Crash during read in PostCreate

Hi,

Once in a while I am getting a bugcheck (access violation, NTFS bugcheck) with the following stack:

Ntfs!NtfsAcquirePagingResourceExclusive+0x20
Ntfs!NtfsReadCacheCoherencyFlush+0x16
Ntfs!NtfsCommonRead+0x447
Ntfs!NtfsFsdRead+0x273
nt!IofCallDriver+0x63
fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x251
fltmgr!FltPerformSynchronousIo+0xb9
fltmgr!FltReadFile+0x2ed
cpdrm!UtSyncReadFile+0x9f
cpdrm!DrmpSyncReadNextBlock+0x65
cpdrm!DrmcIsProtectedFile+0x4b
cpdrm!DrmPostCreate+0x1d7
fltmgr!FltpPerformPostCallbacks+0x1f1
fltmgr!FltpProcessIoCompletion+0x10
fltmgr!FltpPassThroughCompletion+0x94
fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2e1
fltmgr!FltpCreate+0x2a1
nt!IofCallDriver+0x63
nt!IopParseDevice+0xf61
nt!ObpLookupObjectName+0x5a8
nt!ObOpenObjectByName+0x13c
nt!IopCreateFile+0x63b
nt!NtCreateFile+0x34
nt!KiFastCallEntry+0x12a
ntdll!KiFastSystemCallRet
ntdll!ZwCreateFile+0xc
kernel32!CreateFileW+0x379
emdmgmt!EcbFileExtentsGetRetrievalPointers+0x25
emdmgmt!EcbFileExtentsGetFileLocationInfo+0x13a
emdmgmt!EcbFileExtentsLogicalToPhysicalOrdered+0xe6
emdmgmt!EcbFileExtentsLoadFxHistory+0x59
emdmgmt!EcbTraceGetBootHistories+0xe7
emdmgmt!EcbBootFilesProcess+0xe0
emdmgmt!EcSvcBootFilesProcess+0xa9
emdmgmt!EcSvcWorkThread+0x76
kernel32!BaseThreadInitThunk+0xe
ntdll!__RtlUserThreadStart+0x23
ntdll!_RtlUserThreadStart+0x1b

The file in question is $MFT. In general, I’m sure I am doing something wrong, though I would not expect what I am doing to cause an access violation (maybe a deadlock).

Is there special care needed around the “$” files? Does this look familiar to anyone?

I would be happy to ignore “$” files but from looking at the create parameters I’m not sure what I can do to realize these files are special other than special casing the name.

Any hints?

Thanks,
Matt

Can you do !analyze and “kf” [ENTER] inside windbg and post the output?

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001904aa
Arg2: 98ef259c
Arg3: 98ef2298
Arg4: 82a25ee5

Debugging Details:

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

EXCEPTION_RECORD: 98ef259c -- (.exr 0xffffffff98ef259c)
ExceptionAddress: 82a25ee5 (Ntfs!NtfsAcquirePagingResourceExclusive+0x00000020)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000044
Attempt to read from address 00000044

CONTEXT: 98ef2298 -- (.cxr 0xffffffff98ef2298)
eax=862c8d08 ebx=87660688 ecx=00000000 edx=05ab0004 esi=862c8d08 edi=00001000
eip=82a25ee5 esp=98ef2664 ebp=98ef2668 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
Ntfs!NtfsAcquirePagingResourceExclusive+0x20:
82a25ee5 ff7144 push dword ptr [ecx+44h] ds:0023:00000044=????????
Resetting default scope

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 2

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000044

READ_ADDRESS: 00000044

FOLLOWUP_IP:
Ntfs!NtfsAcquirePagingResourceExclusive+20
82a25ee5 ff7144 push dword ptr [ecx+44h]

FAULTING_IP:
Ntfs!NtfsAcquirePagingResourceExclusive+20
82a25ee5 ff7144 push dword ptr [ecx+44h]

BUGCHECK_STR: 0x24

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from 82a15ace to 82a25ee5

STACK_TEXT:
98ef2668 82a15ace 87660688 862c8d08 00000001 Ntfs!NtfsAcquirePagingResourceExclusive+0x20
98ef2684 82a23c8f 87660688 875dd340 862c8d08 Ntfs!NtfsReadCacheCoherencyFlush+0x16
98ef2750 82a23787 87660688 875dd340 1a4b9c9f Ntfs!NtfsCommonRead+0x447
98ef27c0 81cd2fd3 862e5020 875dd340 875dd340 Ntfs!NtfsFsdRead+0x273
98ef27d8 807a3ba7 00000000 876e0a28 00000000 nt!IofCallDriver+0x63
98ef27fc 807a47c7 98ef281c 862c1e60 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x251
98ef2834 807a4be7 87b82008 87851640 87851588 fltmgr!FltPerformSynchronousIo+0xb9
98ef28a4 97ff8a4f 87b82008 879b0d00 98ef28d8 fltmgr!FltReadFile+0x2ed
98ef28e0 97ff8fa5 98ef29b8 00001000 98ef292c cpdrm!UtSyncReadFile+0x9f [d:\pikewerks\cp-drm\client\windows\filter\utility.c @ 151]
98ef290c 97ff8cdb 98ef2964 98ef292c 98ef2934 cpdrm!DrmpSyncReadNextBlock+0x65 [d:\pikewerks\cp-drm\client\windows\filter\platform.c @ 101]
98ef293c 97ff842a 98ef2964 98ef2978 00000000 cpdrm!DrmcIsProtectedFile+0x4b [d:\pikewerks\cp-drm\client\common\filter\parse.c @ 454]
98ef2994 807a00f3 878515e8 98ef29b8 00000000 cpdrm!DrmPostCreate+0x1da [d:\pikewerks\cp-drm\client\windows\filter\driver.c @ 524]
98ef29f8 807a3090 00851588 00000000 87851588 fltmgr!FltpPerformPostCallbacks+0x1f1
98ef2a0c 807a35c6 87851588 878e0b70 98ef2a4c fltmgr!FltpProcessIoCompletion+0x10
98ef2a1c 807a3c37 862c1e60 878e0b70 87851588 fltmgr!FltpPassThroughCompletion+0x94
98ef2a4c 807b6643 98ef2a6c 00000000 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2e1
98ef2a98 81cd2fd3 862c1e60 8629fa48 879b0d5c fltmgr!FltpCreate+0x2a1
98ef2ab0 81e37d11 6b2d9610 872c0564 85f41be8 nt!IofCallDriver+0x63
98ef2b80 81e5d3ff 85f41c00 00000000 872c04c0 nt!IopParseDevice+0xf61
98ef2c10 81e350f6 00000000 98ef2c68 00000040 nt!ObpLookupObjectName+0x5a8
98ef2c70 81e36bf3 01a9edbc 00000000 862c0101 nt!ObOpenObjectByName+0x13c
98ef2ce4 81e3dfea 01a9ee20 00100080 01a9edbc nt!IopCreateFile+0x63b
98ef2d30 81c6ea1a 01a9ee20 00100080 01a9edbc nt!NtCreateFile+0x34
98ef2d30 76f09a94 01a9ee20 00100080 01a9edbc nt!KiFastCallEntry+0x12a
01a9ed78 76f08014 75bece0b 01a9ee20 00100080 ntdll!KiFastSystemCallRet
01a9ed7c 75bece0b 01a9ee20 00100080 01a9edbc ntdll!ZwCreateFile+0xc
01a9ee18 70c03556 01a9ee90 00000000 00000001 kernel32!CreateFileW+0x379
01a9ee6c 70c0370a 01a9ee90 01a9ee8c 00000000 emdmgmt!EcbFileExtentsGetRetrievalPointers+0x25
01a9f2e8 70c03fad 70c42af8 00cce820 01a9f30c emdmgmt!EcbFileExtentsGetFileLocationInfo+0x13a
01a9f43c 70c04388 00000000 70c42af8 70c42b48 emdmgmt!EcbFileExtentsLogicalToPhysicalOrdered+0xe6
01a9f454 70c044b0 70c42b2c 0199d050 70c344e8 emdmgmt!EcbFileExtentsLoadFxHistory+0x59
01a9f8e8 70c0246d 01a9f908 0199d050 75bc0236 emdmgmt!EcbTraceGetBootHistories+0xe7
01a9ff28 70c02c8b 000003d4 00000000 00000000 emdmgmt!EcbBootFilesProcess+0xe0
01a9ff7c 70c0a4e7 000003d4 75be4911 00000000 emdmgmt!EcSvcBootFilesProcess+0xa9
01a9ff84 75be4911 00000000 01a9ffd0 76eee4b6 emdmgmt!EcSvcWorkThread+0x76
01a9ff90 76eee4b6 00000000 775e8d7e 00000000 kernel32!BaseThreadInitThunk+0xe
01a9ffd0 76eee489 70c01481 00000000 00000000 ntdll!__RtlUserThreadStart+0x23
01a9ffe8 00000000 70c01481 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Ntfs!NtfsAcquirePagingResourceExclusive+20

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME: Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 47918a96

STACK_COMMAND: .cxr 0xffffffff98ef2298 ; kb

FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsAcquirePagingResourceExclusive+20

BUCKET_ID: 0x24_Ntfs!NtfsAcquirePagingResourceExclusive+20

Followup: MachineOwner

0: kd> kf
Memory ChildEBP RetAddr
98ef1c2c 81ce4257 nt!RtlpBreakWithStatusInstruction
50 98ef1c7c 81ce4d3d nt!KiBugCheckDebugBreak+0x1c
3cc 98ef2048 81ce40e3 nt!KeBugCheck2+0x66d
24 98ef206c 82a28316 nt!KeBugCheckEx+0x1e
28 98ef2094 82a237a1 Ntfs!NtfsExceptionFilter+0xad
c 98ef20a0 82a1cf54 Ntfs!NtfsFsdRead+0x288
14 98ef20b4 82a270ba Ntfs!_EH4_CallFilterFunc+0x12
28 98ef20dc 81cccae2 Ntfs!_except_handler4+0x8e
24 98ef2100 81cccab4 nt!ExecuteHandler2+0x26
bc 98ef21bc 81c4d557 nt!ExecuteHandler+0x24
3c4 98ef2580 81c6f5da nt!KiDispatchException+0x170
68 98ef25e8 81c6f58e nt!CommonDispatchException+0x4a
1c 98ef2604 81fd75b0 nt!Kei386EoiHelper+0x186
64 98ef2668 82a15ace hal!KfLowerIrql+0x64
1c 98ef2684 82a23c8f Ntfs!NtfsReadCacheCoherencyFlush+0x16
cc 98ef2750 82a23787 Ntfs!NtfsCommonRead+0x447
70 98ef27c0 81cd2fd3 Ntfs!NtfsFsdRead+0x273
18 98ef27d8 807a3ba7 nt!IofCallDriver+0x63
24 98ef27fc 807a47c7 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x251
38 98ef2834 807a4be7 fltmgr!FltPerformSynchronousIo+0xb9

0: kd> !fileobj 0x879b0d00

$MFT

Device Object: 0x85f41c00 \Driver\volmgr
Vpb: 0x85f41080

Flags: 0x42
Synchronous IO
Cache Supported

FsContext: 0x862c8d08 FsContext2: 0x8783b9f8
CurrentByteOffset: 0
Cache Data:
Section Object Pointers: 862c8b94
Shared Cache Map: 862f3530 File Offset: 0
Vacb: 844f8df0
Your data is at: 95c00000

xxxxx@yahoo.com wrote:

Hi,

Once in a while I am getting a bugcheck (access violation, NTFS bugcheck) with the following stack:

Ntfs!NtfsAcquirePagingResourceExclusive+0x20
Ntfs!NtfsReadCacheCoherencyFlush+0x16
Ntfs!NtfsCommonRead+0x447
Ntfs!NtfsFsdRead+0x273
nt!IofCallDriver+0x63
fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x251
fltmgr!FltPerformSynchronousIo+0xb9
fltmgr!FltReadFile+0x2ed
cpdrm!UtSyncReadFile+0x9f
cpdrm!DrmpSyncReadNextBlock+0x65
cpdrm!DrmcIsProtectedFile+0x4b
cpdrm!DrmPostCreate+0x1d7
fltmgr!FltpPerformPostCallbacks+0x1f1
fltmgr!FltpProcessIoCompletion+0x10
fltmgr!FltpPassThroughCompletion+0x94
fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2e1
fltmgr!FltpCreate+0x2a1
nt!IofCallDriver+0x63
nt!IopParseDevice+0xf61
nt!ObpLookupObjectName+0x5a8
nt!ObOpenObjectByName+0x13c
nt!IopCreateFile+0x63b
nt!NtCreateFile+0x34
nt!KiFastCallEntry+0x12a
ntdll!KiFastSystemCallRet
ntdll!ZwCreateFile+0xc
kernel32!CreateFileW+0x379
emdmgmt!EcbFileExtentsGetRetrievalPointers+0x25
emdmgmt!EcbFileExtentsGetFileLocationInfo+0x13a
emdmgmt!EcbFileExtentsLogicalToPhysicalOrdered+0xe6
emdmgmt!EcbFileExtentsLoadFxHistory+0x59
emdmgmt!EcbTraceGetBootHistories+0xe7
emdmgmt!EcbBootFilesProcess+0xe0
emdmgmt!EcSvcBootFilesProcess+0xa9
emdmgmt!EcSvcWorkThread+0x76
kernel32!BaseThreadInitThunk+0xe
ntdll!__RtlUserThreadStart+0x23
ntdll!_RtlUserThreadStart+0x1b

This is a bug in cpdrm.

$Mft is an internal NTFS system file. It is managed directly by NTFS.

This crash is being caused because the above filter is attempting to
perform noncached IO on this object directly. This is not supported.
$Mft is maintained by NTFS and only paging IO is expected.

Typically filters detect these files by FileId and path
(FileInternalInformation). Files < 16 by ID or beginning with
“$Extend” are NTFS system files. Which ones you choose to special case
depends somewhat on your application. Note that these objects can be
opened, restrictively, from usermode; depending on your application you
may wish to handle them specially or not at all.

  • M


This posting is provided “AS IS” with no warranties, and confers no rights
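The FileId-plus-path check described in the reply above, as an added example that is not the poster's driver (cpdrm) and not code from the reply. It is portable C that builds in user mode so the classification logic can be exercised on its own; in a minifilter the two inputs would come from FltQueryInformationFile with FileInternalInformation (the 64-bit IndexNumber) and from FltGetFileNameInformation (the volume-relative name) in the post-create callback, after checking that the create succeeded. The function names, the sample file references and the sample paths are constructed for illustration. One detail the reply does not spell out and which the example exists to show: the NTFS file reference packs a 16-bit sequence number above the 48-bit MFT record number, so comparing the raw IndexNumber against 16 misses $MFT itself.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/*
 * NTFS identifies a file by a 64-bit file reference: the low 48 bits are the
 * MFT record number, the high 16 bits are a sequence number that NTFS bumps
 * each time the record is reused. FILE_INTERNAL_INFORMATION.IndexNumber (what
 * FltQueryInformationFile(..., FileInternalInformation) returns in a
 * post-create callback) carries the full reference, so the sequence number
 * must be masked off before comparing against the reserved record range.
 */
#define NTFS_MFT_RECORD_MASK  0x0000FFFFFFFFFFFFULL
#define NTFS_RESERVED_RECORDS 16ULL /* records 0..15: $MFT, $MFTMirr, $LogFile, ... */

uint64_t NtfsRecordNumber(uint64_t fileReference)
{
    return fileReference & NTFS_MFT_RECORD_MASK;
}

/* The pitfall: comparing the raw reference against 16 ignores the sequence
 * number, so $MFT (record 0, sequence 1 => 0x0001000000000000) is missed. */
int NaiveIsReserved(uint64_t fileReference)
{
    return fileReference < NTFS_RESERVED_RECORDS;
}

/* Case-insensitive test that s begins with prefix. */
static int HasPrefixNoCase(const wchar_t *s, const wchar_t *prefix)
{
    for (; *prefix != L'\0'; ++s, ++prefix) {
        if (*s == L'\0' || towlower((wint_t)*s) != towlower((wint_t)*prefix))
            return 0;
    }
    return 1;
}

/*
 * The classification the reply describes. path is the volume-relative name
 * (the form FltGetFileNameInformation with FLT_FILE_NAME_NORMALIZED yields,
 * e.g. L"\\$Extend\\$UsnJrnl"), or NULL if only the id is known. "$Extend" is
 * matched as a directory component, so "\$Extended\x" is not matched by name.
 */
int IsNtfsSystemFile(uint64_t fileReference, const wchar_t *path)
{
    if (NtfsRecordNumber(fileReference) < NTFS_RESERVED_RECORDS)
        return 1;
    if (path != NULL && HasPrefixNoCase(path, L"\\$Extend")) {
        wchar_t next = path[8]; /* character after "\$Extend" */
        if (next == L'\0' || next == L'\\')
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample references (sequence number in the high 16 bits). */
    const uint64_t mft     = 0x0001000000000000ULL; /* record 0, seq 1 */
    const uint64_t secure  = 0x0001000000000009ULL; /* $Secure is record 9 */
    const uint64_t usnJrnl = 0x000100000000002AULL; /* some record under \$Extend */
    const uint64_t user    = 0x0003000000012345ULL; /* a user file, reused record */

    printf("$MFT naive check: %d, masked check: %d\n",
           NaiveIsReserved(mft), IsNtfsSystemFile(mft, L"\\$Mft"));
    printf("$Secure: %d\n", IsNtfsSystemFile(secure, L"\\$Secure"));
    printf("\\$Extend\\$UsnJrnl: %d\n", IsNtfsSystemFile(usnJrnl, L"\\$Extend\\$UsnJrnl"));
    printf("\\Users\\matt\\foo.txt: %d\n", IsNtfsSystemFile(user, L"\\Users\\matt\\foo.txt"));
    return 0;
}
```

A filter that wants to skip these objects entirely can run this test once in post-create and, when it returns true, set the per-stream context (or simply return FLT_POSTOP_FINISHED_PROCESSING without issuing any I/O of its own); the important part is that no FltReadFile is issued against the object before it has been classified.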

Thanks - that is very helpful information. I have no interest in filtering those files so I will put in code to ignore them. A couple of questions:

  1. Is this documented anywhere (the fact that anything with FileID below 16 is a system file, etc.)? Or is this just “lore”?
  2. What do you mean by “$Extend”? Do you mean anything where the first two characters are “$”?

Are there any similar rules/lore for other common filesystems that I should be aware of? (FAT/CDFS).

Thanks,
Matt