FW: IRP with bad MDL.

Hi all,

I’m having some trouble in the ReadWrite dispatch routine.
The driver works with direct IO.
The routine basically forwards the IRP to other lower drivers through some logic in the middle.
This logic builds a new IRP to the lower driver.
Sometimes the logic builds the MDL for the new IRP from a buffer, and sometimes it builds the MDL from the MDL of the old IRP.

The problem is that after a few successful IOs, the ReadWrite routine gets an IRP with a bad MDL: its virtual address is null, and of course the program can’t continue and build the new IRP.

For the extraction of the virtual address I’m using MmGetMdlVirtualAddress and MmGetMdlByteCount; for the build of the new MDL I’m using IoAllocateMdl, and IoBuildPartialMdl for MDL-from-MDL or MmBuildMdlForNonPagedPool for MDL-from-buffer.

Appended is a dump of the bad IRP and its IO_STACK; the bad MDL in the IRP is marked.

If you have any ideas I’ll be happy to hear them.

Thanks.
Best Regards, Tamir

kd> dt saview!_IRP 0xbb574e48 -r
   +0x000 Type : 6
   +0x002 Size : 0x1b4
   +0x004 MdlAddress : 0xeb43fb0c
      +0x000 Next : (null)
      +0x004 Size : 92
      +0x006 MdlFlags : 2
      +0x008 Process : 0xbb916e48
      +0x00c MappedSystemVa : (null)
      +0x010 StartVa : (null) <- this is the bad address
      +0x014 ByteCount : 0x1000
      +0x018 ByteOffset : 0
   +0x008 Flags : 0x40000043
   +0x00c AssociatedIrp : __unnamed
      +0x000 MasterIrp : (null)
      +0x000 IrpCount : 0
      +0x000 SystemBuffer : (null)
   +0x010 ThreadListEntry : _LIST_ENTRY [0xbb574e58 - 0xbb574e58]
      +0x000 Flink : 0xbb574e58 [0xbb574e58 - 0xbb574e58]
         +0x000 Flink : 0xbb574e58 [0xbb574e58 - 0xbb574e58]
         +0x004 Blink : 0xbb574e58 [0xbb574e58 - 0xbb574e58]
      +0x004 Blink : 0xbb574e58 [0xbb574e58 - 0xbb574e58]
         +0x000 Flink : 0xbb574e58 [0xbb574e58 - 0xbb574e58]
         +0x004 Blink : 0xbb574e58 [0xbb574e58 - 0xbb574e58]
   +0x018 IoStatus : _IO_STATUS_BLOCK
      +0x000 Status : 0
      +0x000 Pointer : (null)
      +0x004 Information : 0
   +0x020 RequestorMode : 0 ''
   +0x021 PendingReturned : 0 ''
   +0x022 StackCount : 9 ''
   +0x023 CurrentLocation : 6 ''
   +0x024 Cancel : 0 ''
   +0x025 CancelIrql : 0 ''
   +0x026 ApcEnvironment : 0 ''
   +0x027 AllocationFlags : 0x80 ''
   +0x028 UserIosb : 0xeb43fd50
      +0x000 Status : 0
      +0x000 Pointer : (null)
      +0x004 Information : 0
   +0x02c UserEvent : 0xeb43fb7c
      +0x000 Header : _DISPATCHER_HEADER
         +0x000 Type : 0 ''
         +0x001 Absolute : 0 ''
         +0x002 Size : 0x4 ''
         +0x003 Inserted : 0 ''
         +0x004 SignalState : 0
         +0x008 WaitListHead : _LIST_ENTRY [0xeb43fb84 - 0xeb43fb84]
   +0x030 Overlay : __unnamed
      +0x000 AsynchronousParameters : __unnamed
         +0x000 UserApcRoutine : (null)
         +0x004 UserApcContext : (null)
      +0x000 AllocationSize : _LARGE_INTEGER 0x0
         +0x000 LowPart : 0
         +0x004 HighPart : 0
         +0x000 u : __unnamed
         +0x000 QuadPart : 0
   +0x038 CancelRoutine : (null)
   +0x03c UserBuffer : (null)
   +0x040 Tail : __unnamed
      +0x000 Overlay : __unnamed
         +0x000 DeviceQueueEntry : _KDEVICE_QUEUE_ENTRY
         +0x000 DriverContext : [4] (null)
         +0x010 Thread : 0x818a8620
         +0x014 AuxiliaryBuffer : (null)
         +0x018 ListEntry : _LIST_ENTRY [0x0 - 0x0]
         +0x020 CurrentStackLocation : 0xbb574f6c
         +0x020 PacketType : 0xbb574f6c
         +0x024 OriginalFileObject : 0x84bbfb48
      +0x000 Apc : _KAPC
         +0x000 Type : 0
         +0x002 Size : 0
         +0x004 Spare0 : 0
         +0x008 Thread : (null)
         +0x00c ApcListEntry : _LIST_ENTRY [0x0 - 0x818a8620]
         +0x014 KernelRoutine : (null)
         +0x018 RundownRoutine : (null)
         +0x01c NormalRoutine : (null)
         +0x020 NormalContext : 0xbb574f6c
         +0x024 SystemArgument1 : 0x84bbfb48
         +0x028 SystemArgument2 : (null)
         +0x02c ApcStateIndex : 0 ''
         +0x02d ApcMode : 0 ''
         +0x02e Inserted : 0 ''
      +0x000 CompletionKey : (null)

kd> !irp 0xbb574e48 1
Irp is active with 9 stacks 6 is current (= 0xbb574f6c)
 Mdl = eb43fb0c Thread 818a8620:  Irp stack trace.
Flags = 40000043
ThreadListEntry.Flink = bb574e58
ThreadListEntry.Blink = bb574e58
IoStatus.Status = 00000000
IoStatus.Information = 00000000
RequestorMode = 00000000
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = eb43fd50
UserEvent = eb43fb7c
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 00000000
&Tail.Overlay.DeviceQueueEntry = 00ebcf54
Tail.Overlay.Thread = 818a8620
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = bb574f6c
Tail.Overlay.OriginalFileObject = 84bbfb48
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

            Args: 00000000 00000000 00000000 00000000

>[  4,34]   0 e0 84bbf470 00000000 eb2b3658-00000000 Success Error Cancel
           \Driver\saview   savirt!Bus_PDO_QueryDeviceRelations
            Args: 00000400 00000000 0000ae00 00000000
 [  4,34]   0 e1 ff586e30 00000000 bffa4a20-84e34f08 Success Error Cancel pending
           \Driver\savirt   ftdisk!FtpRefCountCompletionRoutine
            Args: 00000400 00000000 0000ae00 00000000
 [  4, 0]   0 e1 84e34e50 00000000 bfe567ff-eb43f94c Success Error Cancel pending
           \Driver\Ftdisk   Ntfs!NtfsSingleSyncCompletionRoutine
            Args: 00000400 00000000 00003000 00000000
 [  4, 0]   0  0 839da800 84bbfb48 00000000-00000000
           \FileSystem\Ntfs
            Args: 00001000 00000000 00000000 00000000

kd> dt saview!_IO_STACK_LOCATION 0xbb574f6c -r
   +0x000 MajorFunction : 0x4 ''
   +0x001 MinorFunction : 0x34 '4'
   +0x002 Flags : 0 ''
   +0x003 Control : 0xe0 ''
   +0x004 Parameters : __unnamed
      +0x000 Create : __unnamed
         +0x000 SecurityContext : 0x00000400
         +0x004 Options : 0
         +0x008 FileAttributes : 0xae00
         +0x00a ShareAccess : 0
         +0x00c EaLength : 0
      +0x000 Read : __unnamed
         +0x000 Length : 0x400
         +0x004 Key : 0
         +0x008 ByteOffset : _LARGE_INTEGER 0xae00
      +0x000 Write : __unnamed
         +0x000 Length : 0x400
         +0x004 Key : 0
         +0x008 ByteOffset : _LARGE_INTEGER 0xae00
      +0x000 QueryFile : __unnamed
         +0x000 Length : 0x400
         +0x004 FileInformationClass : 0
      +0x000 SetFile : __unnamed
         +0x000 Length : 0x400
         +0x004 FileInformationClass : 0
         +0x008 FileObject : 0x0000ae00
         +0x00c ReplaceIfExists : 0 ''
         +0x00d AdvanceOnly : 0 ''
         +0x00c ClusterCount : 0
         +0x00c DeleteHandle : (null)
      +0x000 QueryVolume : __unnamed
         +0x000 Length : 0x400
         +0x004 FsInformationClass : 0
      +0x000 DeviceIoControl : __unnamed
         +0x000 OutputBufferLength : 0x400
         +0x004 InputBufferLength : 0
         +0x008 IoControlCode : 0xae00
         +0x00c Type3InputBuffer : (null)
      +0x000 QuerySecurity : __unnamed
         +0x000 SecurityInformation : 0x400
         +0x004 Length : 0
      +0x000 SetSecurity : __unnamed
         +0x000 SecurityInformation : 0x400
         +0x004 SecurityDescriptor : (null)
      +0x000 MountVolume : __unnamed
         +0x000 Vpb : 0x00000400
         +0x004 DeviceObject : (null)
      +0x000 VerifyVolume : __unnamed
         +0x000 Vpb : 0x00000400
         +0x004 DeviceObject : (null)
      +0x000 Scsi : __unnamed
         +0x000 Srb : 0x00000400
      +0x000 QueryDeviceRelations : __unnamed
         +0x000 Type : 1024
      +0x000 QueryInterface : __unnamed
         +0x000 InterfaceType : 0x00000400
         +0x004 Size : 0
         +0x006 Version : 0
         +0x008 Interface : 0x0000ae00
         +0x00c InterfaceSpecificData : (null)
      +0x000 DeviceCapabilities : __unnamed
         +0x000 Capabilities : 0x00000400
      +0x000 FilterResourceRequirements : __unnamed
         +0x000 IoResourceRequirementList : 0x00000400
      +0x000 ReadWriteConfig : __unnamed
         +0x000 WhichSpace : 0x400
         +0x004 Buffer : (null)
         +0x008 Offset : 0xae00
         +0x00c Length : 0
      +0x000 SetLock : __unnamed
         +0x000 Lock : 0 ''
      +0x000 QueryId : __unnamed
         +0x000 IdType : 1024
      +0x000 QueryDeviceText : __unnamed
         +0x000 DeviceTextType : 1024
         +0x004 LocaleId : 0
      +0x000 UsageNotification : __unnamed
         +0x000 InPath : 0 ''
         +0x001 Reserved : [3] "???"
         +0x004 Type : 0
      +0x000 WaitWake : __unnamed
         +0x000 PowerState : 1024
      +0x000 PowerSequence : __unnamed
         +0x000 PowerSequence : 0x00000400
      +0x000 Power : __unnamed
         +0x000 SystemContext : 0x400
         +0x004 Type : 0
         +0x008 State : _POWER_STATE
         +0x00c ShutdownType : 0
      +0x000 StartDevice : __unnamed
         +0x000 AllocatedResources : 0x00000400
         +0x004 AllocatedResourcesTranslated : (null)
      +0x000 WMI : __unnamed
         +0x000 ProviderId : 0x400
         +0x004 DataPath : (null)
         +0x008 BufferSize : 0xae00
         +0x00c Buffer : (null)
      +0x000 Others : __unnamed
         +0x000 Argument1 : 0x00000400
         +0x004 Argument2 : (null)
         +0x008 Argument3 : 0x0000ae00
         +0x00c Argument4 : (null)
   +0x014 DeviceObject : 0x84bbf470
      +0x000 Type : 3
      +0x002 Size : 0x148
      +0x004 ReferenceCount : 0
      +0x008 DriverObject : 0x8150d1f0
         +0x000 Type : 4
         +0x002 Size : 168
         +0x004 DeviceObject : 0x84bbf470
         +0x008 Flags : 0x12
         +0x00c DriverStart : 0xbfc50000
         +0x010 DriverSize : 0x1aaf60
         +0x014 DriverSection : 0x818ceb48
         +0x018 DriverExtension : 0x8150d298
         +0x01c DriverName : _UNICODE_STRING "\Driver\saview"
         +0x024 HardwareDatabase : 0x8053fd98 "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
         +0x028 FastIoDispatch : (null)
         +0x02c DriverInit : 0xbfc5baa1 saview!DriverEntry+0
         +0x030 DriverStartIo : (null)
         +0x034 DriverUnload : 0xbfc5bc5d saview!SaViewDriverUnload+0
         +0x038 MajorFunction : [28] 0xbfc5bcc0 saview!SaViewCreateClose+0
      +0x00c NextDevice : 0x81881cf0
         +0x000 Type : 3
         +0x002 Size : 0x1c8
         +0x004 ReferenceCount : 1
         +0x008 DriverObject : 0x8150d1f0
         +0x00c NextDevice : (null)
         +0x010 AttachedDevice : (null)
         +0x014 CurrentIrp : (null)
         +0x018 Timer : (null)
         +0x01c Flags : 0x40
         +0x020 Characteristics : 0
         +0x024 Vpb : (null)
         +0x028 DeviceExtension : 0x81881da8
         +0x02c DeviceType : 0x22
         +0x030 StackSize : 1 ''
         +0x034 Queue : __unnamed
         +0x05c AlignmentRequirement : 0
         +0x060 DeviceQueue : _KDEVICE_QUEUE
         +0x074 Dpc : _KDPC
         +0x094 ActiveThreadCount : 0
         +0x098 SecurityDescriptor : 0xe13b01a8
         +0x09c DeviceLock : _KEVENT
         +0x0ac SectorSize : 0
         +0x0ae Spare1 : 0
         +0x0b0 DeviceObjectExtension : 0x81881eb8
         +0x0b4 Reserved : (null)
      +0x010 AttachedDevice : (null)
      +0x014 CurrentIrp : (null)
      +0x018 Timer : (null)
      +0x01c Flags : 0x50
      +0x020 Characteristics : 0x100
      +0x024 Vpb : (null)
      +0x028 DeviceExtension : 0x84bbf528
      +0x02c DeviceType : 0x22
      +0x030 StackSize : 1 ''
      +0x034 Queue : __unnamed
         +0x000 ListEntry : _LIST_ENTRY [0x0 - 0x0]
         +0x000 Wcb : _WAIT_CONTEXT_BLOCK
      +0x05c AlignmentRequirement : 0
      +0x060 DeviceQueue : _KDEVICE_QUEUE
         +0x000 Type : 20
         +0x002 Size : 20
         +0x004 DeviceListHead : _LIST_ENTRY [0x84bbf4d4 - 0x84bbf4d4]
         +0x00c Lock : 0
         +0x010 Busy : 0 ''
      +0x074 Dpc : _KDPC
         +0x000 Type : 0
         +0x002 Number : 0 ''
         +0x003 Importance : 0 ''
         +0x004 DpcListEntry : _LIST_ENTRY [0x0 - 0x0]
         +0x00c DeferredRoutine : (null)
         +0x010 DeferredContext : (null)
         +0x014 SystemArgument1 : (null)
         +0x018 SystemArgument2 : (null)
         +0x01c Lock : (null)
      +0x094 ActiveThreadCount : 0
      +0x098 SecurityDescriptor : 0xe1fb75e8
      +0x09c DeviceLock : _KEVENT
         +0x000 Header : _DISPATCHER_HEADER
      +0x0ac SectorSize : 0
      +0x0ae Spare1 : 0
      +0x0b0 DeviceObjectExtension : 0x84bbf5b8
         +0x000 Type : 13
         +0x002 Size : 0
         +0x004 DeviceObject : 0x84bbf470
      +0x0b4 Reserved : (null)
   +0x018 FileObject : (null)
   +0x01c CompletionRoutine : 0xeb2b3658 savirt!Bus_PDO_QueryDeviceRelations+0
   +0x020 Context : (null)

This mail was sent via storeage.com

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

Why on Earth use MmGetMdlVirtualAddress? The return value of this function
could be an index into an MDL, not a valid address at all. A driver must not
access the “memory” pointed to by the return value of this function. It’s mainly
used for doing MapTransfer in pre-DMA setup.

I did similar logic to yours (rebuilding the IRP and passing it down). I use
MmGetSystemAddressForMdlSafe.

Calvin Guan Windows DDK MVP
Staff SW Engineer, NetXtreme MINIPORT
Enterprise Network Controller Engineering
Broadcom Corporation www.broadcom.com

----- Original Message -----
From: “Tamir Offek”
To: “Windows System Software Devs Interest List”
Sent: Tuesday, June 07, 2005 12:52 AM
Subject: [ntdev] FW: IRP with bad MDL.

Hi all,

I’m having some trouble in ReadWrite dispatch routine.
The driver works with direct IO.
The routine is basically forwarding the IRP to other lower drivers through
some logic in the middle.
This logic builds a new IRP to the lower driver.
Sometimes the logic builds MDL for the new IRP from a buffer, and sometimes
it builds the MDL from the MDL of the old IRP.

The problem is that after a few successful IO’s, the ReadWrite routine gets
an IRP with a bad MDL, its virtual address is null, and of course the
program can’t continue and build the new IRP.

For the extraction of the virtual address I’m using MmGetMdlVirtualAddress
and MmGetMdlByteCount, for the build of the new MDL I’m using IoAllocateMdl,
and IoBuildPartialMdl for MDL from MDL or MmBuildMdlForNonPagedPool for MDL
from buffer.

Appended a dump of the bad IRP and its IO_STACK the bad MDL in the IRP is
marked.

If you have any ideas I’ll be happy to get it.

Thanks.
Best Regards, Tamir


Think of the value you get back as the “starting index” of the MDL, not an actual address. The value is often a pointer, but kernel components can build MDLs that have no virtual address. You can still build a partial MDL from this MDL (the address you pass into IoBuildPartialMdl gets the MDL’s “starting index” subtracted from it to form an offset into the buffer).

-p
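To make the two answers above concrete (Calvin's point that the MmGetMdlVirtualAddress value is an index rather than a dereferenceable pointer, and -p's point that IoBuildPartialMdl only ever subtracts that index to form an offset), here is an added user-mode model of the MDL bookkeeping. It is example code written for this page, not code from the thread participants or from the Windows DDK. The `model_mdl` struct mirrors only the field order visible in the kd dump; `model_mdl_virtual_address`, `model_system_address_safe` and `model_build_partial_mdl` are constructed stand-ins for MmGetMdlVirtualAddress, MmGetSystemAddressForMdlSafe and IoBuildPartialMdl; the page-size constant, the PFN values and the second-case addresses are assumed. The dumped MDL is reproduced from the post (StartVa NULL, MappedSystemVa NULL, MdlFlags 2, ByteCount 0x1000, ByteOffset 0) and the example shows both why its "virtual address" comes out as 0 and that a partial MDL can still be built from it by index arithmetic alone.

```c
/* Added user-mode model of the MDL bookkeeping discussed in this thread.
 * Constructed for illustration: model_mdl mirrors the field order shown in the
 * kd dump but is NOT ntddk.h's _MDL, and every model_* function is a stand-in
 * for the kernel export it is named after, not the real one. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE  0x1000u         /* assumed x86 page size */
#define MODEL_PAGE_SHIFT 12
#define MODEL_MAX_PFNS   16
#define MDL_MAPPED_TO_SYSTEM_VA 0x0001   /* real MdlFlags bit values */
#define MDL_PAGES_LOCKED        0x0002   /* the dump shows MdlFlags = 2 */
#define MDL_PARTIAL             0x0010

typedef struct model_mdl {
    struct model_mdl *Next;
    uint16_t  Size;
    uint16_t  MdlFlags;
    void     *Process;
    void     *MappedSystemVa;   /* kernel mapping, meaningful only with MDL_MAPPED_TO_SYSTEM_VA */
    void     *StartVa;          /* page-aligned base of the described buffer; may be NULL */
    uint32_t  ByteCount;
    uint32_t  ByteOffset;       /* offset of the first byte inside the first page */
    uintptr_t Pfn[MODEL_MAX_PFNS];
} model_mdl;

/* Stand-in for MmGetMdlVirtualAddress: StartVa + ByteOffset. This is the MDL's
 * "starting index"; with StartVa == NULL it is 0, exactly what the dump shows,
 * and it must never be dereferenced. */
static uintptr_t model_mdl_virtual_address(const model_mdl *m)
{
    return (uintptr_t)m->StartVa + m->ByteOffset;
}

/* Stand-in for what a caller relies on from MmGetSystemAddressForMdlSafe: data is
 * touched only through a system mapping of the locked pages. The real routine
 * creates that mapping on demand; this model cannot, so it returns the existing
 * mapping or NULL, which is also the Safe variant's failure value. */
static void *model_system_address_safe(const model_mdl *m)
{
    return (m->MdlFlags & MDL_MAPPED_TO_SYSTEM_VA) ? m->MappedSystemVa : NULL;
}

/* Stand-in for IoBuildPartialMdl(Source, Target, VirtualAddress, Length).
 * VirtualAddress is used only relative to the source's starting index, so the
 * construction works even when the source has no real StartVa. Returns the page
 * count of the partial MDL, or -1 when the range is not inside the source
 * (the kernel would bugcheck on such a request). */
static int model_build_partial_mdl(const model_mdl *src, model_mdl *dst,
                                   uintptr_t va, uint32_t length)
{
    uintptr_t base = model_mdl_virtual_address(src);
    if (va < base || length == 0 || (va - base) + length > src->ByteCount)
        return -1;

    uint32_t offset      = (uint32_t)(va - base);        /* byte offset into the source buffer */
    uint32_t abs_offset  = src->ByteOffset + offset;     /* offset from the source's StartVa */
    uint32_t first_page  = abs_offset >> MODEL_PAGE_SHIFT;
    uint32_t byte_offset = abs_offset & (MODEL_PAGE_SIZE - 1);
    uint32_t page_count  = (byte_offset + length + MODEL_PAGE_SIZE - 1) >> MODEL_PAGE_SHIFT;

    memset(dst, 0, sizeof(*dst));
    dst->StartVa    = (void *)((uintptr_t)src->StartVa + (abs_offset & ~(MODEL_PAGE_SIZE - 1)));
    dst->ByteOffset = byte_offset;
    dst->ByteCount  = length;
    dst->Process    = src->Process;
    dst->MdlFlags   = (uint16_t)(MDL_PARTIAL | (src->MdlFlags & MDL_PAGES_LOCKED));
    memcpy(dst->Pfn, &src->Pfn[first_page], page_count * sizeof(dst->Pfn[0]));
    return (int)page_count;
}

/* The MDL from the kd dump in Tamir's post. The PFN is constructed; the dump
 * does not show the page array. */
static model_mdl make_dumped_mdl(void)
{
    model_mdl m;
    memset(&m, 0, sizeof(m));
    m.Size      = 92;
    m.MdlFlags  = MDL_PAGES_LOCKED;
    m.ByteCount = 0x1000;
    m.Pfn[0]    = 0x1a2b3;          /* constructed page frame number */
    return m;
}

/* The post's approach: use the starting index as the buffer address. Returns 1
 * when that "address" is NULL and no system mapping exists, i.e. nothing may be
 * read or written through it. */
static int dumped_mdl_index_is_null(void)
{
    model_mdl m = make_dumped_mdl();
    return model_mdl_virtual_address(&m) == 0 && model_system_address_safe(&m) == NULL;
}

/* The replies' approach: a partial MDL for bytes [0x200, 0x600) of the dumped
 * MDL, built from index arithmetic alone. Returns its page count, or -1. */
static int dumped_mdl_partial_pages(model_mdl *out)
{
    model_mdl src = make_dumped_mdl();
    uintptr_t index = model_mdl_virtual_address(&src);   /* 0 for this MDL */
    return model_build_partial_mdl(&src, out, index + 0x200, 0x400);
}

int main(void)
{
    model_mdl part;
    int pages = dumped_mdl_partial_pages(&part);
    printf("dumped MDL starting index is NULL: %d\n", dumped_mdl_index_is_null());
    printf("partial MDL: %d page(s), ByteOffset 0x%x, ByteCount 0x%x, MdlFlags 0x%x\n",
           pages, part.ByteOffset, part.ByteCount, part.MdlFlags);
    return 0;
}
```

The defensive reading of the dump is the `dumped_mdl_index_is_null` case: a ReadWrite path that treats the index as a pointer ends up touching address 0 (or, for an MDL built by another kernel component, an arbitrary value) at kernel privilege, which is a crash at best. If the forwarding logic genuinely needs to read or write the data, the mapped address from MmGetSystemAddressForMdlSafe, checked for NULL, is the only one safe to dereference; if it only needs to describe a sub-range to a lower driver, the `dumped_mdl_partial_pages` case shows that no address is needed at all, only the index plus an offset, and the range check in `model_build_partial_mdl` is the one a driver should perform against MmGetMdlByteCount before calling the real routine.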

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tamir Offek
Sent: Tuesday, June 07, 2005 12:52 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] FW: IRP with bad MDL.

Hi all,

I’m having some trouble in ReadWrite dispatch routine.
The driver works with direct IO.
The routine is basically forwarding the IRP to other lower
drivers through some logic in the middle.
This logic builds a new IRP to the lower driver.
Sometimes the logic builds MDL for the new IRP from a buffer,
and sometimes it builds the MDL from the MDL of the old IRP.

The problem is that after a few successful IO’s, the
ReadWrite routine gets an IRP with a bad MDL, its virtual
address is null, and of course the program can’t continue and
build the new IRP.

For the extraction of the virtual address I’m using
MmGetMdlVirtualAddress and MmGetMdlByteCount, for the build
of the new MDL I’m using IoAllocateMdl, and IoBuildPartialMdl
for MDL from MDL or MmBuildMdlForNonPagedPool for MDL from buffer.

Appended a dump of the bad IRP and its IO_STACK the bad MDL
in the IRP is marked.
?
If you have any ideas I’ll be happy to get it.

Thanks.
Best Regards, Tamir

kd> dt saview!_IRP 0xbb574e48 -r
?? +0x000 Type??? : 6
?? +0x002 Size??? : 0x1b4
?? +0x004 MdlAddress??? : 0xeb43fb0c
??? +0x000 Next??? : (null)
??? +0x004 Size??? : 92
??? +0x006 MdlFlags??? : 2
??? +0x008 Process??? : 0xbb916e48
??? +0x00c MappedSystemVa?? : (null)
??? +0x010 StartVa??? : (null) <- this is
the bad address
??? +0x014 ByteCount??? : 0x1000
??? +0x018 ByteOffset??? : 0
?? +0x008 Flags??? : 0x40000043
?? +0x00c AssociatedIrp?? ?: __unnamed
??? +0x000 MasterIrp??? : (null)
??? +0x000 IrpCount??? : 0
??? +0x000 SystemBuffer??? : (null)
?? +0x010 ThreadListEntry? : _LIST_ENTRY [0xbb574e58 - 0xbb574e58]
??? +0x000 Flink??? : 0xbb574e58? [ 0xbb574e58 -
0xbb574e58 ]
??? +0x000 Flink??? : 0xbb574e58? [ 0xbb574e58 -
0xbb574e58 ]
??? +0x004 Blink??? : 0xbb574e58? [ 0xbb574e58 -
0xbb574e58 ]
??? +0x004 Blink??? : 0xbb574e58? [ 0xbb574e58 -
0xbb574e58 ]
??? +0x000 Flink??? : 0xbb574e58? [ 0xbb574e58 -
0xbb574e58 ]
??? +0x004 Blink??? : 0xbb574e58? [ 0xbb574e58 -
0xbb574e58 ]
?? +0x018 IoStatus??? : _IO_STATUS_BLOCK
??? +0x000 Status?? ???: 0
??? +0x000 Pointer??? : (null)
??? +0x004 Information??? : 0
?? +0x020 RequestorMode??? : 0 ‘’
?? +0x021 PendingReturned? : 0 ‘’
?? +0x022 StackCount??? : 9 ‘’
?? +0x023 CurrentLocation? : 6 ‘’
?? +0x024 Cancel??? : 0 ‘’
?? +0x025 CancelIrql??? : 0 ‘’
?? +0x026 ApcEnvironment?? : 0 ‘’
?? +0x027 AllocationFlags? : 0x80 ‘’
?? +0x028 UserIosb??? : 0xeb43fd50
??? +0x000 Status??? : 0
??? +0x000 Pointer??? : (null)
??? +0x004 Information??? : 0
? ?+0x02c UserEvent??? : 0xeb43fb7c
??? +0x000 Header??? : _DISPATCHER_HEADER
??? +0x000 Type??? : 0 ‘’
??? +0x001 Absolute??? : 0 ‘’
??? +0x002 Size??? : 0x4 ‘’
??? +0x003 Inserted??? : 0 ‘’
??? +0x004 SignalState??? : 0
??? +0x008 WaitListHead??? : _LIST_ENTRY [ 0xeb43fb84 -
0xeb43fb84 ]
?? +0x030 Overlay??? : __unnamed
??? +0x000 AsynchronousParameters : __unnamed
??? +0x000 UserApcRoutine?? : (null)
??? +0x004 UserApcContext?? : (null)
??? +0x000 AllocationSize?? : _LARGE_INTEGER 0x0
??? +0x000 LowPart??? : 0
??? +0x004 HighPart??? : 0
??? +0x000 u??? : __unnamed
??? +0x000 QuadPart??? : 0
?? +0x038 CancelRoutine??? : (null)
?? +0x03c UserBuffer??? : (null)
?? +0x040 Tail??? : __unnamed
??? +0x000 Overlay??? : __unnamed
??? +0x000 DeviceQueueEntry : _KDEVICE_QUEUE_ENTRY
??? +0x000 DriverContext??? : [4] (null)
??? +0x010 Thread??? : 0x818a8620
??? +0x014 AuxiliaryBuffer? : (null)
??? +0x018 ListEntry??? : _LIST_ENTRY [0x0 - 0x0]
??? +0x020 CurrentStackLocation : 0xbb574f6c
??? +0x020 PacketType??? : 0xbb574f6c
??? +0x024 OriginalFileObject : 0x84bbfb48
??? +0x000 Apc??? : _KAPC
??? +0x000 Type??? : 0
??? +0x002 Size??? : 0
??? +0x004 Spare0??? : 0
??? +0x008 Thread??? : (null)
??? +0x00c ApcListEntry??? : _LIST_ENTRY [0x0 - 0x818a8620]
??? +0x014 KernelRoutine??? : (null)
??? +0x018 RundownRoutine?? : (null)
??? +0x01c NormalRoutine??? : (null)
??? +0x020 NormalContext??? : 0xbb574f6c
??? +0x024 SystemArgument1? : 0x84bbfb48
??? +0x028 SystemArgument2? : (null)
??? +0x02c ApcStateIndex??? : 0 ‘’
??? +0x02d ApcMode??? : 0 ‘’
??? +0x02e Inserted??? : 0 ‘’
??? +0x000 CompletionKey??? : (null)

kd> !irp 0xbb574e48 1
Irp is active with 9 stacks 6 is current (= 0xbb574f6c)
 Mdl = eb43fb0c Thread 818a8620:  Irp stack trace.
Flags = 40000043
ThreadListEntry.Flink = bb574e58
ThreadListEntry.Blink = bb574e58
IoStatus.Status = 00000000
IoStatus.Information = 00000000
RequestorMode = 00000000
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = eb43fd50
UserEvent = eb43fb7c
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 00000000
&Tail.Overlay.DeviceQueueEntry = 00ebcf54
Tail.Overlay.Thread = 818a8620
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = bb574f6c
Tail.Overlay.OriginalFileObject = 84bbfb48
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

            Args: 00000000 00000000 00000000 00000000
>[  4,34]   0 e0 84bbf470 00000000 eb2b3658-00000000 Success Error Cancel
           \Driver\saview   savirt!Bus_PDO_QueryDeviceRelations
            Args: 00000400 00000000 0000ae00 00000000
 [  4,34]   0 e1 ff586e30 00000000 bffa4a20-84e34f08 Success Error Cancel pending
           \Driver\savirt   ftdisk!FtpRefCountCompletionRoutine
            Args: 00000400 00000000 0000ae00 00000000
 [  4, 0]   0 e1 84e34e50 00000000 bfe567ff-eb43f94c Success Error Cancel pending
           \Driver\Ftdisk   Ntfs!NtfsSingleSyncCompletionRoutine
            Args: 00000400 00000000 00003000 00000000
 [  4, 0]   0  0 839da800 84bbfb48 00000000-00000000
           \FileSystem\Ntfs
            Args: 00001000 00000000 00000000 00000000

kd> dt saview!_IO_STACK_LOCATION 0xbb574f6c -r
   +0x000 MajorFunction    : 0x4 ''
   +0x001 MinorFunction    : 0x34 '4'
   +0x002 Flags            : 0 ''
   +0x003 Control          : 0xe0 ''
   +0x004 Parameters       : __unnamed
      +0x000 Create           : __unnamed
      +0x000 SecurityContext  : 0x00000400
      +0x004 Options          : 0
      +0x008 FileAttributes   : 0xae00
      +0x00a ShareAccess      : 0
      +0x00c EaLength         : 0
      +0x000 Read             : __unnamed
      +0x000 Length           : 0x400
      +0x004 Key              : 0
      +0x008 ByteOffset       : _LARGE_INTEGER 0xae00
      +0x000 Write            : __unnamed
      +0x000 Length           : 0x400
      +0x004 Key              : 0
      +0x008 ByteOffset       : _LARGE_INTEGER 0xae00
      +0x000 QueryFile        : __unnamed
      +0x000 Length           : 0x400
      +0x004 FileInformationClass : 0
      +0x000 SetFile          : __unnamed
      +0x000 Length           : 0x400
      +0x004 FileInformationClass : 0
      +0x008 FileObject       : 0x0000ae00
      +0x00c ReplaceIfExists  : 0 ''
      +0x00d AdvanceOnly      : 0 ''
      +0x00c ClusterCount     : 0
      +0x00c DeleteHandle     : (null)
      +0x000 QueryVolume      : __unnamed
      +0x000 Length           : 0x400
      +0x004 FsInformationClass : 0
      +0x000 DeviceIoControl  : __unnamed
      +0x000 OutputBufferLength : 0x400
      +0x004 InputBufferLength : 0
      +0x008 IoControlCode    : 0xae00
      +0x00c Type3InputBuffer : (null)
      +0x000 QuerySecurity    : __unnamed
      +0x000 SecurityInformation : 0x400
      +0x004 Length           : 0
      +0x000 SetSecurity      : __unnamed
      +0x000 SecurityInformation : 0x400
      +0x004 SecurityDescriptor : (null)
      +0x000 MountVolume      : __unnamed
      +0x000 Vpb              : 0x00000400
      +0x004 DeviceObject     : (null)
      +0x000 VerifyVolume     : __unnamed
      +0x000 Vpb              : 0x00000400
      +0x004 DeviceObject     : (null)
      +0x000 Scsi             : __unnamed
      +0x000 Srb              : 0x00000400
      +0x000 QueryDeviceRelations : __unnamed
      +0x000 Type             : 1024
      +0x000 QueryInterface   : __unnamed
      +0x000 InterfaceType    : 0x00000400
      +0x004 Size             : 0
      +0x006 Version          : 0
      +0x008 Interface        : 0x0000ae00
      +0x00c InterfaceSpecificData : (null)
      +0x000 DeviceCapabilities : __unnamed
      +0x000 Capabilities     : 0x00000400
      +0x000 FilterResourceRequirements : __unnamed
      +0x000 IoResourceRequirementList : 0x00000400
      +0x000 ReadWriteConfig  : __unnamed
      +0x000 WhichSpace       : 0x400
      +0x004 Buffer           : (null)
      +0x008 Offset           : 0xae00
      +0x00c Length           : 0
      +0x000 SetLock          : __unnamed
      +0x000 Lock             : 0 ''
      +0x000 QueryId          : __unnamed
      +0x000 IdType           : 1024
      +0x000 QueryDeviceText  : __unnamed
      +0x000 DeviceTextType   : 1024
      +0x004 LocaleId         : 0
      +0x000 UsageNotification : __unnamed
      +0x000 InPath           : 0 ''
      +0x001 Reserved         : [3] "???"
      +0x004 Type             : 0
      +0x000 WaitWake         : __unnamed
      +0x000 PowerState       : 1024
      +0x000 PowerSequence    : __unnamed
      +0x000 PowerSequence    : 0x00000400
      +0x000 Power            : __unnamed
      +0x000 SystemContext    : 0x400
      +0x004 Type             : 0
      +0x008 State            : _POWER_STATE
      +0x00c ShutdownType     : 0
      +0x000 StartDevice      : __unnamed
      +0x000 AllocatedResources : 0x00000400
      +0x004 AllocatedResourcesTranslated : (null)
      +0x000 WMI              : __unnamed
      +0x000 ProviderId       : 0x400
      +0x004 DataPath         : (null)
      +0x008 BufferSize       : 0xae00
      +0x00c Buffer           : (null)
      +0x000 Others           : __unnamed
      +0x000 Argument1        : 0x00000400
      +0x004 Argument2        : (null)
      +0x008 Argument3        : 0x0000ae00
      +0x00c Argument4        : (null)
   +0x014 DeviceObject     : 0x84bbf470
      +0x000 Type             : 3
      +0x002 Size             : 0x148
      +0x004 ReferenceCount   : 0
      +0x008 DriverObject     : 0x8150d1f0
      +0x000 Type             : 4
      +0x002 Size             : 168
      +0x004 DeviceObject     : 0x84bbf470
      +0x008 Flags            : 0x12
      +0x00c DriverStart      : 0xbfc50000
      +0x010 DriverSize       : 0x1aaf60
      +0x014 DriverSection    : 0x818ceb48
      +0x018 DriverExtension  : 0x8150d298
      +0x01c DriverName       : _UNICODE_STRING "\Driver\saview"
      +0x024 HardwareDatabase : 0x8053fd98 "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
      +0x028 FastIoDispatch   : (null)
      +0x02c DriverInit       : 0xbfc5baa1 saview!DriverEntry+0
      +0x030 DriverStartIo    : (null)
      +0x034 DriverUnload     : 0xbfc5bc5d saview!SaViewDriverUnload+0
      +0x038 MajorFunction    : [28] 0xbfc5bcc0 saview!SaViewCreateClose+0
      +0x00c NextDevice       : 0x81881cf0
      +0x000 Type             : 3
      +0x002 Size             : 0x1c8
      +0x004 ReferenceCount   : 1
      +0x008 DriverObject     : 0x8150d1f0
      +0x00c NextDevice       : (null)
      +0x010 AttachedDevice   : (null)
      +0x014 CurrentIrp       : (null)
      +0x018 Timer            : (null)
      +0x01c Flags            : 0x40
      +0x020 Characteristics  : 0
      +0x024 Vpb              : (null)
      +0x028 DeviceExtension  : 0x81881da8
      +0x02c DeviceType       : 0x22
      +0x030 StackSize        : 1 ''
      +0x034 Queue            : __unnamed
      +0x05c AlignmentRequirement : 0
      +0x060 DeviceQueue      : _KDEVICE_QUEUE
      +0x074 Dpc              : _KDPC
      +0x094 ActiveThreadCount : 0
      +0x098 SecurityDescriptor : 0xe13b01a8
      +0x09c DeviceLock       : _KEVENT
      +0x0ac SectorSize       : 0
      +0x0ae Spare1           : 0
      +0x0b0 DeviceObjectExtension : 0x81881eb8
      +0x0b4 Reserved         : (null)
      +0x010 AttachedDevice   : (null)
      +0x014 CurrentIrp       : (null)
      +0x018 Timer            : (null)
      +0x01c Flags            : 0x50
      +0x020 Characteristics  : 0x100
      +0x024 Vpb              : (null)
      +0x028 DeviceExtension  : 0x84bbf528
      +0x02c DeviceType       : 0x22
      +0x030 StackSize        : 1 ''
      +0x034 Queue            : __unnamed
      +0x000 ListEntry        : _LIST_ENTRY [0x0 - 0x0]
      +0x000 Wcb              : _WAIT_CONTEXT_BLOCK
      +0x05c AlignmentRequirement : 0
      +0x060 DeviceQueue      : _KDEVICE_QUEUE
      +0x000 Type             : 20
      +0x002 Size             : 20
      +0x004 DeviceListHead   : _LIST_ENTRY [0x84bbf4d4 - 0x84bbf4d4]
      +0x00c Lock             : 0
      +0x010 Busy             : 0 ''
      +0x074 Dpc              : _KDPC
      +0x000 Type             : 0
      +0x002 Number           : 0 ''
      +0x003 Importance       : 0 ''
      +0x004 DpcListEntry     : _LIST_ENTRY [0x0 - 0x0]
      +0x00c DeferredRoutine  : (null)
      +0x010 DeferredContext  : (null)
      +0x014 SystemArgument1  : (null)
      +0x018 SystemArgument2  : (null)
      +0x01c Lock             : (null)
      +0x094 ActiveThreadCount : 0
      +0x098 SecurityDescriptor : 0xe1fb75e8
      +0x09c DeviceLock       : _KEVENT
      +0x000 Header           : _DISPATCHER_HEADER
      +0x0ac SectorSize       : 0
      +0x0ae Spare1           : 0
      +0x0b0 DeviceObjectExtension : 0x84bbf5b8
      +0x000 Type             : 13
      +0x002 Size             : 0
      +0x004 DeviceObject     : 0x84bbf470
      +0x0b4 Reserved         : (null)
   +0x018 FileObject       : (null)
   +0x01c CompletionRoutine : 0xeb2b3658 savirt!Bus_PDO_QueryDeviceRelations+0
   +0x020 Context          : (null)

This mail was sent via storeage.com

**************************************************************
**********************
This footnote confirms that this email message has been
scanned by PineApp Mail-SeCure for the presence of malicious
code, vandals & computer viruses.
**************************************************************
**********************


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag
argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

It is usually used to obtain the parameter to IoBuildPartialMdl. The latter
routine is misdesigned in having Va instead of StartOffset in the parameters.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Calvin Guan”
To: “Windows System Software Devs Interest List”
Sent: Tuesday, June 07, 2005 12:05 PM
Subject: Re: [ntdev] FW: IRP with bad MDL.

> Why on Earth use MmGetMdlVirtualAddress? The return value of this function
> could be an index to an MDL, not a valid address at all. Driver must not
> access “memory” pointed by the return value of this function. It’s mainly
> used for doing MapTransfer for pre-DMA setup.
>
> I did the similar logic as yours (rebuilding IRP and passing down). I use
> MmGetSystemAddressForMdlSafe.
>
>
> Calvin Guan Windows DDK MVP
> Staff SW Engineer, NetXtreme MINIPORT
> Enterprise Network Controller Engineering
> Broadcom Corporation www.broadcom.com
>
>
> ----- Original Message -----
> From: “Tamir Offek”
> To: “Windows System Software Devs Interest List”
> Sent: Tuesday, June 07, 2005 12:52 AM
> Subject: [ntdev] FW: IRP with bad MDL.
>
>

I have a driver that has similar mirroring logic in it.
Let's say Driver gets IRP O (orig) in its write dispatch.
My Driver creates two clones of it. Say IRP A and IRP B. IRP A is for the original destination and IRP B is intended for another device.

In my cloning logic, I do the following:

    IRP_A->MdlAddress = IRP_O->MdlAddress;
    if (I need to split the IO) {
        /* target MDL sized for the whole of IRP_O's buffer; IoBuildPartialMdl
         * only fills in the part we ask for */
        IRP_A->MdlAddress = IoAllocateMdl(MmGetMdlVirtualAddress(IRP_O->MdlAddress),
                                          MmGetMdlByteCount(IRP_O->MdlAddress),
                                          FALSE, FALSE, NULL);
        /* VirtualAddress = where the split starts inside IRP_O's MDL,
         * Length 0 = up to the end of the source MDL */
        IoBuildPartialMdl(IRP_O->MdlAddress, IRP_A->MdlAddress,
                          (PCHAR)MmGetMdlVirtualAddress(IRP_O->MdlAddress) + split_offset,
                          0);
    } else {
        /* IRP_A and IRP_B will carry the same MDL as in IRP_O */
    }

Completion routine for IRP_A and IRP_B
{
    if (Irp->MdlAddress->MdlFlags & MDL_PARTIAL) {
        if (this was an IRP for which I did IoAllocateMdl) {
            IoFreeMdl(Irp->MdlAddress);   /* a partial MDL is freed, never unlocked */
        }
    }

    IoCompleteRequest(IRP_O, IO_NO_INCREMENT);

    return STATUS_MORE_PROCESSING_REQUIRED;
    /* this is very important because otherwise the I/O manager will try to
     * unlock the MDL and do some other stuff which we don't want done
     * on IRP_A or IRP_B. we clean them up ourselves.
     */
}

Please don't read more into the splitting logic because I've not described it fully or correctly. Look at the API usage.

See if this logic suits you. It seems to be working for me.
Harish
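An added example, not code from Harish's driver, Tamir's driver or the DDK: a user-mode C model of the MDL fields behind the calls discussed above (MmGetMdlVirtualAddress, MmGetMdlByteCount, IoBuildPartialMdl). It makes Maxim's point concrete, that the Va argument of IoBuildPartialMdl is really an offset into the source MDL, and shows the check a forwarding driver wants before cloning: an MDL like the one in the dump (StartVa NULL) is rejected instead of being handed to IoBuildPartialMdl. Field names and flag values follow the DDK header; the mdl_* helpers, addresses and frame numbers are assumptions of this example.

```c
/* Added example: a user-mode model (not code from this thread or from the DDK) of the
 * MDL fields behind MmGetMdlVirtualAddress, MmGetMdlByteCount and IoBuildPartialMdl.
 * Field names and flag values follow the DDK header; the mdl_* helpers, addresses
 * and frame numbers are constructed, and nothing is ever dereferenced. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE  4096u
#define PAGE_SHIFT 12
#define PAGE_ALIGN(va)  ((void *)((uintptr_t)(va) & ~(uintptr_t)(PAGE_SIZE - 1)))
#define BYTE_OFFSET(va) ((uint32_t)((uintptr_t)(va) & (PAGE_SIZE - 1)))
#define MDL_MAPPED_TO_SYSTEM_VA 0x0001
#define MDL_PAGES_LOCKED        0x0002
#define MDL_PARTIAL             0x0010

typedef struct _MDL {                  /* the PFN array follows the header */
    uint16_t Size, MdlFlags;
    void *Process, *MappedSystemVa;
    void *StartVa;                     /* page-aligned start of the range */
    uint32_t ByteCount, ByteOffset;    /* ByteOffset: first byte within StartVa's page */
} MDL;
static uint32_t *mdl_pfns(const MDL *m) { return (uint32_t *)(uintptr_t)(m + 1); }

/* ADDRESS_AND_SIZE_TO_SPAN_PAGES: number of pages a range touches */
static uint32_t mdl_span_pages(uint32_t off, uint32_t len) { return (off + len + PAGE_SIZE - 1) >> PAGE_SHIFT; }

/* Model of IoAllocateMdl: records the range, locks and maps nothing. */
static MDL *mdl_alloc(void *va, uint32_t len)
{
    uint32_t pages = mdl_span_pages(BYTE_OFFSET(va), len);
    MDL *m = calloc(1, sizeof(MDL) + pages * sizeof(uint32_t));
    if (m == NULL) return NULL;
    m->Size = (uint16_t)(sizeof(MDL) + pages * sizeof(uint32_t));
    m->StartVa = PAGE_ALIGN(va); m->ByteOffset = BYTE_OFFSET(va); m->ByteCount = len;
    return m;
}

/* Stand-in for MmProbeAndLockPages, with constructed frame numbers. */
static void mdl_fake_lock(MDL *m, uint32_t first_pfn)
{
    uint32_t i, n = mdl_span_pages(m->ByteOffset, m->ByteCount);
    for (i = 0; i < n; i++) mdl_pfns(m)[i] = first_pfn + i;
    m->MdlFlags |= MDL_PAGES_LOCKED;
}

/* MmGetMdlVirtualAddress is just StartVa + ByteOffset. For a user buffer it only means
 * something in the issuing process: a cursor into the MDL, never a pointer to read through. */
static void *mdl_virtual_address(const MDL *m) { return (char *)m->StartVa + m->ByteOffset; }

/* Checks to run before building anything from an incoming MDL; the one in the dump
 * (StartVa NULL, ByteCount 0x1000, MdlFlags 2) fails on the first line. */
static int mdl_looks_valid(const MDL *m)
{
    if (m == NULL || m->StartVa == NULL) return 0;
    if (m->ByteCount == 0 || m->ByteOffset >= PAGE_SIZE) return 0;
    if (!(m->MdlFlags & (MDL_PAGES_LOCKED | MDL_MAPPED_TO_SYSTEM_VA))) return 0;
    return m->Size >= sizeof(MDL) + mdl_span_pages(m->ByteOffset, m->ByteCount) * sizeof(uint32_t);
}

/* Model of IoBuildPartialMdl(src, dst, va, len): va must lie inside src's range and works
 * as an offset into it; len == 0 means "to the end of src". dst gets the page-aligned base,
 * the byte offset and a slice of src's PFN array. Returns 0, or -1 on a bad src or range. */
static int mdl_build_partial(const MDL *src, MDL *dst, void *va, uint32_t len)
{
    uintptr_t start, end, cut = (uintptr_t)va;
    uint32_t first_page, pages;
    if (!mdl_looks_valid(src)) return -1;
    start = (uintptr_t)mdl_virtual_address(src); end = start + src->ByteCount;
    if (cut < start || cut >= end) return -1;
    if (len == 0) len = (uint32_t)(end - cut);
    if (cut + len > end) return -1;
    first_page = (uint32_t)((cut - (uintptr_t)src->StartVa) >> PAGE_SHIFT);
    pages = mdl_span_pages(BYTE_OFFSET(va), len);
    if (dst->Size < sizeof(MDL) + pages * sizeof(uint32_t)) return -1;
    dst->Process = src->Process; dst->StartVa = PAGE_ALIGN(va);
    dst->ByteOffset = BYTE_OFFSET(va); dst->ByteCount = len;
    memcpy(mdl_pfns(dst), mdl_pfns(src) + first_page, pages * sizeof(uint32_t));
    dst->MdlFlags |= MDL_PARTIAL | (src->MdlFlags & MDL_PAGES_LOCKED);
    return 0;
}

/* Walk-through: a 0x2300-byte buffer at constructed VA 0x401100 (frames 0x1000..0x1002)
 * split at offset 0x1000 as the cloning logic above does, then the dump's MDL.
 * Returns 1 when the split comes out right and the bad MDL is rejected. */
static int example_main(void)
{
    MDL *src = mdl_alloc((void *)(uintptr_t)0x401100u, 0x2300u), *part, bad;
    int ok = 0;
    if (src == NULL) return 0;
    mdl_fake_lock(src, 0x1000u);
    part = mdl_alloc(mdl_virtual_address(src), src->ByteCount);   /* sized like src */
    if (part != NULL &&
        mdl_build_partial(src, part, (char *)mdl_virtual_address(src) + 0x1000u, 0) == 0)
        ok = (uintptr_t)part->StartVa == 0x402000u && part->ByteOffset == 0x100u &&
             part->ByteCount == 0x1300u && mdl_pfns(part)[0] == 0x1001u &&
             mdl_pfns(part)[1] == 0x1002u && (part->MdlFlags & MDL_PARTIAL) != 0;
    memset(&bad, 0, sizeof(bad));                 /* the MDL from the dump */
    bad.Size = 92; bad.MdlFlags = MDL_PAGES_LOCKED; bad.ByteCount = 0x1000u;
    ok = ok && !mdl_looks_valid(&bad) && mdl_build_partial(&bad, part, NULL, 0) == -1;
    free(part); free(src);
    return ok;
}
```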

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-211186-
xxxxx@lists.osr.com] On Behalf Of Tamir Offek
Sent: Tuesday, June 07, 2005 12:52 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] FW: IRP with bad MDL.

??? +0x008 DriverObject??? : 0x8150d1f0
??? +0x00c NextDevice??? : (null)
??? +0x010 AttachedDevice?? : (null)
??? +0x014 CurrentIrp??? : (null)
??? ???+0x018 Timer??? : (null)
??? +0x01c Flags??? : 0x40
??? +0x020 Characteristics? : 0
??? +0x024 Vpb??? : (null)
??? +0x028 DeviceExtension? : 0x81881da8
??? +0x02c DeviceType??? : 0x22
??? +0x030 StackSize??? : 1 ‘’
??? +0x034 Queue??? : __unnamed
??? +0x05c AlignmentRequirement : 0
??? +0x060 DeviceQueue??? : _KDEVICE_QUEUE
??? +0x074 Dpc??? : _KDPC
??? +0x094 ActiveThreadCount : 0
??? +0x098 SecurityDescriptor : 0xe13b01a8
??? +0x09c DeviceLock??? : _KEVENT
??? +0x0ac SectorSize??? : 0
??? +0x0ae Spare1??? : 0
??? +0x0b0 DeviceObjectExtension : 0x81881eb8
??? +0x0b4 Reserved??? : (null)
??? +0x010 AttachedDevice?? : (null)
??? +0x014 CurrentIrp??? : (null)
??? +0x018 Timer??? : (null)
??? +0x01c Flags??? : 0x50
??? +0x020 Characteristics? : 0x100
??? +0x024 Vpb??? : (null)
??? +0x028 DeviceExtension? : 0x84bbf528
??? +0x02c DeviceType??? : 0x22
??? +0x030 StackSize??? : 1 ‘’
??? +0x034 Queue??? : __unnamed
??? +0x000 ListEntry??? : _LIST_ENTRY [0x0 - 0x0]
??? +0x000 Wcb??? : _WAIT_CONTEXT_BLOCK
??? +0x05c AlignmentRequirement : 0
??? +0x060 DeviceQueue??? : _KDEVICE_QUEUE
??? +0x000 Type??? : 20
??? +0x002 Size??? : 20
??? +0x004 DeviceListHead?? : _LIST_ENTRY [0x84bbf4d4 - 0x84bbf4d4]
??? +0x00c Lock ???: 0
??? +0x010 Busy??? : 0 ‘’
??? +0x074 Dpc??? : _KDPC
??? +0x000 Type??? : 0
??? +0x002 Number??? : 0 ‘’
??? +0x003 Importance??? : 0 ‘’
??? +0x004 DpcListEntry??? : _LIST_ENTRY [0x0 - 0x0]
??? +0x00c DeferredRoutine? : (null)
??? +0x010 DeferredContext? : (null)
??? +0x014 SystemArgument1? : (null)
??? +0x018 SystemArgument2? : (null)
??? +0x01c Lock??? : (null)
??? +0x094 ActiveThreadCount : 0
??? +0x098 SecurityDescriptor : 0xe1fb75e8
??? +0x09c DeviceLock??? : _KEVENT
??? +0x000 Header??? : _DISPATCHER_HEADER
??? +0x0ac SectorSize??? : 0
??? +0x0ae Spare1??? : 0
??? +0x0b0 DeviceObjectExtension : 0x84bbf5b8
??? +0x000 Type??? : 13
??? +0x002 Size??? : 0
??? +0x004 DeviceObject??? : 0x84bbf470
??? +0x0b4 Reserved??? : (null)
?? +0x018 FileObject??? : (null)
?? +0x01c CompletionRoutine : 0xeb2b3658
savirt!Bus_PDO_QueryDeviceRelations+0
?? +0x020 Context??? : (null)

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256