Hello.
I am developing a USB driver for WinXP using the KMDF framework. EvtIoWrite callback receives a buffer from user mode and sends it to the device.
When trying to send buffers larger than 10MB I get a BSOD, and I suspect that the reason is that I did not lock properly the user buffer in EvtIoWrite. My question is, what is the proper way to lock the user buffer in EvtIoWrite?
Thanks in advance.
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
BUGCODE_USB_DRIVER (fe)
USB Driver bugcheck, first parameter is USB bugcheck code.
Arguments:
Arg1: 00000001, INTERNAL_ERROR An internal error has occured in the USB stack
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000
Debugging Details:
*** ERROR: Module load completed but symbols could not be loaded for my_test.exe
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xFE
PROCESS_NAME: my_test.exe
LAST_CONTROL_TRANSFER: from f719be24 to 804f9f43
STACK_TEXT:
a9ffa450 f719be24 000000fe 00000001 00000000 nt!KeBugCheckEx+0x1b
a9ffa498 f719c0af 86e37028 86623aa8 86505000 USBPORT!USBPORT_SplitBulkInterruptTransfer+0x52
a9ffa4b8 f71a331e 86e37028 86623aa8 86505000 USBPORT!USBPORT_SplitTransfer+0x68
a9ffa534 806e96e4 86e37028 00000000 00000000 USBPORT!USBPORT_MapTransfer+0x66a
a9ffa560 804eeef2 86cf5640 86e3705c 0000098a hal!HalAllocateAdapterChannel+0x126
a9ffa578 f71a363f 86cf5640 86e37028 0000098a nt!IoAllocateAdapterChannel+0x2a
a9ffa5bc f71a4439 86e37028 864fea88 80546afc USBPORT!USBPORT_FlushMapTransferList+0x1b1
a9ffa618 f71a5326 00623aa8 ffffffff 80546afc USBPORT!USBPORT_FlushPendingList+0x5b1
a9ffa648 f71ac2b0 867723a0 a9ffa680 f71abe74 USBPORT!USBPORT_QueueTransferUrb+0x248
a9ffa654 f71abe74 86e37028 864fea88 86d11aa4 USBPORT!USBPORT_AsyncTransfer+0x30
a9ffa680 f71b0fe8 86c2c030 86e37028 00000090 USBPORT!USBPORT_ProcessURB+0x3f4
a9ffa6a0 f719a332 86c2c030 864fea88 864fea88 USBPORT!USBPORT_PdoInternalDeviceControlIrp+0x7e
a9ffa6c4 804ef19f 864feb64 86c2c188 86d11aa4 USBPORT!USBPORT_Dispatch+0x148
a9ffa6d4 f770759c a9ffa6fc f770b82d 864fea88 nt!IopfCallDriver+0x31
a9ffa6dc f770b82d 864fea88 86c2c030 864fea88 usbhub!USBH_PassIrp+0x18
a9ffa6fc f770c0ae 86d80480 864fea88 79ae12c0 usbhub!USBH_PdoUrbFilter+0xbd
a9ffa718 f77095e4 86d11aa4 864fea88 a9ffa754 usbhub!USBH_PdoDispatch+0x202
a9ffa728 804ef19f 866aec30 864fea88 86c14da0 usbhub!USBH_HubDispatch+0x48
a9ffa738 f78f84db 00220003 864feb64 80000000 nt!IopfCallDriver+0x31
a9ffa754 f78f776b 86641370 864fea88 8054bd24 usbccgp!ParentInternalDeviceControl+0xbb
a9ffa778 f78f75d3 86641368 864fea88 0000000f usbccgp!USBC_InternalDeviceControl+0x3b
a9ffa7b4 804ef19f 866412b0 864fea88 86c14da0 usbccgp!USBC_Dispatch+0x183
a9ffa7c4 f78f9391 80000000 00000009 00220003 nt!IopfCallDriver+0x31
a9ffa7f4 f78f7786 8673a0f0 864fea88 8673a0f0 usbccgp!FunctionInternalDeviceControl+0x1c1
a9ffa818 f78f75d3 8673a0e8 864fea88 0000000f usbccgp!USBC_InternalDeviceControl+0x56
a9ffa854 804ef19f 8673a030 864fea88 a9ffa8c8 usbccgp!USBC_Dispatch+0x183
a9ffa864 a8d46164 86c5f470 86c5f554 00000000 nt!IopfCallDriver+0x31
a9ffa87c a8da675d 00000005 865e1990 8651ed38 Wdf01000!imp_WdfRequestSend+0x2de
a9ffa894 a8da6667 79a1e668 79ae12c0 a9ffa8c8 my_usb_driver!WdfRequestSend+0x1d [c:\winddk\7600.16385.1\inc\wdf\kmdf\1.9\wdfrequest.h @ 661]
a9ffab20 a8d5f02a 793a0b88 79901320 00989680 my_usb_driver!evt_write+0x27d
a9ffab3c a8d6036e 793a0b88 79901320 00989680 Wdf01000!FxIoQueueIoRead::Invoke+0x2a
a9ffab64 a8d629ac 79901320 866fecd8 86c5f470 Wdf01000!FxIoQueue::DispatchRequestToDriver+0x2bb
a9ffab80 a8d63b7f 86c5f400 00000000 86dde9b8 Wdf01000!FxIoQueue::DispatchEvents+0x3be
a9ffaba0 a8d64e14 866fecd8 a8d17290 79901320 Wdf01000!FxIoQueue::QueueRequestFromForward+0x139
a9ffabc8 a8d4a2b6 866ae010 866fecd8 866fecd8 Wdf01000!FxPkgIo::EnqueueRequest+0x244
a9ffabdc a8d1761a 00000000 866ae010 79901320 Wdf01000!imp_WdfDeviceEnqueueRequest+0xde
a9ffabf0 a8d174b6 79951fe8 79901320 00000000 my_usb_driver!WdfDeviceEnqueueRequest+0x1a [c:\winddk\7600.16385.1\inc\wdf\kmdf\1.9\wdfdevice.h @ 3429]
a9ffac24 a8d6559c 79951fe8 79901320 86f72f40 my_usb_driver!evt_io_in_caller+0x226
a9ffac3c a8d65798 866fecd8 866e9008 86eb7d30 Wdf01000!FxPkgIo::DispathToInCallerContextCallback+0xb1
a9ffac64 a8d54a3f 866e9008 a9ffac94 804ef19f Wdf01000!FxPkgIo::Dispatch+0x1f1
a9ffac70 804ef19f 864fc088 866e9008 806e6410 Wdf01000!FxDevice::Dispatch+0x7f
a9ffac80 8057f982 866e909c 00d996a0 866e9008 nt!IopfCallDriver+0x31
a9ffac94 8057d4c9 864fc088 866e9008 86eb7d30 nt!IopSynchronousServiceTail+0x70
a9ffad38 8054163c 000007e8 00000000 00000000 nt!NtWriteFile+0x5d7
a9ffad38 7c90e514 000007e8 00000000 00000000 nt!KiFastCallEntry+0xfc
0006fe30 7c90df8a 7c82e86c 000007e8 00000000 ntdll!KiFastSystemCallRet
0006fe34 7c82e86c 000007e8 00000000 00000000 ntdll!ZwWriteFile+0xc
0006fe94 00401946 000007e8 00410020 00989680 kernel32!WriteFile+0xa9
WARNING: Stack unwind information not available. Following frames may be wrong.
0006fec8 00401db5 000007e8 00410020 00989680 my_test+0x1946
0006ff40 0040222f 000007e8 00000000 00000001 my_test+0x1db5
0006ff7c 0040251b 00000006 00272430 00272ad0 my_test+0x222f
0006ffc0 7c817077 00000000 00000000 7ffda000 my_test+0x251b
0006fff0 00000000 0040264c 00000000 78746341 kernel32!BaseProcessStart+0x23
STACK_COMMAND: kb
FOLLOWUP_IP:
Wdf01000!imp_WdfRequestSend+2de
a8d46164 eb0a jmp Wdf01000!imp_WdfRequestSend+0x2ea (a8d46170)
SYMBOL_STACK_INDEX: 1b
SYMBOL_NAME: Wdf01000!imp_WdfRequestSend+2de
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Wdf01000
IMAGE_NAME: Wdf01000.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbf28
FAILURE_BUCKET_ID: 0xFE_Wdf01000!imp_WdfRequestSend+2de
BUCKET_ID: 0xFE_Wdf01000!imp_WdfRequestSend+2de
Followup: MachineOwner
xxxxx@gmail.com wrote:
I am developing a USB driver for WinXP using the KMDF framework. EvtIoWrite callback receives a buffer from user mode and sends it to the device.
When trying to send buffers larger than 10MB I get a BSOD, and I suspect that the reason is that I did not lock properly the user buffer in EvtIoWrite.
Nope. Unless you are using a METHOD_NEITHER ioctl, Windows will have locked the buffer for you.
The problem is that a single URB in XP cannot be larger than about 3 MB. Here’s a knowledge base article that describes this limit:
http://support.microsoft.com/kb/832430
You need to chop your request up into separate URBs of 3MB or less.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
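The splitting Tim describes, as an added example that is not code from the thread or from the poster's driver: the loop that carves one write into transfers of at most 3 MiB is written host-side in C, with a fake pipe standing in for the per-URB WDF call, so it compiles and runs without the WDK. The WDF API named in the comments, the 3 MiB cap, and the fake pipe's behaviour are assumptions; the 10,000,000-byte payload is constructed to match the 0x989680 byte count visible in the kernel32!WriteFile frame of the stack trace.

```c
#include <stddef.h>
#include <stdint.h>
#define MAX_URB_BYTES (3u * 1024u * 1024u)  /* at or under XP's per-URB limit (assumed cap) */

/* Stand-in for the per-URB pipe write (in the driver this would be
 * WdfUsbTargetPipeWriteSynchronously on a WDF_MEMORY_DESCRIPTOR covering
 * buf + offset for len bytes).  Returns bytes accepted, 0 on failure. */
typedef size_t (*send_chunk_fn)(void *ctx, const uint8_t *p, size_t len);
/* Send buf[0..total) as consecutive chunks of at most max_chunk bytes.
 * Returns bytes transferred; a short or failed chunk ends the loop so the
 * caller can complete the request with the partial byte count. */
size_t send_in_chunks(const uint8_t *buf, size_t total, size_t max_chunk,
                      send_chunk_fn send, void *ctx)
{
    size_t done = 0;
    if (max_chunk == 0) return 0;
    while (done < total) {
        size_t remaining = total - done;
        size_t len = remaining < max_chunk ? remaining : max_chunk; /* tail may be short */
        size_t got = send(ctx, buf + done, len);
        done += got;
        if (got != len) break;
    }
    return done;
}

/* Test double (constructed): counts URBs and refuses any chunk over the cap,
 * where the real XP stack would instead bugcheck with BUGCODE_USB_DRIVER. */
struct fake_pipe { size_t cap; size_t urbs; };

size_t fake_send(void *ctx, const uint8_t *p, size_t len)
{
    struct fake_pipe *fp = ctx;
    (void)p;
    if (len > fp->cap) return 0;
    fp->urbs++;
    return len;
}

/* Constructed payload: 10,000,000 bytes, the 0x989680 length in the thread's
 * stack trace.  Returns bytes sent; *urbs receives the number of chunks. */
static uint8_t g_payload[10000000];
size_t demo_write(size_t total, size_t max_chunk, size_t *urbs)
{
    struct fake_pipe fp = { MAX_URB_BYTES, 0 };
    size_t n = total > sizeof g_payload ? 0 :
               send_in_chunks(g_payload, total, max_chunk, fake_send, &fp);
    if (urbs) *urbs = fp.urbs;
    return n;
}
```

With the cap in place the 10,000,000-byte write goes out as three full 3 MiB URBs plus a 562,816-byte tail; handed over unsplit, the same write is refused by the fake pipe, which is the host-side analogue of the bugcheck in the dump.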
Are you using METHOD_BUFFERED_IN/OUT_DIRECT?
Gary G. Little
----- Original Message -----
From: xxxxx@gmail.com
To: “Windows System Software Devs Interest List”
Sent: Thursday, December 16, 2010 11:51:01 AM
Subject: [ntdev] How to lock user buffer in EvtIoWrite?
Hello.
I am developing a USB driver for WinXP using the KMDF framework. EvtIoWrite callback receives a buffer from user mode and sends it to the device.
When trying to send buffers larger than 10MB I get a BSOD, and I suspect that the reason is that I did not lock properly the user buffer in EvtIoWrite. My question is, what is the proper way to lock the user buffer in EvtIoWrite?
Thanks in advance.
Gary, Tim
Thank you for your response.
This is not an ioctl, but an EvtIoWrite callback (IRP_MJ_WRITE). The 3MB limitation of USB seems a reasonable explanation for the BSOD.
Thanks again for the help!