davidpreetham
Member
- Jun 7, 2019
Hi,
The current driver (a USB emulated driver) creates a child device on which the usbserial driver will be loaded; on top of that, the application will be communicating.
The current driver received a bulk-in request from usbser.sys; the current driver is holding the WDFREQUEST and marked it using WdfRequestMarkCancelableEx.
The current driver holds the request indefinitely (a while loop runs with a 2 ms timeout) until it receives data from the device; due to some issues the device is not sending data.
The OS triggered a power IRP to usbser.sys, which in turn tried to stop its already posted requests.
The WDF framework cancelled them using its cancel repeater.
The current driver's cancel routine is not called, and the request is still present in the current driver,
which led to a BSOD (power IRP held by usbser for too long); ideally the bulk-in request that usbser posted previously is pending in the current driver.
usbser call stack while cancelling its previously posted requests:
[0x5] Wdf01000!_FX_DRIVER_GLOBALS::WaitForSignal + 0x5f
[0x6] Wdf01000!FxUsbPipeContinuousReader::CancelRepeaters + 0x76
[0x7] Wdf01000!FxUsbPipe::WaitForSentIoToComplete + 0xf0
[0x8] Wdf01000!FxIoTarget::Stop + 0x61
[0x9] Wdf01000!imp_WdfIoTargetStop + 0x62
[0xa] usbser!UsbSerStopUSBRead + 0xdb
[0xb] usbser!UsbSerEvtDeviceD0Exit + 0x82
[0xc] Wdf01000!FxPnpDeviceD0Exit::InvokeClient + 0x2f
current driver that holds the WDF request which usbser tried to cancel:
[0x3] nt!KeWaitForSingleObject + 0x233
[0x4] current!current_timeout + 0x7b
[0x5] current!current_read + 0x11d
[0x6] current!current_read + 0x3ad
[0x7] current!current_read_cb + 0x52
[0x8] current!currentBulkInRequestHandler + 0x60
[0x9] current!currentEvtBulkInRequest + 0x3a0
[0xa] Wdf01000!VfEvtIoInternalDeviceControl + 0x154
How can I verify whether the cancel that the WDF framework initiated called the current driver's cancel routine, or why it is not called?
The raw format of the IRP shows the cancel routine is NULL and the cancel bit is set to 1.
Does WdfRequestMarkCancelableEx set the IRP cancel routine or a WDF request structure variable?
From WinDbg commands it is confirmed that the cancel repeater tried to cancel the IRP, and the IRP associated with the WDF request in the current driver is the same one.
There are no driver logs for us to extract to see what exactly is happening.
0: kd> dx -id 0,0,ffffa982eae9e180 -r1 ((Wdf01000!_IRP *)0xffffa982ff4e1560)
((Wdf01000!_IRP *)0xffffa982ff4e1560) : 0xffffa982ff4e1560 [Type: _IRP *]
[<Raw View>] [Type: _IRP]
IoStack : Size = 14, Current IRP_MJ_INTERNAL_DEVICE_CONTROL / 0x0 for Device for "\Driver\UDE"
0: kd> dx -id 0,0,ffffa982eae9e180 -r1 -nv (*((Wdf01000!_IRP *)0xffffa982ff4e1560))
(*((Wdf01000!_IRP *)0xffffa982ff4e1560)) [Type: _IRP]
[+0x000] Type : 6 [Type: short]
[+0x002] Size : 0x508 [Type: unsigned short]
[+0x008] MdlAddress : 0x0 [Type: _MDL *]
[+0x010] Flags : 0x0 [Type: unsigned long]
[+0x018] AssociatedIrp [Type: _IRP::<unnamed-type-AssociatedIrp>]
[+0x020] ThreadListEntry [Type: _LIST_ENTRY]
[+0x030] IoStatus [Type: _IO_STATUS_BLOCK]
[+0x040] RequestorMode : 0 [Type: char]
[+0x041] PendingReturned : 0x0 [Type: unsigned char]
[+0x042] StackCount : 14 [Type: char]
[+0x043] CurrentLocation : 10 '\n' [Type: char]
[+0x044] Cancel : 0x1 [Type: unsigned char]
[+0x045] CancelIrql : 0x0 [Type: unsigned char]
[+0x046] ApcEnvironment : 0 [Type: char]
[+0x047] AllocationFlags : 0x44 [Type: unsigned char]
[+0x048] UserIosb : 0x0 [Type: _IO_STATUS_BLOCK *]
[+0x050] UserEvent : 0x0 [Type: _KEVENT *]
[+0x058] Overlay [Type: _IRP::<unnamed-type-Overlay>]
[+0x068] CancelRoutine : 0x0 : 0x0 [Type: void (__cdecl*)(_DEVICE_OBJECT *,_IRP *)]
[+0x070] UserBuffer : 0x0 [Type: void *]
[+0x078] Tail [Type: _IRP::<unnamed-type-Tail>]
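The cancel contract the post is asking about, as an added example that is not part of the original post and not WDF code: a user-mode C model of how WdfRequestMarkCancelableEx, WdfRequestUnmarkCancelable and EvtRequestCancel are meant to interact, and of the driver-side pattern that parks a bulk-in request and returns from the dispatch callback instead of spinning in it. The `model_*` functions stand in for the framework (single-threaded, no cancel spinlock, no IRQL) and are this example's own; `device_ctx`, `pending_bulk_in`, `evt_bulk_in_request` and `on_data_arrived` are assumed names, not the poster's driver. The three replayed orderings show who completes the request in each race: the holder, the cancel callback, or the holder again when the Ex variant reports that the request was already cancelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example: a model of the KMDF cancel contract, not Wdf01000 itself.
 * The two status values mirror the NTSTATUS codes the real APIs return. */
typedef uint32_t ntstatus_t;
#define STATUS_SUCCESS   ((ntstatus_t)0x00000000u)
#define STATUS_CANCELLED ((ntstatus_t)0xC0000120u)

struct request;
typedef void (*evt_request_cancel_t)(struct request *req);

struct request {
    bool cancelable;          /* a cancel routine is attached to the IRP */
    bool cancel_bit;          /* Irp->Cancel: a canceller has been here */
    int completions;          /* a correct driver completes exactly once */
    ntstatus_t status;
    evt_request_cancel_t evt_cancel;
    void *context;
};

/* ---- framework side (model) ---- */

/* WdfRequestMarkCancelableEx: attach the callback, or STATUS_CANCELLED when the
 * request was cancelled before the mark; then the caller must complete it. */
static ntstatus_t model_mark_cancelable_ex(struct request *r, evt_request_cancel_t evt)
{
    if (r->cancel_bit)
        return STATUS_CANCELLED;
    r->cancelable = true;
    r->evt_cancel = evt;
    return STATUS_SUCCESS;
}

/* WdfRequestUnmarkCancelable: STATUS_SUCCESS returns ownership to the caller,
 * STATUS_CANCELLED means the cancel callback already took the request.
 * (Unmarking without a prior successful mark is a driver bug, not modelled.) */
static ntstatus_t model_unmark_cancelable(struct request *r)
{
    if (!r->cancelable)
        return STATUS_CANCELLED;
    r->cancelable = false;
    return STATUS_SUCCESS;
}

/* IoCancelIrp from the canceller (in the post: usbser's cancel repeater).
 * The cancel bit is always set; an attached routine is detached and run once.
 * With nothing attached, the holder has to notice the bit itself. */
static void model_cancel(struct request *r)
{
    r->cancel_bit = true;
    if (r->cancelable) {
        r->cancelable = false;
        r->evt_cancel(r);
    }
}

static void model_complete(struct request *r, ntstatus_t status)
{
    r->completions++;
    r->status = status;
}

/* ---- driver side: park the request, never block in the dispatch callback ---- */

struct device_ctx {
    struct request *pending_bulk_in;   /* guarded by a spinlock in a real driver */
};

static void evt_request_cancel(struct request *r)
{
    struct device_ctx *ctx = r->context;
    ctx->pending_bulk_in = NULL;
    model_complete(r, STATUS_CANCELLED);
}

/* EvtIoInternalDeviceControl for the bulk-in request: store it and return.
 * Spinning here with a timeout is what keeps usbser's D0Exit waiting. */
static void evt_bulk_in_request(struct device_ctx *ctx, struct request *r)
{
    r->context = ctx;
    ctx->pending_bulk_in = r;
    if (model_mark_cancelable_ex(r, evt_request_cancel) == STATUS_CANCELLED) {
        ctx->pending_bulk_in = NULL;
        model_complete(r, STATUS_CANCELLED);   /* Ex said: nobody else will */
    }
}

/* Data from the emulated endpoint arrived; this races with cancellation. */
static void on_data_arrived(struct device_ctx *ctx)
{
    struct request *r = ctx->pending_bulk_in;
    if (r == NULL)
        return;                                /* already cancelled */
    ctx->pending_bulk_in = NULL;
    if (model_unmark_cancelable(r) == STATUS_CANCELLED)
        return;                                /* evt_request_cancel completes it */
    model_complete(r, STATUS_SUCCESS);
}

/* Replay one ordering; true iff the request completed exactly once with the
 * expected status. 0: data then cancel, 1: cancel then data, 2: cancelled
 * before the request is even marked. */
static bool scenario_ok(int order, ntstatus_t expected)
{
    struct device_ctx ctx = { NULL };
    struct request r = { 0 };
    switch (order) {
    case 0: evt_bulk_in_request(&ctx, &r); on_data_arrived(&ctx); model_cancel(&r); break;
    case 1: evt_bulk_in_request(&ctx, &r); model_cancel(&r); on_data_arrived(&ctx); break;
    case 2: model_cancel(&r); evt_bulk_in_request(&ctx, &r); break;
    default: return false;
    }
    return r.completions == 1 && r.status == expected;
}
```

In the model, an IRP with the cancel bit set and no routine attached is the state after `model_cancel` has run, whether it found a routine to invoke or not; the two cases are told apart only by whether the cancel callback ran, which is what the driver has to be able to answer. For the real framework, `!wdfkd.wdfrequest` on the WDFREQUEST handle shows the framework's view of the request, and `!wdfkd.wdflogdump <drivername>` dumps the framework's in-flight recorder log for the driver even when the driver itself writes no logs.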