Can't load _NET_BUFFER_LIST from .pdb files

Hi all,

I am facing an issue when I remote debug an application. I load the correct .pdb files and symbol path.

*****************my symbol path setting using Windbg ******************

kd> !sym noisy
noisy mode - symbol prompts on

kd> .sympath D:\Windows7_x86_64_kmod_release;SRV*c:\symbol*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: d:\windows7_x86_64_kmod_release;srv*c:\symbol*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: d:\windows7_x86_64_kmod_release;srv*c:\symbol*http://msdl.microsoft.com/download/symbols
Symbol search path is: D:\Windows7_x86_64_kmod_release;SRV*c:\symbol*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: d:\windows7_x86_64_kmod_release;srv*c:\symbol*http://msdl.microsoft.com/download/symbols

************* Symbol Path validation summary **************
Response Time (ms) Location
OK D:\Windows7_x86_64_kmod_release\
Deferred SRV*c:\symbol*http://msdl.microsoft.com/download/symbols

***************************************************

and after that

kd> .reload

i checked the symbol file checking using .sympath

kd> .sympath
Symbol search path is: D:\Windows7_x86_64_kmod_release;SRV*c:\symbol*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: d:\windows7_x86_64_kmod_release;srv*c:\symbol*http://msdl.microsoft.com/download/symbols

************* Symbol Path validation summary **************
Response Time (ms) Location
OK D:\Windows7_x86_64_kmod_release\
Deferred SRV*c:\symbol*http://msdl.microsoft.com/download/symbols

After that I want to get NET_BUFFER_LIST from VM Player, so I did Ctrl+Break to stop the VM.

I tried:


kd> dt _NET_BUFFER_LIST
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: _NET_BUFFER_LIST ***
*** ***
*************************************************************************
Symbol _NET_BUFFER_LIST not found.


But it works fine when I run:

kd> dt ndis!_NET_BUFFER_LIST

kd> dt _NET_BUFFER_LIST
ndis!_NET_BUFFER_LIST
+0x000 Next : Ptr64 _NET_BUFFER_LIST
+0x008 FirstNetBuffer : Ptr64 _NET_BUFFER
+0x000 Link : _SLIST_HEADER
+0x010 Context : Ptr64 _NET_BUFFER_LIST_CONTEXT
+0x018 ParentNetBufferList : Ptr64 _NET_BUFFER_LIST
+0x020 NdisPoolHandle : Ptr64 Void
+0x030 NdisReserved : [2] Ptr64 Void
+0x040 ProtocolReserved : [4] Ptr64 Void
+0x060 MiniportReserved : [2] Ptr64 Void
+0x070 Scratch : Ptr64 Void
+0x078 SourceHandle : Ptr64 Void
+0x080 NblFlags : Uint4B
+0x084 ChildRefCount : Int4B
+0x088 Flags : Uint4B
+0x08c Status : Int4B
+0x090 NetBufferListInfo : [19] Ptr64 Void

kd> dt NET_BUFFER_LIST_NEXT_NBL

Not working.

My code contains a function like:

****************

VOID CMiniport::SendNetBufferLists(
    __in PNET_BUFFER_LIST NetBufferLists,
    __in NDIS_PORT_NUMBER /* PortNumber */,
    __in ULONG SendFlags
) {
#if defined(PacketTracingDebugOutput)
    DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_TRACE_LEVEL, ">>> CMiniport::SendNetBufferLists():\n");
#endif /* PacketTracingDebugOutput */

    PNET_BUFFER_LIST pNetBufferList = NetBufferLists;
    PNET_BUFFER_LIST pNextNetBufferList = NULL;
    while (pNetBufferList) {
        pNextNetBufferList = NET_BUFFER_LIST_NEXT_NBL(pNetBufferList);

        m_ul64XmitOk ++;

        NET_BUFFER_LIST_STATUS(pNetBufferList) = m_ulPausedState ? NDIS_STATUS_PAUSED : NDIS_STATUS_SUCCESS;
        NdisMSendNetBufferListsComplete(m_hAdapter, pNetBufferList, SendFlags);

        pNetBufferList = pNextNetBufferList;
    }

#if defined(PacketTracingDebugOutput)
    DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_TRACE_LEVEL, "<<< CMiniport::SendNetBufferLists(): exited\n");
#endif /* PacketTracingDebugOutput */
}

*****************************

I need to check NET_BUFFER_LIST,

so I did

kd> dt NET_BUFFER_LIST PNetBufferList
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: NET_BUFFER_LIST ***
*** ***
*************************************************************************
Symbol NET_BUFFER_LIST not found.

Why is my private symbol not loading? Or is there any command to identify NET_BUFFER_LIST?

I want to see pNetBufferList from my code.

Thanks & regards

I also checked

kd>dt _NET_BUFFER_LIST PnetBufferList

ndis!_NET_BUFFER_LIST
cannot find specified field members .

xxxxx@gmail.com wrote:

> Hi all,
>
> I am facing an issue when I remote debug an application. I load the correct .pdb files and symbol path.
>
> kd> .sympath
> Symbol search path is: D:\Windows7_x86_64_kmod_release;SRV*c:\symbol*http://msdl.microsoft.com/download/symbols
> Expanded Symbol search path is: d:\windows7_x86_64_kmod_release;srv*c:\symbol*http://msdl.microsoft.com/download/symbols

And did you remember to copy your PDB files to
D:\Windows7_x86_64_kmod_release ? Actually, the fact that it finds your
source code suggests that you did.

> My code contains a function like:
>
> ****************
>
> VOID CMiniport::SendNetBufferLists(
>     __in PNET_BUFFER_LIST NetBufferLists,
>     __in NDIS_PORT_NUMBER /* PortNumber */,
>     __in ULONG SendFlags
> ) {
> #if defined(PacketTracingDebugOutput)
>     DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_TRACE_LEVEL, ">>> CMiniport::SendNetBufferLists():\n");
> #endif /* PacketTracingDebugOutput */
>
>     PNET_BUFFER_LIST pNetBufferList = NetBufferLists;
>     PNET_BUFFER_LIST pNextNetBufferList = NULL;
>     while (pNetBufferList) {
>
> *****************************
>
> I need to check NET_BUFFER_LIST,
>
> so I did
>
> kd> dt NET_BUFFER_LIST PNetBufferList

And can you see that PNetBufferList is not the same as pNetBufferList?

> I also checked
>
> kd>dt _NET_BUFFER_LIST PnetBufferList
>
> ndis!_NET_BUFFER_LIST
> cannot find specified field members .

Right, because PnetBufferList is STILL not the same as pNetBufferList.
How could you not have seen that?

> Why is my private symbol not loading? Or is there any command to identify NET_BUFFER_LIST?
>
> I want to see pNetBufferList from my code.

Then that’s what you have to type.

There’s one more important thing you may be missing. Your
pNetBufferList variable is on the stack. That variable only exists if
the debugger is currently stopped inside CMiniPort::SendNetBufferLists.
You can’t just use Ctrl-Break and try to look at that variable, because
unless your function is running, there is no such variable. This is why
you need to set breakpoints, and step past the line where the value is
copied.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

pnet != PNet, but if you want to use pnet or PNET or pNeT or pneT, use -y

like dt ndis!_NET->tablcomplete -y PnEt [address]

also reload ndis with .reload /f ndis

ndis!_NETxxx i == YOURDRV!_NETxxx so you can use either


Thanks for your reply.

I copied all the pdb files to D:\Windows7_x86_64_kmod_release. Why are these .pdb files not loading when I call dt _NET_BUFFER_LIST? So should I put a Dbgbreakpoint() function inside VOID CMiniport::SendNetBufferLists() to access this pNetBufferlist value?

Hi raj, thanks for your suggestions. I have my own drivers. One is MYVNET.sys and the other is MYMUX.sys.

kd> MYMUX !_NET_BUFFER_LIST So should I use it like this to obtain the net buffer list?

xxxxx@gmail.com wrote:

> So should I put a Dbgbreakpoint() function inside VOID CMiniport::SendNetBufferLists() to access this pNetBufferlist value?

You don’t need to modify the code. Once your system is running, break
in with Ctrl-Break and type
bp CMiniport::SendNetBufferLists

You may need to qualify it with the driver name the first time:
bp MYMUX!CMiniport::SendNetBufferLists

I’m really astonished that we’re still talking about this a week later.
Have you never done debugging of a user-mode application?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

OK, thanks again for your quick reply. Yeah, I noticed that question. At that time, I was worrying about the symbols and pdb files. I have another doubt: if I get a BSOD at remote debugging time, can I verify the values inside NET_BUFFER_LIST? Because I am trying to reproduce the crash and check the NET_BUFFER_LIST values now.

xxxxx@gmail.com wrote:

> OK, thanks again for your quick reply. Yeah, I noticed that question. At that time, I was worrying about the symbols and pdb files. I have another doubt: if I get a BSOD at remote debugging time, can I verify the values inside NET_BUFFER_LIST? Because I am trying to reproduce the crash and check the NET_BUFFER_LIST values now.

Can’t you figure this out for yourself? If it crashes inside your
function, then clearly you can examine the variables in your function.
If it crashes in some other location, then your variables do not exist.

This is why I suggested a week or two ago that you start debug printing
your buffer list addresses, so you at least have numbers to look at when
it crashes.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Tim Roberts wrote:

> I’m really astonished that we’re still talking about this a week later.

Really? You are? I’m not.

Now I again got a symbol path error when I open WinDbg, like:

Error: Attempts to access ‘D:\v4.5.0.002_Win10\build\output\Windows7_x86_64_kmod_release’ failed: 0x3 - The system cannot find the path specified.

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Error D:\v4.5.0.002_Win10\build\output\Windows7_x86_64_kmod_release
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols;D:\v4.5.0.002_Win10\build\output\Windows7_x86_64_kmod_release
Executable search path is:

***************************

What is happening here?

My pdb files are inside this location. I verified it correctly. But the debugger shows this. Why?

It works when I change D:\ to C:\

But after that, when I set a breakpoint for the function, I got this error:

kd> bp nsmuxtun!CFilter::SendNetBufferLists
Couldn’t resolve error at ‘nsmuxtun!CFilter::SendNetBufferLists’

So I tried again like:

kd> bu CFilter::SendNetBufferLists
*** Bp expression ‘CFilter::SendNetBufferLists’ contains symbols not qualified with module name.

After !sym noisy:

kd> !sym noisy
noisy mode - symbol prompts on

kd> .sympath
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols;C:\Users\Windows7_x86_64_kmod_release\
Expanded Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols;c:\users\windows7_x86_64_kmod_release\

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*c:\symbols*http://msdl.microsoft.com/download/symbols
OK

So the path is OK now. But after that:

kd> .reload /f nsmuxtun.sys

SYMSRV: c:\symbols\nsmuxtun.pdb\DF7F3584E5F54918821143A443775F3F1\nsmuxtun.pdb not found

SYMSRV: http://msdl.microsoft.com/download/symbols/nsmuxtun.pdb/DF7F3584E5F54918821143A443775F3F1/nsmuxtun.pdb not found

DBGHELP: c:\users\windows7_x86_64_kmod_release\nsmuxtun.pdb - mismatched pdb

DBGHELP: c:\users\windows7_x86_64_kmod_release\sys\nsmuxtun.pdb - file not found
DBGHELP: c:\users\windows7_x86_64_kmod_release\symbols\sys\nsmuxtun.pdb - file not found

DBGHELP: C:\Users\build\output\Windows7_x86_64_kmod_release\nsmuxtun.pdb - file not found

DBGHELP: Couldn’t load mismatched pdb for nsmuxtun.sys
*** ERROR: Module load completed but symbols could not be loaded for nsmuxtun.sys
DBGHELP: nsmuxtun - no symbols loaded
*** Unable to resolve unqualified symbol in Bp expression ‘CFilter::SendNetBufferLists’.
*** Unable to resolve unqualified symbol in Bp expression ‘CFilter::SendNetBufferLists’.

************* Symbol Loading Error Summary **************
Module name Error
nsmuxtun The system cannot find the file specified : srv*c:\symbols*http://msdl.microsoft.com/download/symbols
The SYMSRV client failed to find a file in the UNC store, or there
is an invalid UNC store (an invalid path or the pingme.txt file is
not present in the root directory), or the file is present in the
symbol server exclusion list.

PDB not found : c:\users\windows7_x86_64_kmod_release\symbols\sys\nsmuxtun.pdb
Unable to locate the .pdb file in this location

On Feb 5, 2016, at 11:56 PM, xxxxx@gmail.com wrote:

> But after that, when I set a breakpoint for the function, I got this error:
>
> kd> bp nsmuxtun!CFilter::SendNetBufferLists
> Couldn’t resolve error at 'nsmuxtun!CFilter::SendNetBufferLists’
>
> kd> .reload /f nsmuxtun.sys
>
> DBGHELP: c:\users\windows7_x86_64_kmod_release\nsmuxtun.pdb - mismatched pdb
> DBGHELP: c:\users\windows7_x86_64_kmod_release\sys\nsmuxtun.pdb - file not found
> DBGHELP: c:\users\windows7_x86_64_kmod_release\symbols\sys\nsmuxtun.pdb - file not found
> DBGHELP: C:\Users\build\output\Windows7_x86_64_kmod_release\nsmuxtun.pdb - file not found
>
> DBGHELP: Couldn’t load mismatched pdb for nsmuxtun.sys

The error message seems pretty clear. The PDB in your symbol directory doesn’t match the SYS file you are running. Remember that the PDB file must be from the exact same build that produced your SYS. If you do another build, you have to copy the PDB again.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Yeah. I added the latest pdb files to this path now. So bp is not working, but the bu command is working:

kd>bu nsmuxtun!CFilter::SendNetBufferLists

But after that I want to get pNetBufferList:

kd>dt nsmuxtun!_NET_BUFFER_LIST pNetBufferList
cannot find specified field membere

Why can't the debugger find this value?

when i type

kd>dt ndis!_NET_BUFFER_LIST

+0x000 Next : Ptr64 _NET_BUFFER_LIST
+0x008 FirstNetBuffer : Ptr64 _NET_BUFFER
+0x000 Link : _SLIST_HEADER
+0x010 Context : Ptr64 _NET_BUFFER_LIST_CONTEXT
+0x018 ParentNetBufferList : Ptr64 _NET_BUFFER_LIST
+0x020 NdisPoolHandle : Ptr64 Void
+0x030 NdisReserved : [2] Ptr64 Void
+0x040 ProtocolReserved : [4] Ptr64 Void
+0x060 MiniportReserved : [2] Ptr64 Void
+0x070 Scratch : Ptr64 Void
+0x078 SourceHandle : Ptr64 Void
+0x080 NblFlags : Uint4B
+0x084 ChildRefCount : Int4B
+0x088 Flags : Uint4B
+0x08c Status : Int4B
+0x090 NetBufferListInfo : [19] Ptr64 Void

and

kd>dt nsmuxtun!_NET_BUFFER_LIST

+0x000 Next : Ptr64 _NET_BUFFER_LIST
+0x008 FirstNetBuffer : Ptr64 _NET_BUFFER
+0x000 Link : _SLIST_HEADER
+0x010 Context : Ptr64 _NET_BUFFER_LIST_CONTEXT
+0x018 ParentNetBufferList : Ptr64 _NET_BUFFER_LIST
+0x020 NdisPoolHandle : Ptr64 Void
+0x030 NdisReserved : [2] Ptr64 Void
+0x040 ProtocolReserved : [4] Ptr64 Void
+0x060 MiniportReserved : [2] Ptr64 Void
+0x070 Scratch : Ptr64 Void
+0x078 SourceHandle : Ptr64 Void
+0x080 NblFlags : Uint4B
+0x084 ChildRefCount : Int4B
+0x088 Flags : Uint4B
+0x08c Status : Int4B
+0x090 NetBufferListInfo : [19] Ptr64 Void

Why are both of these the same?

I want to see whether the net buffer list is coming correctly inside the SendBufferList function inside my nsmuxtun symbol. What do I do next?

Mr Vinay, you should try to understand the basics of the operation
before posting innumerable posts that make no sense

dt displays the type of the input

_NET_BUFFER_LIST is a structure

the members of the structure are also displayed when you do dt

as you see Pnetxxxxx is not a member of that structure

Pnetxx is something you defined in your code

you cannot pass that to dt and expect windbg to understand it

you cannot ask a donkey to become a princess just by sticking a
piece of paper with the name of princess to the ugly donkey

the donkey stays a donkey even if it is named princess

a simple usage for dt is shown below please study it thoroughly
understand the basics read the documentation try 1000 times on
different structures and if you still don’t understand find someone
else to get the job done

kd> dt ndis!_NET_BUFFER_LIST 863e1e88
_NET_BUFFER_LIST
+0x000 Next : 0x863e1e88 _NET_BUFFER_LIST
+0x004 FirstNetBuffer : 0x863e1e88 _NET_BUFFER
+0x000 Link : _SLIST_HEADER
+0x008 Context : (null)
+0x00c ParentNetBufferList : 0x0014011c _NET_BUFFER_LIST
+0x010 NdisPoolHandle : 0x8638e280 Void
+0x018 NdisReserved : [2] 0x6f69754e Void
+0x020 ProtocolReserved : [4] (null)
+0x030 MiniportReserved : [2] (null)
+0x038 Scratch : (null)
+0x03c SourceHandle : (null)
+0x040 NblFlags : 0x4000004
+0x044 ChildRefCount : 0n0
+0x048 Flags : 0
+0x04c Status : 0n0
+0x050 NetBufferListInfo : [19] (null)
kd>

you either find the address that points to the Net_buffer_list in your
code and pass it or use the proper expression

passing PNetxxxx is never going to work period


xxxxx@gmail.com wrote:

> kd>bu nsmuxtun!CFilter::SendNetBufferLists
>
> But after that I want to get pNetBufferList:
>
> kd>dt nsmuxtun!_NET_BUFFER_LIST pNetBufferList
> cannot find specified field membere
>
> Why can't the debugger find this value?

Did the debugger actually stop at the breakpoint?

> when I type
>
> kd>dt ndis!_NET_BUFFER_LIST

Did you read the documentation in the help file about the “dt” command?
I shouldn’t have to keep reminding you that Google and the help files
are WAY faster than this mailing list. When you type

dt structure_name

it shows you the layout of the structure, including the offset and type
of each member. And that’s exactly what you got:

+0x000 Next : Ptr64 _NET_BUFFER_LIST
+0x008 FirstNetBuffer : Ptr64 _NET_BUFFER
+0x000 Link : _SLIST_HEADER
+0x010 Context : Ptr64 _NET_BUFFER_LIST_CONTEXT
+0x018 ParentNetBufferList : Ptr64 _NET_BUFFER_LIST
+0x020 NdisPoolHandle : Ptr64 Void
+0x030 NdisReserved : [2] Ptr64 Void
+0x040 ProtocolReserved : [4] Ptr64 Void
+0x060 MiniportReserved : [2] Ptr64 Void
+0x070 Scratch : Ptr64 Void
+0x078 SourceHandle : Ptr64 Void
+0x080 NblFlags : Uint4B
+0x084 ChildRefCount : Int4B
+0x088 Flags : Uint4B
+0x08c Status : Int4B
+0x090 NetBufferListInfo : [19] Ptr64 Void

If you want it to show you the contents of a specific instance of that
data structure in memory, then I hope it is OBVIOUS that you have to
tell it the address of the structure you want to see, as in:

dt _NET_BUFFER_LIST 0xffff800012345670

If your symbols are available, then you can use variable names:

dt _NET_BUFFER_LIST pNetBufferList

But if the debugger is stopped at a point where that symbol is not
found, then that command tells the debugger to show you the layout of
_NET_BUFFER_LIST…pNetBufferList. Since that member does not exist, you
get an error.

Remember that your function creates pNetBufferList partway through.
Unless the debugger is stopped after that point, pNetBufferList does not
yet exist. After you stop at the breakpoint, you’ll have to single step
up to the line where that variable is created.

However, as I recall, your code just copies one of its parameters into
that variable. Thus, you should be able to refer to the parameter name
as well.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
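
The sequence described in the reply above, written out as a debugger session (an added example, not part of the original thread). The module, class and variable names are the ones posted in the thread; it assumes CFilter::SendNetBufferLists takes NetBufferLists as its first declared parameter, like the CMiniport version posted earlier, and an x64 target as the Ptr64 fields in the dt output indicate. `<address>` is a placeholder for a pointer value you already have.

```windbg
$$ Deferred breakpoint: it resolves once nsmuxtun.sys and its matching PDB are loaded.
bu nsmuxtun!CFilter::SendNetBufferLists
g

$$ The debugger is now stopped at the first instruction of the function.
$$ Confirm that the top frame really is the function you expect.
kn

$$ At this point the prologue has not run yet, so named parameters may not
$$ read back correctly. On x64 a non-static member function receives "this"
$$ in rcx and its first declared parameter in rdx, so rdx is NetBufferLists.
dt ndis!_NET_BUFFER_LIST @rdx

$$ Step over source lines (repeat p as needed) until the line that assigns
$$ pNetBufferList has executed.
p
p

$$ List the parameters and locals that are in scope, with types and locations.
$$ A name that is not listed here cannot be used as a variable with dt.
dv /t /v

$$ Now the names resolve: dt with a variable name shows that instance.
dt NetBufferLists
dt pNetBufferList

$$ The C++ expression evaluator follows members of the same variable.
?? pNetBufferList->FirstNetBuffer

$$ With only a numeric address (for example one printed by DbgPrintEx),
$$ give dt the type and the address instead of a name.
dt ndis!_NET_BUFFER_LIST <address>
```

If dv shows no entry for pNetBufferList after stepping, the compiler may have optimized the local away in a release build; the register or a printed address still works with the typed form of dt.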

Thanks for your valuable reply.

Now I have done physical machine kernel debugging using 2 machines. I connected with the host IP and port. It worked successfully. I can see all driver logs through WinDbg.

Can you guys please help me to understand how I debug a bluescreen problem? I got a crash inside the

"Filter driver SendNetBufferListComplete function" when I access context data.

I think my code will help you to get more details:

**********************************************************

Filter SendBufferListComplete function :

*************************************************************

SendNetBufferListsComplete(
IN PNET_BUFFER_LIST NetBufferLists,
IN ULONG SendCompleteFlags )
{

PNET_BUFFER_LIST pNetBufferList = NULL ;
pNetBufferList = NetBufferLists;

PNET_BUFFER_LIST pNextNetBufferList = NULL;

while ( NULL != pNetBufferList) {

pNextNetBufferList = NET_BUFFER_LIST_NEXT_NBL(pNetBufferList);

NET_BUFFER_LIST_NEXT_NBL(pNetBufferList) = NULL;

PNET_BUFFER_LIST pParentNetBufferList = pNetBufferList->ParentNetBufferList;

if (pParentNetBufferList != NULL) {

NDIS_STATUS status =
NET_BUFFER_LIST_STATUS(pNetBufferList);

if(NULL != pNetBufferList)
NdisFreeNetBufferList(pNetBufferList);

if (NdisInterlockedDecrement(&pParentNetBufferList->ChildRefCount) == 0)
{
NET_BUFFER_LIST_STATUS(pParentNetBufferList) = status;
NdisFSendNetBufferListsComplete(m_hFilter, pParentNetBufferList,
SendCompleteFlags);
}

} else {

if((pNetBufferList !=
NULL)&&((pNetBufferList->SourceHandle == m_hFilter)) ) {

PVOID pBuffer = NULL ;

pBuffer = *((PVOID*) NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList)); /* >>> crash here */

PMDL pMdl = NET_BUFFER_FIRST_MDL(NET_BUFFER_LIST_FIRST_NB(pNetBufferList));

if(NULL != pMdl)
NdisFreeMdl(pMdl);

if(NULL != pBuffer)
delete (UCHAR*) pBuffer;

if(NULL != pNetBufferList)
NdisFreeNetBufferList(pNetBufferList);

}
else
{
NdisFSendNetBufferListsComplete(m_hFilter, pNetBufferList,
SendCompleteFlags);
}

NdisInterlockedDecrement(&m_nSendNetBufferListCount);
pNetBufferList = NULL ;
pNetBufferList = pNextNetBufferList;

}

}
**************************************************************
I got the crash on the line

pBuffer = *((PVOID*) NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList));

So should I check whether this pNetBufferList is valid or not? But I checked for NULL inside the while loop. I don’t know why this occurs.

And my crash report:



BAD_POOL_CALLER (c2) condition Windbg report


*************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, 1200, 10005, ffffe000bc82a760}

Unable to load image \SystemRoot\system32\DRIVERS\nsmuxtun.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for nsmuxtun.sys
fffff8002e0bbce0: Unable to get special pool info
fffff8002e0bbce0: Unable to get special pool info
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
Probably caused by : nsmuxtun.sys (
nsmuxtun!CFilter::SendNetBufferListsComplete+80 )

Followup: MachineOwner

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad
IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 0000000000001200, (reserved)
Arg3: 0000000000010005, Memory contents of the pool block
Arg4: ffffe000bc82a760, Address of the block of pool being deallocated

Debugging Details:

POOL_ADDRESS: ffffe000bc82a760

FREED_POOL_TAG: NSNS

BUGCHECK_STR: 0xc2_7_NSNS

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: chrome.exe

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from fffff8002e09a42a to fffff8002df57fa0

STACK_TEXT:
ffffd001648d01e8 fffff8002e09a42a : 00000000000000c2 0000000000000007
0000000000001200 0000000000010005 : nt!KeBugCheckEx
ffffd001648d01f0 fffff801bdee06a8 : ffffe000ba49a0b8 ffffe000bb05fe38
0000000000000000 0000000000000000 : nt!ExFreePoolWithTag+0x114a
ffffd001648d02c0 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 :
nsmuxtun!CFilter::SendNetBufferListsComplete+0x80
[c:\users\dell3\desktop\v4.5.0.002_win10\src\cpp\client\driver\multiplexer\window
s\ndis62\filter.cpp @ 496]

STACK_COMMAND: kb

FOLLOWUP_IP:
nsmuxtun!CFilter::SendNetBufferListsComplete+80
[c:\users\dell3\desktop\v4.5.0.002_win10\src\cpp\client\driver\multiplexer\window
s\ndis62\filter.cpp @ 496]
fffff801`bdee06a8 ?? ???

FAULTING_SOURCE_CODE:
492: } else {
493: if(pNetBufferList != NULL) {
494: PVOID pBuffer = *(PVOID*)
NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList);
495: PMDL pMdl =
NET_BUFFER_FIRST_MDL(NET_BUFFER_LIST_FIRST_NB(pNetBufferList));

496: if(pMdl)
497: NdisFreeMdl(pMdl);
498: if(pBuffer)
499: delete (UCHAR*) pBuffer;
500: NdisFreeNetBufferList(pNetBufferList);
501: }

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: nsmuxtun!CFilter::SendNetBufferListsComplete+80

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nsmuxtun

IMAGE_NAME: nsmuxtun.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5693552e

FAILURE_BUCKET_ID:
X64_0xc2_7_NSNS_nsmuxtun!CFilter::SendNetBufferListsComplete+80

BUCKET_ID: X64_0xc2_7_NSNS_nsmuxtun!CFilter::SendNetBufferListsComplete+80

Followup: MachineOwner

**************************************************************

I checked:

I checked the filter pause status in each function, but it’s not in the pause state. This is fine in the receive function. Only the send buffer list is the problem.

My questions are:

  1. Should I put dbgbreak() inside this function? If I put breakpoints on this function using the bp or bu command, how can I make my debugger break when I get the crash?

  2. What should I check to analyze this type of crash? pNetbuffer or context or any other details? (I attached the minidump report above.)

  3. I know the scenario to reproduce the blue screen again. So when it crashes, how can I get the packet? Or how can I get the packet address?

  4. I set a pool tag name inside the sendbufferlist function. So should I check this tag inside this function for debugging?

  5. What commands should I use to access the context data of the pNetBufferlist?

thanks

vinay kp wrote:

> What commands should I use to access the context
> data of the pNetBufferlist?

Oh my god. Have you read a single thing anyone has said in this entire thread?

xxxxx@gmail.com wrote:

> Now I have done physical machine kernel debugging using 2 machines. I connected with the host IP and port. It worked successfully. I can see all driver logs through WinDbg.
>
> Can you guys please help me to understand how I debug a bluescreen problem? I got a crash inside
>
> I got the crash on the line
>
> pBuffer = *((PVOID*) NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList));

No, you didn’t, at least not in the crash you have included here. Look
at the analysis and at the stack trace. Your code called
ExFreePoolWithTag, and the system says you are trying to free memory
that was already freed. The debugger does its best to figure out where
it is in your code, but it isn’t always accurate. You have to use your
head.

The call to ExFreePoolWithTag is probably a result of the delete call,
but you’d have to do some disassembly to figure that out.

So I should check whether this pNetBufferList is valid or not? But I checked for NULL inside the while loop. I don’t know why this occurs.

This is what I have been trying to tell you for the last week.

and my crash report ::

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad
IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 0000000000001200, (reserved)
Arg3: 0000000000010005, Memory contents of the pool block
Arg4: ffffe000bc82a760, Address of the block of pool being deallocated

You could look at the block of memory from that address, to see if it
looks like your context area.

STACK_COMMAND: kb

FOLLOWUP_IP:
nsmuxtun!CFilter::SendNetBufferListsComplete+80
[c:\users\dell3\desktop\v4.5.0.002_win10\src\cpp\client\driver\multiplexer\windows\ndis62\filter.cpp @ 496]
fffff801`bdee06a8 ?? ???

Why is there no code here? Can you disassemble this address with the
“u” command?

So my questions are:

  1. Should I put dbgbreak() inside this function? If I put breakpoints for this function using the bp or bu command, how can I my debugger break when I got crash?

The “bp” command is usually more convenient than putting DbgBreakPoint
calls into your code and rebuilding. I don’t understand the second
question. When you use the “bp” command, the debugger inserts a
breakpoint instruction in your code at that point. That causes an
exception, which the debugger traps and handles.

  2. What should I check to analyze this type of crash? pNetbuffer or context or any other details (I attached the minidump report above)

I have told you this repeatedly.

  4. I set a pool tag name inside the sendbufferlist function. So should I check this tag inside this function for debugging?

You could. That might tell you how many blocks you have outstanding.

  5. What are the commands should I use to access context data of the pNetBufferlist?

I have told you this repeatedly. The debugger is not going to be able
to find your variables by name unless it is stopped inside your
function. In this dump, it is not stopped inside your function. It
stopped in ExFreePoolWithTag. This is why I have REPEATEDLY told you to
dump the interesting addresses using KdPrint. That way, when you get a
crash, you can look at the last net buffer list you got, and start
dumping it with “dt”.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks for your reply. I tried to put some DbgPrint calls inside my crashing CFilter::SendBufferListComplete() function to obtain the NET_BUFFER_LIST address.
I analyzed the packets using the dt command. Can you check whether there is anything wrong in the packet? All the packets are good. Then why is the crash happening?

I attached my DbgPrint function code:

******************************************************************************
VOID CFilter::SendNetBufferListsComplete(
    IN PNET_BUFFER_LIST NetBufferLists,
    IN ULONG SendCompleteFlags
    ) {
    PNET_BUFFER_LIST pNetBufferList = NetBufferLists;
    PNET_BUFFER_LIST pNextNetBufferList = NULL;
    DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, " ### CFilter::SendNetBufferListsComplete () start:\n");
    DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, " ===> SendNetBufferListsComplete() : NetBufferLists = %p.\n",NetBufferLists);
    DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, " ### value of m_fPaused = %s\n",(m_fPaused)?"true":"false");
    while (pNetBufferList) {
        // Detach the current NBL from the chain; the rest is handled on later iterations.
        pNextNetBufferList = NET_BUFFER_LIST_NEXT_NBL(pNetBufferList);
        NET_BUFFER_LIST_NEXT_NBL(pNetBufferList) = NULL;
        PNET_BUFFER_LIST pParentNetBufferList = pNetBufferList->ParentNetBufferList;
        if (pParentNetBufferList != NULL) {
            // NBL has a parent: free it, then complete the parent once its ChildRefCount reaches 0.
            NDIS_STATUS status = NET_BUFFER_LIST_STATUS(pNetBufferList);
            DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, " inside if loop : (parent) going to FREE pNetBufferList = %p \n",pNetBufferList);
            NdisFreeNetBufferList(pNetBufferList);
            if (NdisInterlockedDecrement(&pParentNetBufferList->ChildRefCount) == 0) {
                DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, "calling NdisInterlockedDecrement(&pParentNetBufferList->ChildRefCount) \n");
                NET_BUFFER_LIST_STATUS(pParentNetBufferList) = status;
                DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, " calling NdisFSendNetBufferListsComplete() \n");
                DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, " Sending packet to Protocol Driver \n");
                NdisFSendNetBufferListsComplete(m_hFilter, pParentNetBufferList, SendCompleteFlags);
            }
        } else {
            // No parent: release the first MDL, the buffer whose pointer is stored
            // at the start of the NBL context, and then the NBL itself.
            DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, " else looop parent not exist\n");
            if(pNetBufferList != NULL) {
                DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, "going to get context of pNetBufferList = %p \n",pNetBufferList);
                PVOID pBuffer = *(PVOID*) NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList);
                PMDL pMdl = NET_BUFFER_FIRST_MDL(NET_BUFFER_LIST_FIRST_NB(pNetBufferList));
                if(pMdl)
                    NdisFreeMdl(pMdl);
                if(pBuffer)
                    delete (UCHAR*) pBuffer;
                DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, "going to FREE pNetBufferList = %p \n",pNetBufferList);
                NdisFreeNetBufferList(pNetBufferList);
            }
        }
        NdisInterlockedDecrement(&m_nSendNetBufferListCount);
        pNetBufferList = pNextNetBufferList;
    }
    DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, " ### CFilter::SendNetBufferListsComplete () End:\n");
}
******************************************************************************

And I got this log using remote debugging with WinDbg:

******************************************************************************

CFilter::SendNetBufferLists () start:

value of m_fPaused = false

!!!CFilter::OutgoingNetBufferInput()
!!!CFilter::OutgoingNetBufferInput() End
packet status = packet accept
NET_BUFFER_LIST allocated : pNewNetBuffer =FFFFE001AA488860
!!!CFilter::OutgoingNetBufferInput()
!!!CFilter::OutgoingNetBufferInput() End
packet status = packet accept
NET_BUFFER_LIST allocated : pNewNetBuffer =FFFFE001A9ACEDF0
!!!CFilter::OutgoingNetBufferInput()
!!!CFilter::OutgoingNetBufferInput() End
packet status = packet accept
NET_BUFFER_LIST allocated : pNewNetBuffer =FFFFE001AA41CAB0

2nd value of m_fPaused = false

calling NdisFSendNetBufferLists()
Accepting – Sending Packets from Filter to Miniport Driver ( Underlying Driver )

CFilter::SendNetBufferLists () End:

CFilter::SendNetBufferListsComplete () start:

===> SendNetBufferListsComplete() : NetBufferLists = FFFFE001AA488860.

value of m_fPaused = false

inside if loop : (parent) going to FREE pNetBufferList = FFFFE001AA488860
inside if loop : (parent) going to FREE pNetBufferList = FFFFE001A9ACEDF0
inside if loop : (parent) going to FREE pNetBufferList = FFFFE001AA41CAB0
calling NdisInterlockedDecrement(&pParentNetBufferList->ChildRefCount)
calling NdisFSendNetBufferListsComplete()
Sending packet to Protocol Driver

CFilter::SendNetBufferListsComplete () End:

???### CFilter::SendNetBufferListsComplete () start:
===> SendNetBufferListsComplete() : NetBufferLists = FFFFE001A9ACEDF0.

value of m_fPaused = false

inside if loop : (parent) going to FREE pNetBufferList = FFFFE001A9ACEDF0
inside if loop : (parent) going to FREE pNetBufferList = FFFFE001AA488860
else looop parent not exist
going to get context of pNetBufferList = FFFFE001A930D2A0
KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x000000d1
(0x000000000000000A,0x0000000000000002,0x0000000000000000,0xFFFFF801D282EF04)

Connected to Windows 8 9600 x64 target at (Wed Feb 10 21:04:36.214 2016 (UTC + 5:30)), ptr64 TRUE
Kernel Debugger connection established.
WARNING: Path element is empty
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {a, 2, 0, fffff801d282ef04}

“KERNEL32.DLL” was not found in the image list.
Debugger will attempt to load “KERNEL32.DLL” at given base 00000000`00000000.

Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
Unable to add module at 0000000000000000
Probably caused by : nsmuxtun.sys ( nsmuxtun!CFilter::SendNetBufferListsComplete+158 )

Followup: MachineOwner
---------

nt!DbgBreakPointWithStatus:
fffff80385976890 cc int 3
0: kd> !analyze -v


Bugcheck Analysis



DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000000000000a, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff801d282ef04, address which referenced memory

Debugging Details:
------------------

“KERNEL32.DLL” was not found in the image list.
Debugger will attempt to load “KERNEL32.DLL” at given base 0000000000000000.

Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
Unable to add module at 0000000000000000

READ_ADDRESS: unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
000000000000000a

CURRENT_IRQL: 2

FAULTING_IP:
nsmuxtun!CFilter::SendNetBufferListsComplete+158 [c:\users\dell3\desktop\code\s4.5.0.002_win10\src\cpp\client\driver\multiplexer\windows\ndis62\filter.cpp @ 629]
fffff801d282ef04 0fb7410a movzx eax,word ptr [rcx+0Ah]

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: chrome.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

TRAP_FRAME: ffffd001e17de140 -- (.trap 0xffffd001e17de140)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=000000000000003b rsi=0000000000000000 rdi=0000000000000000
rip=fffff801d282ef04 rsp=ffffd001e17de2d0 rbp=0000000000000000
 r8=0000000000000050 r9=0000000000000000 r10=00000000ffffffff
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
nsmuxtun!CFilter::SendNetBufferListsComplete+0x158:
fffff801d282ef04 0fb7410a movzx eax,word ptr [rcx+0Ah] ds:000000000000000a=????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff803859f9242 to fffff80385976890

STACK_TEXT:
ffffd001e17dd848 fffff803859f9242 : 0000000000000000 0000000000000000 ffffd001e17dd9b0 fffff803858cd198 : nt!DbgBreakPointWithStatus
ffffd001e17dd850 fffff803859f8b53 : 0000000000000003 ffffd001e17dd9b0 fffff8038597dc80 00000000000000d1 : nt!KiBugCheckDebugBreak+0x12
ffffd001e17dd8b0 fffff8038596fda4 : 0000000000000000 00001f80009102c0 fffff80100000000 00001f8000480260 : nt!KeBugCheck2+0x8ab
ffffd001e17ddfc0 fffff8038597b7e9 : 000000000000000a 000000000000000a 0000000000000002 0000000000000000 : nt!KeBugCheckEx+0x104
ffffd001e17de000 fffff8038597a03a : 0000000000000000 0000000000000000 fffff801d1ae4500 ffffd001e17de140 : nt!KiBugCheckDispatch+0x69
ffffd001e17de140 fffff801d282ef04 : ffffe001acba2030 ffffe001a930d2a0 fffff801d29111a0 ffffe001a930d2a0 : nt!KiPageFault+0x23a
ffffd001e17de2d0 fffff801d1ade98f : 0000000000000000 ffffd001e17de410 fffff801d282f948 0000000000000000 : nsmuxtun!CFilter::SendNetBufferListsComplete+0x158 [c:\users\dell3\desktop\code\s4.5.0.002_win10\src\cpp\client\driver\multiplexer\windows\ndis62\filter.cpp @ 629]
ffffd001e17de310 fffff801d28191cb : ffffe001a90151a0 ffffe001a9acedf0 ffffe001ab3178a8 0000000000000000 : ndis!NdisMSendNetBufferListsComplete+0x1df
ffffd001e17de480 fffff801d1adda21 : 0000000000000000 0000000000000000 fffff801d2910fc0 ffffe001abdd2ae0 : nsvnet!CMiniport::SendNetBufferLists+0x3f [c:\users\dell3\desktop\code\s4.5.0.002_win10\src\cpp\client\driver\vnet\windows\ndis62\miniport.cpp @ 778]
ffffd001e17de4b0 fffff801d1c8984b : ffffe001abe3d010 ffffe001acba2030 ffffe00100000000 0000000000000002 : ndis!NdisSendNetBufferLists+0x551
ffffd001e17de6a0 fffff801d1c88284 : fffff801d1e03180 0000000000000000 0000000200000000 0000000000000800 : tcpip!IppFragmentPackets+0x4cb
ffffd001e17de7e0 fffff801d1c87a59 : fffff801d1e03180 0000000000000000 0000000000000000 0000000000006166 : tcpip!IppDispatchSendPacketHelper+0x94
ffffd001e17de970 fffff801d1c85fee : ffffe001abe052b0 ffffe001aa6fd3c8 0000000000000002 ffffd001e17dedc0 : tcpip!IppPacketizeDatagrams+0x2d9
ffffd001e17deb10 fffff801d1c8b189 : fffff801d1c4e420 0000000000000007 fffff801d1e03180 ffffe001aae4a780 : tcpip!IppSendDatagramsCommon+0x49e
ffffd001e17decf0 fffff801d1c80bc5 : ffffe001ad9fcd10 0000000000000002 ffffd001e17df0d2 ffffe001ac5f84c0 : tcpip!TcpTcbSend+0x55d
ffffd001e17df040 fffff801d1c8080c : 00000000000084e5 000000000026a754 0000000000000000 ffffd001e17df3f0 : tcpip!TcpEnqueueTcbSendOlmNotifySendComplete+0xa5
ffffd001e17df070 fffff801d1c80cc8 : 0000000000000000 fffff801d1c91a11 ffffe001ad869400 0000000000000000 : tcpip!TcpEnqueueTcbSend+0x2ac
ffffd001e17df170 fffff803858e89a6 : 0000000000000000 ffffe001a9526cf0 0000000000000000 0000000000000004 : tcpip!TcpTlConnectionSendCalloutRoutine+0x28
ffffd001e17df1f0 fffff801d1c80f86 : fffff801d1c80ca0 ffffd001e17df310 ffffd001e17df700 fffff801d27836cb : nt!KeExpandKernelStackAndCalloutInternal+0xe6
ffffd001e17df2e0 fffff801d279e577 : ffffe001ad869450 ffffd001e17dfb80 0000000000000b4a 0000000000000b4a : tcpip!TcpTlConnectionSend+0x76
ffffd001e17df350 fffff801d2782451 : 00000000001bce80 ffffd001e01f0180 000000000000003d ffffe001a9526cf0 : afd!AfdFastConnectionSend+0x387
ffffd001e17df510 fffff80385bfb374 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : afd!AfdFastIoDeviceControl+0x441
ffffd001e17df880 fffff80385bfc146 : 0000000000000000 0000000c001f0003 0000000000000001 0000000009e8bf20 : nt!IopXxxControlFile+0x3d4
ffffd001e17dfa20 fffff8038597b4b3 : 0000000000000102 ffffd001e17dfad8 0000000000000000 fffff6fb00000001 : nt!NtDeviceIoControlFile+0x56
ffffd001e17dfa90 0000000077232772 : 0000000077232371 00000023772ed1bc 0000000000000023 00000000000000fe : nt!KiSystemServiceCopyEnd+0x13
000000000565eee8 0000000077232371 : 00000023772ed1bc 0000000000000023 00000000000000fe 000000000575f664 : wow64cpu!CpupSyscallStub+0x2
000000000565eef0 00000000771f323a : 0000000000000000 0000000077231503 0000000000000000 00000000771f3420 : wow64cpu!DeviceIoctlFileFault+0x31
000000000565efa0 00000000771f317e : 0000000000000000 0000000000000000 000000000565fd30 000000000565f5f0 : wow64!RunCpuSimulation+0xa
000000000565eff0 00007ffd2b0f6b84 : 0000000000000000 0000000000000000 00000000ff783000 0000000000000000 : wow64!Wow64LdrpInitialize+0x172
000000000565f530 00007ffd2b0f6a5a : 000000000565f5f0 0000000000000000 0000000000000000 00000000ff783000 : ntdll!_LdrpInitialize+0xd8
000000000565f5a0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!LdrInitializeThunk+0xe

STACK_COMMAND: kb

FOLLOWUP_IP:
nsmuxtun!CFilter::SendNetBufferListsComplete+158 [c:\users\dell3\desktop\code\s4.5.0.002_win10\src\cpp\client\driver\multiplexer\windows\ndis62\filter.cpp @ 629]
fffff801d282ef04 0fb7410a movzx eax,word ptr [rcx+0Ah]

FAULTING_SOURCE_LINE: c:\users\dell3\desktop\code\s4.5.0.002_win10\src\cpp\client\driver\multiplexer\windows\ndis62\filter.cpp

FAULTING_SOURCE_FILE: c:\users\dell3\desktop\code\s4.5.0.002_win10\src\cpp\client\driver\multiplexer\windows\ndis62\filter.cpp

FAULTING_SOURCE_LINE_NUMBER: 629

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: nsmuxtun!CFilter::SendNetBufferListsComplete+158

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nsmuxtun

IMAGE_NAME: nsmuxtun.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 56bb3d7d

BUCKET_ID_FUNC_OFFSET: 158

FAILURE_BUCKET_ID: AV_nsmuxtun!CFilter::SendNetBufferListsComplete

BUCKET_ID: AV_nsmuxtun!CFilter::SendNetBufferListsComplete

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:av_nsmuxtun!cfilter::sendnetbufferlistscomplete

FAILURE_ID_HASH: {1dfcf7bc-8e9e-f02a-5522-98cd1bf52fc8}

Followup: MachineOwner
---------
******************************************************************************

After that I got the crash, so my debugger broke in. The last NET_BUFFER_LIST I got is FFFFE001A9ACEDF0, and I am checking the parents of this net buffer list.

???### CFilter::SendNetBufferListsComplete () start:
===> SendNetBufferListsComplete() : NetBufferLists = FFFFE001A9ACEDF0.
### value of m_fPaused = false
inside if loop : (parent) going to FREE pNetBufferList = FFFFE001A9ACEDF0
inside if loop : (parent) going to FREE pNetBufferList = FFFFE001AA488860
else looop parent not exist
going to get context of pNetBufferList = FFFFE001A930D2A0
KDTARGET: Refreshing KD connection

I analyzed the NET_BUFFER_LIST using dt like this:

kd> dt nsmuxtun!_NET_BUFFER_LIST FFFFE001A9ACEDF0
+0x000 Next : 0xffffe001aa41cab0 _NET_BUFFER_LIST
+0x008 FirstNetBuffer : 0xffffe001a9acef50 _NET_BUFFER
+0x000 Link : _SLIST_HEADER
+0x000 NetBufferListHeader : _NET_BUFFER_LIST_HEADER
+0x010 Context : (null)
+0x018 ParentNetBufferList : 0xffffe001acba2030 _NET_BUFFER_LIST
+0x020 NdisPoolHandle : 0xffffe001ab313040 Void
+0x030 NdisReserved : [2] (null)
+0x040 ProtocolReserved : [4] (null)
+0x060 MiniportReserved : [2] (null)
+0x070 Scratch : (null)
+0x078 SourceHandle : 0xffffe001ab315740 Void
+0x080 NblFlags : 0
+0x084 ChildRefCount : 0n0
+0x088 Flags : 0
+0x08c Status : 0n0
+0x08c NdisReserved2 : 0
+0x090 NetBufferListInfo : [18] (null)

And after that, when my driver fetches the context of the FFFFE001A930D2A0 net buffer list, it crashed. Is it?

kd> dt nsmuxtun!_NET_BUFFER_LIST FFFFE001A930D2A0
+0x000 Next : (null)
+0x008 FirstNetBuffer : 0xffffe001a930d400 _NET_BUFFER
+0x000 Link : _SLIST_HEADER
+0x000 NetBufferListHeader : _NET_BUFFER_LIST_HEADER
+0x010 Context : (null)
+0x018 ParentNetBufferList : (null)
+0x020 NdisPoolHandle : 0xffffe001ab313040 Void
+0x030 NdisReserved : [2] (null)
+0x040 ProtocolReserved : [4] (null)
+0x060 MiniportReserved : [2] (null)
+0x070 Scratch : (null)
+0x078 SourceHandle : 0xffffe001ab315740 Void
+0x080 NblFlags : 0
+0x084 ChildRefCount : 0n0
+0x088 Flags : 0x2210040c
+0x08c Status : 0n0
+0x08c NdisReserved2 : 0
+0x090 NetBufferListInfo : [18] (null)

Is there anything abnormal in my net buffer list? This crash happens when I run my driver for more than 10 minutes. Why can’t I access this context of the net buffer list? Or should I analyze further? If so, what are the major areas I should check?

Thanks
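
Added example, not part of the thread or the driver's code: a Python script that cross-checks a DbgPrintEx log like the one posted above, flagging NBL addresses logged as freed again without an intervening allocation and context reads on addresses the log never shows being allocated. The sample lines are copied from the log in the post above; the function name `audit_nbl_log` and the finding labels are assumptions of this example.

```python
import re

# Address-bearing lines copied from the DbgPrintEx log in the post above.
SAMPLE_LOG = """\
NET_BUFFER_LIST allocated : pNewNetBuffer =FFFFE001AA488860
NET_BUFFER_LIST allocated : pNewNetBuffer =FFFFE001A9ACEDF0
NET_BUFFER_LIST allocated : pNewNetBuffer =FFFFE001AA41CAB0
===> SendNetBufferListsComplete() : NetBufferLists = FFFFE001AA488860.
inside if loop : (parent) going to FREE pNetBufferList = FFFFE001AA488860
inside if loop : (parent) going to FREE pNetBufferList = FFFFE001A9ACEDF0
inside if loop : (parent) going to FREE pNetBufferList = FFFFE001AA41CAB0
===> SendNetBufferListsComplete() : NetBufferLists = FFFFE001A9ACEDF0.
inside if loop : (parent) going to FREE pNetBufferList = FFFFE001A9ACEDF0
inside if loop : (parent) going to FREE pNetBufferList = FFFFE001AA488860
else looop parent not exist
going to get context of pNetBufferList = FFFFE001A930D2A0
"""

HEX = r"([0-9A-Fa-f]{8,16})"
ALLOC = re.compile(r"allocated\s*:\s*pNewNetBuffer\s*=\s*" + HEX)
FREE = re.compile(r"going to FREE pNetBufferList\s*=\s*" + HEX)
CTX = re.compile(r"going to get context of pNetBufferList\s*=\s*" + HEX)


def audit_nbl_log(text):
    """Return (line_number, address, finding) tuples for suspicious events.

    "Never allocated" only means "not allocated within this log": a log that
    starts late can miss earlier allocations.
    """
    live = set()   # allocated and not yet freed
    seen = set()   # ever logged as allocated
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ALLOC.search(line)
        if m:
            addr = m.group(1).upper()
            live.add(addr)      # pool addresses can be reused after a free,
            seen.add(addr)      # so a new allocation makes the address live again
            continue
        m = FREE.search(line)
        if m:
            addr = m.group(1).upper()
            if addr in live:
                live.discard(addr)
            elif addr in seen:
                findings.append((lineno, addr, "freed-again"))
            else:
                findings.append((lineno, addr, "free-never-allocated"))
            continue
        m = CTX.search(line)
        if m:
            addr = m.group(1).upper()
            if addr in live:
                continue
            label = "context-read-after-free" if addr in seen else "context-read-never-allocated"
            findings.append((lineno, addr, label))
    return findings


if __name__ == "__main__":
    for lineno, addr, finding in audit_nbl_log(SAMPLE_LOG):
        print(f"line {lineno}: {addr} {finding}")
```

Each flagged address is a candidate for `dt` or `!pool` in the debugger at the moment of the crash.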