Our driver seems to be causing a STOP 0x35 (NO_MORE_IRP_STACK_LOCATIONS)
bugcheck. This occurs when the driver is attached to an anti-virus file
system filter driver, which in turn is attached to any lower level drivers.
The bugcheck only occurs when files are accessed from the network.
My driver attaches to DosDevices (A:, C:, …), FAT, NTFS, CDFS and
LanManRedirector. In case of mapped network drives, we don’t attach to
those. Here are some device attach details (ThTrack is our driver, AVPG is
the anti-virus app) at the time of the bugcheck:
Device object (820b4a80) is for:
\Driver\avpg DriverObject 820fa4f0
DevExt 820b4b38 DevObjExt 820b4b40
AttachedDevice (Upper) 82023be0 \Driver\ThTrack
AttachedTo (Lower) 8221e2f0 \FileSystem\MRxSmb
Device object (82023be0) is for:
\Driver\ThTrack DriverObject 82082030
DevExt 82023c98 DevObjExt 82023ce8
AttachedTo (Lower) 820b4a80 \Driver\avpg
To pass the IRP to the lower level driver, I use:
    IoCopyCurrentIrpStackLocationToNext(Irp);
    IoSetCompletionRoutine( Irp, CompletionRoutine,
                            (PVOID) pCompletionContext, TRUE, TRUE, TRUE );
    return (IoCallDriver( DeviceExtension->NextDeviceObject, Irp ));
In case we don’t need a completion routine (but simply pass the IRP on), I use:
    IoCopyCurrentIrpStackLocationToNext(Irp);
    IoSetCompletionRoutine( Irp, NULL, NULL, FALSE, FALSE, FALSE);
    return (IoCallDriver( DeviceExtension->NextDeviceObject, Irp ));
I checked the ‘NextDeviceObject’ field, and it does point to the AVPG
driver. So far so good !?!
When the bugcheck appears, this is the IRP stack:
kd> !irp 820bcd48
Irp is active with 3 stacks 0 is current (= 0x820aab80)
No Mdl Thread bebbca38: Irp stack trace.
cmd flg cl Device File Completion-Context
[0, 0] 0 0 820aab80 bebbccc4 00000000-00000000
\Driver\avpg
Args: bebbca38 01200000 00070000 00000000
[0, 0] 0 0 82046780 bebbccc4 00000000-00000000
\Driver\ThTrack
Args: bebbca38 01200000 00070000 00000000
[0, 0] 0 0 82046780 bebbccc4 00000000-00000000
\Driver\ThTrack
Args: bebbca38 01200000 00070000 00000000
Finally, this is the faulting stack:
Faulting Stack:
ChildEBP RetAddr
bebbc33c 8012c2bb nt!DbgBreakPointWithStatus+0x4
bebbc6c8 8011f607 nt!KeBugCheckEx+0x169
bebbc704 bf04370f nt!IoBuildSynchronousFsdRequest+0x77
bebbc8b8 be93bec7 avpg+0x970f
bebbc8c8 8011f61f ThTrac2k!ThTrackProcessCreate+0x3ca
bebbca64 80150cd0 nt!IoBuildSynchronousFsdRequest+0x8f
bebbcad0 8019daf9 nt!ObFindHandleForObject+0x5e9
bebbcbe0 801a579d nt!ObOpenObjectByName+0xbb
bebbcd54 801649a1 nt!RtlSubAuthorityCountSid+0x1d9
bebbcd64 001f01ff nt!ExReleaseResourceForThread+0xbd5
00180000 00000000 0x1f01ff
So something is going on here (I assume it has something to do with the
double listing of our ThTrack driver in the IRP stack), but I can’t figure
out what it is. I did try to increase the IrpStackSize parameter in the
LanMan registry key, but that didn’t work out.
If you have some spare time and can help me or give me hints or tips, like
what are the possible causes for a STOP 0x35 to occur, I would greatly
appreciate it.
Thanks.
Bartjan Wattel.
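
STOP 0x35 is raised when IoCallDriver is asked to step to a next IRP stack location and none is left. The following is an added example, not part of the original post and not the poster's driver code: a user-mode C model of that accounting, comparing an IRP sized for the device stack with one that is a slot short, and a pass-through layer that skips instead of copying. The layer counts, slot numbers and all names in it are constructed assumptions.

```c
#include <stdio.h>

/* User-mode model of NT IRP stack-location accounting (not kernel code). */
enum { STATUS_OK = 0, STOP_0x35 = 0x35 /* NO_MORE_IRP_STACK_LOCATIONS */ };

typedef struct Device {
    struct Device *lower;  /* device this one is attached to; NULL at the bottom */
    int stack_size;        /* models DEVICE_OBJECT.StackSize */
    int skips;             /* nonzero: passes down with IoSkipCurrentIrpStackLocation */
} Device;

typedef struct { int stack_count, current; } Irp;  /* StackCount, CurrentLocation */

/* Models IoAttachDeviceToDeviceStack: the upper device needs one more slot. */
static void attach(Device *upper, Device *lower) {
    upper->lower = lower;
    upper->stack_size = lower->stack_size + 1;
}

/* Models IoCallDriver: step to the next slot, bugcheck when none is left. */
static int call_driver(Device *dev, Irp *irp) {
    if (--irp->current <= 0) return STOP_0x35;
    if (!dev->lower) return STATUS_OK;     /* bottom driver completes the IRP */
    if (dev->skips) irp->current++;        /* skip: lower driver reuses this slot */
    return call_driver(dev->lower, irp);   /* copy-to-next: lower takes a new slot */
}

/* Stack `layers` devices (1..8, index 0 = bottom) and send one IRP down.
   irp_slots == 0 sizes the IRP from the top device's StackSize. */
static int send_irp(int layers, int irp_slots, unsigned skip_mask) {
    Device d[8] = {{ NULL, 1, 0 }};        /* d[0]: bottom device, StackSize 1 */
    for (int i = 1; i < layers; i++) {
        d[i].skips = (skip_mask >> i) & 1;
        attach(&d[i], &d[i - 1]);
    }
    if (irp_slots == 0) irp_slots = d[layers - 1].stack_size;
    Irp irp = { irp_slots, irp_slots + 1 };  /* current starts past the last slot */
    return call_driver(&d[layers - 1], &irp);
}

int main(void) {
    printf("4 layers, IRP sized from top:  0x%02x\n", (unsigned)send_irp(4, 0, 0));
    printf("4 layers, 3 slots, all copy:   0x%02x\n", (unsigned)send_irp(4, 3, 0));
    printf("4 layers, 3 slots, top skips:  0x%02x\n", (unsigned)send_irp(4, 3, 1u << 3));
    return 0;
}
```

In the model, an IRP fails exactly when the number of layers that take their own slot exceeds the slot count the IRP was allocated with.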