WdfRequestForwardToIoQueue fault injection

I get the following bugcheck when running a fault injection test (wdftest) for WdfRequestForwardToIoQueue: “DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)”. Do you see any suspicious stuff in the code and/or have some answers to my questions below? Thanks in advance!

VOID EvtIoDeviceControl(WDFQUEUE Queue, WDFREQUEST Request, size_t OutputBufferLength, size_t InputBufferLength, ULONG IoControlCode)
{
if(IsPcscIoctl(IoControlCode))
{
PcscIoctl(Queue, Request);
}
else
{
// Complete requests for non PCSC IOCTLs…
}
}

NTSTATUS PcscIoctl(WDFQUEUE Queue, WDFREQUEST Request)
{
WDFDEVICE device = WdfIoQueueGetDevice(Queue);
PDEVICE_CONTEXT pDevCtx = GetDeviceContext(device);
PIRP requestIrp = WdfRequestWdmGetIrp(Request);
requestIrp->Tail.Overlay.DriverContext[0] = (PVOID) Request;
IoCopyCurrentIrpStackLocationToNext(requestIrp);
IoSetCompletionRoutine(requestIrp, SmartcardDeviceControlCompleteCallback, Request, TRUE, TRUE, TRUE);
IoSetNextIrpStackLocation(requestIrp);
NTSTATUS status = SmartcardDeviceControl(&pDevCtx->SmartcardExtension, requestIrp);

if(!NT_SUCCESS(status))
{
// Complete requests here too or what should be done?
}

return STATUS_SUCCESS;
}

NTSTATUS RDF_CARD_TRACKING_Impl(PSMARTCARD_EXTENSION SmartcardExtension)
{
PIRP irp = SmartcardExtension->OsData->NotificationIrp;
WDFREQUEST request = (WDFREQUEST)irp->Tail.Overlay.DriverContext[0];
IoMarkIrpPending(irp);
IoSkipCurrentIrpStackLocation(irp);
PDEVICE_CONTEXT pDevCtx = GetDeviceContext(WdfIoQueueGetDevice(WdfRequestGetIoQueue(request)));
NTSTATUS status = WdfRequestForwardToIoQueue(request, pDevCtx->NotificationQueue);

if (!NT_SUCCESS(status))
{
// Complete request…?

// Return status or maybe STATUS_PENDING?
return status;
}

return STATUS_PENDING;
}

Send the output of !analyze -v

d

Sent from my phone with no t9, all spilling mistakes are not intentional.

-----Original Message-----
From: xxxxx@todos.se
Sent: Friday, November 06, 2009 6:08 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] WdfRequestForwardToIoQueue fault injection

I get the following bugcheck when running a fault injection test (wdftest) for WdfRequestForwardToIoQueue: “DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)”. Do you see any suspicious stuff in the code and/or have some answers to my questions below? Thanks in advance!

VOID EvtIoDeviceControl(WDFQUEUE Queue, WDFREQUEST Request, size_t OutputBufferLength, size_t InputBufferLength, ULONG IoControlCode)
{
if(IsPcscIoctl(IoControlCode))
{
PcscIoctl(Queue, Request);
}
else
{
// Complete requests for non PCSC IOCTLs…
}
}

NTSTATUS PcscIoctl(WDFQUEUE Queue, WDFREQUEST Request)
{
WDFDEVICE device = WdfIoQueueGetDevice(Queue);
PDEVICE_CONTEXT pDevCtx = GetDeviceContext(device);
PIRP requestIrp = WdfRequestWdmGetIrp(Request);
requestIrp->Tail.Overlay.DriverContext[0] = (PVOID) Request;
IoCopyCurrentIrpStackLocationToNext(requestIrp);
IoSetCompletionRoutine(requestIrp, SmartcardDeviceControlCompleteCallback, Request, TRUE, TRUE, TRUE);
IoSetNextIrpStackLocation(requestIrp);
NTSTATUS status = SmartcardDeviceControl(&pDevCtx->SmartcardExtension, requestIrp);

if(!NT_SUCCESS(status))
{
// Complete requests here too or what should be done?
}

return STATUS_SUCCESS;
}

NTSTATUS RDF_CARD_TRACKING_Impl(PSMARTCARD_EXTENSION SmartcardExtension)
{
PIRP irp = SmartcardExtension->OsData->NotificationIrp;
WDFREQUEST request = (WDFREQUEST)irp->Tail.Overlay.DriverContext[0];
IoMarkIrpPending(irp);
IoSkipCurrentIrpStackLocation(irp);
PDEVICE_CONTEXT pDevCtx = GetDeviceContext(WdfIoQueueGetDevice(WdfRequestGetIoQueue(request)));
NTSTATUS status = WdfRequestForwardToIoQueue(request, pDevCtx->NotificationQueue);

if (!NT_SUCCESS(status))
{
// Complete request…?

// Return status or maybe STATUS_PENDING?
return status;
}

return STATUS_PENDING;
}

—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff9801694cdf0, memory referenced
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation
Arg3: fffff98005a952d2, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, (reserved)

Debugging Details:

*** ERROR: Symbol file could not be found. Defaulted to export symbols for SMCLIB.SYS -
Page 1fef5 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 000007fffffde018). Type ".hh dbgerr001" for details PEB is paged out (Peb.Ldr = 000007fffffde018). Type ".hh dbgerr001" for details

WRITE_ADDRESS: fffff9801694cdf0 Special pool

FAULTING_IP:
SMCLIB!SmartcardDeviceControl+aa
fffff980`05a952d2 897530 mov dword ptr [rbp+30h],esi

MM_INTERNAL_CODE: 0

IMAGE_NAME: SMCLIB.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 4549bc75

MODULE_NAME: SMCLIB

FAULTING_MODULE: fffff98005a94000 SMCLIB

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD5

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 0

TRAP_FRAME: fffff9800fe67530 -- (.trap 0xfffff9800fe67530)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000c0000184 rbx=0000000000000000 rcx=fffff9801694cdc0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff98005a952d2 rsp=fffff9800fe676c0 rbp=fffff9801694cdc0
r8=00000000000004b1 r9=fffff98000334320 r10=fffff9800fe67410
r11=fffff9800fe67620 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
SMCLIB!SmartcardDeviceControl+0xaa:
fffff98005a952d2 897530 mov dword ptr [rbp+30h],esi ss:0018:fffff9801694cdf0=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80001854718 to fffff8000184db90

STACK_TEXT:
fffff9800fe67428 fffff80001854718 : 0000000000000050 fffff9801694cdf0 0000000000000001 fffff9800fe67530 : nt!KeBugCheckEx
fffff9800fe67430 fffff8000184c719 : 0000000000000001 00000000c0000184 fffffa800161b400 00000000c0000001 : nt!MmAccessFault+0x137c
fffff9800fe67530 fffff98005a952d2 : fffffa800163a3c8 fffffa8000000006 fffffa800161b300 fffff98014f34100 : nt!KiPageFault+0x119
fffff9800fe676c0 fffff98014f3612d : fffffa800127c5d0 0000057ffea2b8a8 fffffa800161b380 fffffa80015d4750 : SMCLIB!SmartcardDeviceControl+0xaa
fffff9800fe67710 fffff98014f362e5 : 0000057ffea2b8a8 0000057ffed83a28 0000000000000065 0000000000000003 : todosu!anonymous namespace'::PcscIoctl+0xcd [c:\driver\queue.cpp @ 104] fffff9800fe67770 fffff980002f1f90 : 0000057ffea2b8a8 0000057ffed83a28 0000000000000000 0000000000000000 : todosu!EvtIoDeviceControl+0x75 [c:\driver\queue.cpp @ 156] fffff9800fe677b0 fffff980002f199f : fffffa800127c500 fffffa800127c5d0 fffffa80015d4750 fffffa80015d4750 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x4b8 fffff9800fe67830 fffff980002f0f98 : 0000000000000000 0000000000000000 0000000000000000 fffffa800127c722 : Wdf01000!FxIoQueue::DispatchEvents+0x4df fffff9800fe678a0 fffff980002f6558 : fffff9801694cf00 fffffa800127c5d0 fffff9801694cdc0 fffffa800127c5d0 : Wdf01000!FxIoQueue::QueueRequest+0x2bc fffff9800fe67910 fffff980002e0245 : fffffa800127c5d0 fffff9801694cdc0 0000000000000002 fffffa8001d69e40 : Wdf01000!FxPkgIo::Dispatch+0x37c fffff9800fe67990 fffff80001c244e6 : fffff9801694cdc0 fffffa8001d69e40 fffffa800158c1a0 0000000000000001 : Wdf01000!FxDevice::Dispatch+0xa9 fffff9800fe679c0 fffff80001a8dfb7 : fffff9801694cf00 fffff9800fe67ca0 fffff9801694cdc0 fffffa8003e0a220 : nt!IovCallDriver+0x346 fffff9800fe67a00 fffff80001a94206 : 0000000000000000 00000000000006dc 0000000000000000 00000000034afe30 : nt!IopXxxControlFile+0x626 fffff9800fe67b40 fffff8000184d633 : 0000000000000000 0000000000000001 0000000000000000 0000000000000000 : nt!NtDeviceIoControlFile+0x56 fffff9800fe67bb0 00000000779402ea : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 00000000034afca8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 00000000`00000000 : 0x779402ea

STACK_COMMAND: kb

FOLLOWUP_IP:
SMCLIB!SmartcardDeviceControl+aa
fffff980`05a952d2 897530 mov dword ptr [rbp+30h],esi

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: SMCLIB!SmartcardDeviceControl+aa

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: X64_0xD5_VRF_SMCLIB!SmartcardDeviceControl+aa

BUCKET_ID: X64_0xD5_VRF_SMCLIB!SmartcardDeviceControl+aa

Followup: MachineOwner

Note:
Line 104...SmartcardDeviceControl
Line 156...PcscIoctl

The bugcheck only occurs on Windows Vista x64 and Windows 7 by the way

Log from TraceView:

00000124 driver 4 68 1 123 01\01\1601-03:31:31:838 SUCCESS: WdfTester Enabled for driver \SystemRoot\System32\Drivers\todosu.sys
00000125 driver 4 68 1 124 01\01\1601-03:31:31:841 todosu.sys calling WdfDriverCreate
00000126 driver 4 68 1 125 01\01\1601-03:31:31:842 todosu.sys calling WdfObjectGetTypedContextWorker
00000127 driver 4 68 1 126 01\01\1601-03:31:31:842 todosu.sys calling WdfDriverOpenParametersRegistryKey
00000128 driver 4 68 1 127 01\01\1601-03:31:31:843 todosu.sys calling WdfRegistryQueryULong
00000129 driver 4 68 1 128 01\01\1601-03:31:31:843 todosu.sys calling WdfRegistryQueryULong
00000130 driver 4 68 1 129 01\01\1601-03:31:31:843 todosu.sys calling WdfObjectGetTypedContextWorker
00000131 driver 4 68 1 130 01\01\1601-03:31:31:843 todosu.sys calling WdfRegistryClose
00000132 driver 4 68 1 131 01\01\1601-03:31:31:845 todosu.sys calling WdfDeviceInitSetPnpPowerEventCallbacks
00000133 driver 4 68 1 132 01\01\1601-03:31:31:845 todosu.sys calling WdfDeviceCreate
00000134 driver 4 68 1 133 01\01\1601-03:31:31:845 todosu.sys calling WdfObjectGetTypedContextWorker
00000135 driver 4 68 1 134 01\01\1601-03:31:31:845 todosu.sys calling WdfDeviceSetPnpCapabilities
00000136 driver 4 68 1 135 01\01\1601-03:31:31:845 todosu.sys calling WdfIoQueueCreate
00000137 driver 4 68 1 136 01\01\1601-03:31:31:846 todosu.sys calling WdfIoQueueCreate
00000138 driver 4 68 1 137 01\01\1601-03:31:31:846 todosu.sys calling WdfDeviceCreateDeviceInterface
00000139 driver 4 68 1 138 01\01\1601-03:31:31:846 todosu.sys calling WdfMemoryCreate
00000140 driver 4 68 1 139 01\01\1601-03:31:32:112 todosu.sys calling WdfObjectGetTypedContextWorker
00000141 driver 4 68 1 140 01\01\1601-03:31:32:112 todosu.sys calling WdfObjectGetTypedContextWorker
00000142 driver 4 68 1 141 01\01\1601-03:31:32:112 todosu.sys calling WdfUsbTargetDeviceCreate
00000143 driver 4 68 1 161 01\01\1601-03:31:32:169 todosu.sys calling WdfMemoryGetBuffer
00000144 driver 4 68 1 162 01\01\1601-03:31:32:169 todosu.sys calling WdfUsbTargetPipeReadSynchronously
00000145 driver 4 68 1 163 01\01\1601-03:31:32:172 todosu.sys calling WdfObjectGetTypedContextWorker
00000146 driver 4 68 1 164 01\01\1601-03:31:32:172 todosu.sys calling WdfObjectGetTypedContextWorker
00000147 driver 4 68 1 165 01\01\1601-03:31:32:172 todosu.sys calling WdfMemoryGetBuffer
00000148 driver 4 68 1 166 01\01\1601-03:31:32:172 todosu.sys calling WdfUsbTargetPipeWriteSynchronously
00000149 driver 4 68 1 167 01\01\1601-03:31:32:173 todosu.sys calling WdfMemoryGetBuffer
00000150 driver 4 68 1 168 01\01\1601-03:31:32:173 todosu.sys calling WdfUsbTargetPipeReadSynchronously
00000151 driver 4 68 1 169 01\01\1601-03:31:32:180 todosu.sys calling WdfObjectGetTypedContextWorker
00000152 driver 4 68 1 170 01\01\1601-03:31:32:180 todosu.sys calling WdfObjectGetTypedContextWorker
00000153 driver 4 68 1 171 01\01\1601-03:31:32:180 todosu.sys calling WdfObjectGetTypedContextWorker
00000154 driver 4 68 1 172 01\01\1601-03:31:32:180 todosu.sys calling WdfObjectGetTypedContextWorker
00000155 driver 4 68 1 173 01\01\1601-03:31:32:180 todosu.sys calling WdfDeviceWdmGetDeviceObject
00000156 driver 4 68 1 174 01\01\1601-03:31:32:180 todosu.sys calling WdfObjectGetTypedContextWorker
00000157 driver 4 68 1 175 01\01\1601-03:31:32:180 todosu.sys calling WdfDeviceGetDriver
00000158 driver 4 68 1 176 01\01\1601-03:31:32:180 todosu.sys calling WdfObjectGetTypedContextWorker
00000159 driver 4 68 1 177 01\01\1601-03:31:32:180 todosu.sys calling WdfObjectGetTypedContextWorker
00000160 driver 4 68 1 178 01\01\1601-03:31:32:180 todosu.sys calling WdfObjectGetTypedContextWorker
00000161 driver 4 68 1 179 01\01\1601-03:31:32:180 todosu.sys calling WdfObjectGetTypedContextWorker
00000162 driver 4 68 1 180 01\01\1601-03:31:32:180 todosu.sys calling WdfUsbTargetDeviceQueryString
00000163 driver 4 68 1 181 01\01\1601-03:31:32:189 todosu.sys calling WdfUsbTargetDeviceQueryString
00000164 driver 4 68 1 182 01\01\1601-03:31:32:200 todosu.sys calling WdfObjectGetTypedContextWorker
00000165 driver 4 68 1 183 01\01\1601-03:31:32:200 todosu.sys calling WdfObjectGetTypedContextWorker
00000166 driver 4 68 1 184 01\01\1601-03:31:32:200 todosu.sys calling WdfUsbTargetDeviceQueryString
00000167 driver 4 68 1 185 01\01\1601-03:31:32:209 todosu.sys calling WdfUsbTargetDeviceQueryString
00000168 driver 4 68 1 186 01\01\1601-03:31:32:221 todosu.sys calling WdfObjectGetTypedContextWorker
00000169 driver 4 68 1 187 01\01\1601-03:31:32:221 todosu.sys calling WdfObjectGetTypedContextWorker
00000170 driver 4 68 1 188 01\01\1601-03:31:32:221 todosu.sys calling WdfMemoryGetBuffer
00000171 driver 4 68 1 189 01\01\1601-03:31:32:221 todosu.sys calling WdfUsbTargetPipeWriteSynchronously
00000172 driver 4 68 1 190 01\01\1601-03:31:32:223 todosu.sys calling WdfMemoryGetBuffer
00000173 driver 4 68 1 191 01\01\1601-03:31:32:223 todosu.sys calling WdfUsbTargetPipeReadSynchronously
00000174 driver 4 68 1 192 01\01\1601-03:31:32:226 todosu.sys calling WdfObjectGetTypedContextWorker
00000175 driver 4 68 1 193 01\01\1601-03:31:32:226 todosu.sys calling WdfObjectGetTypedContextWorker
00000176 driver 4 68 1 194 01\01\1601-03:31:32:226 todosu.sys calling WdfIoQueueRetrieveNextRequest
00000177 driver 4 68 1 195 01\01\1601-03:31:32:226 todosu.sys calling WdfObjectGetTypedContextWorker
00000178 driver 4 68 1 196 01\01\1601-03:31:32:226 todosu.sys calling WdfMemoryGetBuffer
00000179 driver 4 68 1 197 01\01\1601-03:31:32:226 todosu.sys calling WdfUsbTargetPipeWriteSynchronously
00000180 driver 4 68 1 198 01\01\1601-03:31:32:227 todosu.sys calling WdfObjectGetTypedContextWorker
00000181 driver 4 68 1 199 01\01\1601-03:31:32:227 todosu.sys calling WdfRequestCreate
00000182 driver 4 68 1 200 01\01\1601-03:31:32:228 todosu.sys calling WdfMemoryCreate
00000183 driver 4 68 1 201 01\01\1601-03:31:32:228 todosu.sys calling WdfObjectGetTypedContextWorker
00000184 driver 4 68 1 202 01\01\1601-03:31:32:228 todosu.sys calling WdfUsbTargetPipeFormatRequestForRead
00000185 driver 4 68 1 203 01\01\1601-03:31:32:228 todosu.sys calling WdfRequestSetCompletionRoutine
00000186 driver 4 68 1 204 01\01\1601-03:31:32:228 todosu.sys calling WdfRequestSend
00000187 driver 1080 3148 1 205 01\01\1601-03:31:32:256 todosu.sys calling WdfIoQueueGetDevice
00000188 driver 1080 3148 1 206 01\01\1601-03:31:32:256 todosu.sys calling WdfObjectGetTypedContextWorker
00000189 driver 1080 3148 1 207 01\01\1601-03:31:32:256 todosu.sys calling WdfRequestWdmGetIrp
00000190 driver 1080 3148 1 208 01\01\1601-03:31:32:256 todosu.sys calling WdfRequestComplete
00000191 driver 1080 3148 1 209 01\01\1601-03:31:32:269 todosu.sys calling WdfIoQueueGetDevice
00000192 driver 1080 3148 1 210 01\01\1601-03:31:32:269 todosu.sys calling WdfObjectGetTypedContextWorker
00000193 driver 1080 3148 1 211 01\01\1601-03:31:32:269 todosu.sys calling WdfRequestWdmGetIrp
00000194 driver 1080 3148 1 212 01\01\1601-03:31:32:269 todosu.sys calling WdfRequestComplete
00000195 driver 1080 3148 1 213 01\01\1601-03:31:32:269 todosu.sys calling WdfIoQueueGetDevice
00000196 driver 1080 3148 1 214 01\01\1601-03:31:32:269 todosu.sys calling WdfObjectGetTypedContextWorker
00000197 driver 1080 3148 1 215 01\01\1601-03:31:32:269 todosu.sys calling WdfRequestWdmGetIrp
00000198 driver 1080 3148 1 216 01\01\1601-03:31:32:269 todosu.sys calling WdfRequestComplete
00000199 driver 1080 3148 1 217 01\01\1601-03:31:32:270 todosu.sys calling WdfIoQueueGetDevice
00000200 driver 1080 3148 1 218 01\01\1601-03:31:32:270 todosu.sys calling WdfObjectGetTypedContextWorker
00000201 driver 1080 3148 1 219 01\01\1601-03:31:32:270 todosu.sys calling WdfRequestWdmGetIrp
00000202 driver 1080 3148 1 220 01\01\1601-03:31:32:270 todosu.sys calling WdfRequestComplete
00000203 driver 4 68 0 142 01\01\1601-03:31:32:162 todosu.sys calling WdfUsbTargetDeviceGetDeviceDescriptor
00000204 driver 4 68 0 143 01\01\1601-03:31:32:162 todosu.sys calling WdfObjectGetTypedContextWorker
00000205 driver 4 68 0 144 01\01\1601-03:31:32:162 todosu.sys calling WdfUsbTargetDeviceRetrieveConfigDescriptor
00000206 driver 4 68 0 145 01\01\1601-03:31:32:162 todosu.sys calling WdfMemoryCreate
00000207 driver 4 68 0 146 01\01\1601-03:31:32:162 todosu.sys calling WdfUsbTargetDeviceRetrieveConfigDescriptor
00000208 driver 4 68 0 147 01\01\1601-03:31:32:162 todosu.sys calling WdfObjectGetTypedContextWorker
00000209 driver 4 68 0 148 01\01\1601-03:31:32:162 todosu.sys calling WdfUsbTargetDeviceSelectConfig
00000210 driver 4 68 0 149 01\01\1601-03:31:32:166 todosu.sys calling WdfUsbTargetDeviceGetNumInterfaces
00000211 driver 4 68 0 150 01\01\1601-03:31:32:166 todosu.sys calling WdfUsbInterfaceGetConfiguredPipe
00000212 driver 4 68 0 151 01\01\1601-03:31:32:166 todosu.sys calling WdfUsbTargetPipeIsInEndpoint
00000213 driver 4 68 0 152 01\01\1601-03:31:32:166 todosu.sys calling WdfUsbTargetPipeIsOutEndpoint
00000214 driver 4 68 0 153 01\01\1601-03:31:32:166 todosu.sys calling WdfUsbInterfaceGetConfiguredPipe
00000215 driver 4 68 0 154 01\01\1601-03:31:32:166 todosu.sys calling WdfUsbTargetPipeIsInEndpoint
00000216 driver 4 68 0 155 01\01\1601-03:31:32:166 todosu.sys calling WdfUsbTargetPipeIsOutEndpoint
00000217 driver 4 68 0 156 01\01\1601-03:31:32:166 todosu.sys calling WdfUsbInterfaceGetConfiguredPipe
00000218 driver 4 68 0 157 01\01\1601-03:31:32:166 todosu.sys calling WdfObjectGetTypedContextWorker
00000219 driver 4 68 0 158 01\01\1601-03:31:32:166 todosu.sys calling WdfObjectGetTypedContextWorker
00000220 driver 4 68 0 159 01\01\1601-03:31:32:166 todosu.sys calling WdfMemoryGetBuffer
00000221 driver 4 68 0 160 01\01\1601-03:31:32:166 todosu.sys calling WdfUsbTargetPipeWriteSynchronously
00000222 driver 1080 1232 0 221 01\01\1601-03:31:32:284 todosu.sys calling WdfIoQueueGetDevice
00000223 driver 1080 1232 0 222 01\01\1601-03:31:32:284 todosu.sys calling WdfObjectGetTypedContextWorker
00000224 driver 1080 1232 0 223 01\01\1601-03:31:32:284 todosu.sys calling WdfRequestWdmGetIrp
00000225 driver 1080 1232 0 224 01\01\1601-03:31:32:284 todosu.sys calling WdfRequestGetIoQueue
00000226 driver 1080 1232 0 225 01\01\1601-03:31:32:284 todosu.sys calling WdfIoQueueGetDevice
00000227 driver 1080 1232 0 226 01\01\1601-03:31:32:284 todosu.sys calling WdfObjectGetTypedContextWorker
00000228 driver 1080 1232 0 227 01\01\1601-03:31:32:284 todosu.sys calling WdfRequestForwardToIoQueue

Well it is dying in smclib. If you have a consisten report, start stepping through the function to see where fffff9801694cdf0 comes from.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@todos.se
Sent: Sunday, November 08, 2009 11:22 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] WdfRequestForwardToIoQueue fault injection

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5) Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff9801694cdf0, memory referenced
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation
Arg3: fffff98005a952d2, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, (reserved)

Debugging Details:

*** ERROR: Symbol file could not be found. Defaulted to export symbols for SMCLIB.SYS - Page 1fef5 not present in the dump file. Type ".hh dbgerr004" for details PEB is paged out (Peb.Ldr = 000007fffffde018). Type ".hh dbgerr001" for details PEB is paged out (Peb.Ldr = 000007fffffde018). Type ".hh dbgerr001" for details

WRITE_ADDRESS: fffff9801694cdf0 Special pool

FAULTING_IP:
SMCLIB!SmartcardDeviceControl+aa
fffff980`05a952d2 897530 mov dword ptr [rbp+30h],esi

MM_INTERNAL_CODE: 0

IMAGE_NAME: SMCLIB.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 4549bc75

MODULE_NAME: SMCLIB

FAULTING_MODULE: fffff98005a94000 SMCLIB

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD5

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 0

TRAP_FRAME: fffff9800fe67530 -- (.trap 0xfffff9800fe67530)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000c0000184 rbx=0000000000000000 rcx=fffff9801694cdc0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff98005a952d2 rsp=fffff9800fe676c0 rbp=fffff9801694cdc0
r8=00000000000004b1 r9=fffff98000334320 r10=fffff9800fe67410
r11=fffff9800fe67620 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
SMCLIB!SmartcardDeviceControl+0xaa:
fffff98005a952d2 897530 mov dword ptr [rbp+30h],esi ss:0018:fffff9801694cdf0=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80001854718 to fffff8000184db90

STACK_TEXT:
fffff9800fe67428 fffff80001854718 : 0000000000000050 fffff9801694cdf0 0000000000000001 fffff9800fe67530 : nt!KeBugCheckEx
fffff9800fe67430 fffff8000184c719 : 0000000000000001 00000000c0000184 fffffa800161b400 00000000c0000001 : nt!MmAccessFault+0x137c
fffff9800fe67530 fffff98005a952d2 : fffffa800163a3c8 fffffa8000000006 fffffa800161b300 fffff98014f34100 : nt!KiPageFault+0x119
fffff9800fe676c0 fffff98014f3612d : fffffa800127c5d0 0000057ffea2b8a8 fffffa800161b380 fffffa80015d4750 : SMCLIB!SmartcardDeviceControl+0xaa
fffff9800fe67710 fffff98014f362e5 : 0000057ffea2b8a8 0000057ffed83a28 0000000000000065 0000000000000003 : todosu!anonymous namespace'::PcscIoctl+0xcd [c:\driver\queue.cpp @ 104] fffff9800fe67770 fffff980002f1f90 : 0000057ffea2b8a8 0000057ffed83a28 0000000000000000 0000000000000000 : todosu!EvtIoDeviceControl+0x75 [c:\driver\queue.cpp @ 156] fffff9800fe677b0 fffff980002f199f : fffffa800127c500 fffffa800127c5d0 fffffa80015d4750 fffffa80015d4750 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x4b8 fffff9800fe67830 fffff980002f0f98 : 0000000000000000 0000000000000000 0000000000000000 fffffa800127c722 : Wdf01000!FxIoQueue::DispatchEvents+0x4df fffff9800fe678a0 fffff980002f6558 : fffff9801694cf00 fffffa800127c5d0 fffff9801694cdc0 fffffa800127c5d0 : Wdf01000!FxIoQueue::QueueRequest+0x2bc fffff9800fe67910 fffff980002e0245 : fffffa800127c5d0 fffff9801694cdc0 0000000000000002 fffffa8001d69e40 : Wdf01000!FxPkgIo::Dispatch+0x37c fffff9800fe67990 fffff80001c244e6 : fffff9801694cdc0 fffffa8001d69e40 fffffa800158c1a0 0000000000000001 : Wdf01000!FxDevice::Dispatch+0xa9 fffff9800fe679c0 fffff80001a8dfb7 : fffff9801694cf00 fffff9800fe67ca0 fffff9801694cdc0 fffffa8003e0a220 : nt!IovCallDriver+0x346 fffff9800fe67a00 fffff80001a94206 : 0000000000000000 00000000000006dc 0000000000000000 00000000034afe30 : nt!IopXxxControlFile+0x626 fffff9800fe67b40 fffff8000184d633 : 0000000000000000 0000000000000001 0000000000000000 0000000000000000 : nt!NtDeviceIoControlFile+0x56 fffff9800fe67bb0 00000000779402ea : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 00000000034afca8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 00000000`00000000 : 0x779402ea

STACK_COMMAND: kb

FOLLOWUP_IP:
SMCLIB!SmartcardDeviceControl+aa
fffff980`05a952d2 897530 mov dword ptr [rbp+30h],esi

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: SMCLIB!SmartcardDeviceControl+aa

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: X64_0xD5_VRF_SMCLIB!SmartcardDeviceControl+aa

BUCKET_ID: X64_0xD5_VRF_SMCLIB!SmartcardDeviceControl+aa

Followup: MachineOwner

Note:
Line 104...SmartcardDeviceControl
Line 156...PcscIoctl

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:

To unsubscribe, visit the List Server section of OSR Online at ListServer/Forum