Lock buffer pages issue in ucx01000.sys when running HLK tests in RS5?

WINDBG
1

Hi experts,
Here is the issue I am seeking help with. There is a Windows 10 filter driver designed and written by someone.

  1. This filter driver is built for RS1 WDK and then works fine on RS1 version of Windows 10. Filter driver also passes HLK tests with HLK Studio of RS1 version.
  2. This same filter driver is now built for RS5 WDK and then works fine on RS5 version of Windows 10. But, filter driver now fails to pass HLK tests with HLK studio of RS5 version.

Failure to pass tests in RS5 version of HLK is manifested as crash in ucx01000.sys. Here is call stack of it

Child-SP RetAddr Call Site

00 fffff685e00a5058 fffff80710f2a572 nt!DbgBreakPointWithStatus
01 fffff685e00a5060 fffff80710f2a179 nt!KiBugCheckDebugBreak+0x12
02 fffff685e00a50c0 fffff80710e4a147 nt!KeBugCheck2+0xdd9
03 fffff685e00a57e0 fffff80710ead321 nt!KeBugCheckEx+0x107
04 fffff685e00a5820 fffff80710ccf9c7 nt!MiSystemFault+0x167d41
05 fffff685e00a5960 fffff80710da0790 nt!MmAccessFault+0x327
06 fffff685e00a5b00 fffff80710ccd949 nt!MiFaultInProbeAddress+0xa4
07 fffff685e00a5bb0 fffff80710cccc74 nt!MiLockPageLeafPageTable+0x279
08 fffff685e00a5c20 fffff80710ccb039 nt!MiProbeAndLockPages+0x154
09 fffff685e00a5d70 fffff803c0d0643a nt!MmProbeAndLockPages+0x29
0a fffff685e00a5da0 fffff803c0d05465 ucx01000!UCX_LockBufferPagesInUrbForDMA+0x52
0b fffff685e00a5de0 fffff803c0d0442a ucx01000!UrbHandler_USBPORTStyle_Legacy_SCT_GetSetDescriptor+0x245
0c fffff685e00a5e90 fffff803c0cf5a13 ucx01000!Urb_USBPORTStyle_ProcessURB+0x362
0d fffff685e00a5ef0 fffff803be031c4e ucx01000!RootHub_Pdo_EvtInternalDeviceControlIrpPreprocessCallback+0x263
0e (Inline Function) ---------------- Wdf01000!PreprocessIrp+0x2e [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1502] 0f (Inline Function) ---------------- Wdf01000!DispatchWorker+0x179 [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1565]
10 (Inline Function) ---------------- Wdf01000!FxDevice::Dispatch+0x197 [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1586] 11 fffff685e00a5f80 fffff80710e06aba Wdf01000!FxDevice::DispatchWithLock+0x1ee [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1430] 12 fffff685e00a5fe0 fffff8071153eef9 nt!IopfCallDriver+0x56 13 fffff685e00a6020 fffff80710eb1ea5 nt!IovCallDriver+0x275 14 fffff685e00a6060 fffff803be20b638 nt!IofCallDriver+0x15dd75 15 fffff685e00a60a0 fffff803be2010ca ACPI!ACPIIrpDispatchDeviceControl+0xa8 16 fffff685e00a60e0 fffff80710e06aba ACPI!ACPIDispatchIrp+0xba 17 fffff685e00a6160 fffff8071153eef9 nt!IopfCallDriver+0x56 18 fffff685e00a61a0 fffff80710eb1ea5 nt!IovCallDriver+0x275 19 fffff685e00a61e0 fffff803c16d6001 nt!IofCallDriver+0x15dd75 1a fffff685e00a6220 fffff803be031c4e UsbHub3!HUBPDO_EvtDeviceWdmIrpPreprocess+0x1081 1b (Inline Function) ---------------- Wdf01000!PreprocessIrp+0x2e [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1502]
1c (Inline Function) ---------------- Wdf01000!DispatchWorker+0x179 [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1565] 1d (Inline Function) ---------------- Wdf01000!FxDevice::Dispatch+0x197 [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1586]
1e fffff685e00a62f0 fffff80710e06aba Wdf01000!FxDevice::DispatchWithLock+0x1ee [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1430]
1f fffff685e00a6350 fffff8071153eef9 nt!IopfCallDriver+0x56
20 fffff685e00a6390 fffff8071154d258 nt!IovCallDriver+0x275
21 fffff685e00a63d0 fffff803be034d82 nt!VerifierIofCallDriver+0x18
22 fffff685e00a6400 fffff803be03ca9a Wdf01000!FxIoTarget::Send+0x12 [minkernel\wdf\framework\shared\inc\private\km\fxiotargetkm.hpp @ 267]
23 fffff685e00a6430 fffff803be09c14a Wdf01000!FxIoTarget::SubmitSync+0x146 [minkernel\wdf\framework\shared\targets\general\fxiotarget.cpp @ 1837]
24 fffff685e00a64f0 fffff803c2eff6ef Wdf01000!imp_WdfUsbTargetDeviceSendUrbSynchronously+0x25a [minkernel\wdf\framework\shared\targets\usb\km\fxusbdeviceapikm.cpp @ 133]
25 fffff685e00a6770 fffff803c2efe62c TLCHIDFilter!WdfUsbTargetDeviceSendUrbSynchronously+0x5f [c:\program files (x86)\windows kits\10\include\wdf\kmdf\1.15\wdfusb.h @ 1557]
26 fffff685e00a67c0 fffff803c2ef2053 TLCHIDFilter!USB$get_hid_report_desc+0x4fc [k:\drivers\tlchidfilter\driver\usb.cpp @ 413]
27 fffff685e00a68d0 fffff803be0489ce TLCHIDFilter!DEV$$power_on+0xc33 [k:\drivers\tlchidfilter\driver\device.cpp @ 534]
28 fffff685e00a6a90 fffff803be04875f Wdf01000!FxPnpDeviceD0Entry::InvokeClient+0x2e [minkernel\wdf\framework\shared\irphandlers\pnp\pnpcallbacks.cpp @ 93]
29 fffff685e00a6af0 fffff803be0afe46 Wdf01000!FxPrePostCallback::InvokeStateful+0x5b [minkernel\wdf\framework\shared\irphandlers\pnp\cxpnppowercallbacks.cpp @ 467]
2a (Inline Function) ---------------- Wdf01000!FxPnpDeviceD0Entry::Invoke+0x19 [minkernel\wdf\framework\shared\irphandlers\pnp\pnpcallbacks.cpp @ 68] 2b fffff685e00a6b30 fffff803be0417e7 Wdf01000!FxPkgPnp::PowerD0Starting+0x46 [minkernel\wdf\framework\shared\irphandlers\pnp\powerstatemachine.cpp @ 2215] 2c (Inline Function) ---------------- Wdf01000!FxPkgPnp::PowerEnterNewState+0x101 [minkernel\wdf\framework\shared\irphandlers\pnp\powerstatemachine.cpp @ 1643]
2d fffff685e00a6b60 fffff803be040bac Wdf01000!FxPkgPnp::PowerProcessEventInner+0x1f7 [minkernel\wdf\framework\shared\irphandlers\pnp\powerstatemachine.cpp @ 1557]
2e fffff685e00a6cd0 fffff803be0bf360 Wdf01000!FxPkgPnp::PowerProcessEvent+0x15c [minkernel\wdf\framework\shared\irphandlers\pnp\powerstatemachine.cpp @ 1338]
2f fffff685e00a6d70 fffff803be0414e3 Wdf01000!FxPkgPnp::NotPowerPolOwnerStarting+0x10 [minkernel\wdf\framework\shared\irphandlers\pnp\notpowerpolicyownerstatemachine.cpp @ 375]
30 (Inline Function) ---------------- Wdf01000!FxPkgPnp::NotPowerPolicyOwnerEnterNewState+0xec [minkernel\wdf\framework\shared\irphandlers\pnp\notpowerpolicyownerstatemachine.cpp @ 333] 31 fffff685e00a6da0 fffff803be040f15 Wdf01000!FxPkgPnp::PowerPolicyProcessEventInner+0x483 [minkernel\wdf\framework\shared\irphandlers\pnp\powerpolicystatemachine.cpp @ 3338] 32 fffff685e00a6f20 fffff803be0acf47 Wdf01000!FxPkgPnp::PowerPolicyProcessEvent+0x155 [minkernel\wdf\framework\shared\irphandlers\pnp\powerpolicystatemachine.cpp @ 3023] 33 (Inline Function) ---------------- Wdf01000!FxPkgPnp::PnpPowerPolicyStart+0xd [minkernel\wdf\framework\shared\irphandlers\pnp\pnpstatemachine.cpp @ 3737]
34 fffff685e00a6fc0 fffff803be0aca87 Wdf01000!FxPkgPnp::PnpEventHardwareAvailable+0xc7 [minkernel\wdf\framework\shared\irphandlers\pnp\pnpstatemachine.cpp @ 1458]
35 fffff685e00a7000 fffff803be0ae842 Wdf01000!FxPkgPnp::PnpEnterNewState+0x17b [minkernel\wdf\framework\shared\irphandlers\pnp\pnpstatemachine.cpp @ 1234]
36 fffff685e00a7090 fffff803be0ae5f2 Wdf01000!FxPkgPnp::PnpProcessEventInner+0x1e6 [minkernel\wdf\framework\shared\irphandlers\pnp\pnpstatemachine.cpp @ 1152]
37 fffff685e00a7110 fffff803be0b5e3e Wdf01000!FxPkgPnp::PnpProcessEvent+0x19a [minkernel\wdf\framework\shared\irphandlers\pnp\pnpstatemachine.cpp @ 933]
38 fffff685e00a71a0 fffff803be032ef4 Wdf01000!FxPkgPnp::_PnpStartDevice+0x1e [minkernel\wdf\framework\shared\irphandlers\pnp\fxpkgpnp.cpp @ 1999]
39 fffff685e00a71d0 fffff803be031b73 Wdf01000!FxPkgPnp::Dispatch+0xb4 [minkernel\wdf\framework\shared\irphandlers\pnp\fxpkgpnp.cpp @ 745]
3a (Inline Function) ---------------- Wdf01000!DispatchWorker+0x9e [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1572] 3b (Inline Function) ---------------- Wdf01000!FxDevice::Dispatch+0xbc [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1586]
3c fffff685e00a7240 fffff80710e06aba Wdf01000!FxDevice::DispatchWithLock+0x113 [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1430]
3d fffff685e00a72a0 fffff8071153eef9 nt!IopfCallDriver+0x56
3e fffff685e00a72e0 fffff80710eb1ea5 nt!IovCallDriver+0x275
3f fffff685e00a7320 fffff803c17fc486 nt!IofCallDriver+0x15dd75
40 fffff685e00a7360 fffff803c03023ca hidusb!HumPnP+0x266
41 fffff685e00a7460 fffff803c032e489 HIDCLASS!HidpCallDriver+0x7a
42 fffff685e00a74c0 fffff803c032e0b0 HIDCLASS!HidpCallDriverSynchronous+0x59
43 fffff685e00a7530 fffff803c032bef9 HIDCLASS!HidpStartDevice+0x90
44 fffff685e00a7580 fffff803c032b07a HIDCLASS!HidpFdoPnp+0x189
45 fffff685e00a75f0 fffff803c0301fe8 HIDCLASS!HidpIrpMajorPnp+0x6a
46 fffff685e00a7630 fffff80710e06aba HIDCLASS!HidpMajorHandler+0xe8
47 fffff685e00a76c0 fffff8071153eef9 nt!IopfCallDriver+0x56
48 fffff685e00a7700 fffff80710eb1ea5 nt!IovCallDriver+0x275
49 fffff685e00a7740 fffff807112fc54e nt!IofCallDriver+0x15dd75
4a fffff685e00a7780 fffff80710d24f01 nt!PnpAsynchronousCall+0xea
4b fffff685e00a77c0 fffff80710dedf58 nt!PnpSendIrp+0x95
4c fffff685e00a7830 fffff807112eaf47 nt!PnpStartDevice+0x88
4d fffff685e00a78c0 fffff807112eb12f nt!PnpStartDeviceNode+0xdb
4e fffff685e00a7950 fffff807112e6278 nt!PipProcessStartPhase1+0x6f
4f fffff685e00a79a0 fffff8071135fbbf nt!PipProcessDevNodeTree+0x3dc
50 fffff685e00a7a60 fffff80710df3081 nt!PiRestartDevice+0xab
51 fffff685e00a7ab0 fffff80710cf611a nt!PnpDeviceActionWorker+0x421
52 fffff685e00a7b70 fffff80710dba6c5 nt!ExpWorkerThread+0x16a
53 fffff685e00a7c10 fffff80710e5149c nt!PspSystemThreadStartup+0x55
54 fffff685e00a7c60 0000000000000000 nt!KiStartSystemThread+0x1c

Since driver verifier passes without issues with this filter driver both on RS1 and on RS5, it may appear to be an issue specific to RS5 HLK tests? Or something is manifested from RS5 version of ucx01000.sys under specific circumstances.

Thanks,
Sergey