WdfRequestUnmarkCancelable causes a blue screen

Hello folks,

I ran into a problem when I call WdfRequestUnmarkCancelable in EvtIoWriteCompletionRoutine. A fatal system error happened. Here are the logs from WinDBG.
I create a sequential write queue, mark the request cancelable, format the request for write, set a completion routine, and send it down to the I/O target.
Everything works well until the request completion routine is called; I unmark the request, and it happened.

Any information is appreciated!

ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
An attempt was made to write to readonly memory. The guilty driver is on the
stack trace (and is typically the current instruction pointer).
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: a80a4bdc, Virtual address for the attempted write.
Arg2: 31186121, PTE contents.
Arg3: 805520e0, (reserved)
Arg4: 0000000a, (reserved)

Debugging Details:

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xBE

PROCESS_NAME: Idle

TRAP_FRAME: 805520e0 – (.trap 0xffffffff805520e0)
ErrCode = 00000003
eax=88ec9c10 ebx=00000000 ecx=89884288 edx=88f9a888 esi=a80a4bdc edi=88ec9bb8
eip=a80713f5 esp=80552154 ebp=80552158 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010292
wdf01000!FxIrpQueue::RemoveIrpFromListEntry+0x11:
a80713f5 8916 mov dword ptr [esi],edx ds:0023:a80a4bdc={wdf01000!FxRequestOutputBuffer::GetBuffer (a80784ba)}
Resetting default scope

LAST_CONTROL_TRANSFER: from 804f9df9 to 8052c5dc

STACK_TEXT:
80551c14 804f9df9 00000003 80551f70 00000000 nt!RtlpBreakWithStatusInstruction
80551c60 804fa9e4 00000003 00000000 c0540520 nt!KiBugCheckDebugBreak+0x19
80552040 804faf33 000000be a80a4bdc 31186121 nt!KeBugCheck2+0x574
80552060 8052136a 000000be a80a4bdc 31186121 nt!KeBugCheckEx+0x1b
805520c8 80545578 00000001 a80a4bdc 00000000 nt!MmAccessFault+0x9a8
805520c8 a80713f5 00000001 a80a4bdc 00000000 nt!KiTrap0E+0xd0
80552158 a8071515 88ec9bb8 89817008 88ec9b80 wdf01000!FxIrpQueue::RemoveIrpFromListEntry+0x11
8055216c a806c4ef 88ec9bb8 89884210 88ec9b80 wdf01000!FxIrpQueue::RemoveIrpFromQueueByContext+0x22
80552180 a807d992 89884288 77136478 89817008 wdf01000!FxRequest::RemoveFromIrpQueue+0x18
805521a0 a806139b 88ec9b02 00000000 00000000 wdf01000!FxIoQueue::RequestCancelable+0x1f3
805521c4 a80c0036 88ec9b80 00000000 80552208 wdf01000!imp_WdfRequestUnmarkCancelable+0xc1
805521d4 a80c1dd9 77136478 89a00d24 89a00d24 usb2ser!WdfRequestUnmarkCancelable+0x16 [d:\winddk\7600.16385.1\inc\wdf\kmdf\1.9\wdfrequest.h @ 775]
80552208 a80c1734 88fce1d8 00000000 000000c8 usb2ser!SerialCompleteWriteRequest+0x49 [d:\write.c @ 512]
80552230 a8071317 77136478 7711b8f0 89a00d24 usb2ser!IoWriteComplete+0xc4 [d:\write.c @ 294]
8055225c a8055c36 89a2461f 88ee4708 00000000 wdf01000!FxRequestBase::CompleteSubmitted+0xf6
80552278 a8055cde 01ec9b80 89a49a30 805522a4 wdf01000!FxIoTarget::RequestCompletionRoutine+0x12d
80552288 804f180d 897235e8 89a24540 88ec9b80 wdf01000!FxIoTarget::_RequestCompletionRoutine+0x35
805522a4 804f26b0 897235e8 89a24540 89a49a30 nt!IopUnloadSafeCompletion+0x1d
805522d4 b96950d5 89a24540 88ed1eb8 8993b028 nt!IopfCompleteRequest+0xa2
8055233c b9695d47 89a00d6c 00000000 8993b7d8 USBPORT!USBPORT_CompleteTransfer+0x373
8055236c b9696944 026e6f44 8993b0e0 8993b0e0 USBPORT!USBPORT_DoneTransfer+0x137
805523a4 b969813a 8993b028 80547abc 8993b230 USBPORT!USBPORT_FlushDoneTransferList+0x16c
805523d0 b96a624b 8993b028 80547abc 8993b028 USBPORT!USBPORT_DpcWorker+0x224
8055240c b96a63c2 8993b028 00000001 8055d0c0 USBPORT!USBPORT_IsrDpcWorker+0x38f
80552428 80546e6f 8993b64c 6b755044 00000000 USBPORT!USBPORT_IsrDpc+0x166
80552450 80546d54 00000000 0000000e 00000000 nt!KiRetireDpcList+0x61
80552454 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x28

STACK_COMMAND: kb

FOLLOWUP_IP:
usb2ser!WdfRequestUnmarkCancelable+16 [d:\winddk\7600.16385.1\inc\wdf\kmdf\1.9\wdfrequest.h @ 775]
a80c0036 5d pop ebp

FAULTING_SOURCE_CODE:
771: WDFREQUEST Request
772: )
773: {
774: return ((PFN_WDFREQUESTUNMARKCANCELABLE) WdfFunctions[WdfRequestUnmarkCancelableTableIndex])(WdfDriverGlobals, Request);
> 775: }
776:
777: //
778: // WDF Function: WdfRequestIsCanceled
779: //
780: typedef

SYMBOL_STACK_INDEX: b

SYMBOL_NAME: usb2ser!WdfRequestUnmarkCancelable+16

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: usb2ser

IMAGE_NAME: usb2ser.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4ccd32dd

FAILURE_BUCKET_ID: 0xBE_usb2ser!WdfRequestUnmarkCancelable+16

BUCKET_ID: 0xBE_usb2ser!WdfRequestUnmarkCancelable+16

Followup: MachineOwner

1 you never send a request to another driver with a cancel routine set

2 since you don’t send the req with one set, it is incorrect to clear it in the completion routine

d

sent from a phone with no keyboard

-----Original Message-----
From: xxxxx@hotmail.com
Sent: October 31, 2010 3:18 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] WdfRequestUnmarkCancelable cause a blue screen


Thanks Doron!

Yes, I just figured out this problem. Mark the old request cancelable, so that the cancel routine can be called once someone wants to cancel the request.
I create a new request to send to the I/O target, and unmark the old request in the completion routine, and it works well.

I checked that formatrequestforwrite is a forward operation that changes the request's ownership.
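
Added example, not part of the thread and not KMDF code: a user-mode C model of the rule in the reply (never send a request that has a cancel routine set) and of the fix in the last post (keep the original cancelable, send a separate request). Every type, status value and function name here is a hypothetical stand-in; the model rejects the bad send up front, whereas in the thread the failure surfaced later as the bugcheck inside WdfRequestUnmarkCancelable.

```c
#include <stdio.h>

/* User-mode model of the ownership rule; hypothetical names, not KMDF calls. */
enum { ST_OK, ST_CANCELLED, ST_NOT_CANCELABLE, ST_BAD_SEND };

typedef struct {
    int cancelable;   /* a cancel routine is currently registered  */
    int cancel_ran;   /* the cancel routine has already run        */
    int completions;  /* must be exactly 1 when the flow finishes  */
} Request;

static void mark_cancelable(Request *r) { r->cancelable = 1; }

/* Rule 1 from the reply: a request with a cancel routine set is never sent. */
static int send_to_target(const Request *r) {
    return r->cancelable ? ST_BAD_SEND : ST_OK;
}

/* Cancel routine: takes over completion of the request it was set on. */
static void cancel_routine(Request *r) {
    r->cancelable = 0; r->cancel_ran = 1; r->completions++;
}

/* ST_CANCELLED tells the caller that the cancel routine owns completion. */
static int unmark_cancelable(Request *r) {
    if (r->cancel_ran)  return ST_CANCELLED;
    if (!r->cancelable) return ST_NOT_CANCELABLE;
    r->cancelable = 0;
    return ST_OK;
}

/* First post: mark the queue's request, then send that same request. */
static int first_post_flow(void) {
    Request orig = {0, 0, 0};
    mark_cancelable(&orig);
    return send_to_target(&orig);
}

/* Last post: the original stays cancelable and a separate request is sent.
   Returns how many times the original was completed (the model ignores
   cancelling the in-flight child request). */
static int last_post_flow(int cancel_before_completion) {
    Request orig = {0, 0, 0}, child = {0, 0, 0};
    mark_cancelable(&orig);
    if (send_to_target(&child) != ST_OK) return -1;
    if (cancel_before_completion) cancel_routine(&orig);
    /* Completion routine of the child request runs here. */
    if (unmark_cancelable(&orig) == ST_OK) orig.completions++;
    return orig.completions;
}

int main(void) {
    printf("%d %d %d\n", first_post_flow(), last_post_flow(0), last_post_flow(1));
    return 0;
}
```

Both runs of `last_post_flow` complete the original exactly once, including the case where the cancel routine wins the race against the completion routine.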