hang in FltCreateFile in Minifilter

OSR_Community_User · April 21, 2009, 11:15am

Hi all,
I’m writing a minifilter that has a kernel thread that need to do some updates to files in the background.
From time to time it receive tasks to change a file.
Because I don’t want anybody else to touch the file while the thread is accesing it I suspended any other pre-create of this specific file until the thread finish the task.
The suspension is done by waiting on an event until the thread finish and signal this event (which is per file).
The thread function use FltCreateFile, FltReadFile FltWriteFile and FltCloseFile.
My problem is that the FltCreateFile is hang and never return.
This happen only when I get a pre-create on the file that the thread is working on.
If I remove the open suspension from the pre-create the FltCreateFile never hang.

Any help is welcome,
Sagi

Eric_Diven · April 21, 2009, 12:09pm

At the risk of asking a dumb question, is your thread the one making the
create request that’s hanging? If not, could it be happening indirectly
because of a driver below you?

This sounds like the sort of thing that has the potential to cause a lot
of hangs if IO goes to the top of the stack for a file while your thread
is operating on it.

Eric

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@giant-steps.com
Sent: Tuesday, April 21, 2009 11:17 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] hang in FltCreateFile in Minifilter

Hi all,
I’m writing a minifilter that has a kernel thread that need
to do some updates to files in the background.
From time to time it receive tasks to change a file.
Because I don’t want anybody else to touch the file while the
thread is accesing it I suspended any other pre-create of
this specific file until the thread finish the task.
The suspension is done by waiting on an event until the
thread finish and signal this event (which is per file).
The thread function use FltCreateFile, FltReadFile
FltWriteFile and FltCloseFile.
My problem is that the FltCreateFile is hang and never return.
This happen only when I get a pre-create on the file that the
thread is working on.
If I remove the open suspension from the pre-create the
FltCreateFile never hang.

Any help is welcome,
Sagi

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online
at http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · April 21, 2009, 4:24pm

Hi,
My thread is making the FltCreateFile request.
I use the instance parameter so that the request will get to the driver below me and not start at the top of the stack.
Thanks,
Sagi

Aditya_Shrivastava · April 22, 2009, 1:43am

@ Sagi Zar

This approach should surly cause trouble AFAIK. AV filter drivers (not minifilters) could be sitting below you and they actually do a create and read on the fileobject recieved which again goes to the top of stack and wih your approach this will be a deadlock, you waiting for the request to be completed by AV, AV waiting for the request completed by you. IIRC i observe this behavior with some version of symmantec AV.

Thanks,
Aditya

Dmitry_G · April 22, 2009, 3:58am

Try using
IoCreateFileSpecifyDeviceObjectHint() writing directly to the lowest DO.

wrote in message news:xxxxx@ntfsd…
>@ Sagi Zar
>
> This approach should surly cause trouble AFAIK. AV filter drivers (not
> minifilters) could be sitting below you and they actually do a create and
> read on the fileobject recieved which again goes to the top of stack and
> wih your approach this will be a deadlock, you waiting for the request to
> be completed by AV, AV waiting for the request completed by you. IIRC i
> observe this behavior with some version of symmantec AV.
>
> Thanks,
> Aditya
>

Ayush_Gupta-2 · April 22, 2009, 4:01am

> Try using

IoCreateFileSpecifyDeviceObjectHint() writing directly to
the lowest DO.

Bypassing other filters/ minifilters on the stack is not a recommended method.

Regards,
Ayush Gupta
http://windows-internals.blogspot.com/

Own a website.Get an unlimited package.Pay next to nothing.*Go to http://in.business.yahoo.com/

Aditya_Shrivastava · April 22, 2009, 8:37am

>>Bypassing other filters/ minifilters on the stack is not a recommended method.

True, plus the rider that IoCreateFileSpecifyDeviceObjectHint is available from XP so no 2K support. Unless you are not doing a anti-malware software, which uses similar techniques.

OSR_Community_User · April 22, 2009, 12:59pm

So, what is the create you issued blocked on ? Also, is there any other thread waiting on your lock? Copy&paste some stacks…

Also, using IoCreateFileSpecifyDeviceObjectHint to skip filters below you (mini or legacy) is something to be avoided. The end result to the user could be disastrous, from security holes to data corruption.

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.

OSR_Community_User · April 24, 2009, 8:44am

> Because I don’t want anybody else to touch the file while the thread is accesing it

Use zero in sharing mode parameter to do this.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com