BSOD because RtlCopyMemory is running at the wrong IRQL... HELP...




Hi Everyone

When I test my USB driver in the DTM test (the target OS is Windows Server
2003), I get a BSOD in this routine:

NTSTATUS DeviceControlComplete(
    PDEVICE_OBJECT fido,
    PIRP Irp,
    PDEVICE_EXTENSION pdx
    )
{
    PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp);
    PURB purb = (PURB) irpSp->Parameters.Others.Argument1;
    .....
    RtlCopyMemory(pdx->intdata,
                  purb->UrbControlDescriptorRequest.TransferBuffer,
                  purb->UrbControlDescriptorRequest.TransferBufferLength); // this line causes the BSOD
    ......
}
(From the DDK documentation: Callers of RtlCopyMemory can be running at any
IRQL if both memory blocks are resident. Otherwise, the caller must be
running at IRQL < DISPATCH_LEVEL.)

I know it's RtlCopyMemory that causes the BSOD, because the current IRQL is
DISPATCH_LEVEL, but the caller of RtlCopyMemory must be running at
IRQL < DISPATCH_LEVEL.
Does anybody have the same problem, or something like this?
Any suggestions?


WINDBG MESSAGE:

Microsoft (R) Windows Debugger Version 6.7.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\baron\桌面\ori\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: D:\WINDOWS\Symbols\sys;D:\WINDOWS\Symbols;SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp1_rtm.050324-1447
Kernel base = 0x80800000 PsLoadedModuleList = 0x808af988
Debug session time: Sat Oct 13 04:19:13.203 2007 (GMT+8)
System Uptime: 0 days 0:02:31.828
Loading Kernel Symbols
........................................................................................................
Loading User Symbols

Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {85ce7000, 2, 0, f77bf691}

*** No owner thread found for resource 808ae4e0
*** No owner thread found for resource 808ae4e0
*** No owner thread found for resource 808ae4e0
Probably caused by : touchset.sys ( touchset!DeviceControlComplete+1d )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 85ce7000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: f77bf691, address which referenced memory

Debugging Details:
------------------

*** No owner thread found for resource 808ae4e0
*** No owner thread found for resource 808ae4e0
*** No owner thread found for resource 808ae4e0

READ_ADDRESS: 85ce7000 Special pool

CURRENT_IRQL: 2

FAULTING_IP:
touchset!DeviceControlComplete+1d [d:\z\xp2k_orion\driver\touchset_1.1.8.39\sys\driverentry.cpp @ 729]
f77bf691 837b1805        cmp     dword ptr [ebx+18h],5

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: System

TRAP_FRAME:  f78e6604 -- (.trap 0xfffffffff78e6604)
ErrCode = 00000000
eax=866ccfb4 ebx=85ce6fe8 ecx=00000000 edx=00000002 esi=f78e6710 edi=866cced8
eip=f77bf691 esp=f78e6678 ebp=f78e66ac iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
touchset!DeviceControlComplete+0x1d:
f77bf691 837b1805        cmp     dword ptr [ebx+18h],5 ds:0023:85ce7000=????????
Resetting default scope

LOCK_ADDRESS: 808ae560 -- (!locks 808ae560)

Resource @ nt!IopDeviceTreeLock (0x808ae560)    Shared 1 owning threads
    Threads: 853ff3f0-01<*>
1 total locks, 1 locks currently held

PNP_TRIAGE:
Lock address : 0x808ae560
Thread Count : 1
Thread address: 0x853ff3f0
Thread wait : 0x25f1

LAST_CONTROL_TRANSFER: from f77bf691 to 80837ed5

STACK_TEXT:
f78e6604 f77bf691 badb0d00 00000002 866ccf90 nt!KiTrap0E+0x2a7
f78e6688 809d4283 84f4ad00 866cced8 84f4adb8 touchset!DeviceControlComplete+0x1d [d:\z\xp2k_orion\driver\touchset_1.1.8.39\sys\driverentry.cpp @ 729]
f78e66ac 8083ec8a 84f4ad00 866cced8 f78e6710 nt!IovpLocalCompletionRoutine+0xb4
f78e66dc 809d480d 866cced8 852060ec 00000000 nt!IopfCompleteRequest+0xcd
f78e6748 baf75d2a 8083b28b f78e679c baf7c808 nt!IovCompleteRequest+0x9a
f78e6754 baf7c808 8517e030 866cced8 00000000 USBPORT!USBPORT_CompleteIrp+0x2a
f78e679c baf7d6f5 85206028 8083b28b 84f4cd10 USBPORT!USBPORT_FlushAbortList+0x472
f78e67c4 baf7fe18 85206028 4b576f6e 84f4cd10 USBPORT!USBPORT_CoreEndpointWorker+0x571
f78e6824 baf80411 00f4cd10 ffffffff 866cced8 USBPORT!USBPORT_FlushPendingList+0x2da
f78e6844 baf88ce0 85206028 2b726241 6d524261 USBPORT!USBPORT_AbortEndpoint+0x307
f78e6864 baf87b9a 85206028 00000103 84f4e84c USBPORT!USBPORT_AbortPipe+0xb8
f78e6890 baf8cc7a 8517e030 85206028 866cced8 USBPORT!USBPORT_ProcessURB+0x3ee
f78e68b0 baf75e7c 8517e030 866cced8 80a78be4 USBPORT!USBPORT_PdoInternalDeviceControlIrp+0x7e
f78e68d4 809d457d 866ccf90 8517e188 866cced8 USBPORT!USBPORT_Dispatch+0x148
f78e6904 80859657 bac1418a f78e6918 bac1418a nt!IovCallDriver+0x112
f78e6910 bac1418a f78e6938 bac1801b 866cced8 nt!IofCallDriver+0x13
f78e6918 bac1801b 866cced8 8517e030 84f406f0 usbhub!USBH_PassIrp+0x18
f78e6938 bac1897f 84f406f0 866cced8 80a78be4 usbhub!USBH_PdoUrbFilter+0xbd
f78e6958 bac15e3e 85ce6fe8 866cced8 f78e6998 usbhub!USBH_PdoDispatch+0x211
f78e6968 809d457d 84f4f4a8 866cced8 866ccfac usbhub!USBH_HubDispatch+0x48
f78e6998 80859657 f77bfe11 f78e69b8 f77bfe11 nt!IovCallDriver+0x112
f78e69a4 f77bfe11 80a78be4 84f4ad00 00000000 nt!IofCallDriver+0x13
f78e69b8 809d457d 84f4adcc 866cced8 866ccfd0 touchset!FilterDispatchAny+0xe1 [d:\z\xp2k_orion\driver\touchset_1.1.8.39\sys\driverentry.cpp @ 704]
f78e69e8 80859657 809e5b79 f78e6a08 809e5b79 nt!IovCallDriver+0x112
f78e69f4 809e5b79 80a78be4 84f4a228 00000000 nt!IofCallDriver+0x13
f78e6a08 809d457d 84f4a228 866cced8 00000000 nt!ViFilterDispatchGeneric+0x2a
f78e6a38 80859657 f7688d03 f78e6a70 f7688d03 nt!IovCallDriver+0x112
f78e6a44 f7688d03 84f4a86c 85ce6fe8 84f4a620 nt!IofCallDriver+0x13
f78e6a70 f768c089 84f4a620 85ce6fe8 00000002 hidusb!HumCallUSB+0x71
f78e6a88 f768c0da 84f4a620 00000000 859e0e70 hidusb!HumAbortPendingRequests+0x4b
f78e6aa0 f768c1ef 84f4a620 859e0e70 84f4a808 hidusb!HumRemoveDevice+0x32
f78e6ad0 f7698a3a 84f4a620 859e0e70 84f4a6ec hidusb!HumPnP+0x45
f78e6ae0 f76a0e98 84f4a620 859e0e70 859e0e70 HIDCLASS!HidpCallDriver+0x3c
f78e6af8 f769f465 84f4a6ec 859e0e70 80a78be4 HIDCLASS!HidpRemoveDevice+0x9e
f78e6b14 f769f5a9 84f4a6d8 859e0e70 f769947c HIDCLASS!HidpFdoPnp+0x6f
f78e6b20 f769947c 84f4a6d8 859e0e70 809d457d HIDCLASS!HidpIrpMajorPnp+0x1b
f78e6b2c 809d457d 84f4a620 859e0e70 859e0fd4 HIDCLASS!HidpMajorHandler+0x76
f78e6b5c 80859657 809e5c1f f78e6b7c 809e5c1f nt!IovCallDriver+0x112
f78e6b68 809e5c1f 80a78be4 84f4f778 00000000 nt!IofCallDriver+0x13
f78e6b7c 809d457d 84f4a620 859e0e70 859e1000 nt!ViFilterDispatchPnp+0x95
f78e6bac 80859657 808f6a25 f78e6be4 808f6a25 nt!IovCallDriver+0x112
f78e6bb8 808f6a25 84f4f4a8 84f4f4a8 851dc218 nt!IofCallDriver+0x13
f78e6be4 808e20b5 84f4f778 f78e6c10 00000000 nt!IopSynchronousCall+0xbe
f78e6c38 8080beae 84f4f4a8 00000002 00000000 nt!IopRemoveDevice+0x97
f78e6c60 808e149b e1113b78 00000015 e1101820 nt!IopRemoveLockedDeviceNode+0x160
f78e6c78 808e18cc 851dc218 00000002 e1101820 nt!IopDeleteLockedDeviceNode+0x50
f78e6cac 808e1732 84f4f4a8 02101820 00000002 nt!IopDeleteLockedDeviceNodes+0x3f
f78e6d40 808e19b6 f78e6d7c 853ea214 e110c748 nt!PiProcessQueryRemoveAndEject+0x7ad
f78e6d5c 808e7879 f78e6d7c 853ff3f0 808b70dc nt!PiProcessTargetDeviceEvent+0x2a
f78e6d80 8083f72e 84e4bf00 00000000 853ff3f0 nt!PiWalkDeviceList+0x1d2
f78e6dac 8092ccff 84e4bf00 00000000 00000000 nt!ExpWorkerThread+0xeb
f78e6ddc 80841a96 8083f671 00000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND: kb

FOLLOWUP_IP:
touchset!DeviceControlComplete+1d [d:\z\xp2k_orion\driver\touchset_1.1.8.39\sys\driverentry.cpp @ 729]
f77bf691 837b1805        cmp     dword ptr [ebx+18h],5

FAULTING_SOURCE_CODE:
   725: currentY = 0;
   726: UCHAR Button = 0;
   727:
   728: if(purb){
   729: if(purb->UrbControlDescriptorRequest.TransferBufferLength==5){
   730: RtlCopyMemory(pdx->intdata, purb->UrbControlDescriptorRequest.TransferBuffer, purb->UrbControlDescriptorRequest.TransferBufferLength);
   731:
   732: Button = pdx->intdata[0];
   733: currentX = pdx->intdata[1] | (pdx->intdata[2] << 8);
   734: currentY = pdx->intdata[3] | (pdx->intdata[4] << 8);


SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: touchset

IMAGE_NAME: touchset.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 46b7378d

SYMBOL_NAME: touchset!DeviceControlComplete+1d

FAILURE_BUCKET_ID: 0xD1_VRF_touchset!DeviceControlComplete+1d

BUCKET_ID: 0xD1_VRF_touchset!DeviceControlComplete+1d

Followup: MachineOwner
---------
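An added example, not the poster's driver code, of the validation a practitioner would want in front of line 729. Read against the dump: the faulting instruction is the `cmp dword ptr [ebx+18h],5` that implements `TransferBufferLength==5`, so the fault is taken before RtlCopyMemory runs; ebx (the URB pointer) is 85ce6fe8, ebx+18h is 85ce7000, which !analyze reports as an unmapped Special pool address; and the IRP being completed into the filter comes from hidusb!HumAbortPendingRequests through USBPORT_AbortPipe, with hidusb!HumCallUSB receiving that same 85ce6fe8 as its URB argument. The completion routine is therefore reading control-descriptor fields out of whatever URB hidusb sent, and an abort-pipe URB is shorter than the offset of TransferBufferLength. The C below models this on the host so it builds without the DDK: the struct layouts are reduced mirrors of usbdi.h (an assumption, trimmed to the members used), URB_FUNCTION_GET_DESCRIPTOR_FROM_DEVICE is assumed to be the function the filter expects because the post reads UrbControlDescriptorRequest, and the sample URBs and the 5-byte report are constructed for the example.

```c
/*
 * Host-side model of the URB handling at driverentry.cpp lines 729/730.
 * Added example: struct layouts are reduced mirrors of usbdi.h (assumed
 * field order as in the DDK headers), so a normal C compiler builds it.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define URB_FUNCTION_ABORT_PIPE                  0x0002
#define URB_FUNCTION_GET_DESCRIPTOR_FROM_DEVICE  0x000B
#define USBD_STATUS_SUCCESS                      0
#define REPORT_LEN                               5   /* report the filter expects */

struct URB_HEADER {
    uint16_t Length;        /* size of the whole URB, set by its builder */
    uint16_t Function;      /* URB_FUNCTION_*: selects the valid union member */
    int32_t  Status;        /* USBD_STATUS, filled in on completion */
    void    *UsbdDeviceHandle;
    uint32_t UsbdFlags;
};

/* URB_FUNCTION_ABORT_PIPE: nothing after the header but a pipe handle. */
struct URB_PIPE_REQUEST {
    struct URB_HEADER Hdr;
    void    *PipeHandle;
    uint32_t Reserved;
};

/* URB_FUNCTION_GET_DESCRIPTOR_FROM_DEVICE: the member the filter reads. */
struct URB_CONTROL_DESCRIPTOR_REQUEST {
    struct URB_HEADER Hdr;
    void    *Reserved;
    uint32_t Reserved0;
    uint32_t TransferBufferLength;
    void    *TransferBuffer;
    void    *TransferBufferMDL;
};

struct touch_report { uint8_t button; uint16_t x; uint16_t y; };

/*
 * Validate a completed URB before touching function-specific fields.
 * Returns 1 and fills *out only for a successful GET_DESCRIPTOR URB whose
 * buffer holds exactly REPORT_LEN bytes; returns 0 for everything else
 * (abort-pipe URBs, failed transfers, short or missing buffers) without
 * reading past the header.
 */
int extract_touch_report(const void *urb, struct touch_report *out)
{
    const struct URB_HEADER *hdr = (const struct URB_HEADER *)urb;
    const struct URB_CONTROL_DESCRIPTOR_REQUEST *req;
    const uint8_t *data;

    if (urb == NULL || out == NULL)
        return 0;
    if (hdr->Function != URB_FUNCTION_GET_DESCRIPTOR_FROM_DEVICE)
        return 0;   /* other functions do not have these fields at all */
    if ((size_t)hdr->Length < sizeof(struct URB_CONTROL_DESCRIPTOR_REQUEST))
        return 0;   /* never read beyond the URB's own declared size */
    if (hdr->Status != USBD_STATUS_SUCCESS)
        return 0;

    req = (const struct URB_CONTROL_DESCRIPTOR_REQUEST *)urb;
    if (req->TransferBufferLength != REPORT_LEN || req->TransferBuffer == NULL)
        return 0;

    data = (const uint8_t *)req->TransferBuffer;
    out->button = data[0];
    out->x = (uint16_t)(data[1] | (data[2] << 8));
    out->y = (uint16_t)(data[3] | (data[4] << 8));
    return 1;
}

/* Constructed sample: an abort-pipe URB like the one hidusb sends on
   remove, which is what the stack above shows completing into the filter. */
int sample_abort_pipe_rejected(void)
{
    struct URB_PIPE_REQUEST abort_urb;
    struct touch_report rep;
    memset(&abort_urb, 0, sizeof abort_urb);
    abort_urb.Hdr.Length = (uint16_t)sizeof abort_urb;
    abort_urb.Hdr.Function = URB_FUNCTION_ABORT_PIPE;
    return extract_touch_report(&abort_urb, &rep) == 0;
}

/* Constructed sample: a completed descriptor request carrying a 5-byte
   report (button=1, x=0x0234, y=0x0567). */
int sample_report(struct touch_report *rep)
{
    static uint8_t buf[REPORT_LEN] = { 0x01, 0x34, 0x02, 0x67, 0x05 };
    struct URB_CONTROL_DESCRIPTOR_REQUEST req;
    memset(&req, 0, sizeof req);
    req.Hdr.Length = (uint16_t)sizeof req;
    req.Hdr.Function = URB_FUNCTION_GET_DESCRIPTOR_FROM_DEVICE;
    req.Hdr.Status = USBD_STATUS_SUCCESS;
    req.TransferBufferLength = REPORT_LEN;
    req.TransferBuffer = buf;
    return extract_touch_report(&req, rep);
}

int sample_report_matches(uint8_t button, uint16_t x, uint16_t y)
{
    struct touch_report rep;
    if (!sample_report(&rep))
        return 0;
    return rep.button == button && rep.x == x && rep.y == y;
}

int main(void)
{
    struct touch_report rep;
    printf("abort-pipe URB rejected: %d\n", sample_abort_pipe_rejected());
    if (sample_report(&rep))
        printf("button=%u x=%u y=%u\n", rep.button, rep.x, rep.y);
    return 0;
}
```

In the real completion routine the rejected cases simply leave pdx->intdata alone and return, with the usual completion-routine handling of PendingReturned; the Function check is the one that matters for the stack shown here, and the Length check is what keeps Driver Verifier's special pool quiet for any other URB size. The copy itself is then bounded by REPORT_LEN, which the existing `==5` test already guarantees once it is only evaluated on a URB that actually has that field.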


