Strange !irpfind outputs

Hello folks,
I am currently analyzing a memory dump in which Non-paged pool seems exhausted, and "Irp " tag is the top consumer of NPP.

    0:kd> !poolused 2
    Sorting by NonPaged Pool Consumed

    Pool Used:
                NonPaged            Paged
     Tag    Allocs     Used    Allocs     Used
     Irp    103439 67870840         0        0  Io, IRP packets
     LSwn     1875 38400000         0        0  normal work context
     LSrf   101338 25131824         0        0  RFCB
     File   109332 16624576         0        0  File objects
     NDCM    18086 11456064         0        0  UNKNOWN pooltag ‘NDCM’, please update pooltag.txt

And !irpfind shows 100K+ IRPs, as follows:

    0: kd> !irpfind
    Searching NonPaged pool (85301000 : 8d200000) for Tag: Irp?

    Irp [Thread] irpStack: (Mj,Mn) DevObj [Driver] MDL Process
    853015c0 [8be0ab80] Irp is complete (CurrentLocation 16 > StackCount 15)
    85301a60 [8b89edb0] Irp is complete (CurrentLocation 16 > StackCount 15)
    85301d70 [8be0ab80] Irp is complete (CurrentLocation 16 > StackCount 15)
    853023a0 [8be2ddb0] Irp is complete (CurrentLocation 16 > StackCount 15)
    853026c0 [8be2ddb0] Irp is complete (CurrentLocation 16 > StackCount 15)
    85302980 [8be36db0] Irp is complete (CurrentLocation 16 > StackCount 15)
    85302d70 [8be2ddb0] Irp is complete (CurrentLocation 16 > StackCount 15)
    85303008 [8b893db0] Irp is complete (CurrentLocation 16 > StackCount 15)
    85303658 [8b898db0] Irp is complete (CurrentLocation 16 > StackCount 15)
    85303d70 [8be2ddb0] Irp is complete (CurrentLocation 16 > StackCount 15)

Here are my questions:

  1. Why is the [Thread] parameter of these IRPs not 0? IMHO, normal completed IRPs should have [Thread] as 0.
  2. Why are the IO stack locations of these IRPs not zeroed out, given that these IRPs are completed? e.g.:
    0: kd> !irp 853015c0
    Irp is active with 15 stacks 16 is current (= 0x8530184c)
    No Mdl: No System Buffer: Thread 8be0ab80: Irp is completed. Pending has been returned
    cmd flg cl Device File Completion-Context
    [0, 0] 0 0 00000000 00000000 00000000-00000000
    Args: 00000000 00000000 00000000 00000000

    [d, 0] 0 0 8bbbe308 00000000 bae67468-87f300d8
    \FileSystem\Ntfs fltmgr!FltpPassThroughCompletion
    Args: 00000000 00000000 00000000 00000000
    [d, 0] 0 0 8bb47020 00000000 b71d9680-887bf2f0
    \FileSystem\FltMgr srv!SrvFsdOplockCompletionRoutine
    Args: 00000000 00000000 00000000 00000000
  3. Why are these IRPs not freed since they are completed?

Any comments are greatly appreciated. Thanks.

> I am currently analyzing a memory dump in which Non-paged pool seems exhausted, and "Irp " tag is the top consumer of NPP.

Can be an artifact of a lookaside list.

Try doing the same with Verifier on, it switches off the lookasides.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
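
For a listing of 100K+ rows like the !irpfind output in the question, a per-thread tally is easier to read than the raw rows. The following is an added example, not part of the original thread: it assumes the debugger output was saved as text, `summarize_irpfind` is a hypothetical helper name, and the sample embeds only the rows quoted above.

```python
import re
from collections import Counter

# Sample input: banner, header and rows copied from the !irpfind listing in the question.
SAMPLE = """\
Searching NonPaged pool (85301000 : 8d200000) for Tag: Irp?
Irp [Thread] irpStack: (Mj,Mn) DevObj [Driver] MDL Process
853015c0 [8be0ab80] Irp is complete (CurrentLocation 16 > StackCount 15)
85301a60 [8b89edb0] Irp is complete (CurrentLocation 16 > StackCount 15)
85301d70 [8be0ab80] Irp is complete (CurrentLocation 16 > StackCount 15)
853023a0 [8be2ddb0] Irp is complete (CurrentLocation 16 > StackCount 15)
853026c0 [8be2ddb0] Irp is complete (CurrentLocation 16 > StackCount 15)
85302980 [8be36db0] Irp is complete (CurrentLocation 16 > StackCount 15)
85302d70 [8be2ddb0] Irp is complete (CurrentLocation 16 > StackCount 15)
85303008 [8b893db0] Irp is complete (CurrentLocation 16 > StackCount 15)
85303658 [8b898db0] Irp is complete (CurrentLocation 16 > StackCount 15)
85303d70 [8be2ddb0] Irp is complete (CurrentLocation 16 > StackCount 15)
"""

ROW = re.compile(r"^\s*([0-9a-f]{8,16})\s+\[([0-9a-f]{8,16})\]\s*(.*)$", re.I)
DONE = re.compile(r"Irp is complete \(CurrentLocation (\w+) > StackCount (\w+)\)")


def summarize_irpfind(text):
    """Tally !irpfind rows: how many are complete and which threads they name."""
    rows = completed = with_thread = 0
    by_thread, shapes = Counter(), Counter()
    for line in text.splitlines():
        row = ROW.match(line)
        if not row:
            continue  # banner, column header, blank lines
        rows += 1
        _irp, thread, rest = row.groups()
        done = DONE.search(rest)
        if not done:
            continue  # row that is not reported as complete; not tallied here
        completed += 1
        by_thread[thread.lower()] += 1
        shapes[done.groups()] += 1  # (CurrentLocation, StackCount) as printed
        if int(thread, 16) != 0:
            with_thread += 1  # completed, yet the [Thread] column is non-zero
    return {"rows": rows, "completed": completed, "with_thread": with_thread,
            "by_thread": by_thread, "shapes": shapes}

if __name__ == "__main__":
    s = summarize_irpfind(SAMPLE)
    print(f"{s['completed']}/{s['rows']} complete, {s['with_thread']} name a thread")
    print(s["by_thread"].most_common())
```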