Unable to get special pool info cause Blue screen when i run the driver

I am developing NDIS 6.2 Filter driver . After running my application i got Blue screen crash . With the help of WinDbg tool i took crash dumps . After nalyzing that dump , i got crash reason something like “Unable to get special pool info” . This is occur when i calling NET_BUFFER_LIST_CONTEXT_DATA_START in the driver code .

The Dump after !analyze -v :

********************************************************
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000000000000a, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff800ddaa369a, address which referenced memory

Debugging Details:

READ_ADDRESS: fffff8021b4d3ce0: Unable to get special pool info
fffff8021b4d3ce0: Unable to get special pool info
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
000000000000000a

CURRENT_IRQL: 2

FAULTING_IP:
mymuxtun!CFilter::SendNetBufferListsComplete+6e [c:\users\multiplexer\windows\ndis62\filter.cpp @ 510]
fffff800`ddaa369a 0fb7410a movzx eax,word ptr [rcx+0Ah]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: chrome.exe

LAST_CONTROL_TRANSFER: from fffff8021b37bae9 to fffff8021b36ffa0

STACK_TEXT:
ffffd000786b5fe8 fffff8021b37bae9 : 000000000000000a 000000000000000a 0000000000000002 0000000000000000 : nt!KeBugCheckEx
ffffd000786b5ff0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
nsmuxtun!CFilter::SendNetBufferListsComplete+6e [c:\users\windows\ndis62\filter.cpp @ 510]
fffff800`ddaa369a 0fb7410a movzx eax,word ptr [rcx+0Ah]

FAULTING_SOURCE_CODE:
506: if((pNetBufferList != NULL)&&((pNetBufferList->SourceHandle == m_hFilter)) ) {
507:
508: PVOID pBuffer = NULL ;
509: ASSERT(*((PVOID*)NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList)) != NULL);

510: pBuffer = *((PVOID*) NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList));
511: PMDL pMdl = NET_BUFFER_FIRST_MDL(NET_BUFFER_LIST_FIRST_NB(pNetBufferList));
512:
513: if(NULL != pMdl)
514: NdisFreeMdl(pMdl);
515:

SYMBOL_NAME: mymuxtun!CFilter::SendNetBufferListsComplete+6e

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: mymuxtun

IMAGE_NAME: mymuxtun.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 568fd1a3

FAILURE_BUCKET_ID: X64_0xD1_mymuxtun!CFilter::SendNetBufferListsComplete+6e

BUCKET_ID: X64_0xD1_mymuxtun!CFilter::SendNetBufferListsComplete+6e

Followup: MachineOwner

1: kd> k
Child-SP RetAddr Call Site
ffffd000786b5fe8 fffff8021b37bae9 nt!KeBugCheckEx
ffffd000786b5ff0 0000000000000000 nt!KiBugCheckDispatch+0x69

********************************************************

my attach function :

*********************************************************
Attach(
IN NDIS_HANDLE NdisFilterHandle,
IN PNDIS_FILTER_ATTACH_PARAMETERS AttachParameters )
{
m_hFilter = NdisFilterHandle;

NET_BUFFER_LIST_POOL_PARAMETERS netBufferListPoolParameters;
NdisZeroMemory(&netBufferListPoolParameters, sizeof(NET_BUFFER_LIST_POOL_PARAMETERS));
netBufferListPoolParameters.Header.Type = NDIS_OBJECT_TYPE_DEFAULT;
netBufferListPoolParameters.Header.Size = NDIS_SIZEOF_NET_BUFFER_LIST_POOL_PARAMETERS_REVISION_1;
netBufferListPoolParameters.Header.Revision = NET_BUFFER_LIST_POOL_PARAMETERS_REVISION_1;
netBufferListPoolParameters.ProtocolId = NDIS_PROTOCOL_ID_DEFAULT;
netBufferListPoolParameters.fAllocateNetBuffer = TRUE;
netBufferListPoolParameters.ContextSize = 0;
netBufferListPoolParameters.PoolTag = MYMUXTUN_POOL_TAG;
netBufferListPoolParameters.DataSize = 0;

m_hNetBufferListPool = NdisAllocateNetBufferListPool(m_hFilter, &netBufferListPoolParameters);
if (m_hNetBufferListPool == NULL) {
status = NDIS_STATUS_RESOURCES;
DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_TRACE_LEVEL, “!!! [%p] Attach(): NdisAllocateNetBufferListPool(): failed\n”, this);
goto cfaExit;
}

NDIS_FILTER_ATTRIBUTES ndisFilterAttributes;
NdisZeroMemory(&ndisFilterAttributes, sizeof(NDIS_FILTER_ATTRIBUTES));
ndisFilterAttributes.Header.Type = NDIS_OBJECT_TYPE_FILTER_ATTRIBUTES;
ndisFilterAttributes.Header.Size = NDIS_SIZEOF_FILTER_ATTRIBUTES_REVISION_1;
ndisFilterAttributes.Header.Revision = NDIS_FILTER_ATTRIBUTES_REVISION_1;
ndisFilterAttributes.Flags = 0;

status = NdisFSetAttributes(NdisFilterHandle, this, &ndisFilterAttributes);
if (status != NDIS_STATUS_SUCCESS) {
DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, “!!! [%p] Attach(): NdisFSetAttributes(): failed, status %08X\n”, this, status);
goto cfaExit;
}

cfaExit:
DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_TRACE_LEVEL, “<<< [%p] Attach(): exited, status %08X\n”, this, status);
return status;

}
*********************************************************

Send buffer list function ()

*********************************************************
SendNetBufferLists(
IN PNET_BUFFER_LIST NetBufferLists,
IN NDIS_PORT_NUMBER PortNumber,
IN ULONG SendFlags)
{
PNET_BUFFER_LIST pSendNetBufferList = NULL;
PNET_BUFFER_LIST pSendNetBufferListComplete = NULL;

PNET_BUFFER_LIST pNetBufferList = NetBufferLists;
PNET_BUFFER_LIST pNextNetBufferList = NULL;

while (pNetBufferList) {

pNextNetBufferList = NET_BUFFER_LIST_NEXT_NBL(pNetBufferList);
NET_BUFFER_LIST_NEXT_NBL(pNetBufferList) = NULL;

if (pNetBufferList->ChildRefCount != 0) {

DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, “!!! [%p]SendNetBufferLists(): pNetBufferList->ChildRefCount != 0\n”, this);

}

PNET_BUFFER pNetBuffer = NET_BUFFER_LIST_FIRST_NB(pNetBufferList);
PNET_BUFFER pNextNetBuffer = NULL;

while (pNetBuffer) {

pNextNetBuffer = NET_BUFFER_NEXT_NB(pNetBuffer);
u32_t nResult = OutgoingNetBufferInput(pNetBuffer);

PNET_BUFFER_LIST pNewNetBufferList = NdisAllocateNetBufferAndNetBufferList(m_hNetBufferListPool, 0, 0, NULL, 0, 0);

if (pNewNetBufferList == NULL) {

pNetBuffer = pNextNetBuffer;
DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_WARNING_LEVEL, “!!! [%p] CFilter::SendNetBufferLists(): NdisAllocateNetBufferAndNetBufferList(): failed\n”, this);
continue;
}

PNET_BUFFER pNewNetBuffer = NET_BUFFER_LIST_FIRST_NB(pNewNetBufferList);
NET_BUFFER_FIRST_MDL(pNewNetBuffer) = NET_BUFFER_FIRST_MDL(pNetBuffer);
NET_BUFFER_DATA_LENGTH(pNewNetBuffer) = NET_BUFFER_DATA_LENGTH(pNetBuffer);
NET_BUFFER_DATA_OFFSET(pNewNetBuffer) = NET_BUFFER_DATA_OFFSET(pNetBuffer);
NET_BUFFER_CURRENT_MDL(pNewNetBuffer) = NET_BUFFER_CURRENT_MDL(pNetBuffer);
NET_BUFFER_CURRENT_MDL_OFFSET(pNewNetBuffer) = NET_BUFFER_CURRENT_MDL_OFFSET(pNetBuffer);
NDIS_SET_NET_BUFFER_LIST_CANCEL_ID(pNewNetBufferList, NDIS_GET_NET_BUFFER_LIST_CANCEL_ID(pNetBufferList));
NdisCopySendNetBufferListInfo(pNewNetBufferList, pNetBufferList);

pNewNetBufferList->SourceHandle = m_hFilter;
pNewNetBufferList->ParentNetBufferList = pNetBufferList;

pNetBufferList->ChildRefCount ++;
NdisInterlockedIncrement(&m_nSendNetBufferListCount);

if (pSendNetBufferList != NULL) {

PNET_BUFFER_LIST pCurrentNetBufferList = pSendNetBufferList;

while (NET_BUFFER_LIST_NEXT_NBL(pCurrentNetBufferList) != NULL) {
pCurrentNetBufferList = NET_BUFFER_LIST_NEXT_NBL(pCurrentNetBufferList);
}

NET_BUFFER_LIST_NEXT_NBL(pCurrentNetBufferList) = pNewNetBufferList;
} else {
pSendNetBufferList = pNewNetBufferList;
}

pNetBuffer = pNextNetBuffer;
}

if (pNetBufferList->ChildRefCount == 0) {
NET_BUFFER_LIST_STATUS(pNetBufferList) = NDIS_STATUS_SUCCESS;

if (pSendNetBufferListComplete != NULL) {

PNET_BUFFER_LIST pCurrentNetBufferList = pSendNetBufferListComplete;

while (NET_BUFFER_LIST_NEXT_NBL(pCurrentNetBufferList) != NULL) {
pCurrentNetBufferList = NET_BUFFER_LIST_NEXT_NBL(pCurrentNetBufferList);
}
NET_BUFFER_LIST_NEXT_NBL(pCurrentNetBufferList) = pNetBufferList;
} else {
pSendNetBufferListComplete = pNetBufferList;
}
}

pNetBufferList = pNextNetBufferList;

}

if (pSendNetBufferList != NULL) {

NdisFSendNetBufferLists(m_hFilter, pSendNetBufferList, PortNumber, SendFlags);

}

if (pSendNetBufferListComplete != NULL) {

NdisFSendNetBufferListsComplete(m_hFilter, pSendNetBufferListComplete, SendFlags & NDIS_SEND_FLAGS_DISPATCH_LEVEL ? NDIS_SEND_COMPLETE_FLAGS_DISPATCH_LEVEL : 0);

}

}
**********************************************************

and the SendBufferListComplete function :

*************************************************************

SendNetBufferListsComplete(
IN PNET_BUFFER_LIST NetBufferLists,
IN ULONG SendCompleteFlags )
{

PNET_BUFFER_LIST pNetBufferList = NULL ;
pNetBufferList = NetBufferLists;

PNET_BUFFER_LIST pNextNetBufferList = NULL;

while ( NULL != pNetBufferList) {

pNextNetBufferList = NET_BUFFER_LIST_NEXT_NBL(pNetBufferList);

NET_BUFFER_LIST_NEXT_NBL(pNetBufferList) = NULL;

PNET_BUFFER_LIST pParentNetBufferList = pNetBufferList->ParentNetBufferList;

if (pParentNetBufferList != NULL) {

NDIS_STATUS status = NET_BUFFER_LIST_STATUS(pNetBufferList);

if(NULL != pNetBufferList)
NdisFreeNetBufferList(pNetBufferList);

if (NdisInterlockedDecrement(&pParentNetBufferList->ChildRefCount) == 0) {
NET_BUFFER_LIST_STATUS(pParentNetBufferList) = status;
NdisFSendNetBufferListsComplete(m_hFilter, pParentNetBufferList, SendCompleteFlags);
}

} else {

if((pNetBufferList != NULL)&&((pNetBufferList->SourceHandle == m_hFilter)) ) {

PVOID pBuffer = NULL ;

ASSERT(*((PVOID*)NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList)) != NULL);

pBuffer = *((PVOID*) NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList));

PMDL pMdl = NET_BUFFER_FIRST_MDL(NET_BUFFER_LIST_FIRST_NB(pNetBufferList));

if(NULL != pMdl)
NdisFreeMdl(pMdl);

if(NULL != pBuffer)
delete (UCHAR*) pBuffer;

if(NULL != pNetBufferList)
NdisFreeNetBufferList(pNetBufferList);

}
else
{
NdisFSendNetBufferListsComplete(m_hFilter, pNetBufferList, SendCompleteFlags);
}

NdisInterlockedDecrement(&m_nSendNetBufferListCount);
pNetBufferList = NULL ;
pNetBufferList = pNextNetBufferList;

}

}
**************************************************************

and in packetoutput () function :

*************************************************

u32_t CFilter::PacketOutput(
IN u8_t* pBuffer,
IN u32_t nLength
) {

UCHAR* pPacket = new UCHAR[nLength];
NdisMoveMemory(pPacket, pBuffer, nLength);

PMDL pMdl = NdisAllocateMdl(m_hFilter, pPacket, nLength);
if (pMdl == NULL) {
delete pPacket;
DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_WARNING_LEVEL, “!!! [%p]
CFilter::PacketOutput(): NdisAllocateMdl(): failed\n”, this);
goto cfpoExit;
}

PNET_BUFFER_LIST pNetBufferList =
NdisAllocateNetBufferAndNetBufferList(m_hNetBufferListPool, sizeof(PVOID), 0,
pMdl, 0, nLength);
if (pNetBufferList != NULL) {
*((PVOID*) NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList)) = pPacket;
NdisInterlockedIncrement(&m_nSendNetBufferListCount);
NdisFSendNetBufferLists(m_hFilter, pNetBufferList, 0, 0);
} else {
NdisFreeMdl(pMdl);
delete pPacket;
DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_WARNING_LEVEL, “!!! [%p]
CFilter::PacketOutput(): NdisAllocateNetBufferAndNetBufferList(): failed\n”,
this);
goto cfpoExit;
}

}

****************************************

and packetoutput () is called by CFilter::Status() function ;

The debugger pointed to NET_BUFFER_LIST_CONTEXT_DATA_START . what is the problem ? Where is the memory corruption ? No problems in packetoutput function . same process there . When i done same process in " NdisSendNetBufferListComplete() " it causes bluescreen . Why ?

please help me

Your code is getting a null pointer reference, see Arg1 with address 000000000000000a.

You do realize each layer of driver in the stack can allocate NBL context space, and testing for it not being null means either your driver or some driver higher up allocated context space, which offhand doesn’t seem like a very useful test.

Can you tell us why you think it’s useful to try and test if an NBL has a context space? It might be the context space of a higher layer driver, so this is not a useful test if your driver allocated context space.

Perhaps you’re expecting to access some data from the context space of a driver above you, which is not something you should do, as that data is private to whatever driver owns it, and may change based on operating conditions or the version of the driver or how different filters get layered.

Jan

On 1/10/16, 3:29 AM, “xxxxx@lists.osr.com on behalf of xxxxx@gmail.com” wrote:

>I am developing NDIS 6.2 Filter driver . After running my application i got Blue screen crash . With the help of WinDbg tool i took crash dumps . After nalyzing that dump , i got crash reason something like “Unable to get special pool info” . This is occur when i calling NET_BUFFER_LIST_CONTEXT_DATA_START in the driver code .
>
>The Dump after !analyze -v :
>
>
>1: kd> !analyze -v
>***********************
>*
> Bugcheck Analysis
>
>
>
>DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
>An attempt was made to access a pageable (or completely invalid) address at an
>interrupt request level (IRQL) that is too high. This is usually
>caused by drivers using improper addresses.
>If kernel debugger is available get stack backtrace.
>Arguments:
>Arg1: 000000000000000a, memory referenced
>Arg2: 0000000000000002, IRQL
>Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
>Arg4: fffff800ddaa369a, address which referenced memory
>
>Debugging Details:
>------------------
>
>
>READ_ADDRESS: fffff8021b4d3ce0: Unable to get special pool info
>fffff8021b4d3ce0: Unable to get special pool info
>unable to get nt!MmPoolCodeStart
>unable to get nt!MmPoolCodeEnd
> 000000000000000a
>
>CURRENT_IRQL: 2
>
>FAULTING_IP:
>mymuxtun!CFilter::SendNetBufferListsComplete+6e [c:\users\multiplexer\windows\ndis62\filter.cpp @ 510]
>fffff800ddaa369a 0fb7410a movzx eax,word ptr [rcx+0Ah]<br>&gt;<br>&gt;CUSTOMER_CRASH_COUNT: 1<br>&gt;<br>&gt;DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT<br>&gt;<br>&gt;BUGCHECK_STR: 0xD1<br>&gt;<br>&gt;PROCESS_NAME: chrome.exe<br>&gt;<br>&gt;LAST_CONTROL_TRANSFER: from fffff8021b37bae9 to fffff8021b36ffa0<br>&gt;<br>&gt;STACK_TEXT: <br>&gt;ffffd000786b5fe8 fffff8021b37bae9 : 000000000000000a 000000000000000a 0000000000000002 0000000000000000 : nt!KeBugCheckEx<br>&gt;ffffd000786b5ff0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69<br>&gt;<br>&gt;<br>&gt;STACK_COMMAND: .bugcheck ; kb<br>&gt;<br>&gt;FOLLOWUP_IP: <br>&gt;nsmuxtun!CFilter::SendNetBufferListsComplete+6e [c:\users\windows\ndis62\filter.cpp @ 510]<br>&gt;fffff800ddaa369a 0fb7410a movzx eax,word ptr [rcx+0Ah]
>
>FAULTING_SOURCE_CODE:
> 506: if((pNetBufferList != NULL)&&((pNetBufferList->SourceHandle == m_hFilter)) ) {
> 507:
> 508: PVOID pBuffer = NULL ;
> 509: ASSERT(((PVOID)NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList)) != NULL);
>> 510: pBuffer = ((PVOID) NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList));
> 511: PMDL pMdl = NET_BUFFER_FIRST_MDL(NET_BUFFER_LIST_FIRST_NB(pNetBufferList));
> 512:
> 513: if(NULL != pMdl)
> 514: NdisFreeMdl(pMdl);
> 515:
>
>
>SYMBOL_NAME: mymuxtun!CFilter::SendNetBufferListsComplete+6e
>
>FOLLOWUP_NAME: MachineOwner
>
>MODULE_NAME: mymuxtun
>
>IMAGE_NAME: mymuxtun.sys
>
>DEBUG_FLR_IMAGE_TIMESTAMP: 568fd1a3
>
>FAILURE_BUCKET_ID: X64_0xD1_mymuxtun!CFilter::SendNetBufferListsComplete+6e
>
>BUCKET_ID: X64_0xD1_mymuxtun!CFilter::SendNetBufferListsComplete+6e
>
>Followup: MachineOwner
>---------
>
>1: kd> k
>Child-SP RetAddr Call Site
>ffffd000786b5fe8 fffff8021b37bae9 nt!KeBugCheckEx
>ffffd000786b5ff0 0000000000000000 nt!KiBugCheckDispatch+0x69
>
>
>
>
>my attach function :
>
>
>Attach(
> IN NDIS_HANDLE NdisFilterHandle,
> IN PNDIS_FILTER_ATTACH_PARAMETERS AttachParameters )
>{
> m_hFilter = NdisFilterHandle;
>
> NET_BUFFER_LIST_POOL_PARAMETERS netBufferListPoolParameters;
> NdisZeroMemory(&netBufferListPoolParameters, sizeof(NET_BUFFER_LIST_POOL_PARAMETERS));
> netBufferListPoolParameters.Header.Type = NDIS_OBJECT_TYPE_DEFAULT;
> netBufferListPoolParameters.Header.Size = NDIS_SIZEOF_NET_BUFFER_LIST_POOL_PARAMETERS_REVISION_1;
> netBufferListPoolParameters.Header.Revision = NET_BUFFER_LIST_POOL_PARAMETERS_REVISION_1;
> netBufferListPoolParameters.ProtocolId = NDIS_PROTOCOL_ID_DEFAULT;
> netBufferListPoolParameters.fAllocateNetBuffer = TRUE;
> netBufferListPoolParameters.ContextSize = 0;
> netBufferListPoolParameters.PoolTag = MYMUXTUN_POOL_TAG;
> netBufferListPoolParameters.DataSize = 0;
>
> m_hNetBufferListPool = NdisAllocateNetBufferListPool(m_hFilter, &netBufferListPoolParameters);
> if (m_hNetBufferListPool == NULL) {
> status = NDIS_STATUS_RESOURCES;
> DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_TRACE_LEVEL, “!!! [%p] Attach(): NdisAllocateNetBufferListPool(): failed\n”, this);
> goto cfaExit;
> }
>
> NDIS_FILTER_ATTRIBUTES ndisFilterAttributes;
> NdisZeroMemory(&ndisFilterAttributes, sizeof(NDIS_FILTER_ATTRIBUTES));
> ndisFilterAttributes.Header.Type = NDIS_OBJECT_TYPE_FILTER_ATTRIBUTES;
> ndisFilterAttributes.Header.Size = NDIS_SIZEOF_FILTER_ATTRIBUTES_REVISION_1;
> ndisFilterAttributes.Header.Revision = NDIS_FILTER_ATTRIBUTES_REVISION_1;
> ndisFilterAttributes.Flags = 0;
>
> status = NdisFSetAttributes(NdisFilterHandle, this, &ndisFilterAttributes);
> if (status != NDIS_STATUS_SUCCESS) {
> DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, “!!! [%p] Attach(): NdisFSetAttributes(): failed, status %08X\n”, this, status);
> goto cfaExit;
> }
>
>cfaExit:
> DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_TRACE_LEVEL, “<<< [%p] Attach(): exited, status %08X\n”, this, status);
> return status;
>
>}
>
>
>
>Send buffer list function ()
>
>
>SendNetBufferLists(
> IN PNET_BUFFER_LIST NetBufferLists,
> IN NDIS_PORT_NUMBER PortNumber,
> IN ULONG SendFlags)
>{
> PNET_BUFFER_LIST pSendNetBufferList = NULL;
> PNET_BUFFER_LIST pSendNetBufferListComplete = NULL;
>
> PNET_BUFFER_LIST pNetBufferList = NetBufferLists;
> PNET_BUFFER_LIST pNextNetBufferList = NULL;
>
>
>while (pNetBufferList) {
>
> pNextNetBufferList = NET_BUFFER_LIST_NEXT_NBL(pNetBufferList);
> NET_BUFFER_LIST_NEXT_NBL(pNetBufferList) = NULL;
>
> if (pNetBufferList->ChildRefCount != 0) {
>
> DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, “!!! [%p]SendNetBufferLists(): pNetBufferList->ChildRefCount != 0\n”, this);
>
> }
>
> PNET_BUFFER pNetBuffer = NET_BUFFER_LIST_FIRST_NB(pNetBufferList);
> PNET_BUFFER pNextNetBuffer = NULL;
>
>
> while (pNetBuffer) {
>
> pNextNetBuffer = NET_BUFFER_NEXT_NB(pNetBuffer);
> u32_t nResult = OutgoingNetBufferInput(pNetBuffer);
>
>
> PNET_BUFFER_LIST pNewNetBufferList = NdisAllocateNetBufferAndNetBufferList(m_hNetBufferListPool, 0, 0, NULL, 0, 0);
>
> if (pNewNetBufferList == NULL) {
>
> pNetBuffer = pNextNetBuffer;
> DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_WARNING_LEVEL, “!!! [%p] CFilter::SendNetBufferLists(): NdisAllocateNetBufferAndNetBufferList(): failed\n”, this);
> continue;
> }
>
>
> PNET_BUFFER pNewNetBuffer = NET_BUFFER_LIST_FIRST_NB(pNewNetBufferList);
> NET_BUFFER_FIRST_MDL(pNewNetBuffer) = NET_BUFFER_FIRST_MDL(pNetBuffer);
> NET_BUFFER_DATA_LENGTH(pNewNetBuffer) = NET_BUFFER_DATA_LENGTH(pNetBuffer);
> NET_BUFFER_DATA_OFFSET(pNewNetBuffer) = NET_BUFFER_DATA_OFFSET(pNetBuffer);
> NET_BUFFER_CURRENT_MDL(pNewNetBuffer) = NET_BUFFER_CURRENT_MDL(pNetBuffer);
> NET_BUFFER_CURRENT_MDL_OFFSET(pNewNetBuffer) = NET_BUFFER_CURRENT_MDL_OFFSET(pNetBuffer);
> NDIS_SET_NET_BUFFER_LIST_CANCEL_ID(pNewNetBufferList, NDIS_GET_NET_BUFFER_LIST_CANCEL_ID(pNetBufferList));
> NdisCopySendNetBufferListInfo(pNewNetBufferList, pNetBufferList);
>
> pNewNetBufferList->SourceHandle = m_hFilter;
> pNewNetBufferList->ParentNetBufferList = pNetBufferList;
>
> pNetBufferList->ChildRefCount ++;
> NdisInterlockedIncrement(&m_nSendNetBufferListCount);
>
> if (pSendNetBufferList != NULL) {
>
> PNET_BUFFER_LIST pCurrentNetBufferList = pSendNetBufferList;
>
> while (NET_BUFFER_LIST_NEXT_NBL(pCurrentNetBufferList) != NULL) {
> pCurrentNetBufferList = NET_BUFFER_LIST_NEXT_NBL(pCurrentNetBufferList);
> }
>
> NET_BUFFER_LIST_NEXT_NBL(pCurrentNetBufferList) = pNewNetBufferList;
> } else {
> pSendNetBufferList = pNewNetBufferList;
> }
>
> pNetBuffer = pNextNetBuffer;
> }
>
>
> if (pNetBufferList->ChildRefCount == 0) {
> NET_BUFFER_LIST_STATUS(pNetBufferList) = NDIS_STATUS_SUCCESS;
>
> if (pSendNetBufferListComplete != NULL) {
>
> PNET_BUFFER_LIST pCurrentNetBufferList = pSendNetBufferListComplete;
>
> while (NET_BUFFER_LIST_NEXT_NBL(pCurrentNetBufferList) != NULL) {
> pCurrentNetBufferList = NET_BUFFER_LIST_NEXT_NBL(pCurrentNetBufferList);
> }
> NET_BUFFER_LIST_NEXT_NBL(pCurrentNetBufferList) = pNetBufferList;
> } else {
> pSendNetBufferListComplete = pNetBufferList;
> }
> }
>
> pNetBufferList = pNextNetBufferList;
>
> }
>
>
>if (pSendNetBufferList != NULL) {
>
> NdisFSendNetBufferLists(m_hFilter, pSendNetBufferList, PortNumber, SendFlags);
>
> }
>
> if (pSendNetBufferListComplete != NULL) {
>
> NdisFSendNetBufferListsComplete(m_hFilter, pSendNetBufferListComplete, SendFlags & NDIS_SEND_FLAGS_DISPATCH_LEVEL ? NDIS_SEND_COMPLETE_FLAGS_DISPATCH_LEVEL : 0);
>
> }
>
>}
>
>
>and the SendBufferListComplete function :
>
>
>
>
>SendNetBufferListsComplete(
> IN PNET_BUFFER_LIST NetBufferLists,
> IN ULONG SendCompleteFlags )
>{
>
> PNET_BUFFER_LIST pNetBufferList = NULL ;
> pNetBufferList = NetBufferLists;
>
> PNET_BUFFER_LIST pNextNetBufferList = NULL;
>
> while ( NULL != pNetBufferList) {
>
> pNextNetBufferList = NET_BUFFER_LIST_NEXT_NBL(pNetBufferList);
>
> NET_BUFFER_LIST_NEXT_NBL(pNetBufferList) = NULL;
>
> PNET_BUFFER_LIST pParentNetBufferList = pNetBufferList->ParentNetBufferList;
>
> if (pParentNetBufferList != NULL) {
>
> NDIS_STATUS status = NET_BUFFER_LIST_STATUS(pNetBufferList);
>
> if(NULL != pNetBufferList)
> NdisFreeNetBufferList(pNetBufferList);
>
> if (NdisInterlockedDecrement(&pParentNetBufferList->ChildRefCount) == 0) {
> NET_BUFFER_LIST_STATUS(pParentNetBufferList) = status;
> NdisFSendNetBufferListsComplete(m_hFilter, pParentNetBufferList, SendCompleteFlags);
> }
>
> } else {
>
> if((pNetBufferList != NULL)&&((pNetBufferList->SourceHandle == m_hFilter)) ) {
>
> PVOID pBuffer = NULL ;
>
> ASSERT(((PVOID)NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList)) != NULL);
>
> pBuffer = ((PVOID) NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList));
>
> PMDL pMdl = NET_BUFFER_FIRST_MDL(NET_BUFFER_LIST_FIRST_NB(pNetBufferList));
>
> if(NULL != pMdl)
> NdisFreeMdl(pMdl);
>
> if(NULL != pBuffer)
> delete[] (UCHAR) pBuffer;
>
> if(NULL != pNetBufferList)
> NdisFreeNetBufferList(pNetBufferList);
>
> }
> else
> {
> NdisFSendNetBufferListsComplete(m_hFilter, pNetBufferList, SendCompleteFlags);
> }
>
> NdisInterlockedDecrement(&m_nSendNetBufferListCount);
> pNetBufferList = NULL ;
> pNetBufferList = pNextNetBufferList;
>
>
> }
>
>}
>**************************************************************
>
>and in packetoutput () function :
>
>
>
>u32_t CFilter::PacketOutput(
> IN u8_t pBuffer,
> IN u32_t nLength
>) {
>
>UCHAR pPacket = new UCHAR[nLength];
> NdisMoveMemory(pPacket, pBuffer, nLength);
>
> PMDL pMdl = NdisAllocateMdl(m_hFilter, pPacket, nLength);
> if (pMdl == NULL) {
> delete[] pPacket;
> DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_WARNING_LEVEL, “!!! [%p]
>CFilter::PacketOutput(): NdisAllocateMdl(): failed\n”, this);
> goto cfpoExit;
> }
>
> PNET_BUFFER_LIST pNetBufferList =
>NdisAllocateNetBufferAndNetBufferList(m_hNetBufferListPool, sizeof(PVOID), 0,
>pMdl, 0, nLength);
> if (pNetBufferList != NULL) {
> ((PVOID) NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList)) = pPacket;
> NdisInterlockedIncrement(&m_nSendNetBufferListCount);
> NdisFSendNetBufferLists(m_hFilter, pNetBufferList, 0, 0);
> } else {
> NdisFreeMdl(pMdl);
> delete[] pPacket;
> DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_WARNING_LEVEL, “!!! [%p]
>CFilter::PacketOutput(): NdisAllocateNetBufferAndNetBufferList(): failed\n”,
>this);
> goto cfpoExit;
> }
>
>}
>
>********************************
>
>and packetoutput () is called by CFilter::Status() function ;
>
>The debugger pointed to NET_BUFFER_LIST_CONTEXT_DATA_START . what is the problem ? Where is the memory corruption ? No problems in packetoutput function . same process there . When i done same process in " NdisSendNetBufferListComplete() " it causes bluescreen . Why ?
>
>please help me
>
>
>—
>NTDEV is sponsored by OSR
>
>Visit the list online at: http:
>
>MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
>Details at http:
>
>To unsubscribe, visit the List Server section of OSR Online at http:</http:></http:></http:>

So should I remove this piece of line ?

***********************

pBuffer = *((PVOID*) NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList));

if(pBuffer)

delete[UCHAR*] pBuffer;

************************

From my SendNetBufferListsComplete ( ) function ?

and in packetoutput () function I just create a array like :

u32_t CFilter::PacketInput(
IN u8_t* pBuffer,
IN u32_t nLength
)
{
UCHAR* pPacket = new UCHAR[nLength];
NdisMoveMemory(pPacket, pBuffer, nLength);

PMDL pMdl = NdisAllocateMdl(m_hFilter, pPacket, nLength);

if (pMdl == NULL) {
delete pPacket;
goto cfpiExit;
}

and after that

PNET_BUFFER_LIST pNetBufferList = NdisAllocateNetBufferAndNetBufferList(m_hNetBufferListPool, sizeof(PVOID), 0, pMdl, 0, nLength);

if (pNetBufferList != NULL) {

*((PVOID*) NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList)) = pPacket;
NdisInterlockedIncrement(&m_nReceiveNetBufferListCount);

NdisFIndicateReceiveNetBufferLists(m_hFilter, pNetBufferList, 0, 1, 0);

} else {
NdisFreeMdl(pMdl);
delete pPacket;
goto cfpiExit;
}

But I didn’t use any " NdisAllocateNetBufferListContext " function . I just create

UCHAR* pPacket = new UCHAR[nLength];
NdisMoveMemory(pPacket, pBuffer, nLength);

like this and in SendNetBufferListComplete ( ) freeing memory . But crash happened when I call NET_BUFFER_LIST_CONTEXT_DATA_START function .

If you need NBL context space, can you tell us why you don’t call NdisAllocateNetBufferListContext? If you declare the NBL pool as having context space preallocated, NdisAllocateNetBufferListContext is extremely efficient. After you allocate context space, you call NET_BUFFER_LIST_CONTEXT_DATA_START to get a pointer to the allocated space.

If you’re allocating the packets, which I assume is the case since you call new char and NdisAllocateNetBufferAndNetBufferList,there may be sufficient space (4 pointers worth) for your context needs already in the NET_BUFFER structure. As you create the packets, the NET_BUFFER fields MiniportReserved are not used by anybody below you. You would just go:

myNetBuffer->MiniportReserved[0] = pPacket

Jan

On 1/10/16, 11:14 PM, “xxxxx@lists.osr.com on behalf of xxxxx@gmail.com” wrote:

>But I didn’t use any " NdisAllocateNetBufferListContext " function . I just create
>

After commenting the 2 lines of codes from SendnetBufferlistComplete() function

************************
// pBuffer = *((PVOID*) NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList));

PMDL pMdl = NET_BUFFER_FIRST_MDL(NET_BUFFER_LIST_FIRST_NB(pNetBufferList));

if(NULL != pMdl)
NdisFreeMdl(pMdl);

//if(NULL != pBuffer)
// delete (UCHAR*) pBuffer;

if(NULL != pNetBufferList)
NdisFreeNetBufferList(pNetBufferList);

*****************************

I got another blue screen on NdisFreeNetBufferList(pNetBufferList);

the dumps is :

*******************************************************
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 0000000000001200, (reserved)
Arg3: 0000000000010005, Memory contents of the pool block
Arg4: ffffe000bc82a760, Address of the block of pool being deallocated

Debugging Details:

POOL_ADDRESS: ffffe000bc82a760

FREED_POOL_TAG: NSNS

BUGCHECK_STR: 0xc2_7_NSNS

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: chrome.exe

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from fffff8002e09a42a to fffff8002df57fa0

STACK_TEXT:
ffffd001648d01e8 fffff8002e09a42a : 00000000000000c2 0000000000000007 0000000000001200 0000000000010005 : nt!KeBugCheckEx
ffffd001648d01f0 fffff801bdee06a8 : ffffe000ba49a0b8 ffffe000bb05fe38 0000000000000000 0000000000000000 : nt!ExFreePoolWithTag+0x114a
ffffd001648d02c0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : mymuxtun!CFilter::SendNetBufferListsComplete+0x7c [c:\users\windows\ndis62\filter.cpp @ 520]

STACK_COMMAND: kb

FOLLOWUP_IP:
mymuxtun!CFilter::SendNetBufferListsComplete+7c [c:\users\windows\ndis62\filter.cpp @ 520]
fffff801`bdee06a8 488bcb mov rcx,rbx

FAULTING_SOURCE_CODE:
516: //if(NULL != pBuffer)
517: // delete (UCHAR*) pBuffer;
518:
519: if(NULL != pNetBufferList)

520: NdisFreeNetBufferList(pNetBufferList);
521: }
522: else
523: {
524: NdisFSendNetBufferListsComplete(m_hFilter, pNetBufferList, SendCompleteFlags);
525: }

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: mymuxtun!CFilter::SendNetBufferListsComplete+7c

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: mymuxtun

IMAGE_NAME: mymuxtun.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5693552e

FAILURE_BUCKET_ID: X64_0xc2_7_NSNS_mymuxtun!CFilter::SendNetBufferListsComplete+7c

BUCKET_ID: X64_0xc2_7_NSNS_mymuxtun!CFilter::SendNetBufferListsComplete+7c

Followup: MachineOwner

1: kd> !pool ffffe000bc82a760

Pool page ffffe000bc82a760 region is Unknown
ffffe000bc82a000 size: 50 previous size: 0 (Allocated) NSNS
ffffe000bc82a050 size: 50 previous size: 50 (Allocated) NSNS
ffffe000bc82a0a0 size: 50 previous size: 50 (Allocated) NSNS
ffffe000bc82a0f0 size: 50 previous size: 50 (Allocated) NSNS
ffffe000bc82a140 size: 50 previous size: 50 (Allocated) NSNS
ffffe000bc82a190 size: 40 previous size: 50 (Free ) Krnl
ffffe000bc82a1d0 size: 50 previous size: 40 (Allocated) NSNS
ffffe000bc82a220 size: 90 previous size: 50 (Allocated) NSNS
ffffe000bc82a2b0 size: 30 previous size: 90 (Allocated) Krnl
ffffe000bc82a2e0 size: 30 previous size: 30 (Allocated) NSNS
ffffe000bc82a310 size: 50 previous size: 30 (Allocated) NSNS
ffffe000bc82a360 size: 50 previous size: 50 (Allocated) NSNS
ffffe000bc82a3b0 size: 50 previous size: 50 (Allocated) NSNS
ffffe000bc82a400 size: 10 previous size: 50 (Free) Free
ffffe000bc82a410 size: 50 previous size: 10 (Allocated) NSNS
ffffe000bc82a460 size: 50 previous size: 50 (Allocated) VadS
ffffe000bc82a4b0 size: 70 previous size: 50 (Allocated) IE1Q
ffffe000bc82a520 size: 30 previous size: 70 (Allocated) NSNS
ffffe000bc82a550 size: 110 previous size: 30 (Allocated) MmCa
ffffe000bc82a660 size: 10 previous size: 110 (Free) Free
ffffe000bc82a670 size: 50 previous size: 10 (Allocated) NSNS
ffffe000bc82a6c0 size: 40 previous size: 50 (Allocated) WfpH
ffffe000bc82a700 size: 50 previous size: 40 (Allocated) NSNS
ffffe000bc82a750 size: 10 previous size: 50 (Free) Free
*ffffe000bc82a760 size: 50 previous size: 10 (Allocated) *NSNS
Pooltag NSNS : Net server allocations
ffffe000bc82a7b0 size: 70 previous size: 50 (Allocated) NSNS
ffffe000bc82a820 size: 50 previous size: 70 (Allocated) NSNS
ffffe000bc82a870 size: 10 previous size: 50 (Free) Free
ffffe000bc82a880 size: 30 previous size: 10 (Allocated) WfpH
ffffe000bc82a8b0 size: 50 previous size: 30 (Allocated) NSNS
ffffe000bc82a900 size: 90 previous size: 50 (Allocated) NSNS
ffffe000bc82a990 size: 90 previous size: 90 (Allocated) NSNS
ffffe000bc82aa20 size: 30 previous size: 90 (Allocated) NSNS
ffffe000bc82aa50 size: 50 previous size: 30 (Allocated) NSNS
ffffe000bc82aaa0 size: 30 previous size: 50 (Allocated) Krnl
ffffe000bc82aad0 size: 30 previous size: 30 (Allocated) NSNS
ffffe000bc82ab00 size: 60 previous size: 30 (Allocated) NSNS
ffffe000bc82ab60 size: 80 previous size: 60 (Allocated) Ntfr
ffffe000bc82abe0 size: 1d0 previous size: 80 (Allocated) ND
ffffe000bc82adb0 size: 60 previous size: 1d0 (Allocated) Io
ffffe000bc82ae10 size: 10 previous size: 60 (Free) Free
ffffe000bc82ae20 size: 30 previous size: 10 (Allocated) NSNS
ffffe000bc82ae50 size: 50 previous size: 30 (Allocated) NSNS
ffffe000bc82aea0 size: 50 previous size: 50 (Allocated) NSNS
ffffe000bc82aef0 size: 50 previous size: 50 (Allocated) NSNS
ffffe000bc82af40 size: c0 previous size: 50 (Allocated) NSNS

1: kd> ub .

nt!KiBugCheck3+0x12:
fffff8002df57f92 90 nop fffff8002df57f93 cc int 3
fffff8002df57f94 cc int 3 fffff8002df57f95 cc int 3
fffff8002df57f96 cc int 3 fffff8002df57f97 cc int 3
fffff8002df57f98 cc int 3 fffff8002df57f99 0f1f8000000000 nop dword ptr [rax]

*********************************************************

what happens ? driver is overflowed now ? How I fix this ? should remove the context space ?

so should I declare like this in my

PacketInput(
IN u8_t* pBuffer,
IN u32_t nLength
) {

UCHAR* pPacket = new UCHAR[nLength];
NdisMoveMemory(pPacket, pBuffer, nLength);

PMDL pMdl = NdisAllocateMdl(m_hFilter, pPacket, nLength);

PNET_BUFFER_LIST pNetBufferList = NdisAllocateNetBufferAndNetBufferList(m_hNetBufferListPool, sizeof(PVOID), 0, pMdl, 0, nLength);

if (pNetBufferList != NULL) {

*** --------here------ **********
pNetBufferList->MiniportReserved[0] = pPacket;
*** should I uncomment ??? *************
/// *((PVOID*) NET_BUFFER_LIST_CONTEXT_DATA_START(pNetBufferList)) = pPacket;

NdisInterlockedIncrement(&m_nReceiveNetBufferListCount);

NdisFIndicateReceiveNetBufferLists(m_hFilter, pNetBufferList, 0, 1, 0);
} else {
NdisFreeMdl(pMdl);
delete pPacket;
goto cfpiExit;
}

}