BSOD by fileinfo.sys

Hi, all
Recently I got a problem with fileinfo.sys.
My target platform is :
Windows 7 Kernel Version 7600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16617.amd64fre.win7_gdr.100618-1621

And the following is the call stack:
Child-SP          RetAddr           Call Site
fffff88003384808 fffff8000323fc84 nt!KeBugCheckEx
fffff88003384810 fffff800031f9341 nt!PspUnhandledExceptionInSystemThread+0x24
fffff88003384850 fffff80002efed1c nt! ?? ::NNGAKEGL::string'+0x222d
fffff88003384880 fffff80002ef640d nt!_C_specific_handler+0x8c
fffff880033848f0 fffff80002efda90 nt!RtlpExecuteHandlerForException+0xd
fffff88003384920 fffff80002f0a9ef nt!RtlDispatchException+0x410
fffff88003385000 fffff80002ecfd82 nt!KiDispatchException+0x16f
fffff88003385690 fffff80002ece8fa nt!KiExceptionDispatch+0xc2
fffff88003385870 fffff80002eb0524 nt!KiPageFault+0x23a
fffff88003385a00 fffff8800105532e nt!FsRtlLookupPerStreamContextInternal+0x7c
fffff88003385a40 fffff88001057407 fltmgr!FltpGetStreamListCtrl+0x8e
fffff88003385aa0 fffff880010745ef fltmgr!FltpGetFileNameInformation+0x127
fffff88003385b20 fffff880011cc9a3 fltmgr!FltGetFileNameInformationUnsafe+0x7f
fffff88003385b90 fffff880011ce500 fileinfo!FIVolumeAddPagefile+0x14b
fffff88003385c20 fffff88001081f13 fileinfo!FIPagefileQueryWorker+0x64
fffff88003385c70 fffff80002edd961 fltmgr!FltpProcessGenericWorkItem+0x43
fffff88003385cb0 fffff80003174c06 nt!ExpWorkerThread+0x111
fffff88003385d40 fffff80002eaec26 nt!PspSystemThreadStartup+0x5a
fffff88003385d80 00000000`00000000 nt!KxStartSystemThread+0x16

The result of analyze -v shows that it was fileinfo.sys which caused the BSOD.
I analyzed the FltGetFileNameInformationUnsafe function call in the stack, and
found that the fileobject parameter to this function was a file of my file
system. But I don’t know in what condition the FltGetFileNameInformationUnsafe
will raise a page fault exception. What should I check next? Thanks in
advance.

First off, post the full !analyze -v output so people have a better idea as
to what’s going on. You also need to switch to the correct context record
with .cxr (the address of the context record should be in the !analyze -v
output)

> But I don’t know in what condition the FltGetFileNameInformationUnsafe
> will raise a page fault exception.

Routines don’t raise page fault exceptions directly, they are raised by the
processor when an invalid virtual address is dereferenced. Thus, you have an
invalid memory reference so something is probably corrupted or bad. You’re
also skipping a bunch of frames, it’s not FltGetFileInformation that’s
causing the page fault it’s FsRtlGetPerStreamContextInternal:

fffff88003385870 fffff80002eb0524 nt!KiPageFault+0x23a
fffff88003385a00 fffff8800105532e nt!FsRtlLookupPerStreamContextInternal+0x7c
fffff88003385a40 fffff88001057407 fltmgr!FltpGetStreamListCtrl+0x8e
fffff88003385aa0 fffff880010745ef fltmgr!FltpGetFileNameInformation+0x127
fffff88003385b20 fffff880011cc9a3 fltmgr!FltGetFileNameInformationUnsafe+0x7f

You said that this was one of your file objects, are you properly setting up
the advanced FCB header in FsContext?

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

Thanks very much for your reply. The file system driver we maintained is an old driver which already exists about 4 to 5 years ago. We make it running in Win7 now. We’re using FSRTL_COMMON_FCB_HEADER instead of FSRTL_ADVANCED_FCB_HEADER, and the driver was built with W2K3 IFS DDK. We know it must be a problem. But for convenience we did not modify that yet. And it didn’t always BSOD the system in our environment. So I guess this time we must be the “lucky dog”? Maybe it’s time to do the modification now.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Scott Noone
Sent: Friday, November 05, 2010 6:49 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] BSOD by fileinfo.sys


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


Filter manager won’t work without support for FSRTL_ADVANCED_FCB_HEADER. Start with fixing that (should be a fairly easy addition) and then we can go from there…

“…it didn’t always BSOD the system in our environment” -> I sure hope so, if it always bugchecked it wouldn’t be any good, would it? :)

Thanks,
Alex.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Ted Chang
Sent: Friday, November 05, 2010 6:43 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] BSOD by fileinfo.sys

>exists about 4 to 5 years ago. We make it running in Win7 now.

Such an effort will require a major testing suite, so changing the FCB header and moving to a newer WDK is OK before such a testing effort.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
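
Added example (not from the thread and not OSR or Microsoft code): a user-mode C model of the point the replies make, that code handed the file object reads FsContext as an FSRTL_ADVANCED_FCB_HEADER, so an FCB built on the common header exposes driver-private bytes where the FilterContexts list head is expected. The struct types, `legacy_fcb`, `audit_new_fcb` and the `demo_*` helpers are hypothetical stand-ins; only the field names and the two flag constants follow ntifs.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* User-mode model of the ntifs.h headers (real names and flag values, simplified types). */
#define FSRTL_FLAG_ADVANCED_HEADER           0x40  /* bit in Flags  */
#define FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS 0x02  /* bit in Flags2 */
typedef struct list_entry { struct list_entry *Flink, *Blink; } list_entry;
typedef struct {                     /* models FSRTL_COMMON_FCB_HEADER */
    int16_t NodeTypeCode, NodeByteSize;
    uint8_t Flags, IsFastIoPossible, Flags2, ReservedVersion;
    void *Resource, *PagingIoResource;
    int64_t AllocationSize, FileSize, ValidDataLength;
} common_hdr;
/* Leading fields of FSRTL_ADVANCED_FCB_HEADER, then a hypothetical legacy FCB. */
typedef struct { common_hdr Common; void *FastMutex; list_entry FilterContexts; } advanced_hdr;
typedef struct { common_hdr Header; uint64_t private_state[4]; } legacy_fcb;
enum hdr_status { HDR_OK, HDR_NO_CONTEXT_SUPPORT, HDR_STRAY_FLAG2, HDR_BAD_LIST };

/* Audit a freshly created FCB the way code that casts FsContext would read it. */
enum hdr_status audit_new_fcb(const void *fs_context) {
    advanced_hdr h;
    memcpy(&h, fs_context, sizeof h);
    if (!(h.Common.Flags2 & FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS))
        return HDR_NO_CONTEXT_SUPPORT;   /* the list is never consulted */
    if (!(h.Common.Flags & FSRTL_FLAG_ADVANCED_HEADER))
        return HDR_STRAY_FLAG2;          /* the "list" bytes are driver data */
    const list_entry *head = (const list_entry *)
        ((const char *)fs_context + offsetof(advanced_hdr, FilterContexts));
    if (h.FilterContexts.Flink != head || h.FilterContexts.Blink != head)
        return HDR_BAD_LIST;             /* an empty list head points at itself */
    return HDR_OK;
}

/* Constructed sample: legacy FCB on stale memory, Flags2 byte set to flags2. */
enum hdr_status demo_legacy(uint8_t flags2) {
    legacy_fcb f;
    memset(&f, 0xCD, sizeof f);
    f.Header.Flags = 0; f.Header.Flags2 = flags2;
    return audit_new_fcb(&f);
}

/* Constructed sample: advanced header with or without list initialisation. */
enum hdr_status demo_advanced(int init_list) {
    advanced_hdr a = { .Common = { .Flags  = FSRTL_FLAG_ADVANCED_HEADER,
                                   .Flags2 = FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS } };
    if (init_list) a.FilterContexts.Flink = a.FilterContexts.Blink = &a.FilterContexts;
    return audit_new_fcb(&a);
}
```

In a real file system driver the header is initialised with FsRtlSetupAdvancedHeader when the FCB is created, and per-stream contexts are released with FsRtlTeardownPerStreamContexts before the FCB is freed.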