IoGetDiskDeviceObject crash.

kishor_ghait · August 10, 2009, 3:46am

Does IoGetDiskDeviceObject() handle the case where NTFS has not given up the control of the volume and the underline device has gone away ??

In my mini-filter I am making a call to IoGetDiskDeviceObject() from a worker thread which I queued from Instancesetup and suddenly storage volume gets dismounted.

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff800018bb270, The address that the exception occurred at
Arg3: fffffa6001daa9a8, Exception Record Address
Arg4: fffffa6001daa380, Context Record Address

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!ObfReferenceObject+20
fffff800`018bb270 f0480fc11f lock xadd qword ptr [rdi],rbx

EXCEPTION_RECORD: fffffa6001daa9a8 -- (.exr 0xfffffa6001daa9a8)
ExceptionAddress: fffff800018bb270 (nt!ObfReferenceObject+0x0000000000000020)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT: fffffa6001daa380 -- (.cxr 0xfffffa6001daa380)
rax=fffff80001a7f400 rbx=0000000000000001 rcx=005c004e00450054
rdx=0000000000000000 rsi=fffffa6001daacc8 rdi=005c004e00450024
rip=fffff800018bb270 rsp=fffffa6001daabe0 rbp=fffffa800afe8030
r8=fffffa60005ec880 r9=fffffa80095b70d0 r10=fffffa6000eaa640
r11=fffffa800afe9360 r12=fffffa80095b7000 r13=0000000000000001
r14=0000000000000000 r15=fffffa60005efcc0
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!ObfReferenceObject+0x20:
fffff800018bb270 f0480fc11f lock xadd qword ptr [rdi],rbx ds:002b:005c004e00450024=????????????????
Resetting default scope

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 2

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: ffffffffffffffff

READ_ADDRESS: ffffffffffffffff

FOLLOWUP_IP:
myfilter!WorkerGetDosVolumeName+e5
fffffa60`013df0d1 488bcd mov rcx,rbp

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from fffff800019458e3 to fffff800018bb270

STACK_TEXT:
fffffa6001daabe0 fffff800019458e3 : 0000000000000000 fffffa800b2fcb80 0000000000000000 fffffa800afe8030 : nt!ObfReferenceObject+0x20
fffffa6001daac10 fffffa60013df0d1 : fffffa8009b44900 fffffa8009b449d0 0000000000000000 000000800000000a : nt!IoGetDiskDeviceObject+0x63
fffffa6001daac40 fffffa6000ebd733 : 0000000000000000 0000000000000000 0000000000000000 005c004e00450054 : myfilter!WorkerGetDosVolumeName+0xe5
fffffa6001daacb0 fffff800018b78c3 : fffffa6000ebd6f0 fffff800019e78a0 fffffa80039c0bb0 0000000000000000 : fltmgr!FltpProcessGenericWorkItem+0x43
fffffa6001daacf0 fffff80001abaf37 : fffffa80095b7098 0000000000000000 fffffa80039c0bb0 0000000000000080 : nt!ExpWorkerThread+0xfb
fffffa6001daad50 fffff800018ed616 : fffffa60005ec180 fffffa80039c0bb0 fffffa60005f5d40 fffffa80039ceca8 : nt!PspSystemThreadStartup+0x57
fffffa6001daad80 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: myfilter!WorkerGetDosVolumeName+e5

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: myfilter

IMAGE_NAME: myfilter.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a4e7369

STACK_COMMAND: .cxr 0xfffffa6001daa380 ; kb

FAILURE_BUCKET_ID: X64_0x7E_myfilter!WorkerGetDosVolumeName+e5

BUCKET_ID: X64_0x7E_myfilter!WorkerGetDosVolumeName+e5

Followup: MachineOwner

1: kd> !devobj fffffa800afe8030
Device object (fffffa800afe8030) is for:
\FileSystem\Ntfs DriverObject fffffa8004c4c750
Current Irp 00000000 RefCount 0 Type 00000008 Flags 00040000
DevExt fffffa800afe8180 DevObjExt fffffa800afe9360
ExtensionFlags (0x00000802) DOE_DELETE_PENDING
Unknown flags 0x00000800
AttachedDevice (Upper) fffffa8008241300 \FileSystem\FltMgr
Device queue is not busy.

1: kd> dt nt!_DEVICE_OBJECT fffffa800afe8030
+0x000 Type : 3
+0x002 Size : 0x1330
+0x004 ReferenceCount : 0
+0x008 DriverObject : 0xfffffa8004c4c750 _DRIVER_OBJECT +0x010 NextDevice : 0xfffffa800a2ec030 _DEVICE_OBJECT
+0x018 AttachedDevice : 0xfffffa8008241300 _DEVICE_OBJECT +0x020 CurrentIrp : (null) +0x028 Timer : (null) +0x030 Flags : 0x40000 +0x034 Characteristics : 0 +0x038 Vpb : (null) +0x040 DeviceExtension : 0xfffffa800afe8180
+0x048 DeviceType : 8
+0x04c StackSize : 8 ''
+0x050 Queue :
+0x098 AlignmentRequirement : 0
+0x0a0 DeviceQueue : _KDEVICE_QUEUE
+0x0c8 Dpc : _KDPC
+0x108 ActiveThreadCount : 0
+0x110 SecurityDescriptor : (null)
+0x118 DeviceLock : _KEVENT
+0x130 SectorSize : 0x200
+0x132 Spare1 : 1
+0x138 DeviceObjectExtension : 0xfffffa800afe9360 _DEVOBJ_EXTENSION +0x140 Reserved : (null) 1: kd> dt nt!_DEVOBJ_EXTENSION 0xfffffa800afe9360
+0x000 Type : 13
+0x002 Size : 0
+0x008 DeviceObject : 0xfffffa800afe8030 _DEVICE_OBJECT +0x010 PowerFlags : 0 +0x018 Dope : (null) +0x020 ExtensionFlags : 0x802 +0x028 DeviceNode : (null) +0x030 AttachedTo : (null) +0x038 StartIoCount : 0 +0x03c StartIoKey : 0 +0x040 StartIoFlags : 0 +0x048 Vpb : 0xfffffa80086e2e00 _VPB
+0x050 DependentList : _LIST_ENTRY [0xfffffa800afe93b0 - 0xfffffa800afe93b0]
+0x060 ProviderList : _LIST_ENTRY [0xfffffa800afe93c0 - 0xfffffa800afe93c0]

1: kd> dt nt!_VPB 0xfffffa80086e2e00 +0x000 Type : 42 +0x002 Size : 92 +0x004 Flags : 0x4d +0x006 VolumeLabelLength : 0x41 +0x008 DeviceObject : 0x004e00410044004e _DEVICE_OBJECT
+0x010 RealDevice : 0x005c004e00450054 _DEVICE_OBJECT +0x018 SerialNumber : 0x43004b +0x01c ReferenceCount : 0x4d004f +0x020 VolumeLabel : [32] "P\LCEKCOPROD\MXTRACE.LOG" 1: kd> !vpb 0xfffffa80086e2e00
Vpb at 0xfffffa80086e2e00
Flags: 0x4d mounted persistent
DeviceObject: 0x004e00410044004e
RealDevice: 0x005c004e00450054
RefCount: 5046351
Volume Label: P\LCEKCOPROD\MXTRACE.LOG

Thanks,
-Kishor

kishor_ghait · August 10, 2009, 8:05am

1: kd> dd 0x005c004e00450054
005c004e00450054 ???????? ???????? ???????? ???????? 005c004e00450064 ??? ??? ??? ???
005c004e00450074 ???????? ???????? ???????? ???????? 005c004e00450084 ??? ??? ??? ???
005c004e00450094 ???????? ???????? ???????? ???????? 005c004e004500a4 ??? ??? ??? ???
005c004e004500b4 ???????? ???????? ???????? ???????? 005c004e004500c4 ??? ??? ??? ???

Petr_Kurtin · August 10, 2009, 8:24am

dd number represents unicode characters

kd> .formats 0x005c004e`00450054

Evaluate expression:

Hex: 005c004e`00450054

Chars: ..N.E.T

kd> .formats 0x004e0041`0044004e

Evaluate expression:

Hex: 004e0041`0044004e

Chars: .N.A.D.N

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: 10. srpna 2009 14:05
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] IoGetDiskDeviceObject crash.

1: kd> dd 0x005c004e00450054

005c004e`00450054 ??? ??? ??? ???

005c004e`00450064 ??? ??? ??? ???

005c004e`00450074 ??? ??? ??? ???

005c004e`00450084 ??? ??? ??? ???

005c004e`00450094 ??? ??? ??? ???

005c004e`004500a4 ??? ??? ??? ???

005c004e`004500b4 ??? ??? ??? ???

005c004e`004500c4 ??? ??? ??? ???

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars

(including our new fs mini-filter seminar) visit:

http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

kishor_ghait · August 10, 2009, 8:58am

0x005c004e00450054 is the underlined device object which has been passed to nt!ObfReferenceObject by IoGetDiskDeviceObject()

Flags: 0x4d mounted persistent
DeviceObject: 0x004e00410044004e
RealDevice: 0x005c004e00450054
RefCount: 5046351

-Kishor.

Petr_Kurtin · August 10, 2009, 10:47am

VPB is totally invalid, type: “db 0xfffffa80`086e2e00” and you’ll see VPB
was already freed or reused.

if you look at DeviceObject->ReferenceCount, it dropped to zero; I think,
you didn’t reference PFLT_VOLUME, PFLT_INSTANCE or DeviceObject before
setting a workitem. Volume/Instance/DO, you’re working with, can be already
unmounted.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: 10. srpna 2009 14:58
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] IoGetDiskDeviceObject crash.

0x005c004e00450054 is the underlined device object which has been passed to
nt!ObfReferenceObject by IoGetDiskDeviceObject()

Flags: 0x4d mounted persistent
DeviceObject: 0x004e00410044004e
RealDevice: 0x005c004e00450054
RefCount: 5046351

-Kishor.

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

kishor_ghait · August 10, 2009, 11:14am

1: kd> db 0xfffffa80086e2e00 fffffa80086e2e00 2a 00 5c 00 4d 00 41 00-4e 00 44 00 41 00 4e 00 *..M.A.N.D.A.N.
fffffa80086e2e10 54 00 45 00 4e 00 5c 00-4b 00 43 00 4f 00 4d 00 T.E.N.\.K.C.O.M. fffffa80086e2e20 50 00 5c 00 4c 00 43 00-45 00 4b 00 43 00 4f 00 P..L.C.E.K.C.O.
fffffa80086e2e30 50 00 52 00 4f 00 44 00-5c 00 4d 00 58 00 54 00 P.R.O.D.\.M.X.T. fffffa80086e2e40 52 00 41 00 43 00 45 00-2e 00 4c 00 4f 00 47 00 R.A.C.E…L.O.G.
fffffa80086e2e50 00 00 00 03 00 00 00 00-00 d9 e5 04 00 00 00 00 ................ fffffa80086e2e60 07 00 05 02 4e 74 66 6e-00 00 00 00 00 00 00 00 …Ntfn…
fffffa80`086e2e70 07 07 40 00 00 00 00 00-00 00 00 00 00 00 00 00 …@…

Following is code in workeritem where IoGetDeviceAttachmentBaseRef increment the refernce count before return device object.

status = FltGetDeviceObject( instanceContext->Volume, &volumeDeviceObject );

if (!NT_SUCCESS(status))
{
goto WorkerGetDosVolumeNameCleanup;
}

baseFileSystemObject = IoGetDeviceAttachmentBaseRef(volumeDeviceObject);

ObDereferenceObject(volumeDeviceObject);

if (baseFileSystemObject == NULL)
{
goto WorkerGetDosVolumeNameCleanup;
}

status = IoGetDiskDeviceObject(baseFileSystemObject, &diskDeviceObject);
ObDereferenceObject( baseFileSystemObject );

kishor_ghait · August 10, 2009, 12:41pm

Thanks, Petr I got your point.

Thanks again.
-Kishor.