BSOD when MmProbeAndLockPages( )

Hi,

In the IRP_MJ_READ handler of a FS filter driver, I take the following steps to lock Irp->UserBuffer. But sometimes I get a BSOD when calling MmProbeAndLockPages( ). The error message is “Error=50(PAGE_FAULT_IN_NOPAGED_AREA) P1= EAE3B000 P2=0 P3=0 P4=2”.
Any idea how to get rid of this bug? Thanks very much. OS is NT4 SP6a.

ReadBufferMdl = NULL;
if (currentIrpStack->Parameters.Read.ByteOffset.u.LowPart == 0)
{
    /* Only build an MDL when a user buffer is present and the lower FS
       does neither buffered nor direct I/O */
    if ((Irp->UserBuffer)
        && ((hookExt->FileSystem->Flags & DO_BUFFERED_IO) == 0)
        && ((hookExt->FileSystem->Flags & DO_DIRECT_IO) == 0))
    {
        ReadBufferMdl = IoAllocateMdl(Irp->UserBuffer,
                                      currentIrpStack->Parameters.Read.Length,
                                      FALSE, FALSE, NULL);
    }
    if (ReadBufferMdl)
    {
        __try
        {
            /* Access mode is hard-coded to KernelMode here */
            MmProbeAndLockPages(ReadBufferMdl, KernelMode, IoModifyAccess);
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            IoFreeMdl(ReadBufferMdl);
            ReadBufferMdl = NULL;
        }
    }
}
*nextIrpStack = *currentIrpStack;
IoSetCompletionRoutine( Irp, SpecialReadCompletionRoutine, (PVOID)ReadBufferMdl, TRUE, TRUE, TRUE );
return IoCallDriver( hookExt->FileSystem, Irp );

PassThrough:

*nextIrpStack = *currentIrpStack;
IoSetCompletionRoutine( Irp, NormalReadCompletionRoutine, NULL, TRUE, TRUE, TRUE );
return IoCallDriver( hookExt->FileSystem, Irp );

Are these paging IO operations? That is, is the IRP_PAGING_IO bit set in
Irp->Flags? If so, the user buffer address isn’t valid anyway. In that
case just use the MDL that is already attached.

There are some OTHER cases that would lead to this as well:
IRP_MJ_READ/IRP_MN_MDL would do the same thing (e.g., TransmitFile as
implemented in some implementations of AFD.)

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http://www.osr.com

-----Original Message-----
From: zhangbo [mailto:xxxxx@gmx.net]
Sent: Thursday, November 25, 2004 7:51 AM
To: File Systems Developers
Subject: [ntfsd] BSOD when MmProbeAndLockPages( )


The system is bugchecking because you are trying to lock a system address. EAE3B000 falls in the kernel mode address space. The AccessMode parameter to MmProbeAndLockPages should not be hard-coded to KernelMode. In your particular case it should be Irp->RequestorMode so that MmProbeAndLockPages can validate the address and raise a STATUS_ACCESS_VIOLATION if this is not a valid user mode address. Setting the AccessMode to KernelMode bypasses that validation. In addition you need to make sure that an MDL is not already present in the Irp.

Thanks
Ravinder Thind


-----Original Message-----
From: zhangbo [mailto:xxxxx@gmx.net]
Sent: Thursday, November 25, 2004 4:51 AM
To: File Systems Developers
Subject: [ntfsd] BSOD when MmProbeAndLockPages( )


> The system is bugchecking because you are trying to lock a system
> address. EAE3B000 falls in the kernel mode address space. The AccessMode
> parameter to MmProbeAndLockPages should not be hard-coded to KernelMode.

Usually, Irp->RequestorMode is passed there.

Max
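The three checks raised in this thread (Tony: paging I/O means the user buffer is not usable and the attached MDL should be used instead; Ravinder: pass Irp->RequestorMode rather than a hard-coded KernelMode, and do not allocate when an MDL is already present) are easy to get wrong in the order they are applied. The following is an added, compilable user-mode model of that decision logic, not driver code from the original poster, from OSR or from Microsoft. The IRP and device structures, the flag values, the status codes and the user/kernel boundary (assumed here to be the 32-bit x86 2 GB split) are constructed stand-ins, and the probe models only the access-mode validation, not page presence, so it shows why a kernel address such as the bugcheck's EAE3B000 is rejected with UserMode but slips through with KernelMode.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed flag bits for the model; the real definitions live in the DDK headers. */
#define MODEL_IRP_PAGING_IO   0x00000002u
#define MODEL_DO_BUFFERED_IO  0x00000004u
#define MODEL_DO_DIRECT_IO    0x00000010u

/* Assumption: 32-bit x86 with the default 2 GB user / 2 GB kernel split. */
#define MODEL_USER_PROBE_ADDRESS      0x7FFF0000u
#define MODEL_STATUS_SUCCESS          0x00000000u
#define MODEL_STATUS_ACCESS_VIOLATION 0xC0000005u

enum { ModelUserMode = 0, ModelKernelMode = 1 };

/* Only the IRP fields the decision needs (constructed stand-in for the real IRP). */
typedef struct {
    uint32_t  Flags;          /* e.g. MODEL_IRP_PAGING_IO */
    void     *MdlAddress;     /* non-NULL when an MDL is already attached */
    uintptr_t UserBuffer;     /* caller-supplied address, kept as an integer */
    int       RequestorMode;  /* ModelUserMode or ModelKernelMode */
    uint32_t  ReadLength;
} MODEL_IRP;

typedef enum {
    LOCK_USE_EXISTING_MDL,  /* paging I/O or MdlAddress set: UserBuffer is not usable */
    LOCK_PASS_THROUGH,      /* no user buffer, or the FS does buffered/direct I/O */
    LOCK_REJECTED,          /* probe raised STATUS_ACCESS_VIOLATION; the __except path */
    LOCK_OK                 /* probe passed, the lock proceeds */
} LOCK_DECISION;

/*
 * Model of the address check inside MmProbeAndLockPages. With UserMode every
 * byte of the range must lie below the user/kernel boundary; with KernelMode
 * the address is trusted unchecked, which is why a kernel address in
 * UserBuffer ends in a bugcheck instead of a catchable exception.
 */
uint32_t ModelProbeRange(uintptr_t base, uint32_t length, int accessMode)
{
    if (accessMode == ModelKernelMode || length == 0)
        return MODEL_STATUS_SUCCESS;
    if (base >= MODEL_USER_PROBE_ADDRESS)
        return MODEL_STATUS_ACCESS_VIOLATION;
    /* overflow-safe end-of-range check */
    if (length > MODEL_USER_PROBE_ADDRESS - base)
        return MODEL_STATUS_ACCESS_VIOLATION;
    return MODEL_STATUS_SUCCESS;
}

/* The hardened decision: the checks from the thread, applied in order. */
LOCK_DECISION DecideReadBufferLock(const MODEL_IRP *irp, uint32_t fsDeviceFlags, int accessMode)
{
    if ((irp->Flags & MODEL_IRP_PAGING_IO) || irp->MdlAddress != NULL)
        return LOCK_USE_EXISTING_MDL;
    if (irp->UserBuffer == 0
        || (fsDeviceFlags & MODEL_DO_BUFFERED_IO)
        || (fsDeviceFlags & MODEL_DO_DIRECT_IO))
        return LOCK_PASS_THROUGH;
    if (ModelProbeRange(irp->UserBuffer, irp->ReadLength, accessMode) != MODEL_STATUS_SUCCESS)
        return LOCK_REJECTED;
    return LOCK_OK;
}

/*
 * Replays the thread's case: the faulting address from the bugcheck, in a
 * non-paging read from a user-mode requestor with no MDL attached. With
 * useRequestorMode == 0 the filter hard-codes KernelMode as in the post.
 */
LOCK_DECISION ReplayThreadCase(int useRequestorMode)
{
    MODEL_IRP irp = { 0, NULL, (uintptr_t)0xEAE3B000u, ModelUserMode, 0x1000 };
    int accessMode = useRequestorMode ? irp.RequestorMode : ModelKernelMode;
    return DecideReadBufferLock(&irp, 0, accessMode);
}

int main(void)
{
    printf("KernelMode hard-coded : %s\n",
           ReplayThreadCase(0) == LOCK_OK ? "lock attempted (bugcheck on the real system)" : "rejected");
    printf("Irp->RequestorMode    : %s\n",
           ReplayThreadCase(1) == LOCK_REJECTED ? "access violation raised and caught" : "lock attempted");
    return 0;
}
```

In a real filter the same ordering applies: test IRP_PAGING_IO and Irp->MdlAddress before touching Irp->UserBuffer, and pass Irp->RequestorMode so the __try/__except around MmProbeAndLockPages actually has something to catch.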