Invalid IRQL value [???]

Hi,

My driver communicates with user mode using a collection of IOCTLs handled by a corresponding IRP_MJ_DEVICE_CONTROL handler in the kernel. Occasionally I get an IRQL_NOT_LESS_OR_EQUAL exception from this context. I have dumped the memory and used WinDbg + !analyze -v, expecting to see that the code was executed at IRQL = PASSIVE_LEVEL, but surprisingly the IRQL was set to 0xFF; apparently this caused the IRQL_NOT_LESS_OR_EQUAL exception.

What may cause the IRQL to be 0xFF (-1 signed)? My code doesn’t change the IRQL deliberately… what may cause such a problem [???]

Many thanks
Naddav.

WinDbg !analyze -v output:
****************************************************
IRQL_NOT_LESS_OR_EQUAL (a)

Arguments:
Arg1: 81828fb8, memory referenced
Arg2: 000000ff, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 80512922, address which referenced memory
Debugging Details:

MODULE_NAME: nt
FAULTING_MODULE: 804d4000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 3d6de35c
WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
unable to get nt!MiSessionPoolStart
unable to get nt!MiSessionPoolEnd
81828fb8
CURRENT_IRQL: ff
FAULTING_IP:
nt!ExfInterlockedInsertTailList+d
80512922 8910 mov [eax],edx
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
LAST_CONTROL_TRANSFER: from 804dce53 to 805266db
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
fa6fea90 804dce53 0000000a 81828fb8 000000ff nt!KeBugCheckEx+0x19
fa6feaac fffff000 8065ac36 00005376 8065ac48 nt!Kei386EoiHelper+0x251c
c0207898 00004000 03fcc163 00004000 81e3a000 0xfffff000
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_NAME: MachineOwner
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner



You really need to fix your symbols - the debugger doesn’t provide much
in the way of useful output without the correct symbols (and while you
are omitting the big “your symbols are wrong” messages, the fact that it
can’t find pool boundaries and can’t unwind the stack clearly indicates
your symbols are wrong). Type “.symfix” and it will point you to the MS
symbol server to get better diagnostic information; I’m amazed that it
is working this well with export symbols.

The IRQL is reported as 0xFF when interrupts on the processor are
disabled. Since this is an x86 box, this is caused by someone executing
a “cli” instruction.

In this case, the export symbols point to ExfInterlockedInsertTailList.
Since the interlocked list functions are safe at any IRQL, they function
by disabling interrupts on the current processor and using spin locks or
atomic hardware operations to update the list. Thus, either the entry
you are inserting now, or an entry someone inserted previously (and is
adjacent) is in pageable memory. Try looking at the faulting address
(once you fix your symbols, commands like “!pte” will work) and figuring
out where it was allocated…

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http://www.osr.com


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Nadav
Sent: Wednesday, June 29, 2005 10:34 AM
To: ntfsd redirect
Subject: [ntfsd] Invalid IRQL value [???]

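The reasoning in the reply above (wrong symbols first, then IRQL 0xFF, then the interlocked list routine) can be applied mechanically to the quoted !analyze -v output. The script below is an added example, not code from the thread or from OSR; the function names and finding codes are assumptions made for illustration.

```python
import re

# Excerpt of the !analyze -v output quoted in this thread (trimmed, values unchanged).
SAMPLE = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arg1: 81828fb8, memory referenced
Arg2: 000000ff, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 80512922, address which referenced memory
WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
CURRENT_IRQL: ff
FAULTING_IP:
nt!ExfInterlockedInsertTailList+d
BUCKET_ID: WRONG_SYMBOLS
"""

def parse(text):
    """Pull out the bugcheck arguments and the fields the reply relies on."""
    def field(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None
    irql = field(r"^CURRENT_IRQL:\s*([0-9a-fA-F]+)")
    return {
        "args": {int(n): int(v, 16) for n, v in
                 re.findall(r"^Arg(\d): ([0-9a-fA-F]+),", text, re.M)},
        "irql": int(irql, 16) if irql else None,
        "symbol": field(r"^FAULTING_IP:\s*(\S+?)\+"),
        "bucket": field(r"^BUCKET_ID:\s*(\S+)"),
        "bad_symbols": "unable to get nt!" in text,
    }

def triage(text):
    """Return (code, advice) pairs in the order the reply reasons through them."""
    d, out = parse(text), []
    if d["bucket"] == "WRONG_SYMBOLS" or d["bad_symbols"]:
        out.append(("fix-symbols", "run .symfix, reload symbols, rerun !analyze -v"))
    if d["irql"] == 0xFF:
        out.append(("interrupts-disabled", "IRQL 0xFF means interrupts were off"))
        sym = d["symbol"] or ""
        if "Interlocked" in sym and "List" in sym and 1 in d["args"]:
            kind = "write" if d["args"].get(3) == 1 else "read"
            out.append(("check-list-entry",
                        f"{kind} to {d['args'][1]:08x} inside {sym}: use !pte to "
                        "see whether the entry or its neighbour is pageable"))
    return out

if __name__ == "__main__":
    for code, advice in triage(SAMPLE):
        print(f"{code}: {advice}")
```
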

Does this help? http://www.osronline.com/article.cfm?article=372