IM driver: BSOD when sending a custom NBL

Hello all,
In my IM driver, I send a custom NBL from MPSendNetBufferLists, like this:

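/*
 * Fragment of MPSendNetBufferLists. For every NBL in the incoming chain it
 * copies the payload, builds a replacement payload, completes the original
 * NBL back to its sender, and sends a driver-built NBL carrying the new
 * payload on the lower binding.
 *
 * res, Nbl, NextNbl, SendFlags, SendCompleteFlags and pVElan are declared
 * outside this fragment.
 */
CurrNbl = NetBufferLists;
while (CurrNbl != NULL)
{
    NDIS_STATUS Status;
    /*
     * NOTE(review): GetOneNetBufferListData is given no capacity argument, so
     * nothing visible here stops it from writing past this stack buffer when
     * the NBL carries more than ETH_MAX_PACKET_SIZE bytes (several
     * NET_BUFFERs, offloaded large sends). Confirm the helper bounds the copy;
     * a buffer this size is also a large share of a kernel stack.
     */
    UCHAR PayloadCopy[ETH_MAX_PACKET_SIZE];
    ULONG OrigPayloadl = 0;
    ULONG nNewPayloadl = 0;
    PUCHAR pNewPayload = NULL;
    NDIS_HANDLE OrigSourceHandle;

    /* Detach the current NBL so it can be completed on its own. */
    NextNbl = NET_BUFFER_LIST_NEXT_NBL(CurrNbl);
    NET_BUFFER_LIST_NEXT_NBL(CurrNbl) = NULL;

    /*
     * Read everything still needed from the original NBL now. Once it has
     * been completed it belongs to its sender again and must not be touched.
     */
    OrigSourceHandle = CurrNbl->SourceHandle;

    do
    {
        /* NOTE(review): res is never checked; its success value is not visible here. */
        res = GetOneNetBufferListData(CurrNbl, PayloadCopy, &OrigPayloadl);

        Status = MakeNblBuffer(PayloadCopy, OrigPayloadl, &pNewPayload, &nNewPayloadl);

        /* Return the original NBL; the payload has already been copied out. */
        NdisMSendNetBufferListsComplete(pVElan->MiniportAdapterHandle, CurrNbl, SendCompleteFlags);

        /*
         * Do not build or send anything from a failed allocation.
         * Assumes MakeNblBuffer reports success as NDIS_STATUS_SUCCESS - confirm.
         */
        if (Status != NDIS_STATUS_SUCCESS || pNewPayload == NULL)
        {
            break;
        }

        /*
         * The DISPATCH_LEVEL flag is a promise to NDIS about the current IRQL.
         * This handler can also be entered below DISPATCH_LEVEL, so the flag
         * is left clear, which is valid at any IRQL.
         */
        SendFlags = 0;

        if (pVElan->pAdapt && pVElan->BindingHandle &&
            (pVElan->pAdapt->BindingState == MuxAdapterBindingRunning))
        {
            Nbl = ExpandNBL(pVElan->pAdapt, nNewPayloadl, pNewPayload, OrigSourceHandle);
            if (Nbl != NULL)
            {
                NdisSendNetBufferLists(pVElan->BindingHandle, Nbl, NDIS_DEFAULT_PORT_NUMBER, SendFlags);
            }
            /*
             * NOTE(review): when ExpandNBL returns NULL, pNewPayload is not
             * released on this path - presumably a leak; confirm who owns it.
             */
        }
        /*
         * NOTE(review): when the binding is not running, pNewPayload is
         * likewise never handed to anything that frees it.
         */

        Status = NDIS_STATUS_SUCCESS;

    } while (FALSE);

    CurrNbl = NextNbl;
}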

and I free the NBL in PtSendNBLComplete like this:
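/*
 * Fragment of PtSendNBLComplete. Walks the completed NBL chain and, for each
 * NET_BUFFER, frees the first MDL and the data buffer that MDL describes.
 *
 * NOTE(review): every NBL reaching this loop is treated as driver-allocated.
 * If any NBL is ever passed down unmodified, freeing its MDL and buffer here
 * corrupts memory owned by another component; confirm ownership first (for
 * example via the pool or SourceHandle the NBL was created with).
 * NOTE(review): the NET_BUFFER_LIST and NET_BUFFER objects themselves are not
 * freed in this fragment - presumably that happens in code not shown.
 */
while (pCurrNBL != NULL)
{
    /* Detach the current NBL from the chain before tearing it down. */
    pNextNBL = NET_BUFFER_LIST_NEXT_NBL(pCurrNBL);
    NET_BUFFER_LIST_NEXT_NBL(pCurrNBL) = NULL;

    /*
     * NOTE(review): pSendRsvd is not used below, and this address is only
     * meaningful if context space was allocated on the NBL - confirm.
     */
    pSendRsvd = (PSEND_NETBUFLIST_RSVD)NET_BUFFER_LIST_CONTEXT_DATA_START(pCurrNBL);

    do
    {
        /* Free the memory attached to each NET_BUFFER. */
        for (pNB = NET_BUFFER_LIST_FIRST_NB(pCurrNBL);
             pNB != NULL;
             pNB = NET_BUFFER_NEXT_NB(pNB))
        {
            pCurrMDL = NET_BUFFER_FIRST_MDL(pNB);
            ASSERT(pCurrMDL != NULL);
            if (pCurrMDL == NULL)
            {
                /* ASSERT compiles away in free builds; never free through NULL. */
                continue;
            }

            pDataBuffer = NULL;
            ulDataLength = 0;

            NdisQueryMdl(pCurrMDL, (PVOID *)&pDataBuffer, &ulDataLength, NormalPagePriority);
            ASSERT(pDataBuffer != NULL);

            /*
             * NOTE(review): only the first MDL is released; any further MDLs
             * chained behind it are dropped without being freed.
             */
            NDIS_MDL_LINKAGE(pCurrMDL) = (MDL *)0;
            NdisFreeMdl(pCurrMDL);

            /*
             * NOTE(review): this frees the address the MDL maps, which equals
             * the allocation pointer only if the MDL was built at the very
             * start of the allocation - confirm against ExpandNBL.
             */
            if (pDataBuffer != NULL)
            {
                NdisFreeMemory(pDataBuffer, 0, 0);
            }
        }

    } while (FALSE);

    pCurrNBL = pNextNBL;
}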

WinDbg output:

STACK_TEXT:
8078aa94 8e8b520b 8078aac0 8e91c0c8 00000000 tcpip!IppLoopbackEnqueue+0x23
8078aaec 8e8b4270 8e91c0c8 00000000 00000000 tcpip!IppFragmentPackets+0x309
8078ab24 8e891813 8e91c0c8 8871e544 8871e5e0 tcpip!IppDispatchSendPacketHelper+0x266
8078abc4 8e8922fe 0071e544 8a9ac300 88764bc0 tcpip!IppPacketizeDatagrams+0x8d6
8078ac44 8e893baf 00000000 8a94b200 8e91c0c8 tcpip!IppSendDatagramsCommon+0x67f
8078ac64 8e89414b 8e91c0c8 8078ac80 8a94b178 tcpip!IppSendDatagrams+0x2a
8078acf8 8e85f7af 0194b178 8a9dd838 899f5320 tcpip!IppSendDirect+0xad
8078ad3c 8e85f6de 8a9dd838 8078ad90 8a77a0b0 tcpip!Ipv6pSendRouterSolicitationOnSubInterface+0xb4
8078ad5c 8e8a49ab 8a94b178 8078ad90 8a77a0b0 tcpip!Ipv6pSendRouterSolicitationOnAllSubInterfaces+0x2c
8078ada4 8e8a2588 8a94b178 00000000 8e91e7dc tcpip!Ipv6pRouterDiscoveryTimeout+0x91
8078adc4 8e8a28d0 88764c10 8e918e00 00000000 tcpip!Ipv6pInterfaceSetTimeout+0xdc
8078adf0 8e8a2698 8e91c0c8 8078ae7c 8078ae4c tcpip!IppCompartmentSetTimeout+0x8a
8078ae00 8e8a2681 8e91c0c8 84e8e73a 8e929e00 tcpip!IppProtocolTimeout+0xf
8078ae08 84e8e73a 8e929e00 00000000 386e5ced tcpip!IppTimeout+0x4f
8078ae4c 84e8e6dd 84f41e20 8078af78 00000001 nt!KiProcessTimerDpcTable+0x51
8078af38 84e8e59a 84f41e20 8078af78 00000000 nt!KiProcessExpiredTimerList+0x101
8078afac 84e8c54e 0001600a cfd03a84 00000000 nt!KiTimerExpiration+0x25c
8078aff4 84e8bd1c cfd03a34 00000000 00000000 nt!KiRetireDpcList+0xcb
8078aff8 cfd03a34 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2c
WARNING: Frame IP not in any known module. Following frames may be wrong.
84e8bd1c 00000000 0000001a 00d6850f bb830000 0xcfd03a34

Can someone give me some advice? Thanks.

Sure.
The WinDbg output lacks the most important information: the call to KeBugCheckEx made when the crash happened.

Try

!analyze -v

command.

I tested several times and the WinDbg output is the same:
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 3ea00000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8e880fc8, address which referenced memory

Debugging Details:

READ_ADDRESS: GetPointerFromAddress: unable to read from 84faf850
Unable to read MiSystemVaType memory at 84f8e780
3ea00000

CURRENT_IRQL: 2

FAULTING_IP:
tcpip!IppLoopbackEnqueue+23
8e880fc8 8b0e mov ecx,dword ptr [esi]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: System

LAST_CONTROL_TRANSFER: from 8e8c420b to 8e880fc8

STACK_TEXT:
84f6c6c4 8e8c420b 84f6c6f0 8e92b0c8 00000000 tcpip!IppLoopbackEnqueue+0x23
84f6c71c 8e8c3270 8e92b0c8 00000000 00000000 tcpip!IppFragmentPackets+0x309
84f6c754 8e8a0813 8e92b0c8 8871b544 8871b5e0 tcpip!IppDispatchSendPacketHelper+0x266
84f6c7f4 8e8a12fe 0071b544 87c8c650 88769550 tcpip!IppPacketizeDatagrams+0x8d6
84f6c874 8e8a2baf 00000000 8a392e00 8e92b0c8 tcpip!IppSendDatagramsCommon+0x67f
84f6c894 8e8a314b 8e92b0c8 84f6c8b0 8a392da8 tcpip!IppSendDatagrams+0x2a
84f6c928 8e86e7af 01392da8 891fda60 89bf9860 tcpip!IppSendDirect+0xad
84f6c96c 8e86e6de 891fda60 84f6c9c0 89088020 tcpip!Ipv6pSendRouterSolicitationOnSubInterface+0xb4
84f6c98c 8e8b39ab 8a392da8 84f6c9c0 89088020 tcpip!Ipv6pSendRouterSolicitationOnAllSubInterfaces+0x2c
84f6c9d4 8e8b1588 8a392da8 00000001 8e92d7dc tcpip!Ipv6pRouterDiscoveryTimeout+0x91
84f6c9f4 8e8b18d0 887695a0 8e927e00 00000001 tcpip!Ipv6pInterfaceSetTimeout+0xdc
84f6ca20 8e8b1698 8e92b0c8 84f6cab8 84f6ca7c tcpip!IppCompartmentSetTimeout+0x8a
84f6ca30 8e8b1681 8e92b0c8 84ebc73a 8e938e00 tcpip!IppProtocolTimeout+0xf
84f6ca38 84ebc73a 8e938e00 00000000 66a6c62e tcpip!IppTimeout+0x4f
84f6ca7c 84ebc6dd 84f6fe20 84f6cba8 00000001 nt!KiProcessTimerDpcTable+0x51
84f6cb68 84ebc59a 84f6fe20 84f6cba8 00000000 nt!KiProcessExpiredTimerList+0x101
84f6cbdc 84eba54e 00006c83 8a7c4728 84f79480 nt!KiTimerExpiration+0x25c
84f6cc20 84eba378 00000000 0000000e 00000000 nt!KiRetireDpcList+0xcb
84f6cc24 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x38

STACK_COMMAND: kb

FOLLOWUP_IP:
tcpip!IppLoopbackEnqueue+23
8e880fc8 8b0e mov ecx,dword ptr [esi]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: tcpip!IppLoopbackEnqueue+23

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: tcpip

IMAGE_NAME: tcpip.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 58e3b335

FAILURE_BUCKET_ID: 0xD1_tcpip!IppLoopbackEnqueue+23

BUCKET_ID: 0xD1_tcpip!IppLoopbackEnqueue+23

Followup: MachineOwner