I’ve encountered a blue screen in WdfUsbTargetDeviceSelectConfig() that I don’t
understand. What’s especially odd is that it will only occur when all of the following
conditions are true:
- The device exposes a non-zero based, non-sequential list of interface descriptors
(such as interfaces 5, 6, and 8).
- The host OS is Windows 2000 (doesn’t occur on Windows XP, haven’t tried Vista).
- There is no USB hub between the machine and the device. Introducing a hub
makes the problem disappear.
I’ve seen two different crash dumps from this problem, so I’ve given both below.
The WDF IFR log says:
---- start of log ----
1: FxPkgPnp::PnpEnterNewState - WDFDEVICE 0x7A94BFE8 !devobj 0x856B5840
entering PnP State WdfDevStatePnpInit from WdfDevStatePnpObjectCreated
2: FxPkgPnp::Dispatch - WDFDEVICE 0x7A94BFE8 !devobj 0x856B5840,
IRP_MJ_PNP, 0x00000000(IRP_MN_START_DEVICE) IRP 0x85781BC8
3: FxPkgPnp::PnpEnterNewState - WDFDEVICE 0x7A94BFE8 !devobj 0x856B5840
entering PnP State WdfDevStatePnpInitStarting from WdfDevStatePnpInit
4: FxPkgPnp::PnpEnterNewState - WDFDEVICE 0x7A94BFE8 !devobj 0x856B5840
entering PnP State WdfDevStatePnpHardwareAvailable from WdfDevStatePnpInitStarting
5: FxIoTarget::SubmitLocked - ignoring WDFIOTARGET 7A94A9C8 state,
sending WDFREQUEST BAF7CA08, state 1
6: FxIoTarget::SubmitLocked - ignoring WDFIOTARGET 7A94A9C8 state,
sending WDFREQUEST BAF7CA08, state 1
---- end of log ----
Blue screen #1 dump:
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1E, {c0000005, 8046ac64, 0, fffb}
Probably caused by : Pool_Corruption ( nt!ExFreePool+b )
Followup: Pool_corruption
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8046ac64, The address that the exception occurred at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 0000fffb, Parameter 1 of the exception
Debugging Details:
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
nt!ExFreePoolWithTag+f2
8046ac64 8a47fa mov al,byte ptr [edi-6]
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 0000fffb
READ_ADDRESS: 0000fffb
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x1E
PROCESS_NAME: System
EXCEPTION_RECORD: eb443714 -- (.exr ffffffffeb443714)
ExceptionAddress: 8046ac64 (nt!ExFreePoolWithTag+0x000000f2)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0000fffb
Attempt to read from address 0000fffb
CONTEXT: eb44336c -- (.cxr ffffffffeb44336c)
eax=00000000 ebx=00000000 ecx=00000000 edx=6e9c0000 esi=e2a9b448 edi=00010001
eip=8046ac64 esp=eb4437dc ebp=eb4437fc iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!ExFreePoolWithTag+0xf2:
8046ac64 8a47fa mov al,byte ptr [edi-6] ds:0023:0000fffb=??
Resetting default scope
LAST_CONTROL_TRANSFER: from 8046aaef to 8046ac64
STACK_TEXT:
eb4437fc 8046aaef 00010001 00000000 eb2caeec nt!ExFreePoolWithTag+0xf2
eb443808 eb2caeec 00010001 eb2cae0e 856dd3b0 nt!ExFreePool+0xb
eb443838 eb2c84d0 85e47030 856a32e8 00010001 USBD!USBD_SelectInterface+0xde
eb443864 eb2c99eb 85e47030 856a32e8 8579b828 USBD!USBD_ProcessURB+0x198
eb443898 eb2c8c38 85e47030 856a32e8 85e470e8 USBD!USBD_FdoDispatch+0x221
eb4438c0 eb2b0409 85e47030 856a32e8 eb4438ec USBD!USBD_Dispatch+0x76
eb4438f4 8041dded 85e47030 856a32e8 856a33bc uhcd!UHCD_Dispatch+0x23
eb443908 eb0c204b 856a32e8 8582c8c8 00220003 nt!IopfCallDriver+0x35
eb44391c eb0c228a 85d7ae28 856a32e8 8582c810 usbhub!USBH_PdoUrbFilter+0xdd
eb443938 eb0c069a 00020a00 856a32e8 eb443990 usbhub!USBH_PdoDispatch+0xd8
eb443948 8041dded 8582c810 856a32e8 bffde44a usbhub!USBH_HubDispatch+0x46
eb44395c bffde471 85e92008 bffde677 85729c50 nt!IopfCallDriver+0x35
eb443964 bffde677 85729c50 856a32e8 85729c50 ACPI!ACPIDispatchForwardIrp+0x27
eb443990 8041dded 85729c50 856a32e8 ba6d6a08 ACPI!ACPIDispatchIrp+0x123
eb4439a4 ba67dbd1 857e20f8 8569dd50 eb443ae4 nt!IopfCallDriver+0x35
eb4439ec ba687312 01443a08 eb443a98 00000000 Wdf01000!FxIoTarget::SubmitSync+0x1f2
eb443ae4 ba687bc0 00000000 857e20d0 eb443c8c Wdf01000!FxUsbDevice::SelectConfig+0x59b
eb443c24 ba681f3b 00000000 eb443c7c 00000000 Wdf01000!FxUsbDevice::SelectConfigMulti+0x2db
eb443c44 ba7bbd6d 8589cd20 7a9622a8 00000000 Wdf01000!imp_WdfUsbTargetDeviceSelectConfig+0x6c9
eb443c5c ba7bbb81 7a9622a8 00000000 eb443c7c xxxccgp!WdfUsbTargetDeviceSelectConfig+0x1d
eb443c90 ba6c207c 7a964fe8 7a872648 7a8725c8 xxxccgp!xxxCcgpEvtDevicePrepareHardware+0x101
eb443cb0 ba6c23ae eb443ccb 00000008 8569bd50 Wdf01000!FxPkgPnp::PnpPrepareHardware+0x7c
eb443ccc ba6c1245 8569bd50 ba6da260 8569bd50 Wdf01000!FxPkgPnp::PnpEventHardwareAvailable+0x6f
eb443cf4 ba6c1fa0 00000108 8569bdfc 8569bd50 Wdf01000!FxPkgPnp::PnpEnterNewState+0x15c
eb443d1c ba6c2323 eb443d4c 80062f58 8569bdf0 Wdf01000!FxPkgPnp::PnpProcessEventInner+0x1f5
eb443d30 ba6c5f34 8569bd50 eb443d4c 8569d8e8 Wdf01000!FxPkgPnp::_PnpProcessEventInner+0x26
eb443d5c ba6c5fa7 85729e50 eb443da8 8042040f Wdf01000!FxEventQueue::EventQueueWorker+0x47
eb443d68 8042040f 85729e50 8569bdf0 8047479c Wdf01000!FxWorkItemEventQueue::_WorkItemCallback+0x1a
eb443d78 80416bfa 8569d8e8 00000000 00000000 nt!IopProcessWorkItem+0xf
eb443da8 80454ab2 8569d8e8 00000000 00000000 nt!ExpWorkerThread+0xae
eb443ddc 804692a2 80416b4c 00000001 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
FOLLOWUP_IP:
nt!ExFreePool+b
8046aaef c20400 ret 4
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!ExFreePool+b
FOLLOWUP_NAME: Pool_corruption
IMAGE_NAME: Pool_Corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MODULE_NAME: Pool_Corruption
STACK_COMMAND: .cxr 0xffffffffeb44336c ; kb
FAILURE_BUCKET_ID: 0x1E_nt!ExFreePool+b
BUCKET_ID: 0x1E_nt!ExFreePool+b
Followup: Pool_corruption
kd> lmvm Pool_Corruption
start end module name
…
Blue screen #2 dump:
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1E, {c0000005, eb2ca7ca, 0, 901b3}
Probably caused by : USBD.SYS ( USBD!USBD_InternalInterfaceBusy+e )
Followup: MachineOwner
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: eb2ca7ca, The address that the exception occurred at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 000901b3, Parameter 1 of the exception
Debugging Details:
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
USBD!USBD_InternalInterfaceBusy+e
eb2ca7ca 385f0c cmp byte ptr [edi+0Ch],bl
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 000901b3
READ_ADDRESS: 000901b3
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x1E
PROCESS_NAME: System
EXCEPTION_RECORD: eb43f720 -- (.exr ffffffffeb43f720)
ExceptionAddress: eb2ca7ca (USBD!USBD_InternalInterfaceBusy+0x0000000e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 000901b3
Attempt to read from address 000901b3
CONTEXT: eb43f378 -- (.cxr ffffffffeb43f378)
eax=00000006 ebx=00000000 ecx=00000000 edx=0000000c esi=e2a3b208 edi=000901a7
eip=eb2ca7ca esp=eb43f7e8 ebp=eb43f800 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00210246
USBD!USBD_InternalInterfaceBusy+0xe:
eb2ca7ca 385f0c cmp byte ptr [edi+0Ch],bl ds:0023:000901b3=??
Resetting default scope
LAST_CONTROL_TRANSFER: from eb2cae60 to eb2ca7ca
STACK_TEXT:
eb43f800 eb2cae60 857c6c68 85e8b030 000901a7 USBD!USBD_InternalInterfaceBusy+0xe
eb43f838 eb2c84d0 85e8b030 857376e8 856b0450 USBD!USBD_SelectInterface+0x52
eb43f864 eb2c99eb 85e8b030 857376e8 857c6c68 USBD!USBD_ProcessURB+0x198
eb43f898 eb2c8c38 85e8b030 857376e8 85e8b0e8 USBD!USBD_FdoDispatch+0x221
eb43f8c0 eb2b0409 85e8b030 857376e8 eb43f8ec USBD!USBD_Dispatch+0x76
eb43f8f4 8041dded 85e8b030 857376e8 857377bc uhcd!UHCD_Dispatch+0x23
eb43f908 eb0c204b 857376e8 857c05c8 00220003 nt!IopfCallDriver+0x35
eb43f91c eb0c228a 85d84e28 857376e8 857c0510 usbhub!USBH_PdoUrbFilter+0xdd
eb43f938 eb0c069a 00020a00 857376e8 eb43f990 usbhub!USBH_PdoDispatch+0xd8
eb43f948 8041dded 857c0510 857376e8 bffde44a usbhub!USBH_HubDispatch+0x46
eb43f95c bffde471 85e92008 bffde677 85bf3f10 nt!IopfCallDriver+0x35
eb43f964 bffde677 85bf3f10 857376e8 85bf3f10 ACPI!ACPIDispatchForwardIrp+0x27
eb43f990 8041dded 85bf3f10 857376e8 ba819a08 ACPI!ACPIDispatchIrp+0x123
eb43f9a4 ba7c0bd1 85817eb8 856adef0 eb43fae4 nt!IopfCallDriver+0x35
eb43f9ec ba7ca312 0143fa08 eb43fa98 00000000 Wdf01000!FxIoTarget::SubmitSync+0x1f2
eb43fae4 ba7cabc0 00000000 85817e90 eb43fc8c Wdf01000!FxUsbDevice::SelectConfig+0x59b
eb43fc24 ba7c4f3b 00000000 eb43fc7c 00000000 Wdf01000!FxUsbDevice::SelectConfigMulti+0x2db
eb43fc44 badd7d6d 8588d420 7a952108 00000000 Wdf01000!imp_WdfUsbTargetDeviceSelectConfig+0x6c9
eb43fc5c badd7b81 7a952108 00000000 eb43fc7c xxxccgp!WdfUsbTargetDeviceSelectConfig+0x1d
eb43fc90 ba80507c 7a950fe8 7a9503a8 7a950328 xxxccgp!xxxCcgpEvtDevicePrepareHardware+0x101
eb43fcb0 ba8053ae eb43fccb 00000008 856afd50 Wdf01000!FxPkgPnp::PnpPrepareHardware+0x7c
eb43fccc ba804245 856afd50 ba81d260 856afd50 Wdf01000!FxPkgPnp::PnpEventHardwareAvailable+0x6f
eb43fcf4 ba804fa0 00000108 856afdfc 856afd50 Wdf01000!FxPkgPnp::PnpEnterNewState+0x15c
eb43fd1c ba805323 eb43fd4c 80062f58 856afdf0 Wdf01000!FxPkgPnp::PnpProcessEventInner+0x1f5
eb43fd30 ba808f34 856afd50 eb43fd4c 857c98c8 Wdf01000!FxPkgPnp::_PnpProcessEventInner+0x26
eb43fd5c ba808fa7 85806cb0 eb43fda8 8042040f Wdf01000!FxEventQueue::EventQueueWorker+0x47
eb43fd68 8042040f 85806cb0 856afdf0 8047479c Wdf01000!FxWorkItemEventQueue::_WorkItemCallback+0x1a
eb43fd78 80416bfa 857c98c8 00000000 00000000 nt!IopProcessWorkItem+0xf
eb43fda8 80454ab2 857c98c8 00000000 00000000 nt!ExpWorkerThread+0xae
eb43fddc 804692a2 80416b4c 00000001 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
FOLLOWUP_IP:
USBD!USBD_InternalInterfaceBusy+e
eb2ca7ca 385f0c cmp byte ptr [edi+0Ch],bl
SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: USBD
IMAGE_NAME: USBD.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 3e2ecf5d
SYMBOL_NAME: USBD!USBD_InternalInterfaceBusy+e
STACK_COMMAND: .cxr 0xffffffffeb43f378 ; kb
FAILURE_BUCKET_ID: 0x1E_USBD!USBD_InternalInterfaceBusy+e
BUCKET_ID: 0x1E_USBD!USBD_InternalInterfaceBusy+e
Followup: MachineOwner
-Chris
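The trigger condition named above (interface numbers that are neither zero-based nor sequential, such as 5, 6, 8) can be detected by walking the device's raw configuration descriptor before a select-config call is issued. The check below is an added example, not code from the post or from KMDF; it assumes the caller already has the configuration descriptor bytes (header plus wTotalLength) and treats them as untrusted device input, and the two descriptor blobs are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#define USB_CONFIGURATION_DESCRIPTOR_TYPE 0x02   /* USB 2.0 spec, chapter 9 */
#define USB_INTERFACE_DESCRIPTOR_TYPE     0x04
/* Walk a raw configuration descriptor set, counting alternate-setting-0 interface
 * descriptors and clearing *sequential if their bInterfaceNumber values are not
 * 0, 1, 2, ... in order. Returns the count, or -1 if the blob is malformed. */
int check_interface_numbering(const uint8_t *cfg, size_t len, bool *sequential)
{
    size_t pos = 0, total;
    int count = 0;
    *sequential = true;
    if (len < 9 || cfg[0] < 9 || cfg[1] != USB_CONFIGURATION_DESCRIPTOR_TYPE)
        return -1;
    total = cfg[2] | ((size_t)cfg[3] << 8);          /* wTotalLength, little-endian */
    if (total < 9 || total > len)
        return -1;                                   /* claims more than we have */
    while (pos < total) {
        uint8_t blen = cfg[pos];
        if (blen < 2 || pos + blen > total)          /* zero-length or overrunning */
            return -1;
        if (cfg[pos + 1] == USB_INTERFACE_DESCRIPTOR_TYPE && blen >= 9 &&
            cfg[pos + 3] == 0) {                     /* bAlternateSetting == 0 */
            if (cfg[pos + 2] != count)               /* bInterfaceNumber vs index */
                *sequential = false;
            count++;
        }
        pos += blen;
    }
    return count;
}
/* 1 = zero-based and sequential, 0 = not, -1 = malformed descriptor set. */
int interfaces_are_sequential(const uint8_t *cfg, size_t len)
{
    bool seq; int n = check_interface_numbering(cfg, len, &seq);
    return n < 0 ? -1 : (seq ? 1 : 0);
}
/* Constructed samples, not captured from real hardware: a 9-byte configuration
 * header followed by 9-byte vendor-class (0xFF) interface descriptors. */
static const uint8_t cfg_5_6_8[] = {                 /* interfaces 5, 6, 8; wTotalLength 36 */
    0x09, 0x02, 0x24, 0x00, 0x03, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x05, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00,
    0x09, 0x04, 0x06, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00,
    0x09, 0x04, 0x08, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00 };
static const uint8_t cfg_0_1[] = {                   /* interfaces 0, 1; wTotalLength 27 */
    0x09, 0x02, 0x1B, 0x00, 0x02, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00,
    0x09, 0x04, 0x01, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00 };
```

A driver that finds a non-sequential layout can log it and fall back to the single-interface select path, or at least record the fact in its own trace before the framework call, so a crash like the ones above is correlated with the descriptor layout instead of being bucketed as anonymous pool corruption.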