Write Through Paging Write past EOF

Hi,

We all know that paging writes can never extend EOF. However, there seems to be an exception in NTFS paging write for the case of write through.

Basically, I perform a cache write (offset 0 to offset 100). NTFS does CcCopyWrite which eventually results in CcFlushCache. Now a reentrant paging write comes in. At this point, the FileSize and ValidDataLength attributes in the FCB structure are still 0. Yet the paging write successfully writes the page to disk (there were no subsequent paging writes, and after a reboot the file contents were persisted).

Has anyone observed similar behaviour in NTFS? I am not sure if I missed something in my analysis. If this is indeed the behaviour, does anyone know how NTFS handles such re-entrant paging writes and allows them to write past the FCB FileSize (i.e. EOF)?

In FAT32, the file sizes and VDLs are updated to the correct values before reaching the re-entrant paging write. This is consistent with what we know about paging writes.

thanks
aaron

It’s entirely up to NTFS how it updates its structures. What you describe
is unusual but not a bug. Indeed if NTFS wants to keep the lengths
somewhere else it is entirely within its rights to (I have done it, and
apart from some idiocies at the edges of Cc where the API isn’t sufficiently
rich it “just works”). Consider the situation where a file has been
extended in a transaction, what value would you expect in the FCB?

> Basically, I perform a cache write (offset 0 to offset 100). NTFS does
> CcCopyWrite which eventually results in CcFlushCache. Now a reentrant
> paging write comes in.

The word re-entrant suggests that it is NTFS which is issuing the flush. In
the FAT case write through is done by the IO subsystem so you tend to see
the cached write pre/post then an AcquireForCcFlush pre/post and then a
paging write pre/post (sequential, not re-entrant).

And if I had to guess I’d suggest that this might be a small file whose
contents are going into the MFT…

/Rod

Hi Rod,

No, this is not an MFT-resident file. EOF (FCB->FileSize) gets updated to the correct value at the end of the cache write.

The FAT and NTFS call stacks are exactly the same, CcFlushCache initiated by CcCopyWriteEx.

The difference in behaviour is FAT updates FileSize before calling CcCopyWriteEx, whereas NTFS does not.

I thought that FCB->FileSize was what all file systems use to track EOF, but it seems I cannot make that assumption anymore.

thanks
aaron