Deadlock... Do I need to rearchitecture my Filter driver behaviour

Hi,

I see deadlock happening on Windows 2000 professional when our file system
filter driver is installed along with anti virus driver.

Our filter driver basically pends READ requests and gives a chance to our
application running in user mode to read the file, and once our application
sends the response the filter driver will either deny the read request or
send the read request to the next lower driver.

This works fine on a system without the anti virus driver but deadlocks with
the anti virus driver. So we have the feeling that we need to rearchitect the
driver, but we wanted to know if there is any workaround for this.

Following is the brief dump analysis of the system when the deadlock
happened. The scenario is wmplayer is trying to play a file whose read
request is pended by our filter driver and our application is trying to read
the same file.

kd> !devstack 81779d40

!DevObj !DrvObj !DevExt ObjectName
81779d40 \FileSystem\p2pfsfd 81779df8
81b930e0 \Driver\SymEvent 81b93198
8203e020 \FileSystem\Ntfs 8203e0d8

!process 8177ad60 (wmplayer.exe)
thread 817948e0
IRP List:
8176d008: (0006,01b4) Flags: 00000900 Mdl: 81905688
8190c788: (0006,01b4) Flags: 00000884 Mdl: 00000000

ChildEBP RetAddr Args to Child
b6d683b4 80505e88 8176d008 00000000 8067eb7c nt!KiSwapThread+0xc5
b6d683dc 80592263 8176d924 00000000 00000000 nt!KeWaitForSingleObject+0x1a1
b6d68404 8057171b 81779d40 00000103 8176d8c8 nt!IopSynchronousServiceTail+0xbf
b6d684d8 8053d691 000001d4 00000000 00000000 nt!NtReadFile+0x5f4
b6d684d8 804d9255 000001d4 00000000 00000000 nt!_KiSystemService+0xc4
b6d68574 b7b3ac43 000001d4 00000000 00000000 nt!ZwReadFile+0xb
b6d685bc b7b090f6 818eef80 b7b09070 b6d6862c savrt+0x3dc43

!handle 0x1d4 3 8177ad60
file 8176d8c8, Name: \music\tpid\tpid2.mp3 {HarddiskVolume2}

!irp 8176d008
MJ_READ file 8176d8c8, pending by p2pfsfd

!irp 8190c788
MJ_CREATE file 81795328, “\music\tpid\tpid2.mp3” (no vpb)
pending by SymEvent

!process 81798d60 (DCMSimulator.exe)
thread 81778020
81902790 Mutant - owning thread 817948e0
819027b0 NotificationEvent
IRP List:
8176c608: (0006,01b4) Flags: 00000884 Mdl: 00000000

ChildEBP RetAddr Args to Child
b6c505fc 80505ba9 e4232b70 81902770 81902790 nt!KiSwapThread+0xc5
b6c50630 b7b11b1b 00000002 b6c50668 00000001 nt!KeWaitForMultipleObjects+0x266
b6c507c0 b7b7cb32 b6c50804 e12dc90c b6c50804 savrt+0x14b1b
b6c507d0 b7b832b8 b6c50804 81b930e0 b6c50804 SYMEVENT!SYMEvent_GetVMDataPtr+0x5392
b6c50820 804f7b8b 81b930e0 8176c608 8176c790 SYMEVENT!EventObjectCreate+0x3e8
b6c50910 80574945 80546400 8057441b b6c50c08 nt!IopfCallDriver+0x35
b6c50cf0 8056ff27 00f5cb88 c0100080 00f5cb24 nt!IoCreateFile+0x3ec

!obja 00f5cb24: ??\D:\music\tpid\tpid2.mp3

KeWaitForMultipleObjects(2, {Mutant, NotificationEvent}, WaitAny);

If anyone is interested I can send the full memory dump zipped which is
about 100 mb.

Any information is helpful.

Thanks,

Kedar.

Hi,

I want to add the following information.

One is wmplayer.exe, which tries to open the \music\tpid\tpid2.mp3
{HarddiskVolume2} file. During this time, symevent pends the
IRP_MJ_CREATE operation first, and issues an MJ_READ (to peek into the file
whether it is virus-free, I’d guess). The READ operation in turn is pended
by your p2pfsfd driver immediately.

The other process is DCMSimulator.exe which, upon requests from p2pfsfd,
tries to open D:\music\tpid\tpid2.mp3 for read. However symevent notices
that the file has not completed the required virus check, thus pending the
CREATE request again.

Thanks,

Kedar.


Not a good idea to examine files on READ request:

  1. Examine on IRP_CREATE and be sure that you don’t interfere with other
    non-AV-applications that may open the file, too
  2. Use “Shadow Device technique”, described in OSR Online IFS FAQ #34


Hi Plu1,

How does the shadow device technique help me in this issue? Even from the shadow
device object I need to pass the request to the lower AV driver.

Any information is helpful.

Thanks,
Kedar.


Hi Plu 1,

I went through the IFS FAQ and am still in the process of implementing the
shadow device technique but had a few questions about how this technique will
solve my problem. Do you say that my problem is related to a reentrancy
problem in my driver?

As I can think there will be no difference if we are passing the request to
the anti virus driver from either the shadow device object or the normal device
object. When the anti virus driver sees the file request it will also know
that there is a request pending on that and still the deadlock happens.

I am not saying this technique will not work but I wanted to know why it
will work rather than just getting it to work.

Thanks,
Kedar.


Kedar,

If the AV filter is sitting above you in the stack then requests directed at
the shadow device will not be processed by the AV filter instance above you.
Hence in this scenario it can prevent this type of deadlock. Though if the
AV Filter is below you in the stack, and you are passing requests from your
standard instance and your shadow instance to the driver below you in the
stack, then the AV filter will not ‘know’ any difference. In this case, if
there is a deadlock occurring it will not be alleviated by the shadow device
technique.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of kedar
Sent: Wednesday, July 06, 2005 8:40 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Deadlock… Do I need to rearchitecture my Filter driver
behaviour

Hi Plu 1,

I went through the IFS FAQ and am still in the process of implementing the
shadow device technique but had a few questions about how this technique will
solve my problem. Do you say that my problem is related to a reentrancy
problem in my driver?

As I can think there will be no difference if we are passing the request to
the anti virus driver from either the shadow device object or the normal device
object. When the anti virus driver sees the file request it will also know
that there is a request pending on that and still the deadlock happens.

I am not saying this technique will not work but I wanted to know why it
will work rather than just getting it to work.

Thanks,
Kedar.



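Added example, not part of the original thread and not code from any driver discussed in it: a user-mode C model of the wait-for graph in the posted dump, extended to the two stack orderings Pete describes. The edge set, the rule for which filters a shadow-device open passes through, and all function and array names are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

/* Wait-for graph nodes, named after the objects in the posted dump. */
enum { T_PLAYER,   /* wmplayer.exe thread 817948e0 */
       IRP_READ,   /* MJ_READ 8176d008, pended by p2pfsfd */
       T_APP,      /* DCMSimulator.exe thread 81778020 */
       MUTANT,     /* Mutant 81902790, owned by thread 817948e0 */
       N_NODES };

static int edge[N_NODES][N_NODES];    /* edge[a][b] = 1: a waits for b */

/* Index of a driver in a top-to-bottom stack listing, or -1 if absent. */
static int stack_index(const char *const *stack, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(stack[i], name) == 0)
            return i;
    return -1;
}

/* Modelling assumption: a normal open enters at the top of the stack and
 * visits every filter; an open sent through the shadow device is forwarded
 * from p2pfsfd downward, so it only visits filters below p2pfsfd. */
static int app_open_hits_av(const char *const *stack, int n, int use_shadow)
{
    int av = stack_index(stack, n, "SymEvent");
    int me = stack_index(stack, n, "p2pfsfd");
    if (av < 0) return 0;                 /* no AV filter in the stack */
    if (!use_shadow || me < 0) return 1;  /* open starts at the top */
    return av > me;                       /* larger index = lower in stack */
}

/* Depth-first search. state: 0 = unvisited, 1 = on current path, 2 = done. */
static int has_cycle_from(int node, int *state)
{
    state[node] = 1;
    for (int next = 0; next < N_NODES; next++) {
        if (!edge[node][next]) continue;
        if (state[next] == 1) return 1;   /* back edge closes a cycle */
        if (state[next] == 0 && has_cycle_from(next, state)) return 1;
    }
    state[node] = 2;
    return 0;
}

/* Build the wait-for graph for one configuration; returns 1 on a cycle. */
int deadlocks(const char *const *stack, int n, int use_shadow)
{
    int state[N_NODES] = {0};
    memset(edge, 0, sizeof edge);
    edge[T_PLAYER][IRP_READ] = 1;  /* player waits for its synchronous read */
    edge[IRP_READ][T_APP]    = 1;  /* p2pfsfd holds the read for the app */
    edge[MUTANT][T_PLAYER]   = 1;  /* mutant is owned by the player thread */
    if (app_open_hits_av(stack, n, use_shadow))
        edge[T_APP][MUTANT]  = 1;  /* app's create blocks inside the AV */
    for (int i = 0; i < N_NODES; i++)
        if (state[i] == 0 && has_cycle_from(i, state))
            return 1;
    return 0;
}

/* Constructed stack listings, top of stack first. */
const char *const AV_BELOW[] = { "p2pfsfd", "SymEvent", "Ntfs" };
const char *const AV_ABOVE[] = { "SymEvent", "p2pfsfd", "Ntfs" };
const char *const NO_AV[]    = { "p2pfsfd", "Ntfs" };

int main(void)
{
    printf("AV below, normal open: %d\n", deadlocks(AV_BELOW, 3, 0));
    printf("AV below, shadow open: %d\n", deadlocks(AV_BELOW, 3, 1));
    printf("AV above, normal open: %d\n", deadlocks(AV_ABOVE, 3, 0));
    printf("AV above, shadow open: %d\n", deadlocks(AV_ABOVE, 3, 1));
    printf("no AV,    normal open: %d\n", deadlocks(NO_AV, 2, 0));
    return 0;
}
```

AV_BELOW follows the order of the !devstack listing in the original post, with p2pfsfd listed before SymEvent; in this model that ordering still produces a cycle when the shadow device is used.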