The reasons for paging IO to complete with STATUS_SUCCESS without data transfer( i.e. no-op) are as follows ( in order of decreasing probability )
write beyond the end of file , paging IO doesn’t extend files
the offset and/or data size is not sector aligned and FSD opted to no-op instead of an error ( a strange design choice )
a file has valid data length less than starting offset for Paging IO write and FSD has no reason to extend it ( e.g. there were no mappings, no caching )
a file has never been written with cached IO and has never been mapped, in that case FSD can optimize out paging IO write as “spurious”
The last two cases are common among remote file systems.
Thanks to your reply! i am a beginner of minifilter.
after reread MSDN document
i use NULL to replace ByteOffset in FltWriteFile function,because file is opende in synchronous I/O way.And the buffer i want to write into file is:
PWCH tmpbf = NULL;
size_t length = sizeof(L"123456789");
tmpbf = (PWCH)FltAllocatePoolAlignedWithTag(FltObjects->Instance, PagedPool,length,‘tmpb’);
RtlCopyMemory(tmpbf, L"123456789", length);
I really have no idea where is wrong with my code.
could you speak more specific?
This FILE_NO_INTERMEDIATE_BUFFERING flag is wrong for FltWriteFile. This is a flag for the IO Manager it doesn’t belong to the Filter Manager.
You must have a good reason to use FLTFL_IO_OPERATION_PAGING. You don’t have one. If you are using FLTFL_IO_OPERATION_PAGING the current file object offset is not used - the offset must be provided. The buffer address and offset must be page size aligned ( actually to a sector size, but they are always page size aligned in the system and FSD developers do not expect anything else ).
You must align buffer size and offset to a sector size for FLTFL_IO_OPERATION_NON_CACHED . Unless you are working with a network redirector, that might have sector size equal to 0, the buffer size is not an integral of a sector size in your example.
FILE_NO_INTERMEDIATE_BUFFERING is the issue. Your buffer has to start on
sector alignment, and you must write sector aligned length.
It is not page alignment as stated by slavaim. However, by making it page
aligned, it will work on small sector and large sector drives.
– Jamey
On Mon, Jun 19, 2017 at 8:19 AM wrote:
>
> > All flags are wrong. All three of them. > > This FILE_NO_INTERMEDIATE_BUFFERING flag is wrong for FltWriteFile. This > is a flag for the IO Manager it doesn’t belong to the Filter Manager. > > You must have a good reason to use FLTFL_IO_OPERATION_PAGING. You don’t > have one. If you are using FLTFL_IO_OPERATION_PAGING the current file > object offset is not used - the offset must be provided. The buffer address > and offset must be page size aligned ( actually to a sector size, but they > are always page size aligned in the system and FSD developers do not expect > anything else ). > > You must align buffer size and offset to a sector size for > FLTFL_IO_OPERATION_NON_CACHED . Unless you are working with a network > redirector, that might have sector size equal to 0, the buffer size is not > an integral of a sector size in your example. > > — > NTFSD is sponsored by OSR > > > MONTHLY seminars on crash dump analysis, WDF, Windows internals and > software drivers! > Details at http: > > To unsubscribe, visit the List Server section of OSR Online at < > http://www.osronline.com/page.cfm?name=ListServer> ></http:>
Thanks,Slava and Jamey !
I made a mistake,yes,FILE_NO_INTERMEDIATE_BUFFERING is not a flag for FltWrite.Thank you!
the length of tmpbf is changed to 1024?the FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET is the only flag now.
tmpofset.LowPart = 1024;
tmpofset.HighPart = 0;
after that?FltWriteFile return c0000054 ?STATUS_FILE_LOCK_CONFLICT
i`m confused…Why?
If you are still utilizing paging IO making FSD believe a call has come from the Memory Manager then it is normal for FSD to return STATUS_FILE_LOCK_CONFLICT when some resources are unavailable as the Memory Manager reattempts to flush dirty pages when STATUS_FILE_LOCK_CONFLICT is returned.
Thank you ,Slava
i change my code,the FltWriteFile function is:
tmpofset.LowPart = 8;
tmpofset.HighPart = 0;
ntst = FltWriteFile(FltObjects->Instance,
ptmpfo,
&tmpofset,
(ULONG)8,
tmpbf,
FLTFL_IO_OPERATION_NON_CACHED,
&ordlen, NULL, NULL);
and the buffer is:
char * tmpbf = NULL;
tmpbf = (char *)FltAllocatePoolAlignedWithTag(FltObjects->Instance, NonPagedPool, 8, ‘tmpb’);
RtlCopyMemory(tmpbf, L"1234567", 8);
no paging_io flag now.
when i start the service, FltWriteFile return 0,and the ordlen is 8. Does it means FltWriteFile has write buffer into file?
If so, then I cant stop service. And I also cant open other files successfully.They all have no response. It seems like the whole system are suspended. I need to close my compute to slove this situation. But the file still have nothing.
The data was allegedly written into the cache. That is why the write was successful with non zero BytesWritten value returned.
Then your filter deadlocked the system so no files can be opened and the Memory Manager was unable to flush the cache. There are myriads of reasons. Failure to complete requests properly, issuing IO when it is not allowed ( e.g when APCs are disabled ), synchronization resources not being released, synchronization resources not being acquired in correct order are among the most common.
Attach a debugger or make a memory dump and continue your investigation with !locks command output.
Thanks again,Slava!
I fix the problem,maybe not…
I find that when I run the driver for a long time, the system will hang,other files cant be opened,then I have to turn off the power directly. But if i run the driver only one time,that is to say ,the FltWriteFile is executed for one time, no matter how long the run time is, the driver could work fine. I cant understand what happened…
Whats more, when i use FILE_OPEN_IF to open a file.If the files size is big, such as 45k,the FltWriteFile will return c0000002?STATUS_NOT_IMPLEMENTED.But when i use FILE_OVERWRITE_IF,everything works fine.
All my test is on vmware win7_32 ,notepad
I really want to know why.Thank you!
Because you are using FLTFL_IO_OPERATION_NON_CACHED flag to write a buffer which size is not multiple of a sector size.
The file system rounds the buffer size to the sector size and founds that it will overwrite some valid data at the end of the sector with garbage from a user address space( it is safe to touch beyond user buffer as pages will be probed and locked ).
FSD might decide to continue if the overwritten portion doesn’t contain valid data which is a case of FILE_OVERWRITE_IF when an empty file is created.
STATUS_NOT_IMPLEMENTED is returned because to support such unaligned non cached IO a file system driver should either use cached IO or use an intermediate buffering and issue a non cached read IO to fill its portion with valid data.
Really thank you for your reply! But I still have the same problem “I find that when I run the driver for a long time, the system will hang,other files can`t be opened,then I have to turn off the power directly.”
FltCreateFileEx(FltObjects->Filter,
FltObjects->Instance,
&hfile,
&ptmpfo,
FILE_GENERIC_WRITE | FILE_WRITE_DATA,
&oa,
&iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_OVERWRITE_IF,
FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_ALERT,
NULL,
0,
IO_IGNORE_SHARE_ACCESS_CHECK
);
FltWriteFile(FltObjects->Instance,
ptmpfo,
NULL,
strlen(temp),
tmpbf,
0,
&ordlen,
NULL, NULL);
that`s the code update , could you tell me where are wrong ? And how to fix them ?
there are few people around me study minifilter or other kind of driver , so i need to ask all the questions online. Thank you !