My minifilter provides an interface that allows reading of files using
FltReadFile(). I have been working on a BSOD that is a bugcheck 0x24
out of ntfs.sys and only occurs on Vista (XP+SP2 works fine). I am
invoking FltReadFile() from a generic Filter Manager worker item and the
bugcheck always occurs when a request is sent to my minifilter against
the '$MFT' file that resides in the root directory of a volume and the
initiating thread is owned by svchost.exe (note that using this method
reading other files seems to work fine); info from windbg is below, any
hints on what I may be doing wrong are appreciated... thanks
Parameters sent to FltReadFile() are:
- valid instance and file object pointers
- byte offset is zero (0)
- length is 0x600 (1536)
- buffer is valid, allocated using FltAllocatePoolAlignedWithTag()
- flags is FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET
- pointer supplied for bytes read
- both callback routine and callback context are NULL
============================================================
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001904ab
Arg2: 8753a9f8
Arg3: 8753a6f4
Arg4: 870ff466
Debugging Details:
EXCEPTION_RECORD: 8753a9f8 -- (.exr ffffffff8753a9f8)
ExceptionAddress: 870ff466
(Ntfs!NtfsAcquirePagingResourceShared+0x00000020)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000044
Attempt to read from address 00000044
CONTEXT: 8753a6f4 -- (.cxr ffffffff8753a6f4)
eax=8402cc60 ebx=00000000 ecx=00000000 edx=d37e0035 esi=8402cc60 edi=00000600
eip=870ff466 esp=8753aac0 ebp=8753aac4 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
Ntfs!NtfsAcquirePagingResourceShared+0x20:
870ff466 ff7144 push dword ptr [ecx+0x44] ds:0023:00000044=???
Resetting default scope
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS: 00000044
BUGCHECK_STR: 0x24
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from 870f58ac to 870ff466
STACK_TEXT:
8753aac4 870f58ac 852a1110 8402cc60 870fb001 Ntfs!NtfsAcquirePagingResourceShared+0x20
8753ab88 870f5282 852a1110 851f24c8 87d4b97f Ntfs!NtfsCommonRead+0x568
8753abf8 81867cc9 8402c020 851f24c8 851f24c8 Ntfs!NtfsFsdRead+0x273
8753ac10 8736ca5c 00000000 85267e40 00000000 nt!IofCallDriver+0x63
8753ac34 8736d677 8753ac54 84017d08 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22a
8753ac6c 8736da97 84656e58 84656e58 840b0e78 fltmgr!FltPerformSynchronousIo+0xb9
8753acdc 9605bbbb 84656e58 85229830 96036a48 fltmgr!FltReadFile+0x2ed
8753ad14 87389b70 840b0e78 84656e58 8508f6f8 issfltr!data_transfer_worker+0x7b <=======my minifilter
8753ad44 8186b8aa 00000000 00000000 83087580 fltmgr!FltpProcessGenericWorkItem+0x32
8753ad7c 819afbfd 840b0e78 87531680 00000000 nt!ExpWorkerThread+0xfd
8753adc0 8189a396 8186b7ad 00000001 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
FOLLOWUP_IP:
Ntfs!NtfsAcquirePagingResourceShared+20
870ff466 ff7144 push dword ptr [ecx+0x44]
FAULTING_SOURCE_CODE:
SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: Ntfs!NtfsAcquirePagingResourceShared+20
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4549aceb
STACK_COMMAND: .cxr 0xffffffff8753a6f4 ; kb
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsAcquirePagingResourceShared+20
BUCKET_ID: 0x24_Ntfs!NtfsAcquirePagingResourceShared+20
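The triage the poster is doing by hand on the dump above (find the first frame that belongs to a non-Microsoft module when !analyze blames Ntfs with FOLLOWUP_NAME: MachineOwner, and confirm from the .cxr registers that `[ecx+0x44]` with ecx=0 is a NULL-plus-offset read matching READ_ADDRESS 00000044) can be scripted. The following is an added Python example, not part of the original post or the poster's driver: it parses the wrapped 32-bit STACK_TEXT block (handling the mailing-list line wrapping that pushed symbols onto their own line), the register dump, and resolves the faulting operand. The STACK_TEXT and register text are constructed from the post; the set of "known OS" module names is an assumption for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the STACK_TEXT block from the post above, with the
# line wrapping the mailing list introduced (some symbols on their own line).
SAMPLE_STACK_TEXT = """\
8753aac4 870f58ac 852a1110 8402cc60 870fb001
Ntfs!NtfsAcquirePagingResourceShared+0x20
8753ab88 870f5282 852a1110 851f24c8 87d4b97f Ntfs!NtfsCommonRead+0x568
8753abf8 81867cc9 8402c020 851f24c8 851f24c8 Ntfs!NtfsFsdRead+0x273
8753ac10 8736ca5c 00000000 85267e40 00000000 nt!IofCallDriver+0x63
8753ac34 8736d677 8753ac54 84017d08 00000000
fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22a
8753ac6c 8736da97 84656e58 84656e58 840b0e78
fltmgr!FltPerformSynchronousIo+0xb9
8753acdc 9605bbbb 84656e58 85229830 96036a48 fltmgr!FltReadFile+0x2ed
8753ad14 87389b70 840b0e78 84656e58 8508f6f8
issfltr!data_transfer_worker+0x7b <=======my minifilter
8753ad44 8186b8aa 00000000 00000000 83087580
fltmgr!FltpProcessGenericWorkItem+0x32
8753ad7c 819afbfd 840b0e78 87531680 00000000 nt!ExpWorkerThread+0xfd
8753adc0 8189a396 8186b7ad 00000001 00000000
nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
"""
# Constructed sample input: the register dump from the .cxr context in the post.
SAMPLE_REGISTERS = """\
eax=8402cc60 ebx=00000000 ecx=00000000 edx=d37e0035 esi=8402cc60 edi=00000600
eip=870ff466 esp=8753aac0 ebp=8753aac4 iopl=0 nv up ei pl zr na po nc
"""
# Assumption for this example: modules treated as "not ours" during triage.
MICROSOFT_MODULES = {"nt", "hal", "ntfs", "fltmgr", "fastfat", "ntoskrnl"}

# One 32-bit `kb` frame: ChildEBP RetAddr Args-to-Child x3 [symbol]
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) "
                      r"([0-9a-f]{8})(?:\s+(\S.*))?$")
SYMBOL_RE = re.compile(r"^([A-Za-z0-9_]+)!([A-Za-z0-9_@]+)(?:\+0x([0-9a-f]+))?")

@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    args: tuple
    module: str
    function: str
    offset: int
    annotation: str  # anything after the symbol, e.g. the "<===" marker

def _make_frame(m, symbol_text: str) -> Frame:
    """Build a Frame from a matched address line and its (possibly empty) symbol text."""
    sym = SYMBOL_RE.match(symbol_text)
    return Frame(
        child_ebp=int(m.group(1), 16), ret_addr=int(m.group(2), 16),
        args=(int(m.group(3), 16), int(m.group(4), 16), int(m.group(5), 16)),
        module=sym.group(1) if sym else "",
        function=sym.group(2) if sym else symbol_text,
        offset=int(sym.group(3), 16) if sym and sym.group(3) else 0,
        annotation=symbol_text[sym.end():].strip() if sym else "")

def parse_stack_text(text: str) -> list:
    """Parse a 32-bit STACK_TEXT block, re-joining symbols wrapped onto the next line."""
    frames, pending = [], None  # pending: address line still waiting for its symbol
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FRAME_RE.match(line)
        if m:
            if pending is not None:  # previous frame never got a symbol
                frames.append(_make_frame(pending, ""))
            if m.group(6):           # symbol on the same line
                frames.append(_make_frame(m, m.group(6)))
                pending = None
            else:                    # symbol was wrapped to the next line
                pending = m
        elif pending is not None:
            frames.append(_make_frame(pending, line))
            pending = None
    if pending is not None:
        frames.append(_make_frame(pending, ""))
    return frames

def first_third_party_frame(frames: list, known: set = MICROSOFT_MODULES):
    """Walk outward from the faulting frame and return the first frame owned by a
    module not in `known`: the usual first suspect when !analyze blames an OS module."""
    for f in frames:
        if f.module and f.module.lower() not in known:
            return f
    return None

def parse_registers(text: str) -> dict:
    """Extract reg=value pairs from a WinDbg register dump."""
    return {name: int(val, 16)
            for name, val in re.findall(r"\b([a-z]{2,3})=([0-9a-f]{4,8})\b", text)}

def effective_address(regs: dict, operand: str) -> int:
    """Resolve a simple [reg+0xNN] memory operand against a register dump."""
    m = re.fullmatch(r"\[([a-z]+)(?:\+0x([0-9a-f]+))?\]", operand)
    if not m:
        raise ValueError(f"unsupported operand: {operand}")
    return (regs[m.group(1)] + (int(m.group(2), 16) if m.group(2) else 0)) & 0xFFFFFFFF

def looks_like_null_deref(address: int) -> bool:
    """Heuristic: a fault address in the first 64 KB is almost always a NULL base
    pointer plus a structure field offset rather than a wild pointer."""
    return address < 0x10000

if __name__ == "__main__":
    frames = parse_stack_text(SAMPLE_STACK_TEXT)
    s = first_third_party_frame(frames)
    addr = effective_address(parse_registers(SAMPLE_REGISTERS), "[ecx+0x44]")
    print(f"{len(frames)} frames; first third-party frame: {s.module}!{s.function}+0x{s.offset:x}")
    print(f"[ecx+0x44] -> 0x{addr:08x}; NULL-plus-offset read: {looks_like_null_deref(addr)}")
```

Run on the dump above it reports 12 frames, names issfltr!data_transfer_worker+0x7b as the first non-OS frame (the caller of FltReadFile), and resolves the faulting operand to 0x00000044, i.e. NTFS dereferenced a NULL structure pointer at field offset 0x44 while acquiring the paging resource for the read. That narrows the question to what the file object or instance handed to FltReadFile looked like for this particular $MFT request, which is exactly the state worth capturing (with `!fileobj` on the first argument to NtfsFsdRead, for instance) before the next repro.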