none
NDIS LWF driver causes a BSOD RRS feed

  • Question

  • The driver will send some packets to remote computer, the following code is the sending part. The code works fine in ether-net card without problem. But whenever we switch to a wi-fi, it causes a blue screen. Any idea?

    NDIS_STATUS SendNdisPacket(POI_FILTER pFilter, PBYTE pPktBuffer, ULONG nPktLength, ULONG nPktHeaderLength)
    {
        PBYTE                               pBuf = NULL;
        PMDL                                pMDL = NULL;
        PNET_BUFFER_LIST                    pNBL = NULL;
        PFILTER_SEND_NETBUFLIST_RSVD        pSendRsvd = NULL;
        ULONG                               SendFlags = 0;

        FILTER_ACQUIRE_LOCK(&pFilter->SendLock, FALSE);
        pBuf = (PBYTE)NdisAllocateMemoryWithTagPriority(pFilter->FilterHandle, nPktLength + 1500, FILTER_ALLOC_TAG, LowPoolPriority);
        if( pBuf == NULL ) {
            FILTER_RELEASE_LOCK(&pFilter->SendLock, FALSE);
            return NDIS_STATUS_RESOURCES;
        }
        NdisMoveMemory(pBuf, pPktBuffer, nPktLength);
        pMDL = NdisAllocateMdl(pFilter->FilterHandle, pBuf, nPktHeaderLength);
        if( pMDL == NULL ) {
            if( pBuf ) {
                NdisFreeMemory(pBuf, 0, 0);
            }
            FILTER_RELEASE_LOCK(&pFilter->SendLock, FALSE);
            return NDIS_STATUS_RESOURCES;
        } else {
            pMDL->Next = NdisAllocateMdl(pFilter->FilterHandle, pBuf+nPktHeaderLength, nPktLength-nPktHeaderLength);
        }
        pNBL = NdisAllocateNetBufferAndNetBufferList(pFilter->UserSendNetBufferListPool, sizeof(FILTER_SEND_NETBUFLIST_RSVD), 0, pMDL, 0, nPktLength);
        if( pNBL == NULL ) {
            FILTER_RELEASE_LOCK(&pFilter->SendLock, FALSE);
            return NDIS_STATUS_RESOURCES;
        }
        FILTER_RELEASE_LOCK(&pFilter->SendLock, FALSE);
        pSendRsvd = (PFILTER_SEND_NETBUFLIST_RSVD)pNBL->Context;
        if( pSendRsvd ) {
            pSendRsvd->CustomPacket = 1;
            pSendRsvd->SendPoolHandle = pFilter->UserSendNetBufferListPool;
        }
        pNBL->SourceHandle = pFilter->FilterHandle;
        SendFlags |= NDIS_SEND_FLAGS_CHECK_FOR_LOOPBACK;
        NdisFSendNetBufferLists(pFilter->FilterHandle, pNBL, NDIS_DEFAULT_PORT_NUMBER, SendFlags);

        return NDIS_STATUS_SUCCESS;
    }

    VOID FilterSendNetBufferListsComplete(IN NDIS_HANDLE FilterModuleContext, IN PNET_BUFFER_LIST NetBufferLists, IN ULONG SendCompleteFlags)
    {
        POI_FILTER                          pFilter = (POI_FILTER)FilterModuleContext;
        ULONG                               NumOfSendCompletes = 0;
        BOOLEAN                             DispatchLevel = FALSE;
        PFILTER_SEND_NETBUFLIST_RSVD        pSendRsvd = NULL;
        PNET_BUFFER_LIST                    pCurrNBL = NULL;
        PNET_BUFFER_LIST                    pNextNBL = NULL;
        PNET_BUFFER                         pNB = NULL;
        PMDL                                pCurrMDL = NULL;
        PMDL                                pNextMDL = NULL;
        PVOID                               pDataBuffer = NULL;
        ULONG                               ulDataLength = 0;

        DebugPrint("*** NetworkDriverOI: ===>SendNBLComplete(), NetBufferList = %p\n", NetBufferLists);

        DispatchLevel = NDIS_TEST_SEND_AT_DISPATCH_LEVEL(SendCompleteFlags);
        pCurrNBL = NetBufferLists;
        while( pCurrNBL != NULL ) {
            pNextNBL = NET_BUFFER_LIST_NEXT_NBL(pCurrNBL);
            NET_BUFFER_LIST_NEXT_NBL(pCurrNBL) = NULL;
            pSendRsvd = (PFILTER_SEND_NETBUFLIST_RSVD)pCurrNBL->Context;
            if( pSendRsvd && pSendRsvd->SendPoolHandle == pFilter->UserSendNetBufferListPool && pSendRsvd->CustomPacket == 1 ) {
                FILTER_ACQUIRE_LOCK(&pFilter->SendLock, DispatchLevel);
                // This is a custom packet, we need free it
                pNB = NET_BUFFER_LIST_FIRST_NB(pCurrNBL);
                while( pNB != NULL ) {
                    pCurrMDL = NET_BUFFER_FIRST_MDL(pNB);
                    while( pCurrMDL != NULL ) {
                        pDataBuffer = NULL;
                        ulDataLength = 0;
                        pNextMDL = NDIS_MDL_LINKAGE(pCurrMDL);
                        NdisQueryMdl(pCurrMDL, (PVOID *)&pDataBuffer, &ulDataLength, NormalPagePriority);
                        if( pDataBuffer != NULL ) {
                            NdisFreeMemory(pDataBuffer, 0, 0);
                        }
                        NdisFreeMdl(pCurrMDL);
                        pCurrMDL = pNextMDL;
                    }
                    pNB = NET_BUFFER_NEXT_NB(pNB);
                }
                FILTER_RELEASE_LOCK(&pFilter->SendLock, DispatchLevel);
            } else {
                NdisFSendNetBufferListsComplete(pFilter->FilterHandle, pCurrNBL, SendCompleteFlags);
            }
            pCurrNBL = pNextNBL;
        }

        DebugPrint("*** NetworkDriverOI: <===SendNBLComplete()\n");
    }

    Wednesday, May 22, 2013 8:44 PM

Answers

  • Ah, I overlooked that error.  This is incorrect:

    pSendRsvd = (PFILTER_SEND_NETBUFLIST_RSVD)pCurrNBL->Context;

    The NBL->Context pointer is not where you start writing your context data.  You should use a macro like NET_BUFFER_LIST_CONTEXT_DATA_START to access the context data.

    Wednesday, May 29, 2013 11:07 PM

All replies

  • Start with the output of !analyze -v and make sure symbols are correct

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, May 22, 2013 9:52 PM
  • Unless you push a context onto all send NBLs, you aren't guaranteed that it's safe to access NBL->Context for all NBLs that come up through sendcomplete.  It's safer (and faster) to identify your NBLs by looking at NBL->SourceHandle.

    I don't see any code to free the NBL?

    Remember the MTU can be >1500 if jumbo frames are enabled.

    Typically you'd need to increment a refcount of some sort when sending your own packet, so that you can honor the pause rule "Must wait for NDIS to return all outstanding send requests that the driver originated"

    Failure to allocate an NBL leaks the MDL & buffer.

    Why do you need to hold a lock while allocating memory and NBLs?  Likewise, why hold the lock while freeing the memory?

    With the !analyze -v output, also attach !ndiskd.miniport on the miniport that your filter is attached to.

    Wednesday, May 22, 2013 10:09 PM
  • It seems that it is a random crash. Here is !analyze -v output

    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    KMODE_EXCEPTION_NOT_HANDLED (1e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Arguments:
    Arg1: 0000000000000000, The exception code that was not handled
    Arg2: 0000000000000000, The address that the exception occurred at
    Arg3: 0000000000000000, Parameter 0 of the exception
    Arg4: 0000000000000000, Parameter 1 of the exception

    Debugging Details:
    ------------------


    EXCEPTION_CODE: (Win32) 0 (0) - The operation completed successfully.

    FAULTING_IP:
    +3164626536633236
    00000000`00000000 ??              ???

    EXCEPTION_PARAMETER1:  0000000000000000

    EXCEPTION_PARAMETER2:  0000000000000000

    ERROR_CODE: (NTSTATUS) 0 - STATUS_WAIT_0

    BUGCHECK_STR:  0x1E_0

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    PROCESS_NAME:  NiPagingServer

    CURRENT_IRQL:  2

    EXCEPTION_RECORD:  fffff80000ba2ab8 -- (.exr 0xfffff80000ba2ab8)
    ExceptionAddress: fffff88003a565f5 (USBPORT!USBPORT_DereferenceDeviceHandle+0x00000000000000ad)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000000
       Parameter[1]: ffffffffffffffff
    Attempt to read from address ffffffffffffffff

    TRAP_FRAME:  fffff80000ba2b60 -- (.trap 0xfffff80000ba2b60)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=01fffa80019ac300 rbx=0000000000000000 rcx=fffffa800200a010
    rdx=0000000048766544 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff88003a565f5 rsp=fffff80000ba2cf0 rbp=0000000000000000
     r8=0000000048766544  r9=0000000000000000 r10=fffffa8000ce5210
    r11=0000000000000002 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl nz ac po cy
    USBPORT!USBPORT_DereferenceDeviceHandle+0xad:
    fffff880`03a565f5 488b4320        mov     rax,qword ptr [rbx+20h] ds:00000000`00000020=????????????????
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from fffff8000297ad92 to fffff8000288b490

    STACK_TEXT:  
    fffff800`00ba13f8 fffff800`0297ad92 : 00000000`00000000 fffffa80`00de3660 00000000`00000065 fffff800`028cf178 : nt!RtlpBreakWithStatusInstruction
    fffff800`00ba1400 fffff800`0297bb7e : 00000000`00000003 00000000`00000000 fffff800`028cf9d0 00000000`0000001e : nt!KiBugCheckDebugBreak+0x12
    fffff800`00ba1460 fffff800`0289375b : 00000000`00000000 00000000`00000000 fffff800`00ba1340 00000000`0000004f : nt!KeBugCheck2+0x71e
    fffff800`00ba1b30 fffff800`02893619 : 00000000`0000001e fffff800`00ba2fb0 fffff800`00ba2310 fffff800`00ba1c90 : nt!KeBugCheckEx+0x11b
    fffff800`00ba1b70 fffff800`0288affe : 00000000`00000000 00000000`00000000 fffff800`00ba2310 fffff800`028bf2a0 : nt!KiBugCheckReturn+0x5
    fffff800`00ba1ba0 fffff800`028bef6d : fffff800`02a9aa10 fffff800`029d6c78 fffff800`02813000 fffff800`00ba2ab8 : nt!KiKernelCalloutExceptionHandler+0xe
    fffff800`00ba1bd0 fffff800`028bdd45 : fffff800`029da028 fffff800`00ba1c48 fffff800`00ba2ab8 fffff800`02813000 : nt!RtlpExecuteHandlerForException+0xd
    fffff800`00ba1c00 fffff800`028cedc1 : fffff800`00ba2ab8 fffff800`00ba2310 fffff800`00000000 fffffa80`0200a010 : nt!RtlDispatchException+0x415
    fffff800`00ba22e0 fffff800`02892cc2 : fffff800`00ba2ab8 01fffa80`019ac2e0 fffff800`00ba2b60 fffffa80`0200a0e8 : nt!KiDispatchException+0x135
    fffff800`00ba2980 fffff800`028915ca : 00000000`00000000 fffffa80`0225da18 fffffa80`0225d1a0 fffff880`03a30783 : nt!KiExceptionDispatch+0xc2
    fffff800`00ba2b60 fffff880`03a565f5 : fffffa80`0225d050 00000000`00000000 fffffa80`0200a010 fffffa80`0225d1a0 : nt!KiGeneralProtectionFault+0x10a
    fffff800`00ba2cf0 fffff880`03a41614 : fffffa80`0225d050 fffffa80`021aa402 00000000`00000000 fffffa80`0225d1a0 : USBPORT!USBPORT_DereferenceDeviceHandle+0xad
    fffff800`00ba2d50 fffff880`03a41b0f : fffffa80`0149c902 fffffa80`031d3a00 00000000`ffffffff fffffa80`0225deb0 : USBPORT!USBPORT_Core_iCompleteDoneTransfer+0x9f8
    fffff800`00ba2e30 fffff880`03a3f66f : fffffa80`0225deb0 fffffa80`0225d1a0 fffffa80`0225e050 00000000`00000000 : USBPORT!USBPORT_Core_iIrpCsqCompleteDoneTransfer+0x3a7
    fffff800`00ba2e90 fffff880`03a30f89 : fffffa80`0225d050 00000000`00000000 fffffa80`0225de02 fffffa80`0225deb0 : USBPORT!USBPORT_Core_UsbIocDpc_Worker+0xf3
    fffff800`00ba2ed0 fffff800`0289eb1c : fffff800`02a05e80 fffffa80`0225deb0 fffffa80`0225dec8 00000000`0000ffff : USBPORT!USBPORT_Xdpc_Worker+0x1d9
    fffff800`00ba2f00 fffff800`02896165 : 00000000`00000000 fffffa80`00de3660 00000000`00000000 fffff880`03a30db0 : nt!KiRetireDpcList+0x1bc
    fffff800`00ba2fb0 fffff800`02895f7c : fffffa80`022591a0 fffff880`03a5b3cc fffffa80`022591a0 00000000`00000000 : nt!KxRetireDpcList+0x5
    fffff880`0598eea0 fffff800`028df453 : fffff800`0288f4b6 fffff800`0288f522 ffffffff`ff880c8e fffffa80`01c10601 : nt!KiDispatchInterruptContinue
    fffff880`0598eed0 fffff800`0288f522 : ffffffff`ff880c8e fffffa80`01c10601 fffffa80`018480c0 fffffa80`03275970 : nt!KiDpcInterruptBypass+0x13
    fffff880`0598eee0 fffff800`02e0b17e : fffff800`02e0c790 fffffa80`035fe9b8 fffff880`01119801 fffffa80`01875d78 : nt!KiInterruptDispatch+0x212
    fffff880`0598f078 fffff800`02e0c790 : fffffa80`035fe9b8 fffff880`01119801 fffffa80`01875d78 00000000`00000000 : hal!HalpGetPmTimerPerfCounterValue+0x10
    fffff880`0598f080 fffff800`02879122 : 00000000`00369e99 fffffa80`01e20000 00000000`4b466650 fffffa80`01c86a70 : hal!KeQueryPerformanceCounter+0x9c
    fffff880`0598f0b0 fffff800`02975a1d : fffff880`00020000 00000000`00000201 fffff880`00000000 fffff880`0598f188 : nt!EtwpReserveTraceBuffer+0xe2
    fffff880`0598f150 fffff800`02975c26 : 00000000`00000200 00000000`00000000 fffff800`00000002 fffff800`0294209e : nt!EtwpLogKernelEvent+0x24d
    fffff880`0598f1f0 fffff800`0298952d : fffff880`0598f3d8 00000000`00000000 00000000`00000000 00000000`00000000 : nt!EtwpTraceKernelEvent+0xa6
    fffff880`0598f240 fffff880`0114b692 : fffff8a0`000acff0 fffff880`0598f430 fffff880`0598f3d8 00000000`00000000 : nt!EtwpTraceFileName+0xdd
    fffff880`0598f2d0 fffff880`0114bba8 : fffff880`00000047 fffff8a0`0195e900 fffff880`0598f4b0 fffff880`0598f4b0 : fileinfo!FIStreamLog+0x1be
    fffff880`0598f3a0 fffff880`0114b3c8 : fffff8a0`0195e900 00000000`00000000 fffff880`0598f4b0 fffff880`0598f4b0 : fileinfo!FIStreamSetFileInfo+0x14c
    fffff880`0598f410 fffff880`01149bdb : fffff140`01771247 00000000`00000001 00000000`00000000 00000000`00000d90 : fileinfo!FIStreamGetInfo+0x17c
    fffff880`0598f490 fffff880`010fa288 : 00000000`00000000 fffff8a0`0195e900 fffffa80`03574fb8 00000000`00000000 : fileinfo!FIPostCreateCallback+0x1c7
    fffff880`0598f520 fffff880`010f8d1b : fffffa80`01c11030 fffffa80`031dbd80 fffffa80`01c776b0 fffffa80`01c778d0 : fltmgr!FltpPerformPostCallbacks+0x368
    fffff880`0598f5f0 fffff880`011182b9 : fffffa80`03574c60 fffffa80`01c10010 fffffa80`03574c00 fffffa80`019de8e0 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
    fffff880`0598f680 fffff800`02b91495 : 00000000`00000005 fffffa80`035e6cc8 fffffa80`034edb10 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    fffff880`0598f730 fffff800`02b8dd38 : fffffa80`0194acd0 fffff800`00000000 fffffa80`035e6b10 fffffa80`00000001 : nt!IopParseDevice+0x5a5
    fffff880`0598f8c0 fffff800`02b8ef56 : 00000000`00000000 fffffa80`035e6b10 fffff8a0`01ec7010 fffffa80`00cd9f30 : nt!ObpLookupObjectName+0x588
    fffff880`0598f9b0 fffff800`02b9085c : 00000000`00000000 00000000`00000000 fffffa80`02831c01 fffffa80`032f20f0 : nt!ObOpenObjectByName+0x306
    fffff880`0598fa80 fffff800`02b7c134 : 00000000`0472efc0 fffff8a0`00100001 00000000`0472f008 00000000`0472f038 : nt!IopCreateFile+0x2bc
    fffff880`0598fb20 fffff800`028928d3 : fffffa80`035f7b30 00000000`00000001 fffffa80`00de3660 fffff800`02b8aa34 : nt!NtOpenFile+0x58
    fffff880`0598fbb0 00000000`7772164a : 000007fe`fd96592e 00000000`0472f018 00000000`0472f030 00000000`00000268 : nt!KiSystemServiceCopyEnd+0x13
    00000000`0472ef38 000007fe`fd96592e : 00000000`0472f018 00000000`0472f030 00000000`00000268 00000000`00000003 : ntdll!NtOpenFile+0xa
    00000000`0472ef40 000007fe`fd99d739 : 00000000`00000000 00000000`0472f880 00000000`01f55310 00000000`00020001 : KERNELBASE!FindFirstFileExW+0x1ee
    00000000`0472f310 00000001`3fca3c97 : ffffffff`80000002 00000000`0472f60c 00000000`0472f918 00000000`01f74018 : KERNELBASE!FindFirstFileA+0x59
    00000000`0472f5f0 ffffffff`80000002 : 00000000`0472f60c 00000000`0472f918 00000000`01f74018 00000000`00000001 : NiPagingServer+0x3c97
    00000000`0472f5f8 00000000`0472f60c : 00000000`0472f918 00000000`01f74018 00000000`00000001 00000000`01f5e828 : 0xffffffff`80000002
    00000000`0472f600 00000000`0472f918 : 00000000`01f74018 00000000`00000001 00000000`01f5e828 ffffffff`fffffffe : 0x472f60c
    00000000`0472f608 00000000`01f74018 : 00000000`00000001 00000000`01f5e828 ffffffff`fffffffe 00000000`0472f918 : 0x472f918
    00000000`0472f610 00000000`00000001 : 00000000`01f5e828 ffffffff`fffffffe 00000000`0472f918 00000000`0472f880 : 0x1f74018
    00000000`0472f618 00000000`01f5e828 : ffffffff`fffffffe 00000000`0472f918 00000000`0472f880 00000000`0472f610 : 0x1
    00000000`0472f620 ffffffff`fffffffe : 00000000`0472f918 00000000`0472f880 00000000`0472f610 00000000`01f5e828 : 0x1f5e828
    00000000`0472f628 00000000`0472f918 : 00000000`0472f880 00000000`0472f610 00000000`01f5e828 ffffffff`fffffffe : 0xffffffff`fffffffe
    00000000`0472f630 00000000`0472f880 : 00000000`0472f610 00000000`01f5e828 ffffffff`fffffffe 00000000`000a0009 : 0x472f918
    00000000`0472f638 00000000`0472f610 : 00000000`01f5e828 ffffffff`fffffffe 00000000`000a0009 00000000`00000002 : 0x472f880
    00000000`0472f640 00000000`01f5e828 : ffffffff`fffffffe 00000000`000a0009 00000000`00000002 00000000`00000000 : 0x472f610
    00000000`0472f648 ffffffff`fffffffe : 00000000`000a0009 00000000`00000002 00000000`00000000 00000000`00000000 : 0x1f5e828
    00000000`0472f650 00000000`000a0009 : 00000000`00000002 00000000`00000000 00000000`00000000 00000000`00000000 : 0xffffffff`fffffffe
    00000000`0472f658 00000000`00000002 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`74ad8d94 : 0xa0009
    00000000`0472f660 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`74ad8d94 00000000`0472f7b0 : 0x2


    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    USBPORT!USBPORT_DereferenceDeviceHandle+ad
    fffff880`03a565f5 488b4320        mov     rax,qword ptr [rbx+20h]

    SYMBOL_STACK_INDEX:  b

    SYMBOL_NAME:  USBPORT!USBPORT_DereferenceDeviceHandle+ad

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: USBPORT

    IMAGE_NAME:  USBPORT.SYS

    DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7a670

    FAILURE_BUCKET_ID:  X64_0x1E_0_USBPORT!USBPORT_DereferenceDeviceHandle+ad

    BUCKET_ID:  X64_0x1E_0_USBPORT!USBPORT_DereferenceDeviceHandle+ad

    Followup: MachineOwner
    ---------

    Thursday, May 23, 2013 3:34 PM
  • kd> !ndiskd.miniports
    RTL8192su.sys, v1.0
      fffffa80020891a0 NetLuidIndex  0, IfIndex 13,  D-Link DWA-130 Wireless N USB Adapter
    rassstp.sys, v0.0
      fffffa80022c31a0 NetLuidIndex  0, IfIndex  2,  WAN Miniport (SSTP)
    raspptp.sys, v0.0
      fffffa80022ba1a0 NetLuidIndex  3, IfIndex  4,  WAN Miniport (PPTP)
    raspppoe.sys, v0.0
      fffffa80022de1a0 NetLuidIndex  0, IfIndex  5,  WAN Miniport (PPPOE)
    ndiswan.sys, v0.0
      fffffa80022ae1a0 NetLuidIndex  0, IfIndex  6,  WAN Miniport (IPv6)
      fffffa80022ac1a0 NetLuidIndex  4, IfIndex  8,  WAN Miniport (IP)
      fffffa80022aa1a0 NetLuidIndex  1, IfIndex  7,  WAN Miniport (Network Monitor)
    rasl2tp.sys, v0.0
      fffffa800229d1a0 NetLuidIndex  2, IfIndex  3,  WAN Miniport (L2TP)
    AgileVpn.sys, v1.0
      fffffa80022991a0 NetLuidIndex  1, IfIndex 10,  WAN Miniport (IKEv2)
    tunnel.sys, v1.0
      fffffa80022361a0 NetLuidIndex  5, IfIndex 12,  Teredo Tunneling Pseudo-Interface
      fffffa80022341a0 NetLuidIndex  4, IfIndex 14,  Microsoft ISATAP Adapter
    kd> !ndiskd.miniport
        MiniDriver         Miniport            Name                                _
        fffffa8002084020   fffffa80020891a0    D-Link DWA-130 Wireless N USB Adapter
        fffffa80022c2cd0   fffffa80022c31a0    WAN Miniport (SSTP)
        fffffa80022b98f0   fffffa80022ba1a0    WAN Miniport (PPTP)
        fffffa80022b0270   fffffa80022de1a0    WAN Miniport (PPPOE)
        fffffa80022a4260   fffffa80022ae1a0    WAN Miniport (IPv6)
        fffffa80022a4260   fffffa80022ac1a0    WAN Miniport (IP)
        fffffa80022a4260   fffffa80022aa1a0    WAN Miniport (Network Monitor)
        fffffa800229b140   fffffa800229d1a0    WAN Miniport (L2TP)
        fffffa8002298020   fffffa80022991a0    WAN Miniport (IKEv2)
        fffffa8001ffc9b0   fffffa80022361a0    Teredo Tunneling Pseudo-Interface
        fffffa8001ffc9b0   fffffa80022341a0    Microsoft ISATAP Adapter
    kd> !ndiskd.miniport fffffa80020891a0


    MINIPORT

        D-Link DWA-130 Wireless N USB Adapter

        Ndis Handle        fffffa80020891a0
        Ndis API Version   v6.20
        Adapter Context    fffffa8002400000
        Miniport Driver    fffffa8002084020 - RTL8192su.sys  v1.0
        Ndis Verifier      [No flags set]

        Media Type         802.3
        Physical Medium    Native802.11
        Device Path        \??\USB#VID_07D1&PID_3300#00e04c000001#{ad498944-762f-11d0-8dcb-00c04fc3358c}\{7ACD46C5-0CDB-43EA-918F-B1EAAEFC0CFC}
        Device Object      fffffa8002089050
        MAC Address        ac-f1-df-86-5f-78


    STATE

        Miniport           Running
        Device PnP         Started
        Datapath           Normal
        Interface          Up
        Media              Connected
        Power              D0
        References         0n55
        User Handles       0
        Automatic Resets   1
        Resets Requested   0
        Pending OID        None
        Flags              2c456000
            ↑ NOT_BUS_MASTER, CHECK_FOR_LOOPBACK, DEFAULT_PORT_ACTIVATED,
            SUPPORTS_MEDIA_SENSE, DOES_NOT_DO_LOOPBACK, MEDIA_CONNECTED
        PnPFlags           00610021
            ↑ PM_SUPPORTED, DEVICE_POWER_ENABLED, RECEIVED_START, HARDWARE_DEVICE,
            NDIS_WDM_DRIVER


    BINDINGS

        Filter List        Filter              Filter Driver      Context          _
        WFP LightWeight Filter-0000
                           fffffa8003184c90    fffffa8001ca3d60   fffffa8003184a30
        QoS Packet Scheduler-0000
                           fffffa8003182c90    fffffa8001ce0b40   fffffa800392dde0
        PCAUSA Sample IP Redirector Filter-0000
                           fffffa8003183c90    fffffa8001ce9210   fffffa80019fd010
        NetworkDriverOI: Observer Infrastructure Network Driver-0000
                           fffffa8003185c90    fffffa8001ce8d10   fffffa8000d14db0
        Native WiFi Filter Driver-0000
                           fffffa8003172c90    fffffa8003806350   fffffa8003bce810
        Virtual WiFi Filter Driver-0000
                           fffffa8003181c90    fffffa8001cdf880   fffffa8003bd8310

        Open List          Open                Protocol           Context          _
        TCPIP6             fffffa8003bec8d0    fffffa80018e5a70   fffffa800318fba0
        TCPIP              fffffa8003be2190    fffffa80018e6850   fffffa800318aba0
        LLTDIO             fffffa8003be28d0    fffffa8003806010   fffffa8003bdd3e0
        RSPNDR             fffffa800187e190    fffffa800380d320   fffffa8003bdd6b0
        NDISUIO            fffffa800187e8d0    fffffa800380c9e0   fffffa8003c3ee00
        VMONILA            fffffa8003bd3130    fffffa8003802a00   fffffa8003c3a1a0


    MORE INFORMATION

         → Driver handlers                      → Task offloads
         → Power management                     → PM protocol offloads
         → Pending OIDs                         → Timers
         → Pending NBLs                         → Receive Side Throttling
         → Wake-on-LAN (WoL)                    → Packet filter
         → Receive queues                       → Receive filtering
         → NDIS ports                           → NIC switch
    Thursday, May 23, 2013 3:35 PM
  • Your filter is evidentially causing the miniport to crash in the USB stack.  It looks like this is in the I/O path, which makes the packet-handling code look more suspicious.

    Based on the code I've seen, I'm guessing that your filter is illegally sending an NBL down twice without waiting for it to be completed back to your filter.  This might cause the miniport to attempt to send the same data down to the hardware, and see a corruption of its own internal bookkeeping.

    Thursday, May 23, 2013 11:03 PM
  • tried once more, it shows some different crash information:

    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: fffffa80019421a3, memory referenced
    Arg2: 0000000000000002, IRQL
    Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
    Arg4: fffff8800481f094, address which referenced memory

    Debugging Details:
    ------------------


    WRITE_ADDRESS:  fffffa80019421a3 Nonpaged pool

    CURRENT_IRQL:  2

    FAULTING_IP:
    nwifi!MP6SendOneNBL+1b4
    fffff880`0481f094 41895c2c10      mov     dword ptr [r12+rbp+10h],ebx

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0xD1

    PROCESS_NAME:  ObsInfr.exe

    TRAP_FRAME:  fffff88005d604e0 -- (.trap 0xfffff88005d604e0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000000 rbx=0000000000000000 rcx=fffffa8001941e90
    rdx=0000000000000303 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff8800481f094 rsp=fffff88005d60670 rbp=fffffa8001941e90
     r8=0000000000000000  r9=00000000646e5344 r10=fffffa8001875580
    r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl nz na pe nc
    nwifi!MP6SendOneNBL+0x1b4:
    fffff880`0481f094 41895c2c10      mov     dword ptr [r12+rbp+10h],ebx ds:f2e0:1ea0=????????
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from fffff800029ccd92 to fffff800028dd490

    STACK_TEXT:  
    fffff880`05d5fc28 fffff800`029ccd92 : fffffa80`019421a3 fffffa80`01fcbb60 00000000`00000065 fffff800`02921178 : nt!RtlpBreakWithStatusInstruction
    fffff880`05d5fc30 fffff800`029cdb7e : 00000000`00000003 00000000`00000000 fffff800`029219d0 00000000`000000d1 : nt!KiBugCheckDebugBreak+0x12
    fffff880`05d5fc90 fffff800`028e5744 : fffffa80`00cbf4b0 00000000`00000001 00000045`00000000 fffff800`0288f790 : nt!KeBugCheck2+0x71e
    fffff880`05d60360 fffff800`028e4be9 : 00000000`0000000a fffffa80`019421a3 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx+0x104
    fffff880`05d603a0 fffff800`028e3860 : fffffa80`037bf320 00000000`00000050 fffffa80`00000000 00000000`00000001 : nt!KiBugCheckDispatch+0x69
    fffff880`05d604e0 fffff880`0481f094 : 00000000`00000001 00000000`00000000 00000000`00000001 00000000`00000001 : nt!KiPageFault+0x260
    fffff880`05d60670 fffff880`0481f51b : fffffa80`03137010 fffff880`01503110 fffffa80`03137010 fffffa80`00000000 : nwifi!MP6SendOneNBL+0x1b4
    fffff880`05d607c0 fffff880`04824f67 : 00000000`00000300 fffffa80`01941cb0 00000000`00000000 00000000`00000000 : nwifi!MP6SendNBLInternal+0x67
    fffff880`05d60810 fffff880`014a1624 : fffffa80`0313ac90 fffffa80`01941cb0 fffffa80`00000000 00000000`00000002 : nwifi!FilterSendNetBufferLists+0x7f
    fffff880`05d60840 fffff880`03784d21 : fffffa80`01941cb0 fffffa80`00db3540 fffffa80`0205773c fffff880`00000000 : ndis!NdisFSendNetBufferLists+0x64
    fffff880`05d60880 fffff880`0378703e : fffffa80`0313b010 fffffa80`02057700 fffffa80`0000003c fffffa80`00db3540 : NetworkDriverOI!SendNdisPacket+0x1a1 [c:\c\observ60\vxd\networkdriveroi\networkdriveroi.c @ 1504]
    fffff880`05d60900 fffff880`03780689 : fffffa80`01ced060 fffffa80`0387a7d0 00000000`00000001 00000000`20206f49 : NetworkDriverOI!SendIcmpPingPacket+0x3de [c:\c\observ60\vxd\networkdriveroi\networkdriveroi.c @ 2301]
    fffff880`05d60980 fffff880`0153e547 : fffffa80`01ced060 fffffa80`0387a7d0 fffffa80`01ced060 00000000`00000001 : NetworkDriverOI!FilterDeviceIoControl+0x179 [c:\c\observ60\vxd\networkdriveroi\device.c @ 143]
    fffff880`05d609d0 fffff800`02bfff97 : fffffa80`00db3540 fffff880`05d60ca0 fffffa80`00db3540 fffffa80`0387a7d0 : ndis!ndisDummyIrpHandler+0xb7
    fffff880`05d60a10 fffff800`02c007f6 : 00000000`00000b00 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x607
    fffff880`05d60b40 fffff800`028e48d3 : 00000000`00000003 00000000`00000bb8 00000000`000292d0 00000000`175fe9e0 : nt!NtDeviceIoControlFile+0x56
    fffff880`05d60bb0 00000000`77c2138a : 000007fe`fdd1b939 00000000`00000060 00000000`00300000 00000000`00000052 : nt!KiSystemServiceCopyEnd+0x13
    00000000`175fe938 000007fe`fdd1b939 : 00000000`00000060 00000000`00300000 00000000`00000052 00000000`00000052 : ntdll!NtDeviceIoControlFile+0xa
    00000000`175fe940 00000000`77ac683f : 00000000`80002018 00000000`0b605878 00000000`0b605878 00000000`0b636550 : KERNELBASE!DeviceIoControl+0x75
    00000000`175fe9b0 000007fe`f4512212 : 00000000`00000000 00000000`00000000 00000000`175febe0 00000000`10562e60 : kernel32!DeviceIoControlImplementation+0x7f
    00000000`175fea00 00000000`00000000 : 00000000`00000000 00000000`175febe0 00000000`10562e60 00000000`00000000 : DYNMAPLA!ObsdSendIcmpPingPacket+0x62


    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    nwifi!MP6SendOneNBL+1b4
    fffff880`0481f094 41895c2c10      mov     dword ptr [r12+rbp+10h],ebx

    SYMBOL_STACK_INDEX:  6

    SYMBOL_NAME:  nwifi!MP6SendOneNBL+1b4

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: nwifi

    IMAGE_NAME:  nwifi.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bcc3b

    FAILURE_BUCKET_ID:  X64_0xD1_nwifi!MP6SendOneNBL+1b4

    BUCKET_ID:  X64_0xD1_nwifi!MP6SendOneNBL+1b4

    Followup: MachineOwner
    ---------

    Friday, May 24, 2013 1:56 PM
  • more information:

    (1) if I enable verifier on either nwifi.sys or our driver, it doesn't blue screen and works fine. Also our driver is working fine in ethernet card.

    (2) How to send packet:

    App passes a structure to driver through "[IRP_MJ_DEVICE_CONTROL]", and NDIS filter driver will generate the packet and send out using "SendNdisPacket()".

    • Edited by Shubin Friday, May 24, 2013 6:11 PM
    Friday, May 24, 2013 5:07 PM
  • Have to write some feed back again.

    It seems that we found the problem:

    pNBL = NdisAllocateNetBufferAndNetBufferList(pFilter->UserSendNetBufferListPool, sizeof(FILTER_SEND_NETBUFLIST_RSVD), 0, pMDL, 0, nPktLength);

    if change the ContextSize to 0, the driver will work fine with wifi. The size of FILTER_SEND_NETBUFLIST_RSVD is 16 which is equal to MEMORY_ALLOCATION_ALIGNMENT.

    If we need the use the context, how to fix the problem? Why the ContextSize works with wired ethernet interface, but crashes with wifi (USB adapter)?

    Wednesday, May 29, 2013 9:20 PM
  • Ah, I overlooked that error.  This is incorrect:

    pSendRsvd = (PFILTER_SEND_NETBUFLIST_RSVD)pCurrNBL->Context;

    The NBL->Context pointer is not where you start writing your context data.  You should use a macro like NET_BUFFER_LIST_CONTEXT_DATA_START to access the context data.

    Wednesday, May 29, 2013 11:07 PM