bsod on ucx01000.sys

Hello, my USB filter driver works fine on Windows < 8.1, but on 8.1 it causes a BSOD when I try to send a URB from the IRP_MJ_START callback.

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffffffffffffb48, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80061e8a066, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)

Debugging Details:

READ_ADDRESS: fffffffffffffb48

FAULTING_IP:
Wdf01000!imp_WdfObjectGetTypedContextWorker+26
fffff800`61e8a066 4c8b5010 mov r10,qword ptr [rax+10h]

MM_INTERNAL_CODE: 0

IMAGE_NAME: ucx01000.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 530893f5

MODULE_NAME: ucx01000

FAULTING_MODULE: fffff80061e89000 Wdf01000

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: System

CURRENT_IRQL: 0

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre

TRAP_FRAME: ffffd00025275ea0 -- (.trap 0xffffd00025275ea0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffffffffffb38 rbx=0000000000000000 rcx=0000000000000000
rdx=00000000000004c0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80061e8a066 rsp=ffffd00025276030 rbp=000000000000000b
r8=fffff800638f50b0 r9=000000000000000f r10=ffffe0015a8da410
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
Wdf01000!imp_WdfObjectGetTypedContextWorker+0x26:
fffff80061e8a066 4c8b5010 mov r10,qword ptr [rax+10h] ds:fffffffffffffb48=???
Resetting default scope

LOCK_ADDRESS: fffff80263f57cc0 -- (!locks fffff80263f57cc0)

Resource @ nt!PiEngineLock (0xfffff80263f57cc0) Exclusively owned
Contention Count = 1
NumberOfExclusiveWaiters = 1
Threads: ffffe00159f3c880-01<*>
Threads Waiting On Exclusive Access:
ffffe0015a1ae880

1 total locks, 1 locks currently held

PNP_TRIAGE:
Lock address : 0xfffff80263f57cc0
Thread Count : 1
Thread address: 0xffffe00159f3c880
Thread wait : 0x1f4

LAST_CONTROL_TRANSFER: from fffff80263e080e7 to fffff80263dd6fa0

STACK_TEXT:
ffffd00025275cb8 fffff80263e080e7 : 0000000000000050 fffffffffffffb48 0000000000000000 ffffd00025275ea0 : nt!KeBugCheckEx
ffffd00025275cc0 fffff80263cea9c9 : 0000000000000000 ffffe00159f3c880 ffffd00025275ea0 ffffe0015ae7c320 : nt! ?? ::FNODOBFM::`string'+0x20c37
ffffd00025275d60 fffff80263de122f : 0000000000000000 0000000000000000 0000000000000000 ffffd00025275ea0 : nt!MmAccessFault+0x7a9
ffffd00025275ea0 fffff80061e8a066 : fffff80263fcfdc0 0000000000000001 ffffd00000000008 ffffe0015ade0b40 : nt!KiPageFault+0x12f
ffffd00025276030 fffff800638e8a84 : 000000000000000b fffff800638e8cfb 000000000000000b fffff800638e8c00 : Wdf01000!imp_WdfObjectGetTypedContextWorker+0x26
ffffd00025276080 fffff800638dee20 : 00001ffea571b3d8 ffffe0015ade0b40 ffffd00025276140 ffffe0015ade0d78 : ucx01000!Urb_USBPORTStyle_ProcessURB+0x98
ffffd000252760e0 fffff80061e8fd43 : ffffe0015ade0b40 fffff80263ce40b2 000000000000000f ffffe0015a8e4c20 : ucx01000!RootHub_Pdo_EvtInternalDeviceControlIrpPreprocessCallback+0x448
ffffd00025276170 fffff8006357d386 : ffffc001e5a8f057 fffff8006357d386 0000000000000000 fffff8006357d386 : Wdf01000!FxDevice::DispatchWithLock+0xb01
ffffd00025276250 fffff8006357d7cf : 0000000000000000 fffff8006357d73b fffff80063581580 00000000c0000001 : MyDriver!SendAndWaitUrb+0x72
ffffd000252762e0 fffff8006357ed15 : 0000000000000000 ffffc001e5a8f848 0000000000000000 ffffe0015a8e2d30 : MyDriver!GetUsbStringDescriptor+0x77
ffffd000252763e0 fffff8006357e8bc : ffffe0015a8e2d30 ffffc001e5a8f020 0000000000000000 ffffd00025276620 : MyDriver!GetUsbDeviceParameters+0x219
ffffd000252764e0 fffff80063589444 : 0000000000000001 ffffe0015afe21b0 ffffc001e5a8f010 ffffe0015a8e2d30 : MyDriver!InitAndAddPdo+0x93
ffffd00025276530 fffff80264028eea : ffffe0015b3af550 ffffe0015b3ed880 ffffe0015afe2060 0000000000000009 : MyDriver!DispatchPnpRequest+0x1c8 <- IRP_MJ_START
ffffd000252765b0 fffff80263ccdcad : ffffe0015a8e2d30 ffffd00025276659 0000000000000000 fffff8026403fe3c : nt!PnpAsynchronousCall+0x102
ffffd000252765f0 fffff80264029437 : ffffe0015b3ae4d0 ffffe0015b3ae4d0 ffffe0015b3ed880 0000000000000000 : nt!PnpStartDevice+0xc5
ffffd000252766c0 fffff802640295d3 : ffffe0015b3ae4d0 ffffe0015b3ae4d0 0000000000000000 ffffe0015b3ae4d0 : nt!PnpStartDeviceNode+0x147
ffffd00025276790 fffff80264037d0b : ffffe0015b3ae4d0 0000000000000001 0000000000000001 ffffe0015956ed30 : nt!PipProcessStartPhase1+0x5f
ffffd000252767d0 fffff8026419e113 : ffffe001594fa1a0 0000000000000001 0000000000000000 fffff80264043ef6 : nt!PipProcessDevNodeTree+0x403
ffffd00025276a50 fffff80263d79a84 : 0000000100000003 0000000000000000 0000000000000000 ffffe00159f3c9c0 : nt!PiProcessStartSystemDevices+0x87
ffffd00025276aa0 fffff80263cd6adb : fffff80263d796c4 ffffd00025276bd0 0000000000000000 ffffe00163734943 : nt!PnpDeviceActionWorker+0x3c0
ffffd00025276b50 fffff80263d52794 : 0000000000000000 ffffe00159f3c880 ffffe00159f3c880 ffffe00159436900 : nt!ExpWorkerThread+0x293
ffffd00025276c00 fffff80263ddd5c6 : fffff80263f69180 ffffe00159f3c880 ffffe0015951c880 0000000000000000 : nt!PspSystemThreadStartup+0x58
ffffd00025276c60 0000000000000000 : ffffd00025277000 ffffd00025271000 0000000000000000 00000000`00000000 : nt!KiStartSystemThread+0x16

xxxxx@gmail.com wrote:

Hello, my USB filter driver works fine on Windows < 8.1, but on 8.1 it causes a BSOD when I try to send a URB from the IRP_MJ_START callback.

What kind of device are you filtering? Are you upper or lower filter?
How did you load it?

The stack trace here shows that you have been called directly by PnP,
but what you’re sending is going straight to the xHCI host controller
extension driver. I can’t imagine how you could take that path without
passing through a function driver or a hub driver first.

(Minor nitpick: it’s IRP_MN_START, not MJ. That’s a subfunction of
IRP_MJ_PNP.)


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Are you trying to send an URB before or after the lower driver(s) completed the START IRP?

Tim Roberts, I use an upper USB filter.
Alex Grig, I send the URB after the lower drivers have completed the START IRP.
This situation happens only on Win 8.1.

xxxxx@gmail.com wrote:

Tim Roberts, I use an upper USB filter.

Upper filter to what, exactly? The fact that you are sending directly
to the host controller is very suspicious.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Upper filter for USB devices (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}).
What is suspicious about sending directly to the host controller? I get the PDO from AddDevice().

Formally, the URB interface is only defined for the client devices that sit on USBHUB.SYS (or USBHUB3.SYS for USB 3.0). No client driver sits directly on the host driver, and you should not try to send the URBs there.

xxxxx@gmail.com wrote:

Upper filter for USB devices (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}).
What is suspicious about sending directly to the host controller? I get the PDO from AddDevice().

The one question you’ve never answered is WHAT ARE YOU TRYING TO ACCOMPLISH?

The class GUID you have there is, indeed, the GUID for all USB hubs and
host controllers, but those two types of devices have different
requirements in the URBs. You can’t just send an arbitrary URB into the
host controller. There’s information you need to know to fill in the
fields, like the configuration handle and endpoint handles. You won’t
have that information unless you have intercepted requests setting up
the device.

Exactly which URB are you trying to send?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

The response is probably in the SendAndWaitUrb details.

Thanks for the help, guys! I simply get the serial number from all USB devices.
But I have other questions:
How can I get the serial number for a USB controller? And how can I determine whether a PDO belongs to a host controller, not a hub?

  1. there is no reason to suspect that a host controller has a serial number.
  2. the host controller only creates root hub pdos. The hardware ids for a
    controller enumerated pdo are going to contain something like ROOT_HUB.

Mark Roddy

On Thu, Sep 18, 2014 at 4:09 AM, wrote:

> Thanks for the help, guys! I simply get the serial number from all USB devices.
> But I have other questions:
> How can I get the serial number for a USB controller? And how can I determine
> whether a PDO belongs to a host controller, not a hub?

xxxxx@gmail.com wrote:

Thanks for the help, guys! I simply get the serial number from all USB devices.
But I have other questions:
How can I get the serial number for a USB controller? And how can I determine whether a PDO belongs to a host controller, not a hub?

Host controllers do not have descriptors, so the concept of a serial
number does not apply.

The hardware ID for a host controller will be PCI\VEN_…, whereas the
hardware ID for a hub will be USB\VID_… or USB\ROOT_HUB.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
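Mark's and Tim's answers above reduce to a check on the hardware-ID list, so here is that check written out as an added example (it is not code from the thread or from the poster's driver). The input is a buffer in the REG_MULTI_SZ layout that a driver gets from IoGetDeviceProperty(pdo, DevicePropertyHardwareID, ...): a host controller is PCI\VEN_..., the PDO a controller enumerates is USB\ROOT_HUB..., and a device or external hub below usbhub/usbhub3 is USB\VID_.... The code uses a 16-bit character type and u"" literals so the logic compiles and runs in user mode; the type and function names and the sample ID lists (including their vendor/product numbers) are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same width as the kernel's WCHAR and C11 char16_t, so u"" literals initialise it. */
typedef uint_least16_t usb_wchar;

/* Kinds of PnP device a USB-class upper filter can find itself attached to. */
typedef enum usb_node_kind {
    USB_NODE_UNKNOWN = 0,
    USB_NODE_HOST_CONTROLLER,  /* PCI\VEN_...: no USB descriptors, no serial number */
    USB_NODE_ROOT_HUB,         /* USB\ROOT_HUB...: the only PDO a controller enumerates */
    USB_NODE_CLIENT_DEVICE     /* USB\VID_...: device or external hub below the hub driver */
} usb_node_kind;

/* ASCII case-insensitive prefix test of a UTF-16 string against a narrow prefix.
   Stops at the string's terminator, so a short string never matches a longer prefix. */
static int u16_has_prefix_ci(const usb_wchar *s, const char *prefix)
{
    for (; *prefix != '\0'; ++s, ++prefix) {
        unsigned c = *s;
        unsigned p = (unsigned char)*prefix;
        if (c >= 'a' && c <= 'z') c -= 'a' - 'A';
        if (p >= 'a' && p <= 'z') p -= 'a' - 'A';
        if (c != p) return 0;
    }
    return 1;
}

/* Classify one hardware ID by the bus prefixes named in the thread. */
usb_node_kind classify_hardware_id(const usb_wchar *hwid)
{
    if (u16_has_prefix_ci(hwid, "PCI\\VEN_"))     return USB_NODE_HOST_CONTROLLER;
    if (u16_has_prefix_ci(hwid, "USB\\ROOT_HUB")) return USB_NODE_ROOT_HUB;
    if (u16_has_prefix_ci(hwid, "USB\\VID_"))     return USB_NODE_CLIENT_DEVICE;
    return USB_NODE_UNKNOWN;
}

/* Walk a REG_MULTI_SZ list: NUL-terminated strings, ended by an empty string.
   The bus driver lists the most specific ID first, so the first match wins. */
usb_node_kind classify_multi_sz(const usb_wchar *multi_sz)
{
    for (const usb_wchar *p = multi_sz; *p != 0; ) {
        usb_node_kind k = classify_hardware_id(p);
        if (k != USB_NODE_UNKNOWN) return k;
        while (*p != 0) ++p;   /* skip the rest of this ID */
        ++p;                   /* step over its terminator */
    }
    return USB_NODE_UNKNOWN;
}

/* The URB interface is only defined for devices that sit below usbhub/usbhub3. */
int is_usb_client_device(usb_node_kind k)
{
    return k == USB_NODE_CLIENT_DEVICE;
}

/* Constructed sample ID lists in REG_MULTI_SZ layout. The numbers are made up;
   the explicit "\0" plus the literal's own terminator form the closing empty string. */
static const usb_wchar SAMPLE_CONTROLLER_IDS[] =
    u"PCI\\VEN_1234&DEV_5678&SUBSYS_00001234&REV_01\0PCI\\VEN_1234&DEV_5678\0";
static const usb_wchar SAMPLE_ROOT_HUB_IDS[] =
    u"USB\\ROOT_HUB30&VID1234&PID5678&REV0001\0USB\\ROOT_HUB30\0";
static const usb_wchar SAMPLE_DEVICE_IDS[] =
    u"USB\\VID_1234&PID_ABCD&REV_0100\0USB\\VID_1234&PID_ABCD\0";
static const usb_wchar SAMPLE_UNRELATED_IDS[] = u"ACPI\\PNP0A08\0";

int main(void)
{
    static const char *names[] = { "unknown", "host controller", "root hub", "client device" };
    const usb_wchar *lists[] = { SAMPLE_CONTROLLER_IDS, SAMPLE_ROOT_HUB_IDS,
                                 SAMPLE_DEVICE_IDS, SAMPLE_UNRELATED_IDS };
    for (size_t i = 0; i < sizeof lists / sizeof lists[0]; ++i) {
        usb_node_kind k = classify_multi_sz(lists[i]);
        printf("list %zu: %s, URBs allowed: %s\n", i, names[k],
               is_usb_client_device(k) ? "yes" : "no");
    }
    return 0;
}
```

In a driver the buffer would come from IoGetDeviceProperty on the PDO handed to AddDevice, and only a USB_NODE_CLIENT_DEVICE result is a stack where asking for a string descriptor makes sense; a root hub or controller PDO gets no URBs, which is the decision the thread says is missing before SendAndWaitUrb.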

A lot of PCIe devices do have serial numbers. And the PnP subsystem now uses that serial number to generate the instance id.

Jan
