Strange BSOD: DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)

NTDEV
1

Hi all,

We develop a driver for a modem, and during DevPathExer test we get a strange BSOD:

DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)
The IO manager has caught a misbehaving driver.
Arguments:
Arg1: 00000215, A non-successful non-STATUS_NOT_SUPPORTED IRP status for
IRP_MJ_PNP is being
passed down stack. Failed PNP IRPs must be completed.
Arg2: 88e5c21e, The address in the driver’s code where the error was detected.
Arg3: b1a4aed8, IRP address.
Arg4: 00000000

From my logs I can’t see that we get calls in the driver for d0Entry of d0Exit callbacks, so it seems that we couldn’t handle the IRP_MJ_PNP incorrectly.

From another reproduction we got an exception when the message “A non-successful non-STATUS_NOT_SUPPORTED IRP status for IRP_MJ_PNP is being passed down stack. Failed PNP IRPs must be completed.” was printed, and when I stopped the debugger and dumped the stack, I could see that the IRP is forwarded by modem.sys, but probably doesn’t reach our driver:

STACK_TEXT:
807ec830 8301dda1 00000215 977ea429 8c33b338 nt!ViErrorFinishReport+0x43
807ec878 830249d1 00000215 8c33b414 8c33b338 nt!VfErrorReport1+0x4d
807ec89c 8301d94e 8c33b438 8c33b414 00000001 nt!VfPnpVerifyIrpStackDownward+0xb1
807ec8b8 8301b716 8c387c08 94167ea0 8c33b438 nt!VfMajorVerifyIrpStackDownward+0x3e
807ec918 8301af05 8c2c3008 8c33b338 8c2c3008 nt!IovpCallDriver1+0x58e
807ec92c 830155db 94167ea0 8c2c3008 94167ea0 nt!VfBeforeCallDriver+0xfd
807ec950 8284afa7 977ea429 8c33b430 977ea2f4 nt!IovCallDriver+0x23b
807ec96c 977ea429 8c33b718 8c33b338 8c33b5e8 nt!IofCallDriver+0x1d
807ec980 977ef878 94167ea0 8c33b338 8c33b530 modem!ForwardIrp+0xdb
807ec9a8 8301564c 8c33b530 8c33b338 8c33b530 modem!ModemPnP+0x1aa
807ec9cc 8284afa7 00000000 8c33b45c 807eca74 nt!IovCallDriver+0x2ac
807ec9e8 82d58b0f 8c377be0 8e266dd8 8c377be0 nt!IofCallDriver+0x1d
807eca18 82d58e7e 8c377be0 807eca50 c00000bb nt!IopSynchronousCall+0x111
807eca78 82d43221 8c377be0 00000017 8e266dd8 nt!IopRemoveDevice+0x130
807ecaa8 82d4306c 00000000 81e619d8 00000000 nt!PnpSurpriseRemoveLockedDeviceNode+0x14f
807ecabc 82d43485 00000003 81e619d8 00000000 nt!PnpDeleteLockedDeviceNode+0x62
807ecaf4 82d4e5ff 8c377be0 81e619d8 00000003 nt!PnpDeleteLockedDeviceNodes+0x85
807ecbb4 82d4ee56 807ecbe8 93f5ddd0 00000000 nt!PnpProcessQueryRemoveAndEject+0x673
807ecbcc 82d4d446 00000000 8ddfa9e8 84de34c0 nt!PnpProcessTargetDeviceEvent+0x66
807ecd04 82994591 8ddfa9e8 84dd9768 84de34c0 nt!PnpDeviceEventWorker+0x3e0
807ecd54 82f0710c 00000001 cb945f3f 00000000 nt!ExpWorkerThread+0x129
807ecd90 829b1cc5 82994468 00000001 00000000 nt!PspSystemThreadStartup+0x178
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

I can’t say where the exception occurred exactly, because it was not in our driver, and we disabled the debug prints in order to reproduce the issue.

What could the problem be? What should I look for here? What could be a common scenario when this bugcheck occurs?

Thanks for help,
S.

2

You should provide more information about this problem. I suggest to you to track Major and Minor codes of Irp. Where is your driver in the stack?
Also, using !irp in WinDbg could give detail information of the Irp.

Igor Sharovar

3

Hello Igor,

Thank you for your reply.

Where is your driver in the stack?
My driver is placed just below the modem.sys (the next lower driver for it).

Also, using !irp in WinDbg could give detail information of the Irp.
Here is the output, which in fact is confusing.

kd> !irp 8909F518 2
Irp is active with 5 stacks 6 is current (= 0x8909f63c)
No Mdl: No System Buffer: Thread 8c02dc90: Irp is completed. Pending has been returned
Flags = 40000000
ThreadListEntry.Flink = 8c02dedc
ThreadListEntry.Blink = 8c02dedc
IoStatus.Status = c0000056
IoStatus.Information = 00000000
RequestorMode = 00000000
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 80795b28
UserEvent = 80795b30
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 00000000
&Tail.Overlay.DeviceQueueEntry = 8909f558
Tail.Overlay.Thread = 8c02dc90
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = 8909f63c
Tail.Overlay.OriginalFileObject = 00000000
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
cmd flg cl Device File Completion-Context
[0, 0] 0 2 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 c0000056
[0, 0] 0 10 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[e, 0] 0 10 890acd30 00000000 00000000-8909f5f4
\Driver\cdc_acm_modem
Args: 00000000 00000000 00000000 00000000
[e, 0] 0 10 890ae8f0 00000000 8bfb81e6-80795a78
\DRIVER\VERIFIER_FILTER modem!IoCompletionSetEvent
Args: 00000000 00000000 00000000 00000000
[1b,17] 0 0 890ae528 00000000 00000000-00000000
\Driver\Modem
Args: 00000000 00000000 00000000 00000000

If I understand the output correctly, we have IRP_MJ_PNP IRP_MN_SURPRISE_REMOVAL which should be completed by \Driver\Modem, and modem issued IOCTL from it’s dispatch routine. I printed that IOCTL, it is IOCTL_SERIAL_PURGE. According to MSDN, when surprise removal is invoked (and as a result, d0_exit routine was invoked in the driver), Serial IOCTLS should be completed by STATUS_DELETE_PENDING, which we actually return in the driver.
That’s the value that I can see in the IoStatus.Status = c0000056.

What do I miss here?

Thanks,
S.

4

The Arg1 description could be confusing for less WDM savvy folks. There are
just too many “not” and “non” in a short sentence.

Calvin

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Friday, October 23, 2009 1:51 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Strange BSOD: DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)

Hi all,

We develop a driver for a modem, and during DevPathExer test we get a
strange BSOD:

DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)
The IO manager has caught a misbehaving driver.
Arguments:
Arg1: 00000215, A non-successful non-STATUS_NOT_SUPPORTED IRP status for
IRP_MJ_PNP is being
passed down stack. Failed PNP IRPs must be completed.
Arg2: 88e5c21e, The address in the driver’s code where the error was
detected.
Arg3: b1a4aed8, IRP address.
Arg4: 00000000

From my logs I can’t see that we get calls in the driver for d0Entry of
d0Exit callbacks, so it seems that we couldn’t handle the IRP_MJ_PNP
incorrectly.

From another reproduction we got an exception when the message “A
non-successful non-STATUS_NOT_SUPPORTED IRP status for IRP_MJ_PNP is being
passed down stack. Failed PNP IRPs must be completed.” was printed, and
when I stopped the debugger and dumped the stack, I could see that the IRP
is forwarded by modem.sys, but probably doesn’t reach our driver:

STACK_TEXT:
807ec830 8301dda1 00000215 977ea429 8c33b338 nt!ViErrorFinishReport+0x43
807ec878 830249d1 00000215 8c33b414 8c33b338 nt!VfErrorReport1+0x4d
807ec89c 8301d94e 8c33b438 8c33b414 00000001
nt!VfPnpVerifyIrpStackDownward+0xb1
807ec8b8 8301b716 8c387c08 94167ea0 8c33b438
nt!VfMajorVerifyIrpStackDownward+0x3e
807ec918 8301af05 8c2c3008 8c33b338 8c2c3008 nt!IovpCallDriver1+0x58e
807ec92c 830155db 94167ea0 8c2c3008 94167ea0 nt!VfBeforeCallDriver+0xfd
807ec950 8284afa7 977ea429 8c33b430 977ea2f4 nt!IovCallDriver+0x23b
807ec96c 977ea429 8c33b718 8c33b338 8c33b5e8 nt!IofCallDriver+0x1d
807ec980 977ef878 94167ea0 8c33b338 8c33b530 modem!ForwardIrp+0xdb
807ec9a8 8301564c 8c33b530 8c33b338 8c33b530 modem!ModemPnP+0x1aa
807ec9cc 8284afa7 00000000 8c33b45c 807eca74 nt!IovCallDriver+0x2ac
807ec9e8 82d58b0f 8c377be0 8e266dd8 8c377be0 nt!IofCallDriver+0x1d
807eca18 82d58e7e 8c377be0 807eca50 c00000bb nt!IopSynchronousCall+0x111
807eca78 82d43221 8c377be0 00000017 8e266dd8 nt!IopRemoveDevice+0x130
807ecaa8 82d4306c 00000000 81e619d8 00000000
nt!PnpSurpriseRemoveLockedDeviceNode+0x14f
807ecabc 82d43485 00000003 81e619d8 00000000
nt!PnpDeleteLockedDeviceNode+0x62
807ecaf4 82d4e5ff 8c377be0 81e619d8 00000003
nt!PnpDeleteLockedDeviceNodes+0x85
807ecbb4 82d4ee56 807ecbe8 93f5ddd0 00000000
nt!PnpProcessQueryRemoveAndEject+0x673
807ecbcc 82d4d446 00000000 8ddfa9e8 84de34c0
nt!PnpProcessTargetDeviceEvent+0x66
807ecd04 82994591 8ddfa9e8 84dd9768 84de34c0 nt!PnpDeviceEventWorker+0x3e0
807ecd54 82f0710c 00000001 cb945f3f 00000000 nt!ExpWorkerThread+0x129
807ecd90 829b1cc5 82994468 00000001 00000000 nt!PspSystemThreadStartup+0x178
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

I can’t say where the exception occurred exactly, because it was not in our
driver, and we disabled the debug prints in order to reproduce the issue.

What could the problem be? What should I look for here? What could be a
common scenario when this bugcheck occurs?

Thanks for help,
S.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

5

Calvin Guan wrote:

The Arg1 description could be confusing for less WDM savvy folks. There are
just too many “not” and “non” in a short sentence.

DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)
The IO manager has caught a misbehaving driver.
Arguments:
Arg1: 00000215, A non-successful non-STATUS_NOT_SUPPORTED IRP status for
IRP_MJ_PNP is being
passed down stack. Failed PNP IRPs must be completed.

What would you suggest?

IRP_MJ_PNP with a failure status (other than STATUS_NOT_SUPPORTED) is
being
pushed down the stack. Failed PNP IRPs must be completed, not passed on.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.