Handling the cache function in a minifilter causes a crash.

Hello all,

Currently I am working on a file-redirector minifilter driver. In this driver I am intercepting the IRP_MJ_WRITE and IRP_MJ_READ calls. Whenever I get an IRP_MJ_WRITE call I need to add the updated data into a dummy file at some other store location, and whenever I get an IRP_MJ_READ call I need to append the updated dummy-file data into the actual file data. For this purpose, in the IRP_MJ_WRITE call I am doing two tasks:
1] writing the updated data into the dummy file, and
2] adding the updated data into the cache.

For caching purposes I am using the Cc functions provided.

This works fine when I update the file with an increasing file size. E.g., let's say file 1.txt has data like "abcd" and I update it to "12345". It works fine: when I next open the file with Notepad I can see the data "12345". It also works if I again update the file with "1234567", and so on.

Now the problem is when I update the file with a decreasing file size. E.g., let's say file 1.txt contains "abcd" and I update it to "123". This also works fine once, i.e. if I open the file with Notepad I can see the contents "123". But if I again try to update the file with "12", this time I get a crash with bug check 0x34.

I am not getting why it crashes this way. Please see the crash call stack below. Any suggestion will be very helpful. Thanks in advance.


*** Fatal System Error: 0x00000034
(0x00050830,0x8A013BB4,0x8A013790,0x95478601)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7600 x86 compatible target at (Mon Nov 19 20:03:41.223 2012 (GMT+6)), ptr64 FALSE
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Loading Kernel Symbols



Loading User Symbols

Loading unloaded module list

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 34, {50830, 8a013bb4, 8a013790, 95478601}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
Probably caused by : ntkrnlmp.exe ( nt!ExfTryToWakePushLock+ac1 )

Followup: MachineOwner

nt!DbgBreakPointWithStatus+0x4:
8286cbc0 cc int 3
*** ERROR: Module load completed but symbols could not be loaded for kdcom.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for halacpi.dll -
*** ERROR: Module load completed but symbols could not be loaded for mcupdate_GenuineIntel.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for PSHED.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for BOOTVID.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for CLFS.SYS -
*** ERROR: Module load completed but symbols could not be loaded for CI.dll
*** ERROR: Module load completed but symbols could not be loaded for Wdf01000.sys
*** ERROR: Module load completed but symbols could not be loaded for WDFLDR.SYS
*** ERROR: Module load completed but symbols could not be loaded for ACPI.sys
*** ERROR: Module load completed but symbols could not be loaded for WMILIB.SYS
*** ERROR: Module load completed but symbols could not be loaded for msisadrv.sys
*** ERROR: Module load completed but symbols could not be loaded for pci.sys
*** ERROR: Module load completed but symbols could not be loaded for vdrvroot.sys
*** ERROR: Module load completed but symbols could not be loaded for partmgr.sys
*** ERROR: Module load completed but symbols could not be loaded for compbatt.sys
*** ERROR: Module load completed but symbols could not be loaded for BATTC.SYS
*** ERROR: Module load completed but symbols could not be loaded for volmgr.sys
*** WARNING: Unable to verify timestamp for volmgrx.sys
*** ERROR: Module load completed but symbols could not be loaded for volmgrx.sys
*** ERROR: Module load completed but symbols could not be loaded for intelide.sys
*** ERROR: Module load completed but symbols could not be loaded for PCIIDEX.SYS
*** ERROR: Module load completed but symbols could not be loaded for mountmgr.sys
*** ERROR: Module load completed but symbols could not be loaded for atapi.sys
*** ERROR: Module load completed but symbols could not be loaded for ataport.SYS
*** ERROR: Module load completed but symbols could not be loaded for msahci.sys
*** ERROR: Module load completed but symbols could not be loaded for amdxata.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for fltmgr.sys -
*** ERROR: Module load completed but symbols could not be loaded for fileinfo.sys
*** ERROR: Module load completed but symbols could not be loaded for discache.sys
*** ERROR: Module load completed but symbols could not be loaded for lltdio.sys
*** ERROR: Module load completed but symbols could not be loaded for rspndr.sys
*** ERROR: Module load completed but symbols could not be loaded for Ntfs.sys
*** WARNING: Unable to verify timestamp for msrpc.sys
*** ERROR: Module load completed but symbols could not be loaded for msrpc.sys
*** ERROR: Module load completed but symbols could not be loaded for ksecdd.sys
*** ERROR: Module load completed but symbols could not be loaded for cng.sys
*** ERROR: Module load completed but symbols could not be loaded for VBoxGuest.sys
*** ERROR: Module load completed but symbols could not be loaded for pcw.sys
*** WARNING: Unable to verify timestamp for Fs_Rec.sys
*** ERROR: Module load completed but symbols could not be loaded for Fs_Rec.sys
*** ERROR: Module load completed but symbols could not be loaded for ndis.sys
*** ERROR: Module load completed but symbols could not be loaded for NETIO.SYS
*** ERROR: Module load completed but symbols could not be loaded for ksecpkg.sys
*** ERROR: Module load completed but symbols could not be loaded for netbt.sys
*** ERROR: Module load completed but symbols could not be loaded for VBoxSF.sys
*** ERROR: Module load completed but symbols could not be loaded for wanarp.sys
*** ERROR: Module load completed but symbols could not be loaded for termdd.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for rdbss.sys -
*** ERROR: Module load completed but symbols could not be loaded for pacer.sys
*** ERROR: Module load completed but symbols could not be loaded for nsiproxy.sys
*** ERROR: Module load completed but symbols could not be loaded for tcpip.sys
*** ERROR: Module load completed but symbols could not be loaded for fwpkclnt.sys
*** WARNING: Unable to verify timestamp for vmstorfl.sys
*** ERROR: Module load completed but symbols could not be loaded for vmstorfl.sys
*** ERROR: Module load completed but symbols could not be loaded for volsnap.sys
*** ERROR: Module load completed but symbols could not be loaded for spldr.sys
*** ERROR: Module load completed but symbols could not be loaded for rdyboost.sys
*** ERROR: Module load completed but symbols could not be loaded for mup.sys
*** ERROR: Module load completed but symbols could not be loaded for hwpolicy.sys
*** ERROR: Module load completed but symbols could not be loaded for fvevol.sys
*** ERROR: Module load completed but symbols could not be loaded for disk.sys
*** ERROR: Module load completed but symbols could not be loaded for CLASSPNP.SYS
*** ERROR: Module load completed but symbols could not be loaded for monitor.sys
*** ERROR: Module load completed but symbols could not be loaded for luafv.sys
*** ERROR: Module load completed but symbols could not be loaded for cdrom.sys
*** ERROR: Module load completed but symbols could not be loaded for Null.SYS
*** ERROR: Module load completed but symbols could not be loaded for Beep.SYS
*** ERROR: Module load completed but symbols could not be loaded for vga.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for VIDEOPRT.SYS -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for watchdog.sys -
*** ERROR: Module load completed but symbols could not be loaded for RDPCDD.sys
*** ERROR: Module load completed but symbols could not be loaded for rdpencdd.sys
*** ERROR: Module load completed but symbols could not be loaded for rdprefmp.sys
*** ERROR: Module load completed but symbols could not be loaded for Msfs.SYS
*** ERROR: Module load completed but symbols could not be loaded for Npfs.SYS
*** ERROR: Module load completed but symbols could not be loaded for tdx.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for TDI.SYS -
*** ERROR: Module load completed but symbols could not be loaded for afd.sys
*** ERROR: Module load completed but symbols could not be loaded for wfplwf.sys
*** ERROR: Module load completed but symbols could not be loaded for netbios.sys
*** ERROR: Module load completed but symbols could not be loaded for dump_dumpfve.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Dxapi.sys -
*** ERROR: Module load completed but symbols could not be loaded for csc.sys
*** ERROR: Module load completed but symbols could not be loaded for dfsc.sys
*** ERROR: Module load completed but symbols could not be loaded for blbdrive.sys
*** ERROR: Module load completed but symbols could not be loaded for tunnel.sys
*** ERROR: Module load completed but symbols could not be loaded for i8042prt.sys
*** ERROR: Module load completed but symbols could not be loaded for kbdclass.sys
*** ERROR: Module load completed but symbols could not be loaded for VBoxMouse.sys
*** ERROR: Module load completed but symbols could not be loaded for mouclass.sys
*** ERROR: Module load completed but symbols could not be loaded for parport.sys
*** ERROR: Module load completed but symbols could not be loaded for VBoxVideo.sys
*** ERROR: Module load completed but symbols could not be loaded for E1G60I32.sys
*** ERROR: Module load completed but symbols could not be loaded for HDAudBus.sys
*** ERROR: Module load completed but symbols could not be loaded for usbohci.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for USBPORT.SYS -
*** ERROR: Module load completed but symbols could not be loaded for usbehci.sys
*** ERROR: Module load completed but symbols could not be loaded for CmBatt.sys
*** ERROR: Module load completed but symbols could not be loaded for CompositeBus.sys
*** ERROR: Module load completed but symbols could not be loaded for AgileVpn.sys
*** ERROR: Module load completed but symbols could not be loaded for rasl2tp.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ndistapi.sys -
*** ERROR: Module load completed but symbols could not be loaded for ndiswan.sys
*** ERROR: Module load completed but symbols could not be loaded for raspppoe.sys
*** ERROR: Module load completed but symbols could not be loaded for raspptp.sys
*** ERROR: Module load completed but symbols could not be loaded for rassstp.sys
*** ERROR: Module load completed but symbols could not be loaded for rdpbus.sys
*** ERROR: Module load completed but symbols could not be loaded for swenum.sys
*** ERROR: Module load completed but symbols could not be loaded for ks.sys
*** ERROR: Module load completed but symbols could not be loaded for umbus.sys
*** ERROR: Module load completed but symbols could not be loaded for usbhub.sys
*** ERROR: Module load completed but symbols could not be loaded for NDProxy.SYS
*** ERROR: Module load completed but symbols could not be loaded for HdAudio.sys
*** ERROR: Module load completed but symbols could not be loaded for portcls.sys
*** ERROR: Module load completed but symbols could not be loaded for drmk.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for crashdmp.sys -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for dump_dumpata.sys -
*** ERROR: Module load completed but symbols could not be loaded for dump_msahci.sys
*** WARNING: Unable to verify timestamp for win32k.sys
*** ERROR: Module load completed but symbols could not be loaded for win32k.sys
*** WARNING: Unable to verify timestamp for dxg.sys
*** ERROR: Module load completed but symbols could not be loaded for dxg.sys
*** WARNING: Unable to verify timestamp for TSDDD.dll
*** ERROR: Module load completed but symbols could not be loaded for TSDDD.dll
*** WARNING: Unable to verify timestamp for VBoxDisp.dll
*** ERROR: Module load completed but symbols could not be loaded for VBoxDisp.dll
*** ERROR: Module load completed but symbols could not be loaded for HTTP.sys
*** ERROR: Module load completed but symbols could not be loaded for bowser.sys
*** ERROR: Module load completed but symbols could not be loaded for mpsdrv.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for mrxsmb.sys -
*** ERROR: Module load completed but symbols could not be loaded for mrxsmb10.sys
*** ERROR: Module load completed but symbols could not be loaded for mrxsmb20.sys
*** ERROR: Module load completed but symbols could not be loaded for parvdm.sys
*** ERROR: Module load completed but symbols could not be loaded for peauth.sys
*** ERROR: Module load completed but symbols could not be loaded for secdrv.SYS
*** ERROR: Symbol file could not be found. Defaulted to export symbols for srvnet.sys -
*** ERROR: Module load completed but symbols could not be loaded for tcpipreg.sys
*** ERROR: Module load completed but symbols could not be loaded for srv2.sys
*** ERROR: Module load completed but symbols could not be loaded for srv.sys
*** ERROR: Module load completed but symbols could not be loaded for spsys.sys
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

CACHE_MANAGER (34)
See the comment for FAT_FILE_SYSTEM (0x23)
Arguments:
Arg1: 00050830
Arg2: 8a013bb4
Arg3: 8a013790
Arg4: 95478601

Debugging Details:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: nt

FAULTING_MODULE: 82814000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbffc

EXCEPTION_RECORD: 8a013bb4 -- (.exr 0xffffffff8a013bb4)
ExceptionAddress: 95478601
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000000
Attempt to write to address 00000000

CONTEXT: 8a013790 -- (.cxr 0xffffffff8a013790)
eax=95478508 ebx=00000000 ecx=00000000 edx=00000000 esi=841806f8 edi=855d9d30
eip=95478601 esp=8a013c7c ebp=8a013ca8 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
95478601 0001 add byte ptr [ecx],al ds:0023:00000000=??
Resetting default scope

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x34

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 828a0971 to 95478601

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
8a013c78 828a0971 842e90e8 00000001 855d9d30 0x95478601
8a013ca8 828a7fb3 8a013cc4 f9f0c550 83fd80a8 nt!ExfTryToWakePushLock+0xac1
8a013d00 8286f043 83fd80a8 00000000 83fdfa70 nt!KeSetPriorityThread+0x370
8a013d50 829fbd16 00000000 f9f0c5c0 00000000 nt!KeInsertQueueDpc+0x36e
8a013d90 8289d159 8286ef36 00000000 00000000 nt!PsGetProcessSecurityPort+0xb5
00000000 00000000 00000000 00000000 00000000 nt!KeTestAlertThread+0x15a

FOLLOWUP_IP:
nt!ExfTryToWakePushLock+ac1
828a0971 84c0 test al,al

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!ExfTryToWakePushLock+ac1

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: ntkrnlmp.exe

STACK_COMMAND: .cxr 0xffffffff8a013790 ; kb

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

  1. Fix your symbols:

> ***** Kernel symbols are WRONG. Please fix symbols to do analysis

  2. I don't know what you mean by

> For caching purpose i am using the Cc functions provided.

but unless you are setting up and managing (very carefully)
FileObject->SectionObjectPointer you are not allowed to use
CcCopyRead/CcCopyWrite.

Hello rod,

Thanks for your reply.

  1. Fix your symbols:
  > ***** Kernel symbols are WRONG. Please fix symbols to do analysis

I have fixed the OS symbols and am re-posting the crash dump; please see below.

  2. I don't know what you mean by
  > For caching purpose i am using the Cc functions provided.

"Cc" means I am using functions like
CcInitializeCacheMap()
CcSetFileSizes()
CcCopyWrite()
CcUninitializeCacheMap()

I am using them as below.

In the pre-IRP_MJ_WRITE callback I am doing the following.

    if (!FlagOn(Data->Iopb->TargetFileObject->Flags, FO_NO_INTERMEDIATE_BUFFERING) &&
        FlagOn(Data->Iopb->TargetFileObject->Flags, FO_CACHE_SUPPORTED))
    {
        BOOLEAN bCacheReturn = FALSE;
        CC_FILE_SIZES FileSizes = {0};
        CACHE_MANAGER_CALLBACKS CacheManagerCallbacks = {0};

        __try
        {
            // Write the updated data into the cache, so that the next time this
            // file is read from the cache it returns the updated data.
            //
            // All three sizes are derived from this write alone: the end of the
            // write becomes AllocationSize, FileSize and ValidDataLength.
            FileSizes.AllocationSize.QuadPart =
            FileSizes.FileSize.QuadPart =
            FileSizes.ValidDataLength.QuadPart =
                Data->Iopb->Parameters.Write.ByteOffset.QuadPart +
                Data->Iopb->Parameters.Write.Length;

            CacheManagerCallbacks.AcquireForLazyWrite  = &CdAcquireForCache;
            CacheManagerCallbacks.ReleaseFromLazyWrite = &CdReleaseFromCache;
            CacheManagerCallbacks.AcquireForReadAhead  = &CdAcquireForCache;
            CacheManagerCallbacks.ReleaseFromReadAhead = &CdReleaseFromCache;

            // The last argument is the context the callbacks above receive, so it
            // must be the same type CdAcquireForCache expects as pCacheInfo.
            CcInitializeCacheMap(Data->Iopb->TargetFileObject, &FileSizes, TRUE,
                                 &CacheManagerCallbacks, pDeviceExtension);

            CcSetFileSizes(Data->Iopb->TargetFileObject, &FileSizes);

            bCacheReturn = CcCopyWrite(Data->Iopb->TargetFileObject,
                                       &Data->Iopb->Parameters.Write.ByteOffset,
                                       Data->Iopb->Parameters.Write.Length,
                                       TRUE,
                                       Data->Iopb->Parameters.Write.WriteBuffer);
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            FSRKU_DbgPrintLog(L"###ERR: Exception caught for CcCopyWrite(). Reason: Unknown\n");
        }
    }

where CdAcquireForCache and CdReleaseFromCache are as below.

    // Lazy-writer / read-ahead acquire callback: marks this thread as the
    // cache's top-level IRP and takes the resource shared.
    BOOLEAN CdAcquireForCache (
        __inout PFSR_CacheInfo pCacheInfo,
        __in    BOOLEAN Wait
        )
    {
        PAGED_CODE();
        ASSERT(IoGetTopLevelIrp() == NULL);
        IoSetTopLevelIrp((PIRP)FSRTL_CACHE_TOP_LEVEL_IRP);

        return ExAcquireResourceSharedLite(&pCacheInfo->CacheResource, Wait);
    }

    // Matching release callback: clears the top-level IRP marker set above.
    VOID CdReleaseFromCache (
        __inout PFSR_CacheInfo pCacheInfo
        )
    {
        PAGED_CODE();
        ASSERT(IoGetTopLevelIrp() == (PIRP)FSRTL_CACHE_TOP_LEVEL_IRP);
        IoSetTopLevelIrp(NULL);

        ExReleaseResourceLite(&pCacheInfo->CacheResource);
    }

And in the pre-IRP_MJ_CLEANUP callback I am doing the following.

    BOOLEAN bUninitCacheMap = FALSE;

    // Tear the cache map down only if this file object actually has one.
    if (NULL != Data->Iopb->TargetFileObject->PrivateCacheMap)
    {
        bUninitCacheMap = CcUninitializeCacheMap(Data->Iopb->TargetFileObject, NULL, NULL);
    }

But I am still getting the crash below.

*** Fatal System Error: 0x00000034
(0x00050830,0x8A01BBB4,0x8A01B790,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7600 x86 compatible target at (Tue Nov 20 13:08:40.262 2012 (GMT+6)), ptr64 FALSE
Loading Kernel Symbols



Loading User Symbols

Loading unloaded module list

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 34, {50830, 8a01bbb4, 8a01b790, 0}

Probably caused by : ntkrnlmp.exe ( nt!CcWriteBehind+6cf )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
82875bc0 cc int 3
*** ERROR: Module load completed but symbols could not be loaded for intelide.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for VBoxGuest.sys -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for VBoxSF.sys -
*** ERROR: Module load completed but symbols could not be loaded for spldr.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for drmk.sys -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for VBoxMouse.sys -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for VBoxVideo.sys -
*** WARNING: Unable to verify timestamp for VBoxDisp.dll
*** ERROR: Module load completed but symbols could not be loaded for VBoxDisp.dll
*** ERROR: Module load completed but symbols could not be loaded for peauth.sys
*** ERROR: Module load completed but symbols could not be loaded for secdrv.SYS
*** ERROR: Symbol file could not be found. Defaulted to export symbols for spsys.sys -
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

CACHE_MANAGER (34)
See the comment for FAT_FILE_SYSTEM (0x23)
Arguments:
Arg1: 00050830
Arg2: 8a01bbb4
Arg3: 8a01b790
Arg4: 00000000

Debugging Details:

EXCEPTION_RECORD: 8a01bbb4 -- (.exr 0xffffffff8a01bbb4)
ExceptionAddress: 00000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000

CONTEXT: 8a01b790 -- (.cxr 0xffffffff8a01b790)
eax=95817030 ebx=00000000 ecx=00000000 edx=00000000 esi=83f8e758 edi=85866f18
eip=00000000 esp=8a01bc7c ebp=8a01bca8 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
00000000 ?? ???
Resetting default scope

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

PROCESS_NAME: System

CURRENT_IRQL: 2

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000000

READ_ADDRESS: 00000000

FOLLOWUP_IP:
nt!CcWriteBehind+6cf
828a9971 84c0 test al,al

FAULTING_IP:
+5e80952f0278d80c
00000000 ?? ???

FAILED_INSTRUCTION_ADDRESS:
+5e80952f0278d80c
00000000 ?? ???

BUGCHECK_STR: 0x34

LAST_CONTROL_TRANSFER: from 828a9971 to 00000000

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
8a01bc78 828a9971 840be648 00000001 85866f18 0x0
8a01bca8 828b0fb3 8a01bcc4 7adbcc60 83fec0b0 nt!CcWriteBehind+0x6cf
8a01bd00 82878043 83fec0b0 00000000 83fdf4c0 nt!CcWorkerThread+0x164
8a01bd50 82a04d16 00000000 7adbccf0 00000000 nt!ExpWorkerThread+0x10d
8a01bd90 828a6159 82877f36 00000000 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!CcWriteBehind+6cf

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbffc

STACK_COMMAND: .cxr 0xffffffff8a01b790 ; kb

FAILURE_BUCKET_ID: 0x34_NULL_IP_nt!CcWriteBehind+6cf

BUCKET_ID: 0x34_NULL_IP_nt!CcWriteBehind+6cf

Followup: MachineOwner

Please let me know what the possible reason could be. Thanks in advance.

Hello all,

The previous “Fatal System Error: 0x00000034” crash was solved. Actually, I was failing to handle the reference count. So now I am calling “ObReferenceObject()” when doing “CcInitializeCacheMap()” to increase the reference count, and calling “ObDereferenceObject()” after “CcUninitializeCacheMap()” to decrease the reference count.

So that solved the previous “Fatal System Error: 0x00000034” crash. But now I am getting another crash, “Fatal System Error: 0x0000000a”. It states the probable cause as “Probably caused by : ntkrnlmp.exe ( nt!CcFlushCache+79 )”. But I am not using the CcFlushCache() function anywhere.

Please find the crash dump below.

*** Fatal System Error: 0x0000000a
(0x005C0077,0x00000002,0x00000000,0x828A6545)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7600 x86 compatible target at (Tue Nov 20 17:44:03.225 2012 (GMT+5)), ptr64 FALSE
Loading Kernel Symbols



Loading User Symbols

Loading unloaded module list

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {5c0077, 2, 0, 828a6545}

Probably caused by : ntkrnlmp.exe ( nt!CcFlushCache+79 )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
82897bc0 cc int 3
*** ERROR: Module load completed but symbols could not be loaded for intelide.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for VBoxGuest.sys -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for VBoxSF.sys -
*** ERROR: Module load completed but symbols could not be loaded for spldr.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for VBoxMouse.sys -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for VBoxVideo.sys -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for drmk.sys -
*** ERROR: Module load completed but symbols could not be loaded for peauth.sys
*** ERROR: Module load completed but symbols could not be loaded for secdrv.SYS
*** WARNING: Unable to verify timestamp for VBoxDisp.dll
*** ERROR: Module load completed but symbols could not be loaded for VBoxDisp.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for spsys.sys -
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 005c0077, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 828a6545, address which referenced memory

Debugging Details:

READ_ADDRESS: 005c0077

CURRENT_IRQL: 2

FAULTING_IP:
nt!CcFlushCache+79
828a6545 8b7104 mov esi,dword ptr [ecx+4]

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR: 0xA

PROCESS_NAME: System

TRAP_FRAME: 8a01bb7c – (.trap 0xffffffff8a01bb7c)
ErrCode = 00000000
eax=00000000 ebx=00000005 ecx=005c0073 edx=00000000 esi=859b29b8 edi=8a01bcc4
eip=828a6545 esp=8a01bbf0 ebp=8a01bc70 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
nt!CcFlushCache+0x79:
828a6545 8b7104 mov esi,dword ptr [ecx+4] ds:0023:005c0077=???
Resetting default scope

LAST_CONTROL_TRANSFER: from 829106d5 to 82897bc0

STACK_TEXT:
8a01b744 829106d5 00000003 b96e6dc1 00000065 nt!RtlpBreakWithStatusInstruction
8a01b794 829111d1 00000003 005c0077 828a6545 nt!KiBugCheckDebugBreak+0x1c
8a01bb5c 82877b5b 0000000a 005c0077 00000002 nt!KeBugCheck2+0x68b
8a01bb5c 828a6545 0000000a 005c0077 00000002 nt!KiTrap0E+0x2cf
8a01bc70 828cb3a7 005c0073 00000000 00000001 nt!CcFlushCache+0x79
8a01bca8 828d2fb3 8a01bcc4 b96e6755 83fdc0a8 nt!CcWriteBehind+0x105
8a01bd00 8289a043 83fdc0a8 00000000 83fdf4c0 nt!CcWorkerThread+0x164
8a01bd50 82a26d16 00000000 b96e67c5 00000000 nt!ExpWorkerThread+0x10d
8a01bd90 828c8159 82899f36 00000000 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!CcFlushCache+79
828a6545 8b7104 mov esi,dword ptr [ecx+4]

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: nt!CcFlushCache+79

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbffc

FAILURE_BUCKET_ID: 0xA_nt!CcFlushCache+79

BUCKET_ID: 0xA_nt!CcFlushCache+79

Followup: MachineOwner

Please let me know where I should look to fix this issue. Thanks in advance.

So you’re writing a file system driver, or you are using a shadow file object, correct?

Tony
OSR

Hello Tony,

I am writing a file minifilter driver which uses the reparse mechanism. I have used the “Simrep” sample provided in the WinDDK. I am basically trying to avoid updating the actual file and instead write the updated data into a dummy file. After that, whenever a read call comes, I return the data from both the actual file and the dummy file.

If you are neither using shadow file objects nor writing a filesystem (== owning SOP) then you cannot use any of those functions. Or, to be more accurate, if you do it *will* crash and it *will* corrupt your users’ data.

So you are using shadow file objects? In other words, you own the file objects that you are using for caching.

Tony
OSR

Hi Tony,

Firstly thanks for your reply.

I am not using a shadow file object, i.e. I don't own the file object. I am trying to cache the file object which is given by Windows. Actually, if I use a shadow file object it will point to a completely different file. But in my case I just want to get the original file data as well as the updated data which I have added into the dummy file.

Ex:- Suppose I have a file like c:\1.txt with data “abc”. Now if I update the data to “abcd”, in this case I won't write “abcd” into c:\1.txt; instead I will keep c:\1.txt untouched and add the updated data into the dummy file c:\store\1.txt like offset=4, length=1, data=d.

Now when I next try to open the file c:\1.txt, I just want to show the complete data, “abcd”. For that purpose I need to collect the data from two files: 1] c:\1.txt and 2] c:\store\1.txt. It is working perfectly if I get the IRP_MJ_READ call, but in the case of notepad, which uses memory mapped I/O, I won't get an IRP_MJ_READ call, so I decided to handle the cache. Hence in this case I can't use the shadow file object mechanism, because in that case it will only point to c:\store\1.txt but I want the data from both.

Actually now I have also solved the above crash. I can cache the file object, i.e. my CcCopyWrite function is working fine in all cases. But now I am getting the crash “Fatal System Error: 0x00000034” and it states “Probably caused by : ntkrnlmp.exe ( nt!CcCopyRead+17b )” after some time.

Please give your comments on it.
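The bookkeeping described in the post above (base file left untouched, each redirected write stored as offset/length/data, logical file size tracked separately) can be modelled in user-mode C without any kernel dependencies. The block below is an added example, not the poster's FSRedirector code; the type and function names (redirected_file_t, rf_write, rf_set_eof, rf_read) and the sample data are constructed for illustration. It models the merge a read has to perform and, in particular, the shrinking case from the original question (“abcd” to “123” to “12”): the logical EOF, which is the value a driver would hand to CcSetFileSizes, is kept separately from the base file, and on a shrink both the visible base and the store records are clipped so no stale tail bytes are ever returned. Offsets here are zero-based.

```c
/* User-mode model of the redirector's store/merge bookkeeping (added example,
 * not the poster's driver code; names and sample data are constructed). The
 * base file is never modified, redirected writes are kept as records, and the
 * logical EOF is tracked separately so reads can be clipped to it. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_RECORDS      64
#define MAX_RECORD_BYTES 64

typedef struct {
    uint64_t offset;                  /* file offset of the redirected write */
    uint32_t length;                  /* bytes recorded */
    uint8_t  data[MAX_RECORD_BYTES];
} store_record_t;

typedef struct {
    const uint8_t  *base;             /* untouched original file contents */
    uint64_t        base_visible;     /* base bytes still logically present */
    uint64_t        file_size;        /* logical EOF after redirected writes */
    store_record_t  records[MAX_RECORDS];
    size_t          n_records;
} redirected_file_t;

void rf_init(redirected_file_t *f, const uint8_t *base, uint64_t base_size)
{
    memset(f, 0, sizeof(*f));
    f->base = base;
    f->base_visible = base_size;
    f->file_size = base_size;
}

/* IRP_MJ_WRITE model: append a store record and grow the logical EOF if the
 * write extends the file. Returns 0 on success, -1 if the record does not fit. */
int rf_write(redirected_file_t *f, uint64_t offset, const uint8_t *data, uint32_t length)
{
    if (f->n_records == MAX_RECORDS || length == 0 || length > MAX_RECORD_BYTES)
        return -1;
    store_record_t *r = &f->records[f->n_records++];
    r->offset = offset;
    r->length = length;
    memcpy(r->data, data, length);
    if (offset + length > f->file_size)
        f->file_size = offset + length;
    return 0;
}

/* End-of-file model (what a truncating save followed by CcSetFileSizes
 * expresses): on a shrink, clip the visible base and every store record at
 * the new EOF so a later extension reads back zeros, as a file system would. */
void rf_set_eof(redirected_file_t *f, uint64_t new_size)
{
    if (new_size < f->file_size) {
        size_t kept = 0;
        if (f->base_visible > new_size)
            f->base_visible = new_size;
        for (size_t i = 0; i < f->n_records; i++) {
            store_record_t *r = &f->records[i];
            if (r->offset >= new_size)
                continue;                     /* entirely beyond the new EOF: drop */
            if (r->offset + r->length > new_size)
                r->length = (uint32_t)(new_size - r->offset);
            if (kept != i)
                f->records[kept] = *r;
            kept++;
        }
        f->n_records = kept;
    }
    f->file_size = new_size;
}

/* IRP_MJ_READ model: each byte comes from the newest store record covering it,
 * else from the base file, else zero. The result is clipped to the logical EOF;
 * the return value is what IoStatus.Information would carry. */
uint32_t rf_read(const redirected_file_t *f, uint64_t offset, uint8_t *out, uint32_t length)
{
    uint32_t produced = 0;
    for (uint64_t p = offset; p < offset + length && p < f->file_size; p++) {
        uint8_t byte = 0;
        int found = 0;
        for (size_t i = f->n_records; i-- > 0; ) {
            const store_record_t *r = &f->records[i];
            if (p >= r->offset && p < r->offset + r->length) {
                byte = r->data[p - r->offset];
                found = 1;
                break;
            }
        }
        if (!found && p < f->base_visible)
            byte = f->base[p];
        out[produced++] = byte;
    }
    return produced;
}
```

The point of keeping file_size and base_visible apart is that the two move independently: a write of “123” over “abcd” does not shrink anything by itself (the EOF change arrives separately), and once the EOF has been cut to 3 the fourth base byte must stay invisible even if the file is later extended again. That is the same invariant the cache manager expects the driver to uphold through the sizes it passes to CcSetFileSizes.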

What Tony and Rod have pointed out is that if you do not own the file object, and thus you have not allocated the SOP pointer in the file object, then it is unsafe to call any CC or MM calls on that file object.

Also, having an SFO does not necessarily mean it points to a different file, it can point to the same underlying file. You just handle all of the cache interface using your file object; i.e. you call CcInitializeCacheMap(), CcCopyRead, CcCopyWrite, etc. using the underlying file to retrieve the data via non-cached IO requests, if you want. In this way you have ownership of the ‘top’ file object where you can safely call all the CC and MM calls for it. Just don’t allow this file object to go down to the underlying file system or else NTFS will crash the system, not understanding what the FsContext pointer references.

Pete

On 11/22/2012 5:50 AM, xxxxx@hotmail.com wrote:

Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

Hello All,

Thanks a lot for your comments; it really worked for me.

Now I am using the shadow file object. In IRP_MJ_WRITE I am creating the shadow file object and using all the Cc functions on it. I am using functions like

CcInitializeCacheMap()
CcSetFileSizes()
CcCopyWrite()
CcUninitializeCacheMap()

These all work fine. But when I next open the file with notepad it shows me changes as below.

1] Due to CcSetFileSizes() the file size got changed and it shows the correct file size.
2] But whatever I write by CcCopyWrite() into the cache, that changed data is not visible in notepad. Instead it shows me the old data.

Ex:- Suppose I have the file c:\1.txt with data “abcd” and I update the data to “123”.
So in this case I get an IRP_MJ_WRITE call, in which I am doing the things below:

1] Keeping file c:\1.txt unchanged and writing “123” into the dummy file c:\stor\1.txt.
2] Creating the shadow file object and writing “123” into the cache manager for the SFO.

Now when I open the file c:\1.txt next time I get the data “abc”. So here the change by CcSetFileSizes() is clearly visible, but it shows the old data instead of “123”.

So my questions are:
1] Do I also have to write the updated data into notepad's file memory map, i.e. whatever data I wrote into the cache manager, do I also have to write it onto notepad's memory mapped page?
2] Is there any cache function to tell the cache manager that the data is dirty, so that the cache manager will call CcCopyRead and read the updated data from the cache into notepad's mapped memory?

Please give your comments on this. Thanks a lot in advance.

Are you setting up FileObject->SectionObjectPointers? It sounds like you are not.

Hello Rod,

Actually I have created the “FileObject->SectionObjectPointers” of my own. Previously I was not setting the pointer from “Data->Iopb->TargetFileObject->SectionObjectPointer”; that's why I was not getting the updated cache.

Now I am setting the SectionObjectPointers as below.

//////////////////////////////////////////////////////////////////////////////////////////////////////

PFILE_OBJECT pShadowFileObject = NULL;
PSECTION_OBJECT_POINTERS pSectionObject = NULL;

pShadowFileObject = IoCreateStreamFileObjectLite(NULL, Data->Iopb->TargetFileObject->Vpb->RealDevice);
if (NULL == pShadowFileObject)
{
    goto FSRPreWriteExit;
}

pShadowFileObject->ReadAccess = TRUE;
pShadowFileObject->WriteAccess = FALSE;
pShadowFileObject->DeleteAccess = FALSE;

// ExAllocatePoolWithTag returns the allocation; it does not take the output
// pointer as an argument. FSR_POOL_TAG stands in for the driver's own pool tag.
pSectionObject = ExAllocatePoolWithTag(NonPagedPool, sizeof(SECTION_OBJECT_POINTERS), FSR_POOL_TAG);
if (NULL == pSectionObject)
{
    goto FSRPreWriteExit;
}

RtlCopyMemory(pSectionObject, Data->Iopb->TargetFileObject->SectionObjectPointer,
              sizeof(SECTION_OBJECT_POINTERS));
pShadowFileObject->SectionObjectPointer = pSectionObject;

//////////////////////////////////////////////////////////////////////////////////////////////////////

After that I am using the Cc functions on my ‘pSectionObject’ as below.
In the IRP_MJ_WRITE pre-callback:
ObReferenceObject(pShadowFileObject);
CcInitializeCacheMap(pShadowFileObject…)

Data->Iopb->TargetFileObject = pShadowFileObject;
pShadowFileObject = NULL;

CcSetFileSizes(Data->Iopb->TargetFileObject…)
CcCopyWrite(Data->Iopb->TargetFileObject…)
ObDereferenceObject(Data->Iopb->TargetFileObject);
CcUninitializeCacheMap(Data->Iopb->TargetFileObject)

So after that the last issue was solved. Now I am getting the updated text from the cache manager.

But now after some time I am getting a crash with “BugCheck 34, {1d5, c0000420, 0, 0}” and “Probably caused by : ntkrnlmp.exe ( nt!CcCopyRead+17b )”.

Does it mean that the cache manager calls ‘CcCopyRead’ and, as I did ‘CcUninitializeCacheMap(Data->Iopb->TargetFileObject)’ in IRP_MJ_WRITE itself, the FILE_OBJECT's SharedCacheMap and PrivateCacheMap are NULL and that causes the crash?

I also tried doing ‘CcUninitializeCacheMap(Data->Iopb->TargetFileObject)’ in IRP_MJ_CLEANUP but still get the same crash.

Please provide your valuable comments.

You show the write logic but not the read logic. You also don’t show the stack back trace at the time of the crash, which makes it difficult to understand the context of the failing operation.

Cache integration does work, but it’s complicated. You can look at FastFat in the WDK as a sample implementation.

Tony
OSR

Hi,

Sorry for the incomplete information; please see the read logic and crash log below.

1) You show the write logic but not the read logic.

> Please see below for my read logic.
if (FlagOn(Data->Flags, FLTFL_CALLBACK_DATA_FAST_IO_OPERATION))
{
    BOOLEAN bCacheReturn = FALSE;
    CC_FILE_SIZES FileSizes = {0};
    LONG_PTR refCount = 0;
    PFILE_OBJECT pShadowFileObject = NULL;
    PSECTION_OBJECT_POINTERS pSectionObject = NULL;
    IO_STATUS_BLOCK IoCcCopyReadStatus = {0};

    // Stream file object created on the volume's real device; the filter
    // owns this object and uses it as the target of the Cc calls below.
    pShadowFileObject = IoCreateStreamFileObjectLite(NULL,
                                                     Data->Iopb->TargetFileObject->Vpb->RealDevice);
    if (NULL == pShadowFileObject)
    {
        return returnStatus;
    }

    pShadowFileObject->ReadAccess = TRUE;
    pShadowFileObject->WriteAccess = TRUE;
    pShadowFileObject->DeleteAccess = FALSE;

    // Section object pointers are copied from the caller's file object.
    FSR_ALLOCATE(NonPagedPool, pSectionObject, sizeof(SECTION_OBJECT_POINTERS));
    if (NULL == pSectionObject)
    {
        return returnStatus;
    }

    FSR_COPY_MEMORY(pSectionObject,
                    Data->Iopb->TargetFileObject->SectionObjectPointer,
                    sizeof(SECTION_OBJECT_POINTERS));
    pShadowFileObject->SectionObjectPointer = pSectionObject;

    pShadowFileObject->FsContext = Data->Iopb->TargetFileObject->FsContext;
    pShadowFileObject->FsContext2 = NULL;
    pShadowFileObject->Vpb = Data->Iopb->TargetFileObject->Vpb;

    pShadowFileObject->FileName.MaximumLength =
        Data->Iopb->TargetFileObject->FileName.MaximumLength;
    FSR_ALLOCATE(NonPagedPool, pShadowFileObject->FileName.Buffer,
                 pShadowFileObject->FileName.MaximumLength);
    if (NULL == pShadowFileObject->FileName.Buffer)
    {
        return returnStatus;
    }
    RtlCopyUnicodeString(&pShadowFileObject->FileName,
                         &Data->Iopb->TargetFileObject->FileName);

    __try
    {
        // Set up a cache map on the shadow file object whose sizes cover the
        // range of this request, then satisfy the read from the cache.
        // This is the read callback, so the sizes come from the Read
        // parameters (Read and Write share the same ByteOffset/Length layout
        // in FLT_PARAMETERS, so the earlier use of Parameters.Write here
        // read the same fields).
        FileSizes.AllocationSize.QuadPart =
        FileSizes.FileSize.QuadPart =
        FileSizes.ValidDataLength.QuadPart =
            (Data->Iopb->Parameters.Read.ByteOffset.QuadPart +
             Data->Iopb->Parameters.Read.Length);

        refCount = ObReferenceObject(pShadowFileObject);
        CcInitializeCacheMap(pShadowFileObject,
                             (PCC_FILE_SIZES)&FileSizes.AllocationSize, TRUE,
                             pCacheManagerCallbacks, pCacheResource);

        CcSetReadAheadGranularity(pShadowFileObject, 0x10000);

        // Redirect the request at the shadow file object.
        Data->Iopb->TargetFileObject = pShadowFileObject;
        pShadowFileObject = NULL;

        AddContextInPrivateCacheList(&pDeviceExtension->PrivateCacheHead,
                                     &pDeviceExtension->PrivateCacheLock,
                                     Data->Iopb->TargetFileObject);

        if (!FlagOn(Data->Iopb->MinorFunction, IRP_MN_MDL))
        {
            PCHAR pReadBuffer = NULL;
            if (NULL != Data->Iopb->Parameters.Read.MdlAddress)
            {
                pReadBuffer =
                    MmGetSystemAddressForMdlSafe(Data->Iopb->Parameters.Read.MdlAddress,
                                                 NormalPagePriority);
            }
            else
            {
                pReadBuffer = Data->Iopb->Parameters.Read.ReadBuffer;
            }

            if (!CcCopyRead(Data->Iopb->TargetFileObject,
                            &Data->Iopb->Parameters.Read.ByteOffset,
                            Data->Iopb->Parameters.Read.Length,
                            TRUE,
                            pReadBuffer,
                            &IoCcCopyReadStatus))
            {
                FSRKU_DbgPrintLog(L"Cached Read could not wait\n");
            }
        }
        else
        {
            CcMdlRead(Data->Iopb->TargetFileObject,
                      &Data->Iopb->Parameters.Read.ByteOffset,
                      Data->Iopb->Parameters.Read.Length,
                      &Data->Iopb->Parameters.Read.MdlAddress,
                      &IoCcCopyReadStatus);
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        FSRKU_DbgPrintLog(L"###ERR: Exception caught for CcCopyRead().Reason: Unknown\n");
    }

    Data->IoStatus.Status = STATUS_SUCCESS;
    Data->IoStatus.Information = Data->Iopb->Parameters.Read.Length;
    returnStatus = FLT_PREOP_COMPLETE;

    return returnStatus;
}

2) You also don’t show the stack back trace at the time of the crash, which makes it difficult to understand the context of the failing operation.

> Please find the crash log below.

*** Fatal System Error: 0x00000034
(0x000001D5,0xC0000420,0x00000000,0x00000000)

WARNING: This break is not a step/trace completion.
The last command has been cleared to prevent
accidental continuation of this unrelated event.
Check the event, location and thread before resuming.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7600 x86 compatible target at (Mon Nov 26 16:57:23.760 2012 (GMT+5)), ptr64 FALSE
Loading Kernel Symbols



Loading User Symbols

Loading unloaded module list

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 34, {1d5, c0000420, 0, 0}

Probably caused by : FSRedirector.sys ( FSRedirector!FSRPreReadCallback+382 )

Followup: MachineOwner

CACHE_MANAGER (34)
See the comment for FAT_FILE_SYSTEM (0x23)
Arguments:
Arg1: 000001d5
Arg2: c0000420
Arg3: 00000000
Arg4: 00000000

Debugging Details:

EXCEPTION_RECORD: c0000420 – (.exr 0xffffffffc0000420)
ExceptionAddress: 00000000
ExceptionCode: 00000000
ExceptionFlags: 00000000
NumberParameters: 0

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR: 0x34

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from 828e16d5 to 82868bc0

STACK_TEXT:
8a0eb6a4 828e16d5 00000003 4a9d4230 00000065 nt!RtlpBreakWithStatusInstruction
8a0eb6f4 828e21d1 00000003 859728c0 84866b14 nt!KiBugCheckDebugBreak+0x1c
8a0ebab8 828e1574 00000034 000001d5 c0000420 nt!KeBugCheck2+0x68b
8a0ebadc 82a68830 00000034 000001d5 c0000420 nt!KeBugCheckEx+0x1e
8a0ebb14 94f46e82 840bab68 84866b14 00010000 nt!CcCopyRead+0x17b
8a0ebbac 873a8aeb 84866ad0 8a0ebbcc 8a0ebbf8 FSRedirector!FSRPreReadCallback+0x382 [d:\work\fsr\trunk\fsredirector\src\fsredirector\fsrread.c @ 152]
8a0ebc18 873ab17b 8a0ebc54 840afa60 8a0ebcac fltmgr!FltpPerformPreCallbacks+0x34d
8a0ebc30 873bdc37 000ebc54 873bdad4 00000000 fltmgr!FltpPassThroughFastIo+0x3d
8a0ebc74 82a14dfa 840afa60 8a0ebcb4 00010000 fltmgr!FltpFastIoRead+0x163
8a0ebd08 8284579a 84da28b0 00000000 00000000 nt!NtReadFile+0x2d5
8a0ebd08 770564f4 84da28b0 00000000 00000000 nt!KiFastCallEntry+0x12a
00cfe438 7705570c 74202dce 00000610 00000000 ntdll!KiFastSystemCallRet
00cfe43c 74202dce 00000610 00000000 00000000 ntdll!ZwReadFile+0xc
00cfe49c 74202fc2 00000610 00011000 00000000 wevtsvc!FileView::ReadIn+0x36
00cfe500 741f2a76 00000001 00000000 00cfe87c wevtsvc!File::MapInWriteChunk+0x70
00cfe53c 741f29f6 00cfe718 00cfe87c ffffffff wevtsvc!File::WriteOneEventToBuffer+0x6d
00cfe5cc 741f28b8 00cfe718 ffffffff ffffffff wevtsvc!File::ActualWriteRecord+0x9b
00cfe5f0 741f2893 00cfe718 ffffffff ffffffff wevtsvc!File::WriteRecord+0x1c
00cfe608 741f7f3b 00cfe718 00cfe628 f34af0ac wevtsvc!LogConsumer::Indicate+0x16
00cfe644 741f27bc 00cfe718 f34af020 002e5338 wevtsvc!Channel::ActualProcessEvent+0x4c
00cfe6c8 741f65d1 00cfe718 f34af010 002e5338 wevtsvc!Channel::ProcessEvent+0xa4
00cfe6f8 741f6bfb 019d01c8 00cfe718 f34afb2c wevtsvc!WriteEventToChannel+0x1b
00cfedc4 741f2fac 002e5338 f34af9a8 002e5338 wevtsvc!Publisher::ProcessNormalEvent+0x286
00cfef40 741f2ea6 00cfef64 002e5350 f34ae2dc wevtsvc!PublisherManager::ProcessEvent+0x9c5
00cff434 741f2e3a 002e5338 f34ae28c 002e5338 wevtsvc!PublisherManager::ProcessEvent+0x5f
00cff464 762e0295 002e5338 f353e00e 002e5338 wevtsvc!PublisherManager::EventCallback+0x1e
00cff4ac 762e0327 00336328 002e5338 00000000 ADVAPI32!EtwpDoEventCallbacks+0x36
00cff4e4 762dfe40 00000001 005c0000 00000000 ADVAPI32!EtwpLoadEventTrigger+0x148
00cff518 762e0dca 00000002 00336328 00000000 ADVAPI32!EtwpProcessRealTimeTraces+0xb1
00cff860 7422bf65 00000008 00000001 00000000 ADVAPI32!ProcessTrace+0x254
00cff888 75e41174 0031d970 00cff8d4 7706b3f5 wevtsvc!ProcessEventsThread+0x4d
00cff894 7706b3f5 0031d970 77c1a9ee 00000000 kernel32!BaseThreadInitThunk+0xe
00cff8d4 7706b3c8 7422bf18 0031d970 00000000 ntdll!__RtlUserThreadStart+0x70
00cff8ec 00000000 7422bf18 0031d970 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND: kb

FOLLOWUP_IP:
FSRedirector!FSRPreReadCallback+382 [d:\work\fsr\trunk\fsredirector\src\fsredirector\fsrread.c @ 152]
94f46e82 0fb6c8 movzx ecx,al

FAULTING_SOURCE_CODE:
147 if (!CcCopyRead(Data->Iopb->TargetFileObject,
148: &Data->Iopb->Parameters.Read.ByteOffset,
149: Data->Iopb->Parameters.Read.Length,
150: TRUE,
151: pReadBuffer,

152: &IoCcCopyReadStatus))
153: {
154: FSRKU_DbgPrintLog(L"Cached Read could not wait\n");
155: }
156: }
157: else

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: FSRedirector!FSRPreReadCallback+382

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: FSRedirector

IMAGE_NAME: FSRedirector.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 50b35070

FAILURE_BUCKET_ID: 0x34_FSRedirector!FSRPreReadCallback+382

BUCKET_ID: 0x34_FSRedirector!FSRPreReadCallback+382

Followup: MachineOwner

Please provide your comments.

Wow, this looks like a disaster waiting to happen.

You can’t use the underlying FSD’s structures ad hoc like you are doing here (you use their FsContext pointer but not their FsContext2 pointer). You either own the file object (and own all the structures) or you don’t own it and you leave them alone. Copying the contents of the SOP structure isn’t going to work - you cannot use someone else’s cache as your own. I suspect that’s why Cc is unhappy with you.

Maybe I’m missing the indentation here, but it looks to me like the MDL path is broken. But since almost nobody uses it, you won’t notice that for a while, which is probably a good thing.

Tony
OSR