Driver crashes if DeviceIoControl with OVERLAPPED structure is called

I have the user application code below, which runs fine without the OVERLAPPED parameter to the DeviceIoControl() call. But I want it to be async, so I am passing an OVERLAPPED structure with an event.
With this additional parameter the driver crashes. I have a driver written with WDF which handles the EvtIoDeviceControl event.

OVERLAPPED *ol = new OVERLAPPED;
ZeroMemory(ol, sizeof(OVERLAPPED));
ol->hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);   // manual-reset event, initially non-signaled

// The buffer pointer and the length must describe the same object; the original passed
// sizeof() of a different, longer literal plus 2, so the length exceeded the buffer.
static const char inputMessage[] = "** Hello from User Mode Buffered I/O";
ZeroMemory(OutputBuffer, sizeof(OutputBuffer));
returnValue = DeviceIoControl(hFile, IOCTL_EXAMPLE_SAMPLE_BUFFERED_IO,
                              (LPVOID)inputMessage, sizeof(inputMessage),   // length includes the terminating NUL
                              OutputBuffer, sizeof(OutputBuffer), &bytesReturned, ol);
// On an overlapped handle, FALSE with GetLastError() == ERROR_IO_PENDING means the request is in flight.

Driver EvtIoDeviceControl handler

void SioctlDeviceControl1(
    IN WDFQUEUE Queue,
    IN WDFREQUEST Request,
    IN size_t OutputBufferLength,
    IN size_t InputBufferLength,
    IN ULONG IoControlCode
    )
{
    // PAGED_CODE() asserts KeGetCurrentIrql() <= APC_LEVEL; it fires if the
    // framework invokes this callback at DISPATCH_LEVEL.
    PAGED_CODE();

    UNREFERENCED_PARAMETER(Queue);
    UNREFERENCED_PARAMETER(OutputBufferLength);
    UNREFERENCED_PARAMETER(InputBufferLength);
    UNREFERENCED_PARAMETER(IoControlCode);

    // Every request presented to the callback must eventually be completed.
    WdfRequestComplete(Request, STATUS_SUCCESS);
}
The driver crashes at the PAGED_CODE() call, which is the first line in the function. I think the IRQL of this call changes if I use the OVERLAPPED parameter.

Can someone please help me solve this exception?

Do I need to set the ExecutionLevel member of the driver's WDF_OBJECT_ATTRIBUTES to some value?

This has nothing to do with overlapped I/O. (As an aside, you must specify the overlapped flag in the call to CreateFile, otherwise it has no effect in the I/O call, and if it is specified in the create call, you must pass an OVERLAPPED for all I/O calls; it is not optional.)

Post the output of !analyze -v. Make sure your symbols and the OS symbols are set up properly. How did you initialize the device? Did you specify sync or execution scopes?

d

Bent from my phone


From: xxxxx@gmail.com
Sent: 4/7/2013 6:12 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Driver crashes if DeviceIoControl with OVERLAPPED structure is called



NTDEV is sponsored by OSR

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Do you have Driver Verifier enabled with Force Pending I/O enabled?

Thanks, Doron.

I have created the file with the OVERLAPPED flag.
// Desired access comes before the share mode; the original passed the share flags as the access mask and 0 as the share mode.
hFile = CreateFile(L"\\\\.\\WFPExampleTest", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
                   NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL);

If it is not related to OVERLAPPED, then why does it work fine without it? Actually it should crash even in sync mode. So I thought it's related to the OVERLAPPED structure.

Here is the debugger output at the time the crashing line executes.

I kept a breakpoint at the PAGED_CODE() line and pressed F10 when the breakpoint was hit. The debugger shows the output below:
3: kd> p
Assertion c:\samples\windows filtering platform sample\c++\sys\framework_wfpsamplercalloutdriver.cpp(2112): KeGetCurrentIrql() <= 1
WFPSamplerCalloutDriver!SioctlDeviceControl1+0x70:
fffff880`06362aa0 cd2c int 2C

Alex, I have enabled it now. How can I use it now to find the issue?
Thank you.

You are being called at dispatch level. Nothing to do with overlapped or not. Show the whole call stack. Sync scope and execution level are important factors in the IRQL you are called at.

d

Bent from my phone


From: xxxxx@gmail.com
Sent: 4/7/2013 8:23 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Driver crashes if DeviceIoControl with OVERLAPPED structure is called


Device creation code: if I understood the code below, I didn't specify any execution scope or sync.

// Initialize the attributes (with the context type) before setting callbacks:
// WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE resets the whole structure, so a callback
// assigned before it is lost. The original initialized twice (CONTROL_DEVICE_EXTENSION,
// then DEVICE_CONTEXT); only the last one takes effect, and DEVICE_CONTEXT is the type
// retrieved below, so that is the one kept.
WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&attributes, DEVICE_CONTEXT);
attributes.EvtCleanupCallback = EventCleanupDeviceObject;

pWDFDeviceInit = WdfControlDeviceInitAllocate(*pWDFDriver, &SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RW_RES_R);
WdfDeviceInitSetExclusive(pWDFDeviceInit, TRUE);          // only one open handle at a time
WdfDeviceInitSetIoType(pWDFDeviceInit, WdfDeviceIoBuffered);
WdfDeviceInitAssignName(pWDFDeviceInit, &ntUnicodeString);
WdfControlDeviceInitSetShutdownNotification(pWDFDeviceInit,
                                            NonPnpShutdown,
                                            WdfDeviceShutdown);

status = WdfDeviceCreate(&pWDFDeviceInit, &attributes, &g_WDFDevice);
if (!NT_SUCCESS(status))
{
    HLPR_BAIL;
}

status = WdfDeviceCreateSymbolicLink(g_WDFDevice, &ntWin32NameString);

deviceContext = WdfObjectGet_DEVICE_CONTEXT(g_WDFDevice);

status = WdfDeviceCreateDeviceInterface(g_WDFDevice,
                                        &GUID_DEVINTERFACE_ECHO,
                                        NULL);            // ReferenceString

WdfDeviceSetDeviceInterfaceState(g_WDFDevice,
                                 &GUID_DEVINTERFACE_ECHO,
                                 NULL,                    // ReferenceString
                                 TRUE);

// Queue initialization (Device is assumed to be the WDFDEVICE handle created above)

WDF_IO_QUEUE_CONFIG_INIT_DEFAULT_QUEUE(&queueConfig, WdfIoQueueDispatchSequential);

queueConfig.EvtIoRead = EchoEvtIoRead;
queueConfig.EvtIoWrite = EchoEvtIoWrite;
queueConfig.EvtIoDeviceControl = SioctlDeviceControl1;

WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&queueAttributes, QUEUE_CONTEXT);
queueAttributes.SynchronizationScope = WdfSynchronizationScopeQueue;
queueAttributes.EvtDestroyCallback = EchoEvtIoQueueContextDestroy;

deviceContext = WdfObjectGet_DEVICE_CONTEXT(Device);

status = WdfIoQueueCreate(Device,
                          &queueConfig,
                          &queueAttributes,
                          &deviceContext->queue);
if (!NT_SUCCESS(status)) {
    KdPrint(("WdfIoQueueCreate failed 0x%x\n", status));
    return status;
}

Detailed crash dump:

3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000420, Exception code that caused the bugcheck
Arg2: fffff88006362aa0, Address of the instruction which caused the bugcheck
Arg3: fffff88007f98ca0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000420 -

FAULTING_IP:
WFPSamplerCalloutDriver!SioctlDeviceControl1+70 [c:\samples\windows filtering platform sample\c++\sys\framework_wfpsamplercalloutdriver.cpp @ 2112]
fffff88006362aa0 cd2c int 2Ch

CONTEXT: fffff88007f98ca0 -- (.cxr 0xfffff88007f98ca0)
rax=0000000000000002 rbx=fffffa800ce40170 rcx=000000000000002e
rdx=0000057ff31bfe88 rsi=fffffa800ce98a70 rdi=fffffa800ce9ab30
rip=fffff88006362aa0 rsp=fffff88007f996a0 rbp=fffff88007f99770
 r8=0000000000000100 r9=0000000000000000 r10=fffffa800ce98a70
r11=fffff88007f99728 r12=0000057ff31bfe88 r13=000000009c402408
r14=0000057ff31654c8 r15=0000000000000100
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000202
WFPSamplerCalloutDriver!SioctlDeviceControl1+0x70:
fffff88006362aa0 cd2c int 2Ch
Resetting default scope

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: Example.exe

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from fffff88001067f88 to fffff88006362aa0

STACK_TEXT:
fffff88007f996a0 fffff88001067f88 : 0000057ff31654c8 0000057ff31bfe88 0000000000000100 0000000000000000 : WFPSamplerCalloutDriver!SioctlDeviceControl1+0x70 [c:\samples\windows filtering platform sample\c++\sys\framework_wfpsamplercalloutdriver.cpp @ 2112]
fffff88007f99730 fffff8800106742f : fffffa800ce9ab00 fffffa8000000000 fffffa800ce9ab30 fffffa800ce6ff48 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x488
fffff88007f997b0 fffff88001072fbb : fffffa800ce98a70 fffffa800ce40100 0000000000000000 fffffa800ce40170 : Wdf01000!FxIoQueue::DispatchEvents+0x66f
fffff88007f99830 fffff8800106c30a : fffffa800ce98a00 fffffa800ce40170 fffffa800cf39d90 fffff88007f99910 : Wdf01000!FxIoQueue::QueueRequest+0x2ab
fffff88007f998a0 fffff8800106b9da : fffffa800ce40170 fffffa800cf39d90 fffff88007f99c80 fffffa800cf39d90 : Wdf01000!FxPkgIo::Dispatch+0x4da
fffff88007f99910 fffff8800106baa6 : fffffa800cf39d90 fffff88007f99c80 fffffa800ce981c0 000000009c402408 : Wdf01000!FxDevice::Dispatch+0x19a
fffff88007f99950 fffff80129e7342f : fffffa800cf39d90 fffff88007f99c80 0000000000000001 fffff88000000000 : Wdf01000!FxDevice::DispatchWithLock+0xa6
fffff88007f99990 fffff80129e73db6 : 000000c7882a6f10 0000000000000030 0000000000000000 000000c7882a6f10 : nt!IopXxxControlFile+0x7dd
fffff88007f99b20 fffff80129a89053 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!NtDeviceIoControlFile+0x56
fffff88007f99b90 000007fe4d7c2c1a : 000007fe4a83f187 0000000000000000 0000000000000000 0000000000000020 : nt!KiSystemServiceCopyEnd+0x13
000000c7880ef8e8 000007fe4a83f187 : 0000000000000000 0000000000000000 0000000000000020 0000000000000000 : ntdll!ZwDeviceIoControlFile+0xa
000000c7880ef8f0 000007fe4d4a1880 : 000000009c402408 0000000000000000 000000c7880ef980 0000000000000000 : KERNELBASE!DeviceIoControl+0x1d7
000000c7880ef960 000007f73c41132e : 000000c7882a6f10 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!DeviceIoControlImplementation+0x74
000000c7880ef9b0 000007f73c411e03 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : Example+0x132e
000000c7880efb20 000007fe4d4a167e : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : Example+0x1e03
000000c7880efb50 000007fe4d7dc3f1 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x1a
000000c7880efb80 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x1d

FOLLOWUP_IP:
WFPSamplerCalloutDriver!SioctlDeviceControl1+70 [c:\samples\windows filtering platform sample\c++\sys\framework_wfpsamplercalloutdriver.cpp @ 2112]
fffff880`06362aa0 cd2c int 2Ch

FAULTING_SOURCE_CODE:
2108: PCHAR data = "This String is from Device Driver !!! Ravindra";
2109: size_t datalen = strlen(data)+1;//Length of data including null
2110: size_t inDataLenght;
2111: PVOID ptr;
> 2112: PAGED_CODE();
2113:
2114: if(!OutputBufferLength || !InputBufferLength)
2115: {
2116: WdfRequestComplete(Request, STATUS_INVALID_PARAMETER);
2117: return;

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: WFPSamplerCalloutDriver!SioctlDeviceControl1+70

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: WFPSamplerCalloutDriver

IMAGE_NAME: WFPSamplerCalloutDriver.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5162360b

STACK_COMMAND: .cxr 0xfffff88007f98ca0 ; kb

FAILURE_BUCKET_ID: X64_0x3B_WFPSamplerCalloutDriver!SioctlDeviceControl1+70

BUCKET_ID: X64_0x3B_WFPSamplerCalloutDriver!SioctlDeviceControl1+70

Followup: MachineOwner
---------

Thanks.

You specified a sync scope:

queueAttributes.SynchronizationScope = WdfSynchronizationScopeQueue;

This is why you are called at dispatch. Also, you cannot use or enable device interfaces on control devices. Turn on the WDF verifier on your driver; that would have told you the error.

d

Bent from my phone


From: xxxxx@gmail.com
Sent: 4/7/2013 8:37 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Driver crashes if DeviceIoControl with OVERLAPPED structure is called

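Doron's pointer to the WDF verifier, and Alex's question about Driver Verifier's Force Pending I/O option, as an added example that is not from the thread: a PowerShell function that enables KMDF Verifier for a driver service through the documented Parameters\Wdf registry values, and a second that queues Driver Verifier's force-IRQL-checking and force-pending-I/O options for the image named in the dump. The service name is assumed to match the module name; the registry value names and verifier flag bits are the documented ones.

```powershell
# Added example (not code from the thread). Run from an elevated PowerShell on the
# test machine that has the kernel debugger attached.

function Enable-KmdfVerifier {
    param(
        # Service (registry key) name of the driver, not its .sys file name.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9_.-]+$')]
        [string] $ServiceName,
        # DbgBreakOnError: break into the kernel debugger when the framework detects an error.
        [switch] $BreakOnError
    )

    # Refuse to write settings for something that is not an installed kernel driver.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'"
    if (-not $svc) {
        throw "No kernel driver service named '$ServiceName' is installed."
    }

    # KMDF reads these values from Services\<driver>\Parameters\Wdf when the driver loads.
    $wdfKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters\Wdf"
    if (-not (Test-Path $wdfKey)) {
        New-Item -Path $wdfKey -Force | Out-Null
    }

    $breakValue = if ($BreakOnError) { 1 } else { 0 }
    # VerifierOn: framework verification (state machines, IRQL, object usage such as a
    # device interface on a control device). VerboseOn: verbose framework tracing.
    Set-ItemProperty -Path $wdfKey -Name VerifierOn      -Value 1           -Type DWord
    Set-ItemProperty -Path $wdfKey -Name VerboseOn       -Value 1           -Type DWord
    Set-ItemProperty -Path $wdfKey -Name DbgBreakOnError -Value $breakValue -Type DWord
    # TrackHandles: '*' asks the framework to track outstanding handles of every type.
    Set-ItemProperty -Path $wdfKey -Name TrackHandles    -Value @('*')      -Type MultiString

    # The driver picks the settings up on its next load: restart the service or reboot.
    Get-ItemProperty -Path $wdfKey |
        Select-Object VerifierOn, VerboseOn, DbgBreakOnError, TrackHandles
}

function Enable-DriverVerifierChecks {
    param(
        # Image name as shown in the !analyze -v output (IMAGE_NAME).
        [Parameter(Mandatory)]
        [string] $ImageName
    )
    # Driver Verifier flag bits:
    #   0x2   = force IRQL checking (paged code or data touched at DISPATCH_LEVEL faults at once)
    #   0x200 = force pending I/O requests (exercises the asynchronous completion paths)
    & verifier.exe /flags 0x202 /driver $ImageName
    # Driver Verifier settings take effect after the next reboot; /query shows what is active now.
    & verifier.exe /query
}

# Assumed service name; the image name comes from the bugcheck analysis above.
Enable-KmdfVerifier -ServiceName 'WFPSamplerCalloutDriver' -BreakOnError
Enable-DriverVerifierChecks -ImageName 'WFPSamplerCalloutDriver.sys'
```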

> driver crashes at PAGED_CODE() call which is first line in the function.
> I think IRQL level of this call is changed if I use OVERLAPPED parameter.

You can tell this how? Oh, yes, in the analyze -v output, which you
showed us above. My bad. I should have read it more carefully.

What kind of driver is this? Did you mention if it is a top-level driver,
minifilter, or bottom feeder? Be aware that if you are not the topmost
driver, your driver may be called in an arbitrary user context at any
level <= DISPATCH_LEVEL.

In the absence of any useful information that might suggest an answer, it
is hard to guess what might be wrong.
joe


Pageable drivers are an optimization which should be performed after the
driver is known to work.

There are a very limited number of conditions under which driver code is
executed at PASSIVE_LEVEL. If you are not sure, don’t make it pageable.

It is actually pretty amazing how many bugs will show up in a “working”
driver once the app starts using OVERLAPPED mode. If you haven’t tested
your driver in OVERLAPPED mode, you are still in pre-Alpha test mode.
Since I use OVERLAPPED I/O a lot, I would regularly find bugs in all kinds
of drivers.

When you use async I/O, all kinds of different but well-specified things
happen in your driver compared to the execution paths taken for
synchronous I/O. The bug is not related to your use of the OVERLAPPED
structure; whenever you see this kind of error, it simply means that your
driver was written incorrectly.

It is SUPPOSED to fail because the PAGED_CODE macro tests the IRQL and if
it does not meet the requirements for pageable code, the debug build OS
will give you a warning and the free-build kernel will react as you saw.
This crash says that you violated the paged-code contract you claim to be
part of.

So whatever that function is, it is not permitted to be pageable (and by
transitive closure, it may not call any function, whether in your code or
in the WDF support or the kernel itself, that is forbidden at
DISPATCH_LEVEL)
joe


Thank you.

I removed all sync references from the code. I am at least able to remove this crash.

Removed WdfDeviceInitSetExclusive(pWDFDeviceInit, TRUE); and queueAttributes.SynchronizationScope = WdfSynchronizationScopeQueue;

Now I am trying to use the WdfRequestForwardToIoQueue() API to handle the EvtIoDeviceControl request asynchronously. It seems the driver continuously calls the SioctlDeviceControl1() callback for the EvtIoDeviceControl event, so the user application hangs at the DeviceIoControl() call that has the OVERLAPPED parameter.
I am adding this event to the queue and have not called WdfRequestComplete().


case IOCTL_EXAMPLE_SAMPLE_BUFFERED_IO:
    deviceContext = WdfObjectGet_DEVICE_CONTEXT(g_WDFDevice);
    ntStatus = WdfRequestForwardToIoQueue(Request, deviceContext->queue);
    if (!NT_SUCCESS(ntStatus)) {
        ntStatus = STATUS_SUCCESS;
        // ntStatus = STATUS_INSUFFICIENT_RESOURCES;
        break;
    }
    return;
default:
    WdfRequestComplete(Request, STATUS_SUCCESS);

It sounds like you are forwarding the request to the same queue which presented the request. AKA recursion. Don’t do that. It doesn’t make a sync request async.

And the SetExclusive call has nothing to do with io presentation, it just means only one handle can be opened at any time

d

Bent from my phone


From: xxxxx@gmail.com
Sent: 4/8/2013 2:46 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Driver crashes if DeviceIoControl with OVERLAPPED structure is called


Thanks so much, Doron. This was the recursion issue. I solved it by adding another queue to the device.

// Second, manual-dispatch queue: requests forwarded here from the default queue
// stay parked until the driver retrieves them with WdfIoQueueRetrieveNextRequest()
// and completes them.
WDF_IO_QUEUE_CONFIG_INIT(&queueConfig, WdfIoQueueDispatchManual);

status = WdfIoQueueCreate(Device,
                          &queueConfig,
                          WDF_NO_OBJECT_ATTRIBUTES,
                          &deviceContext->internalQueue);