Windows stop responding after complete HID read report

Nikita_Bratukhin · May 20, 2017, 7:04am

i am trying to write hid driver for my usb joystick. i am use hidusbfx as example. Everything works except completing hid read report request.

for example i use simple hid descriptor

CONST UCHAR G_DefaultReportDescriptor = {
// Consumer control collection
0x05,0x01, // USAGE_PAGE (GENERAL DESKTOP)
0x09,0x04, // USAGE (Joystick)
0xa1, 0x01, // COLLECTION (Application)
0xa1, 0x00, // COLLECTION (Physical)

0x05, 0x09, // USAGE_PAGE (Button)
0x19, 0x01, // USAGE_MINIMUM (Button 1)
0x29, 0x08, // USAGE_MAXIMUM (Button 8)
0x15, 0x00, // LOGICAL_MINIMUM (0)
0x25, 0x01, // LOGICAL_MAXIMUM (1)
0x95, 0x08, // REPORT_COUNT (8)
0x75, 0x01, // REPORT_SIZE (1)
0x81, 0x02, // INPUT (Data,Var,Abs)

0xc0, // END_COLLECTION
0xc0
};

when i receive IOCTL_HID_READ_REPORT i forward request to manual queue

case IOCTL_HID_READ_REPORT:
{
TraceEvents(TRACE_LEVEL_ERROR, TRACE_QUEUE, “read report”);
status = WdfRequestForwardToIoQueue(Request, context->interruptMsgQueue);
if (!NT_SUCCESS(status)) {
TraceEvents(TRACE_LEVEL_ERROR, TRACE_DRIVER,
“WdfRequestForwardToIoQueue failed with status: 0x%x\n”, status);

WdfRequestComplete(Request, status);
}
return;
}

and later, when i get data from interrupt pipe i complete request

VOID
InterruptPipeReadComplete(
WDFUSBPIPE Pipe,
WDFMEMORY Buffer,
size_t NumBytesTransferred,
WDFCONTEXT Context
)
{

TraceEvents(TRACE_LEVEL_INFORMATION, TRACE_DRIVER, “%!FUNC! entry”);

UNREFERENCED_PARAMETER(Pipe);
UNREFERENCED_PARAMETER(Context);

PUCHAR buf = WdfMemoryGetBuffer(Buffer, NULL);

TraceEvents(TRACE_LEVEL_INFORMATION, TRACE_DRIVER, “data: %x %x %x %x %x %x %x”, buf[0], buf[1], buf[2], buf[3], buf[4], buf[5], (unsigned)NumBytesTransferred);

WDFREQUEST request;
NTSTATUS status;
PDEVICE_CONTEXT context = Context;

status = WdfIoQueueRetrieveNextRequest(
context->interruptMsgQueue,
&request);

if (NT_SUCCESS(status)) {

TraceEvents(TRACE_LEVEL_INFORMATION, TRACE_DRIVER, “complete”);

PUCHAR reqbuf;
size_t bytesReturned;

status = WdfRequestRetrieveOutputBuffer(request,
1,
&reqbuf,
&bytesReturned);// BufferLength

*reqbuf = buf[4];

TraceEvents(TRACE_LEVEL_INFORMATION, TRACE_DRIVER, “returned : %x”,(unsigned)bytesReturned);

WdfRequestCompleteWithInformation(request, status, bytesReturned);
}

TraceEvents(TRACE_LEVEL_INFORMATION, TRACE_DRIVER, “%!FUNC! exit”);

}

and when WdfRequestCompleteWithInformation is called windows stop responding
i was trying different descriptors and reports, but it doesn’t help

full code in github repo:
https://github.com/TheHoudini/KMDFDriver/tree/master/Jdriver
pls help, i have no idea how to fix it =(

p.s. sry for my english

Mikae · May 20, 2017, 6:24pm

Nikita,

Once it hangs, break in to the OS with WinDbg and execute

!stack 2 %YourDriverName%

command. Paste the output here. It would be way easier to understand what’s going on without delving into code details.

Slava_Imameev · May 21, 2017, 1:16am

I would also try
!locks

Nikita_Bratukhin · May 21, 2017, 2:35am

i cant break when its happen :C

Nikita_Bratukhin · May 21, 2017, 2:49am

https://youtu.be/R9YkqIyJY5I

after 1:05 target vm totally dead

Mikae · May 21, 2017, 6:57am

I’d try to use WinDbg to debug this issue. There are many tutorials how to set it up and it always succeeds to break in.

Pavel_A1 · May 21, 2017, 10:33am

Run with the Verifier set on your driver. As already advised in the other forum.
If you have not used the verifier before - that’s perfect time to begin.

– pa

OSR_Community_User · May 21, 2017, 11:30am

It looks like the machine hangs during driver initialization. Add breakpoints to DriverEntry and EvtDriverDeviceAdd and do step by step debugging (F10) just to be sure the initialization is done without errors.

At the start of DriverEntry and EvtDriverDeviceAdd add the following code :

if (KD_DEBUGGER_ENABLED && KD_DEBUGGER_NOT_PRESENT == FALSE)
{
DbgBreakPoint() ;
}

Be sure that both DriverEntry and EvtDriverDeviceAdd return a successful NTSTATUS value and you will be ready to debug the IOCTL.

J. S.

OSR_Community_User · May 21, 2017, 3:34pm

You are working on a lower filter driver but the EvtDriverDeviceAdd callback does not call WdfFdoInitSetFilter.

You cannot install this driver as a PNP driver as the hardware ID will be claimed by the driver. This is not an FDO (functionnal DO) but a filter DO. You must use an installation application for a filter driver.

Copy the driver’s binary.
Open the device’s registry key and run the AddReg INF section.
Create the driver’s service.
Start the service.
You may need to reboot the machine.

You also have issues in the INF file. The driver’s service section is not référenced.

In the AddService line, replace mshidkmdf_Service_Inst with Jdriver_Service_Inst.

W. N.

OSR_Community_User · May 21, 2017, 3:44pm

Correction :

Sorry, do not start the driver’s service. The Os will start it when the underlying PDO’s stack is built.

Plug the USB HID device and the filter driver should be loaded.

W. N.

OSR_Community_User · May 22, 2017, 9:58am

Your project is far from being ready for deployment.

Just one example : your INF file is overwriting the configuration of the inbox MSHIDKMDF driver’s service. Just don’t use it until you have completely reviewd it.

If you want an FDO for your joystick, than just start with an ordinary KMDF driver for a PNP enumerated device whose hardware ID is your joystick’s ID.

I would restart from a new KMDF driver made out of VS template and set the joystick’s ID as the claimed hardware ID in the INF file.

J. S.