WdfIoQueueRetrieveNextRequest.

I have a usb pdo with a manual default queue from which I pick requests and send them to a manual queue on the usb pdo's parent device. When the parent device picks the request off of its queue with WdfIoQueueRetrieveNextRequest, I get the crash listed below. Why does the wdf try to free pool?

FAULTING_IP:
wdf01000!FxPoolFree+c5
f94cf551 5e pop esi

BUGCHECK_STR: 0xc2_40

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: UtSrRedirector.

LAST_CONTROL_TRANSFER: from 804f8df9 to 8052b5dc

STACK_TEXT:
f766e524 804f8df9 00000003 f766e880 00000000 nt!RtlpBreakWithStatusInstruction
f766e570 804f99e4 00000003 00000000 80564d20 nt!KiBugCheckDebugBreak+0x19
f766e950 804f9f33 000000c2 00000040 00000000 nt!KeBugCheck2+0x574
f766e970 80548c2d 000000c2 00000040 00000000 nt!KeBugCheckEx+0x1b
f766e9b0 8054b49a 00000000 00000000 00000000 nt!MiFreePoolPages+0x8b
f766e9f0 f94cf551 00000000 00000000 817ddca0 nt!ExFreePoolWithTag+0x1ba
f766ea08 f94ce478 817ddca0 f766ea24 f94ceb46 wdf01000!FxPoolFree+0xc5
f766ea14 f94ceb46 817ddca0 817ddca0 f766ea44 wdf01000!FxObject::operator delete+0x13
f766ea24 f9490f8e 00000001 f94cf81b 00000000 wdf01000!FxSpinLock::`scalar deleting destructor'+0x19
f766ea2c f94cf81b 00000000 00000000 00000000 wdf01000!FxObject::SelfDestruct+0xb
f766ea44 f9490fd6 806e6900 814bbce8 f766ea84 wdf01000!FxObject::ProcessDestroy+0xa6
f766ea54 f94bcd2a 74617453 000003f0 f94e6be8 wdf01000!FxObject::Release+0x42
f766ea84 f94bb86d 00000000 00000000 f766eaa0 wdf01000!FxIoQueue::GetRequest+0x4a2
f766eaa4 f74b70da 00000000 814bbce8 f766eb38 wdf01000!imp_WdfIoQueueRetrieveNextRequest+0x7d
f766eab8 f74b6ee0 7eb44310 f766eb38 00001003 UtSrDtuBusAndSrUsbDevice!WdfIoQueueRetrieveNextRequest+0x1a [c:\winddk\7600.16385.0\inc\wdf\kmdf\1.9\wdfio.h @ 780]
f766eb3c f74b6d5c 7eb49c18 7e7b02b0 00000000 UtSrDtuBusAndSrUsbDevice!RedirectorQueryIoctl+0x60 [c:\winddk\7600.16385.0\src\general\zzcurrent\drivers\utsrdtubusandsrusbdevice\utsrdtubus.c @ 153]
f766eb80 f94bc072 7eb49c18 7e7b02b0 00000024 UtSrDtuBusAndSrUsbDevice!EvtUtSrDtuBusIoDeviceControl+0x20c [c:\winddk\7600.16385.0\src\general\zzcurrent\drivers\utsrdtubusandsrusbdevice\utsrdtubus.c @ 103]
f766eba4 f94bd3d0 7eb49c18 7e7b02b0 00000024 wdf01000!FxIoQueueIoInternalDeviceControl::Invoke+0x30
f766ebd4 f94bf9ac 7e7b02b0 8184fd48 814b63e0 wdf01000!FxIoQueue::DispatchRequestToDriver+0x31d
f766ebf0 f94c0a36 814b6300 00000000 817dd900 wdf01000!FxIoQueue::DispatchEvents+0x3be
f766ec10 f94c2824 8184fd48 8186f898 8179c368 wdf01000!FxIoQueue::QueueRequest+0x1ec
f766ec34 f94b1a3f 818cfe48 f766ec64 804ef18f wdf01000!FxPkgIo::Dispatch+0x27d
f766ec40 804ef18f 814b8418 818cfe48 806e6410 wdf01000!FxDevice::Dispatch+0x7f
f766ec50 8057f982 818cfedc 8186f898 818cfe48 nt!IopfCallDriver+0x31
f766ec64 805807f7 814b8418 818cfe48 8186f898 nt!IopSynchronousServiceTail+0x70
f766ed00 80579274 000000ec 000000e4 00000000 nt!IopXxxControlFile+0x5c5
f766ed34 8054161c 000000ec 000000e4 00000000 nt!NtDeviceIoControlFile+0x2a
f766ed34 7c90e4f4 000000ec 000000e4 00000000 nt!KiFastCallEntry+0xfc
00aefe7c 7c90d26c 7c8016c2 000000ec 000000e4 ntdll!KiFastSystemCallRet
00aefe80 7c8016c2 000000ec 000000e4 00000000 ntdll!NtDeviceIoControlFile+0xc
00aefee0 00403903 000000ec 002a2004 00aeff8c kernel32!DeviceIoControl+0x78
00aeff38 004016e8 002a2004 00aeff8c 00aeff64 UtSrRedirector!CallDriver+0x73 [c:\winddk\7600.16385.0\src\general\zzcurrent\applications\utsrredirector\utsrredirector\utsrredirector.cpp @ 622]
00aeffb4 7c80b713 00000000 00000000 7c910098 UtSrRedirector!ReadFromDriver+0x58 [c:\winddk\7600.16385.0\src\general\zzcurrent\applications\utsrredirector\utsrredirector\readfromdriverthread.cpp @ 31]
00aeffec 00000000 00401690 00000000 00000000 kernel32!BaseThreadStart+0x37

STACK_COMMAND: kb

FOLLOWUP_IP:
UtSrDtuBusAndSrUsbDevice!WdfIoQueueRetrieveNextRequest+1a [c:\winddk\7600.16385.0\inc\wdf\kmdf\1.9\wdfio.h @ 780]
f74b70da 5d pop ebp

FAULTING_SOURCE_CODE:
776: WDFREQUEST* OutRequest
777: )
778: {
779: return ((PFN_WDFIOQUEUERETRIEVENEXTREQUEST) WdfFunctions[WdfIoQueueRetrieveNextRequestTableIndex])(WdfDriverGlobals, Queue, OutRequest);
780: }
781:
782: //
783: // WDF Function: WdfIoQueueRetrieveRequestByFileObject
784: //
785: typedef

SYMBOL_STACK_INDEX: e

SYMBOL_NAME: UtSrDtuBusAndSrUsbDevice!WdfIoQueueRetrieveNextRequest+1a

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: UtSrDtuBusAndSrUsbDevice

IMAGE_NAME: UtSrDtuBusAndSrUsbDevice.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4d02a0f0

FAILURE_BUCKET_ID: 0xc2_40_UtSrDtuBusAndSrUsbDevice!WdfIoQueueRetrieveNextRequest+1a

BUCKET_ID: 0xc2_40_UtSrDtuBusAndSrUsbDevice!WdfIoQueueRetrieveNextRequest+1a

Followup: MachineOwner

xxxxx@gmail.com wrote:

I have a usb pdo with a manual default queue from which I pick requests and send them to a manual queue on the usb pdo’s parent device. When the parent device picks the request off of its queue with WdfIoQueueRetrieveNextRequest, I get the crash listed below. Why does the wdf try to free pool?

You cannot share WDFREQUESTs between drivers. Is that what you are
trying to do? All WDF objects are private to the driver. They cannot
be shared.

If you are just trying to send the request to the parent driver, why
don’t you just use WdfRequestSend to send it on, like a normal request?

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I use WdfRequestForwardToParentDeviceIoQueue to forward the request. This used to work when I had a parallel queue in the usb pdo. It started crashing only after I changed the queue to manual.

It looks like a ref counting issue. Note: in your dump, it seems that the first queue is not manual. Please double-check your configuration settings (and, if not done already, enable the WDF verifier).

Thx,
Egi.
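
For the last suggestion in the thread, one way to turn on the KMDF verifier and handle tracking for this driver through its service registry key (an added example, not code from the thread or from the driver). It assumes the service is named after the image in the dump, UtSrDtuBusAndSrUsbDevice; the values are read when the driver is next loaded.

```powershell
# Added example: enable KMDF verifier settings for one driver service.
# ASSUMPTION: the service key name matches the image name shown in the dump
# (UtSrDtuBusAndSrUsbDevice.sys); change it if the INF installs another name.
param(
    [string]$ServiceName = 'UtSrDtuBusAndSrUsbDevice'
)

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $svcKey)) {
    throw "Service key not found: $svcKey"
}

# KMDF reads its debugging values from <service>\Parameters\Wdf at driver load.
$wdfKey = Join-Path $svcKey 'Parameters\Wdf'
if (-not (Test-Path $wdfKey)) {
    New-Item -Path $wdfKey -Force | Out-Null
}

# VerifierOn: the framework validates the driver's calls (object state,
# IRQL, request ownership) instead of trusting them.
New-ItemProperty -Path $wdfKey -Name VerifierOn -PropertyType DWord `
    -Value 1 -Force | Out-Null

# DbgBreakOnError: break into the attached kernel debugger at verifier
# breakpoints rather than continuing to a later bug check.
New-ItemProperty -Path $wdfKey -Name DbgBreakOnError -PropertyType DWord `
    -Value 1 -Force | Out-Null

# TrackHandles: with VerifierOn set, record references taken on handles of
# the listed types. Requests and queues are the objects in this crash path.
New-ItemProperty -Path $wdfKey -Name TrackHandles -PropertyType MultiString `
    -Value @('WDFREQUEST', 'WDFQUEUE') -Force | Out-Null

# VerboseOn: more detail in the framework's in-flight recorder log.
New-ItemProperty -Path $wdfKey -Name VerboseOn -PropertyType DWord `
    -Value 1 -Force | Out-Null

# Show what the framework will see on the next load of the driver.
Get-ItemProperty -Path $wdfKey |
    Select-Object VerifierOn, DbgBreakOnError, TrackHandles, VerboseOn
```

Run it from an elevated prompt on the test machine, then reload the driver with a kernel debugger attached. In the debugger, `!wdfkd.wdfqueue` on the PDO's default queue handle shows whether it was really created as a manual queue.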