d22a
xxxxxxxx`50046d90 xxxxxxxx`0878c091     : 00000000`00000000 00000000`00000000 00000000`0000bb01 00000000`00000000 : tcpip+0x3ce04
xxxxxxxx`50046dd0 xxxxxxxx`0878a83c     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip+0x2c091
xxxxxxxx`50047270 xxxxxxxx`0878a585     : 00000000`00000000 fffff802`0878a570 fffffc82`500476f0 fffffc82`500476f0 : tcpip+0x2a83c
xxxxxxxx`500475e0 xxxxxxxx`034909e8     : fffffc82`50047760 00000000`00000000 00000000`00000003 00000000`00000003 : tcpip+0x2a585
xxxxxxxx`50047610 xxxxxxxx`0349095d     : fffff802`0878a570 fffffc82`500476f0 ffffa887`38377b40 00000000`00000000 : nt!KeExpandKernelStackAndCalloutInternal+0x78
xxxxxxxx`50047680 xxxxxxxx`087daa0b     : 00000000`00001001 00000000`00000fff ffffa887`40410d00 00000000`00000000 : nt!KeExpandKernelStackAndCalloutEx+0x1d
xxxxxxxx`500476c0 xxxxxxxx`1a2965fc     : ffffa887`38a726f0 00000000`00000001 ffffa887`386dd540 00000000`000000c0 : tcpip+0x7aa0b
xxxxxxxx`50047740 xxxxxxxx`1a294c5c     : 00000000`58707249 00000000`00000000 ffffa887`386dd540 ffffa887`38a726f0 : afd!WskProIRPSendMessages+0xdc
xxxxxxxx`500477c0 xxxxxxxx`035705a7     : ffffa887`38a726f0 fffff802`034b6d71 00000000`00000000 00000000`00000050 : afd!AfdWskDispatchInternalDeviceControl+0x3c
xxxxxxxx`500477f0 xxxxxxxx`0370942b     : 00000000`02745b74 00000000`00000001 ffffa887`386dd540 00000000`00000000 : nt!IopfCallDriver+0x53
xxxxxxxx`50047830 xxxxxxxx`03636fb1     : 00000000`02745b74 ffffa887`38a726f0 ffffa887`40be6d00 00000000`00000000 : nt!IopPerfCallDriver+0xb3
xxxxxxxx`50047860 xxxxxxxx`1a297187     : ffffa887`3f0f8ad0 10000000`00000000 00000000`00010851 00000000`00000000 : nt!IofCallDriver+0x1ecd71
xxxxxxxx`500478a0 xxxxxxxx`2f5cd6ef     : 00000000`02745b74 00000000`00000000 00000000`02745b74 00000000`000000ff : afd!WskProAPISendMessages+0x67
xxxxxxxx`500478d0 xxxxxxxx`2f5cc14b     : ffffa887`45ae1010 00000000`00000000 00000000`00000000 ffffa887`4dc880b0 : mullvad_wireguard+0x1d6ef
xxxxxxxx`50047950 xxxxxxxx`2f5cc2e6     : ffffa887`38ca8000 00000000`00000000 00000000`00000000 ffffa887`38ca8000 : mullvad_wireguard+0x1c14b
xxxxxxxx`500479a0 xxxxxxxx`2f5cc5c6     : 00000000`00000001 ffffa887`38ca8000 00000000`00000000 ffffa887`45ae1010 : mullvad_wireguard+0x1c2e6
xxxxxxxx`500479d0 xxxxxxxx`2f5c830c     : ffffa887`3f0f8ad8 ffffa887`45ae1010 ffffa887`3f0f8ad0 ffffa887`38ca8348 : mullvad_wireguard+0x1c5c6
xxxxxxxx`50047a90 xxxxxxxx`0355a025     : ffffa887`4127f040 ffffa887`4127f040 fffff802`2f5c8260 00000000`00000000 : mullvad_wireguard+0x1830c
xxxxxxxx`50047b10 xxxxxxxx`03607588     : fffff802`00b17180 ffffa887`4127f040 fffff802`03559fd0 00000000`00000000 : nt!PspSystemThreadStartup+0x55
xxxxxxxx`50047b60 00000000`00000000     : fffffc82`50048000 fffffc82`50041000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28


SYMBOL_NAME:  nldrv+224a6

MODULE_NAME: nldrv

IMAGE_NAME:  nldrv.sys

STACK_COMMAND:  .process /r /p 0xffffa887342d9100; .thread 0xffffa8874127f040 ; kb

BUCKET_ID_FUNC_OFFSET:  224a6

FAILURE_BUCKET_ID:  AV_nldrv!unknown_function

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {2877fa40-0854-70e6-1e7c-9a331eebdc60}

Followup:     MachineOwner
---------

the ``mullvad-report.log`` file contained no useful info with matching timestamps

Operating system version

10.0.19041.1

Mullvad VPN app version

2024.7

Additional Information

due to this issue the system was reinstalled and the issue was still present after only after installing latest mullvad

[dlon]

Do you know if this also affects the WireGuard app? If you have the time to test this, we might be able to fix this faster, so we'd appreciate it very much!

[dlon]

Have you checked whether disabling NetLimiter makes any difference?

[RileySpier]

Do you know if this also affects the WireGuard app? If you have the time to test this, we might be able to fix this faster, so we'd appreciate it very much!

hi david,
thanks for checking out the issue.
i have not yet tested the WireGuard app itself since i have not used it standalone.
though what i can say so far is switching to OpenVPN in the tunnel protocol solved the crashes.

also good find on the net limiter. ill disable it and let you know after switching back to WireGuard as tunnel protocol in mullvad.

[dlon]

Closing this as a duplicate of some similar issues:

#5857
#7294

We will work on a fix soon.