filter driver handle power IRP

  • Question

  • Hi,

    I have a device upper and lower filter driver.

    Here is the code that handles the power IRP:

    NTSTATUS
    FilterDispatchPower(
        PDEVICE_OBJECT    DeviceObject,
        PIRP              Irp
        )
    {
        PDEVICE_EXTENSION       deviceExtension;
        NTSTATUS                status;
        PIO_STACK_LOCATION      irpStack;
        
        deviceExtension = (PDEVICE_EXTENSION) DeviceObject->DeviceExtension;
        status = IoAcquireRemoveLock (&deviceExtension->RemoveLock, Irp);
        
        if (!NT_SUCCESS (status)) { // may be device is being removed.
            Irp->IoStatus.Status = status;
            PoStartNextPowerIrp(Irp);
            IoCompleteRequest (Irp, IO_NO_INCREMENT);
            return status;
        }
    
        irpStack = IoGetCurrentIrpStackLocation(Irp);
    
        DebugPrint(("FilterDO %s IRP:0x%p \n",
                    PowerMinorFunctionString(irpStack->MinorFunction), Irp));
        
        IoCopyCurrentIrpStackLocationToNext(Irp);
    
        PoStartNextPowerIrp(Irp);
        IoSkipCurrentIrpStackLocation(Irp);
        status = PoCallDriver(deviceExtension->NextLowerDriver, Irp);
        IoReleaseRemoveLock(&deviceExtension->RemoveLock, Irp); 
        return status;
    }

    Why does it cause a BSOD after I comment out "IoCopyCurrentIrpStackLocationToNext" and wake up from the sleep state?

    I don't really understand the relations between "IoGetCurrentIrpStackLocation", "IoCopyCurrentIrpStackLocationToNext" and "IoSkipCurrentIrpStackLocation".
    • Edited by _Wayne56 Thursday, August 9, 2018 3:26 AM
    Thursday, August 9, 2018 3:23 AM

Answers

  • There is an I/O stack location for each device object in the DevStack. The I/O stack location contains the "command" (IRP_MJ_xxx) and parameters (input and output buffers) that tell the driver what to do. Your driver is responsible for filling in the I/O stack location in the IRP for the driver beneath your driver in the DevStack. If you don't fill it in, then there will be garbage in it and it will likely cause the system to crash (the system does very little parameter checking in kernel mode; everything is assumed to be 100% correct). If your driver is just passing a request (IRP) down the DevStack, you are still responsible for filling in the I/O stack location. IoCopyCurrentIrpStackLocationToNext does as you would expect, namely copying the current IRP stack location (filled in by the driver above you in the DevStack) to the stack location for the driver beneath you. This is used when you are just passing an IRP down the stack without changing the command or parameters.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Thursday, August 9, 2018 3:57 AM
    Moderator

All replies

  • very clear
    thanks a lot!
    Thursday, August 9, 2018 5:18 AM
  • Sorry Brian, I have another question.

    I tried to send an IO Control to my upper filter driver and pass it to the function driver,

    but it crashes... Did I miss something?

    My function driver only prints a line.

    Here is the code:

    NTSTATUS
    FilterDispatchIo(
        PDEVICE_OBJECT    DeviceObject,
        PIRP              Irp
        )
    {
        PIO_STACK_LOCATION  irpStack;
        NTSTATUS            status;
        PDEVICE_EXTENSION           deviceExtension;
    
        PAGED_CODE();
    
        deviceExtension = (PDEVICE_EXTENSION) DeviceObject->DeviceExtension;
    
            status = STATUS_SUCCESS;
            Irp->IoStatus.Information = 0;
            irpStack = IoGetCurrentIrpStackLocation (Irp);
    
            switch (irpStack->MajorFunction) {
                case IRP_MJ_CREATE:
                case IRP_MJ_CLOSE:
                case IRP_MJ_CLEANUP:
                    break;
                    
                case IRP_MJ_DEVICE_CONTROL:
                    switch (irpStack->Parameters.DeviceIoControl.IoControlCode) {
    
                        case IOCTL_For_Testing: 
                            DebugPrint(("IOCTL_For_Testing\n"));
                            IoCopyCurrentIrpStackLocationToNext(Irp);
                            IoSkipCurrentIrpStackLocation(Irp);
                            status = IoCallDriver (deviceExtension->NextLowerDriver, Irp);
                            return status;
    
                        default:
                            status = STATUS_INVALID_PARAMETER;
                            break;
                    }
                default:
                    break;
            }
    
        Irp->IoStatus.Status = status;
        IoCompleteRequest (Irp, IO_NO_INCREMENT);
        return status;
    }


    my function driver's code:

    case IOCTL_For_Testing:
                    DebugPrint(("IOCTL_For_Testing"));
                    Status = STATUS_SUCCESS;
    break;
    
    pIrp->IoStatus.Status = Status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT );
    return Status;



    • Edited by _Wayne56 Thursday, August 9, 2018 6:32 AM
    Thursday, August 9, 2018 6:21 AM
  • Remove the call to IoSkipCurrentIrpStackLocation

     -Brian



    Thursday, August 9, 2018 6:22 PM
    Moderator
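
    A user-mode model of the stack-location bookkeeping discussed in the answers above, added here as an example (it is not code from the thread or from the WDK). The `MODEL_*` types, the `forward` helper and the IOCTL value are constructed for illustration; the index arithmetic follows the WDM `IoCopyCurrentIrpStackLocationToNext` and `IoSkipCurrentIrpStackLocation` macros and the way `IoCallDriver` advances to the next location.

```c
/* User-mode model of IRP stack-location bookkeeping (simplified; not WDK code). */
#include <stdio.h>

#define STACK_SIZE        3           /* three drivers in the modeled DevStack */
#define IOCTL_FOR_TESTING 0x222000u   /* constructed sample control code */
#define STALE             0xDEADBEEFu /* stands in for a slot nobody filled in */
typedef struct { unsigned ioctl; } MODEL_STACK_LOCATION;
typedef struct {
    MODEL_STACK_LOCATION slot[STACK_SIZE]; /* slot[0] belongs to the lowest driver */
    int current;                           /* index of the running driver's slot */
} MODEL_IRP;
typedef struct { int slot; unsigned ioctl; } LOWER_VIEW;
enum forward_style { FWD_NOTHING, FWD_COPY, FWD_SKIP, FWD_COPY_THEN_SKIP };

/* Index arithmetic of the WDM macros. The real copy also leaves out the
   completion routine and clears Control; the model omits those fields. */
static MODEL_STACK_LOCATION *get_current(MODEL_IRP *irp) { return &irp->slot[irp->current]; }
static MODEL_STACK_LOCATION *get_next(MODEL_IRP *irp) { return &irp->slot[irp->current - 1]; }
static void copy_current_to_next(MODEL_IRP *irp) { *get_next(irp) = *get_current(irp); }
static void skip_current(MODEL_IRP *irp) { irp->current++; }
/* IoCallDriver makes the "next" slot current before the lower driver runs. */
static void call_driver(MODEL_IRP *irp) { irp->current--; }

/* The filter owns slot 1 and forwards; returns what the lower driver reads. */
LOWER_VIEW forward(enum forward_style style)
{
    MODEL_IRP irp;
    LOWER_VIEW view;
    for (int i = 0; i < STACK_SIZE; i++) irp.slot[i].ioctl = STALE;
    irp.current = 1;
    get_current(&irp)->ioctl = IOCTL_FOR_TESTING; /* set up by the driver above */
    if (style == FWD_COPY || style == FWD_COPY_THEN_SKIP) copy_current_to_next(&irp);
    if (style == FWD_SKIP || style == FWD_COPY_THEN_SKIP) skip_current(&irp);
    call_driver(&irp);

    view.slot = irp.current;
    view.ioctl = get_current(&irp)->ioctl;
    return view;
}

int main(void)
{
    static const char *name[] = { "nothing", "copy", "skip", "copy+skip" };
    for (int s = FWD_NOTHING; s <= FWD_COPY_THEN_SKIP; s++) {
        LOWER_VIEW v = forward((enum forward_style)s);
        printf("%-9s lower driver reads slot %d, ioctl 0x%08X\n", name[s], v.slot, v.ioctl);
    }
    return 0;
}
```

    In the model, forwarding with neither call hands the lower driver a slot that was never filled in, and copy followed by skip leaves the copied slot 0 unused because the lower driver runs on the filter's own slot 1, as it does with skip alone.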
  • What's the !analyze -v output from the crash? Also, why are you bothering with WDM? You should be writing this in WDF.

    Scott Noone
    Engineering Partner
    OSR Open Systems Resources, Inc.
    Windows Driver Training, Consulting, Problem Analysis, and Custom Development
    http://www.osronline.com
    https://www.osr.com
    https://www.linkedin.com/in/scottnoone

    Tuesday, August 14, 2018 2:18 PM