Windows 10 LAG team crash in NdisImPlatform!implatTeamQueryObject


  • System: Windows 10, latest official build (as of the February 2016 post date)

    Hardware: dual-port Intel 1000PT with a LAG (link aggregation) team spanning both ports.

    Driver: my NDIS lightweight filter (LWF) driver, which collects UDP stream data. (The original post says "Ndis 5"; lightweight filters are an NDIS 6.x construct, so this is presumably an NDIS 6-based LWF.)

    There are at least two different locations in NdisImPlatform!implatTeamQueryObject that crash, both times with an invalid memory access (exception code 0xC0000005; see the two bugchecks below).

    I have also seen an IRQL-related page-fault bugcheck at the same location.

    This happens while either my user-mode application or some Windows component issues a DeviceIoControl (in the first dump it is Windows.Networking.Connectivity calling GetIfTable2 via IPHLPAPI → NSI → nsiproxy → NDIS), and the kernel-side dispatch then reads corrupted data.

    So my question is: what data is that function accessing, and could it be that I supplied incorrect data while registering the filter driver? From the disassembly it looks like a linked-list walk (`lea rbx,[r8+10h]` / `cmp rbx,r14` appears to terminate when the cursor reaches the list head held in r14), and in both dumps r8 is not a plausible entry pointer: in the first it is f5ef2010`ffffdff1, where the two 32-bit halves of a kernel pointer of the form ffffe001`f5ef2010 appear to have been swapped or shifted by four bytes, and in the second it is ffffe001`15e55b66, which is not even 8-byte aligned. That pattern points to an overwritten list link in NDIS-owned memory rather than to a bad registration parameter; running Driver Verifier (special pool, pool tracking, NDIS verification) against the LWF should catch the offending write at the point it happens instead of at this later read.

    If it is not my fault, is there a plan to fix this? Note that, as the first stack shows, the fault is reachable from user mode through NtDeviceIoControlFile (IPHLPAPI GetIfTable2 → NSI → nsiproxy → NDIS), so while the corruption is present any local process that enumerates network interfaces can bugcheck the machine.

    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff800a1b13906, Address of the instruction which caused the bugcheck
    Arg3: ffffd00024837840, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.


    STACK_TEXT:  
    ffffd000`24838260 fffff800`9c5e804c : 00000000`000000d8 00000000`00000300 00000000`000000d8 00000000`00000000 : NdisImPlatform!implatTeamQueryObject+0x196
    ffffd000`248382a0 fffff800`9c5545b5 : ffffe001`eecc7820 00000000`00000000 ffffd000`24838360 00060080`000000d8 : ndis!ndisNsiGetInterfaceRodInformation+0x1ac
    ffffd000`24838330 fffff800`9c699b9e : ffffd000`24838490 ffffe001`edb50010 ffffe001`f0477000 00000000`00000000 : ndis!ndisNsiGetAllInterfaceInformation+0x445
    ffffd000`248383f0 fffff800`9ce521b1 : ffffe001`f0477000 ffffe001`00000070 00000000`00000000 00000000`00000070 : NETIO!NsiEnumerateObjectsAllParametersEx+0x5fe
    ffffd000`248385d0 fffff800`9ce51e21 : 00000000`00000000 ffffe001`ef2e01b0 ffffe001`ef2e00e0 00000000`00000000 : nsiproxy!NsippEnumerateObjectsAllParameters+0x201
    ffffd000`248387c0 fffff802`496b0c4d : 00000000`00000000 ffffe001`ef2e00e0 ffffe001`ef2e00e0 fffff580`10804000 : nsiproxy!NsippDispatch+0x61
    ffffd000`24838800 fffff802`496b0526 : 000000d2`f02fcdb8 ffffd000`24838b80 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x71d
    ffffd000`24838a20 fffff802`493ccb63 : ffffe001`efc76040 000000d2`f02fcd98 ffffd000`24838aa8 000000d2`efec1040 : nt!NtDeviceIoControlFile+0x56
    ffffd000`24838a90 00007ffb`7c8d356a : 00007ffb`7a471ab2 000000d2`ed5ed3d0 000000d2`f02fcf50 00000000`00000258 : nt!KiSystemServiceCopyEnd+0x13
    000000d2`f02fce48 00007ffb`7a471ab2 : 000000d2`ed5ed3d0 000000d2`f02fcf50 00000000`00000258 00000000`0000063c : ntdll!NtDeviceIoControlFile+0xa
    000000d2`f02fce50 00007ffb`768a43b8 : 00000000`00000001 00007ffb`768c8a98 00000000`00000000 000000d2`f02fd0a0 : NSI!NsiAllocateAndGetTable+0x2a2
    000000d2`f02fd010 00007ffb`68d99bdc : 00000000`00000000 00000000`00009002 0000d201`582efa1a 00000000`00000000 : IPHLPAPI!InternalGetIfTable2Ex+0xb8
    000000d2`f02fd130 00007ffb`68d98f43 : 00000000`00000000 000000d2`f02fd280 00007ffb`68e2c1a8 00000000`80070426 : Windows_Networking_Connectivity!EnumerateEthernetAndTunnelInterfaces+0x5c [d:\th\net\netprofiles\winrt\networkinformation\lib\util.cpp @ 566]
    000000d2`f02fd180 00007ffb`68d98b55 : 000000d2`f02fd928 00000000`00000000 000000d2`f02fde40 00007ffb`68d98a20 : Windows_Networking_Connectivity!Windows::Networking::Connectivity::NetworkInformationPrivateServer::CreateConnectedProfile+0x343 [d:\th\net\netprofiles\winrt\networkinformation\lib\networkinformationprivateserver.cpp @ 576]
    000000d2`f02fd8c0 00007ffb`7a4fb0b3 : 00000000`00000002 000000d2`ed5faa40 000000d2`f02fd980 000000d2`f02fde40 : Windows_Networking_Connectivity!Windows::Networking::Connectivity::NetworkInformationPrivateServer::GetInternetConnectionProfile+0x135 [d:\th\net\netprofiles\winrt\networkinformation\lib\networkinformationprivateserver.cpp @ 316]
    000000d2`f02fd970 00007ffb`7a55d903 : 00000000`00000000 000000d2`f02fe130 000000d2`ed527a10 00007ffb`68e10090 : RPCRT4!Invoke+0x73
    000000d2`f02fd9c0 00007ffb`7a4eaa8d : 00000000`00000000 000000d2`f02fe300 00000000`00000000 000000d2`f01f68f0 : RPCRT4!Ndr64StubWorker+0xbe3
    000000d2`f02fe080 00007ffb`7a8c4b4c : 00000000`00000000 000000d2`f02fe2a0 00007ffb`68e10680 00007ffb`79d3fd3e : RPCRT4!NdrStubCall3+0xbd
    000000d2`f02fe0f0 00007ffb`7a976a82 : 000000d2`00000001 000000d2`ed57d510 000000d2`ed527a10 00000000`00000000 : combase!CStdStubBuffer_Invoke+0xcc [d:\th\com\combase\ndr\ndrole\stub.cxx @ 1529]
    000000d2`f02fe130 00007ffb`7a9209d5 : 00000000`00000000 000000d2`f02fe2b0 000000d2`f02fe218 00007ffb`7a96f960 : combase!ObjectMethodExceptionHandlingAction<<lambda_b8ffcec6d47a5635f374132234a8dd15> >+0x62 [d:\th\com\combase\dcomrem\excepn.hxx @ 91]
    000000d2`f02fe1a0 00007ffb`7a90fb5e : 00007ffb`68d9f860 000000d2`f02fe530 000000d2`ed57d510 00007ffb`68df4228 : combase!DefaultStubInvoke+0x235 [d:\th\com\combase\dcomrem\channelb.cxx @ 1808]
    000000d2`f02fe3c0 00007ffb`7a911a60 : 00000000`00000000 00000000`00000000 00000000`00000000 000000d2`ed5f3e50 : combase!ServerCall::ContextInvoke+0x46e [d:\th\com\combase\dcomrem\ctxchnl.cxx @ 1548]
    000000d2`f02fe690 00007ffb`7a91444f : 000000d2`efe49ae0 000000d2`efe49ae0 000000d2`ed580c70 00006684`7f564c1f : combase!AppInvoke+0x350 [d:\th\com\combase\dcomrem\channelb.cxx @ 1546]
    000000d2`f02fe840 00007ffb`7a913584 : 000000d2`ed580e18 000000d2`ed580c70 000000d2`ed580c70 000000d2`efea8b30 : combase!ComInvokeWithLockAndIPID+0x54f [d:\th\com\combase\dcomrem\channelb.cxx @ 2614]
    000000d2`f02fead0 00007ffb`7a494e93 : 000000d2`ed816540 00000000`00000000 00007ffb`7a912780 00007ffb`7a912780 : combase!ThreadInvoke+0xe04 [d:\th\com\combase\dcomrem\channelb.cxx @ 6854]
    000000d2`f02fed40 00007ffb`7a493b1a : 00007ffb`7aa79700 000000d2`f02fefa0 000000d2`f02fefa0 000000d2`efea89e0 : RPCRT4!DispatchToStubInCNoAvrf+0x33
    000000d2`f02fed90 00007ffb`7a494920 : 000000d2`ed56f6c0 000000d2`efea8b30 00000000`00000000 000000d2`ed56f6c0 : RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x29a
    000000d2`f02feea0 00007ffb`7a4a9e68 : 000000d2`ed56f6c0 00007ffb`7a493002 000000d2`efeb7ae0 00000000`00000000 : RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x160
    000000d2`f02fef40 00007ffb`7a4aa91f : 00000000`000e4735 00007ffb`7a4a8b90 00000000`00000000 000000d2`efe40cf0 : RPCRT4!LRPC_SCALL::DispatchRequest+0x288
    000000d2`f02ff020 00007ffb`7a4d8063 : 000000d2`00000000 000000d2`efe96770 000000d2`efea89e0 00000000`00000000 : RPCRT4!LRPC_SCALL::HandleRequest+0x8df
    000000d2`f02ff110 00007ffb`7a4d68d9 : 000000d2`ed520a70 000000d2`efe96770 000000d2`ed520a70 000000d2`ed520a70 : RPCRT4!LRPC_SASSOCIATION::HandleRequest+0x1e3
    000000d2`f02ff190 00007ffb`7a4e6ca2 : 00000000`00000000 000000d2`ed520b78 00007ffb`7c87aad0 00007ffb`7a574ea4 : RPCRT4!LRPC_ADDRESS::ProcessIO+0xb29
    000000d2`f02ff2e0 00007ffb`7c87b8d9 : 000000d2`00000000 000000d2`f016f6a0 00007ffb`7a4e6bf0 00007ffb`79c70000 : RPCRT4!LrpcIoComplete+0xb2
    000000d2`f02ff380 00007ffb`7c87992e : 00000000`00000006 00007ffb`7c87b600 000000d2`f015a220 00000000`00000000 : ntdll!TppAlpcpExecuteCallback+0x239
    000000d2`f02ff430 00007ffb`7a3d2d92 : 00000000`00000000 00007ffb`7c879040 000000d2`ed504e80 00000000`00000000 : ntdll!TppWorkerThread+0x8ee
    000000d2`f02ff830 00007ffb`7c849f64 : 00007ffb`7a3d2d70 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
    000000d2`f02ff860 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34

    FAULTING_IP:
    NdisImPlatform!implatTeamQueryObject+196
    fffff800`a1b13906 4183b8c800000003 cmp     dword ptr [r8+0C8h],3

    CONTEXT:  ffffd00024837840 -- (.cxr 0xffffd00024837840)
    rax=0000000000000008 rbx=f5ef2010ffffe001 rcx=0000000000000000
    rdx=0000000000000000 rsi=ffffe001f5ef78f0 rdi=ffffe001f04786d0
    rip=fffff800a1b13906 rsp=ffffd00024838260 rbp=0000000000000000
     r8=f5ef2010ffffdff1  r9=ffffe001f04787a0 r10=00001ffe0fb87e70
    r11=0000000000000008 r12=0000000000000001 r13=ffffe001f04786d0
    r14=ffffe001f5ef79f0 r15=0000000000000000
    iopl=0         nv up ei ng nz na po cy
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010287
    NdisImPlatform!implatTeamQueryObject+0x196:
    fffff800`a1b13906 4183b8c800000003 cmp     dword ptr [r8+0C8h],3 ds:002b:f5ef2010`ffffe0b9=????????


    fffff800`a1b138f7 498d5810        lea     rbx,[r8+10h]
    fffff800`a1b138fb 493bde          cmp     rbx,r14
    fffff800`a1b138fe 7469            je      NdisImPlatform!implatTeamQueryObject+0x1f9 (fffff800`a1b13969)
    fffff800`a1b13900 8b0502490100    mov     eax,dword ptr [NdisImPlatform!Global+0xa8 (fffff800`a1b28208)]
    fffff800`a1b13906 4183b8c800000003 cmp     dword ptr [r8+0C8h],3        << faulting instruction
    fffff800`a1b1390e 7c49            jl      NdisImPlatform!implatTeamQueryObject+0x1e9 (fffff800`a1b13959)
    fffff800`a1b13910 448bda          mov     r11d,edx
    fffff800`a1b13913 85c0            test    eax,eax
    fffff800`a1b13915 7442            je      NdisImPlatform!implatTeamQueryObject+0x1e9 (fffff800`a1b13959)
    fffff800`a1b13917 418bc3          mov     eax,r11d
    fffff800`a1b1391a 4c8d4f40        lea     r9,[rdi+40h]




    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff80030fd3939, Address of the instruction which caused the bugcheck
    Arg3: ffffd001a28f5840, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.


    STACK_TEXT:
    ffffd001`a28f6260 fffff800`2f34804c : 00000000`000000d8 00000000`00000300 00000000`000000d8 00000000`00000000 : NdisImPlatform!implatTeamQueryObject+0x1c9
    ffffd001`a28f62a0 fffff800`2f2b45b5 : ffffe001`14a60010 00000000`00000000 ffffd001`a28f6360 00060080`000000d8 : ndis!ndisNsiGetInterfaceRodInformation+0x1ac
    ffffd001`a28f6330 fffff800`2f3f9b9e : ffffd001`a28f6490 ffffe001`14d9fa20 ffffe001`16ae3000 00000000`00000000 : ndis!ndisNsiGetAllInterfaceInformation+0x445
    ffffd001`a28f63f0 fffff800`302921b1 : ffffe001`16ae3000 ffffe001`00000070 00000000`00000000 00000000`00000070 : NETIO!NsiEnumerateObjectsAllParametersEx+0x5fe
    ffffd001`a28f65d0 fffff800`30291e21 : 00000000`00000000 ffffe001`11d249b0 ffffe001`11d248e0 00000000`00000000 : nsiproxy!NsippEnumerateObjectsAllParameters+0x201
    ffffd001`a28f67c0 fffff802`09eb8c4d : 00000000`00000000 ffffe001`11d248e0 ffffe001`11d248e0 fffff580`10804000 : nsiproxy!NsippDispatch+0x61
    ffffd001`a28f6800 fffff802`09eb8526 : 00000035`5baff2d8 ffffd001`a28f6b80 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x71d
    ffffd001`a28f6a20 fffff802`09bd4b63 : ffffe001`11d10080 00000035`5baff2b8 ffffd001`a28f6aa8 00000035`5906f1b0 : nt!NtDeviceIoControlFile+0x56
    ffffd001`a28f6a90 00007ffb`ca6b356a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000035`5baff368 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`ca6b356a



    CONTEXT (registers at the fault):
    rax=000300000000ffff rbx=ffffe00115e55b76 rcx=0000000000000040
    rdx=0000000000000000 rsi=ffffe00115e55a80 rdi=ffffe00116ae4248
    rip=fffff80030fd3939 rsp=ffffd001a28f6260 rbp=0000000000000012
     r8=ffffe00115e55b66  r9=ffffe00116ae4288 r10=00001ffee951bdb8
    r11=0000000000000000 r12=0000000000000001 r13=ffffe00116ae4248
    r14=ffffe00115e55b80 r15=0000000000000000
    iopl=0         nv up ei pl nz ac po cy
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010217
    NdisImPlatform!implatTeamQueryObject+0x1c9:
    fffff800`30fd3939 488b4c01d0      mov     rcx,qword ptr [rcx+rax-30h] ds:002b:00030000`0001000f=????????????????

    Function disassembly around the faulting instruction:

    NdisImPlatform!implatTeamQueryObject+0x1be:
    fffff800`30fd392e 498b8000010000  mov     rax,qword ptr [r8+100h]
    fffff800`30fd3935 4b8d0c0a        lea     rcx,[r10+r9]
    fffff800`30fd3939 488b4c01d0      mov     rcx,qword ptr [rcx+rax-30h] << faulting instruction
    fffff800`30fd393e 490109          add     qword ptr [r9],rcx
    fffff800`30fd3941 4d8d4908        lea     r9,[r9+8]
    fffff800`30fd3945 4883ed01        sub     rbp,1
    fffff800`30fd3949 75e3            jne     NdisImPlatform!implatTeamQueryObject+0x1be (fffff800`30fd392e)

    Thursday, February 11, 2016 1:54 PM
