NO_MORE_IRP_STACK_LOCATIONS panic

I am hitting a NO_MORE_IRP_STACK_LOCATIONS panic possibly due to IRP corruption. My driver is a simple driver that creates the IRP (using IoAllocateIrp) to communicate with the lower driver. The IRP is created with a stack size of 1. I am hitting the panic as soon as the IoCallDriver is called. From the dump, the IRP shows negative values for the stack count and the current location fields.

The IoCompletion routine is set at the address that corresponds to the value derived from the negative count.

Any idea why this corruption is happening?

0: kd> dt _IRP 854ec508
nt!_IRP
+0x000 Type : 6
+0x002 Size : 0x190
+0x004 MdlAddress : (null)
+0x008 Flags : 0
+0x00c AssociatedIrp : __unnamed
+0x018 IoStatus : _IO_STATUS_BLOCK
+0x020 RequestorMode : 0 ''
+0x021 PendingReturned : 0 ''
+0x022 StackCount : -67 '' <----------
+0x023 CurrentLocation : -67 '' <----------
+0x024 Cancel : 0 ''
+0x025 CancelIrql : 0 ''
+0x026 ApcEnvironment : 0 ''
+0x027 AllocationFlags : 0x4 ''
+0x028 UserIosb : (null)
+0x02c UserEvent : (null)
+0x030 Overlay : __unnamed
+0x038 CancelRoutine : (null)
+0x03c UserBuffer : (null)
+0x040 Tail : __unnamed

Thanks,
Jing

You need to allocate the number of stack locations based on the driver you are sending it to, e.g. lowerDeviceObject->StackSize is what you should pass to IoAllocateIrp

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, April 22, 2010 9:50 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] NO_MORE_IRP_STACK_LOCATIONS panic
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
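
As an added illustration, not code from this thread or from any of the posters, the following user-mode C model reproduces the bookkeeping behind the advice above: IoAllocateIrp(n) sets StackCount to n and CurrentLocation to n + 1, every IoCallDriver decrements CurrentLocation, and the kernel raises bugcheck 0x35 (NO_MORE_IRP_STACK_LOCATIONS) when that counter reaches zero. Both fields are CHAR in the real _IRP, which is why the debugger prints them signed. Everything prefixed `model_` and the helpers `simulate_send` / `current_location_after_alloc` are hypothetical names for this example; it is not WDK code and it does not model completion processing, only the forwarding check.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical user-mode model of the IRP stack-location bookkeeping done by
 * IoAllocateIrp / IoGetNextIrpStackLocation / IoCallDriver. Written for this
 * thread as an illustration; it is not WDK code. Only the fields that matter
 * for the NO_MORE_IRP_STACK_LOCATIONS (0x35) check are kept.
 */

#define MODEL_MAX_LOCATIONS 8

typedef struct _MODEL_IO_STACK_LOCATION {
    uint8_t MajorFunction;
    uint8_t Filled;          /* 1 once a sender has written this location */
} MODEL_IO_STACK_LOCATION;

typedef struct _MODEL_IRP {
    int8_t StackCount;       /* CHAR in the real _IRP (offset +0x022 in the dump) */
    int8_t CurrentLocation;  /* CHAR in the real _IRP (offset +0x023 in the dump) */
    MODEL_IO_STACK_LOCATION *CurrentStackLocation; /* Tail.Overlay.CurrentStackLocation */
    MODEL_IO_STACK_LOCATION Stack[MODEL_MAX_LOCATIONS];
} MODEL_IRP;

/* IoAllocateIrp(n): StackCount = n, CurrentLocation = n + 1, and the current
 * stack location pointer starts one past the last real location, so the first
 * IoGetNextIrpStackLocation() yields Stack[n - 1]. */
static bool model_IoAllocateIrp(MODEL_IRP *irp, int stackSize)
{
    if (stackSize < 1 || stackSize > MODEL_MAX_LOCATIONS)
        return false;
    for (int i = 0; i < MODEL_MAX_LOCATIONS; i++) {
        irp->Stack[i].MajorFunction = 0;
        irp->Stack[i].Filled = 0;
    }
    irp->StackCount = (int8_t)stackSize;
    irp->CurrentLocation = (int8_t)(stackSize + 1);
    irp->CurrentStackLocation = &irp->Stack[stackSize];
    return true;
}

/* IoGetNextIrpStackLocation is CurrentStackLocation - 1. The kernel does no
 * bounds check; this model returns NULL instead of stepping in front of
 * Stack[0], where a write would land in the IRP header. */
static MODEL_IO_STACK_LOCATION *model_IoGetNextIrpStackLocation(MODEL_IRP *irp)
{
    if (irp->CurrentStackLocation == &irp->Stack[0])
        return NULL;
    return irp->CurrentStackLocation - 1;
}

/* The check at the top of IoCallDriver: the counter is decremented first and,
 * if it hits zero, there is no location for the target driver. The kernel
 * raises bugcheck 0x35 there; the model returns false. */
static bool model_IoCallDriver(MODEL_IRP *irp)
{
    irp->CurrentLocation--;
    if (irp->CurrentLocation <= 0)
        return false;               /* NO_MORE_IRP_STACK_LOCATIONS */
    irp->CurrentStackLocation--;
    return true;
}

/* One driver in the lower stack: uses its own location and, unless it is the
 * bottom driver, copies it to the next location and forwards the IRP. */
static bool model_lower_driver(MODEL_IRP *irp, int levelsBelow)
{
    if (levelsBelow == 0)
        return true;                /* bottom driver completes the request */
    MODEL_IO_STACK_LOCATION *next = model_IoGetNextIrpStackLocation(irp);
    if (next != NULL)
        *next = *irp->CurrentStackLocation; /* IoCopyCurrentIrpStackLocationToNext */
    if (!model_IoCallDriver(irp))
        return false;
    return model_lower_driver(irp, levelsBelow - 1);
}

/* Allocate an IRP with allocatedLocations and send it into a device stack
 * whose top device object reports StackSize == lowerStackSize. Returns true
 * if every hop had a location, false if any hop would have bugchecked. */
static bool simulate_send(int allocatedLocations, int lowerStackSize)
{
    MODEL_IRP irp;
    if (!model_IoAllocateIrp(&irp, allocatedLocations))
        return false;
    /* What the allocating driver does before its own IoCallDriver. */
    MODEL_IO_STACK_LOCATION *next = model_IoGetNextIrpStackLocation(&irp);
    next->MajorFunction = 0x0e;     /* IRP_MJ_DEVICE_CONTROL, as a sample */
    next->Filled = 1;
    if (!model_IoCallDriver(&irp))
        return false;
    return model_lower_driver(&irp, lowerStackSize - 1);
}

/* CurrentLocation as IoAllocateIrp leaves it: StackCount + 1. */
static int current_location_after_alloc(int stackSize)
{
    MODEL_IRP irp;
    if (!model_IoAllocateIrp(&irp, stackSize))
        return -1;
    return irp.CurrentLocation;
}

int main(void)
{
    printf("IoAllocateIrp(1) into a stack of depth 2: %s\n",
           simulate_send(1, 2) ? "ok" : "NO_MORE_IRP_STACK_LOCATIONS");
    printf("IoAllocateIrp(lower->StackSize == 2) into a stack of depth 2: %s\n",
           simulate_send(2, 2) ? "ok" : "NO_MORE_IRP_STACK_LOCATIONS");
    return 0;
}
```

The model shows why a stack size of 1 is only safe when the target device object really reports StackSize == 1: each driver below consumes one decrement, and the one that finds CurrentLocation at zero is the one that bugchecks, even though the corruption-looking values were already visible before the call.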

Doron,

That is exactly what my driver is doing.

IrpPtr = IoAllocateIrp( pMasterDeviceObject->StackSize, FALSE );
This stack size is 1.

However I am seeing the weird values for the stack count and current
location fields.

Regards,
Jing


xxxxx@gmail.com wrote:

> I am hitting a NO_MORE_IRP_STACK_LOCATIONS panic possibly due to IRP corruption. My driver is a simple driver that creates the IRP (using IoAllocateIrp) to communicate with the lower driver. The IRP is created with a stack size of 1. I am hitting the panic as soon as the IoCallDriver is called. From the dump, the IRP shows negative values for the stack count and the current location fields.
>
> The IoCompletion routine is set at the address that corresponds to the value derived from the negative count.

Again, you’re expecting us to use our psychic abilities to help you.
You have a bug. Show us the code.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Negative numbers are not necessarily a problem. How did you get pMasterDeviceObject? What is the output of !analyze -v? Is pMasterDeviceObject part of your pnp stack if you are a pnp driver?

d

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of jing bing
Sent: Thursday, April 22, 2010 10:19 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] NO_MORE_IRP_STACK_LOCATIONS panic

Do you set a completion routine in IRP? If you do, IIRC you should reserve an extra location for your driver in IRP - otherwise IoCompleteRequest() will crash, because no more stack locations will be left in IRP by the time it wants to invoke your completion routine…

Anton Bassov