MS parport bug (WXP).

NTDEV
1

I saw the parport.sys (Parallel Port) BSODing when lower driver(s) pended an
internal IOCTL and special pool is enabled on IRP allocation. The BSOD is
about "DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)".

My driver stack looks like this:

PARPORT
|
My neat and nice driver
doing something funny
|
ACPI

Whenever I pended an internal IOCTL passed from parport!PptDetectChipFilter
to ACPI driver, machine died.

After I carefully examined my code and made sure there's no beginner's
pending problem, I turned my attention to MS's code. A brief disassemble of
the parport!PptDetectChipFilter shows there's indeed a bug in parport that a
synchronous IRP is mistakenly referenced after IoCallDriver had returned.

Can anyone have NT src access confirm this, please?

Thanks,
Calvin

Calvin Guan Software Engineer
ATI Technologies Inc. www.ati.com

P.S. The pseudo code of parport!PptDetectChipFilter does something like this
(I'm not supposed to post the NT assembly code, am I?)

parport!PptDetectChipFilter(....)
{
KEVENT event;
IO_STATUS_BLOCK iosb;
PIRP Irp;
......
KeInitializeEvent(&event,...);
Irp = IoBuildDeviceIoControlRequest(
0x160048,
NextLowerDeviceObject,
Buffer,
0x1c,
Buffer,
0x1c,
InternalRequest, /*1*/
&event,
&iosb);
if (Irp) {
status = IoCallDriver(NextLowerDeviceObject,Irp);
if (STATUS_PENDING == status) {
KeWaitForSingleObject(&event,...);
if (STATUS_SUCCESS == Irp->IoStatus.Status) { <--- BSOD --
// shoulda been (STATUS_SUCCESS == iosb.Status), eh??
//
// does something
//
}
}
}
}

ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=8cf64db8
edi=8c2bae70
eip=badeeb0c esp=f88ea9b8 ebp=f88ea9dc iopl=0 nv up ei pl zr na po
nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00210246
parport!PptDetectChipFilter+0x8c:
badeeb0c 8b4718 mov eax,[edi+0x18] <<-- Irp->IoStatus.Status
Resetting default scope

STACK_TEXT:
f88ea9dc badf1b1d 8cf64db8 8bf2afd8 8bf2ae48
parport!PptDetectChipFilter+0x8c
f88eaa04 badf20c3 8cf64d00 8bf2ae48 8cf64d00 parport!PptFdoStartDevice+0xc1
f88eaa1c badf070b 8cf64d00 8bf2ae48 80817171 parport!PptFdoPnp+0x4f
f88eaa28 80817171 8cf64d00 8bf2ae48 809e72e4 parport!PptDispatchPnp+0x17
f88eaa38 8095f110 8bf2affc f88eaac8 8bf2ae48 nt!IopfCallDriver+0x31
f88eaa5c 808a24fa f88eaac8 84264f18 00000000 nt!IovCallDriver+0x9e
f88eaa88 808a2569 8cf64d00 f88eaaa4 00000000 nt!IopSynchronousCall+0xb8
f88eaac8 8081d9da 84264f18 c00002ce 00000001 nt!IopStartDevice+0x43
f88eaae4 808a1d53 84264f18 869b0f01 00000000 nt!PipProcessStartPhase1+0x4c
f88ead2c 808a218a 832a4ee8 00000001 00000000 nt!PipProcessDevNodeTree+0x171
f88ead54 8081e128 00000003 808742c0 808790dc
nt!PiProcessStartSystemDevices+0x38
f88ead7c 80854267 00000000 00000000 82e5ada8 nt!PipDeviceActionWorker+0x162
f88eadac 808dc46c 00000000 00000000 00000000 nt!ExpWorkerThread+0xed
f88eaddc 80860ad6 8085417a 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

2

MS parport bug (WXP).Hi,

The parport code is actually in the DDK (src\kernel\parport) and your analysis of the code is correct. Looks like a bug to me.

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Calvin Guan” wrote in message news:xxxxx@ntdev…
I saw the parport.sys (Parallel Port) BSODing when lower driver(s) pended an internal IOCTL and special pool is enabled on IRP allocation. The BSOD is about “DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)”.

My driver stack looks like this:

PARPORT
|
My neat and nice driver
doing something funny
|
ACPI

Whenever I pended an internal IOCTL passed from parport!PptDetectChipFilter to ACPI driver, machine died.

After I carefully examined my code and made sure there’s no beginner’s pending problem, I turned my attention to MS’s code. A brief disassemble of the parport!PptDetectChipFilter shows there’s indeed a bug in parport that a synchronous IRP is mistakenly referenced after IoCallDriver had returned.

Can anyone have NT src access confirm this, please?

Thanks,
Calvin
-
Calvin Guan Software Engineer
ATI Technologies Inc. www.ati.com

P.S. The pseudo code of parport!PptDetectChipFilter does something like this (I’m not supposed to post the NT assembly code, am I?)

parport!PptDetectChipFilter(…)
{
KEVENT event;
IO_STATUS_BLOCK iosb;
PIRP Irp;

KeInitializeEvent(&event,…);
Irp = IoBuildDeviceIoControlRequest(
0x160048,
NextLowerDeviceObject,
Buffer,
0x1c,
Buffer,
0x1c,
InternalRequest, /1/
&event,
&iosb);
if (Irp) {
status = IoCallDriver(NextLowerDeviceObject,Irp);
if (STATUS_PENDING == status) {
KeWaitForSingleObject(&event,…);
if (STATUS_SUCCESS == Irp->IoStatus.Status) { <— BSOD –
// shoulda been (STATUS_SUCCESS == iosb.Status), eh??
//
// does something
//
}
}
}
}

ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=8cf64db8 edi=8c2bae70
eip=badeeb0c esp=f88ea9b8 ebp=f88ea9dc iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00210246
parport!PptDetectChipFilter+0x8c:
badeeb0c 8b4718 mov eax,[edi+0x18] <<– Irp->IoStatus.Status
Resetting default scope

STACK_TEXT:
f88ea9dc badf1b1d 8cf64db8 8bf2afd8 8bf2ae48 parport!PptDetectChipFilter+0x8c
f88eaa04 badf20c3 8cf64d00 8bf2ae48 8cf64d00 parport!PptFdoStartDevice+0xc1
f88eaa1c badf070b 8cf64d00 8bf2ae48 80817171 parport!PptFdoPnp+0x4f
f88eaa28 80817171 8cf64d00 8bf2ae48 809e72e4 parport!PptDispatchPnp+0x17
f88eaa38 8095f110 8bf2affc f88eaac8 8bf2ae48 nt!IopfCallDriver+0x31
f88eaa5c 808a24fa f88eaac8 84264f18 00000000 nt!IovCallDriver+0x9e
f88eaa88 808a2569 8cf64d00 f88eaaa4 00000000 nt!IopSynchronousCall+0xb8
f88eaac8 8081d9da 84264f18 c00002ce 00000001 nt!IopStartDevice+0x43
f88eaae4 808a1d53 84264f18 869b0f01 00000000 nt!PipProcessStartPhase1+0x4c
f88ead2c 808a218a 832a4ee8 00000001 00000000 nt!PipProcessDevNodeTree+0x171
f88ead54 8081e128 00000003 808742c0 808790dc nt!PiProcessStartSystemDevices+0x38
f88ead7c 80854267 00000000 00000000 82e5ada8 nt!PipDeviceActionWorker+0x162
f88eadac 808dc46c 00000000 00000000 00000000 nt!ExpWorkerThread+0xed
f88eaddc 80860ad6 8085417a 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16