I have an AV-style mini-filter and use FltIsDirectory to determine directories and ignore them without adding them to my stream handle context. The moment I turn on the File-Based Write Filter (fbwf) on Embedded POSReady 2009, the system crashes (BSOD) with NULL_CLASS_PTR_DEREFERENCE in the post-create callback of my driver. This problem is specific to the POSReady 2009 OS and is not seen on Win XP SP3, Win 7, or POSReady 7 systems.
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001902fe
Arg2: f6c72548
Arg3: f6c72244
Arg4: f7689736
Debugging Details:
EXCEPTION_RECORD: f6c72548 -- (.exr 0xfffffffff6c72548)
ExceptionAddress: f7689736 (Ntfs!NtfsDecodeFileObject+0x00000037)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000004
Attempt to read from address 00000004
CONTEXT: f6c72244 -- (.cxr 0xfffffffff6c72244)
eax=00000000 ebx=f6c72700 ecx=00000000 edx=f6c7264c esi=f6c7265c edi=f6c7288c
eip=f7689736 esp=f6c72610 ebp=f6c72614 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
Ntfs!NtfsDecodeFileObject+0x37:
f7689736 8b4804 mov ecx,dword ptr [eax+4] ds:0023:00000004=???
Resetting default scope
PROCESS_NAME: rundll32.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000004
READ_ADDRESS: 00000004
FOLLOWUP_IP:
Ntfs!NtfsDecodeFileObject+37
f7689736 8b4804 mov ecx,dword ptr [eax+4]
FAULTING_IP:
Ntfs!NtfsDecodeFileObject+37
f7689736 8b4804 mov ecx,dword ptr [eax+4]
BUGCHECK_STR: 0x24
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from f76b0edc to f7689736
STACK_TEXT:
f6c72614 f76b0edc f6c72700 f6c72cc0 f6c72650 Ntfs!NtfsDecodeFileObject+0x37
f6c72688 f76af49c f6c72700 86571e48 8672a380 Ntfs!NtfsCommonQueryInformation+0x56
f6c726ec f76af4d5 f6c72700 86571e48 00000001 Ntfs!NtfsFsdDispatchSwitch+0x12a
f6c72810 804e37f7 862aa020 86571e48 86671280 Ntfs!NtfsFsdDispatchWait+0x1c
f6c72820 f773e459 f6c72864 804e37f7 8672a380 nt!IopfCallDriver+0x31
f6c72828 804e37f7 8672a380 86571e48 86571e48 sr!SrPassThrough+0x31
f6c72838 f77627a9 00000000 86359738 00000000 nt!IopfCallDriver+0x31
f6c72864 f7764d56 8672a380 f6c72cc0 f6c7288c fltmgr!FltpQueryInformationFile+0x99
f6c728ac f7765329 8672a5b8 00000000 80552000 fltmgr!SetStreamListStandardInformationFlags+0x7e
f6c728d0 f614b869 f6c72cc0 86359738 859add58 fltmgr!FltIsDirectory+0x4b
f6c728f4 f614bf33 8649ba2c f6c72930 00000001 mytestdriver!StartTrace+0x95
f6c7290c f7750ef3 8649ba2c f6c72930 00000000 mytestdriver!PostCreateCallback+0x3b
f6c72974 f7753338 0049b9d0 00000000 8649b9d0 fltmgr!FltpPerformPostCallbacks+0x1c5
f6c72988 f7753867 8649b9d0 864f06a8 f6c729c8 fltmgr!FltpProcessIoCompletion+0x10
f6c72998 f7753d24 862dc2b0 864f06a8 8649b9d0 fltmgr!FltpPassThroughCompletion+0x89
f6c729c8 f7760754 f6c729e8 00000000 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x94
f6c72a04 804e37f7 862dc2b0 864f06a8 864f06a8 fltmgr!FltpCreate+0x26a
f6c72a14 8056c712 86433018 864982b4 f6c72bbc nt!IopfCallDriver+0x31
f6c72af4 80563fec 86433030 00000000 86498210 nt!IopParseDevice+0xa12
f6c72b7c 805684da 00000000 f6c72bbc 00000040 nt!ObpLookupObjectName+0x56a
f6c72bd0 805745a3 00000000 00000000 8621eb01 nt!ObOpenObjectByName+0xeb
f6c72d54 804de7ec 0007f428 0007f400 0007f454 nt!NtQueryAttributesFile+0xf1
f6c72d54 7c90e4f4 0007f428 0007f400 0007f454 nt!KiFastCallEntry+0xf8
0007f3e0 7c90d6fc 7c916ea2 0007f428 0007f400 ntdll!KiFastSystemCallRet
0007f3e4 7c916ea2 0007f428 0007f400 0007f7dc ntdll!NtQueryAttributesFile+0xc
0007f454 7c916f13 0007f464 00000001 00420040 ntdll!RtlDoesFileExists_UstrEx+0x6b
0007f46c 7c9172f3 0007f7dc 00000001 0007f7cc ntdll!RtlDoesFileExists_UEx+0x27
0007f48c 7c916023 00093bd8 0007f7dc 00000000 ntdll!RtlDosSearchPath_U+0x1f
0007f754 7c91621b 00093bd8 0007f7cc 00000000 ntdll!LdrpCheckForLoadedDll+0x18c
0007fa10 7c9164b3 00000000 00093bd8 0007fd04 ntdll!LdrpLoadDll+0x1ba
0007fcb8 7c801bbd 00093bd8 0007fd04 0007fce4 ntdll!LdrLoadDll+0x230
0007fd20 7c80aeec 4ffcb390 00000000 00000000 kernel32!LoadLibraryExW+0x18e
0007fd34 4ffb4e2d 4ffcb390 00000000 000ac9d8 kernel32!LoadLibraryW+0x11
0007fd44 4ffb991f 00000000 00000001 0007fea4 bthprops!CplAddRef+0x3c
0007fd60 4ffb442e 00000000 0007fed0 4ffb3ea3 bthprops!BluetoothRegisterForAuthentication+0x60
0007fd78 4ffb49c8 0007fdf0 4ffb4916 0007fdb4 bthprops!CAuthenticationAgent::RegisterForAuthentication+0x1c
0007fd88 7e418734 000100c4 00000113 00000001 bthprops!CAuthenticationAgent::s_WndProc+0xb2
WARNING: Stack unwind information not available. Following frames may be wrong.
0007fdb4 7e418816 4ffb4916 000100c4 00000113 USER32!GetDC+0x6d
0007fe1c 7e4189cd 00098c88 4ffb4916 000100c4 USER32!GetDC+0x14f
0007fe7c 7e418a10 0007fefc 00000000 0007ff18 USER32!GetWindowLongW+0x127
0007fe8c 4ffb4c74 0007fefc 00000001 00000000 USER32!DispatchMessageW+0xf
0007ff18 01001abb 000300ba 01000000 000aa908 bthprops!BluetoothAuthenticationAgent+0xe5
0007ff60 01001bcf 01000000 00000000 00020622 rundll32!WinMainT+0x104
0007ffc0 7c817067 80000001 015cea68 7ffde000 rundll32!_ModuleEntry+0x84
0007fff0 00000000 01001bdc 00000000 78746341 kernel32!BaseProcessStart+0x23
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Ntfs!NtfsDecodeFileObject+37
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 48025be5
STACK_COMMAND: .cxr 0xfffffffff6c72244 ; kb
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsDecodeFileObject+37
BUCKET_ID: 0x24_Ntfs!NtfsDecodeFileObject+37
Followup: MachineOwner
The closest link I found is this one, but I have a few questions regarding that link too:
http://www.osronline.com/showThread.cfm?link=104827
There, the crash was happening because “Windows System Image Manager” uses wimfltr.sys, which controls the file objects.
However, FltIsDirectory was sending the IRP to NTFS, resulting in it parsing FsContext structures it is not aware of and crashing.
The suggested solution was to determine that the driver owns the file objects and not invoke FltIsDirectory in such cases.
According to MSDN, fbwf redirects all I/O for a protected volume to an overlay RAM cache. So it looks like fbwf should be the one owning the file objects (the same case as in the above link).
a) The code already checks that the status is success (and this was not a STATUS_REPARSE status either) and only then invokes FltIsDirectory.
b) The file object fields (Vpb, FsContext) all seem to be valid in this case.
c) The system restore object (sr) seems to be misplaced, but Alex C's excellent post answers the question for me:
http://fsfilters.blogspot.com/2011/11/investigating-srsys-issue.html
d) The crash in NtfsDecodeFileObject requires me to trace the parameters passed from almost 6-7 functions. It looks like it is crashing when accessing FsContext structures, but I am not sure.
So, given the above, am I on the right path? What do I need to do to confirm? And, most importantly, how do I detect and fix it so that it would not crash?
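As an added illustration (not the poster's code, and not a fix for the fbwf question itself), the helper below collects the pre-checks from point (a) and adds the one piece of information a post-create callback already holds for free: the create options. A create that succeeded with FILE_DIRECTORY_FILE set can only have opened a directory, and one with FILE_NON_DIRECTORY_FILE set can only have opened a non-directory, so neither needs the FltIsDirectory round trip to NTFS that appears in the stack above. It also skips the call while the instance is draining. The constant values are copied from the public WDK headers so the file builds in user mode; the sample create completions are constructed. Note that the crashing open in the stack came from NtQueryAttributesFile, which passes no directory hint, so on that path the decision still ends in a file-system query and the ownership question from the OSR thread remains open.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constant values copied from the public Windows headers (ntstatus.h, ntifs.h,
 * fltKernel.h) so this file builds in user mode without the WDK. */
#define STATUS_SUCCESS                ((int32_t)0x00000000)
#define STATUS_REPARSE                ((int32_t)0x00000104)
#define STATUS_OBJECT_NAME_NOT_FOUND  ((int32_t)0xC0000034)
#define FILE_DIRECTORY_FILE           0x00000001u
#define FILE_NON_DIRECTORY_FILE       0x00000040u
#define FILE_VALID_OPTION_FLAGS       0x00FFFFFFu   /* low 24 bits of Create.Options */
#define FLTFL_POST_OPERATION_DRAINING 0x00000001u
#define NT_SUCCESS(Status)            ((int32_t)(Status) >= 0)

typedef enum {
    DIR_CHECK_SKIP,            /* do not touch the file object at all */
    DIR_CHECK_KNOWN_DIRECTORY, /* create options prove it is a directory */
    DIR_CHECK_KNOWN_FILE,      /* create options prove it is not a directory */
    DIR_CHECK_QUERY_FS         /* only now is FltIsDirectory worth calling */
} DirCheckDecision;

/* Decide, from what a post-create callback already has in hand, whether
 * FltIsDirectory (which sends a query IRP down to the file system) needs to
 * be called at all. The inputs correspond to Data->IoStatus.Status,
 * Data->Iopb->Parameters.Create.Options, the callback's Flags argument and
 * FltObjects->FileObject != NULL. */
DirCheckDecision DecideDirectoryCheck(int32_t ioStatus, uint32_t createOptions,
                                      uint32_t postOpFlags, bool haveFileObject)
{
    /* Instance is being torn down: the file object may be going away. */
    if (postOpFlags & FLTFL_POST_OPERATION_DRAINING)
        return DIR_CHECK_SKIP;
    /* Failed create: there is no opened file behind the file object. */
    if (!NT_SUCCESS(ioStatus))
        return DIR_CHECK_SKIP;
    /* STATUS_REPARSE is a success code, but the create is being re-issued
     * elsewhere and this file object is not an opened file. */
    if (ioStatus == STATUS_REPARSE || !haveFileObject)
        return DIR_CHECK_SKIP;

    /* The high byte of Options carries the disposition, not option flags. */
    uint32_t options = createOptions & FILE_VALID_OPTION_FLAGS;
    /* FILE_DIRECTORY_FILE makes the create fail unless the target is a
     * directory, so a successful create with it set needs no further query. */
    if (options & FILE_DIRECTORY_FILE)
        return DIR_CHECK_KNOWN_DIRECTORY;
    /* Likewise FILE_NON_DIRECTORY_FILE fails on directories. */
    if (options & FILE_NON_DIRECTORY_FILE)
        return DIR_CHECK_KNOWN_FILE;
    /* No hint was given (e.g. NtQueryAttributesFile opens): the only way to
     * know is to ask the file system. */
    return DIR_CHECK_QUERY_FS;
}

/* Constructed sample of create completions as a post-create callback would
 * see them; not taken from a real trace. */
typedef struct {
    const char *label;
    int32_t status;
    uint32_t createOptions;
    uint32_t flags;
    bool haveFileObject;
} SampleCreate;

static const SampleCreate kSamples[] = {
    { "explorer opens a directory", STATUS_SUCCESS, FILE_DIRECTORY_FILE, 0, true },
    { "notepad opens a file",       STATUS_SUCCESS, FILE_NON_DIRECTORY_FILE, 0, true },
    { "NtQueryAttributesFile open", STATUS_SUCCESS, 0, 0, true },
    { "symlink hit",                STATUS_REPARSE, 0, 0, true },
    { "missing file",               STATUS_OBJECT_NAME_NOT_FOUND, 0, 0, false },
    { "instance draining",          STATUS_SUCCESS, 0, FLTFL_POST_OPERATION_DRAINING, true },
};

/* Count how many of the samples would still reach FltIsDirectory. */
size_t CountQueriesNeeded(void)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof kSamples / sizeof kSamples[0]; i++)
        if (DecideDirectoryCheck(kSamples[i].status, kSamples[i].createOptions,
                                 kSamples[i].flags, kSamples[i].haveFileObject) == DIR_CHECK_QUERY_FS)
            n++;
    return n;
}

int main(void)
{
    static const char *names[] = { "skip", "known directory", "known file", "query file system" };
    for (size_t i = 0; i < sizeof kSamples / sizeof kSamples[0]; i++) {
        DirCheckDecision d = DecideDirectoryCheck(kSamples[i].status, kSamples[i].createOptions,
                                                  kSamples[i].flags, kSamples[i].haveFileObject);
        printf("%-28s -> %s\n", kSamples[i].label, names[d]);
    }
    printf("%zu of %zu creates need FltIsDirectory\n", CountQueriesNeeded(),
           sizeof kSamples / sizeof kSamples[0]);
    return 0;
}
```

In the real callback the call would be `FltIsDirectory(FltObjects->FileObject, FltObjects->Instance, &isDir)` only when the decision is DIR_CHECK_QUERY_FS; a failing status from it should be treated as "unknown" rather than "not a directory". That still leaves the hint-less opens, so it reduces exposure but does not replace the ownership check the OSR thread describes.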