System Bugchecks after completing the IRP ?

Hi all

I see the following BSOD after I complete the allocated IRP in the completion
routine. I am following the following procedure in my driver code.

DispatchControl
    Save the Main IRP in the Context
    Allocate New Irp
    Mark Main IRP pending
    Set Completion routine for new IRP
    Call Next Level driver
    return status pending

In Completion routine
    Complete Main Irp
    Free the IRP
    return STATUS_MORE_PROCESSING_REQUIRED

Is there anything wrong in the above procedure? Can anybody point out where I
am going wrong?

With the above procedure I am seeing the bugcheck as shown below.

thanks in advance
srinivasa

_____Bug Check result


Entered Create - Dispatch control
Entered Class Request Completion Routine Read - Completion Routine
Freeing allocated IRP - Completion Routine

*** Fatal System Error: 0x000000c1
(0xAB689ED8,0xAB689FFF,0x1E000124,0x00000024)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C1, {ab689ed8, ab689fff, 1e000124, 24}

*** WARNING: symbols timestamp is wrong 0x39760637 0x3975dff1 for ntoskrnl.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for USBD.SYS -
Probably caused by : USBD ( USBD!USBD_CompleteRequest+4e )

Followup: MachineOwner

nt!MmLockPagableSectionByHandle+62c:
80453d52 cc int 3
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)
Special pool has detected memory corruption. Typically the current thread’s
stack bactrace will reveal the guilty party.
Arguments:
Arg1: ab689ed8, address trying to free
Arg2: ab689fff, address where bits are corrupted
Arg3: 1e000124, (reserved)
Arg4: 00000024, caller is freeing an address where bytes after the end of
the allocation have been overwritten

Debugging Details:

SPECIAL_POOL_CORRUPTION_TYPE: 24

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: C1

LAST_CONTROL_TRANSFER: from 8042c1c1 to 80453d52

STACK_TEXT:
80470e44 8042c1c1 00000003 c02ada24 00000124 nt!MmLockPagableSectionByHandle+0x62c
804711d0 8053911f 000000c1 ab689ed8 ab689fff nt!IopWritePageToDisk+0x1b6
80471214 804689c8 ab689ed8 00000000 ab689ed8 nt!IopProcessNewDeviceNode+0x196
80471240 80468922 ab689ed8 00000000 8041fe15 nt!MmCreateKernelStack+0x198
80471264 8041fd76 ab689ed8 ef24e57b ab689ed8 nt!MmCreateKernelStack+0xf2
804712a4 8041f6c5 00000000 ab689ed8 82226368 nt!FsRtlFastCheckLockForWrite+0x148
804712d0 f0759c50 841b962b f07494ba ab689ed8 nt!FsRtlFindFirstOverlappingExclusiveNode+0x5b
WARNING: Stack unwind information not available. Following frames may be wrong.
804712f4 f074ad26 81213ad0 ab689ed8 00000000 USBD!USBD_CompleteRequest+0x4e
80471344 f074a6e7 81213ad0 8149fe68 8297bf50 uhcd+0x2d26
80471380 80462235 81213cdc 81213ad0 00000000 uhcd+0x26e7
ffdff800 8047fce4 00000001 80471398 00139718 nt!MiEndingOffset+0x54d
8047fce4 ffdff800 804317b5 00000000 00a23c1f nt!MmCheckCachedPageState+0x918
ffdff800 8047fce4 00000001 80471398 00139718 0xffdff800
8047fce4 ffdff800 804317b5 00000000 00a23c1f nt!MmCheckCachedPageState+0x918

FOLLOWUP_IP:
USBD!USBD_CompleteRequest+4e
f0759c50 5b pop ebx

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: USBD!USBD_CompleteRequest+4e

MODULE_NAME: USBD

IMAGE_NAME: USBD

STACK_COMMAND: kb

BUCKET_ID: 0xC1_USBD!USBD_CompleteRequest+4e

Followup: MachineOwner

How do you allocate / free the IRPs ?


after you allocate the new irp put a watch point on the address
immediately following it (ba w 4 ). When the watch-point hits
you've got your corruptor.

you aren't trying to use IoGetCurrentIrpStackLocation() on your newly
allocated irp are you? That will end up writing into a nonexistent
stack location after the end of the allocated irp (new irps only have a
next stack location)

-p

-----Original Message-----
From: Deevi, Srinivasa [mailto:xxxxx@microtune.com]
Sent: Thursday, July 18, 2002 10:12 AM
To: NT Developers Interest List
Subject: [ntdev] System Bugchecks after completing the IRP ?

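The overrun raised in the reply above (taking the current rather than the next stack location of a freshly allocated IRP), as an added example that is not part of the original thread: a user-mode C model with a guard region checked at free time, the way special pool checks the bytes after an allocation. The structures and function names (`model_irp`, `model_stack_location`, `run_model` and the rest) are simplified, hypothetical stand-ins rather than WDK definitions; the model assumes the layout in which a new IRP's current-location pointer starts one slot past the last stack location it was allocated with.

```c
/* Added example: user-mode model of a freshly allocated IRP.
 * The structs are simplified stand-ins, NOT the WDK definitions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_BYTE 0xA5u /* constructed fill pattern for the bytes after the allocation */
#define GUARD_LEN  64u   /* large enough to absorb one stray stack location in the model */

typedef struct model_stack_location {    /* stand-in for IO_STACK_LOCATION */
    uint8_t   major_function;
    uintptr_t completion_routine;
    uintptr_t context;
} model_stack_location;

typedef struct model_irp {                /* stand-in for the fixed IRP header */
    int8_t stack_count;
    int8_t current_location;
    model_stack_location *current_stack_location;
} model_irp;

static size_t model_irp_size(int8_t stack_size)
{
    return sizeof(model_irp) + (size_t)stack_size * sizeof(model_stack_location);
}

/* Plays the role of IoAllocateIrp: header plus stack_size locations, with the
 * current location initialised one slot PAST the last one in the allocation. */
model_irp *model_allocate_irp(int8_t stack_size)
{
    size_t size = model_irp_size(stack_size);
    uint8_t *raw = malloc(size + GUARD_LEN);
    if (raw == NULL)
        return NULL;
    memset(raw, 0, size);
    memset(raw + size, GUARD_BYTE, GUARD_LEN);
    model_irp *irp = (model_irp *)raw;
    irp->stack_count = stack_size;
    irp->current_location = (int8_t)(stack_size + 1);
    irp->current_stack_location = (model_stack_location *)(raw + size);
    return irp;
}

/* Roles of IoGetCurrentIrpStackLocation and IoGetNextIrpStackLocation. */
model_stack_location *model_get_current(model_irp *irp) { return irp->current_stack_location; }
model_stack_location *model_get_next(model_irp *irp) { return irp->current_stack_location - 1; }

/* 1 if the whole stack location lies inside the IRP allocation, else 0. */
int model_in_bounds(const model_irp *irp, const model_stack_location *loc)
{
    const uint8_t *base = (const uint8_t *)irp;
    const uint8_t *p = (const uint8_t *)loc;
    return p >= base + sizeof(model_irp) &&
           p + sizeof(*loc) <= base + model_irp_size(irp->stack_count);
}

/* Plays the role of IoFreeIrp under special pool: 0 on a clean free,
 * -1 when bytes after the end of the allocation were overwritten. */
int model_free_irp(model_irp *irp)
{
    const uint8_t *guard = (const uint8_t *)irp + model_irp_size(irp->stack_count);
    int result = 0;
    for (size_t i = 0; i < GUARD_LEN; i++) {
        if (guard[i] != GUARD_BYTE) {
            result = -1;
            break;
        }
    }
    free(irp);
    return result;
}

/* Fill in a request for the lower driver, then free the IRP as the
 * completion routine in the thread does. Returns model_free_irp's result. */
int run_model(int use_current_location)
{
    model_irp *irp = model_allocate_irp(2);
    if (irp == NULL)
        return -2;
    model_stack_location *loc =
        use_current_location ? model_get_current(irp) : model_get_next(irp);
    loc->major_function = 0x0f;       /* constructed request code */
    loc->completion_routine = 0x1000; /* constructed marker values */
    loc->context = 0x2000;
    return model_free_irp(irp);
}

int main(void)
{
    printf("next location:    free result %d\n", run_model(0));
    printf("current location: free result %d\n", run_model(1));
    return 0;
}
```

The -1 result is the same condition Arg4 of the bugcheck describes: bytes after the end of the allocation were overwritten by the time the block was freed.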

Arg4: 00000024, caller is freeing an address where bytes after the end of
the allocation have been overwritten

Hmmm… perhaps this is trying to tell you something? Recheck how you are allocating and using this IRP. Also it would help if
you used the right symbols when debugging, your stack frame would make more sense. Is ab689ed8 the address of the IRP you
allocated? If not then there is some side effect resulting from the IRP you sent down the stack that is causing the memory
corruption.

-----Original Message-----
From: “Deevi, Srinivasa”
To: “NT Developers Interest List”
Date: Thu, 18 Jul 2002 12:12:07 -0500
Subject: [ntdev] System Bugchecks after completing the IRP ?


Hi Dan

Thanks for the reply.

I allocated the IRP with IoAllocateIrp() and am trying to free it with
IoFreeIrp().

Thanks
srinivasa

-----Original Message-----
From: Dan Partelly [mailto:xxxxx@rdsor.ro]
Sent: Thursday, July 18, 2002 10:31 AM
To: NT Developers Interest List
Subject: [ntdev] Re: System Bugchecks after completing the IRP ?

How do you allocate / free the IRPs ?


Hi Mark

Yes, that is the address of the IRP. The interesting point is that when I put
in a KdPrint statement to print the address of the IRP, the driver did not
fail. When I removed it, it crashed again. How would a KdPrint help it not to
crash in this case?

thanks in advance
srinivasa

-----Original Message-----
From: Mark Roddy [mailto:xxxxx@hollistech.com]
Sent: Thursday, July 18, 2002 10:51 AM
To: NT Developers Interest List
Subject: [ntdev] Re: System Bugchecks after completing the IRP ?

Arg4: 00000024, caller is freeing an address where bytes after the end of
the allocation have been overwritten

Hmmm… perhaps this is trying to tell you something? Recheck how you are
allocating and using this IRP. Also it would help if you used the right
symbols when debugging, your stack frame would make more sense. Is ab689ed8
the address of the IRP you allocated? If not then there is some side effect
resulting from the IRP you sent down the stack that is causing the memory
corruption.

-----Original Message-----
From: “Deevi, Srinivasa”
To: “NT Developers Interest List”
Date: Thu, 18 Jul 2002 12:12:07 -0500
Subject: [ntdev] System Bugchecks after completing the IRP ?

> Hi all
>
> I see the following BSOD after I complete the allocated IRP in the
> completion routine. I am following this procedure in my driver code.
>
> DispatchControl
> Save the Main IRP in the Context
> Allocate New Irp
> Mark Main IRP pending
> Set Completion routine for new IRP
> Call Next Level driver
> return status pending
>
> In Completion routine
> Complete Main Irp
> Free the IRP
> return STATUS_MORE_PROCESSING_REQUIRED
>
> Is there anything wrong in the above procedure? Can anybody point out
> where I am going wrong?
>
> With the above procedure I am seeing the bugcheck as shown below.
>
> thanks in advance
> srinivasa

Are you calling IoMarkIrpPending on the irp you allocated via
IoAllocateIrp? If so, you are marking a stack location which does not
exist, corrupting memory after the irp.

d
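
A user-mode model of the write described in the message above, added here as an example and not code from the thread: it lays an IRP out at the end of a special-pool page and shows which byte IoMarkIrpPending touches on a freshly allocated IRP. The x86 sizes (0x70-byte IRP, 0x24-byte stack location, Control at offset 3), the 8-byte alignment, the fill pattern and the StackSize of 5 are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumptions of this model (not stated in the thread): 32-bit x86 sizes. */
#define PAGE_BYTES      0x1000u
#define IRP_BYTES       0x70u  /* sizeof(IRP) */
#define STACK_LOC_BYTES 0x24u  /* sizeof(IO_STACK_LOCATION) */
#define CONTROL_OFFSET  3u     /* offset of IO_STACK_LOCATION.Control */
#define SL_PENDING      0x01u  /* SL_PENDING_RETURNED */
#define FILL_PATTERN    0x5Au  /* constructed value; the real pattern differs */

/* One simulated special-pool page. The allocation is pushed to the end of
 * the page (8-byte aligned, an assumption) and the leftover tail bytes hold
 * a pattern that is verified when the block is freed. */
typedef struct {
    uint8_t  bytes[PAGE_BYTES];
    uint32_t page_va;   /* pretend kernel address of bytes[0] */
    uint32_t offset;    /* start of the allocation inside the page */
    uint32_t size;      /* requested allocation size */
} special_page;

/* Bytes requested for an IRP: the header plus one slot per stack level. */
uint32_t irp_alloc_size(int stack_size)
{
    return IRP_BYTES + (uint32_t)stack_size * STACK_LOC_BYTES;
}

/* Models IoAllocateIrp under special pool; returns the IRP's address. */
uint32_t special_alloc_irp(special_page *p, uint32_t page_va, int stack_size)
{
    p->page_va = page_va;
    p->size    = irp_alloc_size(stack_size);
    p->offset  = (PAGE_BYTES - p->size) & ~7u;
    memset(p->bytes, 0, sizeof p->bytes);
    memset(p->bytes + p->offset + p->size, (int)FILL_PATTERN,
           PAGE_BYTES - p->offset - p->size);
    return page_va + p->offset;
}

/* Address of the Control byte that IoMarkIrpPending ORs SL_PENDING_RETURNED
 * into, for the 1-based stack location current_location. A freshly allocated
 * IRP has current_location == stack_size + 1, one slot past the last real
 * one; the creator's own completion routine also runs at that location. */
uint32_t control_va(uint32_t irp_va, int current_location)
{
    return irp_va + IRP_BYTES
         + (uint32_t)(current_location - 1) * STACK_LOC_BYTES
         + CONTROL_OFFSET;
}

/* Models IoMarkIrpPending. Returns 0, or -1 if the write leaves the page. */
int mark_pending(special_page *p, uint32_t irp_va, int current_location)
{
    uint32_t va = control_va(irp_va, current_location);
    if (va < p->page_va || va - p->page_va >= PAGE_BYTES)
        return -1;
    p->bytes[va - p->page_va] |= (uint8_t)SL_PENDING;
    return 0;
}

/* Models the check made when the block is freed: returns the address of the
 * first damaged tail byte, or 0 if the tail pattern is intact. */
uint32_t special_free_check(const special_page *p)
{
    for (uint32_t i = p->offset + p->size; i < PAGE_BYTES; i++)
        if (p->bytes[i] != FILL_PATTERN)
            return p->page_va + i;
    return 0;
}

/* Allocate an IRP, mark it pending at current_location, then free it.
 * Returns what the free-time check reports (0 = clean). */
uint32_t run_case(uint32_t page_va, int stack_size, int current_location,
                  uint32_t *irp_va_out)
{
    special_page p;
    uint32_t irp_va = special_alloc_irp(&p, page_va, stack_size);
    if (irp_va_out)
        *irp_va_out = irp_va;
    if (mark_pending(&p, irp_va, current_location) != 0)
        return 0xFFFFFFFFu;
    return special_free_check(&p);
}

int main(void)
{
    uint32_t irp_va = 0;
    /* StackSize 5 is inferred here, not given in the thread. */
    uint32_t bad = run_case(0xAB689000u, 5, 6, &irp_va);  /* fresh IRP */
    uint32_t ok  = run_case(0xAB689000u, 5, 5, NULL);     /* existing slot */
    printf("IRP at %08x, %u bytes\n",
           (unsigned)irp_va, (unsigned)irp_alloc_size(5));
    printf("location 6: corrupt byte at %08x\n", (unsigned)bad);
    printf("location 5: corrupt byte at %08x\n", (unsigned)ok);
    return 0;
}
```

With these assumptions the model reproduces both Arg1 (ab689ed8) and Arg2 (ab689fff) of the bugcheck. It shows that the corrupted byte is where a Control write on a nonexistent stack location would land, not which code made the write.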

-----Original Message-----
From: Deevi, Srinivasa [mailto:xxxxx@microtune.com]
Sent: Thursday, July 18, 2002 11:28 AM
To: NT Developers Interest List
Subject: [ntdev] Re: System Bugchecks after completing the IRP ?

Hi Mark

Yes, that is the address of the IRP. The interesting point is that when I
put in a KdPrint statement to print the address of the IRP, the driver did
not fail. When I removed it, it crashed again. How would a KdPrint help it
not to crash in this case?

thanks in advance
srinivasa


ab689ed8 does not seem to be a valid address for an IRP allocation. The OS
will allocate IRPs from nonpaged pool, using either lookaside lists or
classic pool allocations. That memory (the range ab689ed8 falls in) is
used for system PTEs and potentially expansions of the system cache. Check
the pointer you pass; it is most likely bogus.

Dan

----- Original Message -----
From: “Deevi, Srinivasa”
To: “NT Developers Interest List”
Sent: Thursday, July 18, 2002 9:03 PM
Subject: [ntdev] Re: System Bugchecks after completing the IRP ?

> Hi Dan
>
> Thanks for the reply.
>
> I allocated the IRP with IoAllocateIrp() and am trying to free it with
> IoFreeIrp().
>
> Thanks
> srinivasa
>
> -----Original Message-----
> From: Dan Partelly [mailto:xxxxx@rdsor.ro]
> Sent: Thursday, July 18, 2002 10:31 AM
> To: NT Developers Interest List
> Subject: [ntdev] Re: System Bugchecks after completing the IRP ?
>
>
> How do you allocate / free the IRPs ?

No, I am not calling IoMarkIrpPending on the allocated IRP, but on the Main
IRP which has come from the application. Also, I am using only the stack
location given by the call “IoGetNextIrpStackLocation”.

thanks
srinivasa

-----Original Message-----
From: Doron Holan [mailto:xxxxx@windows.microsoft.com]
Sent: Thursday, July 18, 2002 11:28 AM
To: NT Developers Interest List
Subject: [ntdev] Re: System Bugchecks after completing the IRP ?

Are you calling IoMarkIrpPending on the irp you allocated via
IoAllocateIrp? If so, you are marking a stack location which does not
exist, corrupting memory after the irp.

d

> 8047fce4 ffdff800 804317b5 00000000 00a23c1f
> nt!MmCheckCachedPageState+0x918
> ffdff800 8047fce4 00000001 80471398 00139718 0xffdff800
> 8047fce4 ffdff800 804317b5 00000000 00a23c1f
> nt!MmCheckCachedPageState+0x918
>
>
> FOLLOWUP_IP:
> USBD!USBD_CompleteRequest+4e
> f0759c50 5b pop ebx
>
> FOLLOWUP_NAME: MachineOwner
>
> SYMBOL_NAME: USBD!USBD_CompleteRequest+4e
>
> MODULE_NAME: USBD
>
> IMAGE_NAME: USBD
>
> STACK_COMMAND: kb
>
> BUCKET_ID: 0xC1_USBD!USBD_CompleteRequest+4e
>
> Followup: MachineOwner
> ---------
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@hollistech.com To
> unsubscribe send a blank email to %%email.unsub%%


You are currently subscribed to ntdev as: xxxxx@microtune.com
To unsubscribe send a blank email to %%email.unsub%%


You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to %%email.unsub%%


You are currently subscribed to ntdev as: xxxxx@microtune.com
To unsubscribe send a blank email to %%email.unsub%%

Hi Dan

You may be right. Probably the number of stack locations is wrong when I am
allocating the IRP. Now I increased the stack locations to 3, and it stopped
crashing. Now the allocated IRP address looks like below. Is this OK?

Allocated IRP is at 0xbc05de90
Entered Class Request Completion Routine Read
Freeing allocated IRP 0xbc05de90

Actually I am trying to send my own IOCTLs through a fake device object
mechanism in a lower filter driver. While doing that I got a request which
needs to be passed to the hardware. In this case I am creating a new IRP with
the no. of stack locations using the original PDO + 1, which was causing the
crash. Now I have increased the stack locations to + 3, and it looks like that
solved the problem.
Can you let me know if I am doing anything wrong?

thanks
srinivasa

-----Original Message-----
From: Dan Partelly [mailto:xxxxx@rdsor.ro]
Sent: Thursday, July 18, 2002 11:15 AM
To: NT Developers Interest List
Subject: [ntdev] Re: System Bugchecks after completing the IRP ?

ab689ed8 does not seem a valid address for an IRP allocation. The OS will
allocate IRPs from nonpaged pool, using either lookaside lists or
classic pool allocations. That memory (the range where ab689ed8 falls) is
used for system PTEs and potentially expansions of system cache. Check the
pointer you pass, it's most likely bogus.

Dan

----- Original Message -----
From: “Deevi, Srinivasa”
To: “NT Developers Interest List”
Sent: Thursday, July 18, 2002 9:03 PM
Subject: [ntdev] Re: System Bugchecks after completing the IRP ?

> Hi Dan
>
> Thanks for the reply.
>
> I allocated the IRP with IoAllocateIrp() and am trying to free it with
> IoFreeIrp().
>
> Thanks
> srinivasa
>
> -----Original Message-----
> From: Dan Partelly [mailto:xxxxx@rdsor.ro]
> Sent: Thursday, July 18, 2002 10:31 AM
> To: NT Developers Interest List
> Subject: [ntdev] Re: System Bugchecks after completing the IRP ?
>
>
> How do you allocate / free the IRPs?
>
>

You should always get the number of stack locations from the DeviceObject which
is the target of the request. You can't just guess how many filters are
layered in, and the stack location is advanced on every IoCallDriver(). If you
don't have enough stack locations, you will end up corrupting memory.

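The stack-location accounting described in the reply above, as a user-mode C model added here for illustration (it is not code from the thread and not WDK code): every `model_*` name and the device layout are hypothetical. In a real driver the corresponding allocation is `IoAllocateIrp(TargetDevice->StackSize, FALSE)`, and the model only counts the calls that would find no stack location instead of touching memory.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_DEVICES 16

/* Hypothetical stand-in for DEVICE_OBJECT: only the fields the accounting needs. */
typedef struct model_device {
    int stack_size;               /* mirrors DEVICE_OBJECT.StackSize */
    struct model_device *lower;   /* next-lower device, NULL at the bottom */
} model_device;

/* Hypothetical stand-in for IRP: only the stack-location bookkeeping. */
typedef struct {
    int stack_count;       /* locations allocated with the IRP */
    int current_location;  /* starts at stack_count + 1, like IRP.CurrentLocation */
} model_irp;

/* Attaching on top of a stack makes the new device one location deeper,
   which is what IoAttachDeviceToDeviceStack does for the attaching device. */
static void model_attach(model_device *upper, model_device *lower)
{
    upper->lower = lower;
    upper->stack_size = lower->stack_size + 1;
}

static model_irp model_alloc_irp(int stack_size)
{
    model_irp irp = { stack_size, stack_size + 1 };
    return irp;
}

/* One IoCallDriver() step: the callee gets the next location down.
   Returns 0 on success, -1 when the IRP has no location left for it. */
static int model_call_driver(model_irp *irp)
{
    if (irp->current_location <= 1)
        return -1;
    irp->current_location--;
    return 0;
}

/* Sends one IRP to `target` and lets every driver below pass it on.
   Returns how many calls found no stack location (0 means the IRP fits). */
static int model_send_down(const model_device *target, int irp_stack_size)
{
    model_irp irp = model_alloc_irp(irp_stack_size);
    int failures = 0;
    const model_device *d;
    int i;

    for (d = target; d != NULL; d = d->lower) {
        /* A bottom device with StackSize > 1 forwards into another stack,
           so it accounts for all of the locations it advertises. */
        int hops = (d->lower == NULL) ? d->stack_size : 1;
        for (i = 0; i < hops; i++)
            if (model_call_driver(&irp) != 0)
                failures++;
    }
    return failures;
}

/* Builds a bottom device plus `attached` devices layered on it, then sends an
   IRP to the top one. irp_stack_size < 0 means "use target->stack_size".
   Returns the failure count, or -1 for an invalid layout. */
static int model_run(int bottom_stack_size, int attached, int irp_stack_size)
{
    model_device devs[MAX_DEVICES];
    const model_device *target;
    int i;

    if (bottom_stack_size < 1 || attached < 0 || attached >= MAX_DEVICES)
        return -1;
    devs[0].stack_size = bottom_stack_size;
    devs[0].lower = NULL;
    for (i = 1; i <= attached; i++)
        model_attach(&devs[i], &devs[i - 1]);

    target = &devs[attached];
    if (irp_stack_size < 0)
        irp_stack_size = target->stack_size;
    return model_send_down(target, irp_stack_size);
}

int main(void)
{
    /* Constructed layouts: a bottom device with StackSize 1 and 3 or 4 devices above it. */
    printf("guess bottom+1, 3 attached: %d calls without a location\n", model_run(1, 3, 1 + 1));
    printf("guess bottom+3, 3 attached: %d\n", model_run(1, 3, 1 + 3));
    printf("guess bottom+3, 4 attached: %d\n", model_run(1, 4, 1 + 3));
    printf("target StackSize, 4 attached: %d\n", model_run(1, 4, -1));
    printf("one location, bottom advertises 3: %d\n", model_run(3, 0, 1));
    return 0;
}
```

A fixed guess holds only until the layout below the target changes; sizing the IRP from the target's own StackSize follows it.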

Hi Dan

Now I ended up with another problem. When I compiled it as a free build, it
again started giving me the same problem. The bugcheck code looks as shown
below:

Would there be any difference between a checked build and a free build?

thanks in advance
srinivasa

------------Bugcheck result with free build version --------------

*** Fatal System Error: 0x000000c1
(0xBA24DE90,0xBA24DFFF,0x1200016C,0x00000024)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***

Use !analyze -v to get detailed debugging information.

BugCheck C1, {ba24de90, ba24dfff, 1200016c, 24}

*** WARNING: symbols timestamp is wrong 0x39760637 0x3975dff1 for
ntoskrnl.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
USBD.SYS -
Probably caused by : USBD ( USBD!USBD_CompleteRequest+4e )

Followup: MachineOwner

nt!MmLockPagableSectionByHandle+62c:
80453d52 cc int 3
kd> !analyze -v
****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***

SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)
Special pool has detected memory corruption. Typically the current thread’s
stack bactrace will reveal the guilty party.
Arguments:
Arg1: ba24de90, address trying to free
Arg2: ba24dfff, address where bits are corrupted
Arg3: 1200016c, (reserved)
Arg4: 00000024, caller is freeing an address where bytes after the end of
the allocation have been overwritten

Debugging Details:

SPECIAL_POOL_CORRUPTION_TYPE: 24

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: C1

LAST_CONTROL_TRANSFER: from 8042c1c1 to 80453d52

STACK_TEXT:
80470e64 8042c1c1 00000003 c02e8934 0000016c
nt!MmLockPagableSectionByHandle+0x62c
804711f0 8053911f 000000c1 ba24de90 ba24dfff nt!IopWritePageToDisk+0x1b6
80471234 804689c8 ba24de90 00000000 ba24de90
nt!IopProcessNewDeviceNode+0x196
80471260 80468922 ba24de90 00000000 8041fe15 nt!MmCreateKernelStack+0x198
80471284 8041fd76 ba24de90 f09406aa ba24de90 nt!MmCreateKernelStack+0xf2
804712a4 8041f6c5 00000000 ba24de90 80a9d528
nt!FsRtlFastCheckLockForWrite+0x148
804712d0 f0759c50 84bc792b f07494ba ba24de90
nt!FsRtlFindFirstOverlappingExclusiveNode+0x5b
WARNING: Stack unwind information not available. Following frames may be
wrong.
804712f4 f074ad26 81212ad0 ba24de90 00000000 USBD!USBD_CompleteRequest+0x4e
80471344 f074a6e7 81212ad0 87309268 84689e50 uhcd+0x2d26
80471380 80462235 81212cdc 81212ad0 00000000 uhcd+0x26e7
ffdff800 8047fce4 00000001 80471398 00005921 nt!MiEndingOffset+0x54d
8047fce4 ffdff800 804317b5 00000000 00010d13 nt!MmCheckCachedPageState+0x918

FOLLOWUP_IP:
USBD!USBD_CompleteRequest+4e
f0759c50 5b pop ebx

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: USBD!USBD_CompleteRequest+4e

MODULE_NAME: USBD

IMAGE_NAME: USBD

STACK_COMMAND: kb

BUCKET_ID: 0xC1_USBD!USBD_CompleteRequest+4e

Followup: MachineOwner

-----Original Message-----
From: Dan Partelly [mailto:xxxxx@rdsor.ro]
Sent: Thursday, July 18, 2002 1:08 PM
To: NT Developers Interest List
Subject: [ntdev] Re: System Bugchecks after completing the IRP ?

You should always get the number of stack locations from DeviceObject which
is the target of the request. You cant just guess how many filters are
layered in, and stack location is advanced on every IoCallDriver(). If you
dont have enough stack locations , your will end corrupting memory.

----- Original Message -----
From: “Deevi, Srinivasa”
To: “NT Developers Interest List”
Sent: Thursday, July 18, 2002 9:57 PM
Subject: [ntdev] Re: System Bugchecks after completing the IRP ?

> Hi Dan
>
> You may be right. Probably the stack locations number is wrong while I am
> allocating IRP . Now I increased the stack locations to 3 , then it
stopped
> crashing . Now the IRP allocated address looks like below . Is this OK ?
>
> Allocated IRP is at 0xbc05de90
> Entered Class Request Completion Routine Read
> Freeing allocated IRP 0xbc05de90
>
> Actually I am trying to send my own IOCTLs through a fake device object
> mechanism in Lower filter driver . While doing that I got a request which
> need to be passed to Hardware , In this case I am creating a new IRP with
> no. of stack locations using the original PDO + 1 which was causing the
> crash . Now I have increased the stack locations to + 3 , looks like
solved
> problem .
> Can you let me know if I am doing anything wrong ?
>
> thanks
> srinivasa
>
> -----Original Message-----
> From: Dan Partelly [mailto:xxxxx@rdsor.ro]
> Sent: Thursday, July 18, 2002 11:15 AM
> To: NT Developers Interest List
> Subject: [ntdev] Re: System Bugchecks after completing the IRP ?
>
>
> ab689ed8 does not seems a valid address for a IRP allocation. The OS will
> allocate IRPs from nonpaged pool, using either lookaisde lists , either
> callsic pool allocations. That memory (range where ab689ed8 fall in ) is
> used for system PTEs and potentialy expansions of system cache. Check the
> pointer you pass , its most likely bougus.
>
> Dan
>
>
>
>
> ----- Original Message -----
> From: “Deevi, Srinivasa”
> To: “NT Developers Interest List”
> Sent: Thursday, July 18, 2002 9:03 PM
> Subject: [ntdev] Re: System Bugchecks after completing the IRP ?
>
>
> > Hi Dan
> >
> > thanks for the reply .
> >
> > I allocated the IRP with IoAllocateIrp() and trying to free with
> > IoFreeIrp().
> >
> > Thanks
> > srinivasa
> >
> > -----Original Message-----
> > From: Dan Partelly [mailto:xxxxx@rdsor.ro]
> > Sent: Thursday, July 18, 2002 10:31 AM
> > To: NT Developers Interest List
> > Subject: [ntdev] Re: System Bugchecks after completing the IRP ?
> >
> >
> > How do you allocate / free the IRPs ?
> >
> >
> > “Deevi, Srinivasa” wrote in message
> > news:xxxxx@ntdev…
> > >
> > > HI all
> > >
> > > I see following BSOD after I complete the allocated IRP in the
> completion
> > > routine . I am following the following procedure in my driver code .
> > >
> > > DispatchControl
> > > Save the Main IRP in the Context
> > > Allocate New Irp
> > > Mark Main IRP pending
> > > Set Completion routine for new IRP
> > > Call Next Level driver
> > > return status pending
> > >
> > > In Completion routine
> > > Complete Main Irp
> > > Free the IRP
> > > return STATUS_MORE_PROCESSING_REQUIRED
> > >
> > > Is there any thing wrong in the above procedure ? CAn anybody point
> where
> > I
> > > am doing wrong ?
> > >
> > > With the above procedure I am seeing the bugcheck as shown below .
> > >
> > > thanks in advance
> > > srinivasa
> > >
> > > Bug Check result
> > >
__________________________________________________
> > >
> > >
> > > Entered Create - Dispatch control
> > > Entered Class Request Completion Routine Read - Completion Routine
> > > Freeing allocated IRP - Completion Routine
> > >
> > > Fatal System Error: 0x000000c1
> > > (0xAB689ED8,0xAB689FFF,0x1E000124,0x00000024)
> > >
> > > Break instruction exception - code 80000003 (first chance)
> > >
> > > A fatal system error has occurred.
> > > > Debugger entered on first try; Bugcheck callbacks have not been invoked.
> > >
> > > A fatal system error has occurred.
> > >
> > >
> >
>

> > >
> > >
> > >
> > > * Bugcheck Analysis
> > >
> > >
> > >
> > >
> >
>

> > >
> > >
> > > Use !analyze -v to get detailed debugging information.
> > >
> > > BugCheck C1, {ab689ed8, ab689fff, 1e000124, 24}
> > >
> > >
> > > > WARNING: symbols timestamp is wrong 0x39760637 0x3975dff1 for
> > > > ntoskrnl.exe
> > > > ERROR: Symbol file could not be found. Defaulted to export symbols for
> > > > USBD.SYS -
> > > > Probably caused by : USBD ( USBD!USBD_CompleteRequest+4e )
> > >
> > > Followup: MachineOwner
> > > ---------
> > >
> > > nt!MmLockPagableSectionByHandle+62c:
> > > 80453d52 cc int 3
> > > kd> !analyze -v
> > >
> >
>

> > >
> > >
> > >
> > > * Bugcheck Analysis
> > >
> > >
> > >
> > >
> >
>

> > > ***
> > >
> > > SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)
> > > > Special pool has detected memory corruption. Typically the current thread’s
> > > > stack bactrace will reveal the guilty party.
> > > Arguments:
> > > Arg1: ab689ed8, address trying to free
> > > Arg2: ab689fff, address where bits are corrupted
> > > Arg3: 1e000124, (reserved)
> > > > Arg4: 00000024, caller is freeing an address where bytes after the end of
> > > > the allocation have been overwritten
> > >
> > > Debugging Details:
> > > ------------------
> > >
> > >
> > > SPECIAL_POOL_CORRUPTION_TYPE: 24
> > >
> > > DEFAULT_BUCKET_ID: DRIVER_FAULT
> > >
> > > BUGCHECK_STR: C1
> > >
> > > LAST_CONTROL_TRANSFER: from 8042c1c1 to 80453d52
> > >
> > > STACK_TEXT:
> > > > 80470e44 8042c1c1 00000003 c02ada24 00000124 nt!MmLockPagableSectionByHandle+0x62c
> > > > 804711d0 8053911f 000000c1 ab689ed8 ab689fff nt!IopWritePageToDisk+0x1b6
> > > > 80471214 804689c8 ab689ed8 00000000 ab689ed8 nt!IopProcessNewDeviceNode+0x196
> > > > 80471240 80468922 ab689ed8 00000000 8041fe15 nt!MmCreateKernelStack+0x198
> > > > 80471264 8041fd76 ab689ed8 ef24e57b ab689ed8 nt!MmCreateKernelStack+0xf2
> > > > 804712a4 8041f6c5 00000000 ab689ed8 82226368 nt!FsRtlFastCheckLockForWrite+0x148
> > > > 804712d0 f0759c50 841b962b f07494ba ab689ed8 nt!FsRtlFindFirstOverlappingExclusiveNode+0x5b
> > > > WARNING: Stack unwind information not available. Following frames may be wrong.
> > > > 804712f4 f074ad26 81213ad0 ab689ed8 00000000 USBD!USBD_CompleteRequest+0x4e
> > > > 80471344 f074a6e7 81213ad0 8149fe68 8297bf50 uhcd+0x2d26
> > > > 80471380 80462235 81213cdc 81213ad0 00000000 uhcd+0x26e7
> > > > ffdff800 8047fce4 00000001 80471398 00139718 nt!MiEndingOffset+0x54d
> > > > 8047fce4 ffdff800 804317b5 00000000 00a23c1f nt!MmCheckCachedPageState+0x918
> > > > ffdff800 8047fce4 00000001 80471398 00139718 0xffdff800
> > > > 8047fce4 ffdff800 804317b5 00000000 00a23c1f nt!MmCheckCachedPageState+0x918
> > >
> > >
> > > FOLLOWUP_IP:
> > > USBD!USBD_CompleteRequest+4e
> > > f0759c50 5b pop ebx
> > >
> > > FOLLOWUP_NAME: MachineOwner
> > >
> > > SYMBOL_NAME: USBD!USBD_CompleteRequest+4e
> > >
> > > MODULE_NAME: USBD
> > >
> > > IMAGE_NAME: USBD
> > >
> > > STACK_COMMAND: kb
> > >
> > > BUCKET_ID: 0xC1_USBD!USBD_CompleteRequest+4e
> > >
> > > Followup: MachineOwner
> > > ---------
> > >
> > >
> > >
> >
> >
> >


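The check behind the quoted 0xC1 report (type 0x24, bytes after the end of the allocation overwritten), as a simplified user-mode model added here; it is not code from this thread or from Windows. The `sp_*` names, the 4 KB page, the 8-byte alignment and the 0x124-byte request size are assumptions; that size is chosen because it lands the block at page offset 0xed8, the offset seen in Arg1.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE  0x1000u  /* assumed x86 page size */
#define ALIGN 8u       /* assumed allocation alignment */

/* Hypothetical model of one special-pool page; not a Windows structure. */
typedef struct { uint8_t *page; size_t off, size; uint8_t fill; } sp_alloc;

/* Put the block as close to the end of the page as alignment allows and
   stamp the whole page, including the tail "slop" bytes, with a pattern. */
static int sp_allocate(sp_alloc *a, size_t size, uint8_t fill)
{
    size_t rounded = (size + ALIGN - 1) & ~(size_t)(ALIGN - 1);
    if (size == 0 || rounded > PAGE) return -1;
    if ((a->page = malloc(PAGE)) == NULL) return -1;
    a->off = PAGE - rounded;
    a->size = size;
    a->fill = fill;
    memset(a->page, fill, PAGE);
    return 0;
}

/* Free-time check: -1 if the slop pattern is intact, otherwise the page
   offset of the first damaged byte (the model's analogue of Arg2). */
static long sp_free(sp_alloc *a)
{
    long bad = -1;
    for (size_t i = a->off + a->size; i < PAGE; i++)
        if (a->page[i] != a->fill) { bad = (long)i; break; }
    free(a->page);
    a->page = NULL;
    return bad;
}

/* Constructed scenario: zero `size` bytes plus `overrun` bytes past the
   end, then free. Returns -2 when the write would leave the page, where
   the real guard page faults at the write instead of at the free. */
static long demo_overrun(size_t size, size_t overrun, size_t *start_off)
{
    sp_alloc a;
    if (sp_allocate(&a, size, 0x5A) != 0) return -2;
    *start_off = a.off;
    if (a.off + size + overrun > PAGE) { free(a.page); return -2; }
    memset(a.page + a.off, 0, size + overrun);  /* out-of-bounds when overrun > 0 */
    return sp_free(&a);
}
```

In this model a small overrun is only noticed when the block is freed, which is why such a report names the code that frees the block and not the code that wrote past its end.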