BSOD occurs when teaming is configured

NTDEV
1

Hello,

I want to send the UDP packets using NDIS 6.x lwf and it works good in typical environment.
But if teaming is configured, it occurs BSOD after packet transmission.
And I found that some packets were transmitted normally (I checked it with the WireShark). It appears that a problem has occurred since some packets were successfully transmitted.

The problematic environment was teamed with two ports of the Intel I350-T2V2 NIC in the Windows 10 1709.

Is there something I missed? or was there a mistake in memory management?

I implemented the the driver as following;

  • FilterAttach

    NET_BUFFER_LIST_POOL_PARAMETERS NetBufferListPoolParameters;
    NdisZeroMemory(&NetBufferListPoolParameters, sizeof(NET_BUFFER_LIST_POOL_PARAMETERS));

NetBufferListPoolParameters.Header.Type = NDIS_OBJECT_TYPE_DEFAULT;
NetBufferListPoolParameters.Header.Revision = NET_BUFFER_LIST_POOL_PARAMETERS_REVISION_1;
NetBufferListPoolParameters.Header.Size = sizeof(NET_BUFFER_LIST_POOL_PARAMETERS);
NetBufferListPoolParameters.ProtocolId = NDIS_PROTOCOL_ID_DEFAULT;
NetBufferListPoolParameters.fAllocateNetBuffer = TRUE;
NetBufferListPoolParameters.PoolTag = ‘pLbN’;
NetBufferListPoolParameters.ContextSize = sizeof(FILTER_SEND_NETBUFLIST_RSVD); // 16 byte
NetBufferListPoolParameters.DataSize = 0;

pFilter->hSendNetBufferList = NdisAllocateNetBufferListPool(pFilter->hNdisFilter, &NetBufferListPoolParameters);

  • SendPacket

    FILTER_ACQUIRE_LOCK(&Adapter->Lock, bFalse);
    pBuf = (PBYTE)NdisAllocateMemoryWithTagPriority(Adapter->hNdisFilter, PacketLength, ‘ddnS’, LowPoolPriority);
    if(pBuf == NULL)
    {
    FILTER_RELEASE_LOCK(&Adapter->Lock, bFalse);
    Status = NDIS_STATUS_FAILURE;
    __leave;
    }

RtlCopyMemory(pBuf, PacketData, PacketLength);

pMDL = NdisAllocateMdl(Adapter->hNdisFilter, pBuf, PacketLength);
if(pMDL == NULL)
{
FILTER_RELEASE_LOCK(&Adapter->Lock, bFalse);
Status = NDIS_STATUS_FAILURE;
__leave;
}
pMDL->Next = NULL;

pNBL = NdisAllocateNetBufferAndNetBufferList(Adapter->hSendNetBufferList, sizeof(FILTER_SEND_NETBUFLIST_RSVD), 0, pMDL, 0, PacketLength);
if(pNBL == NULL)
{
FILTER_RELEASE_LOCK(&Adapter->Lock, bFalse);
Status = NDIS_STATUS_FAILURE;
__leave;
}

FILTER_RELEASE_LOCK(&Adapter->Lock, bFalse);

pSendRsvd = (PFILTER_SEND_NETBUFLIST_RSVD)pNBL->Context;
if(pSendRsvd)
{
pSendRsvd->bCustomPkt = TRUE;
pSendRsvd->hSendPool = Adapter->hSendNetBufferList;
}

pNBL->SourceHandle = Adapter->hNdisFilter;

ULONG ulSendFlags = NDIS_SEND_FLAGS_DISPATCH_LEVEL;
NdisFSendNetBufferLists(Adapter->hNdisFilter, pNBL, NDIS_DEFAULT_PORT_NUMBER, ulSendFlags);

  • SendNetbufferListsComplete

    DispatchLevel = NDIS_TEST_SEND_AT_DISPATCH_LEVEL(SendCompleteFlags);
    pCurrNBL = NetBufferLists;

while(pCurrNBL != NULL)
{
pNextNBL = NET_BUFFER_LIST_NEXT_NBL(pCurrNBL);
NET_BUFFER_LIST_NEXT_NBL(pCurrNBL) = NULL;

pSendRsvd = (PFILTER_SEND_NETBUFLIST_RSVD)pCurrNBL->Context;

if(pSendRsvd && (pSendRsvd->hSendPool == pFilter->hSendNetBufferList) && (pSendRsvd->bCustomPkt == TRUE))
{
FILTER_ACQUIRE_LOCK(&pFilter->Lock, DispatchLevel);

pNB = NET_BUFFER_LIST_FIRST_NB(pCurrNBL);
while(pNB != NULL)
{
pCurrMDL = NET_BUFFER_FIRST_MDL(pNB);
while(pCurrMDL != NULL)
{
pDataBuffer = NULL;
ulDataLength = 0;

pNextMdl = NDIS_MDL_LINKAGE(pCurrMDL);

NdisQueryMdl(pCurrMDL, (PVOID*)&pDataBuffer, &ulDataLength, NormalPagePriority);

if(pDataBuffer != NULL)
NdisFreeMemory(pDataBuffer, 0, 0);

NdisFreeMdl(pCurrMDL);
pCurrMDL = pNextMdl;
}

pNB = NET_BUFFER_NEXT_NB(pNB);
}

FILTER_RELEASE_LOCK(&pFilter->Lock, DispatchLevel);
}
else
{
NdisFSendNetBufferListsComplete(pFilter->hNdisFilter, pCurrNBL, SendCompleteFlags);
}

pCurrNBL = pNextNBL;
}

The strange thing is that when I check the WinDbg, the problem location is displayed as iansw60e.sys (the intel ANS driver).
Here’s what I’ve seen with windbg:

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {b, 2, 1, fffff805d341cf37}

*** ERROR: Module load completed but symbols could not be loaded for iansw60e.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for e1r65x64.sys -
Probably caused by : iansw60e.sys ( iansw60e+78d8 )

Followup: MachineOwner

nt!DbgBreakPointWithStatus:
fffff800`94c195a0 cc int 3
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000000000000b, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff805d341cf37, address which referenced memory

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING: 16299.15.amd64fre.rs3_release.170928-1534

DUMP_TYPE: 0

BUGCHECK_P1: b

BUGCHECK_P2: 2

BUGCHECK_P3: 1

BUGCHECK_P4: fffff805d341cf37

WRITE_ADDRESS: 000000000000000b

CURRENT_IRQL: 2

FAULTING_IP:
ndis!NdisFreeNetBufferListContext+27
fffff805`d341cf37 664101780a add word ptr [r8+0Ah],di

CPU_COUNT: 8

CPU_MHZ: e10

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 9e

CPU_STEPPING: 9

CPU_MICROCODE: 6,9e,9,0 (F,M,S,R) SIG: 84’00000000 (cache) 84’00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: System

ANALYSIS_SESSION_HOST:

ANALYSIS_SESSION_TIME: 03-21-2018 11:32:20.0409

ANALYSIS_VERSION: 10.0.16299.15 amd64fre

TRAP_FRAME: fffff80097a430a0 – (.trap 0xfffff80097a430a0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff808fc54e7260 rbx=0000000000000000 rcx=ffff808fc65bb030
rdx=ffff808fc54e7260 rsi=0000000000000000 rdi=0000000000000000
rip=fffff805d341cf37 rsp=fffff80097a43230 rbp=fffff80097a43300
r8=0000000000000001 r9=fffff80093539180 r10=fffff80093539b40
r11=ffff808fc662fc80 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
ndis!NdisFreeNetBufferListContext+0x27:
fffff805d341cf37 664101780a add word ptr [r8+0Ah],di ds:000000000000000b=???
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80094c9f362 to fffff80094c195a0

STACK_TEXT:
fffff80097a42798 fffff80094c9f362 : 000000000000000b fffff80094eb5380 fffff80097a42900 fffff80094bdb540 : nt!DbgBreakPointWithStatus
fffff80097a427a0 fffff80094c9ebe7 : 0000000000000003 fffff80097a42900 fffff80094c26c40 00000000000000d1 : nt!KiBugCheckDebugBreak+0x12
fffff80097a42800 fffff80094c11617 : 0000000000000000 0000000000000000 ffff808fc65bb030 0000000000000000 : nt!KeBugCheck2+0x937
fffff80097a42f20 fffff80094c24529 : 000000000000000a 000000000000000b 0000000000000002 0000000000000001 : nt!KeBugCheckEx+0x107
fffff80097a42f60 fffff80094c20659 : fffff80097a430b0 0000000000000000 00000001ffffffff fffffff600000002 : nt!KiBugCheckDispatch+0x69
fffff80097a430a0 fffff805d341cf37 : 0000000000000001 fffff805d58c475a ffff808f00000b8a fffff805704c624e : nt!KiPageFault+0x519
fffff80097a43230 fffff805d6d178d8 : ffff808fc65bb030 fffff80097a432e0 fffff80097a432e0 0000000000000000 : ndis!NdisFreeNetBufferListContext+0x27
fffff80097a43260 fffff805d6d17666 : ffff808fc1d1d000 fffff80097a43399 0000000000000001 fffff80097a43300 : iansw60e+0x78d8
fffff80097a432a0 fffff805d6d12c69 : ffff808fc203b1a0 0000000000000000 ffff808fc65bb030 0000000000000000 : iansw60e+0x7666
fffff80097a432d0 fffff805d33e3a0e : ffff808fb60cd3b8 ffff808fc4d50010 0000000000000019 ffff808fc4d50010 : iansw60e+0x2c69
fffff80097a43330 fffff805d33e37d3 : ffff808fc203b1a0 ffff808fc65bb030 ffff808f00000001 0000000000000001 : ndis!ndisMSendCompleteNetBufferListsInternal+0x14e
fffff80097a43400 fffff805d9e140bc : ffff808fc203b1a0 fffff80097a43559 ffff808fc1620000 fffff80097a43702 : ndis!NdisMSendNetBufferListsComplete+0x213
fffff80097a434f0 fffff805d9e1e31a : ffff808fb9da8970 ffff808fc1620000 ffff808fc1620001 ffff808fc1620000 : e1r65x64!DriverEntry+0x10aac
fffff80097a435c0 fffff805d9e1e5eb : ffff808fb9d99d90 0000000100000000 0000000100000000 000000000000002c : e1r65x64!DriverEntry+0x1ad0a
fffff80097a43630 fffff805d9e1dd7c : 0000000000000002 0000000000000000 fffff80000000000 0000000000000000 : e1r65x64!DriverEntry+0x1afdb
fffff80097a436c0 fffff805d33da4cd : 0000000000000000 fffff80094b4ff1c ffff808fc654f00e 0000000000000000 : e1r65x64!DriverEntry+0x1a76c
fffff80097a43700 fffff80094b61f62 : 0000000000000000 0000000000000000 fffff80093539180 fffff80000000002 : ndis!ndisInterruptDpc+0x17d
fffff80097a43820 fffff80094b6165f : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiExecuteAllDpcs+0x1d2
fffff80097a43960 fffff80094c14dfa : 0000000000000000 fffff80093539180 00000000001a6f79 0000000000000000 : nt!KiRetireDpcList+0xdf
fffff80097a43b60 0000000000000000 : fffff80097a44000 fffff80097a3d000 0000000000000000 0000000000000000 : nt!KiIdleLoop+0x5a

THREAD_SHA1_HASH_MOD_FUNC: 52d4b39016faa3d81020915521c9d9d1b75f8abe

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 6c06ec6c3841d4022861feaa9e5480a019c9d36b

THREAD_SHA1_HASH_MOD: ee5e93e81c0481410168018d3230b7e29970dcd9

FOLLOWUP_IP:
iansw60e+78d8
fffff805`d6d178d8 4d85f6 test r14,r14

FAULT_INSTR_CODE: 74f6854d

SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: iansw60e+78d8

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: iansw60e

IMAGE_NAME: iansw60e.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 59134b85

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 78d8

FAILURE_BUCKET_ID: AV_iansw60e!unknown_function

BUCKET_ID: AV_iansw60e!unknown_function

PRIMARY_PROBLEM_CLASS: AV_iansw60e!unknown_function

TARGET_TIME: 2018-03-21T02:31:01.000Z

OSBUILD: 16299

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2018-03-01 14:36:55

BUILDDATESTAMP_STR: 170928-1534

BUILDLAB_STR: rs3_release

BUILDOSVER_STR: 10.0.16299.15.amd64fre.rs3_release.170928-1534

ANALYSIS_SESSION_ELAPSED_TIME: 11ef

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:av_iansw60e!unknown_function

FAILURE_ID_HASH: {cd5b1893-26c2-2096-95a3-a2481b304d32}

Followup: MachineOwner

2

I do not know why, but I have encountered this problem when using context data of NBL, and I’ve fixed this by removing it.