Hi,
I am working on a minifilter driver based on the shadow file object design.
In IRP_MJ_CLOSE, we try to delete the lowerfileobject through ObDereferenceObject, but after a random number of file create->read/write->close iterations, it crashes.
EXCEPTION_RECORD: ffffcf01832a7298 -- (.exr 0xffffcf01832a7298)
ExceptionAddress: fffff802410f3caf (nt!ExAcquireFastMutex+0x00000000000000cf)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 00000000000001b7
Attempt to write to address 00000000000001b7
CONTEXT: ffffcf01832a6ae0 -- (.cxr 0xffffcf01832a6ae0)
rax=0000000000000000 rbx=0000000000000000 rcx=7ffffffffffffffc
rdx=000000000000003a rsi=ffff960a2f47e3c0 rdi=00000000000001b7
rip=fffff802410f3caf rsp=ffffcf01832a74d0 rbp=0000000000000001
r8=00000000ffffffff r9=ffff960a2d080880 r10=0000000000000000
r11=ffff960a2f47e040 r12=0000000000000000 r13=ffff960a2d978420
r14=0000000000000000 r15=0000000000000012
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!ExAcquireFastMutex+0xcf:
fffff802410f3caf f00fba3700 lock btr dword ptr [rdi],0 ds:002b:00000000000001b7=???
Call stack:
STACK_TEXT:
ffffcf01832a74d0 fffff8027e43307c : ffffffffffffffff ffff960a00000001 ffff960a2f4d9638 ffff960a2f4d95e8 : nt!ExAcquireFastMutex+0xcf
ffffcf01832a7510 fffff8027e40360a : ffffcf01832a75e0 ffff960a2e47d860 ffff960a2d9437e0 ffff960a2eb2e020 : FLTMGR!FltpCleanupFileObjectContextForCleanup+0x4c
ffffcf01832a7540 fffff8027e40312e : ffff960a2d080880 ffff960a2f4d95e8 ffff960a2eb2e020 ffff960a2d673080 : FLTMGR!FltpPassThrough+0x42a
ffffcf01832a75c0 fffff802414e15a0 : ffff960a2e47d860 ffff960a2d943040 0000000000000000 ffff960a2f8bbbe8 : FLTMGR!FltpDispatch+0x9e
ffffcf01832a7620 fffff802415ea926 : 0000000000000001 ffff960a2e47d860 0000000000000001 0000000000000000 : nt!IopCloseFile+0x150
ffffcf01832a76b0 fffff802414fd2e8 : ffffcf01832a7929 0000000000000000 ffff960a2d14cf20 0000000010000004 : nt!IopDeleteFile+0x109746
ffffcf01832a7730 fffff8024111cf21 : 0000000000000000 0000000000000000 ffffcf01832a7929 ffff960a2e47d860 : nt!ObpRemoveObjectRoutine+0x78
ffffcf01832a7790 fffff8027f960f87 : 0000000000000000 ffff960a2ea2dc00 ffff960a2d9784a0 0000000000000000 : nt!ObfDereferenceObject+0xa1
ffffcf01832a77d0 fffff8027e4046ca : ffff960a2ea2dcd8 ffffcf01832a7900 ffffcf01832a78e0 ffff960a2d9437e0 : MyDriver!PfmCloseCallback+0x437
ffffcf01832a7880 fffff8027e404278 : ffffcf01832a7a60 ffff960a2f797900 0000000000000002 ffff960a2f142000 : FLTMGR!FltpPerformPreCallbacks+0x2ea
ffffcf01832a7990 fffff8027e403386 : ffff960a2f142010 ffffcf01832a7a60 ffff960a2f142010 ffffcf01832a7a70 : FLTMGR!FltpPassThroughInternal+0x88
ffffcf01832a79c0 fffff8027e40312e : fffffffffffe7960 0000000000000000 ffff960a2f142368 0000000000000000 : FLTMGR!FltpPassThrough+0x1a6
ffffcf01832a7a40 fffff802810f10f5 : ffff960a2f142320 ffff960a2fdbb520 0000000000000000 0000000000000001 : FLTMGR!FltpDispatch+0x9e
ffffcf01832a7aa0 fffff802810fd1d4 : ffff960a2f142010 0000000000000001 ffff960a2f142010 0000000000000190 : FSpy+0x10f5
ffffcf01832a7b10 fffff802414e130d : ffff960a2f142010 ffff960a2d297080 ffff960a2f142010 ffff960a2f4e2ec0 : FSpy+0xd1d4
ffffcf01832a7b40 fffff802414fd2e8 : fffff8024146630c 0000000000000001 ffff960a2d14cf20 0000000000000001 : nt!IopDeleteFile+0x12d
ffffcf01832a7bc0 fffff802414665e0 : 0000000000000000 ffff960a2d297050 fffff8024146630c fffff80241314f40 : nt!ObpRemoveObjectRoutine+0x78
ffffcf01832a7c20 fffff802410dae09 : ffff960a2f47e040 fffff8024146630c fffff80241314f40 fffff802413cf280 : nt!ObpProcessRemoveObjectQueue+0x2d4
ffffcf01832a7cc0 fffff802410ab2c1 : ffff960a2f47e040 0000000000000080 ffff960a2d021040 ffff960a2f47e040 : nt!ExpWorkerThread+0xe9
ffffcf01832a7d50 fffff80241178c76 : ffffcf017ffc7180 ffff960a2f47e040 fffff802410ab280 0000000002000005 : nt!PspSystemThreadStartup+0x41
ffffcf01832a7da0 0000000000000000 : ffffcf01832a8000 ffffcf01832a2000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16
Can anyone please help me understand this issue?
Thanks a lot in advance!
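As an added triage example (my code, not the original poster's), here is the stack from the post rejoined to one frame per line and fed through a small parser that answers the questions a reviewer asks first of a dump like this: which frame faulted, which frame is the innermost one outside nt and FLTMGR, and which kernel functions appear twice on the stack with a driver frame between the two occurrences. The set of modules treated as "system" and the regular expression for a WinDbg x64 frame line are assumptions of the example, not WinDbg definitions.

```python
"""Triage helper for a WinDbg STACK_TEXT block (added example, not the poster's code)."""
import re

# Sample input: the STACK_TEXT from the post above, rejoined to one frame per line.
STACK_TEXT = """\
ffffcf01832a74d0 fffff8027e43307c : ffffffffffffffff ffff960a00000001 ffff960a2f4d9638 ffff960a2f4d95e8 : nt!ExAcquireFastMutex+0xcf
ffffcf01832a7510 fffff8027e40360a : ffffcf01832a75e0 ffff960a2e47d860 ffff960a2d9437e0 ffff960a2eb2e020 : FLTMGR!FltpCleanupFileObjectContextForCleanup+0x4c
ffffcf01832a7540 fffff8027e40312e : ffff960a2d080880 ffff960a2f4d95e8 ffff960a2eb2e020 ffff960a2d673080 : FLTMGR!FltpPassThrough+0x42a
ffffcf01832a75c0 fffff802414e15a0 : ffff960a2e47d860 ffff960a2d943040 0000000000000000 ffff960a2f8bbbe8 : FLTMGR!FltpDispatch+0x9e
ffffcf01832a7620 fffff802415ea926 : 0000000000000001 ffff960a2e47d860 0000000000000001 0000000000000000 : nt!IopCloseFile+0x150
ffffcf01832a76b0 fffff802414fd2e8 : ffffcf01832a7929 0000000000000000 ffff960a2d14cf20 0000000010000004 : nt!IopDeleteFile+0x109746
ffffcf01832a7730 fffff8024111cf21 : 0000000000000000 0000000000000000 ffffcf01832a7929 ffff960a2e47d860 : nt!ObpRemoveObjectRoutine+0x78
ffffcf01832a7790 fffff8027f960f87 : 0000000000000000 ffff960a2ea2dc00 ffff960a2d9784a0 0000000000000000 : nt!ObfDereferenceObject+0xa1
ffffcf01832a77d0 fffff8027e4046ca : ffff960a2ea2dcd8 ffffcf01832a7900 ffffcf01832a78e0 ffff960a2d9437e0 : MyDriver!PfmCloseCallback+0x437
ffffcf01832a7880 fffff8027e404278 : ffffcf01832a7a60 ffff960a2f797900 0000000000000002 ffff960a2f142000 : FLTMGR!FltpPerformPreCallbacks+0x2ea
ffffcf01832a7990 fffff8027e403386 : ffff960a2f142010 ffffcf01832a7a60 ffff960a2f142010 ffffcf01832a7a70 : FLTMGR!FltpPassThroughInternal+0x88
ffffcf01832a79c0 fffff8027e40312e : fffffffffffe7960 0000000000000000 ffff960a2f142368 0000000000000000 : FLTMGR!FltpPassThrough+0x1a6
ffffcf01832a7a40 fffff802810f10f5 : ffff960a2f142320 ffff960a2fdbb520 0000000000000000 0000000000000001 : FLTMGR!FltpDispatch+0x9e
ffffcf01832a7aa0 fffff802810fd1d4 : ffff960a2f142010 0000000000000001 ffff960a2f142010 0000000000000190 : FSpy+0x10f5
ffffcf01832a7b10 fffff802414e130d : ffff960a2f142010 ffff960a2d297080 ffff960a2f142010 ffff960a2f4e2ec0 : FSpy+0xd1d4
ffffcf01832a7b40 fffff802414fd2e8 : fffff8024146630c 0000000000000001 ffff960a2d14cf20 0000000000000001 : nt!IopDeleteFile+0x12d
ffffcf01832a7bc0 fffff802414665e0 : 0000000000000000 ffff960a2d297050 fffff8024146630c fffff80241314f40 : nt!ObpRemoveObjectRoutine+0x78
ffffcf01832a7c20 fffff802410dae09 : ffff960a2f47e040 fffff8024146630c fffff80241314f40 fffff802413cf280 : nt!ObpProcessRemoveObjectQueue+0x2d4
ffffcf01832a7cc0 fffff802410ab2c1 : ffff960a2f47e040 0000000000000080 ffff960a2d021040 ffff960a2f47e040 : nt!ExpWorkerThread+0xe9
ffffcf01832a7d50 fffff80241178c76 : ffffcf017ffc7180 ffff960a2f47e040 fffff802410ab280 0000000002000005 : nt!PspSystemThreadStartup+0x41
ffffcf01832a7da0 0000000000000000 : ffffcf01832a8000 ffffcf01832a2000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16
"""

# Assumption: frames from these modules are "the OS"; everything else is a driver.
SYSTEM_MODULES = {"nt", "FLTMGR"}

# Child-SP RetAddr : Arg1 Arg2 Arg3 Arg4 : Call Site   (x64; addresses may carry a backtick)
_ADDR = r"[0-9a-f`]{16,17}"
_FRAME_RE = re.compile(
    r"^(?P<sp>%s)\s+(?P<ret>%s)\s*:\s*(?P<args>%s(?:\s+%s){3})\s*:\s*(?P<site>\S+)$"
    % (_ADDR, _ADDR, _ADDR, _ADDR)
)

def _split_site(site):
    """'nt!IopDeleteFile+0x12d' -> ('nt', 'IopDeleteFile'); 'FSpy+0x10f5' -> ('FSpy', '')."""
    if "!" in site:
        module, symbol = site.split("!", 1)
    else:  # no symbols for this module: WinDbg prints only module+offset
        module, symbol = site.split("+", 1)[0], ""
    return module, symbol.split("+", 1)[0]

def parse_stack(text):
    """Return frames innermost-first; header lines and anything unparseable are skipped."""
    frames = []
    for line in text.splitlines():
        m = _FRAME_RE.match(line.strip())
        if not m:
            continue
        module, function = _split_site(m.group("site"))
        frames.append({
            "sp": m.group("sp").replace("`", ""),
            "ret": m.group("ret").replace("`", ""),
            "args": m.group("args").split(),
            "site": m.group("site"),
            "module": module,
            "function": function,
        })
    return frames

def innermost_driver_frame(frames, system_modules=SYSTEM_MODULES):
    """(index, frame) of the first frame, walking outwards from the fault, not owned by the OS."""
    for index, frame in enumerate(frames):
        if frame["module"] not in system_modules:
            return index, frame
    return None

def repeated_functions(frames):
    """Functions that occur more than once on the stack -> list of their frame indices."""
    seen = {}
    for index, frame in enumerate(frames):
        if frame["function"]:
            seen.setdefault(frame["function"], []).append(index)
    return {name: idx for name, idx in seen.items() if len(idx) > 1}

def reentry_path(frames, function):
    """Call sites between the innermost and the next occurrence of `function`.
    A driver frame in this list means the driver re-triggered `function`
    while the kernel was already executing it."""
    hits = repeated_functions(frames).get(function)
    if not hits:
        return []
    return [f["site"] for f in frames[hits[0] + 1:hits[1]]]

if __name__ == "__main__":
    frames = parse_stack(STACK_TEXT)
    print("faulting frame        :", frames[0]["site"])
    index, frame = innermost_driver_frame(frames)
    print("innermost driver frame: #%d %s" % (index, frame["site"]))
    for name, where in sorted(repeated_functions(frames).items()):
        print("re-entered %-24s at frames %s" % (name, where))
    print("between IopDeleteFile calls:", " <- ".join(reentry_path(frames, "IopDeleteFile")))
```

Run stand-alone it reports nt!ExAcquireFastMutex+0xcf as the faulting frame, MyDriver!PfmCloseCallback+0x437 as the innermost driver frame, and IopDeleteFile and ObpRemoveObjectRoutine each present twice, with the minifilter's pre-close callback sitting between the two occurrences. That is the shape of the stack worth explaining: the ObDereferenceObject issued from the IRP_MJ_CLOSE pre-callback drove a second close and delete of a file object (through FltMgr, where FltpCleanupFileObjectContextForCleanup faulted writing to 0x1b7, a small offset from a null base) while the outer delete on the worker thread was still in progress.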