NULL FsContext

Hi,
We are having a crash with the following stack trace:

8335bb10 816651f8 8335bb58 00000000 85495568 Ntfs!NtfsFilterCallbackAcquireForCreateSection+0x14
8335bb34 81848e25 00000000 00000000 8335bc8b nt!FsFilterPerformCallbacks+0xa0
8335bc90 81848f4e 86a6fa90 00000000 00000000 nt!FsRtlAcquireFileExclusiveCommon+0x10a
8335bca4 8165b020 86a6fa90 81750128 86596de0 nt!FsRtlAcquireFileExclusive+0x12
8335bcec 81654826 864db758 8335bd10 00000000 nt!CcWriteBehind+0x3ce
8335bd44 81652445 854e7808 00000000 854dc2d8 nt!CcWorkerThread+0x11e
8335bd7c 817efb18 854e7808 f7e5b8a9 00000000 nt!ExpWorkerThread+0xfd
8335bdc0 81648a2e 81652348 00000000 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

It always crashes on the SAME file. It crashes while accessing the FsContext field
of the FileObject, which is NULL. The handle count is 0 but the Pointer count is
2. How can we debug this problem to find out who is setting this field to NULL?

It works fine when there is only our driver but crashes when Symantec
antivirus is installed. Symantec version is 11.0. Also, it works fine when
run with only Symantec. It crashes only when both Symantec and our driver are
loaded.

Please provide any pointers on how to find who is setting FsContext to NULL.

Thanks
Ashish

Have you run Driver Verifier on your driver? Results? Have you run Driver
Verifier on Symantec's drivers? Results? Also set WDF Verifier if they are
WDF drivers.

The personal opinion of

Gary G. Little

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ashish Goyal
Sent: Saturday, September 19, 2009 8:29 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] NULL FsContext


— NTFSD is sponsored by OSR For our schedule of debugging and file system
seminars (including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars To unsubscribe, visit the List Server section of
OSR Online at http://www.osronline.com/page.cfm?name=ListServer

__________ Information from ESET Smart Security, version of virus signature
database 4441 (20090919) __________

The message was checked by ESET Smart Security.

http://www.eset.com

The Symantec Endpoint Protection software ‘should’ be using a minifilter for file system filtering. I believe the older Symantec Corporate Security (?) software used a legacy file system filter. I have not installed SEP on any of my systems yet to know for sure, and I don’t have my company notebook at home this weekend to see if the later versions of SCS switched to the minifilter. I know for certain that some in the software group responsible read this newsgroup, and if an issue you post might be caused by their software and you have a valid email address in your post, they will contact the OP off-line. None of them post in a way you can determine that they work for Symantec, since corporate policy prohibits this (unless that policy has been changed).

If you (OP) don’t get a response, ensure the reply address for your post will work. If it is valid, check your software, as you are probably looking for a bug in your software. I know they attend the IFS PlugFests and have worked very hard to get it stable. The OP should also check and see if there are any updates available, as with Symantec-branded software LiveUpdate does not update binaries, but virus definitions only. The IT department in the corporate environment is allowed to see all updates and decide when and if they should be pushed to their users. The Norton Internet Security and Antivirus products can be completely updated via LiveUpdate, including an upgrade to the latest versions of the software.

This is one reason why I run Norton on my personal computers even though I can get a free copy of the Symantec software at work for home use. My company allows VPN access to the corporate network and they believe it is better to give us the protection than expose the corporate network to a zombie home system.

If your driver is in the file system stack (not the storage stack), then run Driver Verifier with all options except low resource simulation.


Thanks for replies…I also thought of running Driver Verifier but since I
have to run at customer location I just thought of having alternate
solutions.

I did some research on FsContext field to find out WHEN IT CAN BE NULL. I
know that FsContext holds FCB which is used by CacheManager. Are there any
cases when it can be NULL like stream file…Because the file on which it
crashes is a stream file.

Thanks
Ashish

On Sun, Sep 20, 2009 at 1:46 AM, Gary G. Little wrote:

> Have you run Driver Verifier on your driver? Results? Have you run Driver
> Verifier on Symantec's drivers? Results? Also set WDF Verifier if they are
> WDF drivers.