BSOD with DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) with Realtek Network adapter and Teefer.sys
search cancel

BSOD with DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) with Realtek Network adapter and Teefer.sys

book

Article ID: 269670

calendar_today

Updated On:

Products

Endpoint Protection Endpoint Protection Cloud Endpoint Protection with Endpoint Detection and Response Endpoint Protection with Endpoint Detection and Response Endpoint Security Endpoint Security Complete Endpoint Security for Servers

Issue/Introduction

Under specific circumstances such as viewing multiple streams from multiple sources in Microsoft Teams, and or handling multiple video streams in multiple browsers you may see a BSOD occur with Symantec Endpoint Protection installed.

This issue specifically only occurs on devices running newer versions of the rtu53cx22x64.sys driver (Realtek has stated the difference appear between their 11.8 and 11.9 release versions)*** And SEP RU5, RU6 and or RU7.


The BSOD reported is : DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

WINDBG shows an initial output of :

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffffd3252e352f70, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff8027d7712b4, address which referenced memory

AND

BUGCHECK_CODE:  d1
BUGCHECK_P1: ffffd3252e352f70
BUGCHECK_P2: 2
BUGCHECK_P3: 1
BUGCHECK_P4: fffff8027d7712b4
WRITE_ADDRESS:  ffffd3252e352f70 Nonpaged pool
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME:  System
TRAP_FRAME:  fffff40e509978c0 – (.trap 0xfffff40e509978c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000097ffffff68 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8027d7712b4 rsp=fffff40e50997a50 rbp=fffff40e50997de0
 r8=0000000000000006  r9=0000000000000000 r10=0000000000000011
r11=ffffd28d2e353000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
tcpip!IpFlcReceivePreValidatedPackets+0x974:
fffff802`7d7712b4 4e894c1808      mov     qword ptr [rax+r11+8],r9 ds:ffffd325`2e352f70=????????????????

Environment

Windows 10 post 1909LTS, Windows 11

Cause

The Realtek network adapter on the device with the BSOD is handing the Symantec Endpoint Protection TEEFER.SYS network filter driver a improper NBL NDIS_RECEIVE_FLAGS_RESOURCES flag while processing network frames.

(https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ndis/nc-ndis-filter_receive_net_buffer_lists)

This incomplete buffer list and flag when in conjunction with SEP's Teefer.sys filter driver in user mode causes a memory return\freeing action to a improperly addressed memory space and the BSOD occurs.

This issue is has not been seen to occur with OLDER driver revisions of the Realtek driver stack.



Resolution

There are two workarounds until the Realtek driver is updated to properly validate network frames and apply the correct NBL NDIS_RECEIVE_FLAGS_RESOURCES flag and validate packets for malformation.

1. Update Realtek driver to the latest release. 

2. Back date the Realtek driver to a previous version where the issue no longer occurs.  Backdating the driver will correct the NBL NDIS_RECEIVE_FLAGS_RESOURCES flag setting and NDIS packet validation, ensuring the Windows network stack forwards a correct NBL and correctly formatted packets to the Symantec Teefer.sys driver.  This will prevent Teefer.sys from attempting freeing/memory allocation actions based on incorrect data from the Realtek driver.

3. Enable Kernel Caching in the Symantec Endpoint Protection product as a compatibility workaround.  This will allow the SEP Teefer driver to handle the malformed packets and improperly set NBL NDIS_RECEIVE_FLAGS_RESOURCES flags,  But will require disabling certain features in the KB link at the bottom of the page.

Realtek is currently working on QA of a driver that will be released to resolve this issue, and this document will be updated when it has been released to reflect this. 

Additional Information

Enabling Kernel Cache mode for SEP and SESC:
https://knowledge.broadcom.com/external/article/157551/smb-transfer-speeds-decrease-after-insta.html

 

*** Realtek is a IP and chipset vendor and as such the driver may not be labeled as a Realtek driver. As an example Lenovo renames the driver and network adapter.  it may be required to view the driver details in the Device manger to properly identify the chipset.