System crash in tcpip!TcpBeginTcbSend+33e

Hello All,

We have an NDIS 6.0 based modifying LWF. We are having a BSOD issue with some NICs on Windows 7.

From Arg1 (000000000000001c), it looks like tcpip is accessing (modifying) a member of a structure through a NULL pointer.
(lock add dword ptr [rax+1Ch],1 -> looks like an interlocked increment)

Can anyone point out what tcpip is doing inside the TcpBeginTcbSend function?

=====================================================
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000000000001c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff88001863b4e, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 000000000000001c

CURRENT_IRQL: 2

FAULTING_IP:
tcpip!TcpBeginTcbSend+33e
fffff880`01863b4e f083401c01 lock add dword ptr [rax+1Ch],1

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: System

TRAP_FRAME: fffff880066a1430 -- (.trap 0xfffff880066a1430)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa800212e230
rdx=fffffa800212e2e8 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88001863b4e rsp=fffff880066a15c0 rbp=fffff880066a16d0
r8=fffffa800212e220 r9=fffffa800212e230 r10=fffffa800212e160
r11=fffff880066a1814 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
tcpip!TcpBeginTcbSend+0x33e:
fffff88001863b4e f083401c01 lock add dword ptr [rax+1Ch],1 ds:000000000000001c=???
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff800030d41a9 to fffff800030d4c00

STACK_TEXT:
fffff880066a12e8 fffff800030d41a9 : 000000000000000a 000000000000001c 0000000000000002 0000000000000001 : nt!KeBugCheckEx
fffff880066a12f0 fffff800030d2e20 : 0000000000000002 fffffa8002f69880 fffffa8001d987f0 0000000000000001 : nt!KiBugCheckDispatch+0x69
fffff880066a1430 fffff88001863b4e : 0000000000000001 fffffa800618b4c0 0000000000000000 000000000000000c : nt!KiPageFault+0x260
fffff880066a15c0 fffff88001868049 : ffff000007fc9754 badbadfabadbad01 0000000000007c94 0000000000000001 : tcpip!TcpBeginTcbSend+0x33e
fffff880066a1840 fffff88001885a26 : 0000000000000000 fffffa8001d12401 fffff88001968128 fffff8800187cee2 : tcpip!TcpTcbSend+0x1d9
fffff880066a1ac0 fffff880018635f5 : fffffa8001d98a00 0000000000000000 0000000000000000 fffff880066a1e00 : tcpip!TcpFlushDelay+0x316
fffff880066a1ba0 fffff8800185b547 : fffffa80026c2410 fffffa80026a5000 fffffa80000089c8 00000000000089c8 : tcpip!TcpPreValidatedReceive+0x3e5
fffff880066a1c70 fffff8800185b0ba : 0000000000000000 fffff8800196e9a0 fffff880066a1e30 fffffa8001d987f0 : tcpip!IppDeliverListToProtocol+0x97
fffff880066a1d30 fffff8800185a6b9 : fffff8800196e9a0 fffffa8001c44100 fffff880066a1da0 fffff880066a1e20 : tcpip!IppProcessDeliverList+0x5a
fffff880066a1dd0 fffff8800185835f : fffffa8001d987f0 fffffa80026b3000 fffff8800196e9a0 0000000002f63701 : tcpip!IppReceiveHeaderBatch+0x23a
fffff880066a1eb0 fffff88001857952 : fffffa8002cfa2a0 0000000000000000 fffffa8002f63701 0000000000000001 : tcpip!IpFlcReceivePackets+0x64f
fffff880066a20b0 fffff88001856dea : fffffa8002f637d0 fffff880066a21e0 fffffa8002f637d0 0000000000000000 : tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x2b2
fffff880066a2190 fffff800030e0878 : fffffa8001d987f0 0000000000004800 fffffa8005aa1130 0000000000000000 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0xda
fffff880066a21e0 fffff880018574b2 : fffff88001856d10 0000000000000000 fffffa8000000002 fffff88003602000 : nt!KeExpandKernelStackAndCalloutEx+0xd8
fffff880066a22c0 fffff880017070eb : fffffa8002f65010 0000000000000000 fffffa8002b8f1a0 fffff88004a03633 : tcpip!FlReceiveNetBufferListChain+0xb2
fffff880066a2330 fffff880016d0ad6 : fffff88000000000 0000000000000000 0000000000000000 0000000000000000 : ndis!ndisMIndicateNetBufferListsToOpen+0xdb
fffff880066a23a0 fffff880016529c4 : fffffa8002b8f1a0 0000000000000002 0000000000000001 fffff88001649eef : ndis!ndisMDispatchReceiveNetBufferLists+0x1d6
fffff880066a2820 fffff88001652939 : fffffa8002f77580 0000000000000000 0000000000000003 fffffa8002aa69f4 : ndis!ndisMTopReceiveNetBufferLists+0x24
fffff880066a2860 fffff880016528d0 : fffffa8002aa69e0 fffffa8002aa69e0 fffffa8002aa69e0 fffffa8002aa6a22 : ndis!ndisFilterIndicateReceiveNetBufferLists+0x29
fffff880066a28a0 fffff88003c7c48c : fffffa8002f77580 fffffa8002aa69e0 fffffa8002f77580 fffffa8002aa69e0 : ndis!NdisFIndicateReceiveNetBufferLists+0x50
fffff880066a28e0 fffff88003c7b69c : fffffa8002aa69e0 0000000000000000 0000000000000000 fffffa8002aa0800 : mylwf!UF_SendPacketToProtocol+0x80
fffff880066a2920 fffff88003c8143f : 0000000000000000 fffffa8000000003 0000000000000000 fffffa8002f77580 : mylwf!FLT_FilterReceivedPacket+0x14c
fffff880066a2950 fffff88003c8082f : fffffa80031b9b40 0000000000000000 fffffa8002f77580 fffffa8000000000 : mylwf!filterProcessNBLReceive+0xeb
fffff880066a29b0 fffff8800166b4f7 : fffffa8001d98701 fffffa8002b8f1a0 fffffa80031b9b40 0000000000000001 : mylwf!FilterReceiveNetBufferLists+0xb3
fffff880066a2a10 fffff880053a3551 : fffffa80031b9b40 fffffa8002f81c20 fffffa8002c5e490 0000000000000000 : ndis! ?? ::FNODOBFM::string'+0xcf1f
fffff880066a2a60 fffff880053a6c4d : 0000000000000000 fffff880066a2bd8 fffffa80000000c2 fffff800000015e0 : L1C62x64+0x7551
fffff880066a2b20 fffff880016d3e6b : fffff880016ac110 fffffa8002b8f1a0 0000000000000000 0000000000000000 : L1C62x64+0xac4d
fffff880066a2b60 fffff8800165c94d : 0000000000000002 000000000000000a 0000000000000000 0000000000000000 : ndis! ?? ::DKGKHJNI::string'+0x17e7
fffff880066a2bd0 fffff88001682f3d : 0000000000000002 0000000000000002 0000000000000000 fffffa8002c5ff58 : ndis!ndisQueuedMiniportDpcWorkItem+0xcd
fffff880066a2c70 fffff80003372ede : 000000000eb3637a fffffa8005aa1130 0000000000000080 fffffa8005aa1130 : ndis!ndisReceiveWorkerThread+0x1bd
fffff880066a2d00 fffff800030c5906 : fffff880009e9180 fffffa8005aa1130 fffffa8003fdb060 0000000000000021 : nt!PspSystemThreadStartup+0x5a
fffff880066a2d40 0000000000000000 : fffff880066a3000 fffff8800669d000 fffff880066a29c0 0000000000000000 : nt!KiStartSystemThread+0x16

0: kd> !ndiskd.miniport
MiniDriver Miniport Name
fffffa8002f14b60 fffffa8002e751a0 BlackBerry Virtual Private Network
fffffa8002b776a0 fffffa8002c6e1a0 WAN Miniport (SSTP)
fffffa8002b6f6a0 fffffa8002c611a0 WAN Miniport (PPTP)
fffffa8002b676a0 fffffa8002c5b1a0 WAN Miniport (PPPOE)
fffffa8002b5e6a0 fffffa8002c571a0 WAN Miniport (IPv6)
fffffa8002b5e6a0 fffffa8002c591a0 WAN Miniport (IP)
fffffa8002b5e6a0 fffffa8002c551a0 WAN Miniport (Network Monitor)
fffffa8002b526a0 fffffa8002c531a0 WAN Miniport (L2TP)
fffffa8002c18c60 fffffa8002c1f1a0 WAN Miniport (IKEv2)
fffffa8002b8e460 fffffa8002b8f1a0 Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20)
0: kd> !ndiskd.miniport fffffa8002b8f1a0

MINIPORT

Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20)

Ndis handle fffffa8002b8f1a0
Ndis API version v6.20
Adapter context fffffa8002c5e000
Miniport driver fffffa8002b8e460 - L1C v6.0
Network interface fffffa80026d1870

Media type 802.3
Device instance PCI\VEN_1969&DEV_1073&SUBSYS_E0001458&REV_C0\4&354b1e15&0&00E2
Device object fffffa8002b8f050 More information
MAC address 1c-6f-65-f8-f7-40

STATE

Miniport Running
Device PnP Started
Datapath Normal
Interface Up
Media Connected
Power D0
References 0n12
Total resets 0
Pending OID None
Flags BUS_MASTER, SG_DMA, DEFAULT_PORT_ACTIVATED,
SUPPORTS_MEDIA_SENSE, DOES_NOT_DO_LOOPBACK,
MEDIA_CONNECTED
PnP flags PM_SUPPORTED, DEVICE_POWER_ENABLED,
DEVICE_POWER_WAKE_ENABLE, RECEIVED_START,
HARDWARE_DEVICE

BINDINGS

Open List Open Protocol Context
RSPNDR fffffa80047f95b0 fffffa80047f9cf0 fffffa8004809010
LLTDIO fffffa80047f88d0 fffffa80047f8010 fffffa8004801d40
TCPIP6 fffffa8002f748d0 fffffa80026c8cf0 fffffa8002f6aa80
TCPIP fffffa8002f65010 fffffa80026c7370 fffffa8002f637d0

Filter List Filter Filter Driver Context
WFP LightWeight Filter-0000
fffffa8002f631d0 fffffa80029ba160 fffffa8002f61d90
QoS Packet Scheduler-0000
fffffa8002f619b0 fffffa8002a94010 fffffa8002f62f20
Network Filter Driver-0000
fffffa8002f77a90 fffffa8002a79740 fffffa8002f77580

MORE INFORMATION

Driver handlers Task offloads
Power management PM protocol offloads
Pending OIDs Timers
Pending NBLs
Wake-on-LAN (WoL) Packet filter
Receive queues Receive filtering
RSS NIC switch
Hardware resources
NDIS ports WMI guids
0: kd> !ndiskd.interface fffffa80026d1870

INTERFACE

Local Area Connection

Ndis handle fffffa80026d1870
IfProvider fffffa80026623d0 - The NDIS interface provider
Provider context fffffa8002b8f1a0

ifType IF_TYPE_ETHERNET_CSMACD
Media type 802.3
Physical medium 802.3
Access type BROADCAST
Direction type SEND_AND_RECEIVE
Connection type DEDICATED

ifConnectorPresent Yes

Network fffffa80026c8690 - [Unnamed network]
Compartment fffffa80026c8010 - Compartment #1

IDENTIFIERS

ifAlias Local Area Connection
ifDescr Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20)
ifName (NET_LUID) 06:09
ifPhysAddress 1c-6f-65-f8-f7-40

ifIndex 0n11
ifGuid ccb2ef16-0c93-40ed-9c07-eddd28a67811

STATE

Connected Connected
ifOperStatus UP

Link speed 100000000 (100 Mbps)
ifMtu 0n1500
Duplex FullDuplex

Refer to RFC 2863 for definitions of many of these terms
0: kd> !ndiskd.miniport fffffa8002b8f1a0 -offloads

TASK OFFLOADS

Offload type Current config Hardware capability
Large Send Offload v1 (LSOv1) with TCP/IPv4
Encapsulation 802_3 802_3
Max size 0n64000 0n64000
Min segments 2 2
IP options Yes Yes
TCP options No No

Checksum offload with TCP/IPv4 on transmit path
Encapsulation 802_3 802_3
IP checksum Yes Yes
TCP checksum Yes Yes
UDP checksum Yes Yes
IP options No No
TCP options Yes Yes

Checksum offload with TCP/IPv4 on receive path
Encapsulation 802_3 802_3
IP checksum Yes Yes
TCP checksum Yes Yes
UDP checksum Yes Yes
IP options Yes Yes
TCP options Yes Yes

Checksum offload with TCP/IPv6 on transmit path
Encapsulation 802_3 802_3
TCP checksum Yes Yes
UDP checksum Yes Yes
IP extensions No No
TCP options Yes Yes

Checksum offload with TCP/IPv6 on receive path
Encapsulation 802_3 802_3
TCP checksum Yes Yes
UDP checksum Yes Yes
IP extensions Yes Yes
TCP options Yes Yes

PM protocol offloads
0: kd> !ndiskd.pendingnbls fffffa8002b8f1a0

PHASE 1/3: Found 19 NBL pool(s).
PHASE 2/3: Found 106 freed NBL(s).

Pending Nbl Currently held by
No pending NBLs were found.

PHASE 3/3: Found 0 pending NBL(s) of 1144 total NBL(s).
Search complete.
0: kd> !ndiskd.miniport fffffa8002b8f1a0 -rss

RECEIVE-SIDE SCALING

Hardware Capabilities
RSS is not supported on this miniport

Filtered Capabilities
RSS is not supported on this binding stack

Current Parameters
RSS is not enabled

=====================================================

Regards,
Rajendra.
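A small triage script, added here as an example and not part of the original post or of any Microsoft or OSR tool, that parses the `!analyze -v`, `.trap` and STACK_TEXT excerpt from the post and mechanically draws the same conclusion the poster did: Arg1 (0x1c) equals the displacement in `[rax+1Ch]` while rax is 0, so this is a locked write through a NULL structure pointer at IRQL 2, and the innermost non-Microsoft frames on the stack are the LWF (`mylwf`) and the Atheros miniport (`L1C62x64`). The `MICROSOFT_MODULES` allow-list and the trimmed `DUMP` text are constructed for the example; the script says nothing about what `TcpBeginTcbSend` does internally.

```python
import re

# Constructed for this example: a trimmed copy of the !analyze -v, .trap and
# STACK_TEXT output quoted in the post (columns kept verbatim).
DUMP = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arguments:
Arg1: 000000000000001c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff88001863b4e, address which referenced memory
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa800212e230
rdx=fffffa800212e2e8 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88001863b4e rsp=fffff880066a15c0 rbp=fffff880066a16d0
tcpip!TcpBeginTcbSend+0x33e:
fffff88001863b4e f083401c01 lock add dword ptr [rax+1Ch],1 ds:000000000000001c=???
STACK_TEXT:
fffff880066a12e8 fffff800030d41a9 : 000000000000000a 000000000000001c 0000000000000002 0000000000000001 : nt!KeBugCheckEx
fffff880066a12f0 fffff800030d2e20 : 0000000000000002 fffffa8002f69880 fffffa8001d987f0 0000000000000001 : nt!KiBugCheckDispatch+0x69
fffff880066a1430 fffff88001863b4e : 0000000000000001 fffffa800618b4c0 0000000000000000 000000000000000c : nt!KiPageFault+0x260
fffff880066a15c0 fffff88001868049 : ffff000007fc9754 badbadfabadbad01 0000000000007c94 0000000000000001 : tcpip!TcpBeginTcbSend+0x33e
fffff880066a1840 fffff88001885a26 : 0000000000000000 fffffa8001d12401 fffff88001968128 fffff8800187cee2 : tcpip!TcpTcbSend+0x1d9
fffff880066a28a0 fffff88003c7c48c : fffffa8002f77580 fffffa8002aa69e0 fffffa8002f77580 fffffa8002aa69e0 : ndis!NdisFIndicateReceiveNetBufferLists+0x50
fffff880066a28e0 fffff88003c7b69c : fffffa8002aa69e0 0000000000000000 0000000000000000 fffffa8002aa0800 : mylwf!UF_SendPacketToProtocol+0x80
fffff880066a29b0 fffff8800166b4f7 : fffffa8001d98701 fffffa8002b8f1a0 fffffa80031b9b40 0000000000000001 : mylwf!FilterReceiveNetBufferLists+0xb3
fffff880066a2a10 fffff880053a3551 : fffffa80031b9b40 fffffa8002f81c20 fffffa8002c5e490 0000000000000000 : ndis! ?? ::FNODOBFM::string'+0xcf1f
fffff880066a2a60 fffff880053a6c4d : 0000000000000000 fffff880066a2bd8 fffffa80000000c2 fffff800000015e0 : L1C62x64+0x7551
fffff880066a2bd0 fffff88001682f3d : 0000000000000002 0000000000000002 0000000000000000 fffffa8002c5ff58 : ndis!ndisQueuedMiniportDpcWorkItem+0xcd
"""

# Assumption: a short allow-list of first-party kernel/network modules; any
# other module on the stack is reported as third-party for triage purposes.
MICROSOFT_MODULES = {"nt", "hal", "ndis", "tcpip", "netio", "fwpkclnt"}

BUGCHECK_RE = re.compile(r"^([A-Z_]+) \(([0-9a-f]+)\)$", re.M)
ARG_RE = re.compile(r"^Arg(\d): ([0-9a-f]{16}),", re.M)
REG_RE = re.compile(r"\b(r(?:ax|bx|cx|dx|si|di|bp|sp|ip|8|9|1[0-5]))=([0-9a-f]{16})\b")
INSTR_RE = re.compile(r"^[0-9a-f`]{16,17} [0-9a-f]+ (lock )?(\w+) .*?\[(r\w+)\+([0-9A-Fa-f]+)h\]", re.M)
FRAME_RE = re.compile(r"^[0-9a-f]{16} [0-9a-f]{16} : (?:[0-9a-f]{16} ){4}: (.+)$", re.M)


def parse_bugcheck(text):
    """Bugcheck name, numeric code and the four numbered arguments as ints."""
    m = BUGCHECK_RE.search(text)
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    return {"name": m.group(1), "code": int(m.group(2), 16), "args": args}


def parse_registers(text):
    """Register name -> integer value from the .trap register dump."""
    return {reg: int(val, 16) for reg, val in REG_RE.findall(text)}


def parse_faulting_instruction(text):
    """Decode 'lock add dword ptr [rax+1Ch],1' into base register and displacement."""
    m = INSTR_RE.search(text)
    return {"locked": m.group(1) is not None, "mnemonic": m.group(2),
            "base": m.group(3), "offset": int(m.group(4), 16)}


def parse_stack(text):
    """Symbol column of each STACK_TEXT frame, innermost first."""
    return FRAME_RE.findall(text)


def module_of(symbol):
    # 'tcpip!TcpTcbSend+0x1d9' -> 'tcpip'; 'L1C62x64+0x7551' (no symbols) -> 'L1C62x64'
    return symbol.split("!")[0].split("+")[0].strip()


def triage(text):
    """Classify a 0xD1 dump: read/write, IRQL, NULL-plus-offset, and who is on the stack."""
    bc, regs = parse_bugcheck(text), parse_registers(text)
    ins, frames = parse_faulting_instruction(text), parse_stack(text)
    referenced, irql, is_write = bc["args"][1], bc["args"][2], bc["args"][3] == 1
    base_val = regs.get(ins["base"])
    # Faulting address = base register + displacement; a zero base whose
    # displacement equals Arg1 means a field access through a NULL pointer.
    null_deref = base_val == 0 and ins["offset"] == referenced
    third_party = []
    for sym in frames:
        mod = module_of(sym)
        if mod not in MICROSOFT_MODULES and mod not in third_party:
            third_party.append(mod)
    first_third_party = next((s for s in frames if module_of(s) not in MICROSOFT_MODULES), None)
    faulting_frame = None
    for i, sym in enumerate(frames[:-1]):
        if "KiPageFault" in sym:  # the frame below the fault handler is the code that faulted
            faulting_frame = frames[i + 1]
            break
    return {"bugcheck": bc["name"], "code": bc["code"], "is_write": is_write, "irql": irql,
            "referenced": referenced, "base_register": ins["base"], "base_value": base_val,
            "offset": ins["offset"], "locked": ins["locked"], "null_deref": null_deref,
            "faulting_frame": faulting_frame, "third_party_modules": third_party,
            "first_third_party_frame": first_third_party}


if __name__ == "__main__":
    for key, value in triage(DUMP).items():
        print(f"{key:24} {value}")
```

The `null_deref` test is the check worth automating across many dumps: a small Arg1 that exactly equals the instruction's displacement, with the base register zero in the trap frame, separates "someone handed tcpip a NULL object" from a genuine wild pointer or pageable access, and the first non-Microsoft frame tells you which driver's code path to inspect first (here the LWF's receive path, which sits between the miniport and tcpip in this stack).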