is it a W2K's bug or my filter driver's bug?

hi

We're developing anti-virus software that includes a file filter driver.

My filter driver works well on NT 4.0 but sometimes (very rarely) raises a problem on W2K Professional.
The problem is a page fault from NTFS. The bluescreen message is

bugcheck = 0x24( NTFS_FILE_SYSTEM ) …

I'm debugging with the bugcheck code and extra parameters.

A few days ago I found the point where Windows 2000 goes down. The point is


call IoGetTopLevelIrp
push dword ptr [eax+0x14] ; of course eax == 0, so die

The code fragments exist in Ntfs!NtfsCleanupIrpContext, Ntfs!NtfsCreateCompletionRoutine,
and so on.

The call stack is

Ntfs!NtfsCleanupIrpContext+0xe0 <----- the crash point
Ntfs!NtfsCompleteRequest+0x32
Ntfs!NtfsCommonCleanup+0x24e2
Ntfs!NtfsFsdCleanup+0x113
ntoskrnl!IopfCallDriver+0x35
v3filw2k!V3filterHookRoutine+0x50 <----- my filter driver routine
ntoskrnl!ObpDecrementHandleCount+0x13c
ntoskrnl!NtClose+0x1f0
ntoskrnl!KiSystemService+0xc4
ntdll!NtClose+0xb
KERNEL32!DeleteFileW+0x24b
KERNEL32!DeleteFileA+0x15

What I want to know is as follows:

  1. I can't understand why IoGetTopLevelIrp returns 0.

We think the system never crashes during normal operation (without my filter driver),
because IoGetTopLevelIrp always returns non-zero under the same condition (as in the above call stack).

But sometimes the system crashes while my filter driver is running.
Does my filter driver affect NTFS? Is that right?
Is TopLevelIrp NULL because of my filter driver???

  2. Why doesn't the procedure (NtfsCleanupIrpContext) do a NULL check?

All routines that use IoGetTopLevelIrp always checked whether the return value was zero
or not when I was debugging NT 4.0 NTFS. But W2K does not (as in the above code fragments).

Is this correct? If so, how does NTFS make sure TopLevelIrp is not NULL in the NtfsCleanupIrpContext
routine or NtfsCreateCompletionRoutine?
(IoGetTopLevelIrp can return NULL according to the W2K DDK documentation.)

Please explain the mystery to me!!!

Best regards,
Kim SungHyun

Can you tell me a little bit more?

  • How are you reading file data in create completion?
  • Is the DeleteFile the only case where it crashes?

There may be something wrong with the reference count of the file. Is the
file in question an EXE file? If so, has it been executed?

Have you tested under FASTFAT?

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of xxxxx@ahnlab.co.kr
Sent: Monday, May 08, 2000 4:13 AM
To: File Systems Developers
Subject: [ntfsd] is it a W2K’s bug or my filter driver’s bug?

Thanks for your help!
Here is some information for your request.

  • How are you reading file data in create completion?

I don't use a completion routine. When I receive IRP_MJ_CREATE, I just call
ZwCreateFile() to open the file, do something, call ZwClose(), and then call
IoSkipCurrentIrpStackLocation() and IoCallDriver().

  • Is the DeleteFile the only case where it crashes?

No. Sometimes CreateFile, CloseFile, and so on.
There are various cases where it crashes, but the reason is the same: eax
is NULL after IoGetTopLevelIrp() is called.

  • There may be something wrong with the reference count of the file.

I think so. But why?

  • Is the file in question an EXE file? If so, has it been executed?

Sorry, I don't know the file type.

  • Have you tested under FASTFAT?

It works well, no problem!

Best regards,
Kim SungHyun
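Kim's second question (how NTFS can assume IoGetTopLevelIrp is non-NULL in NtfsCleanupIrpContext) and the ZwCreateFile/ZwClose sequence the filter runs from its IRP_MJ_CREATE dispatch routine both turn on one piece of per-thread state: the slot that IoGetTopLevelIrp and IoSetTopLevelIrp expose. The block below is an added user-mode model written for this page; it is not code from the thread, from the poster's driver, or from NTFS, and it is not a diagnosis of the crash. The IRP struct, the slot, the two "nested frame" variants and the outer request are constructed stand-ins. What it shows is the documented discipline (claim the slot only if it is NULL, clear only what you claimed) and what the outer frame sees when a nested frame on the same thread clears a slot it never owned, which is exactly the state the poster observes: a NULL top-level IRP read by completion code that does not check for it.

```c
/*
 * Model of the per-thread "top-level IRP" slot behind IoGetTopLevelIrp /
 * IoSetTopLevelIrp. Added illustration for the ntfsd thread above; compiles
 * without the DDK. All types and frames are constructed stand-ins.
 */
#include <stddef.h>
#include <stdio.h>

typedef struct IRP {
    int major_function;   /* IRP_MJ_* code, for readability only */
    int completed;
} IRP;

/* The slot lives in the thread in the real kernel; this model is
 * single-threaded, so one static variable stands in for it. */
static IRP *g_top_level_irp = NULL;

static IRP *IoGetTopLevelIrp(void) { return g_top_level_irp; }
static void IoSetTopLevelIrp(IRP *irp) { g_top_level_irp = irp; }

/* IFS-kit idiom: if nobody above us on this thread has claimed the slot,
 * we are the top-level request and own it; otherwise we are nested. */
static int fs_claim_top_level(IRP *irp)
{
    if (IoGetTopLevelIrp() == NULL) {
        IoSetTopLevelIrp(irp);
        return 1;
    }
    return 0;
}

/* Stand-in for the completion path the poster disassembled: the slot is
 * read and dereferenced with no NULL check. Here we return 0 on NULL so the
 * model reports the bad state instead of faulting like "push [eax+0x14]". */
static int fs_complete_request(IRP *irp)
{
    IRP *top = IoGetTopLevelIrp();
    if (top == NULL)
        return 0;                 /* in the real driver this is the bugcheck */
    irp->completed = 1;
    return 1;
}

/* A nested file-system entry on the same thread, e.g. the re-entry that a
 * ZwCreateFile from a filter's dispatch routine would cause. Two variants. */
static void nested_fs_request_correct(IRP *nested)
{
    int top = fs_claim_top_level(nested);   /* returns 0: outer frame owns it */
    /* ... nested work ... */
    if (top)
        IoSetTopLevelIrp(NULL);             /* release only what we claimed */
}

static void nested_fs_request_buggy(IRP *nested)
{
    fs_claim_top_level(nested);
    /* ... nested work ... */
    IoSetTopLevelIrp(NULL);                 /* wrong: clears a slot it never owned */
}

/* Outer request: claim the slot, get re-entered on the same thread, then
 * complete. Returns 1 if completion saw a top-level IRP, 0 if it saw NULL. */
typedef void (*nested_fn)(IRP *);
static int run_outer_request(nested_fn nested)
{
    IRP outer = { 0x12 /* IRP_MJ_CLEANUP */, 0 };
    IRP inner = { 0x00 /* IRP_MJ_CREATE  */, 0 };
    int top, rc;

    IoSetTopLevelIrp(NULL);                 /* fresh thread state */
    top = fs_claim_top_level(&outer);
    nested(&inner);                         /* re-entry on the same thread */
    rc = fs_complete_request(&outer);
    if (top)
        IoSetTopLevelIrp(NULL);
    return rc;
}

int main(void)
{
    printf("correct nested frame: completion saw top-level IRP = %d\n",
           run_outer_request(nested_fs_request_correct));
    printf("buggy nested frame:   completion saw top-level IRP = %d\n",
           run_outer_request(nested_fs_request_buggy));
    return 0;
}
```

The model deliberately makes the completion path tolerate NULL so it can be exercised; the defensive check it performs is the one the poster says NT 4.0's NTFS had and W2K's does not, and in kernel mode the missing check turns a protocol violation by any component on the thread into a bugcheck rather than a failed request. When debugging a crash of this shape, the question to answer is which frame on the same thread called IoSetTopLevelIrp(NULL) between the outer file system's claim and its read.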