System crash with USB bus driver - continuation

Hi,

I am writing a virtual bus driver for multi-function printers (MFP).
My MFPs are working properly. But after a disconnect the system
is crashing for a Canon MP810.

My problem is the same as described in Thread no 110182: http://www.osronline.com/ShowThread.cfm?link=110182

The bus driver cancels all IRPs with IoCancelIrp. An appropriate
cancel routine is set and all IRPs are cancelled correctly.
But the usbccgp.sys driver seems to cancel an IRP that does not
exist.

Can anybody help me?

Kernel debugger output:

*** Fatal System Error: 0x000000d1
(0xF886FDD0,0x00000002,0x00000000,0xF886FDD0)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols

Loading unloaded module list

Loading User Symbols


*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {f886fdd0, 2, 0, f886fdd0}

Probably caused by : usbccgp.sys ( usbccgp+1dd0 )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
804e3592 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: f886fdd0, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: f886fdd0, address which referenced memory

Debugging Details:

READ_ADDRESS: f886fdd0 Nonpaged pool

CURRENT_IRQL: 2

FAULTING_IP:
usbccgp+1dd0
f886fdd0 ?? ???

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from 80501b8f to f886fdd0

TRAP_FRAME: f39e7bb8 -- (.trap fffffffff39e7bb8)
ErrCode = 00000000
eax=f886fdd0 ebx=806ed000 ecx=81ffb478 edx=1e000024 esi=81ffb3c0 edi=81fb1230
eip=f886fdd0 esp=f39e7c2c ebp=f39e7c44 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010297
<unloaded_usbccgp.sys>+0x1dd0:
f886fdd0 ?? ???
Resetting default scope

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f39e7c28 80501b8f 81fdfe20 81ffb3c0 81ffb3d0 <unloaded_usbccgp.sys>+0x1dd0
f39e7c44 805895f6 81ffb3c0 820a8bf8 81fb1020 nt!IoCancelIrp+0x6f
f39e7c6c 8057b57f 81fb1020 81fb1020 81fb1268 nt!IoCancelThreadIo+0x33
f39e7d14 8057b746 00000000 00000000 81fb1020 nt!PspExitThread+0x442
f39e7d34 8057bd1f 81fb1020 00000000 f39e7d64 nt!PspTerminateThreadByPointer+0x52
f39e7d54 804de7ec 00000000 00000000 016bffb4 nt!NtTerminateThread+0x70
f39e7d54 7c91eb94 00000000 00000000 016bffb4 nt!KiFastCallEntry+0xf8
016bff70 7c91e8af 7c80c0b3 00000000 00000000 ntdll!KiFastSystemCallRet
016bff74 7c80c0b3 00000000 00000000 7c920732 ntdll!NtTerminateThread+0xc
016bffb4 7c80b688 00000000 7c920732 00000002 kernel32!ExitThread+0x8b
016bffec 00000000 673991c5 000bad60 00000000 kernel32!BaseThreadStart+0x3c

I don’t know what you did, but this is damn strange. I’d be curious to
see the code, because your trap frame shows that the fault is occurring
at an instruction that is referencing its own address (EAX=EIP), which
seems suspect to me, unless it is saying that the code itself is MIA. I
didn’t read the original thread, and I don’t have much to offer, but I
think your !analyze is worthless.
mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@seh.de
Sent: Monday, July 02, 2007 04:25
To: Windows System Software Devs Interest List
Subject: [ntdev] System crash with USB bus driver - continuation

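
The reply's observation (EAX=EIP, the code itself missing) can be checked mechanically against the posted dump. The Python script below is an added example, not part of the original thread; `triage` and its result keys are hypothetical names, and the sample input is copied from the `!analyze -v` output above.

```python
import re

# Sample input: lines copied from the !analyze -v output posted in this thread.
SAMPLE = """\
BugCheck D1, {f886fdd0, 2, 0, f886fdd0}
Arg1: f886fdd0, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: f886fdd0, address which referenced memory
eax=f886fdd0 ebx=806ed000 ecx=81ffb478 edx=1e000024 esi=81ffb3c0 edi=81fb1230
eip=f886fdd0 esp=f39e7c2c ebp=f39e7c44 iopl=0 nv up ei ng nz ac po cy
STACK_TEXT:
f39e7c28 80501b8f 81fdfe20 81ffb3c0 81ffb3d0 <unloaded_usbccgp.sys>+0x1dd0
f39e7c44 805895f6 81ffb3c0 820a8bf8 81fb1020 nt!IoCancelIrp+0x6f
f39e7c6c 8057b57f 81fb1020 81fb1020 81fb1268 nt!IoCancelThreadIo+0x33
"""

# 32-bit kd stack line: ChildEBP RetAddr Arg Arg Arg Symbol
FRAME = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+)$", re.M)

def triage(text):
    """Hypothetical helper: flag a 0xD1 caused by a call into unloaded code."""
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg(\d): ([0-9a-f]{8}),", text, re.M)}
    regs = {r: int(v, 16)
            for r, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)}
    code = re.search(r"^BugCheck ([0-9A-F]+),", text, re.M)
    frames = FRAME.findall(text)
    top = frames[0] if frames else ""
    unloaded = re.match(r"<unloaded_(.+?)>", top)
    caller = frames[1].split("+")[0] if len(frames) > 1 else None
    # Arg1 (memory referenced) == Arg4 (referencing address) == EIP means the
    # faulting access was the instruction fetch itself: the code is not mapped.
    fetch_fault = (code is not None and code.group(1) == "D1"
                   and args.get(1) is not None
                   and args.get(1) == args.get(4) == regs.get("eip"))
    return {
        "fetch_fault": fetch_fault,
        "unloaded_module": unloaded.group(1) if unloaded else None,
        "caller": caller,
        # IoCancelIrp calls the IRP's cancel routine; here that pointer
        # leads into a driver image that is no longer loaded.
        "stale_cancel_routine": bool(fetch_fault and unloaded
                                     and caller == "nt!IoCancelIrp"),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
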