Queries about NDIS-WDF(USB) Miniport driver

NTDEV
1

Hello All ,
I am newbie developing a NDIS-WDF(USB) miniport driver , I have a couple of questions :

-> I have a interface with 2 alternate settings, I need to retrieve number of configured pipes for a particular alternate setting index 1 , what should I do ? I tried SetInterface to alternate index 1 and WdfInterfaceGetNumConfiguredPipes() but I still am getting the number of configured pipes as that of Index 0 (and not of alt setting 1)?

-> When is ndisCheckAdapterBindings() called , Is it called by the IM driver ? Because I am getting a bug check during Miniport Initialize , post the power settings check . I have posted the dump :

Please let me know if I have not been clear or if you need some more information .

TIA,
Venkatesh

//START OF DUMP

*** Fatal System Error: 0x00000050
(0xF830AF70,0x00000000,0xF7324E41,0x00000000)

Driver at fault:
*** NDIS.sys - Address F7324E41 base at F731D000, DateStamp 48025d03
.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Sat Nov 13 14:22:54.080 2010 (UTC + 5:30)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
.
Loading User Symbols

Loading unloaded module list
........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {f830af70, 0, f7324e41, 0}

Probably caused by : NDIS.sys ( NDIS!ndisCheckAdapterBindings+dd )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
8052b60c cc int 3
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f830af70, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: f7324e41, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

READ_ADDRESS: f830af70 Nonpaged pool expansion

FAULTING_IP:
NDIS!ndisCheckAdapterBindings+dd
f7324e41 80b8f03132f700 cmp byte ptr NDIS!ndisMediaTypeCl (f73231f0)[eax],0

MM_INTERNAL_CODE: 0

IMAGE_NAME: NDIS.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48025d03

MODULE_NAME: NDIS

FAULTING_MODULE: f731d000 NDIS

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: System

TRAP_FRAME: f7a00c64 -- (.trap 0xfffffffff7a00c64)
ErrCode = 00000000
eax=00fe7d80 ebx=861f4ad0 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=f7324e41 esp=f7a00cd8 ebp=f7a00d58 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
NDIS!ndisCheckAdapterBindings+0xdd:
f7324e41 80b8f03132f700 cmp byte ptr NDIS!ndisMediaTypeCl (f73231f0)[eax],0 ds:0023:f830af70=??
Resetting default scope

LAST_CONTROL_TRANSFER: from 804f8e09 to 8052b60c

STACK_TEXT:
f7a00798 804f8e09 00000003 f830af70 00000000 nt!RtlpBreakWithStatusInstruction
f7a007e4 804f99f4 00000003 00000000 c07c1850 nt!KiBugCheckDebugBreak+0x19
f7a00bc4 804f9f43 00000050 f830af70 00000000 nt!KeBugCheck2+0x574
f7a00be4 8052039a 00000050 f830af70 00000000 nt!KeBugCheckEx+0x1b
f7a00c4c 805445c0 00000000 f830af70 00000000 nt!MmAccessFault+0x9a8
f7a00c4c f7324e41 00000000 f830af70 00000000 nt!KiTrap0E+0xd0
f7a00d58 f73276d6 862034d0 80564820 873c32b8 NDIS!ndisCheckAdapterBindings+0xdd
f7a00d6c f7323bfe 862034c8 001f4ad0 f7a00dac NDIS!ndisQueuedCheckAdapterBindings+0x83
f7a00d7c 8053879d 862034c8 00000000 873c32b8 NDIS!ndisWorkItemHandler+0xe
f7a00dac 805cff62 862034c8 00000000 00000000 nt!ExpWorkerThread+0xef
f7a00ddc 8054612e 805386ae 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
NDIS!ndisCheckAdapterBindings+dd
f7324e41 80b8f03132f700 cmp byte ptr NDIS!ndisMediaTypeCl (f73231f0)[eax],0

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: NDIS!ndisCheckAdapterBindings+dd

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0x50_NDIS!ndisCheckAdapterBindings+dd

BUCKET_ID: 0x50_NDIS!ndisCheckAdapterBindings+dd

Followup: MachineOwner

//END OF DUMP

2

ndisCheckAdapterBindings() is the internal routine that runs when NDIS is
binding or unbinding protocols from adapters.

Since you are working on a Miniport Adapter driver, let's just assume it was
caused by your driver.

Do you know if your driver was called at MiniportInitialize just before the
crash?

I am going to guess further that your adapter is being asked its media type
and you may have answered some completely bogus value. The guess is based
on the crash-site which is using the value of media type to index a static
array. Please check and verify that you processing of MiniportInitialize
correctly selects a value to store at the address passed in
SelectedMediumIndex.

Good Luck,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Saturday, November 13, 2010 5:25 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Queries about NDIS-WDF(USB) Miniport driver

Hello All ,
I am newbie developing a NDIS-WDF(USB) miniport driver , I
have a couple of questions :

-> I have a interface with 2 alternate settings, I need to retrieve number
of configured pipes for a particular alternate setting index 1 , what should
I do ? I tried SetInterface to alternate index 1 and
WdfInterfaceGetNumConfiguredPipes() but I still am getting the number of
configured pipes as that of Index 0 (and not of alt setting 1)?

-> When is ndisCheckAdapterBindings() called , Is it called by the IM driver
? Because I am getting a bug check during Miniport Initialize , post the
power settings check . I have posted the dump :

Please let me know if I have not been clear or if you need some more
information .

TIA,
Venkatesh

//START OF DUMP

*** Fatal System Error: 0x00000050
(0xF830AF70,0x00000000,0xF7324E41,0x00000000)

Driver at fault:
*** NDIS.sys - Address F7324E41 base at F731D000, DateStamp 48025d03
.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Sat Nov 13
14:22:54.080 2010 (UTC + 5:30)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
.
Loading User Symbols

Loading unloaded module list
........
****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***

Use !analyze -v to get detailed debugging information.

BugCheck 50, {f830af70, 0, f7324e41, 0}

Probably caused by : NDIS.sys ( NDIS!ndisCheckAdapterBindings+dd )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
8052b60c cc int 3
1: kd> !analyze -v
****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by
try-except,
it must be protected by a Probe. Typically the address is just plain bad or
it
is pointing at freed memory.
Arguments:
Arg1: f830af70, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: f7324e41, If non-zero, the instruction address which referenced the
bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

READ_ADDRESS: f830af70 Nonpaged pool expansion

FAULTING_IP:
NDIS!ndisCheckAdapterBindings+dd
f7324e41 80b8f03132f700 cmp byte ptr NDIS!ndisMediaTypeCl
(f73231f0)[eax],0

MM_INTERNAL_CODE: 0

IMAGE_NAME: NDIS.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48025d03

MODULE_NAME: NDIS

FAULTING_MODULE: f731d000 NDIS

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: System

TRAP_FRAME: f7a00c64 -- (.trap 0xfffffffff7a00c64)
ErrCode = 00000000
eax=00fe7d80 ebx=861f4ad0 ecx=00000000 edx=00000000 esi=00000000
edi=00000000
eip=f7324e41 esp=f7a00cd8 ebp=f7a00d58 iopl=0 nv up ei pl zr na pe
nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010246
NDIS!ndisCheckAdapterBindings+0xdd:
f7324e41 80b8f03132f700 cmp byte ptr NDIS!ndisMediaTypeCl
(f73231f0)[eax],0 ds:0023:f830af70=??
Resetting default scope

LAST_CONTROL_TRANSFER: from 804f8e09 to 8052b60c

STACK_TEXT:
f7a00798 804f8e09 00000003 f830af70 00000000
nt!RtlpBreakWithStatusInstruction
f7a007e4 804f99f4 00000003 00000000 c07c1850 nt!KiBugCheckDebugBreak+0x19
f7a00bc4 804f9f43 00000050 f830af70 00000000 nt!KeBugCheck2+0x574
f7a00be4 8052039a 00000050 f830af70 00000000 nt!KeBugCheckEx+0x1b
f7a00c4c 805445c0 00000000 f830af70 00000000 nt!MmAccessFault+0x9a8
f7a00c4c f7324e41 00000000 f830af70 00000000 nt!KiTrap0E+0xd0
f7a00d58 f73276d6 862034d0 80564820 873c32b8
NDIS!ndisCheckAdapterBindings+0xdd
f7a00d6c f7323bfe 862034c8 001f4ad0 f7a00dac
NDIS!ndisQueuedCheckAdapterBindings+0x83
f7a00d7c 8053879d 862034c8 00000000 873c32b8 NDIS!ndisWorkItemHandler+0xe
f7a00dac 805cff62 862034c8 00000000 00000000 nt!ExpWorkerThread+0xef
f7a00ddc 8054612e 805386ae 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
NDIS!ndisCheckAdapterBindings+dd
f7324e41 80b8f03132f700 cmp byte ptr NDIS!ndisMediaTypeCl
(f73231f0)[eax],0

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: NDIS!ndisCheckAdapterBindings+dd

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0x50_NDIS!ndisCheckAdapterBindings+dd

BUCKET_ID: 0x50_NDIS!ndisCheckAdapterBindings+dd

Followup: MachineOwner

//END OF DUMP

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:

To unsubscribe, visit the List Server section of OSR Online at

3

Did you explicitly select the 2nd interface?

d

dent from a phpne with no keynoard

-----Original Message-----
From: xxxxx@gmail.com
Sent: November 13, 2010 2:25 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Queries about NDIS-WDF(USB) Miniport driver

Hello All ,
I am newbie developing a NDIS-WDF(USB) miniport driver , I have a couple of questions :

-> I have a interface with 2 alternate settings, I need to retrieve number of configured pipes for a particular alternate setting index 1 , what should I do ? I tried SetInterface to alternate index 1 and WdfInterfaceGetNumConfiguredPipes() but I still am getting the number of configured pipes as that of Index 0 (and not of alt setting 1)?

-> When is ndisCheckAdapterBindings() called , Is it called by the IM driver ? Because I am getting a bug check during Miniport Initialize , post the power settings check . I have posted the dump :

Please let me know if I have not been clear or if you need some more information .

TIA,
Venkatesh

//START OF DUMP

Fatal System Error: 0x00000050
(0xF830AF70,0x00000000,0xF7324E41,0x00000000)

Driver at fault:
 NDIS.sys - Address F7324E41 base at F731D000, DateStamp 48025d03
.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Sat Nov 13 14:22:54.080 2010 (UTC + 5:30)), ptr64 FALSE
Loading Kernel Symbols


.
Loading User Symbols

Loading unloaded module list
Bugcheck Analysis



Use !analyze -v to get detailed debugging information.

BugCheck 50, {f830af70, 0, f7324e41, 0}

Probably caused by : NDIS.sys ( NDIS!ndisCheckAdapterBindings+dd )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8052b60c cc int 3
1: kd> !analyze -v
Bugcheck Analysis



PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f830af70, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: f7324e41, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

READ_ADDRESS: f830af70 Nonpaged pool expansion

FAULTING_IP:
NDIS!ndisCheckAdapterBindings+dd
f7324e41 80b8f03132f700 cmp byte ptr NDIS!ndisMediaTypeCl (f73231f0)[eax],0

MM_INTERNAL_CODE: 0

IMAGE_NAME: NDIS.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48025d03

MODULE_NAME: NDIS

FAULTING_MODULE: f731d000 NDIS

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: System

TRAP_FRAME: f7a00c64 – (.trap 0xfffffffff7a00c64)
ErrCode = 00000000
eax=00fe7d80 ebx=861f4ad0 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=f7324e41 esp=f7a00cd8 ebp=f7a00d58 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
NDIS!ndisCheckAdapterBindings+0xdd:
f7324e41 80b8f03132f700 cmp byte ptr NDIS!ndisMediaTypeCl (f73231f0)[eax],0 ds:0023:f830af70=??
Resetting default scope

LAST_CONTROL_TRANSFER: from 804f8e09 to 8052b60c

STACK_TEXT:
f7a00798 804f8e09 00000003 f830af70 00000000 nt!RtlpBreakWithStatusInstruction
f7a007e4 804f99f4 00000003 00000000 c07c1850 nt!KiBugCheckDebugBreak+0x19
f7a00bc4 804f9f43 00000050 f830af70 00000000 nt!KeBugCheck2+0x574
f7a00be4 8052039a 00000050 f830af70 00000000 nt!KeBugCheckEx+0x1b
f7a00c4c 805445c0 00000000 f830af70 00000000 nt!MmAccessFault+0x9a8
f7a00c4c f7324e41 00000000 f830af70 00000000 nt!KiTrap0E+0xd0
f7a00d58 f73276d6 862034d0 80564820 873c32b8 NDIS!ndisCheckAdapterBindings+0xdd
f7a00d6c f7323bfe 862034c8 001f4ad0 f7a00dac NDIS!ndisQueuedCheckAdapterBindings+0x83
f7a00d7c 8053879d 862034c8 00000000 873c32b8 NDIS!ndisWorkItemHandler+0xe
f7a00dac 805cff62 862034c8 00000000 00000000 nt!ExpWorkerThread+0xef
f7a00ddc 8054612e 805386ae 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
NDIS!ndisCheckAdapterBindings+dd
f7324e41 80b8f03132f700 cmp byte ptr NDIS!ndisMediaTypeCl (f73231f0)[eax],0

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: NDIS!ndisCheckAdapterBindings+dd

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0x50_NDIS!ndisCheckAdapterBindings+dd

BUCKET_ID: 0x50_NDIS!ndisCheckAdapterBindings+dd

Followup: MachineOwner
---------

//END OF DUMP


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

4

Thanks guys for your pointers…

5

Hello all ,
I am facing a strange issue . I am able to retrieve the bulk write pipe which I verified to be correct.
-> I have started the IoTarget both (read and write pipes) using WdfIoTargetStart().
-> I have created a Request Object with its Parent Object as the IoTarget Handle obtained from the Bulk write pipe and a wdf memory object with its parent as the Request Object handle .
-> I am using WdfRequestSend() to send the request that I created , I am giving the time out value as
WDF_REL_TIMEOUT_IN_SEC(150) , but still I always get STATUS_PENDING in my completion routine !
-> I tried even sending synchronously but i still get STATUS_PENDING .

I observed that ACPI driver is returning STATUS_CANCELLED. The same device is working fine with linux driver .

Can any-body give some pointers on where i am going wrong . If you want , I will post the code snippet also.

TIA,
Venkatesh

6

xxxxx@gmail.com wrote:

I am facing a strange issue . I am able to retrieve the bulk write pipe which I verified to be correct.
-> I have started the IoTarget both (read and write pipes) using WdfIoTargetStart().
-> I have created a Request Object with its Parent Object as the IoTarget Handle obtained from the Bulk write pipe and a wdf memory object with its parent as the Request Object handle .
-> I am using WdfRequestSend() to send the request that I created , I am giving the time out value as
WDF_REL_TIMEOUT_IN_SEC(150) , but still I always get STATUS_PENDING in my completion routine !
-> I tried even sending synchronously but i still get STATUS_PENDING .

You should never see STATUS_PENDING in a completion routine. The
completion routine won’t be called until the request is complete. Where
do you see STATUS_PENDING, exactly?

I observed that ACPI driver is returning STATUS_CANCELLED. The same device is working fine with linux driver .

If you are sending a USB URB, then how does ACPI get involved?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

7

-> My mistake, I messed up ! I am getting STATUS_IO_TIMEOUT in the completion routine and STATUS_PENDING during sync send .
-> I checked using USBLyzer , my device stack is shown to be MyDevice —> ACPI —> usbhub .