IRQL_NOT_LESS_OR_EQUAL Error code- 0xD1

Hi,

I am trying to inject the keyboard scan code data from IRP_MJ_DEVICE_CONTROL.

I am using KeRaiseIrql (DISPATCH_LEVEL, prevIrql)

When I call the service callback routine I am getting this error: IRQL_NOT_LESS_OR_EQUAL Error code- 0xD1.

Can you please help me to use the service callback in this context?

Thank you for your help.
JJD.

Please see my code here… Please let me know where I am going wrong.

KEYBOARD_INPUT_DATA InputDataStart[2] = {1,1};// = NULL;
KEYBOARD_INPUT_DATA InputDataEnd;
ULONG InputDataConsumed = 0;

temp = *Buffer;
DbgPrint("User to Driver %d \n",temp);

InputDataConsumed = 0;
InputDataStart[0].UnitId = 0;
InputDataStart[0].MakeCode = temp;
InputDataStart[0].Flags = KEY_MAKE;
InputDataStart[0].Reserved = 0;
InputDataStart[0].ExtraInformation = 0;
InputDataStart[1].UnitId = 0;
InputDataStart[1].MakeCode = temp;
InputDataStart[1].Flags = KEY_BREAK;
InputDataStart[1].Reserved = 0;
InputDataStart[1].ExtraInformation = 0;
classDeviceObject = devExt->UpperConnectData.ClassDeviceObject;
classService = devExt->UpperConnectData.ClassService;

KeRaiseIrql(DISPATCH_LEVEL, &prevIrql);
DbgPrint(("*(PSERVICE_CALLBACK_ROUTINE) Entered \n"));
(*(PSERVICE_CALLBACK_ROUTINE) classService)(
classDeviceObject,
InputDataStart,
InputDataStart+2,
&InputDataConsumed);

DbgPrint(("*(TATA SERVICE_CALLBACK_ROUTINE) Exited \n"));

KeLowerIrql(prevIrql);

xxxxx@gmail.com wrote:

When I call the service callback routine I am getting this error: IRQL_NOT_LESS_OR_EQUAL Error code- 0xD1.

Well, the big question is what your service routine does. Specifically, a
bad pointer dereference, touching paged memory, and calling various
kernel routines are not allowed at dispatch. But, you need to give us a
!analyze -v output if you want any more detail.

MH.

xxxxx@gmail.com wrote:

Please see my code here… Please let me know where I am going wrong.

KEYBOARD_INPUT_DATA InputDataStart[2] = {1,1};// = NULL;
KEYBOARD_INPUT_DATA InputDataEnd;
ULONG InputDataConsumed = 0;

I see that you are not actually using InputDataEnd here, but for future
reference you should know that there is no guarantee in the C standard
that your items will be allocated on the stack in the exact order you
have declared them.

classDeviceObject = devExt->UpperConnectData.ClassDeviceObject;
classService = devExt->UpperConnectData.ClassService;

KeRaiseIrql(DISPATCH_LEVEL, &prevIrql);
DbgPrint(("*(PSERVICE_CALLBACK_ROUTINE) Entered \n"));
(*(PSERVICE_CALLBACK_ROUTINE) classService)(
classDeviceObject,
InputDataStart,
InputDataStart+2,
&InputDataConsumed);

DbgPrint(("*(TATA SERVICE_CALLBACK_ROUTINE) Exited \n"));

KeLowerIrql(prevIrql);

Where does the blue screen happen? The one thing I do see is that you
aren’t checking whether classService and classDeviceObject are NULL. We
don’t see the rest of your code, of course, but are you absolutely
certain those fields are set before you get here?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Hi,

Please find the kernel dump for my code. I have tried changing the unused KEYBOARD_INPUT_DATA InputDataEnd structure as well. Following is the result. Can you please help me to solve this?

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 00000000, address which referenced memory

Debugging Details:

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************

READ_ADDRESS: 00000000 Paged pool

CURRENT_IRQL: 2

FAULTING_IP:
+0
00000000 ?? ???

PROCESS_NAME: toast.exe

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from 8042a025 to 80452f6c

FAILED_INSTRUCTION_ADDRESS:
+0
00000000 ?? ???

STACK_TEXT:
ef592750 8042a025 00000003 ef592798 00000000 nt!ObGetSecurityMode
ef592780 8042a603 00000003 00000000 00000000 nt!IopGetDevicePDO+0x4d
ef5927e0 80468ce2 8205bf90 80481b00 81b9e010 nt!MapperConstructRootEnumTree+0xcd
ef5927e0 183bb000 8205bf90 80481b00 81b9e010 nt!KiUnexpectedInterruptTail+0x113
WARNING: Frame IP not in any known module. Following frames may be wrong.
00001000 00000000 00000000 00000000 00000000 0x183bb000

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!IopGetDevicePDO+4d
8042a025 834dfcff or dword ptr [ebp-4],0FFFFFFFFh

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!IopGetDevicePDO+4d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 384d5a76

FAILURE_BUCKET_ID: 0xD1_VRF_CODE_AV_NULL_IP_nt!IopGetDevicePDO+4d

BUCKET_ID: 0xD1_VRF_CODE_AV_NULL_IP_nt!IopGetDevicePDO+4d

Followup: MachineOwner

Hi,

Can you please let me know why I am getting this error IRQL_NOT_LESS_OR_EQUAL Error code- 0xD1

JJD

Please post the output of !analyze -v within WinDbg.

Have a nice day
GV


Gianluca Varenni, Windows DDK MVP

CACE Technologies
http://www.cacetech.com

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Thursday, December 13, 2007 9:52 AM
Subject: RE:[ntdev] IRQL_NOT_LESS_OR_EQUAL Error code- 0xD1

> Hi,
>
> Can you please let me know why I am getting this error
> IRQL_NOT_LESS_OR_EQUAL Error code- 0xD1
>
> JJD

At 05:52 PM 12/13/2007, xxxxx@gmail.com wrote:

Hi,

Can you please let me know why I am getting this error
IRQL_NOT_LESS_OR_EQUAL Error code- 0xD1

JJD

You’re probably accessing paged or non-existent memory at >= DISPATCH_LEVEL.

Attach WinDbg to catch it live or examine the memory.dmp file.

Knowing how to attach the debugger to catch and analyse crashes is a
pre-requisite before anyone here can provide any great insight.

Mark.


Ah, just spotted that you posted the result of !analyze -v in an earlier post.

From that, the primary cause is that you’re trying to read something
using a NULL pointer at DISPATCH_LEVEL.

Other than that, fix the symbols and you might have a better call
stack to look at.

Mark.

xxxxx@gmail.com wrote:

Hi,

Please find the kernel dump for my code. I have tried changing the unused KEYBOARD_INPUT_DATA InputDataEnd structure as well. Following is the result. Can you please help me to solve this?

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 00000000, address which referenced memory

Debugging Details:

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***

This is a key problem for you. You need to hook up to the symbol server
to get the correct symbols.

LAST_CONTROL_TRANSFER: from 8042a025 to 80452f6c

FAILED_INSTRUCTION_ADDRESS:
+0
00000000 ?? ???

STACK_TEXT:
ef592750 8042a025 00000003 ef592798 00000000 nt!ObGetSecurityMode
ef592780 8042a603 00000003 00000000 00000000 nt!IopGetDevicePDO+0x4d
ef5927e0 80468ce2 8205bf90 80481b00 81b9e010 nt!MapperConstructRootEnumTree+0xcd
ef5927e0 183bb000 8205bf90 80481b00 81b9e010 nt!KiUnexpectedInterruptTail+0x113
WARNING: Frame IP not in any known module. Following frames may be wrong.
00001000 00000000 00000000 00000000 00000000 0x183bb000

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!IopGetDevicePDO+4d
8042a025 834dfcff or dword ptr [ebp-4],0FFFFFFFFh

What operating system is this? On XP SP2 with the PA kernel,
IopGetDevicePDO is only 0x40 bytes long, IopGetDevicePDO doesn’t call
ObGetSecurityMode, and the instruction at +4d doesn’t look like that.
Further, the instruction we see here couldn’t cause this blue screen.

Was this analyzed from a mini dump? Can you catch this live in the
debugger?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

The OP posted some code where he is calling through a pointer. Obviously,
that pointer is null.

- Dan.
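
The NULL-pointer reading of the dump can be made from the four bugcheck arguments alone, which matters here because the symbols are wrong and the stack text cannot be trusted. The following is an added example, not code from any poster in this thread; the sample text is constructed from the fields in the posted dump, and the `NULL_PAGE` threshold and function names are assumptions made for illustration.

```python
import re

# Constructed sample: the bugcheck fields quoted from the dump posted in this thread.
SAMPLE = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 00000000, address which referenced memory
*** Your debugger is not using the correct symbols ***
"""

NULL_PAGE = 0x10000  # assumption: addresses below 64 KB are treated as NULL-based


def parse_d1(text):
    """Return the four bugcheck 0xD1 arguments as integers, plus a symbol-quality flag."""
    found = re.findall(r"^Arg([1-4]):\s*([0-9a-fA-F`]+)", text, re.M)
    args = {int(n): int(v.replace("`", ""), 16) for n, v in found}
    if sorted(args) != [1, 2, 3, 4]:
        raise ValueError("not a complete 0xD1 argument block")
    return {"referenced": args[1], "irql": args[2], "access": args[3],
            "ip": args[4],
            "bad_symbols": "not using the correct symbols" in text}


def triage(d):
    """Classify the fault from the arguments alone, without trusting the stack."""
    findings = []
    if d["irql"] >= 2:
        findings.append("fault taken at DISPATCH_LEVEL or above")
    if d["ip"] == d["referenced"]:
        # The faulting instruction address is the address referenced: the CPU
        # was fetching code there, i.e. control was transferred to that address.
        kind = "NULL" if d["ip"] < NULL_PAGE else "invalid"
        findings.append(f"call or jump through {kind} function pointer")
    elif d["referenced"] < NULL_PAGE:
        op = "write" if d["access"] == 1 else "read"
        findings.append(f"{op} through NULL-based data pointer")
    else:
        findings.append("access to pageable or invalid address")
    if d["bad_symbols"]:
        findings.append("symbols wrong: stack text unreliable")
    return findings
```
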



Hi guys
The IRQL_NOT_LESS_OR_EQUAL error is a blue screen error in Windows that typically indicates a driver-related problem.

The IRQL_NOT_LESS_OR_EQUAL error is a blue screen error in Windows that typically indicates a driver-related problem.

That may be the single most useless comment ever made on this list. Why would they be asking on a driver mailing list if they didn’t know it was a driver-related problem?

Further, this was a 15-year-old post. The original asker has probably gone on to other things. I assume this will be locked summarily.

Done.