Crash in usbhub.sys

Hi

I am writing a USB function driver and I am using a
modified bulkusb example from Windows 2003 DDK.
However, I am getting an intermittent crash when more
than one of my devices is connected, removed and
reconnected rapidly. I am surprised that my driver
is not even in the stack list. I am using Windows XP
SP2. Here is the stack dump. Is this a known issue?

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 804e13c0, The address that the exception occurred at
Arg3: f8a8fa28, Exception Record Address
Arg4: f8a8f724, Context Record Address

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!IopfCallDriver+28
804e13c0 8b7108 mov esi,dword ptr [ecx+8]

EXCEPTION_RECORD: f8a8fa28 -- (.exr fffffffff8a8fa28)
.exr fffffffff8a8fa28
ExceptionAddress: 804e13c0 (nt!IopfCallDriver+0x00000028)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000008
Attempt to read from address 00000008

CONTEXT: f8a8f724 -- (.cxr fffffffff8a8f724)
.cxr fffffffff8a8f724
eax=0000000f ebx=8255f368 ecx=00000000 edx=82f0fa68 esi=82055b60 edi=82f0fa68
eip=804e13c0 esp=f8a8faf0 ebp=f8a8faf8 iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00210282
nt!IopfCallDriver+0x28:
804e13c0 8b7108          mov     esi,dword ptr [ecx+8] ds:0023:00000008=???
.cxr
Resetting default scope

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS: 00000008

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from f880450a to 804e13c0

STACK_TEXT:
f8a8faf0 f880450a f8a8fb18 f88082d9 82f0fa68 nt!IopfCallDriver+0x28
f8a8faf8 f88082d9 82f0fa68 00000000 82f0fa68 usbhub!USBH_PassIrp+0x18
f8a8fb18 f8808afa 826342d0 82f0fa68 82f0fa68 usbhub!USBH_PdoUrbFilter+0xbd
f8a8fb34 f88061d8 82055b60 82f0fa68 f8a8fb84 usbhub!USBH_PdoDispatch+0x202
f8a8fb44 804e13c9 8255f2b0 82f0fa68 825ebea0 usbhub!USBH_HubDispatch+0x48
f8a8fb54 f880c5d2 82561548 82055b60 00000000 nt!IopfCallDriver+0x31
f8a8fb84 f880c6c8 8255f2b0 82055b60 f8a8fbb0 usbhub!USBH_SyncSubmitUrb+0xd8
f8a8fb94 f8804587 82561490 82055b60 825617c4 usbhub!USBH_FdoSyncSubmitUrb+0x16
f8a8fbb0 f8804c30 82561548 82d5e48c 82561548 usbhub!USBH_AbortInterruptPipe+0x3d
f8a8fbdc f880bbb0 82561500 82e1d49c 82e1d3c0 usbhub!UsbhFdoCleanup+0xf6
f8a8fbf0 f8805f04 82561490 82e1d3c0 82e1d3c0 usbhub!USBH_FdoRemoveDevice+0x64
f8a8fc10 f8806039 82561548 82e1d3c0 00000002 usbhub!USBH_FdoPnP+0xa8
f8a8fc38 f88061ee 82561548 82e1d3c0 f8a8fc84 usbhub!USBH_FdoDispatch+0x63
f8a8fc48 804e13c9 82561490 82e1d3c0 f8a8fcd4 usbhub!USBH_HubDispatch+0x5e
f8a8fc58 8059e866 8255f2b0 8255f2b0 00000002 nt!IopfCallDriver+0x31
f8a8fc84 805aa742 82561490 f8a8fcb0 00000000 nt!IopSynchronousCall+0xb7
f8a8fcd8 80507039 8255f2b0 00000002 00000000 nt!IopRemoveDevice+0x93
f8a8fd00 805ab76a e24fd418 00000018 e1941718 nt!IopRemoveLockedDeviceNode+0x160
f8a8fd18 805aaa18 8208c948 00000002 e1941718 nt!IopDeleteLockedDeviceNode+0x34
f8a8fd4c 805abc54 8255f2b0 02941718 00000002 nt!IopDeleteLockedDeviceNodes+0x3f
f8a8fd7c 804e23a5 825954a8 00000000 82fc6da8 nt!IopDelayedRemoveWorker+0x4b
f8a8fdac 80574128 825954a8 00000000 00000000 nt!ExpWorkerThread+0xef
f8a8fddc 804efc51 804e22e1 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
usbhub!USBH_PassIrp+18
f880450a 5d pop ebp

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: usbhub!USBH_PassIrp+18

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: usbhub

IMAGE_NAME: usbhub.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107d68

STACK_COMMAND: .cxr 0xfffffffff8a8f724 ; kb

FAILURE_BUCKET_ID: 0x7E_usbhub!USBH_PassIrp+18

BUCKET_ID: 0x7E_usbhub!USBH_PassIrp+18

Followup: MachineOwner

Mohan Hegde
Senior Software Engineer
Cepheid INC
Sunnyvale CA 94086



Are you sure you are canceling all I/O when processing IRP_MN_REMOVE_DEVICE? I would recommend that you base your driver on the WDK version of this sample since it is the latest; better yet, base your driver on the KMDF version of this driver. The KMDF version will take care of I/O cancellation and a bunch of other boilerplate code that is in the WDM version. Furthermore, the selective suspend implementation in the WDM version is not that great; the KMDF version has a much better selective suspend implementation.

d

It isn't uncommon that your driver isn't on the crash stack. Check all other threads in the system (!process 0 7 and search for your driver name). Also examine all your devices and their state. Sometimes careful examination of device extensions helps.

From the stack, the problem could be that you haven't cancelled all pending interrupt EP requests before passing the remove IRP down the stack; it is just a guess (based on usbhub!USBH_AbortInterruptPipe+0x3d). You have to wait until all IRPs passed down complete before device removal. If analysis doesn't help and the problem is reproducible, use traces to see what happened before the crash. Such problems are usually caused by race conditions, either in the driver or in the OS.

BTW, apply the BulkUsb bugfixes from WDK 6000 to your code. There are a few, but even with them the code isn't production quality. If you're starting a new project, it is probably a better idea to use KMDF instead.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Mohan Hegde[SMTP:xxxxx@yahoo.com]
Reply To: Windows System Software Devs Interest List
Sent: Friday, March 30, 2007 6:29 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Crash in usbhub.sys




I have applied all WDK patches to bulkusb. Also, I use
IoAcquireRemoveLock and IoReleaseRemoveLock whenever
an IRP is dispatched. IoReleaseRemoveLockAndWait seems
to return in my IRP_MN_REMOVE_DEVICE routine. I am
unable to reproduce this on Windows 2000 machines.

Will the KMDF version support Windows 2000?

Mohan



Yes, it supports Windows 2000.

-----Original Message-----
From: “Mohan Hegde”
To: “Windows System Software Devs Interest List”
Sent: 03/30/07 6:53 AM
Subject: RE:[ntdev] Crash in usbhub.sys


