kernel->user->kernel signalling

I’m trying to get some signalling to work in the IRP_MJ_CREATE context of
my filter driver. The filter works in conjunction with a user-level app.
During a file create event in the file system, I wish to signal the user
app, then wait for a response before proceeding to complete the
IRP_MJ_CREATE.

This is *partially* working… The filter code signals the upward event
and does a WaitForSingleObject on the downward event, the user app wakes
from its WaitForSingleObject as a result of the upward event and signals
the downward event. The filter code wakes from its wait and completes the
IRP_MJ_CREATE processing. So far so good… Problem is that no subsequent
file activity comes in for the file open I’ve initiated (“type
thisfile.txt”). I should see about three IRP_MJ_CREATE calls but never
see any past the first if I have this wait mechanism in place. And the
“type thisfile.txt” command just hangs.

?

I use the same technique and don’t have any big troubles with it. Look for
errors in your code or send pieces of your code here so the people of the
list could see where the problem is.

----- Original Message -----
From: “Bill”
To: “File Systems Developers”
Sent: Tuesday, January 07, 2003 8:41 PM
Subject: [ntfsd] kernel->user->kernel signalling

It sounds as though you may not be releasing a resource. Have you
debugged the problem and determined whether your create entry point is not
called at all or whether it is blocking in the initial stages? Are you
correctly completing the create Irp?

Be very careful of re-entrancy issues, which can easily lead to deadlock
situations.

Pete

Peter Scott
xxxxx@KernelDrivers.com
www.KernelDrivers.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Bill
Sent: Tuesday, January 07, 2003 11:41 AM
To: File Systems Developers
Subject: [ntfsd] kernel->user->kernel signalling

You are currently subscribed to ntfsd as: xxxxx@kerneldrivers.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

The event objects are created in the user program and made accessible via
RtlInitUnicodeString and IoCreateNotificationEvent when my device
interface is opened. The access to the event/handles is successful.

Leaving out some of the other details, my kernel code that does the
signalling and waiting looks like the following. It is done within a
function called from the IRP_MJ_CREATE handler.

//snip

DbgPrint( "SIGNALLING USER\n" );

/* Notify the user-mode app. UpwardEvent is the KEVENT obtained via
   IoCreateNotificationEvent when the device interface was opened. */
if (UpwardEvent != NULL) {
    DbgPrint( "SIGNALLED USER\n" );
    /* Pulse: releases only the threads that are on the wait list at this
       instant, then leaves the event non-signaled. Wait == TRUE tells the
       kernel that a KeWaitXxx call follows. */
    KePulseEvent( UpwardEvent, 0, TRUE );
}
DbgPrint( "WAITING FOR USER\n" );

/* Block this IRP_MJ_CREATE thread until the app signals the downward event.
   Alertable == TRUE, so the wait can also return STATUS_ALERTED or
   STATUS_USER_APC; NULL timeout means wait indefinitely. */
KeWaitForSingleObject( DownwardEvent,
                       UserRequest,
                       KernelMode,
                       TRUE,
                       NULL );

DbgPrint( "WOKE UP FROM USER EVENT\n" );

/* Re-arm the notification event for the next create. */
KeClearEvent( DownwardEvent );

return;

Leaving out some of the other details, the user mode code that does the
signalling and responding looks like this…

DWORD waitResult;

do {
    /* Block for up to 10 seconds waiting for the kernel's upward signal. */
    waitResult = WaitForSingleObject( UpwardEvent, 10000 );

    switch (waitResult) {

    case WAIT_ABANDONED:
        printf( "Sorry, wait has been abandoned\n" );
        break;

    case WAIT_OBJECT_0:
        printf( "Yippee! A signal from below, send it back.\n" );
        /* Pulse: only releases a kernel thread that is already waiting. */
        PulseEvent( DownwardEvent );
        break;

    case WAIT_TIMEOUT:
        printf( "A timeout has occurred in test.exe\n" );
        break;

    default:
        printf( "Shouldn't get here!\n" );
        break;
    }
} while (1);

The end result of this *should be* that my filter, which otherwise is
operating as expected, sees a slight delay in processing the CREATE calls
due to the extra communication with Ring 3. Once the signalling is
working, I can add the code that is the *real* reason for the
communications in the first place.

Again, this works the first time, but I never get called at my
IRP_MJ_CREATE entry point again (should see three such calls for the file
action I’m doing).

If I remove the signalling component from the filter driver, everything is
copacetic.

Any help or pointers/samples would be appreciated. I’m sure this is
something dumb…

Nope. I’m confident that there are no resource locking issues at play
here. The only thing that differs between the not-working and working
scenarios is the inclusion (or not) of the KePulseEvent and
KeWaitForSingleObject calls. If I don’t make those calls, everything
works correctly. If I make those calls, then the I/O for that file access
action comes to a halt (my IRP_MJ_CREATE handler doesn’t get called again)
after the successful completion of the first such call.

Funny thing is that there is another, similar, wait in that processing
path - the wait for the Read completion by the lower level FSD. That has
always been there and has always worked. (So it’s not that I shouldn’t be
waiting in that context, right?).

Does first IRP_MJ_CREATE complete well? Is KeWaitForSingleObject satisfied
at least once? What do you mean by saying ‘never get another IRP_MJ_CREATE
again’?

Also note that you must not hold file operations performed by your own
user-mode process or by a process you depend on (i.e. a COM server in
another EXE). On Windows XP csrss.exe may hold your process in some
circumstances until some file operation is completed. Also, if your user
mode application raises an exception and something like Dr.Watson catches
it, you will end up in a deadlock as Dr.Watson freezes your process too.

If you want you may contact me on ICQ 155268104 to further discuss your
problems.

----- Original Message -----
From: “Bill”
To: “File Systems Developers”
Sent: Tuesday, January 07, 2003 9:38 PM
Subject: [ntfsd] Re: kernel->user->kernel signalling

> Does first IRP_MJ_CREATE complete well? Is KeWaitForSingleObject satisfied
> at least once? What do you mean by saying ‘never get another IRP_MJ_CREATE
> again’?

Thanks for your interest and answers, Alexey.

The first IRP_MJ_CREATE does complete well, and it does so as a result of
the first KeWaitForSingleObject being satisfied from the user signal. I
know this because my trace log shows the DbgPrint after the Wait and then
shows that I go on and finish out the _CREATE processing (e.g. add the FCB
and FileObject to my splay tree where I keep track of open files and other
ops). I also see a subsequent query and IRP_MJ_CLEANUP and _CLOSE on that
FileObject, so the _CREATE must have been satisfied, right?

What I mean by not getting another _CREATE call is that, in most file
accesses by application programs, the file is actually opened and closed
several (sometimes many) times. If I comment out the signalling code, I
see a series of three _CREATE/_CLOSE cycles. The first two are for
querying various info, the third is where the data is actually read from
the file.

Note that file access for ‘other’ files proceeds OK, but the specific file
I was trying to filter on doesn’t get the other expected IRP_MJ_CREATE
calls. It’s like the I/O manager gave up on it for some reason.

> Also note that you must not hold file operations performed by your own
> user-mode process or by a process you depend on (i.e. a COM server in
> another EXE). On Windows XP csrss.exe may hold your process in some
> circumstances until some file operation is completed. Also, if your user
> mode application raises an exception and something like Dr.Watson catches
> it, you will end up in a deadlock as Dr.Watson freezes your process too.

“Assuming” there is no exception and failure in the Ring 3 code I’ve
signalled and am awaiting response from, is there a difference between the
Wait I do for the Create completion by the lower level FSD and the Wait on
an event that just happens to get signalled by Ring 3? I coded them both
the same way and have seen no ill effects as a result of waiting on the
FSD completion; only on the user signalled event does this problem show
up.

Do other applications continue working fine? I still cannot understand what
you mean by not getting any _CREATE requests. If you don’t receive
IRP_MJ_CREATE it means files are not opened, right?

----- Original Message -----
From: “Bill”
To: “File Systems Developers”
Sent: Wednesday, January 08, 2003 3:03 AM
Subject: [ntfsd] Re: kernel->user->kernel signalling

> Do other application continue working fine? I still cannot understand what
> you mean under not getting any _CREATE requests. If you don’t receive
> IRP_MJ_CREATE it means files are not opened, right?

Yes. All other applications and file access continued working fine.
The problem is with continued access to a single file (or any of the files
I was intentionally intercepting with my filter). The problem *was*, as I
said, that I was not getting the subsequent file open requests I should
have seen for a typical scenario of an application (editor, WinAmp,
type.exe, whatever) when accessing a file. I got the first in the series
of opens, but no more. Take a look with FileMon to see what I mean.
Simply execute “type autoexec.bat” while monitoring and you will see that
completing that command requires a series (I think three) of
IRP_MJ_CREATE/IRP_MJ_CLOSE cycles. The first two are for querying
information about the file; the data is actually read on the third such
cycle.

At any rate, this problem has been solved thanks to a separate e-mail I
got from another reader. In short, I was using KePulseEvent in kernel
mode and PulseEvent in the user mode application. According to this
reader (I’ll post his full message when I get home and can access it),
KePulseEvent does not always work as expected. Sometimes the target
thread is removed from the wait event before the call is actually made;
when KePulseEvent runs the wait list, the target thread is no longer there
and does not get woken up.

I got fooled on this one because I missed the very first such failure in
my log. Had I been recording at that time, I would have seen an
unfulfilled wait request. When I terminated my test program and unloaded
my driver, there was still an unrequited wait outstanding within the
context of an IRP_MJ_CREATE call. I believe that was enough to prevent
the I/O manager from passing along any further _CREATE requests against
that jammed file.

Changing to KeSetEvent and SetEvent for ring0 and ring3 respectively
allowed this to work without missing any signals.
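The pulse-versus-set behaviour described in the message above, modelled deterministically as an added example (not code from the thread or from Windows; model_event and the ev_* functions are hypothetical stand-ins for the kernel's event object): a pulse releases only the threads already on the wait list, while a set leaves the event signaled until it is cleared, so a waiter that arrives after the signal still gets through.

```c
/* Deterministic model of a Windows notification event (KeSetEvent /
 * KePulseEvent / KeClearEvent semantics) that shows the lost wake-up.
 * Hypothetical model types; not code from the thread or from Windows. */
#include <stdbool.h>

typedef struct {
    bool signaled;        /* event state */
    int  waiters[4];      /* thread ids blocked in their wait */
    int  n_waiters;
    bool released[4];     /* released[tid]: tid got past its wait */
} model_event;

/* Wait on a notification event: pass at once if it is signaled (the state
 * is not auto-reset), otherwise join the wait list and block. */
static void ev_wait(model_event *e, int tid) {
    if (e->signaled) { e->released[tid] = true; return; }
    e->waiters[e->n_waiters++] = tid;
}

static void wake_all(model_event *e) {
    for (int i = 0; i < e->n_waiters; i++) e->released[e->waiters[i]] = true;
    e->n_waiters = 0;
}

/* KePulseEvent: release whoever is on the wait list at this instant, then
 * leave the event non-signaled.  A thread not yet waiting sees nothing. */
static void ev_pulse(model_event *e) { wake_all(e); e->signaled = false; }

/* KeSetEvent: release current waiters and stay signaled, so a thread that
 * arrives afterwards still passes its wait.  KeClearEvent re-arms it. */
static void ev_set(model_event *e)   { wake_all(e); e->signaled = true; }
static void ev_clear(model_event *e) { e->signaled = false; }

/* Benign ordering: the consumer (tid 1) is already blocked when the
 * producer signals.  Both pulse and set release it. */
bool early_waiter_released(bool use_pulse) {
    model_event e = {0};
    ev_wait(&e, 1);
    if (use_pulse) ev_pulse(&e); else ev_set(&e);
    return e.released[1];
}

/* The race from the thread's resolution: the signal lands before the
 * consumer reaches its wait.  Pulse loses it; set does not. */
bool late_waiter_released(bool use_pulse) {
    model_event e = {0};
    if (use_pulse) ev_pulse(&e); else ev_set(&e);
    ev_wait(&e, 1);
    return e.released[1];
}

/* Why the posted code clears after waking: without the clear a set event
 * stays signaled and the next wait (tid 2) passes without a new signal. */
bool next_wait_passes(bool clear_after_wake) {
    model_event e = {0};
    ev_wait(&e, 1); ev_set(&e);
    if (clear_after_wake) ev_clear(&e);
    ev_wait(&e, 2);
    return e.released[2];
}
```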

If the app crashes the event is released anyway.

Alexey Logachyov wrote:

> Also note that you must not hold file operations performed by your own
> user-mode process or by a process you depend on (i.e. a COM server in
> another EXE). On Windows XP csrss.exe may hold your process in some
> circumstances until some file operation is completed. Also, if your user
> mode application raises an exception and something like Dr.Watson catches
> it, you will end up in a deadlock as Dr.Watson freezes your process too.


Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32 developers.

I had this kind of problem. Dr.Watson injects its module into the process
before the process is cleaned up and shut down. So, the faulting process
still holds the event. Anyway, I just made a note of it. The actual behaviour
may differ in another scenario.

----- Original Message -----
From: “Dejan Maksimovic”
To: “File Systems Developers”
Sent: Wednesday, January 08, 2003 4:51 PM
Subject: [ntfsd] Re: kernel->user->kernel signalling
