FltUnregisterFilter() problem

Hi, dears!

One of the customers (driver on Server 2003) encountered an unload problem:

nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
nt!KiSwapThread+0x44f
nt!KeWaitForSingleObject+0x492
nt!ExfWaitForRundownProtectionRelease+0xe8
fltmgr!FltpObjectRundownWait+0x11 (FPO: [Non-Fpo])
fltmgr!FltUnregisterFilter+0xf6 (FPO: [Non-Fpo])

I tried to find the problematic context(s), instance(s), work item(s) from a LiveKd dump
and see ZombiedFltObjectContexts=0
in
: kd> !frame 85abf000 f 1
FLTP_FRAME: 85abf000 “Frame 1” “0 to 303800”
Sml IrpCtrl StackSize : 0x01
Sml IrpCtrl Global LkAsd : 85abf200
Lrg IrpCtrl StackSize : 0x01
Lrg IrpCtrl Global LkAsd : 85abf280
AttachedFileSystems : (85abf0b4) mCount=4
ZombiedFltObjectContexts : (85abf0e0) mCount=0

but during
0: kd> dt fltmgr!_FLT_INSTANCE -r4 856b0b38
I see
+0x0e0 ZombiedFltObjectContexts : _FLT_MUTEX_LIST_HEAD
+0x000 mLock : _FAST_MUTEX
+0x000 Count : 1

So my question is how can I find which context/instance/… is problematic using fltkd.dll?
OTOH, a question to the MSFT guys: are there plans to create a manual (similar to the existing manuals for ndiskd.dll) for using fltkd.dll?
TIA
Arkady

Hi Arkady,

The first frame in filter manager (the lowest one) is “Frame 0”. It should always have the altitude range starting at 0. But in your dump it looks like Frame 1 starts at 0…

What I normally do when I see something like this is !fltkd.instance 856b0b38, then take the volume from the instance and do a !fltkd.volume on it. This shows what other instances are there. Also, !fltkd.frames prints all the frames with all the instances. Could be a deadlock where the instance you’re looking at is waiting for another instance to unload which is deadlocked on something. As usual with deadlocks you’ll need to find who owns the lock and go from there…

Also, in this case, could you please do a !devstack on the DeviceObject from !fltkd.volume and paste it? I’m wondering why the lowest frame is Frame 1…

I can’t comment on any plans for a manual but I’m using !fltkd.help with a lot of success. Is there something missing? I’d appreciate the feedback.

Regards,
Alex.

Hi, Alex!

Tnx for quick answer.
Indeed, in Vista/WS2008 filter manager puts a driver of such altitude on Frame 0, but on WS2003 it is always (on different computers) layered on Frame 1, as “fltmc” shows.

I’ll be out of the office for a few days and I’ll post the results when I’m back.
In my case I have 2 instances (for disk C: and E:).

As for !fltkd.help, it obviously shows how to use the commands, but only a manual can answer questions like the one I’m interested in now: how to find a not-released context (completion/stream/volume) during FltUnregisterFilter().
Something like the “Debugging NDIS Drivers” document, which shows how to use ndiskd.dll.

Best wishes
Arkady

Alexandru,

Given that I’ve got your attention (and a big thanks for hanging out here by
the way), may I have a minor whine:

What I normally do when I see something like this is !fltkd.instance
856b0b38 […]

Yes, but you have source code access and unstripped symbols. For the rest
of us:

0: kd> !fltkd.instance 856b0b38

*** Extension DLL(6440 Free) does not match target system(2600 Checked)

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: FltMgr!_FLT_INSTANCE ***
*** ***
*************************************************************************

Could not read field “Base.Flags” of FltMgr!_FLT_INSTANCE from address:
856b0b38

Hi Rod,

I’m sorry about that. I have a couple of bugs opened against me to fix & improve fltkd and they’re next on my list (to be honest they’ve been “next on my list” for a couple of weeks now, but other stuff got in the way). Anyhow, there should be some improvement in that space really soon.

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.

Hi, Alex!

Here are the results (c: is Volume1 and e: is Volume2):
0: kd> .load WinDbg\winxp\fltkd.dll
0: kd> !frames

*** Extension DLL(6440 Free) does not match target system(3790 Free)

Frame List: f72772d8
FLTP_FRAME: 862f1000 “Frame 1” “0 to 303800”
FLT_FILTER: 8561a790 “mydriver” “303800”
FLT_INSTANCE: 856e5b28 “mydriver - Top Instance” “303800”
FLT_INSTANCE: 856e54b0 “mydriver - Top Instance” “303800”
FLTP_FRAME: 862f8000 “Frame 0” “0 to 0”
0: kd> !instance 856e5b28

*** Extension DLL(6440 Free) does not match target system(3790 Free)

FLT_INSTANCE: 856e5b28 “mydriver - Top Instance” “303800”
FLT_OBJECT: 856e5b28 [01000000] Instance
RundownRef : 0x00000002 (1)
PointerCount : 0x00000001
PrimaryLink : [85b7cb64-85b7cb64]
OperationRundownRef : 8636f5b8
Could not read field “Number” of fltmgr!_EX_RUNDOWN_REF_CACHE_AWARE from address: 8636f5b8
Flags : [00000000]
Volume : 85b7cae0 “\Device\HarddiskVolume1”
Filter : 8561a790 “mydriver”
TrackCompletionNodes : 856e5b10
ContextLock : (856e5b64)
Context : 00000000
CallbackNodes : (856e5ba4)
VolumeLink : [85b7cb64-85b7cb64]
FilterLink : [856e54e4-8561a7f8]
0: kd> !instance 856e54b0

*** Extension DLL(6440 Free) does not match target system(3790 Free)

FLT_INSTANCE: 856e54b0 “mydriver - Top Instance” “303800”
FLT_OBJECT: 856e54b0 [01000000] Instance
RundownRef : 0x00000000 (0)
PointerCount : 0x00000001
PrimaryLink : [85b7c08c-85b7c08c]
OperationRundownRef : 86364850
Could not read field “Number” of fltmgr!_EX_RUNDOWN_REF_CACHE_AWARE from address: 86364850
Flags : [00000000]
Volume : 85b7c008 “\Device\HarddiskVolume2”
Filter : 8561a790 “mydriver”
TrackCompletionNodes : 856e5498
ContextLock : (856e54ec)
Context : 00000000
CallbackNodes : (856e552c)
VolumeLink : [85b7c08c-85b7c08c]
FilterLink : [8561a7f8-856e5b5c]
0: kd> !volume 85b7c008

*** Extension DLL(6440 Free) does not match target system(3790 Free)

FLT_VOLUME: 85b7c008 “\Device\HarddiskVolume2”
FLT_OBJECT: 85b7c008 [04000000] Volume
RundownRef : 0x00000004 (2)
PointerCount : 0x00000002
PrimaryLink : [85b7caec-863425c4]
Frame : 862f1000 “Frame 1”
Flags : [00000024] SetupNotifyCalled EnableNameCaching
FileSystemType : [00000002] FLT_FSTYPE_NTFS
VolumeLink : [85b7caec-863425c4]
DeviceObject : 86342498
DiskDeviceObject : 8643c458
VolumeInNextFrame : 00000000
Guid : “”
CDODeviceName : “\Ntfs”
CDODriverName : “\FileSystem\Ntfs”
Callbacks : (85b7c098)
ContextLock : (85b7c228)
VolumeContexts : (85b7c260)
Could not read field “LeftChild” of nt!_RTL_SPLAY_LINKS from address: 8561d0a0 Count=1
StreamListCtrls : (85b7c264) rCount=5
NameCacheCtrl : (85b7c2a8)
InstanceList : (85b7c054)
FLT_INSTANCE: 856e54b0 “mydriver - Top Instance” “303800”

TIA
Arkady

N.B. BTW, on W2K Server it was on frame 0, as in Vista/2008, but on Server 2003 fltmgr puts it on frame 1, as I wrote already.

Hi Arkady,

I’m sorry but I don’t see anything unusual. I can only suggest the standard debugging steps:

  1. checked build of filter manager and verifier (verifier has special tracking enabled to figure out some leaks and in this particular case I can see it will try to find lost objects so it could help)
  2. try to figure out who has references to the filter object. At this point in the code filter manager is simply waiting for all the references to your filter to go away. Anyway, for the list of contexts that belong to one filter what I use is “!fltkd.filter [address] 6”. Hope this helps.

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.

In Vista and later, filter manager has enhanced verifier support. Filter verifier will track the contexts, opens, file name information structures, etc. referenced by your filter and on unload will tell you what objects are preventing the unload.

So if this is reproducible you may want to try this on a Vista box and see if it helps you detect the leak. Filter verifier is enabled by enabling “I/O verification” in Driver Verifier for your filter.

Sarosh.
File System Filter Lead
Microsoft Corp

This posting is provided “AS IS” with no warranties, and confers no rights.

Tnx, Alex and Sarosh!

That’s the problem: the customer(s) use Server 2003, and OTOH I can’t reproduce it either on 2003 or on Vista.

Arkady

Additional question!
In such a situation (Server 2003, so no transactions yet), what kinds of contexts can be in the list of contexts filter manager waits on: only Stream and Volume, or can Completion contexts be there too?

TIA
Arkady

Hi Arkady,

In 2003 you can have StreamHandle, Stream, Instance and Volume contexts.

Just to make sure I made this clear last time, in FltUnregisterFilter filter manager is waiting on all the references to your filter to be released. It is not specifically waiting on contexts (though some contexts behind the scenes might hold references to the filter, there may be other references).

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.
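An added example, not code from this thread or from filter manager: a user-mode C model of the two points made above, that FltUnregisterFilter returns only when every reference on the filter is gone (Alex), and that the unloader alone sees just a count while verifier-style tracking records which object took each reference and can name the leak (Sarosh). All names (filter_t, take_ref, report_leaks, the "Volume1"/"Volume2" owners) are constructed for the model and are not fltmgr APIs; the context kinds are the ones listed for Server 2003.

```c
/* Added example (not from the thread): a user-mode model of why an unload
 * blocks and of per-reference tracking that attributes each outstanding
 * reference to the object that took it. Names are constructed; none of
 * these are fltmgr APIs. */
#include <stdio.h>
#include <string.h>

#define MAX_REFS 16

/* Objects that can hold a reference on the filter (the kinds named in the
 * thread for Server 2003, plus a catch-all for "other references"). */
typedef enum {
    REF_STREAMHANDLE_CONTEXT,
    REF_STREAM_CONTEXT,
    REF_INSTANCE_CONTEXT,
    REF_VOLUME_CONTEXT,
    REF_OTHER
} ref_kind;

static const char *ref_kind_name(ref_kind k) {
    switch (k) {
    case REF_STREAMHANDLE_CONTEXT: return "StreamHandle context";
    case REF_STREAM_CONTEXT:       return "Stream context";
    case REF_INSTANCE_CONTEXT:     return "Instance context";
    case REF_VOLUME_CONTEXT:       return "Volume context";
    default:                       return "other reference";
    }
}

typedef struct {
    ref_kind kind;
    char owner[48];   /* where the reference was taken, e.g. "PostCreate on Volume1" */
    int released;
} tracked_ref;

typedef struct {
    int ref_count;              /* the only thing a plain unload wait can see */
    tracked_ref refs[MAX_REFS]; /* what verifier-style tracking adds */
    int n_refs;
} filter_t;

static void filter_init(filter_t *f) { memset(f, 0, sizeof *f); }

/* Take a reference on behalf of some object. Returns a handle for
 * release_ref(), or -1 if the tracking table is full. */
static int take_ref(filter_t *f, ref_kind kind, const char *owner) {
    if (f->n_refs >= MAX_REFS) return -1;
    tracked_ref *r = &f->refs[f->n_refs];
    r->kind = kind;
    snprintf(r->owner, sizeof r->owner, "%s", owner);
    r->released = 0;
    f->ref_count++;
    return f->n_refs++;
}

/* Drop a reference; a double release is rejected. Returns 1 on success. */
static int release_ref(filter_t *f, int handle) {
    if (handle < 0 || handle >= f->n_refs || f->refs[handle].released) return 0;
    f->refs[handle].released = 1;
    f->ref_count--;
    return 1;
}

/* Models the wait in FltUnregisterFilter: returns 1 if the unload would
 * proceed, 0 if it would keep waiting for references to go away. */
static int unload_would_complete(const filter_t *f) { return f->ref_count == 0; }

/* Verifier-style report: one line per unreleased reference written to buf;
 * returns how many there are. Without the table, only the count is known. */
static int report_leaks(const filter_t *f, char *buf, size_t buflen) {
    int leaks = 0;
    size_t used = 0;
    if (buflen) buf[0] = '\0';
    for (int i = 0; i < f->n_refs; i++) {
        if (f->refs[i].released) continue;
        leaks++;
        int n = snprintf(buf + used, buflen > used ? buflen - used : 0,
                         "leaked %s taken by %s\n",
                         ref_kind_name(f->refs[i].kind), f->refs[i].owner);
        if (n > 0) used += (size_t)n;
    }
    return leaks;
}

/* Constructed scenario shaped like the thread: one filter on two volumes.
 * Every context is released except one stream context on Volume1, so the
 * unload blocks with exactly one outstanding reference. Returns ref_count. */
static int demo_leaky_unload(filter_t *f) {
    filter_init(f);
    int inst1 = take_ref(f, REF_INSTANCE_CONTEXT, "InstanceSetup on Volume1");
    int inst2 = take_ref(f, REF_INSTANCE_CONTEXT, "InstanceSetup on Volume2");
    int strm1 = take_ref(f, REF_STREAM_CONTEXT, "PostCreate on Volume1");
    int strm2 = take_ref(f, REF_STREAM_CONTEXT, "PostCreate on Volume2");
    release_ref(f, strm2);
    release_ref(f, inst1);
    release_ref(f, inst2);
    (void)strm1;              /* never released: the bug the unload waits on */
    return f->ref_count;
}

int main(void) {
    filter_t f;
    char report[256];
    int outstanding = demo_leaky_unload(&f);
    printf("outstanding references: %d, unload %s\n", outstanding,
           unload_would_complete(&f) ? "completes" : "blocks");
    int leaks = report_leaks(&f, report, sizeof report);
    printf("%d leak(s):\n%s", leaks, report);
    return 0;
}
```

The point of the model is the difference between the two views: `ref_count` alone tells you only that the unload will block, which is what a dump of a waiting FltUnregisterFilter shows, whereas the tracking table attributes the remaining reference to the object and callback that took it, which is the information filter verifier's tracking is meant to give you.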

Tnx, Alex!

Arkady