ObReferenceObjectByPointer(FileObject) causing REFERENCE_BY_POINTER (18)

Jorgen_Lundman

REFERENCE_BY_POINTER (18)
Arguments:
Arg1: 0000000000000000, Object type of the object whose reference count is being lowered
Arg2: ffffb686dcf273e0, Object whose reference count is being lowered
Arg3: 0000000000000010, Reserved
Arg4: 0000000000000001, Reserved
The reference count of an object is illegal for the current state of the object.

fffff50d2051ec18 fffff805262bf74b : 0000000000000018 0000000000000000 ffffb686dcf273e0 0000000000000010 : nt!KeBugCheckEx
fffff50d2051ec20 fffff80540f132b3 : ffffb686e0b08920 0000000000000002 deadbeefdeadbeef ffffb6876c7c70c0 : nt!ObReferenceObjectByPointer+0x1d999b
fffff50d2051ec60 fffff8054118f5fb : 0000000000000111 ffffb686a1e36500 0000000000000889 fffff805411cc29a : OpenZFS!vflush+0x193 [C:\src\openzfs\module\os\windows\spl\spl-vnode.c @ 1503]

            try {
                Status = ObReferenceObjectByPointer(
                    fileobject, 
                    0,
                    *IoFileObjectType,
                    KernelMode);
            } except(EXCEPTION_EXECUTE_HANDLER) {
                Status = GetExceptionCode();
            }

2: kd> dt fileobject
Local var @ 0xfffff50d2051eca0 Type _FILE_OBJECT*
0xffffb686dcf273e0 +0x000 Type : 0n5 +0x002 Size : 0n216 +0x008 DeviceObject : 0xffffb686dd1cdb10 _DEVICE_OBJECT
+0x010 Vpb : 0xffffb686e3feb4e0 _VPB +0x018 FsContext : 0xffffb686a3f82008 Void
+0x020 FsContext2 : 0xffffb686aa6d40d0 Void +0x028 SectionObjectPointer : 0xffffb686a3f82098 _SECTION_OBJECT_POINTERS
+0x030 PrivateCacheMap : (null)
+0x038 FinalStatus : 0n132
+0x040 RelatedFileObject : (null)
+0x048 LockOperation : 0 ''
+0x049 DeletePending : 0 ''
+0x04a ReadAccess : 0x1 ''
+0x04b WriteAccess : 0x1 ''
+0x04c DeleteAccess : 0x1 ''
+0x04d SharedRead : 0 ''
+0x04e SharedWrite : 0 ''
+0x04f SharedDelete : 0 ''
+0x050 Flags : 0x44442
+0x058 FileName : _UNICODE_STRING "\curtin\cut_Assignment1_Semester1_2020.git\logs\refs\heads"
+0x068 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x070 Waiters : 0
+0x074 Busy : 0
+0x078 LastLock : (null)
+0x080 Lock : _KEVENT
+0x098 Event : _KEVENT
+0x0b0 CompletionContext : (null)
+0x0b8 IrpListLock : 0
+0x0c0 IrpList : _LIST_ENTRY [ 0xffffb686dcf274a0 - 0xffffb686dcf274a0 ]
+0x0d0 FileObjectExtension : (null)

2: kd> !object 0xffffb686`dcf273e0
Object: ffffb686dcf273e0 Type: (ffffb68692d34d20) File
ObjectHeader: ffffb686dcf273b0 (new version)
HandleCount: 0 PointerCount: 1
Directory Object: 00000000 Name: \curtin\cut.git\logs\refs\heads {Volume{f6c8424b-073d-3824-9868-}

Isn't PointerCount:1 and HandleCount:0 perfectly valid? I'm calling ObReferenceObjectByPointer() to increase PointerCount so I can use "fileobject". Is there something I need to call
before ObReferenceObjectByPointer()? Or, is it something else wrong, and this is just when it reports it to me? Why does it keep saying "lowered" in the text, ObReferenceObjectByPointer() is increasing it right?

rod_widdowson

See here

The ObReferenceObjectByPointer routine increments the pointer reference count for a given object.

i.e. ObReferenceObjectByPointer increments the HANDLE count, you handle count is zero hence the bugcheck.

I'm calling ObReferenceObjectByPointer() to increase PointerCount so I can use "fileobject".

You probably need ObReferenceObject which increments the refence count. See here

The ObReferenceObject routine increments the reference count to the given object.

Jorgen_Lundman

But.. but.. from the docs/link:
"The ObReferenceObjectByPointer routine increments the pointer reference count for a given object"

Are the docs just wrong then?

rod_widdowson

No, an object has two reference counts. One for handles (the ‘pointer reference count’) and one for itself (the ‘reference count’).