Does ZwClose bugcheck in NT4?

I know that ZwClose will bugcheck in W2K if the handle is invalid. I’m
assuming this is case for NT4 as well. Does anyone know for sure that it
does?

And on that subject, does anyone else agree that bugchecking on the
close of an invalid handle is a rather harsh action to take? IMHO,
ZwClose should just return STATUS_INVALID_HANDLE instead of bringing the
whole system down. Now, I’m not saying that we should be sloppy with
handles. A driver should still carefully manage them and be responsible
for their state. However, I have seen cases where errant applications
have closed handles at will and inadvertently closed one that a driver
was using and was carefully tracking. Then when the driver correctly
called ZwClose - bugcheck.

The race conditions where this has happened have been tight and hard to
duplicate, but it can be done.

Jerry

If your driver creates its handles in the system process’s context, you’re safe from this problem.

Another solution would be to have the application close the handle, rather than your driver. This is easy if it’s your application. It’s still possible using APC’s, even if it’s not your application, but I don’t recommend that.

-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 8:15 AM
To: File Systems Developers
Subject: [ntfsd] Does ZwClose bugcheck in NT4?

I know that ZwClose will bugcheck in W2K if the handle is invalid. I’m assuming this is case for NT4 as well. Does anyone know for sure that it does?

And on that subject, does anyone else agree that bugchecking on the close of an invalid handle is a rather harsh action to take? IMHO, ZwClose should just return STATUS_INVALID_HANDLE instead of bringing the whole system down. Now, I’m not saying that we should be sloppy with handles. A driver should still carefully manage them and be responsible for their state. However, I have seen cases where errant applications have closed handles at will and inadvertently closed one that a driver was using and was carefully tracking. Then when the driver correctly called ZwClose - bugcheck.

The race conditions where this has happened have been tight and hard to duplicate, but it can be done.

Jerry

You are currently subscribed to ntfsd as: xxxxx@inin.com
To unsubscribe send a blank email to %%email.unsub%%

Ah yes, but if it were that simple. It’s not always convenient,
quick, or efficient to be in the system process context. For this case,
it’s in an arbitrary context. Attaching to the system process would be
too expensive and queuing it to a worker would add undesirable delays.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 9:30 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

If your driver creates its handles in the system process’s context,
you’re safe from this problem.

Another solution would be to have the application close the handle,
rather than your driver. This is easy if it’s your application. It’s
still possible using APC’s, even if it’s not your application, but I
don’t recommend that.

-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 8:15 AM
To: File Systems Developers
Subject: [ntfsd] Does ZwClose bugcheck in NT4?

I know that ZwClose will bugcheck in W2K if the handle is
invalid. I’m assuming this is case for NT4 as well. Does anyone know for
sure that it does?

And on that subject, does anyone else agree that bugchecking on
the close of an invalid handle is a rather harsh action to take? IMHO,
ZwClose should just return STATUS_INVALID_HANDLE instead of bringing the
whole system down. Now, I’m not saying that we should be sloppy with
handles. A driver should still carefully manage them and be responsible
for their state. However, I have seen cases where errant applications
have closed handles at will and inadvertently closed one that a driver
was using and was carefully tracking. Then when the driver correctly
called ZwClose - bugcheck.

The race conditions where this has happened have been tight and
hard to duplicate, but it can be done.

Jerry

You are currently subscribed to ntfsd as: xxxxx@inin.com
To unsubscribe send a blank email to %%email.unsub%%

You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%%

After further testing, it appears that NT4 does not bugcheck in ZwClose
on NT4. Evidently, this was a feature added in W2K to aid debugging.

-----Original Message-----
From: Kelley, Jerry
Sent: Tuesday, May 14, 2002 8:15 AM
To: File Systems Developers
Subject: [ntfsd] Does ZwClose bugcheck in NT4?

I know that ZwClose will bugcheck in W2K if the handle is invalid. I’m
assuming this is case for NT4 as well. Does anyone know for sure that it
does?

And on that subject, does anyone else agree that bugchecking on the
close of an invalid handle is a rather harsh action to take? IMHO,
ZwClose should just return STATUS_INVALID_HANDLE instead of bringing the
whole system down. Now, I’m not saying that we should be sloppy with
handles. A driver should still carefully manage them and be responsible
for their state. However, I have seen cases where errant applications
have closed handles at will and inadvertently closed one that a driver
was using and was carefully tracking. Then when the driver correctly
called ZwClose - bugcheck.

The race conditions where this has happened have been tight and hard to
duplicate, but it can be done.

Jerry

You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%%

Does ZwClose bugcheck in NT4?>I know that ZwClose will bugcheck in W2K if the handle is invalid. I’m assuming this is case for NT4 as well.

Does anyone know for sure that it does?

This protects your code from severe bugs.

applications have closed handles at will and inadvertently closed one that a driver was using and was
carefully tracking.

Never track app’s handles in the driver. Use ObReferenceObjectByHandle, possibly followed by ObOpenObjectByPointer in System process context.
Tracking app’s handles in the driver is exactly the OS misuse which ZwClose bugcheck catches.

Max

MessageThen dereference the handle to the pointer and use the pointer.

Max
----- Original Message -----
From: Kelley, Jerry
To: File Systems Developers
Sent: Tuesday, May 14, 2002 7:28 PM
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Ah yes, but if it were that simple. It’s not always convenient, quick, or efficient to be in the system process context. For this case, it’s in an arbitrary context. Attaching to the system process would be too expensive and queuing it to a worker would add undesirable delays.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 9:30 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

If your driver creates its handles in the system process’s context, you’re safe from this problem.

Another solution would be to have the application close the handle, rather than your driver. This is easy if it’s your application. It’s still possible using APC’s, even if it’s not your application, but I don’t recommend that.
-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 8:15 AM
To: File Systems Developers
Subject: [ntfsd] Does ZwClose bugcheck in NT4?

I know that ZwClose will bugcheck in W2K if the handle is invalid. I’m assuming this is case for NT4 as well. Does anyone know for sure that it does?

And on that subject, does anyone else agree that bugchecking on the close of an invalid handle is a rather harsh action to take? IMHO, ZwClose should just return STATUS_INVALID_HANDLE instead of bringing the whole system down. Now, I’m not saying that we should be sloppy with handles. A driver should still carefully manage them and be responsible for their state. However, I have seen cases where errant applications have closed handles at will and inadvertently closed one that a driver was using and was carefully tracking. Then when the driver correctly called ZwClose - bugcheck.

The race conditions where this has happened have been tight and hard to duplicate, but it can be done.

Jerry

You are currently subscribed to ntfsd as: xxxxx@inin.com
To unsubscribe send a blank email to %%email.unsub%%

You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%% —
You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to %%email.unsub%%

I’m not tracking app handles in the driver. The driver opens a file,
gets a handle, uses it to get the object pointer, then closes the handle
to properly clean up the reference counting. It’s that close that
bugchecks the system because it thinks the handle is invalid.

Here’s the pseudocode:

Status = ZwCreateFile(&hFile …)

if (!NT_SUCCESS(Status)) handle the error and bail

Status = ObReferenceObjectByHandle(hFile, … , &pFileObject);

ZwClose(hFile)

if (!NT_SUCCESS(Status)) handle the error and bail

… use pFileObject

These operations are sequential and the ZwCreateFile status code was
checked for failure. The goal is to get the FO pointer from the handle.
Now, I’ve seen cases where the ZwClose bugchecks on an invalid handle.
Somehow, the handle that the driver thought was valid has become
invalid. There could be a check after the ObReferenceObjectByHandle to
see if the handle is now invalid and not perform the close. That’s
actually one bit of defensive coding that has been done.

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Tuesday, May 14, 2002 1:03 PM
To: File Systems Developers
Subject: [ntfsd] Re: Does ZwClose bugcheck in NT4?

I know that ZwClose will bugcheck in W2K if the handle is invalid. I’m
assuming this is case for NT4 as well.
Does anyone know for sure that it does?

This protects your code from severe bugs.

applications have closed handles at will and inadvertently closed one
that a driver was using and was
carefully tracking.

Never track app’s handles in the driver. Use ObReferenceObjectByHandle,
possibly followed by ObOpenObjectByPointer in System process context.
Tracking app’s handles in the driver is exactly the OS misuse which
ZwClose bugcheck catches.

Max

You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%%

It does.

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Tuesday, May 14, 2002 1:12 PM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Then dereference the handle to the pointer and use the pointer.

Max

----- Original Message -----
From: Kelley, Jerry mailto:xxxxx
To: File Systems Developers mailto:xxxxx
Sent: Tuesday, May 14, 2002 7:28 PM
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Ah yes, but if it were that simple. It’s not always
convenient, quick, or efficient to be in the system process context. For
this case, it’s in an arbitrary context. Attaching to the system process
would be too expensive and queuing it to a worker would add undesirable
delays.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 9:30 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

If your driver creates its handles in the system process’s
context, you’re safe from this problem.

Another solution would be to have the application close the
handle, rather than your driver. This is easy if it’s your application.
It’s still possible using APC’s, even if it’s not your application, but
I don’t recommend that.

-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 8:15 AM
To: File Systems Developers
Subject: [ntfsd] Does ZwClose bugcheck in NT4?

I know that ZwClose will bugcheck in W2K if the handle
is invalid. I’m assuming this is case for NT4 as well. Does anyone know
for sure that it does?

And on that subject, does anyone else agree that
bugchecking on the close of an invalid handle is a rather harsh action
to take? IMHO, ZwClose should just return STATUS_INVALID_HANDLE instead
of bringing the whole system down. Now, I’m not saying that we should be
sloppy with handles. A driver should still carefully manage them and be
responsible for their state. However, I have seen cases where errant
applications have closed handles at will and inadvertently closed one
that a driver was using and was carefully tracking. Then when the driver
correctly called ZwClose - bugcheck.

The race conditions where this has happened have been
tight and hard to duplicate, but it can be done.

Jerry

—
You are currently subscribed to ntfsd as:
xxxxx@inin.com
To unsubscribe send a blank email to %%email.unsub%%

—
You are currently subscribed to ntfsd as:
xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%% —
You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to %%email.unsub%%

—
You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%%</mailto:xxxxx></mailto:xxxxx>

Let me be a bit clearer. We have to decrement the handle count and that
is being done via ZwClose. Whenever you receive a handle, e.g., through
ZwCreateFile, the handle count gets incremented and the object
referenced. If I just dereference the object, the handle count is not
taken care of. Is there a documented way to decrement the handle count
without calling ZwClose? If so, we could just decrement the handle count
and decrement the reference count on the object.

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Tuesday, May 14, 2002 1:12 PM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Then dereference the handle to the pointer and use the pointer.

Max

----- Original Message -----
From: Kelley, Jerry mailto:xxxxx
To: File Systems Developers mailto:xxxxx
Sent: Tuesday, May 14, 2002 7:28 PM
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Ah yes, but if it were that simple. It’s not always
convenient, quick, or efficient to be in the system process context. For
this case, it’s in an arbitrary context. Attaching to the system process
would be too expensive and queuing it to a worker would add undesirable
delays.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 9:30 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

If your driver creates its handles in the system process’s
context, you’re safe from this problem.

Another solution would be to have the application close the
handle, rather than your driver. This is easy if it’s your application.
It’s still possible using APC’s, even if it’s not your application, but
I don’t recommend that.

-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 8:15 AM
To: File Systems Developers
Subject: [ntfsd] Does ZwClose bugcheck in NT4?

I know that ZwClose will bugcheck in W2K if the handle
is invalid. I’m assuming this is case for NT4 as well. Does anyone know
for sure that it does?

And on that subject, does anyone else agree that
bugchecking on the close of an invalid handle is a rather harsh action
to take? IMHO, ZwClose should just return STATUS_INVALID_HANDLE instead
of bringing the whole system down. Now, I’m not saying that we should be
sloppy with handles. A driver should still carefully manage them and be
responsible for their state. However, I have seen cases where errant
applications have closed handles at will and inadvertently closed one
that a driver was using and was carefully tracking. Then when the driver
correctly called ZwClose - bugcheck.

The race conditions where this has happened have been
tight and hard to duplicate, but it can be done.

Jerry

—
You are currently subscribed to ntfsd as:
xxxxx@inin.com
To unsubscribe send a blank email to %%email.unsub%%

—
You are currently subscribed to ntfsd as:
xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%% —
You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to %%email.unsub%%

—
You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%%</mailto:xxxxx></mailto:xxxxx>

>>I know that ZwClose will bugcheck in W2K if the handle is invalid. I’m
assuming this is case for

>NT4 as well. Does anyone know for sure that it does?

This protects your code from severe bugs.

I think it might be sufficient to return STATUS_INVALID_HANDLE, as Jerry
suggested, and to ASSERT in the checked build. This would catch actual
driver errors in testing, but not crash the system in production because
of the actions of a badly coded application.

>applications have closed handles at will and inadvertently closed one
that a driver was using
>and was carefully tracking.

Never track app’s handles in the driver. Use ObReferenceObjectByHandle,
possibly followed by
ObOpenObjectByPointer in System process context.
Tracking app’s handles in the driver is exactly the OS misuse which
ZwClose bugcheck catches.

This isn’t really the issue. The issue is that a driver can create a
handle to some object in kernel mode, intended to be for the driver’s
own exclusive use, in kernel mode, and the unprivileged process can, in
another thread in user mode, close the driver’s handle. I’ve seen this
happen when an application issues a double close on a handle.
ObReferenceing the handle doesn’t really help, because it still leaves a
window between the handle creation and the the ObReference.

VMS (in addition to having clusters that work, but that’s another ntfsd
thread from hell) associates the processor mode with a channel (the VMS
word for handle), and a kernel mode channel cannot be accessed from user
mode. It would have been nice if this had been designed into NT, but
it’s probably too late now.

• Dan.

My comments below.

-----Original Message-----
From: Dan Kyler [mailto:xxxxx@privtek.com]
Sent: Tuesday, May 14, 2002 2:08 PM
To: File Systems Developers
Subject: [ntfsd] Re: Does ZwClose bugcheck in NT4?

>I know that ZwClose will bugcheck in W2K if the handle is invalid. I’m
assuming this is case for
>NT4 as well. Does anyone know for sure that it does?

This protects your code from severe bugs.

I think it might be sufficient to return STATUS_INVALID_HANDLE, as Jerry
suggested, and to ASSERT in the checked build. This would catch actual
driver errors in testing, but not crash the system in production because
of the actions of a badly coded application.

>applications have closed handles at will and inadvertently closed one
that a driver was using
>and was carefully tracking.

Never track app’s handles in the driver. Use ObReferenceObjectByHandle,
possibly followed by
ObOpenObjectByPointer in System process context.
Tracking app’s handles in the driver is exactly the OS misuse which
ZwClose bugcheck catches.

This isn’t really the issue. The issue is that a driver can create a
handle to some object in kernel mode, intended to be for the driver’s
own exclusive use, in kernel mode, and the unprivileged process can, in
another thread in user mode, close the driver’s handle. I’ve seen this
happen when an application issues a double close on a handle.
ObReferenceing the handle doesn’t really help, because it still leaves a
window between the handle creation and the the ObReference.

This is exactly what I’ve seen as well and was trying to say. I didn’t
do a very good job of explaining it though.

VMS (in addition to having clusters that work, but that’s another ntfsd
thread from hell) associates the processor mode with a channel (the VMS
word for handle), and a kernel mode channel cannot be accessed from user
mode. It would have been nice if this had been designed into NT, but
it’s probably too late now.

• Dan.

You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%%

How do you know using a worker thread is too expensive? Did you measure this? Many components of the operating system use worker threads, especially in the realm of file systems.

-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 10:28 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Ah yes, but if it were that simple. It’s not always convenient, quick, or efficient to be in the system process context. For this case, it’s in an arbitrary context. Attaching to the system process would be too expensive and queuing it to a worker would add undesirable delays.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 9:30 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

If your driver creates its handles in the system process’s context, you’re safe from this problem.

Another solution would be to have the application close the handle, rather than your driver. This is easy if it’s your application. It’s still possible using APC’s, even if it’s not your application, but I don’t recommend that.

-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 8:15 AM
To: File Systems Developers
Subject: [ntfsd] Does ZwClose bugcheck in NT4?

I know that ZwClose will bugcheck in W2K if the handle is invalid. I’m assuming this is case for NT4 as well. Does anyone know for sure that it does?

And on that subject, does anyone else agree that bugchecking on the close of an invalid handle is a rather harsh action to take? IMHO, ZwClose should just return STATUS_INVALID_HANDLE instead of bringing the whole system down. Now, I’m not saying that we should be sloppy with handles. A driver should still carefully manage them and be responsible for their state. However, I have seen cases where errant applications have closed handles at will and inadvertently closed one that a driver was using and was carefully tracking. Then when the driver correctly called ZwClose - bugcheck.

The race conditions where this has happened have been tight and hard to duplicate, but it can be done.

Jerry

You are currently subscribed to ntfsd as: xxxxx@inin.com
To unsubscribe send a blank email to %%email.unsub%%

You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%% —
You are currently subscribed to ntfsd as: xxxxx@inin.com
To unsubscribe send a blank email to %%email.unsub%%

If you decrement the handle count without calling ZwClose, IRP_MJ_CLEANUP may not be called for your file object. Do you intend to implement the other 99% of the functionality in ZwClose as well as decrementing the handle count? That sounds like an enjoyable exercise in disassembly.

-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 1:58 PM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Let me be a bit clearer. We have to decrement the handle count and that is being done via ZwClose. Whenever you receive a handle, e.g., through ZwCreateFile, the handle count gets incremented and the object referenced. If I just dereference the object, the handle count is not taken care of. Is there a documented way to decrement the handle count without calling ZwClose? If so, we could just decrement the handle count and decrement the reference count on the object.

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Tuesday, May 14, 2002 1:12 PM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Then dereference the handle to the pointer and use the pointer.

Max

----- Original Message -----
From: Kelley, Jerry mailto:xxxxx
To: File Systems Developers mailto:xxxxx
Sent: Tuesday, May 14, 2002 7:28 PM
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Ah yes, but if it were that simple. It’s not always convenient, quick, or efficient to be in the system process context. For this case, it’s in an arbitrary context. Attaching to the system process would be too expensive and queuing it to a worker would add undesirable delays.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 9:30 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

If your driver creates its handles in the system process’s context, you’re safe from this problem.

Another solution would be to have the application close the handle, rather than your driver. This is easy if it’s your application. It’s still possible using APC’s, even if it’s not your application, but I don’t recommend that.

-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 8:15 AM
To: File Systems Developers
Subject: [ntfsd] Does ZwClose bugcheck in NT4?

I know that ZwClose will bugcheck in W2K if the handle is invalid. I’m assuming this is case for NT4 as well. Does anyone know for sure that it does?

And on that subject, does anyone else agree that bugchecking on the close of an invalid handle is a rather harsh action to take? IMHO, ZwClose should just return STATUS_INVALID_HANDLE instead of bringing the whole system down. Now, I’m not saying that we should be sloppy with handles. A driver should still carefully manage them and be responsible for their state. However, I have seen cases where errant applications have closed handles at will and inadvertently closed one that a driver was using and was carefully tracking. Then when the driver correctly called ZwClose - bugcheck.

The race conditions where this has happened have been tight and hard to duplicate, but it can be done.

Jerry

—
You are currently subscribed to ntfsd as: xxxxx@inin.com
To unsubscribe send a blank email to %%email.unsub%%

—
You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%% —
You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to %%email.unsub%%

—
You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%% —
You are currently subscribed to ntfsd as: xxxxx@inin.com
To unsubscribe send a blank email to %%email.unsub%%</mailto:xxxxx></mailto:xxxxx>

In reply to various comments in this thread…

If the worry is that a handle you open in kernel-mode
can inadvertantly be closed by a user-mode process,
then specify the OBJ_KERNEL_HANDLE flag in
InitializeObjectAttributes(). I’m not sure which OS
revision this flag was introduced on, but it causes
the opened handle to be valid for kernel-mode code
only.

=====

• Nicholas Ryan

Do You Yahoo!?
LAUNCH - Your Yahoo! Music Experience
http://launch.yahoo.com

Drivers should specify OBJ_KERNEL_HANDLE for the Attributes when opening
a handle in arbitrary process contexts. This ensures that the handle
table that is used is the system process handle table - and prevents
apps from being able to access or close these handles. Using worker
threads is totally unnecessary in this case.
Ravi
This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 2:37 PM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

How do you know using a worker thread is too expensive? Did you measure
this? Many components of the operating system use worker threads,
especially in the realm of file systems.
-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 10:28 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Ah yes, but if it were that simple. It’s not always convenient,
quick, or efficient to be in the system process context. For this case,
it’s in an arbitrary context. Attaching to the system process would be
too expensive and queuing it to a worker would add undesirable delays.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 9:30 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

If your driver creates its handles in the system process’s context,
you’re safe from this problem.

Another solution would be to have the application close the handle,
rather than your driver. This is easy if it’s your application. It’s
still possible using APC’s, even if it’s not your application, but I
don’t recommend that.
-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 8:15 AM
To: File Systems Developers
Subject: [ntfsd] Does ZwClose bugcheck in NT4?

I know that ZwClose will bugcheck in W2K if the handle is invalid. I’m
assuming this is case for NT4 as well. Does anyone know for sure that it
does?

And on that subject, does anyone else agree that bugchecking on the
close of an invalid handle is a rather harsh action to take? IMHO,
ZwClose should just return STATUS_INVALID_HANDLE instead of bringing the
whole system down. Now, I’m not saying that we should be sloppy with
handles. A driver should still carefully manage them and be responsible
for their state. However, I have seen cases where errant applications
have closed handles at will and inadvertently closed one that a driver
was using and was carefully tracking. Then when the driver correctly
called ZwClose - bugcheck.

The race conditions where this has happened have been tight and hard to
duplicate, but it can be done.

Jerry

Cool. I think that’s a W2K and later function. That should work since ZwClose doesn’t blue screen under NT4.

-----Original Message-----
From: Nicholas Ryan [mailto:xxxxx@nryan.com]
Sent: Tuesday, May 14, 2002 4:38 PM
To: File Systems Developers
Subject: [ntfsd] Re: Does ZwClose bugcheck in NT4?

In reply to various comments in this thread…

If the worry is that a handle you open in kernel-mode
can inadvertantly be closed by a user-mode process,
then specify the OBJ_KERNEL_HANDLE flag in
InitializeObjectAttributes(). I’m not sure which OS
revision this flag was introduced on, but it causes
the opened handle to be valid for kernel-mode code
only.

=====

• Nicholas Ryan

Do You Yahoo!?
LAUNCH - Your Yahoo! Music Experience
http://launch.yahoo.com

You are currently subscribed to ntfsd as: xxxxx@inin.com
To unsubscribe send a blank email to %%email.unsub%%

OBJ_KERNEL_HANDLE is missing from the documentation for InitializeObjectAttributes in the W2K DDK, although it does appear in ntdef.h. Is it documented in the XP DDK?

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Tuesday, May 14, 2002 4:49 PM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Drivers should specify OBJ_KERNEL_HANDLE for the Attributes when opening
a handle in arbitrary process contexts. This ensures that the handle
table that is used is the system process handle table - and prevents
apps from being able to access or close these handles. Using worker
threads is totally unnecessary in this case.
Ravi
This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 2:37 PM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

How do you know using a worker thread is too expensive? Did you measure
this? Many components of the operating system use worker threads,
especially in the realm of file systems.
-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 10:28 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Ah yes, but if it were that simple. It’s not always convenient,
quick, or efficient to be in the system process context. For this case,
it’s in an arbitrary context. Attaching to the system process would be
too expensive and queuing it to a worker would add undesirable delays.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 9:30 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

If your driver creates its handles in the system process’s context,
you’re safe from this problem.

Another solution would be to have the application close the handle,
rather than your driver. This is easy if it’s your application. It’s
still possible using APC’s, even if it’s not your application, but I
don’t recommend that.
-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 8:15 AM
To: File Systems Developers
Subject: [ntfsd] Does ZwClose bugcheck in NT4?

I know that ZwClose will bugcheck in W2K if the handle is invalid. I’m
assuming this is case for NT4 as well. Does anyone know for sure that it
does?

And on that subject, does anyone else agree that bugchecking on the
close of an invalid handle is a rather harsh action to take? IMHO,
ZwClose should just return STATUS_INVALID_HANDLE instead of bringing the
whole system down. Now, I’m not saying that we should be sloppy with
handles. A driver should still carefully manage them and be responsible
for their state. However, I have seen cases where errant applications
have closed handles at will and inadvertently closed one that a driver
was using and was carefully tracking. Then when the driver correctly
called ZwClose - bugcheck.

The race conditions where this has happened have been tight and hard to
duplicate, but it can be done.

Jerry

You are currently subscribed to ntfsd as: xxxxx@inin.com
To unsubscribe send a blank email to %%email.unsub%%

Yes, the latest one tells you to specify this when creating files etc.
if you are not in the system process context.
By the way - performance implications or otherwise, this flag WILL have
to be specified for private driver handles, or you’d be leaving a huge
hole in the driver where the app under whose process context you are
creating the handle, can merrily access and bugcheck your machine - or
even worse get access to privileged data at will in another thread.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 3:08 PM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

OBJ_KERNEL_HANDLE is missing from the documentation for
InitializeObjectAttributes in the W2K DDK, although it does appear in
ntdef.h. Is it documented in the XP DDK?

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Tuesday, May 14, 2002 4:49 PM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Drivers should specify OBJ_KERNEL_HANDLE for the Attributes when opening
a handle in arbitrary process contexts. This ensures that the handle
table that is used is the system process handle table - and prevents
apps from being able to access or close these handles. Using worker
threads is totally unnecessary in this case.
Ravi
This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 2:37 PM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

How do you know using a worker thread is too expensive? Did you measure
this? Many components of the operating system use worker threads,
especially in the realm of file systems. -----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 10:28 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Ah yes, but if it were that simple. It’s not always convenient,
quick, or efficient to be in the system process context. For this case,
it’s in an arbitrary context. Attaching to the system process would be
too expensive and queuing it to a worker would add undesirable delays.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 9:30 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

If your driver creates its handles in the system process’s context,
you’re safe from this problem.

Another solution would be to have the application close the handle,
rather than your driver. This is easy if it’s your application. It’s
still possible using APC’s, even if it’s not your application, but I
don’t recommend that. -----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 8:15 AM
To: File Systems Developers
Subject: [ntfsd] Does ZwClose bugcheck in NT4?

I know that ZwClose will bugcheck in W2K if the handle is invalid. I’m
assuming this is case for NT4 as well. Does anyone know for sure that it
does?

And on that subject, does anyone else agree that bugchecking on the
close of an invalid handle is a rather harsh action to take? IMHO,
ZwClose should just return STATUS_INVALID_HANDLE instead of bringing the
whole system down. Now, I’m not saying that we should be sloppy with
handles. A driver should still carefully manage them and be responsible
for their state. However, I have seen cases where errant applications
have closed handles at will and inadvertently closed one that a driver
was using and was carefully tracking. Then when the driver correctly
called ZwClose - bugcheck.

The race conditions where this has happened have been tight and hard to
duplicate, but it can be done.

Jerry

You are currently subscribed to ntfsd as: xxxxx@inin.com To
unsubscribe send a blank email to %%email.unsub%%

You are currently subscribed to ntfsd as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to %%email.unsub%%

This is an inappropriate suggestion for Jerry’s original query - note that
he did specify NT 4.0, and the OBJ_KERNEL_HANDLE is not valid for Windows NT
4.0. It IS valid for Windows 2000 and Windows XP, but it does not work for
Windows NT 4.0.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: Ravisankar Pudipeddi [mailto:xxxxx@windows.microsoft.com]
Sent: Tuesday, May 14, 2002 5:49 PM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Drivers should specify OBJ_KERNEL_HANDLE for the Attributes when opening
a handle in arbitrary process contexts. This ensures that the handle
table that is used is the system process handle table - and prevents
apps from being able to access or close these handles. Using worker
threads is totally unnecessary in this case.
Ravi
This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 2:37 PM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

How do you know using a worker thread is too expensive? Did you measure
this? Many components of the operating system use worker threads,
especially in the realm of file systems.
-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 10:28 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Ah yes, but if it were that simple. It’s not always convenient,
quick, or efficient to be in the system process context. For this case,
it’s in an arbitrary context. Attaching to the system process would be
too expensive and queuing it to a worker would add undesirable delays.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 9:30 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

If your driver creates its handles in the system process’s context,
you’re safe from this problem.

Another solution would be to have the application close the handle,
rather than your driver. This is easy if it’s your application. It’s
still possible using APC’s, even if it’s not your application, but I
don’t recommend that.
-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 8:15 AM
To: File Systems Developers
Subject: [ntfsd] Does ZwClose bugcheck in NT4?

I know that ZwClose will bugcheck in W2K if the handle is invalid. I’m
assuming this is case for NT4 as well. Does anyone know for sure that it
does?

And on that subject, does anyone else agree that bugchecking on the
close of an invalid handle is a rather harsh action to take? IMHO,
ZwClose should just return STATUS_INVALID_HANDLE instead of bringing the
whole system down. Now, I’m not saying that we should be sloppy with
handles. A driver should still carefully manage them and be responsible
for their state. However, I have seen cases where errant applications
have closed handles at will and inadvertently closed one that a driver
was using and was carefully tracking. Then when the driver correctly
called ZwClose - bugcheck.

The race conditions where this has happened have been tight and hard to
duplicate, but it can be done.

Jerry

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to %%email.unsub%%

No, I don’t want to do that.

I’m just saying that the downside is that ZwClose on W2K will bring the
system down if the handle is (somehow) invalid. That seems rather harsh
especially on a production server.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 4:44 PM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

If you decrement the handle count without calling ZwClose,
IRP_MJ_CLEANUP may not be called for your file object. Do you intend to
implement the other 99% of the functionality in ZwClose as well as
decrementing the handle count? That sounds like an enjoyable exercise
in disassembly.

-----Original Message-----
From: Kelley, Jerry [mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 1:58 PM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Let me be a bit clearer. We have to decrement the handle count
and that is being done via ZwClose. Whenever you receive a handle, e.g.,
through ZwCreateFile, the handle count gets incremented and the object
referenced. If I just dereference the object, the handle count is not
taken care of. Is there a documented way to decrement the handle count
without calling ZwClose? If so, we could just decrement the handle count
and decrement the reference count on the object.

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Tuesday, May 14, 2002 1:12 PM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Then dereference the handle to the pointer and use the pointer.

Max

----- Original Message -----
From: Kelley, Jerry mailto:xxxxx
To: File Systems Developers mailto:xxxxx

Sent: Tuesday, May 14, 2002 7:28 PM
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

Ah yes, but if it were that simple. It’s not always
convenient, quick, or efficient to be in the system process context. For
this case, it’s in an arbitrary context. Attaching to the system process
would be too expensive and queuing it to a worker would add undesirable
delays.

-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Tuesday, May 14, 2002 9:30 AM
To: File Systems Developers
Subject: [ntfsd] RE: Does ZwClose bugcheck in NT4?

If your driver creates its handles in the system
process’s context, you’re safe from this problem.

Another solution would be to have the application close
the handle, rather than your driver. This is easy if it’s your
application. It’s still possible using APC’s, even if it’s not your
application, but I don’t recommend that.

-----Original Message-----
From: Kelley, Jerry
[mailto:xxxxx@nsisoftware.com]
Sent: Tuesday, May 14, 2002 8:15 AM
To: File Systems Developers
Subject: [ntfsd] Does ZwClose bugcheck in NT4?

I know that ZwClose will bugcheck in W2K if the
handle is invalid. I’m assuming this is case for NT4 as well. Does
anyone know for sure that it does?

And on that subject, does anyone else agree that
bugchecking on the close of an invalid handle is a rather harsh action
to take? IMHO, ZwClose should just return STATUS_INVALID_HANDLE instead
of bringing the whole system down. Now, I’m not saying that we should be
sloppy with handles. A driver should still carefully manage them and be
responsible for their state. However, I have seen cases where errant
applications have closed handles at will and inadvertently closed one
that a driver was using and was carefully tracking. Then when the driver
correctly called ZwClose - bugcheck.

The race conditions where this has happened have
been tight and hard to duplicate, but it can be done.

Jerry

—
You are currently subscribed to ntfsd as:
xxxxx@inin.com
To unsubscribe send a blank email to
%%email.unsub%%

—
You are currently subscribed to ntfsd as:
xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%% —
You are currently subscribed to ntfsd as:
xxxxx@storagecraft.com
To unsubscribe send a blank email to %%email.unsub%%

—
You are currently subscribed to ntfsd as:
xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%% —
You are currently subscribed to ntfsd as: xxxxx@inin.com
To unsubscribe send a blank email to %%email.unsub%%

—
You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%%</mailto:xxxxx></mailto:xxxxx>