BSOD when unplugging USB device during activity #54

Open
sonatique opened this issue Sep 27, 2023 · 3 comments
Labels
Anomaly Bug or unintentional feature

Comments

@sonatique

While doing tests of removing USB device abruptly (i.e. physically unplugging it) during activity (basically reading on a data endpoint in a loop) I systematically got a BSOD.

My stack is an application using libusb-1.0, libusbK.dll and libusbK.sys (latest signed versions).

Analysis of the minidump using WinDbg gave the following output, in which libusbK.sys is clearly identified as doing something wrong.

It is a bit beyond my knowledge, could someone have a look at it? I guess it's easily reproducible. Thanks

Here is WinDbg output:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffffe80dfc26870, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffffe80dfc267c8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 1781

    Key  : Analysis.Elapsed.mSec
    Value: 11773

    Key  : Analysis.IO.Other.Mb
    Value: 1

    Key  : Analysis.IO.Read.Mb
    Value: 4

    Key  : Analysis.IO.Write.Mb
    Value: 12

    Key  : Analysis.Init.CPU.mSec
    Value: 109

    Key  : Analysis.Init.Elapsed.mSec
    Value: 60213

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 114

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0x139

    Key  : Dump.Attributes.AsUlong
    Value: 1808

    Key  : Dump.Attributes.DiagDataWrittenToHeader
    Value: 1

    Key  : Dump.Attributes.ErrorCode
    Value: 0

    Key  : Dump.Attributes.KernelGeneratedTriageDump
    Value: 1

    Key  : Dump.Attributes.LastLine
    Value: Dump completed successfully.

    Key  : Dump.Attributes.ProgressPercentage
    Value: 0

    Key  : FailFast.Name
    Value: CORRUPT_LIST_ENTRY

    Key  : FailFast.Type
    Value: 3

    Key  : Failure.Bucket
    Value: 0x139_3_CORRUPT_LIST_ENTRY_libusbK!unknown_function

    Key  : Failure.Hash
    Value: {3e2f28bf-7cbf-dc2c-f08f-3b94cf8f94c5}

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 1417df84

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 1

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 0

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 1

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 1

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 1

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 1

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 1

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 1

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 0

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 1

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 1

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 1

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 21631230

    Key  : Hypervisor.Flags.ValueHex
    Value: 14a10fe

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 1

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 1

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 1

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 1

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 1

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 1

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 1

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 1

    Key  : Hypervisor.RootFlags.Value
    Value: 1015

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 3f7


BUGCHECK_CODE:  139

BUGCHECK_P1: 3

BUGCHECK_P2: fffffe80dfc26870

BUGCHECK_P3: fffffe80dfc267c8

BUGCHECK_P4: 0

FILE_IN_CAB:  092723-15156-01.dmp

DUMP_FILE_ATTRIBUTES: 0x1808
  Kernel Generated Triage Dump

TRAP_FRAME:  fffffe80dfc26870 -- (.trap 0xfffffe80dfc26870)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffe80dfc26cb8 rbx=0000000000000000 rcx=0000000000000003
rdx=fffffe80dc7f6838 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8000a91511d rsp=fffffe80dfc26a00 rbp=ffff9304dea3abb0
 r8=00000000000005c0  r9=fffff8000a990c08 r10=0000000000000000
r11=fffffe80dfc269e0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
Wdf01000!RtlFailFast+0x5:
fffff800`0a91511d cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  fffffe80dfc267c8 -- (.exr 0xfffffe80dfc267c8)
ExceptionAddress: fffff8000a91511d (Wdf01000!RtlFailFast+0x0000000000000005)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY 

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  System

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  0000000000000003

EXCEPTION_STR:  0xc0000409

STACK_TEXT:  
fffffe80`dfc26548 fffff800`094477a9     : 00000000`00000139 00000000`00000003 fffffe80`dfc26870 fffffe80`dfc267c8 : nt!KeBugCheckEx
fffffe80`dfc26550 fffff800`09447d32     : ffff9304`e15f6dc0 fffff800`0a906e46 00006cfb`35d39300 ffff9304`aa010000 : nt!KiBugCheckDispatch+0x69
fffffe80`dfc26690 fffff800`09445b06     : 00000000`00000009 fffff800`0927d847 ffff9304`d9de8aa0 00000000`00000000 : nt!KiFastFailDispatch+0xb2
fffffe80`dfc26870 fffff800`0a91511d     : fffffe80`dfc26c40 ffff9304`dea3abb0 00000000`00000001 fffffe80`dfc26bd0 : nt!KiRaiseSecurityCheckFailure+0x346
fffffe80`dfc26a00 fffff800`0a9069c6     : fffff800`0aa80500 fffff800`0a929a00 fffffe80`dfc26bd0 00000000`00000004 : Wdf01000!FxIoTarget::SubmitLocked+0xeaad [minkernel\wdf\framework\shared\targets\general\fxiotarget.cpp @ 1536] 
fffffe80`dfc26aa0 fffff800`0a953dce     : fffffe80`dfc26bd0 fffffe80`dfc26b60 fffffe80`dfc26c40 fffffe80`dfc26cf0 : Wdf01000!FxIoTarget::Submit+0x3e [minkernel\wdf\framework\shared\targets\general\fxiotarget.cpp @ 1649] 
fffffe80`dfc26ae0 fffff800`0a954083     : ffff9304`db01aa00 fffff800`00000000 00000000`00000000 fffffe80`dfc26cf0 : Wdf01000!FxIoTarget::SubmitSync+0x126 [minkernel\wdf\framework\shared\targets\general\fxiotarget.cpp @ 1740] 
fffffe80`dfc26ba0 fffff800`0a95701c     : 00000000`00000000 fffffe80`dfc26c00 00000000`00000000 00000000`00000000 : Wdf01000!FxIoTarget::SubmitSyncRequestIgnoreTargetState+0x93 [minkernel\wdf\framework\shared\targets\general\fxiotarget.cpp @ 2697] 
fffffe80`dfc26bf0 fffff800`675033c1     : ffff9304`e5492b70 ffff9304`e15f6dc0 ffff9304`dea3abb0 00000000`00004000 : Wdf01000!imp_WdfUsbTargetPipeResetSynchronously+0x15c [minkernel\wdf\framework\shared\targets\usb\fxusbpipeapi.cpp @ 603] 
fffffe80`dfc26e80 ffff9304`e5492b70     : ffff9304`e15f6dc0 ffff9304`dea3abb0 00000000`00004000 ffff9304`e5492fa8 : libusbK+0x33c1
fffffe80`dfc26e88 ffff9304`e15f6dc0     : ffff9304`dea3abb0 00000000`00004000 ffff9304`e5492fa8 ffff9304`d23f1020 : 0xffff9304`e5492b70
fffffe80`dfc26e90 ffff9304`dea3abb0     : 00000000`00004000 ffff9304`e5492fa8 ffff9304`d23f1020 00000000`00000010 : 0xffff9304`e15f6dc0
fffffe80`dfc26e98 00000000`00004000     : ffff9304`e5492fa8 ffff9304`d23f1020 00000000`00000010 00000000`00000000 : 0xffff9304`dea3abb0
fffffe80`dfc26ea0 ffff9304`e5492fa8     : ffff9304`d23f1020 00000000`00000010 00000000`00000000 00006cfb`239a7238 : 0x4000
fffffe80`dfc26ea8 ffff9304`d23f1020     : 00000000`00000010 00000000`00000000 00006cfb`239a7238 00006cfb`1ab6d488 : 0xffff9304`e5492fa8
fffffe80`dfc26eb0 00000000`00000010     : 00000000`00000000 00006cfb`239a7238 00006cfb`1ab6d488 00000000`00004000 : 0xffff9304`d23f1020
fffffe80`dfc26eb8 00000000`00000000     : 00006cfb`239a7238 00006cfb`1ab6d488 00000000`00004000 00000000`00004000 : 0x10


SYMBOL_NAME:  libusbK+33c1

MODULE_NAME: libusbK

IMAGE_NAME:  libusbK.sys

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  33c1

FAILURE_BUCKET_ID:  0x139_3_CORRUPT_LIST_ENTRY_libusbK!unknown_function

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {3e2f28bf-7cbf-dc2c-f08f-3b94cf8f94c5}

Followup:     MachineOwner
@mcuee mcuee added the Anomaly Bug or unintentional feature label Sep 27, 2023
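
Added example (not part of the issue thread, and not code from libusbK or Wdf01000): a user-mode C model of the link-consistency check behind `FAST_FAIL_CORRUPT_LIST_ENTRY`, showing why unlinking the same entry twice trips it. The `list_entry` helpers and the two-unlink scenario are constructed for illustration; the dump does not show which list or which code paths were involved.

```c
#include <stdbool.h>

/* User-mode model of a doubly linked LIST_ENTRY. Field names mirror the
   Windows structure; the functions are illustrative, not WDK code. */
typedef struct list_entry {
    struct list_entry *Flink;   /* next entry */
    struct list_entry *Blink;   /* previous entry */
} list_entry;

#define FAST_FAIL_CORRUPT_LIST_ENTRY 3   /* subcode reported in the dump */

static void list_init(list_entry *head) { head->Flink = head->Blink = head; }

/* Both neighbours must still point back at the entry being touched. */
static bool links_consistent(const list_entry *e)
{
    return e->Flink->Blink == e && e->Blink->Flink == e;
}

/* Each helper returns 0 on success, or the fast-fail subcode at the point
   where the kernel would execute int 29h and bugcheck with 0x139. */
static int checked_insert_tail(list_entry *head, list_entry *e)
{
    if (!links_consistent(head)) return FAST_FAIL_CORRUPT_LIST_ENTRY;
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
    return 0;
}

static int checked_remove(list_entry *e)
{
    if (!links_consistent(e)) return FAST_FAIL_CORRUPT_LIST_ENTRY;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    return 0;   /* e keeps its stale Flink/Blink after being unlinked */
}

/* Constructed scenario: the same entry is unlinked twice. */
int double_remove_result(void)
{
    list_entry head, a, b;
    list_init(&head);
    checked_insert_tail(&head, &a);
    checked_insert_tail(&head, &b);
    if (checked_remove(&a) != 0) return -1;   /* first unlink succeeds */
    return checked_remove(&a);   /* neighbours no longer point back at a */
}
```

The second unlink is caught because the entry's stale pointers still name its old neighbours, which now point at each other. Without the check, those writes would silently corrupt the list.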
@mcuee
Owner

mcuee commented Sep 27, 2023

Hmm, this is beyond my capability as well. I have not seen such an issue before.

@TravisRo
Needs your help here.

@VadimAspirin

Hello,
Faced the same problem, has anyone found a solution?

@TravisRo
Collaborator

Can you switch the driver to winusb.sys?
