My LWF driver has worked well on various Intel and Realtek network adapters for over a year, but it always shows a blue screen on KDNIC.
I suppose KDNIC has wrong ownership of a NET_BUFFER or NET_BUFFER_LIST that is allocated and deallocated by my LWF driver.
My LWF driver deallocates buffers as shown below, and I think there is no bug.
void HSendNetBufferListsCompleteHandler(FilterModuleContext *filterModuleContext, PNET_BUFFER_LIST netBufferLists, ULONG sendCompleteFlags)
{
    PNET_BUFFER_LIST prev = NULL, free;
    for (PNET_BUFFER_LIST i = netBufferLists; i != NULL;)
    {
        if (i->SourceHandle == filterModuleContext->filterModuleHandle)
        {
            // this is my NET_BUFFER_LIST
            if (prev == NULL) netBufferLists = NET_BUFFER_LIST_NEXT_NBL(i);
            else NET_BUFFER_LIST_NEXT_NBL(prev) = NET_BUFFER_LIST_NEXT_NBL(i);
            free = i;
        }
        else
        {
            // this is not my NET_BUFFER_LIST
            prev = i;
            free = NULL;
        }
        i = NET_BUFFER_LIST_NEXT_NBL(i);
        if (free != NULL) onSent(free); // deallocates NET_BUFFERs and a NET_BUFFER_LIST
    }
    if (netBufferLists != NULL) NdisFSendNetBufferListsComplete(filterModuleContext->filterModuleHandle, netBufferLists, sendCompleteFlags);
}
I observed that HSendNetBufferListsCompleteHandler() is called from KDNIC as shown below.
0: kd> k
# Child-SP RetAddr Call Site
00 fffff805`1429a768 fffff805`1191eba3 foreDiskNF!HSendNetBufferListsCompleteHandler
01 fffff805`1429a770 fffff805`1191bc63 NDIS!ndisCallSendCompleteHandler+0x33
02 fffff805`1429a7b0 fffff805`13432892 NDIS!NdisMSendNetBufferListsComplete+0x163
03 fffff805`1429a8a0 fffff805`13432cef kdnic!TXNblRelease+0x36
04 fffff805`1429a8d0 fffff805`13432a14 kdnic!TCBFree+0x23
05 fffff805`1429a900 fffff805`0fad9d79 kdnic!TXSendCompleteDpc+0x134
06 fffff805`1429a940 fffff805`0fad8ad9 nt!KiProcessExpiredTimerList+0x169
07 fffff805`1429aa30 fffff805`0fbd82c4 nt!KiRetireDpcList+0x4e9
08 fffff805`1429ac60 00000000`00000000 nt!KiIdleLoop+0x84
The strange thing is that the LWF driver works well for a while, but the blue screen always occurs after the “KDTARGET: Refreshing KD connection” debug message is printed.
I can’t post the blue screen log below because this page limits the body length, so I attached the log as a file.
Thank you for any help.