DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS problem

Hi,

I have a problem where in the Driver Unload routine I get a
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS bug check. The
weird thing about this is that the faulting IP is within DriverExit (my
driver unload routine). Why would I get this in the driver unload
routine considering the driver unload routine hasn't completed yet?

Details below:-

DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
The broken driver's name is displayed on the screen.
Arguments:
Arg1: f7b13fdb, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: f7b13fdb, If non-zero, the instruction address which referenced
the bad memory address.
Arg4: 00000000, Mm internal code.

Debugging Details:

READ_ADDRESS: f7b13fdb Nonpaged pool

FAULTING_IP:
aries+fdb
f7b13fdb ??

Relevant section in map file:-

0001:00000fd4 _DriverExit@4 000112d4 f driver.obj
0001:00001010 _DriverEntry@8 00011310 f driver.obj

Thanks in advance,
Ceri


This email has been scanned by the MessageLabs Email Security System.
For more information please visit Symantec™ Email Security | Enterprise Messaging Security


Did you do something in your unload routine that might drop the
reference count on the driver object to zero like ObDereferenceObject it,
or delete a device object (though that should be guarded by NTIO) while
you still had outstanding I/O requests?

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ceri Coburn
Sent: Friday, August 20, 2004 1:35 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
problem

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument:
''
To unsubscribe send a blank email to xxxxx@lists.osr.com

I have found the problem, and it wasn't in the DriverUnload. The driver
I have created is not necessarily a proper Windows driver, it's an API spy
which patched the KeServiceDescriptorTable.

In each patched API function I have an
IoAcquireRemoveLock/IoReleaseRemoveLock pair to prevent the driver being
removed whilst a patched API call is in progress. Now the problem I
have is that in my Unload I then have IoReleaseRemoveLockAndWait. And
sometimes what happens is that the last IoReleaseRemoveLock is called,
execution then switches to the unload function, IoReleaseRemoveLockAndWait
finishes and the driver unloads, but after switching back the patched
API function still has its epilog code to execute, and because the driver
has been unloaded I get the error.

Any ideas on how to combat this?
Thanks

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Wieland
Sent: 20 August 2004 14:51
To: Windows System Software Devs Interest List
Subject: RE: [ntdev]
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS problem

Don't support unload. You are patching system apis and you want to be
unloadable?

=====================
Mark Roddy

-----Original Message-----
From: Ceri Coburn [mailto:xxxxx@first4internet.co.uk]
Sent: Friday, August 20, 2004 10:02 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
problem

Well, first a driver patching the KeServiceDescriptorTable is a very bad
idea. Second, a PNP driver patching the KeServiceDescriptorTable is AN
INCREDIBLY STUPID IDEA, at least make it a legacy driver without those
interactions, and get rid of the remove lock requirements.

If you haven’t read the various discussions of hooking that have appeared on
this list, go back and search the archives for hooking. Basically, by doing
the hooking you have made a driver that always has the probability of
crashing. This driver will never be of a quality for production code, and
is something that any sane person would avoid. Also, note that it is likely
to fail in future revisions of the OS as more checking is put in.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

You cannot unload the driver which installed such patches. No reliable way
of doing this. Forget this idea.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

On Fri, 20 Aug 2004 15:01:55 +0100, you wrote:

Any ideas on how to combat this?

There isn’t really an elegant solution to that. Make sure the lock is
released as late as you possibly can. If you *really* need to be able
to unload, first unpatch KeServiceDescriptorTable with the lock held
(which will prevent any new calls entering from that point on), then
wait (which will hopefully give any existing calls time to exit your
code). It’s not going to be totally reliable, it isn’t exactly a nice
setup, but it’s probably about as good as you’ll get.

James.
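The ordering James describes (restore the table entry first, then wait for the in-flight calls) and the window Ceri describes (the epilog that still runs after the lock is released), as an added example that is not part of this thread and not anyone's driver code. It is a user-mode C model, not kernel code: fake_ssdt, hooked_service, hook_enter, hook_leave and unload_hook_step are invented names, the atomic counter and flag stand in for the remove lock (IoAcquireRemoveLock or ExAcquireRundownProtection in a real driver), and the run is single-threaded, so the interleaving is stepped by hand rather than raced between threads.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* User-mode model of an SSDT-style hook and its unload sequence.
 * Everything here is invented for the example: fake_ssdt stands in for a
 * KeServiceDescriptorTable slot, the atomics stand in for the remove lock
 * (IoAcquireRemoveLock / ExAcquireRundownProtection in a real driver). */

typedef long (*service_fn)(long arg);

/* Constructed one-entry service table; the kernel's is much larger. */
static service_fn fake_ssdt[1];

static long original_service(long arg)
{
    return arg * 2;
}

/* Rundown state: number of callers currently inside the hook, and a flag
 * telling late arrivals that unload has started. */
static atomic_long inflight;
static atomic_bool draining;
static long hook_calls;   /* the "spy" work: just count calls */

/* Returns false if unload has begun; the caller must then pass straight
 * through to the original service. */
static bool hook_enter(void)
{
    atomic_fetch_add(&inflight, 1);
    if (atomic_load(&draining)) {
        atomic_fetch_sub(&inflight, 1);   /* raced with unload: back out */
        return false;
    }
    return true;
}

static void hook_leave(void)
{
    atomic_fetch_sub(&inflight, 1);
}

static long hooked_service(long arg)
{
    if (!hook_enter())
        return original_service(arg);

    hook_calls++;
    long result = original_service(arg);

    hook_leave();
    /* From here to the ret is the epilog the thread is about: the count is
     * already zero, yet this instruction stream still lives in the image. */
    return result;
}

static void install_hook(void)
{
    atomic_store(&draining, false);
    fake_ssdt[0] = hooked_service;
}

/* One pass of the unload sequence, in the order that closes most of the
 * window: restore the original pointer so no new caller can enter, mark
 * draining so anyone who already read the old pointer backs out, then
 * report whether the in-flight count has reached zero. A real driver loops
 * on this (or blocks in IoReleaseRemoveLockAndWait) and then still waits a
 * grace period, because nothing here can count the epilog after
 * hook_leave(). */
static bool unload_hook_step(void)
{
    fake_ssdt[0] = original_service;
    atomic_store(&draining, true);
    return atomic_load(&inflight) == 0;
}

int main(void)
{
    install_hook();
    long r = fake_ssdt[0](21);
    printf("hooked call: %ld (hook_calls=%ld)\n", r, hook_calls);

    /* Step the race by hand: a caller is inside the hook when unload starts. */
    hook_enter();
    printf("unload with caller inside: drained=%d\n", unload_hook_step());
    hook_leave();
    printf("after caller leaves:       drained=%d\n", unload_hook_step());

    /* New callers now reach the original service directly. */
    r = fake_ssdt[0](5);
    printf("call after unpatch: %ld (hook_calls=%ld)\n", r, hook_calls);
    return 0;
}
```

Note what unload_hook_step cannot cover: hook_leave() is the last thing the model can count, and everything after it, the return and the compiler's epilog, still executes from the image. That is why the thread ends with "unpatch first, drain, then add a delay", and why the advice from Mark and Maxim to not support unload at all is the only answer that has no window.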

Thanks guys, I thought that would be the case as it isn’t an elegant
solution in the first place. I’ll just have to live with releasing the
locks as late as possible and then maybe add a delay to give the APIs
in progress a chance to finish.

Thanks Again,
Ceri

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of James
Sent: 21 August 2004 12:30
To: Windows System Software Devs Interest List
Subject: Re: [ntdev]
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS problem
