BSOD from FltEnumerateVolumes

NTFSD Folk:

I have a client that has a laptop running WinXP Home and got a crash in
FltEnumerateVolumes() called from my mini-filter. It was at boot time. My
mini-filter driver is set to auto-start.

It’s been working for months – this is the first time it crashed.

The code calling FltEnumerateVolumes() is straightforward:

PFLT_VOLUME aVolumeList[256];

status = FltEnumerateVolumes( FKFilter, aVolumeList,
                              RTL_NUMBER_OF(aVolumeList), &iNumVolumes );

Here’s a clip from the analyze -v:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx”
referenced memory at “0x%08lx”. The memory could not be “%s”.

FAULTING_IP:
fltmgr!FltEnumerateVolumes+14
f919abd4 8b7014 mov esi,[eax+0x14]

TRAP_FRAME: ef5a320c - (.trap ffffffffef5a320c)
ErrCode = 00000000
eax=00000000 ebx=00004000 ecx=ef5a374c edx=0000002e esi=f0696520 edi=00000000
eip=f919abd4 esp=ef5a3280 ebp=ef5a3290 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
fltmgr!FltEnumerateVolumes+0x14:
f919abd4 8b7014 mov esi,[eax+0x14] ds:0023:00000014=???
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from f0691242 to f919abd4

STACK_TEXT:
ef5a3290 f0691242 00000000 ef5a32b4 00000100 fltmgr!FltEnumerateVolumes+0x14
ef5a3968 f069d46a f069cbe0 ffba2008 ffb6dbc0 fkdriver!FKFindRepository+0xa4 [c:\winddk\3790.1830\src\filesys\minifilter\fkdriver\fklib.c @ 611]
ef5a398c f918e944 ffb6dc1c ef5a39ac ef5a39dc fkdriver!FKDriverPreCreate+0x114 [c:\winddk\3790.1830\src\filesys\minifilter\fkdriver\fkdriver.c @ 1616]
ef5a39ec f9190352 005a3a30 ffb6dbc0 00000000 fltmgr!FltpPerformPreCallbacks+0x2d4
ef5a3a00 f919cccb ef5a3a30 f919b094 00000000 fltmgr!FltpPassThroughInternal+0x32
ef5a3a18 f919d142 ef5a3a30 fce1a018 81ad25b0 fltmgr!FltpCreateInternal+0x63
ef5a3a4c 804e37f7 ffad63e0 fce1a1bc fce1a008 fltmgr!FltpCreate+0x1d2
WARNING: Stack unwind information not available. Following frames may be wrong.
ef5a3b3c 8056316c 81b56868 00000000 fd10a9a0 nt!IofCallDriver+0x32
ef5a3bc4 8056729a 00000000 ef5a3c04 00000040 nt!RtlEqualUnicodeString+0x4cf
ef5a3c18 80570b73 00000000 00000000 5a3d3001 nt!ObOpenObjectByName+0xdb
ef5a3c94 80570c42 028efac0 40100080 028efa60 nt!FsRtlCurrentBatchOplock+0x212
ef5a3cf0 80570d78 028efac0 40100080 028efa60 nt!IoCreateFile+0x4f
ef5a3d30 804de7ec 028efac0 40100080 028efa60 nt!NtCreateFile+0x30
ef5a3d64 7c90eb94 badb0d00 028efa28 efdb1d98 nt!ZwYieldExecution+0xb78
028efab8 00000000 00000000 00000000 00000000 0x7c90eb94

Any thoughts?

Ken

Looking at the stack and the assembly, it looks like you passed a null
pointer in to the first parameter of FltEnumerateVolumes:

                  |- That should be a valid pointer to a PFLT_FILTER
ef5a3290 f0691242 00000000 ef5a32b4 00000100 fltmgr!FltEnumerateVolumes+0x14
ef5a3968 f069d46a f069cbe0 ffba2008 ffb6dbc0 fkdriver!FKFindRepository+0xa4

…and just as further confirmation, that assembly instruction is trying
to get the Frame that the current filter is in, which is exactly 20
bytes away from the start of a PFLT_FILTER structure (looks like this is
an x86 system) but EAX is null.

eax=00000000 ebx=00004000 ecx=ef5a374c edx=0000002e esi=f0696520 edi=00000000

fltmgr!FltEnumerateVolumes+0x14:
f919abd4 8b7014 mov esi,[eax+0x14]

If you can get a dump, I would look to see why FKFilter is null. Also, I
noticed that you are doing this operation in PreCreate… I would check
the FLT_RELATED_OBJECTS structure (FltObjects) to see what its Filter
member is. If it is also null, please send me a dump and I’ll be happy
to take a look at it; if FLT_RELATED_OBJECTS->Filter is not null, it is
very possibly some weird condition in your driver.

Thanks!
Apurva Doshi

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ken Cross
Sent: Tuesday, August 16, 2005 2:01 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] BSOD from FltEnumerateVolumes

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Yep, that’s a very big clue. Now that I look at it, there’s a potential
race condition when the driver is being torn down. (That may have happened on
this particular boot.)

The FKFilter location gets cleared (by my code) in an Unload handler. It
could have occurred between the start of the pre-create callback and the
point where FltEnumerateVolumes() is called. Yuck.

I’ll need to synchronize things better.

Thanks very much!

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Apurva Doshi
Sent: Tuesday, August 16, 2005 7:03 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] BSOD from FltEnumerateVolumes

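Ken's diagnosis (the Unload handler clearing FKFilter while a pre-create callback is between entry and its FltEnumerateVolumes call) and Apurva's suggestion to prefer FltObjects->Filter, shown as an added user-mode C model that is not code from the thread or from either driver: the racy callback sits beside a fixed one that uses the per-operation Filter and holds a rundown reference, modelled on ExAcquireRundownProtection / ExWaitForRundownProtectionRelease, so Unload waits for in-flight callbacks before clearing the global. The FLT_FILTER / RELATED_OBJECTS types, the STATUS values, and the demo fixtures are constructed stand-ins, not the real kernel definitions.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for the opaque PFLT_FILTER and FLT_RELATED_OBJECTS. */
typedef struct { unsigned volume_count; } FLT_FILTER, *PFLT_FILTER;
typedef struct { PFLT_FILTER Filter; } RELATED_OBJECTS;
typedef enum { ST_OK, ST_UNLOADING, ST_NULL_FILTER } STATUS;  /* model status codes */

static PFLT_FILTER g_Filter;   /* the global FKFilter that the Unload handler clears */
/* Rundown word: bit 0 = unload has begun, the rest counts 2 per in-flight callback. */
static atomic_uint g_rundown;
static void driver_entry(PFLT_FILTER f) { g_Filter = f; atomic_store(&g_rundown, 0u); }

/* Modelled on ExAcquireRundownProtection: takes a reference unless unload has begun. */
static bool acquire_rundown(void) {
    unsigned v = atomic_load(&g_rundown);
    while (!(v & 1u))
        if (atomic_compare_exchange_weak(&g_rundown, &v, v + 2u)) return true;
    return false;
}
static void release_rundown(void) { atomic_fetch_sub(&g_rundown, 2u); }
/* Stand-in for FltEnumerateVolumes: a NULL Filter is the bugcheck 0x8E from the thread. */
static STATUS enumerate_volumes(PFLT_FILTER f, unsigned *count) {
    if (f == NULL) return ST_NULL_FILTER;
    *count = f->volume_count;
    return ST_OK;
}

/* The pattern from the thread: nothing stops Unload clearing g_Filter mid-callback. */
static STATUS pre_create_racy(unsigned *count) { return enumerate_volumes(g_Filter, count); }
/* Fixed: prefer FltObjects->Filter and hold a rundown reference around the call. */
static STATUS pre_create_fixed(const RELATED_OBJECTS *objs, unsigned *count) {
    if (!acquire_rundown()) return ST_UNLOADING;   /* unload in progress: leave g_Filter alone */
    STATUS st = enumerate_volumes(objs->Filter ? objs->Filter : g_Filter, count);
    release_rundown();
    return st;
}
/* Unload, split so the ordering can be observed: first refuse new callbacks ... */
static void unload_begin(void) { atomic_fetch_or(&g_rundown, 1u); }
/* ... then wait until every in-flight callback has left before clearing the global
 * (a real driver blocks in ExWaitForRundownProtectionRelease instead of spinning). */
static void unload_finish(void) {
    while (atomic_load(&g_rundown) != 1u) { }
    g_Filter = NULL;
}

/* Constructed demo fixtures: one filter with three volumes, with and without FltObjects. */
static FLT_FILTER demo_filter = { 3 };
static RELATED_OBJECTS demo_no_objs = { NULL }, demo_with_objs = { &demo_filter };
static unsigned demo_count;
```

The interesting sequence is acquire, unload_begin, release, unload_finish: the global survives until the in-flight callback has left, and a callback arriving after unload_begin gets ST_UNLOADING instead of a NULL dereference.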