I’m developing a driver based on minifilter.
My filter works well on NTFS, but it will lead to BSOD on FAT. After debugging, I found the problem occured when I want to send an IRP(IRP_READ_OPERATION | IRP_NOCACHE) to read the content of file in the post routine of Create(STATUS: FILE_OPENED).
The faulting code is fastfat!FatSingleSyncCompletionRoutine+0x27, besides, according to my observation, the Flags of FILE_OBJECT was 0x42(FO_SYNCHRONOUS_IO|FO_CACHE_SUPPORTED).
I’m confused why this bug occured, can anyone help me? Any help will be appreciated!
>I’m confused why this bug occured, can anyone help me? Any help will be
appreciated!
We’ll need more that. I have issued IO in post create (subject to some
significant constraints), so I’d say that the Idea is good.
How about a !analyze -v or an abstract of the code. Meantime if you want a
swag
- Beware state STATUS_REPARSE is a SUCCESS status (unlikely from FAT, mind)
- Beware of the other success statuses, particularly those involved with
oplocks.
Meanwhile, what is stopping you stepping through FAT in the debugger? That
should point things out pretty quickly.
Observation:
IRP_NOCACHE
This is very good practice in the face of stack based file objects. Might
be not such a good plan if a lot of data has been cached for the file
Thanks rod!
With your advice, I debug fastfat.sys and find out what was happen.
The bug turns out to be a simple point: I forget to set Irp->UserBuffer when I use MDL to describe a buffer.
Now my filter works well, thanks for your help!