ndislwf: crash-pacer!PcFilterSendNetBufferListsComplete+b4

hi all,
I copy the NetBufferLists in the FilterSendNetBufferLists function and send it (preparing for modifying the NB). But the OS crashed. I traced the code and found the error occurred when NdisFSendNetBufferListsComplete was executed in FilterSendNetBufferListsComplete.

In FilterSendNetBufferLists, I copy the NBL like this:
pCopyNBL = NdisAllocateNetBufferAndNetBufferList(
               pFilter->SNBLPool,
               0,
               0, // back fill size
               pFirstMDL,
               0, // Data offset
               dataLength);
pMDLAddress = (PUCHAR)NdisAllocateMemoryWithTagPriority(pFilter->FilterHandle, dataLength, FILTER_ALLOC_TAG, LowPoolPriority);
pnewMdl = NdisAllocateMdl(pFilter->FilterHandle, pMDLAddress, dataLength);
NdisMoveMemory(pMDLAddress, pAddress, dataLength);
NET_BUFFER_DATA_LENGTH(NET_BUFFER_LIST_FIRST_NB(pNetBufferList)) = TotalLength;
NET_BUFFER_LIST_NEXT_NBL(pNetBufferList) = NULL;

Then I use NdisFSendNetBufferLists to send the copied NBL, and use NdisFSendNetBufferListsComplete to block the original NBL.

I queue the modified NBLs in pFilter->NblCreatNbl; then in FilterSendNetBufferListsComplete, I free the copied NBL like this:
FILTER_ACQUIRE_LOCK(&pFilter->Lock, DispatchLevel);
if( GET_NBL_QUEUE_HEAD( &pFilter->NblCreatNbl ) )
{
    NdisFreeNetBufferList(GET_NBL_QUEUE_HEAD( &pFilter->NblCreatNbl ));
}
FILTER_RELEASE_LOCK(&pFilter->Lock, DispatchLevel);

Maybe I allocate or free the NBL in the wrong way?
And where should I free the space allocated by NdisAllocateMemoryWithTagPriority in FilterSendNetBufferLists?

The windbg info is like this:
STACK_TEXT:
8078a91c 83d2008f 00000003 4e038166 00000065 nt!RtlpBreakWithStatusInstruction
8078a96c 83d20b8d 00000003 00000002 00000002 nt!KiBugCheckDebugBreak+0x1c
8078ad30 83c825cb 0000000a 00000002 00000002 nt!KeBugCheck2+0x68b
8078ad30 00000002 0000000a 00000002 00000002 nt!KiTrap0E+0x2cf
WARNING: Frame IP not in any known module. Following frames may be wrong.
8078adc0 882e18a6 11d0b1f3 86949320 00000001 0x2
8078ae0c 8827d51d 00000000 86949320 00000001 ndis!ndisMSendCompleteNetBufferListsInternal+0x217
8078ae20 88605848 85d65c70 86949320 00000001 ndis!NdisFSendNetBufferListsComplete+0x3a
8078ae44 8827d51d 85d65898 86949320 00000001 pacer!PcFilterSendNetBufferListsComplete+0xb4
8078ae58 881ec77a 8648b810 86949320 00000001 ndis!NdisFSendNetBufferListsComplete+0x3a
8078ae7c 882e1f0a 85d10028 86949320 00000001 ndislwf!FilterSendNetBufferListsComplete+0x15a [z:\coding\app_ndis\filter.c @ 1132]
8078aea0 92c5a4c6 85e2e0e0 86949320 00000001 ndis!NdisMSendNetBufferListsComplete+0xa4
8078aecc 92c577a6 856f7160 8644ccf0 00000001 E1G60I32!ProcessTransmitInterrupts+0x12e
8078aee4 882cf89a 016f7160 00000000 8078af10 E1G60I32!E1000HandleInterrupt+0xa8
8078af20 8827aa0f 8644cd04 0044ccf0 00000000 ndis!ndisMiniportDpc+0xe2
8078af48 83cb91b5 8644cd04 8644ccf0 00000000 ndis!ndisInterruptDpc+0xaf
8078afa4 83cb9018 83d6bd20 8699b398 00000000 nt!KiExecuteAllDpcs+0xf9
8078aff4 83cb87dc 960ff748 00000000 00000000 nt!KiRetireDpcList+0xd5
8078aff8 960ff748 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2c
83cb87dc 00000000 0000001a 00d6850f bb830000 0x960ff748

STACK_COMMAND: kb

FOLLOWUP_IP:
pacer!PcFilterSendNetBufferListsComplete+b4
88605848 5b pop ebx

SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: pacer!PcFilterSendNetBufferListsComplete+b4

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: pacer

IMAGE_NAME: pacer.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc916

FAILURE_BUCKET_ID: 0xD1_CODE_AV_BAD_IP_pacer!PcFilterSendNetBufferListsComplete+b4

BUCKET_ID: 0xD1_CODE_AV_BAD_IP_pacer!PcFilterSendNetBufferListsComplete+b4

Followup: MachineOwner

Thanks for your time!

I assume that you have modified your FilterSendNetBufferListsComplete
routine so it does NOT call NdisFSendNetBufferListsComplete for your
modified NBL.

(Pacer would surely barf if its send complete handler was called with NBLs
that it did not send…).

Thomas F. Divine
http://www.pcausa.com


From:
Sent: Sunday, August 14, 2011 6:22 AM
To: “Windows System Software Devs Interest List”
Subject: [ntdev] ndislwf: crash-pacer!PcFilterSendNetBufferListsComplete+b4

Thanks, Thomas.
I use NdisFSendNetBufferLists for the modified NBL, and NdisFSendNetBufferListsComplete for the original NBL in FilterSendNetBufferLists.

Then in FilterSendNetBufferListsComplete, I add some code, trying to free the modified NBLs like this (I saved the modified NBL in pFilter->NblCreatNbl):
FILTER_ACQUIRE_LOCK(&pFilter->Lock, DispatchLevel);
if( GET_NBL_QUEUE_HEAD( &pFilter->NblCreatNbl ) )
{
    NdisFreeNetBufferList(GET_NBL_QUEUE_HEAD( &pFilter->NblCreatNbl ));
}
FILTER_RELEASE_LOCK(&pFilter->Lock, DispatchLevel);

What's the proper way to deal with these?

Do you modify all NBLs that are sent?

I would think that in FilterSendNetBufferListsComplete you would examine
each NBL and fetch its PoolHandle. If it was your SNBLPool then you would
free YOUR NBL. If it wasn't your SNBLPool then you would call
NdisFSendNetBufferListsComplete.

Your NblCreatNbl queue doesn't need to be a member of your pFilter. It needs
only to be local to your FilterSendNetBufferLists callback. After you exit
FilterSendNetBufferLists you no longer need the queue. After it is sent the
queue is useless (and dangerous…). You don't even need a lock on the
queue. It only needs to exist in your send routine on the stack.

Just check the NBL pool handle in send complete and do something sensible
there.

Thomas F. Divine
http://www.pcausa.com


From:
Sent: Sunday, August 14, 2011 10:21 AM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] ndislwf: crash-pacer!PcFilterSendNetBufferListsComplete+b4

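
An added illustration (not code from the thread or from the ndislwf sample) of the pool-handle check described above: the send-complete handler walks the completed chain, releases the NBLs that came from its own pool together with the copied buffer behind them (the point at which the NdisAllocateMemoryWithTagPriority block and its MDL can be freed, since the data must stay valid until the send completes), and hands only the remaining NBLs back up. NDIS types are replaced by a minimal stand-in struct so it runs in user mode; NBL, MY_POOL, OTHER_POOL, make_nbl and partition_completed are names assumed here.

```c
#include <stdlib.h>
#include <stddef.h>

/* Minimal stand-in for NET_BUFFER_LIST: only the fields the logic needs (assumed). */
typedef struct nbl {
    struct nbl *Next;        /* NET_BUFFER_LIST_NEXT_NBL */
    void *NdisPoolHandle;    /* pool the NBL was allocated from */
    void *DataBuffer;        /* copied payload; non-NULL only for NBLs we made */
} NBL;

/* Distinct handle values standing in for our SNBLPool and an upper layer's pool. */
static int my_pool_storage, other_pool_storage;
#define MY_POOL    ((void *)&my_pool_storage)
#define OTHER_POOL ((void *)&other_pool_storage)

/* Build an NBL as a given pool would (constructed test data, not NDIS). */
NBL *make_nbl(void *pool, size_t data_len) {
    NBL *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    n->NdisPoolHandle = pool;
    if (data_len) n->DataBuffer = malloc(data_len);
    return n;
}

/* Stands in for NdisFreeMemory + NdisFreeMdl + NdisFreeNetBufferList on our copy. */
static void free_our_nbl(NBL *n) { free(n->DataBuffer); free(n); }

/* Core of FilterSendNetBufferListsComplete: walk the completed chain, free every
 * NBL that came from our pool, and return the remaining NBLs as a new chain that
 * the caller passes to NdisFSendNetBufferListsComplete (NULL if nothing is left).
 * *freed receives the number of our own NBLs released. */
NBL *partition_completed(NBL *list, int *freed) {
    NBL *theirs = NULL, **tail = &theirs;
    *freed = 0;
    while (list) {
        NBL *next = list->Next;
        list->Next = NULL;                    /* unlink before deciding */
        if (list->NdisPoolHandle == MY_POOL) {
            free_our_nbl(list);               /* ours: never pass it up */
            (*freed)++;
        } else {
            *tail = list;                     /* not ours: keep order, pass up */
            tail = &list->Next;
        }
        list = next;
    }
    return theirs;
}
```

The returned chain contains only NBLs the upper layers sent, so handing it to NdisFSendNetBufferListsComplete never completes an NBL that a layer above (such as pacer) did not originate.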
Ha, I could send the modified NBL.

Thanks, Thomas.