IoStatus.Status pageable

I’m trying to debug a very old WDM driver. I feel I ran into this during a past rewrite but can’t seem to find any information to back up my theory. The crash dump analysis shows the error described below within the ISR. It seems the IRP pointer should not be accessed here. In later iterations I moved this access to the DPC, but I want to make sure this is indeed the problem and solution. Is accessing the IRP from the ISR the actual problem, and if so, why?

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000018, memory referenced
Arg2: 00000006, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 9adafdbd, address which referenced memory

BOOLEAN PL_Isr(IN PKINTERRUPT Interrupt, IN PVOID ServiceContext)
{
    PDEVICE_EXTENSION pdx = (PDEVICE_EXTENSION) ServiceContext;
    BOOLEAN done = FALSE;

    PIRP curIrp;
    curIrp = GetCurrentIrp(&pdx->dqReadWrite);
    …

FAULTING_SOURCE_CODE:
969:
970: // Close out this IRP. Report actual number of words transferred.
> 971: curIrp->IoStatus.Status = STATUS_SUCCESS;
972: curIrp->IoStatus.Information =
973: (
974: pdx->ReadTransfer.BytesRequested
975: - pdx->ReadTransfer.BytesRemaining
976: )/ sizeof(ULONG);

Arg1: 00000018, memory referenced

You are referencing NULL, so you don’t have a valid IRP. If you have a valid IRP, you can reference the IRP and any nonpaged buffers hanging off of the IRP.

d
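
Added example, not part of the thread and not the poster's driver code: a user-mode C model of the leading fields of the 32-bit IRP, showing why a write to address 0x18 (Arg1) matches curIrp->IoStatus.Status with curIrp equal to NULL. The x86 layout is an assumption based on the 8-digit addresses in the dump, and the names IRP32_PREFIX and null_irp_field are made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 32-bit (x86) Windows, as the 8-digit addresses in the bugcheck
 * suggest. Leading fields of the x86 IRP, pointers modelled as uint32_t.
 * IRP32_PREFIX is a name made up for this example. */
typedef struct {
    int16_t  Type;
    uint16_t Size;
    uint32_t MdlAddress;          /* PMDL */
    uint32_t Flags;
    uint32_t AssociatedIrp;       /* union of pointer-sized members */
    uint32_t ThreadListEntry[2];  /* LIST_ENTRY: Flink, Blink */
    struct {
        uint32_t Status;          /* NTSTATUS, in a union with PVOID */
        uint32_t Information;     /* ULONG_PTR */
    } IoStatus;
} IRP32_PREFIX;

static const struct { const char *name; size_t offset; } irp_fields[] = {
    { "Type",                 offsetof(IRP32_PREFIX, Type) },
    { "Size",                 offsetof(IRP32_PREFIX, Size) },
    { "MdlAddress",           offsetof(IRP32_PREFIX, MdlAddress) },
    { "Flags",                offsetof(IRP32_PREFIX, Flags) },
    { "AssociatedIrp",        offsetof(IRP32_PREFIX, AssociatedIrp) },
    { "ThreadListEntry",      offsetof(IRP32_PREFIX, ThreadListEntry) },
    { "IoStatus.Status",      offsetof(IRP32_PREFIX, IoStatus.Status) },
    { "IoStatus.Information", offsetof(IRP32_PREFIX, IoStatus.Information) },
};

/* Map bugcheck Arg1 ("memory referenced") to the IRP field that a NULL
 * IRP pointer would touch; returns NULL when no field starts there. */
const char *null_irp_field(uint32_t referenced)
{
    for (size_t i = 0; i < sizeof irp_fields / sizeof irp_fields[0]; i++)
        if (irp_fields[i].offset == referenced)
            return irp_fields[i].name;
    return NULL;
}

int main(void)
{
    uint32_t arg1 = 0x00000018;   /* Arg1 from the crash dump above */
    const char *field = null_irp_field(arg1);
    printf("Arg1 0x%08x -> NULL IRP + %s\n", (unsigned)arg1,
           field ? field : "(no field at this offset)");
    return field && strcmp(field, "IoStatus.Status") == 0 ? 0 : 1;
}
```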


I can’t find a reason why it would be NULL. This seems to run for many hours and will crash at random. It had been running for nearly a decade as well. I’m not sure why it would be null. Is there perhaps something I should be looking for?

How do you synchronize access of the IRP in the ISR with code outside of the ISR? Does the code outside of the ISR acquire the interrupt spinlock? Does the driver assume the ISR is the only driver code that can be running when touching the IRP?
