hello,
I am trying to read from my file system with a User mode application (buffered access), works perfect, until I yank out the disk from the USB, then the FS release all resources, sends to the application that the FS is STATUS_NO_SUCH_DEVICE - the application receives error and zero buffer read. The FS replys to volume invalidation and surprise remove, releases all FCBs (and the open one),notify that FSRTL_VOLUME_DISMOUNT,…
But then The application (on purpose!!!) reads from the FS JUST this last time (after the volume was released), and I get the BSOD. Of course the debugger shows that the FS is not involved.
Is there something missing in my FS release that enables the “bad” handle used by the application to continue access to the my ghost FS which “long ago” was released?
I have attached the debugger’s log, if it might help.
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 80581a9b, The address that the exception occurred at
Arg3: a9973c30, Trap Frame
Arg4: 00000000
Debugging Details:
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.
FAULTING_IP:
nt!NtReadFile+2c1
80581a9b ff5608 call dword ptr [esi+8]
TRAP_FRAME: a9973c30 – (.trap 0xffffffffa9973c30)
ErrCode = 00000000
eax=a9973cd8 ebx=85c81478 ecx=85c81478 edx=fffff000 esi=00000000 edi=0011f544
eip=80581a9b esp=a9973ca4 ebp=a9973d38 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!NtReadFile+0x2c1:
80581a9b ff5608 call dword ptr [esi+8] ds:0023:00000008=???
Resetting default scope
CUSTOMER_CRASH_COUNT: 8
DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: transferProj.ex
LAST_CONTROL_TRANSFER: from 804dd99f to 80581a9b
STACK_TEXT:
a9973d38 804dd99f 000000bc 00000000 00000000 nt!NtReadFile+0x2c1
a9973d38 7c90eb94 000000bc 00000000 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0011f500 7c90e288 7c801875 000000bc 00000000 0x7c90eb94
0011f56c 00404474 000000bc 0011f588 00010000 0x7c90e288
0011f570 00000000 0011f588 00010000 0012f588 0x404474
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!NtReadFile+2c1
80581a9b ff5608 call dword ptr [esi+8]
SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 42250f77
SYMBOL_NAME: nt!NtReadFile+2c1
FAILURE_BUCKET_ID: 0x8E_nt!NtReadFile+2c1
BUCKET_ID: 0x8E_nt!NtReadFile+2c1
Followup: MachineOwner