IoCancelIrp() crashes the driver and results in a blue screen.

  1. The code is taken from the WDM sample.
  2. Here the problem is cancelling the IRP. If the CBW command and the direction flag are opposite in direction, for example a Write10 command opcode with a Read direction,
    the dispatch routine is called but the completion routine does not get called.
  3. But if all the parameters are correct, then both the dispatch routine and the completion routine get called.
  4. IoCancelIrp() crashes the driver and results in a blue screen.

    UsbBuildInterruptOrBulkTransferRequest(
        urb,
        sizeof(struct _URB_BULK_OR_INTERRUPT_TRANSFER),
        ptrPipeInfor->PipeHandle,
        NULL,
        mdl,
        ulStageLength,
        ulUrbFlags,
        NULL);

    // set USB_RW_CONTEXT parameters.
    rwContext->Urb = urb;
    rwContext->Mdl = mdl;
    rwContext->Numxfer = 0;
    rwContext->Length = ulTotalLength - ulStageLength;
    rwContext->VirtualAddress = ptrVirtualAddr + ulStageLength;
    rwContext->DeviceExtension = stPtrDeviceExtension;

    // use the original read/write IRP as an internal device control IRP
    nextStack = IoGetNextIrpStackLocation(Irp);
    nextStack->Parameters.Others.Argument1 = (PVOID) urb;
    nextStack->MajorFunction = IRP_MJ_INTERNAL_DEVICE_CONTROL;
    nextStack->Parameters.DeviceIoControl.IoControlCode = IOCTL_INTERNAL_USB_SUBMIT_URB;

    // completion routine is invoked on success, on error and on cancel
    IoSetCompletionRoutine(Irp,
        (PIO_COMPLETION_ROUTINE) USB_ReadWriteCompletion,
        rwContext,
        TRUE,
        TRUE,
        TRUE);

    // since we return STATUS_PENDING, call IoMarkIrpPending (step given by MSDN)
    IoMarkIrpPending(Irp);

    USB_IoIncrement(stPtrDeviceExtension);

    /* Prepare the timer that limits how long we wait on the IRP:
       relative time in 100 ns units, 5000000 * 50 = 25 seconds */
    CancelDpcInterval.QuadPart = -5000000 * 50;

    /* Remember the IRP so the timer DPC can cancel it */
    stPtrDeviceExtension->RwIrp = Irp;

    /* Queue the timer object; RwIrpDpc runs when it expires */
    bDPCQueued = KeSetTimer(&stPtrDeviceExtension->RwIrpTimer,
                            CancelDpcInterval,
                            &stPtrDeviceExtension->RwIrpDpc);

    ntlStatus = IoCallDriver(stPtrDeviceExtension->TopOfStackDeviceObject, Irp);
}

Output of !analyze -v ?

d

Sent from a phone with no keyboard

-----Original Message-----
From: xxxxx@gmail.com
Sent: December 07, 2010 8:06 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] IoCancelIrp() Crash the Driver and result is blue screen.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

LAST_CONTROL_TRANSFER: from b96855a5 to 804f9f43

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
a7a8fa74 b96855a5 000000fe 00000004 8a5e5b80 nt+0x22f43
a7a8faa4 b968b362 8a535028 8a503008 586b6b66 USBPORT+0x65a5
a7a8fb0c b968c3c6 0037b188 ffffffff 80546b0c USBPORT+0xc362
a7a8fb3c b9693350 8982a008 a7a8fb74 b9692f14 USBPORT+0xd3c6
a7a8fb48 b9692f14 8a535028 8a5e5b80 88d21868 USBPORT+0x14350
a7a8fb74 b9698088 8a4bb030 8a535028 00000090 USBPORT+0x13f14
a7a8fb94 b96813d2 8a4bb030 8a5e5b80 8a5e5b80 USBPORT+0x19088
a7a8fbb8 804ef19f 8a5e5c14 8a4bb188 88d21868 USBPORT+0x23d2
a7a8fbd0 ba1ec82d 8a5e5b80 8a4bb030 8a5e5b80 nt+0x1819f
a7a8fbf0 ba1ed0ae 8a502d50 8a5e5b80 88ca0d08 usbhub+0x482d
a7a8fc0c ba1ea5e4 88d21868 8a5e5b80 a7a8fc7c usbhub+0x50ae
a7a8fc1c 804ef19f 891c3030 8a5e5b80 8927e960 usbhub+0x25e4
a7a8fc7c 804ef19f 88d455e0 8a5e5b80 806e6410 nt+0x1819f
a7a8fca0 8057c9e7 88d455e0 8a5e5b80 88ca0d08 nt+0x1819f
a7a8fd38 8054164c 00001404 00000000 00000000 nt+0xa59e7
a7a8fd64 7c90e514 badb0d00 02b8f2a8 00000000 nt+0x6a64c
a7a8fd68 badb0d00 02b8f2a8 00000000 00000000 0x7c90e514
a7a8fd6c 02b8f2a8 00000000 00000000 00000000 0xbadb0d00
a7a8fd70 00000000 00000000 00000000 00000000 0x2b8f2a8

STACK_COMMAND: kb

FOLLOWUP_IP:
USBPORT+65a5
b96855a5 ?? ???

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: USBPORT+65a5

Fix your symbols. What is your .sympath?

d

Sent from a phone with no keyboard

-----Original Message-----
From: xxxxx@gmail.com
Sent: December 07, 2010 8:24 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] IoCancelIrp() Crash the Driver and result is blue screen.



Thanks, I found a solution: add a timer and start it for some duration. In the timer DPC I cancel the IRP with IoCancelIrp(). It is working.

KeSetTimer

KeCancelTimer

IoCancelIrp inside the MyTimerDpc function.
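Added example, not code from the thread or from the WDM sample. The first post sends the caller's IRP down with IoCallDriver and arms RwIrpTimer so that RwIrpDpc can call IoCancelIrp on RwIrp; the final post keeps that design. Nothing shown in the thread stops the two paths from racing: when the transfer completes normally, the completion routine lets the IRP continue up the stack and be freed while the timer is still armed, so the DPC later hands IoCancelIrp a pointer the driver no longer owns. (The unsymbolized stack text shows USBPORT calling into nt with 0xFE, BUGCODE_USB_DRIVER, as the first argument, but as the reply says those frames cannot be trusted without symbols, so the page does not establish the exact cause.) The user-mode C11 model below reproduces that ordering and contrasts it with a reference-counted pairing that is my assumption, not something the thread describes: each path holds one reference, the completion routine calls KeCancelTimer and retires the DPC's reference only when the timer was still queued, and whichever path drops the last reference is the one that completes the IRP. All names (model_irp, rw_ctx, arm, verdict) and the kernel stand-ins are hypothetical. In a real driver the completion routine returns STATUS_MORE_PROCESSING_REQUIRED while the DPC still holds its reference, and IoCancelIrp may be called at DISPATCH_LEVEL, so calling it from the DPC itself is fine.

```c
/* irp_timeout_race.c: user-mode C11 model of the race between a timeout DPC
 * and the completion routine of an IRP sent down with IoCallDriver.  Added
 * example, not code from the thread; every kernel call is a stand-in. */
#include <stdatomic.h>
#include <stdbool.h>

/* After completed_to_caller is set, the real IRP's memory is no longer ours. */
struct model_irp {
    bool held_by_lower_driver; /* USB stack still has it (cancel routine set) */
    bool completed_to_caller;  /* IoCompleteRequest continued up the stack */
};

/* Stand-in for the RwIrp / RwIrpTimer / RwIrpDpc fields in the extension. */
struct rw_ctx {
    struct model_irp *irp;
    atomic_int refs;            /* one ref per path (assumed scheme, see lead-in) */
    bool timer_queued;          /* KeSetTimer / KeCancelTimer state */
    bool touched_completed_irp; /* the defect: IoCancelIrp on an IRP that went up */
};

/* One transfer in flight: IRP handed down, timer queued, two references.
 * Callers pass zero-initialised structs. */
static void arm(struct model_irp *irp, struct rw_ctx *c) {
    irp->held_by_lower_driver = true;  /* IoCallDriver */
    c->irp = irp;
    atomic_store(&c->refs, 2);         /* completion path + DPC path */
    c->timer_queued = true;            /* KeSetTimer */
}

/* KeCancelTimer stand-in: true if the DPC was still pending and is dequeued. */
static bool model_cancel_timer(struct rw_ctx *c) {
    bool was_queued = c->timer_queued; c->timer_queued = false; return was_queued;
}

/* IoCancelIrp stand-in; in the kernel the first branch is a use after free. */
static void model_io_cancel_irp(struct rw_ctx *c) {
    if (c->irp->completed_to_caller) { c->touched_completed_irp = true; return; }
    c->irp->held_by_lower_driver = false; /* lower driver's cancel routine runs */
}
static void complete_to_caller(struct rw_ctx *c) { c->irp->completed_to_caller = true; }

/* Naive pairing, as in the thread's final post: completion lets the IRP go
 * up with the timer still armed; the DPC cancels whatever RwIrp points at. */
void naive_completion(struct rw_ctx *c) { complete_to_caller(c); }
void naive_timer_dpc(struct rw_ctx *c) { c->timer_queued = false; model_io_cancel_irp(c); }

/* Reference-counted pairing (assumed design): the last path to finish
 * completes the IRP, so neither path can see it after it has gone up. */
static void drop_ref(struct rw_ctx *c) {
    if (atomic_fetch_sub(&c->refs, 1) == 1) /* InterlockedDecrement hit zero */
        complete_to_caller(c);
}

/* If KeCancelTimer succeeds the DPC will never run, so retire its reference
 * too; otherwise the DPC keeps the IRP alive and a real driver would return
 * STATUS_MORE_PROCESSING_REQUIRED here. */
void refcounted_completion(struct rw_ctx *c) {
    if (model_cancel_timer(c)) drop_ref(c);
    drop_ref(c);
}

void refcounted_timer_dpc(struct rw_ctx *c) {
    c->timer_queued = false;
    model_io_cancel_irp(c); /* safe: this path still holds a reference */
    drop_ref(c);
}

/* 0 = completed once and never touched afterwards, 1 = cancel path touched
 * a completed IRP (the crash), 2 = IRP never completed (caller hangs). */
static int verdict(const struct rw_ctx *c) {
    return c->touched_completed_irp ? 1 : (c->irp->completed_to_caller ? 0 : 2);
}

int naive_complete_then_timeout(void) {
    struct model_irp irp = {0}; struct rw_ctx c = {0}; arm(&irp, &c);
    naive_completion(&c); /* transfer finished first */
    naive_timer_dpc(&c);  /* 25 s later the DPC fires on a stale RwIrp */
    return verdict(&c);
}

int refcounted_complete_then_timeout(void) {
    struct model_irp irp = {0}; struct rw_ctx c = {0}; arm(&irp, &c);
    refcounted_completion(&c); /* KeCancelTimer succeeds, DPC never runs */
    return verdict(&c);
}

int refcounted_complete_racing_dpc(void) {
    struct model_irp irp = {0}; struct rw_ctx c = {0}; arm(&irp, &c);
    c.timer_queued = false;    /* DPC already dequeued: KeCancelTimer fails */
    refcounted_completion(&c);
    refcounted_timer_dpc(&c);
    return verdict(&c);
}

int refcounted_timeout_then_complete(void) {
    struct model_irp irp = {0}; struct rw_ctx c = {0}; arm(&irp, &c);
    refcounted_timer_dpc(&c);  /* cancel routine completes the IRP ... */
    refcounted_completion(&c); /* ... which runs us with STATUS_CANCELLED */
    return verdict(&c);
}
```

The four scenario functions return 1 for the naive ordering (DPC fires after the IRP has already gone back up) and 0 for every ordering of the reference-counted pairing, including the one where KeCancelTimer fails because the DPC has already been dequeued. The property being checked is the one that matters in the kernel: no path ever reaches IoCancelIrp with a pointer to an IRP the driver has already released.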