NDIS_BUGCHECK_WAIT_EVENT_HIGH_IRQL BSOD in NPF_RemoveFromGroupOpenArray

[kobykahane]

On Windows 10 2004, with npcap 0.9992, after opening Wireshark immediately after resuming the computer from standby, I got the following BSOD:

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BUGCODE_NDIS_DRIVER (7c)
The operating system detected an error in a networking driver.
The BUGCODE_NDIS_DRIVER bugcheck identifies problems in network drivers.
Often, the defect is caused by a NDIS miniport driver. You can get a complete
list of NDIS miniport drivers using !ndiskd.netadapter.  You can get a
big-picture overview of the network stack with !ndiskd.netreport.
Arguments:
Arg1: 0000000000000014, NDIS_BUGCHECK_WAIT_EVENT_HIGH_IRQL
	A network driver called NdisWaitEvent at an illegal
	IRQL.
Arg2: 0000000000000002, The actual IRQL
Arg3: 0000000000000000, Zero.
Arg4: 0000000000000000, Zero.

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 1

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on KOBYK

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 1

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 76

    Key  : Analysis.System
    Value: CreateObject


ADDITIONAL_XML: 1

TAG_NOT_DEFINED_202b:  *** Unknown TAG in analysis list 202b


BUGCHECK_CODE:  7c

BUGCHECK_P1: 14

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: 0

PROCESS_NAME:  System

STACK_TEXT:  
ffffb902`46336c78 fffff807`61c6850e : 00000000`0000007c 00000000`00000014 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffb902`46336c80 fffff807`67f233b6 : 00000000`00000000 00000000`7872444e 00000000`00000000 00000000`0000006a : ndis!NdisWaitEvent+0x1f7ce
ffffb902`46336cc0 fffff807`67f242b9 : ffff8d8d`7f6ab050 ffff8d8d`7f6ab050 00000000`30505741 ffff8d8d`00000000 : npcap!NPF_DoInternalRequest+0xfa [c:\users\nmap\source\repos\npcap\packetwin7\npf\npf\openclos.c @ 3189] 
ffffb902`46336e30 fffff807`67f23226 : ffff8d8d`7f0200ff ffff8d8d`00000000 ffff8d8d`6a12f0b0 00000000`00000006 : npcap!NPF_RemoveFromGroupOpenArray+0x101 [c:\users\nmap\source\repos\npcap\packetwin7\npf\npf\openclos.c @ 1438] 
ffffb902`46336e90 fffff807`67f23185 : ffff8d8d`8e2d0a70 ffffb902`46336fc0 ffff8d8d`7f6ab050 00000000`00000000 : npcap!NPF_DetachOpenInstance+0x52 [c:\users\nmap\source\repos\npcap\packetwin7\npf\npf\openclos.c @ 630] 
ffffb902`46336ee0 fffff807`61d26384 : ffff8d8d`8e2d0a70 fffff807`61cf3048 fffff807`61cf3048 ffff8d8d`8884edd0 : npcap!NPF_DetachAdapter+0x21 [c:\users\nmap\source\repos\npcap\packetwin7\npf\npf\openclos.c @ 2337] 
ffffb902`46336f10 fffff807`61d47a0e : fffff807`61cf3048 ffff8d8d`9b20b1a0 ffff8d8d`8e2d0a70 ffff8d8d`8e2d0a70 : ndis!ndisFInvokeDetach+0x68
ffffb902`46336f50 fffff807`61d25f09 : ffffd404`93b51b50 ffff8d8d`8e2d0a70 00000000`00000000 ffff8d8d`8f568300 : ndis!ndisDetachFilterInner+0x282
ffffb902`46336ff0 fffff807`61d21874 : 00000000`00000000 ffffb902`46337150 00000000`00000009 ffff8d8d`9b20c590 : ndis!ndisDetachFilter+0xb1
ffffb902`46337050 fffff807`61d142d8 : ffff8d8d`9b20b1a0 ffff8d8d`9b20b1a0 ffff8d8d`9b20c608 ffff8d8d`9b20c590 : ndis!Ndis::BindEngine::Iterate+0xd4f0
ffffb902`463371d0 fffff807`61d0d906 : ffff8d8d`9b20c590 ffffb902`46337300 00000000`00000000 00000000`00000000 : ndis!Ndis::BindEngine::UpdateBindings+0x98
ffffb902`46337220 fffff807`61d0d96c : ffff8d8d`9b20c590 00000000`00000000 ffff8d8d`9b20c590 fffff807`61d0b3ef : ndis!Ndis::BindEngine::DispatchPendingWork+0x76
ffffb902`46337250 fffff807`61d0b35d : ffff8d8d`9b20c590 ffffb902`46337300 00000000`00001000 00000000`00001000 : ndis!Ndis::BindEngine::ApplyBindChanges+0x54
ffffb902`463372a0 fffff807`61d45e4e : ffff8d8d`9b20b1a0 ffffb902`463373f0 ffff8d8d`9b20c590 ffff8d8d`682f4a50 : ndis!ndisMSetMiniportReadyForBinding+0x81
ffffb902`463372f0 fffff807`61c9014c : ffff8d8d`9b20b1a0 ffff8d8d`9b20b1a0 00000000`00000000 fffff807`61cf3048 : ndis!ndisPnPRemoveDevice+0x31e
ffffb902`46337530 fffff807`61d2dcbe : ffff8d8d`9b20b1a0 ffff8d8d`9b20b050 00000000`00000000 00000000`00000000 : ndis!ndisPnPRemoveDeviceEx+0x148
ffffb902`46337580 fffff807`61c5b626 : ffff8d8d`8424c870 ffffb902`46337630 00000000`00000000 ffff8d8d`9b20b1a0 : ndis!ndisPnPIrpRemoveDevice+0x10a
ffffb902`463375f0 fffff807`5d846d25 : 00000000`00000001 ffff8d8d`9b20b050 00000000`00000001 ffffb902`46337750 : ndis!ndisPnPDispatch+0x30306
ffffb902`46337660 fffff807`5dca610c : 00000000`00000000 ffff8d8d`9b20b050 ffffb902`46337750 fffff807`5dd389f8 : nt!IofCallDriver+0x55
ffffb902`463376a0 fffff807`5dd38701 : ffff8d8d`8c6c7e00 ffff8d8d`8c6c7e00 ffff8d8d`6a21fcc0 00000000`00000002 : nt!IopSynchronousCall+0xf8
ffffb902`46337710 fffff807`5d95a0fc : ffffd404`a4f06760 ffff8d8d`6a21fcc0 00000000`00000001 00000000`0000000a : nt!IopRemoveDevice+0x105
ffffb902`463377c0 fffff807`5dd382ca : ffff8d8d`6a21fcc0 00000000`00000016 00000000`00000000 cb3a4008`00200001 : nt!PnpRemoveLockedDeviceNode+0x1ac
ffffb902`46337820 fffff807`5dd37fff : ffff8d8d`6a21fcc0 ffffb902`463378a0 00000000`00000016 ffff8d8d`6a21fcc0 : nt!PnpDeleteLockedDeviceNode+0x4e
ffffb902`46337860 fffff807`5dd36ee3 : ffff8d8d`8c6c7e00 ffffd404`00000002 ffff8d8d`8c6c7e00 00000000`00000001 : nt!PnpDeleteLockedDeviceNodes+0xf7
ffffb902`463378e0 fffff807`5dd34e37 : ffffb902`46337a20 ffff8d8d`6a21fc00 ffffb902`46337a00 ffffd404`00000001 : nt!PnpProcessQueryRemoveAndEject+0x39b
ffffb902`463379c0 fffff807`5dcd393e : ffffd404`a4f06760 ffffd404`7dba6610 ffff8d8d`5dc7ba00 00000000`00000000 : nt!PnpProcessTargetDeviceEvent+0xeb
ffffb902`463379f0 fffff807`5d833f25 : ffff8d8d`7f061040 ffff8d8d`7f061040 ffff8d8d`5dc7ba20 ffff8d8d`9ae072f0 : nt!PnpDeviceEventWorker+0x2ce
ffffb902`46337a70 fffff807`5d946715 : ffff8d8d`7f061040 00000000`00000080 ffff8d8d`5dcb3080 00000000`00000000 : nt!ExpWorkerThread+0x105
ffffb902`46337b10 fffff807`5d9e5078 : ffffbe00`819da180 ffff8d8d`7f061040 fffff807`5d9466c0 00000000`00000000 : nt!PspSystemThreadStartup+0x55
ffffb902`46337b60 00000000`00000000 : ffffb902`46338000 ffffb902`46331000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28


FAULTING_SOURCE_LINE:  c:\users\nmap\source\repos\npcap\packetwin7\npf\npf\openclos.c

FAULTING_SOURCE_FILE:  c:\users\nmap\source\repos\npcap\packetwin7\npf\npf\openclos.c

FAULTING_SOURCE_LINE_NUMBER:  3189

FAULTING_SOURCE_CODE:  
  3185: 	{
  3186: 		// Wait for this event which is signaled by NPF_InternalRequestComplete,
  3187: 		// which also sets RequestStatus appropriately
  3188: 		NdisWaitEvent(&FilterRequest.InternalRequestCompletedEvent, 0);
> 3189: 		Status = FilterRequest.RequestStatus;
  3190: 	}
  3191: 
  3192: 	if (Status == NDIS_STATUS_SUCCESS)
  3193: 	{
  3194: 		if (RequestType == NdisRequestSetInformation)


SYMBOL_NAME:  npcap!NPF_DoInternalRequest+fa

MODULE_NAME: npcap

IMAGE_NAME:  npcap.sys

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  fa

FAILURE_BUCKET_ID:  0x7C_14_npcap!NPF_DoInternalRequest

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {7fdbcd3a-81cd-f6ea-cdbb-42b9e01fd02d}

Followup:     MachineOwner
---------

The crash appears to be due to a call to NdisWaitEvent in high IRQL. The reason the IRQL is high appears to be the acquisition of a spin lock (pOpen->OpenInUseLock) in NPF_DetachOpenInstance before the call to NPF_RemoveFromGroupOpenArray, which eventually calls NPF_DoInternalRequest and attempts to wait for the pending OID request to complete in dispatch level.

The complete dump (~ 830 MB compressed) is available upon request, if necessary.
npcap_mini.zip

[dmiller-nmap]

Thanks for this very detailed bug report! We'll look into this right away.