Crashing ndislwf: my fault or pacer.sys's fault?

(Yeah I know it’s probably mine, but I’m at a dead end…)

There is a previous thread about this:
http://www.osronline.com/showthread.cfm?link=210582
But I’m pretty sure that my driver is already doing the correct thing of not calling NdisFSendNetBufferListsComplete() on anything that’s mine, which it was implied that person wasn’t doing.

Here’s my !analyze -v output:

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8c2ec748, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000000

CURRENT_IRQL: 2

FAULTING_IP:
ndis!ndisMSendCompleteNetBufferListsInternal+b9
8c2ec748 8938 mov dword ptr [eax],edi

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: System

TRAP_FRAME: 82970a4c -- (.trap 0xffffffff82970a4c)
ErrCode = 00000002
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=853850e0 edi=85533580
eip=8c2ec748 esp=82970ac0 ebp=82970af8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
ndis!ndisMSendCompleteNetBufferListsInternal+0xb9:
8c2ec748 8938 mov dword ptr [eax],edi ds:0023:00000000=???
Resetting default scope

LAST_CONTROL_TRANSFER: from 82926fc5 to 828b54b4

STACK_TEXT:
82970614 82926fc5 00000003 1594df74 00000065 nt!RtlpBreakWithStatusInstruction
82970664 82927ac1 00000003 00000000 8c2ec748 nt!KiBugCheckDebugBreak+0x1c
82970a2c 8289085b 0000000a 00000000 00000002 nt!KeBugCheck2+0x68b
82970a2c 8c2ec748 0000000a 00000000 00000002 nt!KiTrap0E+0x2cf
82970af8 8c2885e2 85533580 85519318 00000001 ndis!ndisMSendCompleteNetBufferListsInternal+0xb9
82970b0c 9132b848 86980b38 85519318 00000001 ndis!NdisFSendNetBufferListsComplete+0x3a
82970b30 8c2885e2 869807b8 85519318 00000001 pacer!PcFilterSendNetBufferListsComplete+0xb4
82970b44 91360892 8697e7c8 85519318 00000001 ndis!NdisFSendNetBufferListsComplete+0x3a
82970b68 8c2ecf0a 8697a738 85519318 00000001 ndislwf!FilterSendNetBufferListsComplete+0x102 [c:\ndislwf-test\filter.c @ 1229]
82970b8c 93bb503c 853850e0 85519318 00000001 ndis!NdisMSendNetBufferListsComplete+0xa4
82970bb8 93bb2858 865fa000 00000000 82970be4 e1y6032!ProcessTransmitInterrupts+0x1ac
82970be8 93bb2aaf 005fa000 853850e0 82970c10 e1y6032!E1000HandleInterrupt+0x188
82970bf8 93bb2b4a 865fa000 00000000 82970c40 e1y6032!E1000HandleInterruptEx+0xf
82970c10 8c2da301 865fa000 00000000 00000000 e1y6032!E1000MessageInterruptDPC+0x1a
82970c50 8c2859f4 864502b4 004501a0 00000000 ndis!ndisMiniportDpc+0xda
82970c78 828b24f5 864502b4 864501a0 00000000 ndis!ndisInterruptDpc+0xaf
82970cd4 828b2358 82973d20 8297d280 00000000 nt!KiExecuteAllDpcs+0xf9
82970d20 828b2178 00000000 0000000e 00000000 nt!KiRetireDpcList+0xd5
82970d24 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x38

STACK_COMMAND: kb

FOLLOWUP_IP:
pacer!PcFilterSendNetBufferListsComplete+b4
9132b848 5b pop ebx

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: pacer!PcFilterSendNetBufferListsComplete+b4

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: pacer

IMAGE_NAME: pacer.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc916

FAILURE_BUCKET_ID: 0xD1_pacer!PcFilterSendNetBufferListsComplete+b4

BUCKET_ID: 0xD1_pacer!PcFilterSendNetBufferListsComplete+b4

Followup: MachineOwner

And here’s what my code at c:\ndislwf-test\filter.c looks like (I’m pretty sure it’s basically the default sample code):

VOID
FilterSendNetBufferListsComplete(
    IN NDIS_HANDLE       FilterModuleContext,
    IN PNET_BUFFER_LIST  NetBufferLists,
    IN ULONG             SendCompleteFlags
    )
/*++

Routine Description:

    SendNetBufferListComplete

Arguments:

    FilterModuleContext - the MS_FILTER context for this filter instance
    NetBufferLists      - chain of completed NBLs (may contain more than one)
    SendCompleteFlags   - send-complete flags, e.g. dispatch-level indication

Return Value:

    NONE

--*/
{
    PMS_FILTER        pFilter = (PMS_FILTER)FilterModuleContext;
    ULONG             NumOfSendCompletes = 0;
    BOOLEAN           DispatchLevel;
    PNET_BUFFER_LIST  CurrNbl;

    DEBUGP(DL_TRACE, ("===>SendNBLComplete, NetBufferList: %p.\n", NetBufferLists));

    //
    // If necessary, undo any modifications to the NetBufferList that were
    // performed "on the way down".
    //
    if (pFilter->TrackSends)
    {
        // Count every NBL in the completed chain, not just the head.
        CurrNbl = NetBufferLists;
        while (CurrNbl)
        {
            NumOfSendCompletes++;
            CurrNbl = NET_BUFFER_LIST_NEXT_NBL(CurrNbl);
        }
        DispatchLevel = NDIS_TEST_SEND_AT_DISPATCH_LEVEL(SendCompleteFlags);
        FILTER_ACQUIRE_LOCK(&pFilter->Lock, DispatchLevel);
        pFilter->OutstandingSends -= NumOfSendCompletes;
        FILTER_LOG_SEND_REF(2, pFilter, PrevNbl, pFilter->OutstandingSends);   // sample tracing macro
        FILTER_RELEASE_LOCK(&pFilter->Lock, DispatchLevel);
    }

    // Don't call NdisFSendNetBufferListsComplete for our own packets, just free them.
    // Note: only the head NBL's pool handle is examined here; the whole chain is
    // then either completed upward or freed on the strength of that one test.
    if (NetBufferLists->NdisPoolHandle != gNblPoolHandle)
    {
        NdisFSendNetBufferListsComplete(pFilter->FilterHandle, NetBufferLists, SendCompleteFlags);
    }
    else
    {
        NdisFreeNetBufferList(NetBufferLists);
    }
    DEBUGP(DL_TRACE, ("<===SendNBLComplete.\n"));
}

So the point is that I don’t ever call NdisFSendNetBufferListsComplete() on anything that’s not from my pool (gNblPoolHandle). This is only very sporadically occurring, it’s not every time, so I’m not clear who is at fault.

Thanks for your help

Justin
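Added example (not code from this thread, the ndislwf sample or the WDK): the handler above decides for a whole completion chain by looking at the pool handle of the first NBL only. A chain that mixes filter-private NBLs with NBLs that came from above is then classified entirely by its head, so either private NBLs get completed up to a layer that never issued them, or upper-layer NBLs get freed instead of completed (and NdisFreeNetBufferList frees one NBL, not a chain). The code below shows the per-NBL split a filter needs before it completes anything: walk the chain once, re-link each NBL onto an "own" or a "foreign" chain, and only hand a non-empty foreign chain upward. The NBL struct, the pool handles, the static node storage and every helper name here are stand-ins so the logic runs in user mode; `Next` and `PoolHandle` model NET_BUFFER_LIST_NEXT_NBL() and NdisPoolHandle respectively, and the constructed chains in main() are sample input.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for NET_BUFFER_LIST: only the two fields the split needs. */
typedef struct _NBL {
    struct _NBL *Next;        /* models NET_BUFFER_LIST_NEXT_NBL(nbl) */
    void        *PoolHandle;  /* models nbl->NdisPoolHandle */
    int          Id;          /* constructed tag, used only to check results */
} NBL;

/* Two distinct pool "handles"; only their addresses matter. */
static int g_own_pool;      /* stands in for gNblPoolHandle */
static int g_foreign_pool;  /* stands in for a pool owned by an upper layer */

typedef struct {
    NBL   *own;            /* allocated by this filter: free locally */
    NBL   *foreign;        /* came from above: complete upward */
    size_t own_count;
    size_t foreign_count;
} SplitResult;

/* Walk the completed chain once and re-link every NBL onto exactly one of
 * two chains, keeping the original relative order within each. */
SplitResult split_completed_chain(NBL *chain, const void *own_pool)
{
    SplitResult r = { NULL, NULL, 0, 0 };
    NBL **own_tail = &r.own;
    NBL **foreign_tail = &r.foreign;

    while (chain != NULL) {
        NBL *next = chain->Next;
        chain->Next = NULL;               /* detach before re-linking */
        if (chain->PoolHandle == own_pool) {
            *own_tail = chain;
            own_tail = &chain->Next;
            r.own_count++;
        } else {
            *foreign_tail = chain;
            foreign_tail = &chain->Next;
            r.foreign_count++;
        }
        chain = next;
    }
    return r;
}

/* What a head-only test decides for a whole chain: it inspects the first
 * NBL and then treats every NBL in the chain the same way. */
int head_only_would_complete_up(const NBL *chain, const void *own_pool)
{
    return chain != NULL && chain->PoolHandle != own_pool;
}

/* True if any NBL in the chain was allocated by this filter. */
int chain_contains_own(const NBL *chain, const void *own_pool)
{
    for (; chain != NULL; chain = chain->Next)
        if (chain->PoolHandle == own_pool)
            return 1;
    return 0;
}

/* Build a constructed chain from a pattern: 1 = own pool, 0 = foreign pool.
 * Static storage, so no allocator is needed. */
#define MAX_NBLS 16
static NBL g_nodes[MAX_NBLS];

NBL *make_chain(const int *own_pattern, size_t n)
{
    NBL *head = NULL, **tail = &head;
    for (size_t i = 0; i < n && i < MAX_NBLS; i++) {
        g_nodes[i].Next = NULL;
        g_nodes[i].PoolHandle = own_pattern[i] ? (void *)&g_own_pool
                                               : (void *)&g_foreign_pool;
        g_nodes[i].Id = (int)i + 1;
        *tail = &g_nodes[i];
        tail = &g_nodes[i].Next;
    }
    return head;
}

/* Copy the Ids of a chain into out[]; returns how many were written. */
size_t chain_ids(const NBL *chain, int *out, size_t cap)
{
    size_t n = 0;
    for (; chain != NULL && n < cap; chain = chain->Next)
        out[n++] = chain->Id;
    return n;
}

int main(void)
{
    /* Constructed mixed completion: foreign, own, foreign, own. */
    const int pattern[] = { 0, 1, 0, 1 };
    NBL *chain = make_chain(pattern, 4);

    printf("head-only check would complete the whole chain up: %d\n",
           head_only_would_complete_up(chain, &g_own_pool));
    SplitResult r = split_completed_chain(chain, &g_own_pool);
    printf("own=%zu foreign=%zu\n", r.own_count, r.foreign_count);
    /* In a driver: complete r.foreign upward only if it is non-NULL, and free
     * each NBL on r.own individually. */
    return 0;
}
```

In the driver the two chains map onto the sample's two calls: `r.foreign` is what goes to NdisFSendNetBufferListsComplete (skipped when empty, as the sample's own comment warns), and each NBL on `r.own` is freed separately. Splitting per NBL also keeps the OutstandingSends bookkeeping honest, since the count loop already walks the whole chain.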

What I see here is a NULL pointer dereference. It is also happening at DPC level, but that’s a minor detail.

Did you check the parameters you are passing to make sure that some critical parameter is not NULL? If nothing else, sprinkle some ASSERT statements around asserting that things which shouldn’t be NULL are, in fact, non-NULL. If it isn’t in your parameters, then you could be passing a reference to a structure which is in some unexpected, and hence invalid, state. Showing the relevant source from your driver might be useful.

Also, make sure you are not passing an uninitialized pointer in.

These are my usual first thoughts when I see these kinds of errors.
joe

NTDEV is sponsored by OSR
