Re: Problem manually creating IRP to submit from one driver to another

Is there some compelling reason for not using IoBuildDeviceIoControlRequest?

Also what are you doing with the FileObject returned from
IoGetDeviceObjectPointer?

=====================
Mark Roddy

-----Original Message-----
From: David West [mailto:David.West@cs.tcd.ie]
Sent: Thursday, October 09, 2003 11:48 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Re: Problem manually creating IRP to submit from one driver to another

Oh, and one other weird thing I observe about this problem.

After the calling driver calls IoGetDeviceObjectPointer, the driver being
called receives an IRP_MJ_CREATE, followed immediately by an IRP_MJ_CLEANUP.
Only later does it receive the IRP_MJ_INTERNAL_DEVICE_CONTROL after the
calling driver calls IoCallDriver. During processing of this IRP, the
called driver crashes while calling the IoCompleteRequest function.

In the user mode application, I notice the called driver receives the IRPs
in the different order IRP_MJ_CREATE, IRP_MJ_INTERNAL_DEVICE_CONTROL,
IRP_MJ_CLEANUP, IRP_MJ_CLOSE.

Thanks
----- Original Message -----
From: David West
To: Windows System Software Devs Interest List
Sent: Thursday, October 09, 2003 4:40 PM
Subject: [ntdev] Problem manually creating IRP to submit from one driver to another

Hi,

I'm trying to send a simple IOCTL to a driver from another driver, by
manually creating an IRP and submitting it (is there another way to do this
from within a driver?). Unfortunately I am getting a BugCheck 7E
(exception c0000005, indicating a memory access violation) when the driver
that is being called calls the IoCompleteRequest function.

When I test sending the IOCTL with a user mode application, using the
DeviceIoControl function, it executes without any problems.

This is the code I am using; are there any obvious problems/omissions? Am I
forgetting to initialise some part of the IRP or something? I've been stuck
on this for ages, please help!

ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);

// Open the target device: returns a referenced file object and the
// device object at the top of the target's device stack.
status = IoGetDeviceObjectPointer(
    &usDeviceName,
    FILE_READ_DATA,
    &m_pMyFileObject,
    &m_pMyDeviceObject
    );

if (!NT_SUCCESS(status)) {
    return STATUS_ERROR;
}

// Allocate an IRP with one stack location per driver in the target stack.
pIrp = IoAllocateIrp(m_pMyDeviceObject->StackSize, FALSE);

if (pIrp == NULL) {
    return STATUS_INSUFFICIENT_RESOURCES;
}

{
    PIO_STACK_LOCATION _IRPSP;
    pIrp->AssociatedIrp.SystemBuffer = pBuffer;
    IoSetCompletionRoutine(pIrp, NULL, NULL, FALSE, FALSE, FALSE);
    // Fill in the stack location the target driver will see as current.
    _IRPSP = IoGetNextIrpStackLocation(pIrp);
    _IRPSP->MajorFunction = IRP_MJ_INTERNAL_DEVICE_CONTROL;
    _IRPSP->MinorFunction = 0;
    _IRPSP->DeviceObject = m_pMyDeviceObject;
    _IRPSP->FileObject = m_pMyFileObject;
    _IRPSP->Parameters.DeviceIoControl.IoControlCode = IOCTL_DO_SOMETHING;
    _IRPSP->Parameters.DeviceIoControl.InputBufferLength = sizeof(BUFFER_TYPE);
    _IRPSP->Parameters.DeviceIoControl.OutputBufferLength = 0;
    _IRPSP->Parameters.DeviceIoControl.Type3InputBuffer = 0;
}

// Go ahead and submit the request
status = IoCallDriver(m_pMyDeviceObject, pIrp);

Thanks,
David

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@tcd.ie
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

I think the cleanup is a red herring. This is just an artifact of how
IoGetDeviceObjectPointer works: it closes the handle after incrementing the
reference count on the file object, thus provoking the cleanup but not the
close before he gets to do IO. This should (obviously, or NT is way broken)
not cause a problem, unless the target driver is doing something totally
wrong on a cleanup.

His problem, AFAICT, is that he is not using IoBuildDeviceIoControlRequest
and has thus most likely screwed up the construction of the IRP, causing a
null pointer reference in the target driver.

=====================
Mark Roddy

-----Original Message-----
From: James Antognini [mailto:xxxxx@mindspring.nospam.com]
Sent: Thursday, October 09, 2003 12:30 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Re: Problem manually creating IRP to submit from one driver to another

Without having tried this sort of thing myself, I would guess the
“weird” thing is due to IoGetDeviceObjectPointer() doing, in effect,
an open on the called device object.

As for your real problem, I suggest looking at the DDK, where there
are lots of examples of IoGetDeviceObjectPointer. Then I would look
at an IOCTL Irp produced by a user-space call and an Irp that you
build.

David West wrote:

> Oh, and one other weird thing I observe about this problem. After the
> calling driver calls IoGetDeviceObjectPointer, the driver being called
> receives an IRP_MJ_CREATE, followed immediately by an IRP_MJ_CLEANUP.
> Only later does it receive the IRP_MJ_INTERNAL_DEVICE_CONTROL after
> the calling driver calls IoCallDriver. During processing of this IRP,
> the called driver crashes while calling the IoCompleteRequest
> function. In the user mode application, I notice the called driver
> receives the IRPs in the different order IRP_MJ_CREATE,
> IRP_MJ_INTERNAL_DEVICE_CONTROL, IRP_MJ_CLEANUP, IRP_MJ_CLOSE.


If replying by e-mail, please remove “nospam.” from the address.

James Antognini
Windows DDK MVP


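Added example, not code from the thread or from any of its posters: the pattern Mark Roddy recommends above, sending the internal IOCTL with IoBuildDeviceIoControlRequest instead of a hand-built IRP, and releasing the file object that IoGetDeviceObjectPointer returned once the request has completed. It also ties in his explanation of the CREATE/CLEANUP pair: that pair happens inside IoGetDeviceObjectPointer (open, reference the file object, close the handle), and the target only sees IRP_MJ_CLOSE when the reference is finally dropped at the end of this routine. This is kernel-mode C and builds only against the WDK; IOCTL_DO_SOMETHING and BUFFER_TYPE are the original post's placeholders, and the function name and device name are assumptions.

```c
/* Added example (not from the thread). Kernel-mode C, builds only with
 * the WDK. IOCTL_DO_SOMETHING and BUFFER_TYPE are the original post's
 * placeholders; SendInternalIoctlToTarget and the device name are assumed. */
#include <ntddk.h>

NTSTATUS
SendInternalIoctlToTarget(
    PCWSTR       TargetDeviceName,   /* e.g. L"\\Device\\PLACEHOLDER_TARGET" */
    BUFFER_TYPE *Input
    )
{
    UNICODE_STRING     deviceName;
    PFILE_OBJECT       fileObject   = NULL;
    PDEVICE_OBJECT     deviceObject = NULL;
    KEVENT             event;
    IO_STATUS_BLOCK    iosb;
    PIRP               irp;
    PIO_STACK_LOCATION irpSp;
    NTSTATUS           status;

    /* IoGetDeviceObjectPointer and a blocking wait both need PASSIVE_LEVEL. */
    ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);

    RtlInitUnicodeString(&deviceName, TargetDeviceName);

    /* Opens a handle on the target device, references the resulting file
     * object, then closes the handle. The target therefore sees IRP_MJ_CREATE
     * followed at once by IRP_MJ_CLEANUP (the order reported in the thread);
     * IRP_MJ_CLOSE only arrives when the reference is dropped below. */
    status = IoGetDeviceObjectPointer(&deviceName,
                                      FILE_READ_DATA,
                                      &fileObject,
                                      &deviceObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    KeInitializeEvent(&event, NotificationEvent, FALSE);

    /* The I/O manager sets up the completion bookkeeping a hand-built IRP
     * tends to miss (UserEvent, UserIosb, the owning thread) and, for a
     * METHOD_BUFFERED code, allocates SystemBuffer and copies Input into it.
     * InternalDeviceIoControl == TRUE selects IRP_MJ_INTERNAL_DEVICE_CONTROL. */
    irp = IoBuildDeviceIoControlRequest(IOCTL_DO_SOMETHING,
                                        deviceObject,
                                        Input,
                                        sizeof(BUFFER_TYPE),
                                        NULL,          /* no output buffer */
                                        0,
                                        TRUE,          /* internal IOCTL */
                                        &event,
                                        &iosb);
    if (irp == NULL) {
        ObDereferenceObject(fileObject);
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    /* Give the target the file object from the open so its dispatch routine
     * sees the same per-open context a user-mode DeviceIoControl would carry. */
    irpSp = IoGetNextIrpStackLocation(irp);
    irpSp->FileObject = fileObject;

    status = IoCallDriver(deviceObject, irp);
    if (status == STATUS_PENDING) {
        KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);
        status = iosb.Status;
    }
    /* An IRP from IoBuildDeviceIoControlRequest is freed by the I/O manager
     * when it completes; do not call IoFreeIrp on it. */

    /* Drop the reference IoGetDeviceObjectPointer took. This is what finally
     * delivers IRP_MJ_CLOSE to the target driver. */
    ObDereferenceObject(fileObject);

    return status;
}
```

Because IoBuildDeviceIoControlRequest queues the IRP to the calling thread and the I/O manager frees it on completion, the caller only waits on the event and must not free the IRP itself; the file object reference is held until the request has completed so that the target's per-open context stays valid for the whole request.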