Ummm… I know it is my driver! I`m not one of these fly by night filemon
stealing monkeys you know! 
To answer the things so far.
-
Yes. I do update the pIrp->UserBuffer afetr constructing my replacment
MDL. -
Here is the -analyze -v, the memory address being accessed doesn`t appear
to
have been allocated by me, but I am pretty sure that it was as it is only
on
an encrypted file that this happens.
kd> !analyze -v
****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at
an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: ff4d3000, memory referenced
Arg2: 0000000d, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 80069566, address which referenced memory
Debugging Details:
Database SolnDb not connected
READ_ADDRESS: ff4d3000 Nonpaged pool
CURRENT_IRQL: d
FAULTING_IP:
hal!WRITE_PORT_BUFFER_USHORT+e
80069566 f3666f rep outsw
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
LAST_CONTROL_TRANSFER: from 8042c507 to 80456488
STACK_TEXT:
f2c1f934 8042c507 00000003 f2c1f97c ff4d3000
nt!RtlpBreakWithStatusInstruction
f2c1f964 8042c8cb 00000003 ff4d3000 80069566 nt!KiBugCheckDebugBreak+0x31
f2c1fcf0 80468b6f 00000000 ff4d3000 0000000d nt!KeBugCheckEx+0x390
f2c1fcf0 80069566 00000000 ff4d3000 0000000d nt!KiTrap0E+0x27c
f2c1fd7c fe2bfb1f 000001f0 ff4d2ee8 00000100
hal!WRITE_PORT_BUFFER_USHORT+0xe
f2c1fd9c fe2c03f1 00000000 00000200 fe5110e8 atapi!IdeReadWrite+0x2c9
f2c1fe18 fe2c0cc2 fe511328 fe462b48 fe5110e8 atapi!IdeSendCommand+0x19f
f2c1fe58 fe2c3a76 fe511328 fe462b48 fe5111c0 atapi!AtapiStartIo+0x177
f2c1fe84 80469781 fe511001 fe5110e8 fe510a02
atapi!SpStartIoSynchronized+0x198
f2c1fe9c fe2c3f9d fe4f1008 fe2c38de fe511030 nt!KeSynchronizeExecution+0x21
f2c1febc fe2c3f52 00000000 00000000 00000000
atapi!CallSpStartIoSynchronized+0x39
f2c1fed0 fe2c3209 fe511030 fe511030 fe383ca8
atapi!IdePortAllocateAccessToken+0x1a
f2c1fee8 8042138c fe511030 fe383ca8 fe383ca8 atapi!ScsiPortStartIo+0x12f
f2c1ff0c fe2c41a9 fe511030 fe383ca8 00000000 nt!IoStartPacket+0x93
f2c1ff34 fe2c4643 fe5110e8 fe510aa8 fe5111c0 atapi!GetNextLuRequest+0xff
f2c1ff70 fe2c34bd fe5110e8 fe5111c0 f2c1ffdf
atapi!SpProcessCompletedRequest+0x199
f2c1ffe0 80464bd4 fe5110a4 fe511030 00000000
atapi!ScsiPortCompletionDpc+0x1c7
f2c1fff4 804042be f2c7fb48 00000000 00000000 nt!KiRetireDpcList+0x30
FOLLOWUP_IP:
atapi!IdeReadWrite+2c9
fe2bfb1f 299e88000000 sub [esi+0x88],ebx
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: atapi!IdeReadWrite+2c9
MODULE_NAME: atapi
IMAGE_NAME: atapi.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 3e89d599
STACK_COMMAND: kb
BUCKET_ID: 0xA_atapi!IdeReadWrite+2c9
Followup: MachineOwner
-----Original Message-----
From: Dejan Maksimovic [mailto:xxxxx@alfasp.com]
Sent: 26 November 2003 06:13
To: Windows File Systems Devs Interest List
Subject: [ntfsd] RE: IRQL_NOT_LESS_OR_EQUAL in hal.dll after replacing
buffer in write
I was just about to reply “if you get a crash after installing your
driver, your
driver is faulty”, but you got me first:-)
What address is it crashing on? It is an address of a buffer you have
allocated
or not?
If I disable DMA access for the bus controller everything is NOT ok, just
Takes
longer to crash
–
Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@des.co.uk
To unsubscribe send a blank email to xxxxx@lists.osr.com