ZwDeviceIoControlFile problem

Hi all

I have a problem with driver-driver ioctls that I’m struggling with.

I have a wdm driver for a device with a simple ioctl interface. From a dll I can get a handle to the device using CreateFileA and talk to the device using DeviceIoControl. This works fine and has done for some time.

I’d like to now operate the device from another wdm and so use the Zw… funcs…

I can get a handle to the device:

InitializeObjectAttributes(&objAttr, &ntDeviceName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

Status = ZwCreateFile(&hndFile,
FILE_READ_DATA|FILE_WRITE_DATA,
&objAttr,
&ioStatusBlock,
0, // allocation is meaningless
0, // no attributes specified
FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
FILE_OPEN, // must already exist
FILE_NON_DIRECTORY_FILE, // must NOT be a directory
NULL, // no EA buffer
0); // no EA buffer size…

I can call the device ioctl:

Status = ZwDeviceIoControlFile(
hndFile,
testEvent,
NULL,
NULL,
&ioStatusBlock,
(unsigned long) IOCTL_BUFFERED_WRITE_READ,
WriteBuff,
WriteSize,
ReadBuff,
ReadSize);

And I can see the ioctl land in the other driver.

However, I’m getting a BSOD:

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 89a669b0, The pool entry we were looking for within the page.
Arg3: 89a669c0, The next pool entry.
Arg4: 1a020001, (reserved)

This seems to be as a result of IoCompleteRequest in the driver before returning from the ioctl:
Irp->IoStatus.Status = Status;
IoCompleteRequest (Irp, IO_NO_INCREMENT);
return Status;

Am I going about this the right way?

Thanks

Sean
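The two halves of the call Sean describes, as an added example that is not part of the original post or of his drivers: a METHOD_BUFFERED dispatch routine in the target driver that checks both buffer lengths, sets IoStatus.Information and completes the IRP exactly once, and a caller in the second driver that opens the device with a synchronous handle so ZwDeviceIoControlFile returns the final status rather than STATUS_PENDING. The IOCTL value, the WR_REQUEST/WR_REPLY structures and the device name are assumptions; the page only names IOCTL_BUFFERED_WRITE_READ.

```c
#include <ntddk.h>

/* Assumed IOCTL definition: the real value is not on the page. */
#define IOCTL_BUFFERED_WRITE_READ \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* Hypothetical request/reply layout for the example. */
typedef struct _WR_REQUEST { ULONG Register; ULONG Value; } WR_REQUEST, *PWR_REQUEST;
typedef struct _WR_REPLY   { ULONG Value; } WR_REPLY, *PWR_REPLY;

/* Target driver: one completion path, reached only after the lengths are checked.
 * For METHOD_BUFFERED input and output share Irp->AssociatedIrp.SystemBuffer and the
 * I/O manager copies back exactly IoStatus.Information bytes to the caller. */
NTSTATUS
TargetDispatchDeviceControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    ULONG inLen  = stack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG outLen = stack->Parameters.DeviceIoControl.OutputBufferLength;
    ULONG_PTR info = 0;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(DeviceObject);

    switch (stack->Parameters.DeviceIoControl.IoControlCode) {
    case IOCTL_BUFFERED_WRITE_READ:
        if (inLen < sizeof(WR_REQUEST) || outLen < sizeof(WR_REPLY)) {
            status = STATUS_BUFFER_TOO_SMALL;  /* SystemBuffer is never touched here */
            break;
        }
        {
            PWR_REQUEST req = (PWR_REQUEST)Irp->AssociatedIrp.SystemBuffer;
            PWR_REPLY   rep = (PWR_REPLY)Irp->AssociatedIrp.SystemBuffer;
            ULONG value = req->Value;   /* read the input before the shared buffer is overwritten */
            rep->Value = value;         /* stands in for the real device access */
            info = sizeof(WR_REPLY);
            status = STATUS_SUCCESS;
        }
        break;
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = info;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);  /* Irp must not be referenced after this */
    return status;
}

/* Calling driver: open by NT name, issue the IOCTL synchronously, close the handle.
 * Must run at PASSIVE_LEVEL. */
NTSTATUS
SendBufferedWriteRead(PCWSTR NtDeviceName, ULONG Register, ULONG Value, PULONG ValueOut)
{
    UNICODE_STRING name;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iosb;
    HANDLE h = NULL;
    WR_REQUEST req = { Register, Value };
    WR_REPLY rep = { 0 };
    NTSTATUS status;

    PAGED_CODE();

    RtlInitUnicodeString(&name, NtDeviceName);
    InitializeObjectAttributes(&oa, &name,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    /* SYNCHRONIZE plus FILE_SYNCHRONOUS_IO_NONALERT makes the I/O manager wait for
     * completion inside ZwDeviceIoControlFile, so no event parameter is needed. */
    status = ZwCreateFile(&h, FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE, &oa, &iosb,
                          NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE,
                          FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL, 0);
    if (!NT_SUCCESS(status)) return status;

    status = ZwDeviceIoControlFile(h, NULL, NULL, NULL, &iosb, IOCTL_BUFFERED_WRITE_READ,
                                   &req, sizeof(req), &rep, sizeof(rep));
    if (status == STATUS_PENDING) {   /* only reachable without the synchronous flag */
        ZwWaitForSingleObject(h, FALSE, NULL);
        status = iosb.Status;
    }
    if (NT_SUCCESS(status)) {
        if (iosb.Information >= sizeof(rep)) *ValueOut = rep.Value;
        else status = STATUS_UNSUCCESSFUL;   /* short reply: do not trust rep */
    }

    ZwClose(h);
    return status;
}
```

Two caveats worth keeping in mind with this path: the IRP built by ZwDeviceIoControlFile has RequestorMode == KernelMode, so a target that only probes METHOD_NEITHER pointers for user-mode callers will trust whatever the calling driver passes, and the handle must be opened with OBJ_KERNEL_HANDLE (as in the original post) so that it cannot be reached or closed from the user-mode process whose context the driver happens to run in.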

First, I’d suggest you move to WDF.

Having said that, driver A should attach to driver B via IoAttachDevice or
another IoAttachXxxxx function call, and use IoBuildDeviceIoControlRequest
for constructing the device IO control packet.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
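The IRP-building route that Gary points at, as an added example rather than code from the thread: instead of a handle, the calling driver gets the target device object, lets the I/O manager build the IOCTL IRP with IoBuildDeviceIoControlRequest, sends it with IoCallDriver and waits on an event. It uses IoGetDeviceObjectPointer rather than IoAttachDevice, on the assumption that the caller only needs to send requests and does not want to sit in the target's device stack as a filter; the IOCTL value is assumed.

```c
#include <ntddk.h>

/* Assumed IOCTL definition: the real value is not on the page. */
#define IOCTL_BUFFERED_WRITE_READ \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* Send an IOCTL to the device named by NtDeviceName using an I/O-manager-built IRP.
 * Must run at PASSIVE_LEVEL; the buffers may be paged since they are copied/MDL'd
 * according to the IOCTL's transfer method. */
NTSTATUS
SendIoctlViaIrp(PCWSTR NtDeviceName, ULONG Ioctl,
                PVOID InBuf, ULONG InLen, PVOID OutBuf, ULONG OutLen,
                PULONG_PTR BytesReturned)
{
    UNICODE_STRING name;
    PFILE_OBJECT fileObject = NULL;
    PDEVICE_OBJECT devObject = NULL;
    KEVENT event;
    IO_STATUS_BLOCK iosb;
    PIRP irp;
    NTSTATUS status;

    PAGED_CODE();

    RtlInitUnicodeString(&name, NtDeviceName);
    /* Takes a reference on the file object; the device object pointer is only
     * valid while that reference is held, so it is dropped on every exit path. */
    status = IoGetDeviceObjectPointer(&name, FILE_READ_DATA | FILE_WRITE_DATA,
                                      &fileObject, &devObject);
    if (!NT_SUCCESS(status)) return status;

    KeInitializeEvent(&event, NotificationEvent, FALSE);

    /* The I/O manager owns this IRP: it allocates the SystemBuffer, copies InBuf in,
     * copies OutBuf back, fills iosb, sets the event and frees the IRP when the
     * target completes it. The target completes it exactly once, the same as for an
     * IRP that arrived through ZwDeviceIoControlFile. */
    irp = IoBuildDeviceIoControlRequest(Ioctl, devObject, InBuf, InLen, OutBuf, OutLen,
                                        FALSE /* not an internal IOCTL */, &event, &iosb);
    if (irp == NULL) {
        ObDereferenceObject(fileObject);
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    /* Some targets look at the file object the request is for; hand it over. */
    IoGetNextIrpStackLocation(irp)->FileObject = fileObject;

    status = IoCallDriver(devObject, irp);
    if (status == STATUS_PENDING) {
        KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);
        status = iosb.Status;
    }
    /* From here on the IRP has been freed by the I/O manager: only iosb may be read. */
    if (BytesReturned != NULL) *BytesReturned = iosb.Information;

    ObDereferenceObject(fileObject);
    return status;
}

/* Example use, with the request/reply types assumed for this page's IOCTL. */
NTSTATUS
ExampleWriteRead(ULONG Register, ULONG Value, PULONG ValueOut)
{
    struct { ULONG Register; ULONG Value; } req = { Register, Value };
    struct { ULONG Value; } rep = { 0 };
    ULONG_PTR returned = 0;
    NTSTATUS status;

    status = SendIoctlViaIrp(L"\\Device\\ExampleTarget" /* assumed name */,
                             IOCTL_BUFFERED_WRITE_READ,
                             &req, sizeof(req), &rep, sizeof(rep), &returned);
    if (NT_SUCCESS(status) && returned >= sizeof(rep)) {
        *ValueOut = rep.Value;
        return STATUS_SUCCESS;
    }
    return NT_SUCCESS(status) ? STATUS_UNSUCCESSFUL : status;
}
```

The event and IO_STATUS_BLOCK live on the stack, which is only safe because the function waits for completion before returning; if the request were ever issued and abandoned, both would have to be allocated from non-paged pool and freed from a completion routine instead. As with the Zw path, the IRP is marked as coming from kernel mode, so the target driver's user-mode probing does not apply to these buffers.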

> Irp->IoStatus.Status = Status;
> IoCompleteRequest (Irp, IO_NO_INCREMENT);
> return Status;

It seems like the IRP was already completed. Do you complete the IRP in only one place, or could you be completing it somewhere else?
You could analyze an IRP by using the !irp command of WinDbg.

Igor Sharovar

These are 2 x wdm drivers that have been in use for quite some years now and work very well. We just need to add some small functionality, and so it's not practical for us to move to wdf at this time.

It does seem like a problem with the irp completion. I presume that we need to complete an irp that was sent by ZwDeviceIoControlFile?

Sean

> I presume that we need to complete an irp that was sent by ZwDeviceIoControlFile?

I believe you should. If an IRP is generated, you must complete it.
For testing, your driver could create an IRP and call IoCallDriver.

Igor Sharovar

Bingo!

An invalid pointer was corrupting my irp. The Zw… funcs themselves are fine… so far…

Thanks for your help.

Sean