Hi All,
While Experimenting with WDF I came across Different Scenario . My driver created a WDF Request object . And I Formatted the request with preallcoated Buffer using the macro WdfIoTargetFormatRequestForInternalIoctl. When i try to retrieve the buffer using WdfRequestRetrieveInputBuffer ,the system crashing with Bugcheck of 0xD1.
I analyzed the Bug , the buffer pointer was correct in IRP_MJ_INTERNAL_DEVICE_CONTROL location in IRP. Here am sending the !analyze -v report along with Wdfkd outputs.
My question is ,why WdfRequestRetrieveInputBuffer giving bugcheck while Creation of WDF Request and retrieval of Buffer in same driver ? I tried this experiment in MSDN sample NetVmini.
*** Fatal System Error: 0x000000d1
(0x000000000000000A,0x0000000000000002,0x0000000000000000,0xFFFFF88000E87807)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows 7 7601 x64 target at (Thu Nov 14 17:14:54.550 2013 (UTC + 5:30)), ptr64 TRUE
Loading Kernel Symbols
…
…
…
Loading User Symbols
Loading unloaded module list
…
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {a, 2, 0, fffff88000e87807}
Probably caused by : netvmini620.sys ( netvmini620!WdfRequestRetrieveInputBuffer+3e )
Followup: MachineOwner
nt!RtlpBreakWithStatusInstruction:
fffff800`02880490 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000000000000a, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88000e87807, address which referenced memory
Debugging Details:
READ_ADDRESS: 000000000000000a
CURRENT_IRQL: 2
FAULTING_IP:
Wdf01000!FxRequest::GetMemoryObject+41b
fffff880`00e87807 664439490a cmp word ptr [rcx+0Ah],r9w
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: System
TRAP_FRAME: fffff88002f9cd30 – (.trap 0xfffff88002f9cd30)
.trap 0xfffff88002f9cd30
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000057ffe7792e8 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88000e87807 rsp=fffff88002f9cec0 rbp=0000057ffe779200
r8=fffff88002f9cf77 r9=0000000000000000 r10=fffffa8001886d10
r11=fffff88002f9cc40 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
Wdf01000!FxRequest::GetMemoryObject+0x41b:
fffff88000e87807 664439490a cmp word ptr [rcx+0Ah],r9w ds:00000000
0000000a=???
.trap
Resetting default scope
LOCK_ADDRESS: fffff80002a84440 – (!locks fffff80002a84440)
!locks fffff80002a84440
Resource @ nt!PiEngineLock (0xfffff80002a84440) Exclusively owned
Contention Count = 5
Threads: fffffa80009c3b60-01<*>
1 total locks, 1 locks currently held
PNP_TRIAGE:
Lock address : 0xfffff80002a84440
Thread Count : 1
Thread address: 0xfffffa80009c3b60
Thread wait : 0x18a0d
LAST_CONTROL_TRANSFER: from fffff8000296fd92 to fffff80002880490
STACK_TEXT:
fffff88002f9c478 fffff800
0296fd92 : 000000000000000a fffffa80
009c3b60 0000000000000065 fffff800
028c4178 : nt!RtlpBreakWithStatusInstruction
fffff88002f9c480 fffff800
02970b7e : 0000000000000003 00000000
00000000 fffff800028c49d0 00000000
000000d1 : nt!KiBugCheckDebugBreak+0x12
fffff88002f9c4e0 fffff800
02888744 : 0000000000000000 00001f80
018b0635 0000000000000000 fffff800
02832790 : nt!KeBugCheck2+0x71e
fffff88002f9cbb0 fffff800
02887be9 : 000000000000000a 00000000
0000000a 0000000000000002 00000000
00000000 : nt!KeBugCheckEx+0x104
fffff88002f9cbf0 fffff800
02886860 : 0000000000000000 00000000
00000000 0000000000000000 fffffa80
01886d10 : nt!KiBugCheckDispatch+0x69
fffff88002f9cd30 fffff880
00e87807 : fffffa8001905ed8 00000000
0000000f 0000000000000000 fffffa80
01886d10 : nt!KiPageFault+0x260
fffff88002f9cec0 fffff880
00e7779e : 0000000000000000 fffff880
02f9cfe8 fffff88002f9d088 fffff880
00e5ffe0 : Wdf01000!FxRequest::GetMemoryObject+0x41b
fffff88002f9cf50 fffff880
03873d4e : fffffa8001886d10 00000000
00000000 0000000000000014 fffff880
03888f19 : Wdf01000!imp_WdfRequestRetrieveInputBuffer+0x142
fffff88002f9cfe0 fffff880
03888f3e : 0000057ffe7792e8 00000000
00000018 fffff88002f9d098 fffff880
02f9d088 : netvmini620!WdfRequestRetrieveInputBuffer+0x3e [c:\winddk\7600.16385.1\inc\wdf\kmdf\1.9\wdfrequest.h @ 1168]
fffff88002f9d020 fffff880
014aede5 : fffffa8000e331a0 fffff880
03886100 fffff88002f9d330 fffffa80
00b9c5d0 : netvmini620!MPInitializeEx+0x45e [c:\shared\netvmini\6x\adapter.c @ 288]
fffff88002f9d270 fffff880
014ae683 : fffffa8002678120 fffffa80
00b17020 0000000000000000 01cee12c
e8a206e6 : ndis!ndisMInitializeAdapter+0x695
fffff88002f9d630 fffff880
014b076c : fffffa8002678120 fffffa80
00e33050 0000000000000000 fffffa80
00c4a7d0 : ndis!ndisInitializeAdapter+0x113
fffff88002f9d690 fffff880
014ae356 : fffffa8000e331a0 fffffa80
02678120 0000000000000000 ffff2466
7b64d6c5 : ndis!ndisPnPStartDevice+0xac
fffff88002f9d6f0 fffff800
02c3f17e : 0000000000000000 fffffa80
02678120 fffffa8000e33050 fffff880
02f9d820 : ndis!ndisPnPDispatch+0x246
fffff88002f9d790 fffff800
02975b2d : fffffa8000c4a7d0 fffffa80
014e6e30 fffff8000297f250 00000000
00000000 : nt!PnpAsynchronousCall+0xce
fffff88002f9d7d0 fffff800
02c4e4c6 : fffff80002a84200 fffffa80
00afcb80 fffffa80014e6e30 fffffa80
00afcd28 : nt!PnpStartDevice+0x11d
fffff88002f9d890 fffff800
02c4e764 : fffffa8000afcb80 fffffa80
00af0011 fffffa8000afcb80 00000000
00000001 : nt!PnpStartDeviceNode+0x156
fffff88002f9d920 fffff800
02c71e96 : fffffa8000afcb80 fffffa80
00afcb80 0000000000000000 00000000
00000000 : nt!PipProcessStartPhase1+0x74
fffff88002f9d950 fffff800
02c72287 : fffffa8000afcb80 00000000
00000001 0000000000000001 fffff800
02af3c38 : nt!PipProcessDevNodeTree+0x296
fffff88002f9dbc0 fffff800
02981b83 : 0000000100000003 00000000
00000000 0000000000000001 00000000
00000000 : nt!PiRestartDevice+0xc7
fffff88002f9dc10 fffff800
02892a21 : fffff80002981870 fffff800
02a25601 fffffa80009c3b00 00000000
00000000 : nt!PnpDeviceActionWorker+0x313
fffff88002f9dcb0 fffff800
02b25cce : 0000000000000000 fffffa80
009c3b60 0000000000000080 fffffa80
0093a890 : nt!ExpWorkerThread+0x111
fffff88002f9dd40 fffff800
02879fe6 : fffff800029fae80 fffffa80
009c3b60 fffffa80009c3040 00000000
00000000 : nt!PspSystemThreadStartup+0x5a
fffff88002f9dd80 00000000
00000000 : fffff88002f9e000 fffff880
02f98000 fffff88002f9c1b0 00000000
00000000 : nt!KxStartSystemThread+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
netvmini620!WdfRequestRetrieveInputBuffer+3e [c:\winddk\7600.16385.1\inc\wdf\kmdf\1.9\wdfrequest.h @ 1168]
fffff880`03873d4e 4883c438 add rsp,38h
FAULTING_SOURCE_CODE:
1164: size_t* Length
1165: )
1166: {
1167: return ((PFN_WDFREQUESTRETRIEVEINPUTBUFFER) WdfFunctions[WdfRequestRetrieveInputBufferTableIndex])(WdfDriverGlobals, Request, MinimumRequiredLength, Buffer, Length);
1168: }
1169:
1170: //
1171: // WDF Function: WdfRequestRetrieveOutputBuffer
1172: //
1173: typedef
SYMBOL_STACK_INDEX: 8
SYMBOL_NAME: netvmini620!WdfRequestRetrieveInputBuffer+3e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: netvmini620
IMAGE_NAME: netvmini620.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5284a852
FAILURE_BUCKET_ID: X64_0xD1_netvmini620!WdfRequestRetrieveInputBuffer+3e
BUCKET_ID: X64_0xD1_netvmini620!WdfRequestRetrieveInputBuffer+3e
Followup: MachineOwner
The WDf kd outputs are :
d> !wdfkd.wdfdriverinfo netvmini620.sys 0x10
Default driver image name: netvmini620
WDF library image name: Wdf01000
FxDriverGlobals 0xfffffa8000c03220
WdfBindInfo 0xfffff88003885110
Version v1.9 build(7600)
Driver Handles:
!WDFDRIVER 0x0000057fff276538
!WDFDEVICE 0x0000057fff20d988
!WDFIOTARGET 0x0000057fff545bc8
!WDFMEMORY 0x0000057fff37bc18
!WDFREQUEST 0x0000057ffe7792e8
kd> !WDFREQUEST 0x0000057ffe7792e8
!IRP 0xfffffa8001905dc0
State: Allocated by driver, IRP allocated by WDF
kd> !IRP 0xfffffa8001905dc0 1
Irp is active with 1 stacks 2 is current (= 0xfffffa8001905ed8)
No Mdl: No System Buffer: Thread 00000000: Irp is completed.
Flags = 00000000
ThreadListEntry.Flink = fffffa8001905de0
ThreadListEntry.Blink = fffffa8001905de0
IoStatus.Status = 00000000
IoStatus.Information = 00000000
RequestorMode = 00000000
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 00000000
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 00000000
&Tail.Overlay.DeviceQueueEntry = fffffa8001905e38
Tail.Overlay.Thread = 00000000
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = fffffa8001905ed8
Tail.Overlay.OriginalFileObject = 00000000
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
cmd flg cl Device File Completion-Context
[f, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000018 00122043 fffffa80018d7970