NDIS_BUGCHECK_WAIT_EVENT_HIGH_IRQL BSOD in NPF_RemoveFromGroupOpenArray #181

Closed
kobykahane opened this issue Jun 4, 2020 · 1 comment

@kobykahane

On Windows 10 2004, with npcap 0.9992, after opening Wireshark immediately after resuming the computer from standby, I got the following BSOD:

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BUGCODE_NDIS_DRIVER (7c)
The operating system detected an error in a networking driver.
The BUGCODE_NDIS_DRIVER bugcheck identifies problems in network drivers.
Often, the defect is caused by a NDIS miniport driver. You can get a complete
list of NDIS miniport drivers using !ndiskd.netadapter.  You can get a
big-picture overview of the network stack with !ndiskd.netreport.
Arguments:
Arg1: 0000000000000014, NDIS_BUGCHECK_WAIT_EVENT_HIGH_IRQL
	A network driver called NdisWaitEvent at an illegal
	IRQL.
Arg2: 0000000000000002, The actual IRQL
Arg3: 0000000000000000, Zero.
Arg4: 0000000000000000, Zero.

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 1

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on KOBYK

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 1

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 76

    Key  : Analysis.System
    Value: CreateObject


ADDITIONAL_XML: 1

TAG_NOT_DEFINED_202b:  *** Unknown TAG in analysis list 202b


BUGCHECK_CODE:  7c

BUGCHECK_P1: 14

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: 0

PROCESS_NAME:  System

STACK_TEXT:  
ffffb902`46336c78 fffff807`61c6850e : 00000000`0000007c 00000000`00000014 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffb902`46336c80 fffff807`67f233b6 : 00000000`00000000 00000000`7872444e 00000000`00000000 00000000`0000006a : ndis!NdisWaitEvent+0x1f7ce
ffffb902`46336cc0 fffff807`67f242b9 : ffff8d8d`7f6ab050 ffff8d8d`7f6ab050 00000000`30505741 ffff8d8d`00000000 : npcap!NPF_DoInternalRequest+0xfa [c:\users\nmap\source\repos\npcap\packetwin7\npf\npf\openclos.c @ 3189] 
ffffb902`46336e30 fffff807`67f23226 : ffff8d8d`7f0200ff ffff8d8d`00000000 ffff8d8d`6a12f0b0 00000000`00000006 : npcap!NPF_RemoveFromGroupOpenArray+0x101 [c:\users\nmap\source\repos\npcap\packetwin7\npf\npf\openclos.c @ 1438] 
ffffb902`46336e90 fffff807`67f23185 : ffff8d8d`8e2d0a70 ffffb902`46336fc0 ffff8d8d`7f6ab050 00000000`00000000 : npcap!NPF_DetachOpenInstance+0x52 [c:\users\nmap\source\repos\npcap\packetwin7\npf\npf\openclos.c @ 630] 
ffffb902`46336ee0 fffff807`61d26384 : ffff8d8d`8e2d0a70 fffff807`61cf3048 fffff807`61cf3048 ffff8d8d`8884edd0 : npcap!NPF_DetachAdapter+0x21 [c:\users\nmap\source\repos\npcap\packetwin7\npf\npf\openclos.c @ 2337] 
ffffb902`46336f10 fffff807`61d47a0e : fffff807`61cf3048 ffff8d8d`9b20b1a0 ffff8d8d`8e2d0a70 ffff8d8d`8e2d0a70 : ndis!ndisFInvokeDetach+0x68
ffffb902`46336f50 fffff807`61d25f09 : ffffd404`93b51b50 ffff8d8d`8e2d0a70 00000000`00000000 ffff8d8d`8f568300 : ndis!ndisDetachFilterInner+0x282
ffffb902`46336ff0 fffff807`61d21874 : 00000000`00000000 ffffb902`46337150 00000000`00000009 ffff8d8d`9b20c590 : ndis!ndisDetachFilter+0xb1
ffffb902`46337050 fffff807`61d142d8 : ffff8d8d`9b20b1a0 ffff8d8d`9b20b1a0 ffff8d8d`9b20c608 ffff8d8d`9b20c590 : ndis!Ndis::BindEngine::Iterate+0xd4f0
ffffb902`463371d0 fffff807`61d0d906 : ffff8d8d`9b20c590 ffffb902`46337300 00000000`00000000 00000000`00000000 : ndis!Ndis::BindEngine::UpdateBindings+0x98
ffffb902`46337220 fffff807`61d0d96c : ffff8d8d`9b20c590 00000000`00000000 ffff8d8d`9b20c590 fffff807`61d0b3ef : ndis!Ndis::BindEngine::DispatchPendingWork+0x76
ffffb902`46337250 fffff807`61d0b35d : ffff8d8d`9b20c590 ffffb902`46337300 00000000`00001000 00000000`00001000 : ndis!Ndis::BindEngine::ApplyBindChanges+0x54
ffffb902`463372a0 fffff807`61d45e4e : ffff8d8d`9b20b1a0 ffffb902`463373f0 ffff8d8d`9b20c590 ffff8d8d`682f4a50 : ndis!ndisMSetMiniportReadyForBinding+0x81
ffffb902`463372f0 fffff807`61c9014c : ffff8d8d`9b20b1a0 ffff8d8d`9b20b1a0 00000000`00000000 fffff807`61cf3048 : ndis!ndisPnPRemoveDevice+0x31e
ffffb902`46337530 fffff807`61d2dcbe : ffff8d8d`9b20b1a0 ffff8d8d`9b20b050 00000000`00000000 00000000`00000000 : ndis!ndisPnPRemoveDeviceEx+0x148
ffffb902`46337580 fffff807`61c5b626 : ffff8d8d`8424c870 ffffb902`46337630 00000000`00000000 ffff8d8d`9b20b1a0 : ndis!ndisPnPIrpRemoveDevice+0x10a
ffffb902`463375f0 fffff807`5d846d25 : 00000000`00000001 ffff8d8d`9b20b050 00000000`00000001 ffffb902`46337750 : ndis!ndisPnPDispatch+0x30306
ffffb902`46337660 fffff807`5dca610c : 00000000`00000000 ffff8d8d`9b20b050 ffffb902`46337750 fffff807`5dd389f8 : nt!IofCallDriver+0x55
ffffb902`463376a0 fffff807`5dd38701 : ffff8d8d`8c6c7e00 ffff8d8d`8c6c7e00 ffff8d8d`6a21fcc0 00000000`00000002 : nt!IopSynchronousCall+0xf8
ffffb902`46337710 fffff807`5d95a0fc : ffffd404`a4f06760 ffff8d8d`6a21fcc0 00000000`00000001 00000000`0000000a : nt!IopRemoveDevice+0x105
ffffb902`463377c0 fffff807`5dd382ca : ffff8d8d`6a21fcc0 00000000`00000016 00000000`00000000 cb3a4008`00200001 : nt!PnpRemoveLockedDeviceNode+0x1ac
ffffb902`46337820 fffff807`5dd37fff : ffff8d8d`6a21fcc0 ffffb902`463378a0 00000000`00000016 ffff8d8d`6a21fcc0 : nt!PnpDeleteLockedDeviceNode+0x4e
ffffb902`46337860 fffff807`5dd36ee3 : ffff8d8d`8c6c7e00 ffffd404`00000002 ffff8d8d`8c6c7e00 00000000`00000001 : nt!PnpDeleteLockedDeviceNodes+0xf7
ffffb902`463378e0 fffff807`5dd34e37 : ffffb902`46337a20 ffff8d8d`6a21fc00 ffffb902`46337a00 ffffd404`00000001 : nt!PnpProcessQueryRemoveAndEject+0x39b
ffffb902`463379c0 fffff807`5dcd393e : ffffd404`a4f06760 ffffd404`7dba6610 ffff8d8d`5dc7ba00 00000000`00000000 : nt!PnpProcessTargetDeviceEvent+0xeb
ffffb902`463379f0 fffff807`5d833f25 : ffff8d8d`7f061040 ffff8d8d`7f061040 ffff8d8d`5dc7ba20 ffff8d8d`9ae072f0 : nt!PnpDeviceEventWorker+0x2ce
ffffb902`46337a70 fffff807`5d946715 : ffff8d8d`7f061040 00000000`00000080 ffff8d8d`5dcb3080 00000000`00000000 : nt!ExpWorkerThread+0x105
ffffb902`46337b10 fffff807`5d9e5078 : ffffbe00`819da180 ffff8d8d`7f061040 fffff807`5d9466c0 00000000`00000000 : nt!PspSystemThreadStartup+0x55
ffffb902`46337b60 00000000`00000000 : ffffb902`46338000 ffffb902`46331000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28


FAULTING_SOURCE_LINE:  c:\users\nmap\source\repos\npcap\packetwin7\npf\npf\openclos.c

FAULTING_SOURCE_FILE:  c:\users\nmap\source\repos\npcap\packetwin7\npf\npf\openclos.c

FAULTING_SOURCE_LINE_NUMBER:  3189

FAULTING_SOURCE_CODE:  
  3185: 	{
  3186: 		// Wait for this event which is signaled by NPF_InternalRequestComplete,
  3187: 		// which also sets RequestStatus appropriately
  3188: 		NdisWaitEvent(&FilterRequest.InternalRequestCompletedEvent, 0);
> 3189: 		Status = FilterRequest.RequestStatus;
  3190: 	}
  3191: 
  3192: 	if (Status == NDIS_STATUS_SUCCESS)
  3193: 	{
  3194: 		if (RequestType == NdisRequestSetInformation)


SYMBOL_NAME:  npcap!NPF_DoInternalRequest+fa

MODULE_NAME: npcap

IMAGE_NAME:  npcap.sys

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  fa

FAILURE_BUCKET_ID:  0x7C_14_npcap!NPF_DoInternalRequest

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {7fdbcd3a-81cd-f6ea-cdbb-42b9e01fd02d}

Followup:     MachineOwner
---------

The crash appears to be due to a call to NdisWaitEvent at high IRQL. The reason the IRQL is high appears to be the acquisition of a spin lock (pOpen->OpenInUseLock) in NPF_DetachOpenInstance before the call to NPF_RemoveFromGroupOpenArray, which eventually calls NPF_DoInternalRequest and attempts to wait for the pending OID request to complete at dispatch level.

The complete dump (~ 830 MB compressed) is available upon request, if necessary.
npcap_mini.zip
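Added example, not part of this issue or of the npcap source: a user-mode C model of the IRQL rule behind the bugcheck in the report. Acquiring a spin lock raises IRQL to DISPATCH_LEVEL, and NdisWaitEvent may only block below that level, so a wait issued while pOpen->OpenInUseLock is held trips bugcheck 0x7C with argument 0x14. The model redefines the two NDIS constants locally and turns the bugcheck into a return value so it runs anywhere; `open_instance`, `in_use_lock`, `do_internal_request` and the `detach_open_instance_*` functions are stand-ins for the objects named in the stack trace, not npcap's code. It contrasts the reported ordering (wait under the lock) with the usual fix of deciding under the lock, releasing it, and only then doing the blocking work.

```c
/*
 * User-mode model of the NDIS IRQL rule (added example, not npcap code).
 * A spin lock raises IRQL to DISPATCH_LEVEL; NdisWaitEvent is only legal
 * below it. The "bugcheck" is a returned status so the model can execute.
 */
#include <stdbool.h>
#include <stdio.h>

enum irql { PASSIVE_LEVEL = 0, APC_LEVEL = 1, DISPATCH_LEVEL = 2 };

#define NDIS_STATUS_SUCCESS                 0x00000000u
#define NDIS_BUGCHECK_WAIT_EVENT_HIGH_IRQL  0x14u   /* bugcheck 0x7C, Arg1 */

/* Current processor IRQL in this single-threaded model. */
static enum irql current_irql = PASSIVE_LEVEL;

struct spin_lock {
    bool held;
    enum irql old_irql;   /* restored on release, as KeReleaseSpinLock does */
};

struct open_instance {
    struct spin_lock in_use_lock;   /* stand-in for pOpen->OpenInUseLock */
    int  in_use_count;
    bool needs_oid_request;         /* hypothetical: an OID must be sent on detach */
};

/* KeAcquireSpinLock semantics: raise to DISPATCH_LEVEL, remember the old level. */
static void acquire_spin_lock(struct spin_lock *lock)
{
    lock->old_irql = current_irql;
    current_irql = DISPATCH_LEVEL;
    lock->held = true;
}

static void release_spin_lock(struct spin_lock *lock)
{
    lock->held = false;
    current_irql = lock->old_irql;
}

/* NdisWaitEvent as NDIS checks it: blocking at DISPATCH_LEVEL or above is fatal. */
static unsigned ndis_wait_event(void)
{
    if (current_irql >= DISPATCH_LEVEL)
        return NDIS_BUGCHECK_WAIT_EVENT_HIGH_IRQL;  /* KeBugCheckEx(0x7C, 0x14, irql, 0, 0) */
    /* A real wait blocks here until the completion routine signals the event. */
    return NDIS_STATUS_SUCCESS;
}

/* Stand-in for NPF_DoInternalRequest: issue a synchronous OID and wait for it. */
static unsigned do_internal_request(void)
{
    return ndis_wait_event();
}

/* Ordering the report describes: the wait runs while the spin lock is held. */
static unsigned detach_open_instance_buggy(struct open_instance *open)
{
    unsigned status = NDIS_STATUS_SUCCESS;

    acquire_spin_lock(&open->in_use_lock);
    open->in_use_count = 0;
    if (open->needs_oid_request)
        status = do_internal_request();     /* IRQL == DISPATCH_LEVEL here */
    release_spin_lock(&open->in_use_lock);
    return status;
}

/* Corrected ordering: decide under the lock, drop it, then do the blocking work. */
static unsigned detach_open_instance_fixed(struct open_instance *open)
{
    bool issue_request;

    acquire_spin_lock(&open->in_use_lock);
    open->in_use_count = 0;
    issue_request = open->needs_oid_request;
    open->needs_oid_request = false;        /* claim the work while still serialized */
    release_spin_lock(&open->in_use_lock);  /* back at the caller's IRQL */

    return issue_request ? do_internal_request() : NDIS_STATUS_SUCCESS;
}

/* Scenario helpers: each starts from a fresh instance at PASSIVE_LEVEL. */
static unsigned run_buggy_detach(void)
{
    struct open_instance open = { { false, PASSIVE_LEVEL }, 1, true };
    current_irql = PASSIVE_LEVEL;
    return detach_open_instance_buggy(&open);
}

static unsigned run_fixed_detach(void)
{
    struct open_instance open = { { false, PASSIVE_LEVEL }, 1, true };
    current_irql = PASSIVE_LEVEL;
    return detach_open_instance_fixed(&open);
}

static enum irql irql_now(void) { return current_irql; }

int main(void)
{
    printf("buggy detach: status 0x%x (0x14 = NDIS_BUGCHECK_WAIT_EVENT_HIGH_IRQL)\n", run_buggy_detach());
    printf("fixed detach: status 0x%x\n", run_fixed_detach());
    return 0;
}
```

Build with any C compiler (`cc model.c && ./a.out`). In a real driver the same ordering defect is caught earliest by Driver Verifier's IRQL checking or, as here, by NDIS itself at the first blocking call; the fix pattern is always to move the blocking call outside the spin-locked region, or to defer it to a work item that runs at PASSIVE_LEVEL.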

@dmiller-nmap
Contributor

Thanks for this very detailed bug report! We'll look into this right away.
