Bartjan,
This is KERNEL code - there’s no privilege issue at this level. It is
difficult to believe that this is a “normal” mechanism for them, but is it
possible you are getting called with some OTHER Irp than the one you saw in
the original dispatch code?
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
“Whoever would overthrow the liberty of a nation must begin by subduing the
freeness of speech.”
– Benjamin Franklin
-----Original Message-----
From: Bartjan Wattel [mailto:xxxxx@zeelandnet.nl]
Sent: Tuesday, April 02, 2002 8:06 AM
To: File Systems Developers
Subject: [ntfsd] RE: Bugcheck 0xD5 accessing Irp in completion routine
Yes, there are other filter drivers on the stack (McAfee’s NaiFiltr).
Below I’ve pasted the stack. But do other filter drivers have the
privilege to free any Irp ? Do I need to probe the Irp address for
validness ?
Bartjan.
The call stack (ThTrac2k is my driver):
f73c7a9c 8042bef7 00000004 ffdff408 f73c7db0 nt!RtlpBreakWithStatusInstruction
f73c7acc 8042c438 00000004 c02b74bc 80062ea0 nt!KiBugCheckDebugBreak+0x31
f73c7e58 80449b3f 00000000 add2fffc 00000001 nt!KeBugCheckEx+0x5d7
f73c7ea0 80467cc6 00000001 add2fffc 00000000 nt!MmAccessFault+0x74e
f73c7ea0 f84f9d3e 00000001 add2fffc 00000000 nt!KiTrap0E+0xc3
f73c7f3c 8053013c 81590a40 a75d1e48 f84f4cab ThTrac2k!ThTrackMountHookDone+0xe
f73c7f84 8052fd69 00000000 81597de8 00000000 nt!IovSpecialIrpCompleteRequest+0x18c
f73c7f9c bfe7e65d 00000001 81597de8 bfe9c98a nt!IovCompleteRequest+0xa4
f73c8038 bfe9ca35 81597de8 a75d1e48 8174a020 Ntfs!NtfsCommonWrite+0x14e
f73c80a8 80530510 8174a020 a75d1e48 a75d1e48 Ntfs!NtfsWriteLog+0x6ed
f73c80f4 8052fcd5 817bce00 a75d1fb4 a75d1e48 nt!IovSpecialIrpCallDriver+0xcd
f73c8110 eb3fbcb3 817bce00 80063124 81685e10 nt!IovCallDriver+0x31
f73c813c eb3fc216 817bce00 a75d1e48 80530510 NaiFiltr+0x3cb3
f73c8194 8052fcd5 a75d1fd0 f84f99d9 add2ff18 NaiFiltr+0x4216
f73c81b0 f84faf47 81590a40 81590a40 817b5630 nt!IovCallDriver+0x31
f73c8344 f84fb080 81590a40 a75d1e48 80063124 ThTrac2k!ThTrackDispatch+0xf6
f73c835c 80530510 f73c8df0 a75d1e48 a75d1e48 ThTrac2k!ThTrackDispatch+0x22f
f73c83a8 8052fcd5 8132c5e8 a75d1e48 00000000 nt!IovSpecialIrpCallDriver+0xcd
f73c83c4 f8e65089 00000200 814e6188 a85bbe30 nt!IovCallDriver+0x31
f73c8424 f8e8bf9c 00000006 b1d89fa0 00000014 mrxsmb!Nt5CscXxxInformation+0xd0
f73c86c8 f8e7416f 81128b48 b1d89fa0 81128bc8 mrxsmb!MRxSmbCscSetFileInfoEpilogue+0x2a4
f73c8748 f8eb7f58 81128b00 a85bbb68 f8ec6ad1 mrxsmb!MRxSmbSetFileInformation+0x348
f73c8754 f8ec6ad1 81128b48 00000014 a85bbb58 rdbss!RxpSetInfoMiniRdr+0x61
f73c87e8 f8ec51f0 81128b48 b286df20 81128b48 rdbss!RxSetEndOfFileInfo+0x19f
f73c8848 f8eb63a6 81128b48 8113a468 817e7610 rdbss!RxCommonSetInformation+0x1b8
f73c88f8 f8ebe4d8 f8ebc918 815e4306 b286dfb4 rdbss!RxFsdCommonDispatch+0x2a6
f73c8928 f8e68fe5 817e7610 b286df20 817e7610 rdbss!RxFsdDispatch+0xac
f73c8948 80530510 817e7610 b286df01 b286df20 mrxsmb!MRxSmbFsdDispatch+0x118
f73c8994 8052fcd5 81627800 b286dfb4 b286df20 nt!IovSpecialIrpCallDriver+0xcd
f73c89b0 eb3fbcb3 81627800 80063124 81685e10 nt!IovCallDriver+0x31
f73c89dc eb3fc216 81627800 b286df20 80530510 NaiFiltr+0x3cb3
f73c8a34 8052fcd5 b286dfd0 f84f99d9 ade35f18 NaiFiltr+0x4216
f73c8a50 f84faf47 81573cc0 81573cc0 817b5630 nt!IovCallDriver+0x31
f73c8be4 f84fb080 81573cc0 b286df20 80063124 ThTrac2k!ThTrackDispatch+0xf6
f73c8bfc 80530510 f73c8df0 b286df20 b286df20 ThTrac2k!ThTrackDispatch+0x22f
f73c8c48 804b6654 f73c8d64 0012ed38 8049e4b6 nt!IovSpecialIrpCallDriver+0xcd
f73c8d48 804649a1 0000029c 0012ed40 0012ed50 nt!NtSetInformationFile+0x58a
f73c8d48 77f82e90 0000029c 0012ed40 0012ed50 nt!KiSystemService+0xc4
0012ed1c 77e872f9 0000029c 0012ed40 0012ed50 ntdll_77f80000!NtSetInformationFile+0xb
0012ed60 77a7a112 0000029c 0015f078 77a7a070 KERNEL32!BaseIsThisAConsoleName+0x5d
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Tuesday, 2 April 2002 15:00
To: File Systems Developers
Subject: [ntfsd] RE: Bugcheck 0xD5 accessing Irp in completion routine
The IRP has been freed, most likely. This could be because
someone ELSE called IoFreeIrp (for example). Are there other
filters in the stack?
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
“Whoever would overthrow the liberty of a nation must begin
by subduing the freeness of speech.”
– Benjamin Franklin
-----Original Message-----
From: Bartjan Wattel [mailto:xxxxx@zeelandnet.nl]
Sent: Tuesday, April 02, 2002 7:46 AM
To: File Systems Developers
Subject: [ntfsd] Bugcheck 0xD5 accessing Irp in completion routine
Hi guys,
In my code, I set a completion routine for IRP_MJ_FILE_SYSTEM_CONTROL,
minor function IRP_MN_MOUNT_VOLUME. In the completion path, the first
thing to do is to see if the operation was successful by examining
Irp->IoStatus.Status. However, at that specific instruction, the system
occasionally bugchecks with code 0xD5,
DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL. The debugger indicates that the
Irp->IoStatus is invalid… I assume that the Irp is gone… How in the
world is this possible?
Below you’ll find an excerpt of my code.
Best,
Bartjan.
From the main dispatch routine:
// Do we have a file-system specific thing going on here ?
case IRP_MJ_FILE_SYSTEM_CONTROL:
    if ( currentIrpStack->MinorFunction == IRP_MN_MOUNT_VOLUME )
    {
        IoCopyCurrentIrpStackLocationToNext(Irp);
        IoSetCompletionRoutine( Irp,
            MyDriverMountHookDone, (PVOID) NULL, TRUE, TRUE, TRUE );
        return ( IoCallDriver(hookExt->FileSystem, Irp) );
    }
    // else passthrough
The completion routine looks like this:
NTSTATUS
MyDriverMountHookDone(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context )
{
    // Only do this if the operation was valid
    if ( NT_SUCCESS(Irp->IoStatus.Status) )
    {
        // do something
    }
    //
    // Now we have to mark Irp as pending if necessary, and
    // we can bail out then.
    //
    if ( Irp->PendingReturned )
        IoMarkIrpPending( Irp );
    return Irp->IoStatus.Status;
}
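A triage sketch for the question raised in the top reply (is the completion routine being handed a different Irp than the one dispatch saw?), added here as an example and not code from anyone in the thread: it rejoins mail-wrapped `kb` frames and compares the second argument of the completion frame with that of the nearest dispatch frame beneath it. The names `parse_kb` and `compare_irp` are hypothetical, and the argument columns are assumed to be trustworthy for these frames.

```python
import re

# Frames copied from the stack pasted in the thread (a subset); some are
# folded the way a mail client wraps long lines (symbol on its own line).
STACK = """\
f73c7f3c 8053013c 81590a40 a75d1e48 f84f4cab
ThTrac2k!ThTrackMountHookDone+0xe
f73c7f9c bfe7e65d 00000001 81597de8 bfe9c98a nt!IovCompleteRequest+0xa4
f73c8038 bfe9ca35 81597de8 a75d1e48 8174a020 Ntfs!NtfsCommonWrite+0x14e
f73c813c eb3fc216 817bce00 a75d1e48 80530510 NaiFiltr+0x3cb3
f73c8344 f84fb080 81590a40 a75d1e48 80063124
ThTrac2k!ThTrackDispatch+0xf6
f73c89dc eb3fc216 81627800 b286df20 80530510 NaiFiltr+0x3cb3
f73c8be4 f84fb080 81573cc0 b286df20 80063124
ThTrac2k!ThTrackDispatch+0xf6
"""

FRAME = re.compile(r"^((?:[0-9a-f]{8} ){4}[0-9a-f]{8})(?: (\S+))?$")

def parse_kb(text):
    """Rejoin wrapped `kb` frames into {'sym', 'module', 'args'} records."""
    frames = []
    for line in (l.strip() for l in text.splitlines()):
        m = FRAME.match(line)
        if m:
            words = m.group(1).split()   # ChildEBP, RetAddr, then three args
            frames.append({"sym": m.group(2), "args": tuple(words[2:])})
        elif line and frames and frames[-1]["sym"] is None:
            frames[-1]["sym"] = line     # symbol that wrapped onto its own line
    for f in frames:
        f["module"] = re.split(r"[!+]", f["sym"] or "?")[0]
    return frames

def compare_irp(frames, completion, dispatch):
    """Compare arg 2 (the PIRP slot of dispatch and completion routines) of the
    completion frame with the nearest older `dispatch` frame.
    Assumption: the kb argument columns are raw stack dwords and are only
    meaningful when the frame was not optimised (FPO)."""
    idx = next(i for i, f in enumerate(frames) if (f["sym"] or "").startswith(completion))
    done = frames[idx]["args"][1]
    seen = next(f["args"][1] for f in frames[idx + 1:]
                if (f["sym"] or "").startswith(dispatch))
    return done, seen, done == seen

if __name__ == "__main__":
    fr = parse_kb(STACK)
    print(compare_irp(fr, "ThTrac2k!ThTrackMountHookDone", "ThTrac2k!ThTrackDispatch"))
```

On the pasted frames, the completion frame and the nearest ThTrackDispatch frame carry the same second argument, a75d1e48, while the outer ThTrackDispatch frame is handling b286df20.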