Sending SCSI requests from a KMDF filter driver

Hi, I have a KMDF filter driver (based on the OSR code found here: http://www.osronline.com/article.cfm?article=446) installed as a lower filter for a USB device (currently a mass storage device). I look for SCSI write commands to the device based on the CDB in the SRB, and this works. When I find a write, I want to send another SCSI command (SRB) to the device; this does not work.

In my attempt to send this new command I followed the code for SendXrb (found here: http://blogs.msdn.com/doronh/archive/2006/08/16/703157.aspx) but modified it to do a synchronous call by using WdfIoTargetSendInternalIoctlOthersSynchronously(). My call looks like this:
status = WdfIoTargetSendInternalIoctlOthersSynchronously(mTarget, NULL, IOCTL_SCSI_EXECUTE_NONE, &memDescriptor, NULL, NULL, NULL, NULL);

According to the NTSTATUS I have a bad parameter, any ideas? Also, is this the correct way to create and send a request inside a KMDF filter? Thanks!

Here is the code leading up to the WdfIoTargetSend call, sorry I forgot to post it earlier:

// Excerpt from the body of a filter-driver routine (its signature is not shown).
// It builds a second SRB with no data transfer and sends it synchronously to the
// device's default I/O target. Queue, pFilterSrb and deviceControlIrp are defined
// outside this excerpt. The typographic quotes around the trace strings and the
// pool tag come from the forum rendering; real source needs plain " and '.
WDFIOTARGET mTarget;
WDFMEMORY memory;
PSCSI_REQUEST_BLOCK pSrb;
PVOID senseInfoBuffer = NULL;
// NOTE(review): 'options' is never used in the visible code, and the send below
// passes NULL for its request options, so no framework timeout is set there.
WDF_REQUEST_SEND_OPTIONS options;
NTSTATUS status;
PDEVICE_CONTEXT devCont;
WDF_MEMORY_DESCRIPTOR memDescriptor;

// The device context is fetched and sanity-checked but not otherwise used in the
// visible code. ASSERT only fires in checked/debug builds.
devCont = WdfFltrGetDeviceContext(WdfIoQueueGetDevice(Queue));
ASSERT(IS_DEVICE_CONTEXT(devCont));

// Trace two fields of the intercepted SRB for diagnosis.
WdfFltrTrace((“Original srb function - 0x%x\n”, pFilterSrb->Function));
WdfFltrTrace((“Original srb Cdb length - 0x%x\n”, pFilterSrb->CdbLength));

// Default I/O target of this device, i.e. the next driver below the filter.
mTarget = WdfDeviceGetIoTarget(WdfIoQueueGetDevice(Queue));

// Allocate the SRB as framework memory in nonpaged pool. No parent object is given,
// so the cleanup code that is not shown presumably has to delete 'memory' (confirm).
status = WdfMemoryCreate(WDF_NO_OBJECT_ATTRIBUTES, NonPagedPool, 0, sizeof(SCSI_REQUEST_BLOCK), &memory, (PVOID*)&pSrb);
if(NT_SUCCESS(status))
{
// Describe the SRB buffer by its WDFMEMORY handle for the send call below.
WDF_MEMORY_DESCRIPTOR_INIT_HANDLE(&memDescriptor, memory, NULL);
//Format the SRB
// The buffer was sized with sizeof(SCSI_REQUEST_BLOCK) but is cleared with
// SCSI_REQUEST_BLOCK_SIZE; the two must be equal or this write runs past the
// allocation. TODO confirm against the srb.h in use.
RtlZeroMemory(pSrb, SCSI_REQUEST_BLOCK_SIZE);
pSrb->Length = SCSI_REQUEST_BLOCK_SIZE;
pSrb->Function = SRB_FUNCTION_EXECUTE_SCSI;
// 10-byte CDB; only bytes 0, 7 and 8 are set to non-zero values further down.
pSrb->CdbLength = 0xa;
// The length 18 is repeated in the pool allocation below; the two values must stay
// in step, because the lower stack may write up to this many sense bytes.
pSrb->SenseInfoBufferLength = 18;
// Sense buffer is in aligned nonpaged pool.
// NOTE(review): on Windows 8 and later the no-execute pool types are preferred for
// plain data buffers such as this one. The allocation must be freed on every exit
// path, including a failed send; the cleanup code is not shown here.
senseInfoBuffer = ExAllocatePoolWithTag(NonPagedPoolCacheAligned, 18, ‘MOOB’);
if(senseInfoBuffer != NULL)
{
pSrb->SenseInfoBuffer = senseInfoBuffer;
pSrb->TimeOutValue = pFilterSrb->TimeOutValue;
pSrb->DataBuffer = NULL;
// NOTE(review): deviceControlIrp is declared outside this excerpt. The send below
// passes a NULL request, so the IRP that carries this SRB is presumably a different
// one from the IRP stored here. Confirm that the lower drivers tolerate this.
pSrb->OriginalRequest = deviceControlIrp;
pSrb->QueueAction = SRB_SIMPLE_TAG_REQUEST;
pSrb->DataTransferLength = 0;
// NOTE(review): the flags are copied from the intercepted SRB, which per the post is
// a write. A data-direction flag would contradict the NULL DataBuffer and the zero
// DataTransferLength set above; confirm whether SRB_FLAGS_NO_DATA_TRANSFER was meant.
pSrb->SrbFlags = pFilterSrb->SrbFlags;
pSrb->ScsiStatus = 0;
pSrb->SrbStatus = 0;
pSrb->NextSrb = NULL;

// Clear all 16 CDB bytes, then fill in the opcode and two parameter bytes.
RtlZeroMemory(pSrb->Cdb, sizeof(UCHAR)*16);
pSrb->Cdb[0] = (UCHAR)0xC1; //Our custom scsi command
pSrb->Cdb[7] = (UCHAR)0xAB; //pFilterSrb->Cdb[7];
pSrb->Cdb[8] = (UCHAR)0xCD; //pFilterSrb->Cdb[8];

// Synchronous internal IOCTL carrying the SRB descriptor as the first "other" argument.
// NOTE(review): the synchronous send routines are documented for PASSIVE_LEVEL only,
// and the use of Queue suggests this runs in a queue callback; confirm the IRQL here.
// With no request options there is no timeout, so a device that never completes the
// command would block this thread indefinitely.
status = WdfIoTargetSendInternalIoctlOthersSynchronously(mTarget, NULL, IOCTL_SCSI_EXECUTE_NONE, &memDescriptor, NULL, NULL, NULL, NULL);
if(NT_SUCCESS(status))
{
// Only success is traced. Logging 'status', SrbStatus and ScsiStatus on failure
// would show which layer rejected the request.
WdfFltrTrace((“Send passed\n”));
}
… (clean up code follows)

Try dumping the log for your driver:
load dbg extension: !load <path_to>\wdfkd.dll
run !wdftmffile
or
run !wdfsearchpath
dump log: !wdflogdump <driver_name> (see !wdfldr for this name).
The log should contain more info about the problem.

Thx,
Egi.

I don’t have kernel debugging fully operational and I’m guessing that I can’t generate this log file locally can I? Thanks for the response.

~Jamey

You can try using windbg->kernel debugging->local.
I never used it in this environment but maybe it will work.
Remember to enable kernel debugging for the OS with bcdedit (you may need to reboot the first time).

Egi.

Thanks for the tip, I will continue with the debugger and see what I can turn up.