BUG: Calling IoDeleteDevice May Unexpectedly Unload Driver (216308)



The information in this article applies to:

  • Microsoft Windows 98 Driver Development Kit (DDK)

This article was previously published under Q216308

SYMPTOMS

If a Windows 98 WDM driver's AddDevice routine calls IoCreateDevice followed by IoDeleteDevice, the driver may be unloaded unexpectedly and the memory freed, all before the AddDevice routine finishes execution. This could theoretically allow another thread to prematurely overwrite the driver's memory, causing potential system instability.

CAUSE

Calling IoDeleteDevice results in Ntkern.vxd unloading the driver if the driver's reference count is 0 (zero) and no other threads are in the process of unloading it.

RESOLUTION

As a workaround, it may be possible to restructure the driver's AddDevice routine so that it does not create the Device Object unnecessarily, thereby avoiding the IoDeleteDevice call.

Rather than calling IoDeleteDevice, the AddDevice routine can return a failure code if necessary. Device Manager will show the device as having an error, but this should not cause a memory leak.
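The restructuring described above, as an added example that is not from the original article or the DDK: a user-mode C model, not driver code, comparing an AddDevice that creates and then deletes its Device Object with one that runs its failing check first. The sim_* functions are constructed stand-ins for IoCreateDevice, IoDeleteDevice and the Ntkern.vxd unload, and hw_supported is a hypothetical check that AddDevice might fail.

```c
/* User-mode model only: sim_* are constructed stand-ins, not DDK functions. */
#include <stdbool.h>

typedef int sim_status;              /* stand-in for NTSTATUS */
#define SIM_SUCCESS 0
#define SIM_FAILURE (-1)

struct sim_driver {
    int  device_objects;    /* Device Objects the driver currently owns       */
    bool image_loaded;      /* false once the modelled unload frees the image */
    bool ran_after_unload;  /* set if driver code ran after that unload       */
};

static void sim_create_device(struct sim_driver *d) { d->device_objects++; }

/* Simplified model of CAUSE: deleting the last Device Object while nothing
   else references the driver unloads it immediately. */
static void sim_delete_device(struct sim_driver *d) {
    if (--d->device_objects == 0) d->image_loaded = false;
}

/* Called wherever driver code executes; records execution in a freed image. */
static void sim_driver_code_runs(struct sim_driver *d) {
    if (!d->image_loaded) d->ran_after_unload = true;
}

/* Pattern from SYMPTOMS: create, hit a failure, delete, keep executing. */
sim_status add_device_create_then_delete(struct sim_driver *d, bool hw_supported) {
    sim_create_device(d);
    if (!hw_supported) {
        sim_delete_device(d);        /* image may be gone from here on      */
        sim_driver_code_runs(d);     /* remaining cleanup and return path   */
        return SIM_FAILURE;
    }
    return SIM_SUCCESS;
}

/* Pattern from RESOLUTION: every check that can fail runs before creation. */
sim_status add_device_validate_first(struct sim_driver *d, bool hw_supported) {
    if (!hw_supported) {
        sim_driver_code_runs(d);     /* image still loaded: nothing deleted */
        return SIM_FAILURE;          /* plain failure code, no delete call  */
    }
    sim_create_device(d);
    sim_driver_code_runs(d);
    return SIM_SUCCESS;
}
```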

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem has been fixed for future versions of Windows 98.

MORE INFORMATION

On both Windows 98 and Windows Millennium Edition, a call to IoDeleteDevice within an IRP_MN_REMOVE_DEVICE handler may result in the following behavior:
  • DriverUnload may be called before the IRP_MN_REMOVE_DEVICE handler has exited.
  • The driver may unload before the IRP_MN_REMOVE_DEVICE handler has exited.
The best way to avoid problems is to minimize the amount of code that follows the call to IoDeleteDevice.

REFERENCES

See the Windows 98 DDK for more information on IoCreateDevice, IoDeleteDevice, and WDM drivers.

Modification Type: Major
Last Reviewed: 10/16/2002
Keywords: kbBug KB216308