Hi all,
My minifilter calls FltCreateFile to open the file in PreCreate to check whether it is an encrypted file. It looks like this is causing a deadlock on some resource.
In my PreCreate code, it composes the file path string as below:
    /* Build "\??\" + volume name + file name for the nested open. */
    RtlAppendUnicodeToString(&FullFileName, L"\\??\\");
    RtlAppendUnicodeStringToString(&FullFileName, &volCtx->Name);
    RtlAppendUnicodeStringToString(&FullFileName, &FltObjects->FileObject->FileName);
Then I passed the path into a subfunction to open the file. I use thread-based reentry checking. (I know from the IFS FAQ that it has a potential problem, and I plan to improve it later. It should not be the cause here.)
    InitializeObjectAttributes(
        &oa, FileName,
        OBJ_KERNEL_HANDLE|OBJ_CASE_INSENSITIVE,
        Handle,                       /* RootDirectory */
        NULL);                        /* SecurityDescriptor */
    SetCreateEntry(CHECKING_FILE_ENCRYPTION, NULL);
    status = FltCreateFile(
        GblDrvData.Filter,
        instance,                     //optional - can be NULL
        &FileHandle,
        FILE_READ_DATA,               /* DesiredAccess */
        &oa,
        &ioStatus,
        NULL,                         /* AllocationSize */
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ,
        FILE_OPEN,                    /* CreateDisposition */
        FILE_NON_DIRECTORY_FILE,      /* CreateOptions */
        NULL,                         /* EaBuffer */
        0,                            /* EaLength */
        IO_IGNORE_SHARE_ACCESS_CHECK);
    ClearCreateEntry();
The stacks of the applications which access the file are dumped below. I tried to run the "locks" command to find the locked resources, but it is not working. (It used to work well. If anyone knows how to fix it, I'd appreciate it!)
Could you please point out anything I should pay attention to in order to fix this problem? Thanks.
kd> !ntsdexts.locks
NTSDEXTS: Unable to resolve ntdll!RtlCriticalSectionList
NTSDEXTS: Please check your symbols
kd> !process 815a7318
PROCESS 815a7318 SessionId: 0 Cid: 014c Peb: 7ffde000 ParentCid: 00a0
DirBase: 0ef1a000 ObjectTable: e17f7f60 HandleCount: 406.
Image: explorer.exe
VadRoot 81533508 Vads 249 Clone 0 Private 2498. Modified 6905. Locked 0.
DeviceMap e1ee99b8
Token e182b388
ElapsedTime 04:07:10.040
UserTime 00:00:10.374
KernelTime 00:00:42.591
QuotaPoolUsage[PagedPool] 83516
QuotaPoolUsage[NonPagedPool] 14320
Working Set Sizes (now,min,max) (3342, 50, 345) (13368KB, 200KB, 1380KB)
PeakWorkingSetSize 5122
VirtualSize 83 Mb
PeakVirtualSize 91 Mb
PageFaultCount 22828
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 3068
THREAD 815f72f8 Cid 014c.015c Teb: 7ffdd000 Win32Thread: e18344f0 WAIT: (Executive) KernelMode Non-Alertable
817c2810 Semaphore Limit 0x7fffffff
815f73e8 NotificationTimer
IRP List:
816008d8: (0006,01fc) Flags: 00000884 Mdl: 00000000
815ff008: (0006,01fc) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap e1ee99b8
Owning Process 815a7318 Image: explorer.exe
Wait Start TickCount 948608 Ticks: 360 (0:00:00:03.605)
Context Switch Count 14152 LargeStack
UserTime 00:00:01.742
KernelTime 00:00:10.915
Win32 Start Address 0x0101e24e
Start Address 0x7c810867
Stack Init f9aebaf0 Current f9aeac54 Base f9aec000 Limit f9ae7000 Call f9aebafc
Priority 15 BasePriority 8 PriorityDecrement 5 DecrementCount 16
ChildEBP RetAddr
f9aeac6c 804dd6a6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f9aeac78 804dd6f2 nt!KiSwapThread+0x46 (FPO: [0,0,0])
f9aeaca0 8051893b nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
f9aeacdc 804f25b0 nt!ExpWaitForResource+0xd2 (FPO: [Non-Fpo])
f9aeacf0 f98da72e nt!ExAcquireResourceSharedLite+0xb2 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
f9aead2c 804ef696 0xf98da72e
f9aeae54 f98dff64 nt!FsRtlLookupLargeMcbEntry+0xe1 (FPO: [Non-Fpo])
f9aeaf34 804e4d77 0xf98dff64
f9aeaf90 804e4d77 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f9aeb05c 80571f9c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f9aeaf90 804e4d77 nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
f9aeb05c 80571f9c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f9aeb04c 804e4d77 nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
f9aeb13c 8056486c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f9aeb13c 8056486c nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
f9aeb1c4 80568c63 nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
f9aeb218 80572477 nt!ObOpenObjectByName+0xeb (FPO: [Non-Fpo])
f9aeb294 8057c274 nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
f9aeb2dc f9981c45 nt!IoCreateFileSpecifyDeviceObjectHint+0x52 (FPO: [Non-Fpo])
f9aeb388 f5c3c9b7 0xf9981c45
f9aeb40c f5c2ebe6 docCrypto!PreCreateCheckEncryption+0xc7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\smartlock\cryptodrv\check_reentry.c @ 110]
f9aeb490 f9971944 docCrypto!CryptoPreCreate+0x236 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\smartlock\cryptodrv\mf_create.c @ 111]
f9aeb550 804e4d77 0xf9971944
f9aeb560 80571f9c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f9aeb504 f997fccb nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
f9aeb550 804e4d77 0xf997fccb
f9aeb560 80571f9c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f9aeb550 804e4d77 nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
f9aeb640 8056486c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f9aeb640 8056486c nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
f9aeb6c8 80568c63 nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
f9aeb71c 80572477 nt!ObOpenObjectByName+0xeb (FPO: [Non-Fpo])
f9aeb798 80572546 nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
f9aeb7f4 8057260e nt!IoCreateFile+0x8e (FPO: [Non-Fpo])
f9aeb834 804e006b nt!NtOpenFile+0x27 (FPO: [Non-Fpo])
f9aeb834 7c92eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f9aeb854)
0007f3ac 00000000 0x7c92eb94
THREAD 8170e558 Cid 014c.0518 Teb: 7ff9e000 Win32Thread: e19663a8 WAIT: (Executive) KernelMode Non-Alertable
817c2810 Semaphore Limit 0x7fffffff
8170e648 NotificationTimer
IRP List:
816605d8: (0006,01fc) Flags: 00000884 Mdl: 00000000
815c3ab8: (0006,01fc) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap e1ee99b8
Owning Process 815a7318 Image: explorer.exe
Wait Start TickCount 948908 Ticks: 60 (0:00:00:00.600)
Context Switch Count 468 LargeStack
UserTime 00:00:00.190
KernelTime 00:00:02.072
Win32 Start Address 0x7c930760
Start Address 0x7c810856
Stack Init f5f16000 Current f5f15164 Base f5f16000 Limit f5f13000 Call 0
Priority 15 BasePriority 8 PriorityDecrement 7 DecrementCount 16
ChildEBP RetAddr
f5f1517c 804dd6a6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f5f15188 804dd6f2 nt!KiSwapThread+0x46 (FPO: [0,0,0])
f5f151b0 8051893b nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
f5f151ec 804f25b0 nt!ExpWaitForResource+0xd2 (FPO: [Non-Fpo])
f5f15200 f98da72e nt!ExAcquireResourceSharedLite+0xb2 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
f5f15238 804dd6bc 0xf98da72e
f5f15244 804dd6f2 nt!KiSwapThread+0x68 (FPO: [0,0,0])
f5f15364 f98dff64 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
f5f15444 804e4d77 0xf98dff64
f5f154a0 804e4d77 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f5f1556c 80571f9c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f5f154a0 804e4d77 nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
f5f1556c 80571f9c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f5f1555c 804e4d77 nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
f5f155bc 8054c635 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f5f1564c 8056486c nt!ExAllocatePoolWithTag+0x7c5 (FPO: [Non-Fpo])
f5f156d4 80568c63 nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
f5f15728 80572477 nt!ObOpenObjectByName+0xeb (FPO: [Non-Fpo])
f5f157a4 8057c274 nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
f5f157ec f9981c45 nt!IoCreateFileSpecifyDeviceObjectHint+0x52 (FPO: [Non-Fpo])
f5f15898 f5c3c9b7 0xf9981c45
f5f1591c f5c2ebe6 docCrypto!PreCreateCheckEncryption+0xc7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\smartlock\cryptodrv\check_reentry.c @ 110]
f5f159a0 f9971944 docCrypto!CryptoPreCreate+0x236 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\smartlock\cryptodrv\mf_create.c @ 111]
f5f15a60 804e4d77 0xf9971944
f5f15a70 80571f9c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f5f15a14 f997fccb nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
f5f15a60 804e4d77 0xf997fccb
f5f15a70 80571f9c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f5f15a60 804e4d77 nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
f5f15b50 8056486c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f5f15b50 8056486c nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
f5f15bd8 80568c63 nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
f5f15c2c 80572477 nt!ObOpenObjectByName+0xeb (FPO: [Non-Fpo])
f5f15ca8 80572546 nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
f5f15d04 8057260e nt!IoCreateFile+0x8e (FPO: [Non-Fpo])
f5f15d44 804e006b nt!NtOpenFile+0x27 (FPO: [Non-Fpo])
f5f15d44 7c92eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f5f15d64)
02b3f8e8 00000000 0x7c92eb94
kd> !process 815627c8
PROCESS 815627c8 SessionId: 0 Cid: 020c Peb: 7ffdd000 ParentCid: 014c
DirBase: 05529000 ObjectTable: e1945968 HandleCount: 0.
Image: UEDIT32.EXE
VadRoot 815c1710 Vads 10 Clone 0 Private 9. Modified 0. Locked 0.
DeviceMap e1ee99b8
Token e225e030
ElapsedTime 00:00:46.647
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 6300
QuotaPoolUsage[NonPagedPool] 400
Working Set Sizes (now,min,max) (17, 50, 345) (68KB, 200KB, 1380KB)
PeakWorkingSetSize 17
VirtualSize 3 Mb
PeakVirtualSize 3 Mb
PageFaultCount 13
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 40
THREAD 8167d770 Cid 020c.0318 Teb: 7ffdf000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
f5f4902c NotificationEvent
IRP List:
816008d8: (0006,01fc) Flags: 00000884 Mdl: 00000000
81671b00: (0006,01fc) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap e1ee99b8
Owning Process 815627c8 Image: UEDIT32.EXE
Wait Start TickCount 918602 Ticks: 4651 (0:00:00:46.576)
Context Switch Count 8
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00496a95
Start Address 0x7c810867
Stack Init f5f4a000 Current f5f48fb8 Base f5f4a000 Limit f5f47000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
f5f48fd0 804dd6a6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f5f48fdc 804dd6f2 nt!KiSwapThread+0x46 (FPO: [0,0,0])
f5f49004 8061ae0e nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
f5f49040 805e4a7f nt!IoReportTargetDeviceChange+0xeb (FPO: [Non-Fpo])
f5f49084 f9914aba nt!FsRtlNotifyVolumeEvent+0xb7 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
f5f491ec 804e4d77 0xf9914aba
f5f49248 804e4d77 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f5f4930c 80571f9c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f5f491ec 804e4d77 nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
f5f4930c 80571f9c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f5f49248 804e4d77 nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
f5f4930c 80571f9c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f5f492fc 804e4d77 nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
f5f493ec 8056486c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f5f493ec 8056486c nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
f5f49474 80568c63 nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
f5f494c8 80572477 nt!ObOpenObjectByName+0xeb (FPO: [Non-Fpo])
f5f49544 8057c274 nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
f5f4958c f9981c45 nt!IoCreateFileSpecifyDeviceObjectHint+0x52 (FPO: [Non-Fpo])
f5f49638 f5c3c9b7 0xf9981c45
f5f496bc f5c2ebe6 docCrypto!PreCreateCheckEncryption+0xc7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\smartlock\cryptodrv\check_reentry.c @ 110]
f5f49740 f9971944 docCrypto!CryptoPreCreate+0x236 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\smartlock\cryptodrv\mf_create.c @ 111]
f5f49800 804e4d77 0xf9971944
f5f49810 80571f9c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f5f497b4 f997fccb nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
f5f49800 804e4d77 0xf997fccb
f5f49810 80571f9c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f5f49800 804e4d77 nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
f5f498f0 8056486c nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f5f498f0 8056486c nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
f5f49978 80568c63 nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
f5f499cc 80572477 nt!ObOpenObjectByName+0xeb (FPO: [Non-Fpo])
f5f49a48 80572546 nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
f5f49aa4 8057267c nt!IoCreateFile+0x8e (FPO: [Non-Fpo])
f5f49ae4 804e006b nt!NtCreateFile+0x30 (FPO: [Non-Fpo])
f5f49ae4 804ddfb9 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f5f49b18)
f5f49b88 8058fb6a nt!ZwCreateFile+0x11 (FPO: [11,0,0])
f5f49c18 805905fb nt!CcPfQueryVolumeInfo+0x6b (FPO: [Non-Fpo])
f5f49c5c 8058f954 nt!CcPfOpenVolumesForPrefetch+0xa3 (FPO: [Non-Fpo])
f5f49c88 8058f7ed nt!CcPfPrefetchScenario+0x5e (FPO: [Non-Fpo])