windows kernel not infallible

 
 
Mathieu
Guest
Posts: n/a

 
      11-30-2009
Windows kernel not infallible!
or buggy
I am calling the function IoCompleteRequest once and not several times,

Windows 7 or Vista on my driver when I right click on my drive and I
click on Format.

BLUE-SCREEN! because the kernel Windows is not infallible!
Followup: memory_corruption

[----Works very well under XP----]

How to submit a crash-memory file (.DMP) to Microsoft?
I call once IoCompleteRequest.

Crash type :
MULTIPLE_IRP_COMPLETE_REQUESTS (44)
A driver has requested that an IRP be completed (IoCompleteRequest()), but
the packet has already been completed. This is a tough bug to find because
the easiest case, a driver actually attempted to complete its own packet
twice, is generally not what happened. Rather, two separate drivers each
believe that they own the packet, and each attempts to complete it. The
first actually works, and the second fails. Tracking down which drivers
in the system actually did this is difficult, generally because the trails
of the first driver have been covered by the second. However, the driver
stack for the current request can be found by examining the DeviceObject
fields in each of the stack locations.

Before submitting the DMP file to Microsoft, is the code good?
In the control disk I return STATUS_PENDING adding to the pile, which
will be performed in another thread that made model of IMGDISK aside it
is the psGetCurrentProcessID :

typedef struct {
LIST_ENTRY le;
PIRP irp;
HANDLE processID;
}TENTRYL,*PENTRYL;

Disk control Function :
IoMarkIrpPending(irp);
entryl=(PENTRYL)ExAllocatePool(NonPagedPool,sizeof (TENTRYL));
if (entryl!=NULL)
{
entryl->irp=irp;
entryl->processID=hp;
pvd->stackiodisk++;

ExInterlockedInsertTailList(&pvd->list_head,
&entryl->le,
&pvd->list_lock);



}
else
KdPrintferror(("Error allocation entryl\n",NULL));
*status= STATUS_PENDING;
KeSetEvent(&pvd->request_event, (KPRIORITY) 0, FALSE);



Disk Control Thread :
request=NULL;
request = ExInterlockedRemoveHeadList(&pvd->list_head,&pvd->list_lock);
pvd->stackiodisk--;
entryl=CONTAINING_RECORD(request,TENTRYL,le);
irp=entryl->irp;
hprocessID=entryl->processID;
ExFreePool(entryl);

Thank you.
 
 
 
 
 
Don Burn
Guest
Posts: n/a

 
      11-30-2009
You have not provided enough data for anyone to know if it is your driver or
the kernel. Have you run this with Driver Verifier on Windows 7? Have you
run SDV on this with the Windows 7 WDK? Both of these tools can help you
see if it is your code. Finally while no one claims the Windows kernel is
infallible, in the 15 years of driver development I have been doing, I have
never seen this bug check where it was not the driver writer's fault.


--
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply



 
Maxim S. Shatskih
Guest
Posts: n/a

 
      11-30-2009
> BLUE-SCREEN! because the kernel Windows is not infallible!

Correct, driver bugs cause blue screens immediately. This is normal.

But, if the _user app_ bug causes a blue screen, then submit a security issue report to MS in some way.

--
Maxim S. Shatskih
Windows DDK MVP

http://www.storagecraft.com

 
 
Mathieu
Guest
Posts: n/a

 
      11-30-2009
Don Burn wrote:
> You have not provided enough data for anyone to know if it is your driver or
> the kernel. Have you run this with Driver Verifier on Windows 7? Have you
> run SDV on this with the Windows 7 WDK? Both of these tools can help you
> see if it is your code. Finally while no one claims the Windows kernel is
> infallible, in the 15 years of driver development I have been doing, I have
> never seen this bug check where it was not the driver writer's fault.
>
>



VOID VDUM_DeviceThread(IN PVOID Context)
{
PDEVICE_OBJECT device_object;
LARGE_INTEGER time_out;
PLIST_ENTRY request;
NTSTATUS status;
PIO_STACK_LOCATION io_stack;
PIRP irp;
ULONG len,lxx;
LONGLONG xl;
BOOLEAN ok=FALSE;
PUCHAR buffer;
PUCHAR system_buffer;
TCP cp;
int nc=0;
PPARAMVD pvd=(PPARAMVD)Context;
device_object=pvd->DeviceObject;
time_out.QuadPart = -1000000;
KeSetPriorityThread(KeGetCurrentThread(), LOW_REALTIME_PRIORITY);
pvd->thread=KeGetCurrentThread();
while (device_object->Flags & DO_DEVICE_INITIALIZING)
{
LARGE_INTEGER wait_time;

KdPrintf(("[VDUM] [Thread] Driver still initializing, waiting 100 ms...\n"));

wait_time.QuadPart = -1000000;
KeDelayExecutionThread(KernelMode, FALSE, &wait_time);
}
for (;;)
{


HANDLE hprocessID=NULL;
PENTRYL entryl;
KIRQL oldirql;
nc++;
KdPrintferror(("[VDUM] [Thread] ExInterlockedRemoveHeadList %d stackiodisk %x\n",nc,pvd->stackiodisk));
request=NULL;
request = ExInterlockedRemoveHeadList(&pvd->list_head,&pvd->list_lock);

/*MUTEX_P(pvd->lockijt,&oldirql);
hhp=ExInterlockedRemoveHeadList(&pvd->list_head,&pvd->list_lock);

if (hhp!=NULL)
{
request = ExInterlockedRemoveHeadList(&pvd->list_head,&pvd->list_lock);
}
MUTEX_V(pvd->lockijt,oldirql);*/




if (request == NULL)
{
if (!pvd->terminate_thread)
{

KdPrintferror(("[VDUM] [Thread]KeWaitForSingleObject %d \n",nc));

KeWaitForSingleObject(&pvd->request_event,
Executive, KernelMode, FALSE, NULL);
continue;
}
else
{
KdPrintferror(("[VDUM] [Thread]Signal end Thread\n"));
PsTerminateSystemThread(STATUS_SUCCESS);
}
/*if (device_object->ReferenceCount != 0)
{
KdPrintferror(("[VDUM] [Thread] Device %i has %i references. Waiting.\n",
pvd->index,
device_object->ReferenceCount));

KeDelayExecutionThread(KernelMode, FALSE, &time_out);

time_out.LowPart <<= 4;
continue;
}*/

}
pvd->stackiodisk--;
entryl=CONTAINING_RECORD(request,TENTRYL,le);
irp=entryl->irp;
hprocessID=entryl->processID;
ExFreePool(entryl);
KdPrintferror(("ProcessID (%x) (%x)\n",hprocessID,PsGetCurrentProcessId()));
//irp = CONTAINING_RECORD(request, IRP, Tail.Overlay.ListEntry);
KdPrintferror(("[VDUM] Thread Irp %x\n",irp));
io_stack = IoGetCurrentIrpStackLocation(irp);
if (pvd->IsUnLoad)
{
status=STATUS_SUCCESS;
// irp->IoStatus.Information = 0;
goto jrunload;

}
status=STATUS_NOT_IMPLEMENTED;
switch (io_stack->MajorFunction)
{
case IRP_MJ_WRITE:
ok=TRUE;
KdPrintferror(("[VDUM] [Thread] Begin IRP_MJ_WRITE id:%x Length %d Status %x\n",pvd->cc,irp->IoStatus.Information,status));
len=0;
lxx=0;
xl=0;
buffer=NULL;
system_buffer =
(PUCHAR) MmGetSystemAddressForMdlSafe(irp->MdlAddress,
NormalPagePriority);


if (system_buffer == NULL)
{
status=irp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
irp->IoStatus.Information = 0;
KdPrintferror(("[VDUM] system_buffer error\n"));
break;
}
buffer = (PUCHAR)ExAllocatePool(NonPagedPool,
io_stack->Parameters.Write.Length);
if (buffer == NULL)
{
status=irp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
irp->IoStatus.Information = 0;
KdPrintferror(("[VDUM] buffer error\n"));
break;
}



len=io_stack->Parameters.Write.Length;


//xl=io_stack->Parameters.Read.ByteOffset.LowPart+(io_stack->Parameters.Read.ByteOffset.HighPart<<32);

irp->IoStatus.Information = io_stack->Parameters.Write.Length;

/*RtlCopyMemory(system_buffer,buffer,
io_stack->Parameters.Read.Length);*/


lxx=len;

cp._length=len;
cp.pvd=pvd;
cp.commande=VDUMS_CMDWRITE;



cp.offsethigh=io_stack->Parameters.Write.ByteOffset.HighPart;
cp.offsetlow=io_stack->Parameters.Write.ByteOffset.LowPart;
cp.hprocessID=hprocessID;


cp.buffer=buffer;


RtlCopyMemory(buffer,system_buffer ,io_stack->Parameters.Write.Length);
status=COM_PIPE(&cp);
if (status==STATUS_SUCCESS)
{
irp->IoStatus.Information=0;
irp->IoStatus.Information=io_stack->Parameters.Write.Length;
}
if (status!=STATUS_SUCCESS)
irp->IoStatus.Information=0;
irp->IoStatus.Status = status;

KdPrintferror(("[VDUM] [Thread] IRP_MJ_WRITE id %x Length %d Status %x\n",pvd->cc,irp->IoStatus.Information,status));
if (status!=STATUS_SUCCESS)
{
KdPrintferror(("[VDUM] [VRWRITE] Error Write status %x\n",status));
}

ExFreePool(buffer);
#if NBG1
KeSetEvent(&pvd->eventIOP,(KPRIORITY)0,FALSE);
#endif
break;
...........
............
KdPrintf(("[VDUM] [Thread]IoCompleteRequest %d \n",nc));
irp->IoStatus.Status=status;
IoCompleteRequest(irp,
NT_SUCCESS(irp->IoStatus.Status) ?
IO_DISK_INCREMENT : IO_NO_INCREMENT);
KdPrintf(("[VDUM] [Thread]End IoCompleteRequest %d status %x\n",nc,status));
................
...............

void IjThread(PPARAMVD pvd,IN PIRP irp,NTSTATUS* status)
{
PENTRYL entryl;
HANDLE hp;

KIRQL oldirql;
hp=PsGetCurrentProcessId();

KdPrintferror(("Begin IjThread (%x)\n",hp));
irp->IoStatus.Status=STATUS_PENDING;
// MUTEX_P(pvd->lockijt,&oldirql);
IoMarkIrpPending(irp);





entryl=(PENTRYL)ExAllocatePool(NonPagedPool,sizeof (TENTRYL));
if (entryl!=NULL)
{
entryl->irp=irp;
entryl->processID=hp;
pvd->stackiodisk++;

ExInterlockedInsertTailList(&pvd->list_head,
&entryl->le,
&pvd->list_lock);

/* ExInterlockedInsertTailList(&pvd->list_head,
&irp->Tail.Overlay.ListEntry,
&pvd->list_lock);*/


}
else
KdPrintferror(("Error allocation entryl\n",NULL));
*status= STATUS_PENDING;
//irp->IoStatus.Status=STATUS_PENDING;
KeSetEvent(&pvd->request_event, (KPRIORITY) 0, FALSE);
KdPrintferror(("End IjThread (%x) stack:%x \n",hp,pvd->stackiodisk));



//MUTEX_V(pvd->lockijt,oldirql);
}



NTSTATUS vdums_vdisk_control(IN PDEVICE_OBJECT DeviceObject, IN PIRP irp)
{
HANDLE hpid;
LONGLONG limit;
NTSTATUS status;
PIO_STACK_LOCATION irps;
BOOLEAN ok=FALSE;
PEPROCESS pep;
char *nameptr;
HANDLE h;
PUCHAR pImageFileName;
PPARAMVD pvd=(PPARAMVD)DeviceObject->DeviceExtension;
pvd->rfdisk++;
irps = IoGetCurrentIrpStackLocation(irp);
status=STATUS_SUCCESS;
irp->IoStatus.Information=0;
irp->IoStatus.Status=status;

............
............
switch (irps->MajorFunction)
{
case IRP_MJ_WRITE:
pvd->cc++;
pushthread=TRUE;
KdPrintferror(("[VDUM] Write id%x)on device %i Offset %p%p Length %p.\n",pvd->cc,pvd->index,irps->Parameters.Read.ByteOffset.HighPart,irps->Parameters.Read.ByteOffset.LowPart,irps->Parameters.Read.Length));
ok=TRUE;
if (pvd->read_only==TRUE)
{
irp->IoStatus.Information = 0;
irp->IoStatus.Status=STATUS_MEDIA_WRITE_PROTECTED;
status= irp->IoStatus.Status;
pushthread=FALSE;
}
else
{

limit=pvd->sizeko;
limit=limit<<10;
if ((irps->Parameters.Write.ByteOffset.QuadPart +
irps->Parameters.Write.Length) >
(limit))
{
KdPrintf(("[VDUM] Write beyond eof on device %i.\n",
pvd->index));

irp->IoStatus.Status = STATUS_SUCCESS;
irp->IoStatus.Information = 0;


status= STATUS_SUCCESS;
pushthread=FALSE;
}
if (irps->Parameters.Write.Length == 0)
{
KdPrintf(("[VDUM] Read/write zero bytes on device %i.\n",
pvd->index));

irp->IoStatus.Status = STATUS_SUCCESS;
irp->IoStatus.Information = 0;


status= STATUS_SUCCESS;
}

/*if (pushthread)
xIjThread(pvd,irp,&status);*/
if (pushthread)
status=STATUS_PENDING;
}
irp->IoStatus.Status = status;
break;
..........
..........
..........

irp->IoStatus.Status = status;
return status;

}


NTSTATUS DeviceDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP irp)
{
//PIO_STACK_LOCATION irps;
BOOLEAN isdisk=FALSE;
HANDLE hpid;
HANDLE htid;
NTSTATUS status=STATUS_NOT_IMPLEMENTED;
nstack++;
hpid=PsGetCurrentProcessId();
htid=PsGetCurrentThreadId();
KdPrintf(("[VDUM] Begin DeviceDispatch nstack %x Process id:%x Thread id:%x\n",nstack,hpid,htid));
// sanity check

if (irp == NULL) {
KdPrintf(("[VDUM] DeviceDispatch: !irp\n"));
return STATUS_SUCCESS;
}
irp->IoStatus.Information = 0;
if (DeviceObject==g_devcontrol)
{
....
....
}
else
{
if (vdums_validdevice(DeviceObject))
{
KdPrintf(("[VDUM] DeviceDispatch vdisk control\n"));
//if (nstack<16)


status=vdums_vdisk_control(DeviceObject,irp);
isdisk=TRUE;


}
else
{

irp->IoStatus.Information=0;
}
}


KdPrintf(("[VDUM] End DeviceDispatch stack %x status %x true status %x \n",nstack,status,irp->IoStatus.Status));
if (status!=irp->IoStatus.Status)
{
KdPrintf(("Probléme status %x true status %x\n",status,irp->IoStatus.Status));
}
nstack--;
irp->IoStatus.Status = status;
if (status!=STATUS_PENDING)
{
KdPrintf(("[VDUM] End Iocompleterequest %x status %x\n",nstack,status,irp->IoStatus.Status));
if (isdisk==TRUE)
{
if (status==STATUS_SUCCESS)
IoCompleteRequest(irp, IO_DISK_INCREMENT);
else
IoCompleteRequest(irp, IO_NO_INCREMENT);
}
else
IoCompleteRequest(irp, IO_NO_INCREMENT);



}
else
{
if (isdisk==FALSE)
{
status=irp->IoStatus.Status=STATUS_INTERNAL_ERROR;
irp->IoStatus.Information=0;
IoCompleteRequest(irp, IO_NO_INCREMENT);
KdPrintf(("[VDUM] DeviceDispatch Internal Error\n"));

}
else
{
PPARAMVD vd=(PPARAMVD)DeviceObject->DeviceExtension;
IjThread(vd,irp,&status);
return irp->IoStatus.Status;

}
}
return status;
}
 
 
Mathieu
Guest
Posts: n/a

 
      11-30-2009
Don Burn wrote:
> You have not provided enough data for anyone to know if it is your driver or
> the kernel. Have you run this with Driver Verifier on Windows 7? Have you
> run SDV on this with the Windows 7 WDK? Both of these tools can help you
> see if it is your code. Finally while no one claims the Windows kernel is
> infallible, in the 15 years of driver development I have been doing, I have
> never seen this bug check where it was not the driver writer's fault.
>
>



How can I run SDV???
 
 
Don Burn
Guest
Posts: n/a

 
      11-30-2009
See http://msdn.microsoft.com/en-gb/library/aa469108.aspx


--
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply



 
Kalle Olavi Niemitalo
Guest
Posts: n/a

 
      12-01-2009
Mathieu <> writes:

> IjThread(vd,irp,&status);
> return irp->IoStatus.Status;


That code in DeviceDispatch looks like a bug.
IjThread assigns irp->IoStatus.Status = STATUS_PENDING, calls
IoMarkIrpPending, inserts the IRP to a queue, assigns *status =
STATUS_PENDING, and sets an event to wake up VDUM_DeviceThread.
It seems possible that VDUM_DeviceThread already changes
irp->IoStatus.Status and completes the IRP before IjThread
returns. Then, DeviceDispatch reads irp->IoStatus.Status, which
is no longer STATUS_PENDING, and returns that. The incorrect
return value might cause the caller to complete the IRP twice,
although I'm too tired to figure out exactly how and why the
caller would be written to make it susceptible to this bug.
 
Reply With Quote
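The ordering problem described in the last reply, as an added example that is not part of the thread and not the poster's driver code. It is a user-mode C model, not WDK code: MODEL_IRP and every function name are hypothetical stand-ins for the IRP, IjThread, VDUM_DeviceThread and DeviceDispatch, and the worker "running first" is simulated by a flag. It checks only the dispatch-side rules (an IRP marked pending must return STATUS_PENDING, and the IRP must not be touched once it may have been completed); it does not model how the caller reacts to the wrong return value.

```c
#include <stdio.h>

/* User-mode model of the dispatch/worker race; constructed, not WDK code. */
#define STATUS_SUCCESS 0x00000000L
#define STATUS_PENDING 0x00000103L

typedef struct {
    long status;          /* models irp->IoStatus.Status */
    int  marked_pending;  /* set by the IoMarkIrpPending stand-in */
    int  completions;     /* how often the IoCompleteRequest stand-in ran */
    int  late_accesses;   /* dispatch touched the IRP after completion */
} MODEL_IRP;

typedef long (*DISPATCH_FN)(MODEL_IRP *irp, int worker_runs_first);

/* Stand-in for VDUM_DeviceThread finishing one queued request. */
static void worker_complete(MODEL_IRP *irp) {
    irp->status = STATUS_SUCCESS;
    irp->completions++;
}

/* Stand-in for IjThread: mark pending, queue, signal the worker.
 * worker_runs_first models the worker being scheduled before IjThread returns. */
static void queue_request(MODEL_IRP *irp, int worker_runs_first) {
    irp->status = STATUS_PENDING;
    irp->marked_pending = 1;
    if (worker_runs_first)
        worker_complete(irp);
}

/* Pattern quoted in the thread: return irp->IoStatus.Status after queueing. */
static long dispatch_as_posted(MODEL_IRP *irp, int worker_runs_first) {
    queue_request(irp, worker_runs_first);
    if (irp->completions > 0)
        irp->late_accesses++;       /* the IRP no longer belongs to us */
    return irp->status;
}

/* Corrected pattern: after queueing, return the constant, never touch the IRP. */
static long dispatch_fixed(MODEL_IRP *irp, int worker_runs_first) {
    queue_request(irp, worker_runs_first);
    return STATUS_PENDING;
}

/* Counts broken rules: wrong return for a pending IRP, access after completion. */
static int rule_violations(DISPATCH_FN dispatch, int worker_runs_first) {
    MODEL_IRP irp = {0, 0, 0, 0};
    long returned = dispatch(&irp, worker_runs_first);
    int violations = 0;
    if (irp.marked_pending && returned != STATUS_PENDING)
        violations++;
    violations += irp.late_accesses;
    return violations;
}

int main(void) {
    printf("as posted, worker late : %d\n", rule_violations(dispatch_as_posted, 0));
    printf("as posted, worker first: %d\n", rule_violations(dispatch_as_posted, 1));
    printf("fixed,     worker first: %d\n", rule_violations(dispatch_fixed, 1));
    return 0;
}
```

In the model the posted pattern is clean whenever the worker runs after the dispatch routine returns, so the fault appears only under particular scheduling.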
 
 
 