Bugcheck: DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS

Adam_Xue · June 16, 2006, 9:00pm

Hi, All,

My driver got BSOD while the device is resetting. The dump file for me looks
like the driver was unloaded but I/O manager still try to call my driver’s
DispatchPnP
routine. How could that happen? Any ideas to debug it?

My device is a cardbus card with a USB controller.

1: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
The broken driver’s name is displayed on the screen.
Arguments:
Arg1: b405c5f0, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: b405c5f0, If non-zero, the instruction address which referenced the
bad memory
address.
Arg4: 00000000, Mm internal code.

Debugging Details:

*** Error in in reading nt!_ETHREAD @ 00000000
*** Error in in reading nt!_ETHREAD @ 00000000
*** Error in in reading nt!_ETHREAD @ 00000000

READ_ADDRESS: b405c5f0

FAULTING_IP:
swumx20+65f0
b405c5f0 ?? ???

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xCE

LOCK_ADDRESS: 80560560 – (!locks 80560560)

Resource @ nt!IopDeviceTreeLock (0x80560560) Shared 1 owning threads
Contention Count = 81
Threads: 8a3fe3c8-01<*>
1 total locks, 1 locks currently held

PNP_TRIAGE:
Lock address : 0x80560560
Thread Count : 1
Thread address: 0x8a3fe3c8
Thread wait : 0x1dc35

IP_MODULE_UNLOADED:
devdriver+65f0
b405c5f0 ?? ???

LAST_CONTROL_TRANSFER: from 80528ef8 to 805371aa

FAILED_INSTRUCTION_ADDRESS:
devdriver+65f0
b405c5f0 ?? ???

STACK_TEXT:
f78eeacc 80528ef8 00000050 b405c5f0 00000000 nt!KeBugCheckEx+0x1b
f78eeb1c 804e0944 00000000 b405c5f0 00000000 nt!MmAccessFault+0x77e
f78eeb1c b405c5f0 00000000 b405c5f0 00000000 nt!KiTrap0E+0xd0
WARNING: Frame IP not in any known module. Following frames may be wrong.
f78eeba4 804e13d9 89655028 8a1d5650 f78eec30 <unloaded_devdriver.sys>+0x65f0
; This is my driver’s DispatchPnP routine
f78eebb4 8059e86e 8983faa8 8983faa8 00000002 nt!IopfCallDriver+0x31
f78eebe0 805aa766 89655028 f78eec0c 00000000 nt!IopSynchronousCall+0xb7
f78eec34 8050e5a9 8983faa8 00000002 00000000 nt!IopRemoveDevice+0x93
f78eec5c 805ab78e e2c93858 0000001f e2f2e2d8
nt!IopRemoveLockedDeviceNode+0x160
f78eec74 805aaa3c 897c43b0 00000002 e2f2e2d8
nt!IopDeleteLockedDeviceNode+0x34
f78eeca8 805f7114 8983faa8 02f2e2d8 00000002
nt!IopDeleteLockedDeviceNodes+0x3f
f78eed3c 805aad99 f78eed78 806ff974 e3abf228
nt!PiProcessQueryRemoveAndEject+0x76b
f78eed58 805a018f f78eed78 89d95828 805694fc
nt!PiProcessTargetDeviceEvent+0x2a
f78eed7c 804e23b5 89d95828 00000000 8a3fe3c8 nt!PiWalkDeviceList+0x122
f78eedac 80574128 89d95828 00000000 00000000 nt!ExpWorkerThread+0xef
f78eeddc 804efc81 804e22f1 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
devdriver+65f0
b405c5f0 ?? ???

FAULTING_SOURCE_CODE:

SYMBOL_STACK_INDEX: 3

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: devdriver+65f0

MODULE_NAME: devdriver

IMAGE_NAME: devdriver.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAILURE_BUCKET_ID: 0xCE_BAD_IP_devdriver+65f0

BUCKET_ID: 0xCE_BAD_IP_devdriver+65f0

Followup: MachineOwner
---------</unloaded_devdriver.sys>

Doron_Holan · June 16, 2006, 11:03pm

If mismanage your object reference counts (e.g.
ObReferenceDereferenceObject) and remove too many references, the call
to IoDeleteDevice/IoWMIRegistrationControl can cause a driver unload
prematurely.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Adam Xue
Sent: Friday, June 16, 2006 6:00 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Bugcheck:
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS

Hi, All,

My driver got BSOD while the device is resetting. The dump file for me
looks
like the driver was unloaded but I/O manager still try to call my
driver’s
DispatchPnP
routine. How could that happen? Any ideas to debug it?

My device is a cardbus card with a USB controller.

1: kd> !analyze -v
************************************************************************
*******
*
*
* Bugcheck Analysis
*
*
*
************************************************************************
*******

DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
The broken driver’s name is displayed on the screen.
Arguments:
Arg1: b405c5f0, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: b405c5f0, If non-zero, the instruction address which referenced
the
bad memory
address.
Arg4: 00000000, Mm internal code.

Debugging Details:

*** Error in in reading nt!_ETHREAD @ 00000000
*** Error in in reading nt!_ETHREAD @ 00000000
*** Error in in reading nt!_ETHREAD @ 00000000

READ_ADDRESS: b405c5f0

FAULTING_IP:
swumx20+65f0
b405c5f0 ?? ???

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xCE

LOCK_ADDRESS: 80560560 – (!locks 80560560)

Resource @ nt!IopDeviceTreeLock (0x80560560) Shared 1 owning threads
Contention Count = 81
Threads: 8a3fe3c8-01<*>
1 total locks, 1 locks currently held

PNP_TRIAGE:
Lock address : 0x80560560
Thread Count : 1
Thread address: 0x8a3fe3c8
Thread wait : 0x1dc35

IP_MODULE_UNLOADED:
devdriver+65f0
b405c5f0 ?? ???

LAST_CONTROL_TRANSFER: from 80528ef8 to 805371aa

FAILED_INSTRUCTION_ADDRESS:
devdriver+65f0
b405c5f0 ?? ???

STACK_TEXT:
f78eeacc 80528ef8 00000050 b405c5f0 00000000 nt!KeBugCheckEx+0x1b
f78eeb1c 804e0944 00000000 b405c5f0 00000000 nt!MmAccessFault+0x77e
f78eeb1c b405c5f0 00000000 b405c5f0 00000000 nt!KiTrap0E+0xd0
WARNING: Frame IP not in any known module. Following frames may be
wrong.
f78eeba4 804e13d9 89655028 8a1d5650 f78eec30
<unloaded_devdriver.sys>+0x65f0
; This is my driver’s DispatchPnP routine
f78eebb4 8059e86e 8983faa8 8983faa8 00000002 nt!IopfCallDriver+0x31
f78eebe0 805aa766 89655028 f78eec0c 00000000 nt!IopSynchronousCall+0xb7
f78eec34 8050e5a9 8983faa8 00000002 00000000 nt!IopRemoveDevice+0x93
f78eec5c 805ab78e e2c93858 0000001f e2f2e2d8
nt!IopRemoveLockedDeviceNode+0x160
f78eec74 805aaa3c 897c43b0 00000002 e2f2e2d8
nt!IopDeleteLockedDeviceNode+0x34
f78eeca8 805f7114 8983faa8 02f2e2d8 00000002
nt!IopDeleteLockedDeviceNodes+0x3f
f78eed3c 805aad99 f78eed78 806ff974 e3abf228
nt!PiProcessQueryRemoveAndEject+0x76b
f78eed58 805a018f f78eed78 89d95828 805694fc
nt!PiProcessTargetDeviceEvent+0x2a
f78eed7c 804e23b5 89d95828 00000000 8a3fe3c8 nt!PiWalkDeviceList+0x122
f78eedac 80574128 89d95828 00000000 00000000 nt!ExpWorkerThread+0xef
f78eeddc 804efc81 804e22f1 00000001 00000000
nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
devdriver+65f0
b405c5f0 ?? ???

FAULTING_SOURCE_CODE:

SYMBOL_STACK_INDEX: 3

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: devdriver+65f0

MODULE_NAME: devdriver

IMAGE_NAME: devdriver.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAILURE_BUCKET_ID: 0xCE_BAD_IP_devdriver+65f0

BUCKET_ID: 0xCE_BAD_IP_devdriver+65f0

Followup: MachineOwner
---------

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer</unloaded_devdriver.sys>