KMDF filter driver for HID device fails to send I/O to underlying mouclass driver?

  • Question

  • Dear Sir:

    I used a mouse filter driver to send a feature report to the underlying mouclass driver,
    but it crashes when running WdfIoTargetSendIoctlSynchronously with IOCTL_HID_SET_FEATURE
    (I hope to do the same thing that HidD_SetFeature does in user mode).

    I also tried running WdfIoTargetSendIoctlSynchronously with IOCTL_HID_GET_COLLECTION_DESCRIPTOR,
    and it works well.

    It shows the status ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx.
    I don't know what happened or what the cause is.
    (I use WdfCoInstaller01009.dll and the platform is WinXP.)

    Please help me solve this issue.

    Thank you!

    BR,
    Alan

    //--------------------------------------------------------------------------------------------------------------------//
    //------------------------ Refer https://support.microsoft.com/en-us/kb/2022615 -----------------------------//

    // Locals (declarations were omitted from the posted snippet)
    NTSTATUS status;
    WDFIOTARGET hidTarget;
    WDF_IO_TARGET_OPEN_PARAMS openParams;
    WDF_MEMORY_DESCRIPTOR inputDescriptor;
    PCHAR report = NULL;
    ULONG ReportSize;

    // Remote I/O target for the device object directly below this filter
    status = WdfIoTargetCreate(hDevice, WDF_NO_OBJECT_ATTRIBUTES, &hidTarget);
    if (!NT_SUCCESS(status)) {
        goto ExitAndFree;
    }

    WDF_IO_TARGET_OPEN_PARAMS_INIT_EXISTING_DEVICE(&openParams, WdfDeviceWdmGetAttachedDevice(hDevice));
    openParams.ShareAccess = FILE_SHARE_WRITE | FILE_SHARE_READ;
    status = WdfIoTargetOpen(hidTarget, &openParams);
    if (!NT_SUCCESS(status)) {
        goto ExitAndFree;
    }

    ReportSize = MAX_FEATURE_BUFFER_SIZE; // 6 bytes
    report = (PCHAR)ExAllocatePoolWithTag(NonPagedPool, ReportSize, POOL_TAG);
    if (report == NULL) {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto ExitAndFree;
    }
    RtlZeroMemory(report, sizeof(CHAR) * ReportSize);
    status = STATUS_SUCCESS;

    // Only copy feature data, like the ReportBuffer parameter of HidD_SetFeature
    RtlCopyMemory(report, byFeatureData, sizeof(byFeatureData));

    WDF_MEMORY_DESCRIPTOR_INIT_BUFFER(&inputDescriptor, report, sizeof(CHAR) * ReportSize);

    // Request parameter is NULL, so the framework uses its own internal request
    status = WdfIoTargetSendIoctlSynchronously(hidTarget,
                                               NULL,
                                               IOCTL_HID_SET_FEATURE /* IOCTL_HID_SET_OUTPUT_REPORT */,
                                               &inputDescriptor,
                                               NULL,
                                               NULL,
                                               NULL);
    if (!NT_SUCCESS(status)) {
        KdPrint(("WdfIoTargetSendIoctlSynchronously failed 0x%x\n", status));
        goto ExitAndFree;
    }

ExitAndFree:
    if (report != NULL) {
        ExFreePoolWithTag(report, POOL_TAG);
    }
    //--------------------------------------------------------------------------------------------------------------------//

     

    • Edited by alan.emc Friday, December 18, 2015 8:19 AM
    Friday, December 18, 2015 7:42 AM

Answers

  • HIDClass requires that there be a file object.  If you disassemble the code, you'll see that it has fetched the IO_STACK_LOCATION from the IRP, and then fetched the FILE_OBJECT from there, and here it is attempting to fetch the FsContext value out of the FILE_OBJECT.  Since you didn't provide a FILE_OBJECT, it tries to dereference a null pointer and crashes.

    It may be easier to write a lower filter and send the USB command directly, rather than try to talk to HIDClass.  If you do need to talk to HIDClass, you'll have to wait until the system opens a file handle.


    Tim Roberts, Driver MVP Providenza & Boekelheide, Inc.

    Friday, December 18, 2015 11:10 PM
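The null-pointer read described in this answer can be checked against the WinDbg output Alan posted in the replies below. The following is an added example and is not code from the thread: it parses the READ_ADDRESS and EXCEPTION_PARAMETER1 lines of that dump, decodes the displacement of the faulting instruction (mov eax,dword ptr [eax+0Ch]), and maps a NULL-plus-offset read onto a hand-written mirror of the first fields of the 32-bit FILE_OBJECT, where FsContext sits at offset 0x0C. The structure mirror, the NULL_PAGE_LIMIT threshold and the function names are assumptions of this example; the dump lines are copied from the post as constructed input.

```c
/*
 * Added example, not code from the original thread. It re-derives the
 * diagnosis above from the posted WinDbg dump: a read fault at 0x0000000c
 * inside HIDCLASS!HidpGetSetReport is a NULL FILE_OBJECT pointer plus the
 * offset of its FsContext field. The FILE_OBJECT mirror below is a
 * hand-written copy of the leading fields of the x86 layout, using
 * fixed-width integers so the offsets are the same on a 64-bit host; it is
 * an assumption of this example, not a WDK header.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Leading fields of the 32-bit FILE_OBJECT (assumed layout, pointers as 32-bit). */
struct x86_file_object {
    uint16_t Type;
    uint16_t Size;
    uint32_t DeviceObject;        /* PDEVICE_OBJECT */
    uint32_t Vpb;                 /* PVPB */
    uint32_t FsContext;           /* PVOID: HIDCLASS keeps its per-open state here */
    uint32_t FsContext2;          /* PVOID */
    uint32_t SectionObjectPointer;
    uint32_t PrivateCacheMap;
    int32_t  FinalStatus;         /* NTSTATUS */
    uint32_t RelatedFileObject;
};

struct field_desc { const char *name; uint32_t offset; };

static const struct field_desc k_file_object_fields[] = {
    { "Type",                 offsetof(struct x86_file_object, Type) },
    { "Size",                 offsetof(struct x86_file_object, Size) },
    { "DeviceObject",         offsetof(struct x86_file_object, DeviceObject) },
    { "Vpb",                  offsetof(struct x86_file_object, Vpb) },
    { "FsContext",            offsetof(struct x86_file_object, FsContext) },
    { "FsContext2",           offsetof(struct x86_file_object, FsContext2) },
    { "SectionObjectPointer", offsetof(struct x86_file_object, SectionObjectPointer) },
    { "PrivateCacheMap",      offsetof(struct x86_file_object, PrivateCacheMap) },
    { "FinalStatus",          offsetof(struct x86_file_object, FinalStatus) },
    { "RelatedFileObject",    offsetof(struct x86_file_object, RelatedFileObject) },
};

/* Reads below this address are treated as "NULL struct pointer + field offset" (assumed threshold). */
#define NULL_PAGE_LIMIT 0x10000u

/* Lines copied from the dump posted in this thread (constructed input for the example). */
static const char k_dump[] =
    "EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx\n"
    "FAULTING_IP:\n"
    "HIDCLASS!HidpGetSetReport+24\n"
    "ba749b64 8b400c          mov     eax,dword ptr [eax+0Ch]\n"
    "EXCEPTION_PARAMETER1:  00000000\n"
    "EXCEPTION_PARAMETER2:  0000000c\n"
    "READ_ADDRESS:  0000000c\n";

/* Find "KEY:" in the dump text and parse the hex value after it. Returns 1 on success. */
int parse_hex_field(const char *dump, const char *key, uint32_t *out)
{
    const char *p = strstr(dump, key);
    unsigned int value;
    if (!p || sscanf(p + strlen(key), "%x", &value) != 1) return 0;
    *out = value;
    return 1;
}

/* Decode an x86 "8B /r" (mov r32, [base+disp8]) with mod=01 and no SIB byte.
 * Writes the signed 8-bit displacement; returns 1 if the bytes have that shape. */
int decode_mov_load_disp8(const uint8_t *code, size_t len, int *disp)
{
    if (len < 3 || code[0] != 0x8B) return 0;
    uint8_t mod = code[1] >> 6, rm = code[1] & 7;
    if (mod != 1 || rm == 4) return 0;   /* rm == 4 would mean a SIB byte follows */
    *disp = (int8_t)code[2];
    return 1;
}

/* Name the FILE_OBJECT field at a NULL-plus-offset read address, or NULL if it is not one. */
const char *file_object_field_at(uint32_t read_addr)
{
    if (read_addr >= NULL_PAGE_LIMIT) return NULL;
    for (size_t i = 0; i < sizeof k_file_object_fields / sizeof k_file_object_fields[0]; i++)
        if (k_file_object_fields[i].offset == read_addr) return k_file_object_fields[i].name;
    return NULL;
}

/* Full triage: a read fault whose address equals the instruction's displacement means
 * the base register held zero, i.e. a NULL pointer. Returns the field name when the
 * dump matches that pattern, NULL otherwise. */
const char *triage_null_deref(const char *dump, const uint8_t *code, size_t len)
{
    uint32_t param1, read_addr;
    int disp;
    if (!parse_hex_field(dump, "EXCEPTION_PARAMETER1:", &param1) || param1 != 0) return NULL; /* 0 = read */
    if (!parse_hex_field(dump, "READ_ADDRESS:", &read_addr)) return NULL;
    if (!decode_mov_load_disp8(code, len, &disp) || disp < 0) return NULL;
    if ((uint32_t)disp != read_addr) return NULL;   /* base register was not NULL */
    return file_object_field_at(read_addr);
}

int main(void)
{
    static const uint8_t faulting_bytes[] = { 0x8B, 0x40, 0x0C };   /* bytes from the FAULTING_IP line */
    const char *field = triage_null_deref(k_dump, faulting_bytes, sizeof faulting_bytes);
    printf("%s\n", field ? field : "not a NULL FILE_OBJECT field read");
    return 0;
}
```

Compile with any C compiler and run; it prints FsContext. The same reasoning generalizes to other small read addresses: when the faulting address equals the instruction's displacement, the base register was zero, which is what a filter gets when the IRP it hands to HIDCLASS carries no file object.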

All replies

  • Below is detailed information for Error(WinDbg dump)


    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

    FAULTING_IP:
    HIDCLASS!HidpGetSetReport+24
    ba749b64 8b400c          mov     eax,dword ptr [eax+0Ch]

    EXCEPTION_PARAMETER1:  00000000

    EXCEPTION_PARAMETER2:  0000000c

    READ_ADDRESS:  0000000c

    FOLLOWUP_IP:
    HIDCLASS!HidpGetSetReport+24
    ba749b64 8b400c          mov     eax,dword ptr [eax+0Ch]

    BUGCHECK_STR:  0x7E

    DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

    STACK_TEXT: 
    f78d2314 ba749580 8906c9d0 891aa008 000b0195 HIDCLASS!HidpGetSetReport+0x24
    f78d2378 ba749957 8906c9d0 891aa008 f78d23a4 HIDCLASS!HidpIrpMajorDeviceControl+0x210
    f78d2388 ba0a1a8a 8906c918 891aa008 891aa008 HIDCLASS!HidpMajorHandler+0x55
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f78d23a4 f761897d 8906c918 892c3e80 88f0fed8 USBlyzer+0x1a8a
    f78d23e0 804e47f7 00000000 891aa008 f78d2450 bhound7+0x197d
    f78d23f0 b6bd149c b6c1e934 891909f8 f78d2580 nt!IopfCallDriver+0x31
    f78d2434 b6bce9d8 018d2450 00000000 00000000 wdf01000!FxIoTarget::SubmitSync+0x198
    f78d2580 b6bcea56 891909f8 770f3710 00000000 wdf01000!FxIoTargetSendIoctl+0x28b
    f78d25ac f7808a7e 89190ac0 770f3710 00000000 wdf01000!imp_WdfIoTargetSendIoctlSynchronously+0x2a
    f78d25d4 f780aeab 770f3710 00000000 000b0195 eTouchfiltr!WdfIoTargetSendIoctlSynchronously+0x2e
    [c:\winddk\7600.16385.1\inc\wdf\kmdf\1.9\wdfiotarget.h @ 947]
    f78d26c0 f780a303 7706b208 00000001 00000000 eTouchfiltr!eTouchFilter_SetFeature+0x30b
    f78d26d8 b6c10f6a 7706b208 00000005 b6c23294 eTouchfiltr!eTouchFilter_EvtDeviceD0Entry+0xf3
    f78d26f0 b6c10d81 88f0e918 88f0ea24 88f0e918 wdf01000!FxPkgPnp::PowerD0Starting+0x24
    f78d2778 b6c11bb2 00000316 88f0ea24 88f0e918 wdf01000!FxPkgPnp::PowerEnterNewState+0x11c
    f78d279c b6c125bb f78d27b4 00000008 88f0e918 wdf01000!FxPkgPnp::PowerProcessEventInner+0x171
    f78d27c0 b6c1b6e5 00000000 f78d27f4 b6c1b67c wdf01000!FxPkgPnp::PowerProcessEvent+0x15c
    f78d27cc b6c1b67c 88f0e918 88f0ea94 88f0e918 wdf01000!FxPkgPnp::NotPowerPolOwnerStarting+0xf
    f78d27f4 b6c187f5 00000501 88f0ea94 88f0e918 wdf01000!FxPkgPnp::NotPowerPolicyOwnerEnterNewState+0x105
    f78d2818 b6c19388 00000001 00000008 88f0e918 wdf01000!FxPkgPnp::PowerPolicyProcessEventInner+0x264
    f78d283c b6c165a8 00000000 00000000 00000008 wdf01000!FxPkgPnp::PowerPolicyProcessEvent+0x172
    f78d2858 b6c15484 88f0e918 88f0e9c0 88f0e918 wdf01000!FxPkgPnp::PnpEventHardwareAvailable+0x90
    f78d2880 b6c15db2 00000108 88f0e9c0 88f0e918 wdf01000!FxPkgPnp::PnpEnterNewState+0x104
    f78d28a4 b6c1647a f78d28bc 891909f8 88f0e918 wdf01000!FxPkgPnp::PnpProcessEventInner+0x149
    f78d28c8 b6c0f40b 00000002 00000000 f78d28f8 wdf01000!FxPkgPnp::PnpProcessEvent+0x13e
    f78d28d8 b6c0ee02 88f0e918 f78d2900 88ef7008 wdf01000!FxPkgPnp::_PnpStartDevice+0x1e
    f78d28f8 b6beba3f 88ef7008 f78d2920 b6bebc63 wdf01000!FxPkgPnp::Dispatch+0x207
    f78d2904 b6bebc63 88f94ce0 88ef7008 88ef7198 wdf01000!FxDevice::Dispatch+0x7f
    f78d2920 804e47f7 88f94ce0 88ef7008 00000000 wdf01000!FxDevice::DispatchWithLock+0x7b
    f78d2930 f777953f 88ef7008 88f2bf00 89042d01 nt!IopfCallDriver+0x31
    f78d2950 f777876b 88f94ce0 88ef7008 00000001 mouclass!MouseSendIrpSynchronously+0x59
    f78d29bc f761897d 88f2be48 88ef7008 891cf008 mouclass!MousePnP+0x229
    f78d29f4 f76192a4 88f2be48 88ef7008 88ef71bc bhound7+0x197d
    f78d2a10 f76189ca 88f2be48 88ef7000 88ef71bc bhound7+0x22a4
    f78d2a28 804e47f7 88f2be48 88ef7008 f78d2aa4 bhound7+0x19ca
    f78d2a38 8059ce17 f78d2aa4 8906c918 00000000 nt!IopfCallDriver+0x31
    f78d2a64 805b5ed7 88f2be48 f78d2a80 00000000 nt!IopSynchronousCall+0xb7
    f78d2aa8 8050a638 8906c918 89004308 00000001 nt!IopStartDevice+0x4d
    f78d2ac4 805b5d73 8906c918 8906c901 89004308 nt!PipProcessStartPhase1+0x4e
    f78d2d1c 8061cc0b 89202d30 00000001 00000000 nt!PipProcessDevNodeTree+0x1db
    f78d2d4c 8050731f 00000003 8055a2c0 805632fc nt!PiRestartDevice+0x80
    f78d2d74 804e526b 00000000 00000000 898f28b8 nt!PipDeviceActionWorker+0x15e
    f78d2dac 8057beff 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
    f78d2ddc 804f98ea 804e5196 00000001 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  HIDCLASS!HidpGetSetReport+24

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: HIDCLASS

    IMAGE_NAME:  HIDCLASS.SYS

    Friday, December 18, 2015 7:43 AM
  • Dear Roberts:

    Thank you for your information.

    Now I would like to send a feature command to the underlying mouclass driver
    to enable some features of my device when running in EvtDeviceD0Entry.

    At first, I thought of getting the FILE_OBJECT in EvtDeviceFileCreate, but that seems incorrect,
    because the app hasn't opened it.

    Then I got the FILE_OBJECT at IOCTL_INTERNAL_MOUSE_CONNECT in EvtIoInternalDeviceControl,
    but it is an empty pointer.

    How do I get a FILE_OBJECT so that WdfIoTargetSendIoctlSynchronously works in my mouse filter driver?

    Could you give me some sample code?

    Thank you.

    BR,
    Alan

     

    • Edited by alan.emc Monday, December 21, 2015 8:51 AM
    Monday, December 21, 2015 2:14 AM
  • If I create a new request in my SendFeature function, set TargetFileObject to the FileObject of the new request, and set the Request parameter of WdfIoTargetSendIoctlSynchronously to the new request (like the snippet below),

    is it correct?

    //---------------------------------------------------------------------------------------------------------------//

    // Locals (declarations were omitted from the posted snippet)
    NTSTATUS status;
    WDFIOTARGET hidTarget;
    WDFREQUEST newRequest;
    WDF_OBJECT_ATTRIBUTES attributes;
    WDF_IO_TARGET_OPEN_PARAMS openParams;
    WDF_MEMORY_DESCRIPTOR inputDescriptor;
    PCHAR report = NULL;
    ULONG ReportSize;

    status = WdfIoTargetCreate(hDevice, WDF_NO_OBJECT_ATTRIBUTES, &hidTarget);

    // Request created up front and parented to the target
    WDF_OBJECT_ATTRIBUTES_INIT(&attributes);
    attributes.ParentObject = hidTarget;
    status = WdfRequestCreate(&attributes, hidTarget, &newRequest);

    WDF_IO_TARGET_OPEN_PARAMS_INIT_EXISTING_DEVICE(&openParams, WdfDeviceWdmGetAttachedDevice(hDevice));
    openParams.ShareAccess = FILE_SHARE_WRITE | FILE_SHARE_READ;
    // TargetFileObject taken from the new request's current IRP stack location
    openParams.TargetFileObject = IoGetCurrentIrpStackLocation(WdfRequestWdmGetIrp(newRequest))->FileObject;
    status = WdfIoTargetOpen(hidTarget, &openParams);

    ReportSize = MAX_FEATURE_BUFFER_SIZE; // 8 bytes
    report = (PCHAR)ExAllocatePoolWithTag(NonPagedPool, ReportSize, POOL_TAG);
    if (report == NULL) {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto ExitAndFree;
    }
    RtlZeroMemory(report, sizeof(CHAR) * ReportSize);
    status = STATUS_SUCCESS;

    // Only copy feature data, like the ReportBuffer parameter of HidD_SetFeature
    RtlCopyMemory(report, byFeatureData, sizeof(byFeatureData));

    WDF_MEMORY_DESCRIPTOR_INIT_BUFFER(&inputDescriptor, report, sizeof(CHAR) * ReportSize);

    // The pre-created request is passed instead of NULL
    status = WdfIoTargetSendIoctlSynchronously(hidTarget,
                                               newRequest /* NULL */,
                                               IOCTL_HID_SET_FEATURE /* IOCTL_HID_SET_OUTPUT_REPORT */,
                                               &inputDescriptor,
                                               NULL,
                                               NULL,
                                               NULL);

ExitAndFree:
    if (report != NULL) {
        ExFreePoolWithTag(report, POOL_TAG);
    }
    //---------------------------------------------------------------------------------------------------------------//

     

    • Edited by alan.emc Monday, December 21, 2015 9:18 AM
    Monday, December 21, 2015 9:15 AM