IoBuildDeviceIoControlRequest

Hello,
I am using IoBuildDeviceIoControlRequest to create an IRP to be sent
asynchronously to another driver. In the completion routine I then complete
the original IRP and return success. However, when I return from the
completion routine I sometimes get a BSOD (I have Driver Verifier enabled):

SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)
Special pool has detected memory corruption. Typically the current thread’s
stack bactrace will reveal the guilty party.
Arguments:
Arg1: bbc8ff68
Arg2: bbc8ffff
Arg3: 64000094
Arg4: 00000024, caller is freeing an address where bytes after the end of
the allocation have been overwritten, 1 == address trying to free, 2 ==
address where bits are corrupted, 3 == unique internal Mm pattern

Details:
Unknown type 1c, value 00000024
Faulting module 00000000 ( +0 )
Unknown type 27, value 804a9bcc

0: kd> db bbc8ff68 l 100
bbc8ff68 00 00 94 00 00 00 00 00-40 00 00 00 00 c0 14 81 …@…
bbc8ff78 78 ff c8 bb 78 ff c8 bb-00 00 00 00 00 00 00 00 x…x…
bbc8ff88 00 01 01 03 00 00 00 00-00 00 00 00 00 00 00 00 …
bbc8ff98 00 00 00 00 00 00 00 00-00 00 00 00 10 e0 d6 e1 …
bbc8ffa8 12 00 30 00 00 00 00 00-80 a5 1a 81 b4 a5 1a 81 …0…
bbc8ffb8 b4 a5 1a 81 75 e2 42 80-fe 0c 53 80 00 00 00 00 …u.B…S…
bbc8ffc8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …
bbc8ffd8 0e 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …
bbc8ffe8 00 00 00 00 b8 78 49 81-00 00 00 00 49 d8 e5 bf …xI…I…
bbc8fff8 08 e0 d6 e1 64 64 64 65-?? ?? ?? ?? ?? ?? ?? ?? …ddde???
bbc90008 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???

Question 1:
Is it possible to do asynchronous calls with this call?

If so, what could be wrong?

thanks,
rob


#include <ntddk.h>

#define IOCTL_PRIVATE_IOCTL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* Context block handed to the completion routine. Its definition is not in the
 * post; only the OriginalIrp member is used, so the struct name is a placeholder. */
typedef struct _PRIVATE_CONTEXT {
    PIRP OriginalIrp;
} PRIVATE_CONTEXT, *PPRIVATE_CONTEXT;

static NTSTATUS PrivateIoctlCallBack(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context);

/* Excerpt from the dispatch routine: remember the caller's IRP, mark it pending,
 * and build the IOCTL IRP for the other driver (In serves as both buffers). */
Context->OriginalIrp = Irp;

IoMarkIrpPending(Irp);

newIrp = IoBuildDeviceIoControlRequest(
    IOCTL_PRIVATE_IOCTL,
    OtherDriver,        /* target device object          */
    In,                 /* input buffer                  */
    65536,
    In,                 /* output buffer                 */
    65536,
    FALSE,              /* not an internal device control */
    NULL,               /* no event                      */
    NULL);              /* no I/O status block           */

IoSetCompletionRoutine(
    newIrp,
    PrivateIoctlCallBack,
    Context,
    TRUE, TRUE, TRUE);  /* invoke on success, error and cancel */

static NTSTATUS PrivateIoctlCallBack(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context)
{
    PPRIVATE_CONTEXT ctx = (PPRIVATE_CONTEXT)Context;  /* PVOID must be cast before -> */

    /* Copy the lower driver's result into the original request and complete it. */
    ctx->OriginalIrp->IoStatus.Status = Irp->IoStatus.Status;
    ctx->OriginalIrp->IoStatus.Information = Irp->IoStatus.Information;
    IoCompleteRequest(ctx->OriginalIrp, IO_NO_INCREMENT);

    ExFreePool(ctx);

    /* Propagate the pending flag into the IRP's current stack location, the way
     * a filter does for an IRP it received and passed down. */
    if (Irp->PendingReturned) {
        IoMarkIrpPending(Irp);
    }

    return STATUS_SUCCESS;
}


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You can't complete your IRP in the completion routine,

because some driver under yours called IoCompleteIrp for your IRP; what
you should do is simply return.

----- Original Message -----
From: “Rob Green”
To: “NT Developers Interest List”
Sent: Thursday, October 11, 2001 9:40 AM
Subject: [ntdev] IoBuildDeviceIoControlRequest




I think he meant that he has pended an IRP sent to him (IRP-A), created a
new IRP (IRP-2), sent IRP-2 down to some other driver, and then in his
completion handler for IRP-2 he completed IRP-A. Nothing wrong with that at
all.

Rob, the error means that you wrote off the end of the buffer at bbc8ff68. I
assume that you have done the obvious and verified that all that can be
verified about whatever bbc8ff68 is.

-----Original Message-----
From: kdriver [mailto:kdriver@163.com]
Sent: Wednesday, October 10, 2001 10:22 PM
To: NT Developers Interest List
Subject: [ntdev] Re: IoBuildDeviceIoControlRequest



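The last reply says the bugcheck means a write past the end of the block at bbc8ff68, and Rob's own dump is enough to say which write. Special Pool puts the allocation at the end of a page, fills the unused tail with a pattern byte and checks that tail when the block is freed. The following C program is an added example, not code from the thread: it takes the three bugcheck arguments and the readable bytes of the `db bbc8ff68 l 100` output exactly as posted, and decodes them against the 32-bit x86 IRP layout from the public DDK headers (sizeof(IRP) = 0x70, sizeof(IO_STACK_LOCATION) = 0x24, Size at +2, PendingReturned/StackCount/CurrentLocation at +0x21/+0x22/+0x23, Control at +3 of a stack location, IRP_MJ_DEVICE_CONTROL = 0x0e, and IoMarkIrpPending being `CurrentStackLocation->Control |= SL_PENDING_RETURNED` with SL_PENDING_RETURNED = 0x01). That the block is an x86 IRP is an assumption; the code checks it by comparing the Size field with IoSizeOfIrp(StackCount). On this dump the high byte of Arg3 (0x64) is the fill byte visible in the slack at bbc8fffc, and the low word (0x94) equals the IRP's Size field, so the code reads Arg3 that way.

```c
/* Added triage of the posted c1 bugcheck against the x86 IRP layout. Argument
 * values and dump bytes are copied from the thread; layout constants are the
 * public 32-bit ntddk.h definitions (assumed, and cross-checked via Size). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARG1_FREED_ADDRESS   0xbbc8ff68u  /* 1 == address being freed     */
#define ARG2_CORRUPT_ADDRESS 0xbbc8ffffu  /* 2 == address found corrupted */
#define ARG3_MM_PATTERN      0x64000094u  /* 3 == Mm pattern word         */

#define SIZEOF_IRP               0x70
#define SIZEOF_IO_STACK_LOCATION 0x24
#define OFF_IRP_SIZE             0x02  /* USHORT Size                        */
#define OFF_IRP_PENDING_RETURNED 0x21
#define OFF_IRP_STACK_COUNT      0x22
#define OFF_IRP_CURRENT_LOCATION 0x23
#define OFF_SL_CONTROL           0x03  /* UCHAR Control in IO_STACK_LOCATION */
#define IRP_MJ_DEVICE_CONTROL    0x0e
#define SL_PENDING_RETURNED      0x01  /* IoMarkIrpPending: Control |= this  */

/* Readable bytes of "db bbc8ff68 l 100" from the post (?? guard-page bytes omitted). */
static const char *const DUMP[] = {
    "00 00 94 00 00 00 00 00-40 00 00 00 00 c0 14 81",
    "78 ff c8 bb 78 ff c8 bb-00 00 00 00 00 00 00 00",
    "00 01 01 03 00 00 00 00-00 00 00 00 00 00 00 00",
    "00 00 00 00 00 00 00 00-00 00 00 00 10 e0 d6 e1",
    "12 00 30 00 00 00 00 00-80 a5 1a 81 b4 a5 1a 81",
    "b4 a5 1a 81 75 e2 42 80-fe 0c 53 80 00 00 00 00",
    "00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00",
    "0e 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00",
    "00 00 00 00 b8 78 49 81-00 00 00 00 49 d8 e5 bf",
    "08 e0 d6 e1 64 64 64 65",
};

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Turn the dump rows into a byte image; returns the byte count, 0 on overflow. */
size_t parse_dump(uint8_t *out, size_t cap) {
    size_t n = 0;
    for (size_t r = 0; r < sizeof DUMP / sizeof DUMP[0]; r++) {
        for (const char *p = DUMP[r]; *p; ) {
            int hi = hexval(p[0]), lo = hexval(p[1]);
            if (hi < 0 || lo < 0) { p++; continue; }  /* ' ' or '-' separator */
            if (n >= cap) return 0;
            out[n++] = (uint8_t)(hi << 4 | lo);
            p += 2;
        }
    }
    return n;
}

typedef struct {
    uint32_t corrupt_offset;       /* Arg2 - Arg1                             */
    uint16_t irp_size;             /* IRP.Size read from the image            */
    uint8_t  stack_count, current_location, pending_returned;
    uint8_t  first_major_function; /* MajorFunction of stack location 0       */
    int      corrupt_stack_index;  /* 0-based stack location hit, -1 = header */
    uint32_t corrupt_field_offset; /* byte offset inside that stack location  */
    uint8_t  pattern_byte, observed_byte;
    int      size_matches_stack_count;     /* Size == IoSizeOfIrp(StackCount) */
    int      consistent_with_mark_pending; /* Control |= 1 beyond the array   */
} irp_triage;

/* Decode the image; returns 0 on success, -1 if the dump cannot be used. */
int triage_bugcheck(irp_triage *t) {
    uint8_t img[256];
    size_t n = parse_dump(img, sizeof img);
    memset(t, 0, sizeof *t);
    t->corrupt_offset = ARG2_CORRUPT_ADDRESS - ARG1_FREED_ADDRESS;
    if (n <= SIZEOF_IRP || t->corrupt_offset >= n) return -1;
    t->irp_size = (uint16_t)(img[OFF_IRP_SIZE] | img[OFF_IRP_SIZE + 1] << 8);
    t->stack_count = img[OFF_IRP_STACK_COUNT];
    t->current_location = img[OFF_IRP_CURRENT_LOCATION];
    t->pending_returned = img[OFF_IRP_PENDING_RETURNED];
    t->first_major_function = img[SIZEOF_IRP];
    t->size_matches_stack_count =
        t->irp_size == SIZEOF_IRP + t->stack_count * SIZEOF_IO_STACK_LOCATION;
    if (t->corrupt_offset >= SIZEOF_IRP) {
        uint32_t rel = t->corrupt_offset - SIZEOF_IRP;
        t->corrupt_stack_index = (int)(rel / SIZEOF_IO_STACK_LOCATION);
        t->corrupt_field_offset = rel % SIZEOF_IO_STACK_LOCATION;
    } else {
        t->corrupt_stack_index = -1;
        t->corrupt_field_offset = t->corrupt_offset;
    }
    t->pattern_byte = (uint8_t)(ARG3_MM_PATTERN >> 24);  /* fill byte seen in the slack */
    t->observed_byte = img[t->corrupt_offset];
    t->consistent_with_mark_pending =
        t->corrupt_stack_index >= t->stack_count &&       /* the IRP has no such location */
        t->corrupt_field_offset == OFF_SL_CONTROL &&
        t->observed_byte == (uint8_t)(t->pattern_byte | SL_PENDING_RETURNED);
    return 0;
}

int main(void) {
    irp_triage t;
    if (triage_bugcheck(&t) != 0) { puts("dump unusable"); return 1; }
    printf("bad byte at +0x%x; Size=0x%x StackCount=%u CurrentLocation=%u PendingReturned=%u; "
           "Size==IoSizeOfIrp(StackCount): %s; location 0 MajorFunction=0x%02x\n",
           t.corrupt_offset, t.irp_size, t.stack_count, t.current_location, t.pending_returned,
           t.size_matches_stack_count ? "yes" : "no", t.first_major_function);
    printf("hit IO_STACK_LOCATION[%d] offset 0x%x (Control is 0x%x): 0x%02x -> 0x%02x; "
           "Control |= SL_PENDING_RETURNED past the array: %s\n",
           t.corrupt_stack_index, t.corrupt_field_offset, OFF_SL_CONTROL,
           t.pattern_byte, t.observed_byte, t.consistent_with_mark_pending ? "yes" : "no");
    return 0;
}
```

Run on the posted data this reports a 0x94-byte IRP with one stack location (IoSizeOfIrp(1) on x86 is exactly 0x94), MajorFunction 0x0e at stack location 0, and the bad byte at +0x97, which is offset 3 of a second stack location the IRP never had: the Control byte, changed from the fill pattern 0x64 to 0x65 = 0x64 | SL_PENDING_RETURNED. CurrentLocation is 3 = StackCount + 2 because IoCompleteRequest advances the current-stack-location pointer past the driver's own location before calling its completion routine, so for the driver that built the IRP there is no location above and IoMarkIrpPending writes one byte beyond the allocation. That is the `if (Irp->PendingReturned) IoMarkIrpPending(Irp);` in PrivateIoctlCallBack: the idiom is correct in a filter's completion routine for an IRP it received and passed down, and wrong in the completion routine of an IRP the driver allocated itself, where it should be dropped. The IRP from IoBuildDeviceIoControlRequest is a synchronous-API IRP that the I/O manager completes and frees after the completion routine returns STATUS_SUCCESS, which is why the overrun only surfaced at that free, and only with Special Pool active; on Rob's Question 1, the documented route for a genuinely asynchronous IOCTL is IoAllocateIrp with the stack location filled in by the driver, rather than this routine. Keep Driver Verifier's Special Pool on for any driver under test: without it a one-byte overrun like this silently corrupts the neighbouring pool block.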