Page Fault for Filesize Modification under Win XP

I’ve a routine of a filter driver that tries to modify the filesize of
some specified files. It works well under Win NT and Win 2K, but it causes
“page fault in nonpaged area” error under Win XP.

It seems the problem is due to the casting of “Irp->UserBuffer”.



case IRP_MN_QUERY_DIRECTORY:

    pQueryDirectory = (PQUERY_DIRECTORY)&currentIrpStack->Parameters;

    if ( pQueryDirectory )
    {
        switch ( … )
        {
        case FileBothDirectoryInformation:

            pFBDInfo = (PFILE_BOTH_DIR_INFORMATION)Irp->UserBuffer;

            while ( pFBDInfo->NextEntryOffset != 0 )
            {
                if ( Check for the specified files )
                {
                    pFBDInfo->EndOfFile.HighPart = newFileLengthHigh;
                    pFBDInfo->EndOfFile.LowPart = newFileLengthLow;
                    pFBDInfo->AllocationSize.LowPart = newFileLengthLow;
                    pFBDInfo->AllocationSize.HighPart = newFileLengthHigh;
                }

                pFBDInfo = (PFILE_BOTH_DIR_INFORMATION)((PUCHAR)pFBDInfo +
                                                        pFBDInfo->NextEntryOffset);
            }

            if ( Check for the specified files )
            {
                pFBDInfo->EndOfFile.HighPart = newFileLengthHigh;
                pFBDInfo->EndOfFile.LowPart = newFileLengthLow;
                pFBDInfo->AllocationSize.LowPart = newFileLengthLow;
                pFBDInfo->AllocationSize.HighPart = newFileLengthHigh;
            }

            return TRUE;
            break;

Would anybody here help me to sort out the problem? A more comprehensive
sample is greatly appreciated.

Thanks in advance.

– Philip

You don’t mention which file system, nor do you provide a stack trace or
other diagnostic information. Is it possible, for instance, that you have
started filtering some file system that is using the DO_DIRECT_IO or
DO_BUFFERED_IO bit in their device object’s Flags field?

Do you validate that the buffer is OK? The I/O Manager is not doing so for
neither I/O and I don’t see any validation code here - neither a check to
ensure the address is in user mode (if this is a user mode call), nor a
try/except.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: Philip Hong [mailto:xxxxx@issl.com.hk]
Sent: Monday, January 13, 2003 5:47 AM
To: File Systems Developers
Subject: [ntfsd] Page Fault for Filesize Modification under Win XP


Quoting Tony Mason:

> You don’t mention which file system, nor do you provide a stack trace or
> other diagnostic information. Is it possible, for instance, that you have
> started filtering some file system that is using the DO_DIRECT_IO or
> DO_BUFFERED_IO bit in their device object’s Flags field?

I would like the routine to run on FAT32 and NTFS. How to manage the
Irp->UserBuffer under these two situations? Is it legal to modify the content of
the UserBuffer as shown in the source list?

> Do you validate that the buffer is OK? The I/O Manager is not doing so for
> neither I/O and I don’t see any validation code here - neither a check to
> ensure the address is in user mode (if this is a user mode call), nor a
> try/except.

Thank you for your advice. This is only a simplified routine, I’ve done all
buffer validation and checking, e.g. try/except,
MmGetSystemAddressForMdl(Irp->MdlAddress) … .

Thank you very much.

– Philip


The problem with the original issue (as described) is that page fault in
nonpaged pool doesn’t happen for user addresses - only kernel addresses.
The stack trace might give a hint as to the origin of the caller (e.g., is
it a kernel caller.) At the point of the crash, what are the values of
Irp->UserBuffer, Irp->MdlAddress, Irp->AssociatedIrp.SystemBuffer and
IoStackLocation->Parameters.QueryDirectory.Length?

For FAT and NTFS, they will both use neither I/O, so it should be in the
system buffer. But without more context it is difficult to suggest what to
look for here.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: Philip Hong [mailto:xxxxx@issl.com.hk]
Sent: Monday, January 13, 2003 9:54 AM
To: File Systems Developers
Subject: [ntfsd] RE: Page Fault for Filesize Modification under Win XP


Quoting Tony Mason:

> The problem with the original issue (as described) is that page fault in
> nonpaged pool doesn’t happen for user addresses - only kernel addresses.
> The stack trace might give a hint as to the origin of the caller (e.g., is
> it a kernel caller.) At the point of the crash, what are the values of
> Irp->UserBuffer, Irp->MdlAddress, Irp->AssociatedIrp.SystemBuffer and
> IoStackLocation->Parameters.QueryDirectory.Length?

I always receive NULL for Irp->MdlAddress, Irp->AssociatedIrp.SystemBuffer, and
an allocated address for Irp->UserBuffer. With mentioned casting, I can get
back valid information under Win NT and Win 2K.

> For FAT and NTFS, they will both use neither I/O, so it should be in the
> system buffer. But without more context it is difficult to suggest what to
> look for here.

Actually, my objective is to get the directory information and try to modify
the file size of certain files. Can you suggest a better way to accomplish
this task?

Thanks.

– Philip


QueryDirectory call will use UserBuffer in both FAT and NTFS (at least in
NT, 2K and XP).

> For FAT and NTFS, they will both use neither I/O, so it should be in the
> system buffer. But without more context it is difficult to suggest what to
> look for here.


Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32 developers.

Dejan Maksimovic wrote:

> QueryDirectory call will use UserBuffer in both FAT and NTFS (at least in
> NT, 2K and XP).
>
> > For FAT and NTFS, they will both use neither I/O, so it should be in the
> > system buffer. But without more context it is difficult to suggest what to
> > look for here.

Assuming that the routine will use UserBuffer, how can I safely get and set the
content of the buffer pointed to by UserBuffer? Since directly manipulating the
UserBuffer seems to cause “page fault in nonpage area” on Win XP only.

Thanks a lot.

– Philip

See if there is an SL_RETURN_SINGLE_ENTRY flag set in IrpSp->Flags. If it is,
modify only the first FILE_BOTH_DIR_INFORMATION structure. It’s just a guess,
can’t tell anything more from the information you provided. Give it a try
and please don’t forget to tell us if it helps.

----- Original Message -----
From: “Philip Hong”
To: “File Systems Developers”
Sent: Tuesday, January 14, 2003 6:08 AM
Subject: [ntfsd] RE: Page Fault for Filesize Modification under Win XP


Well, you can safely set it, assuming try/except handler.
The problem is probably that of mathematical nature - incorrect byte written. Are
you checking that indeed a FileBothDirectoryInformation is requested and not one of
the other 5 possible values? This is not as unusual in XP as it was in earlier
versions.
Start Driver Verifier and see if that helps. I suggest stepping through debugger
to make sure the values are what you intended them to be.

> Assuming that the routine will use UserBuffer, how can I safely get and set the
> content of the buffer pointed to by UserBuffer? Since directly manipulating the
> UserBuffer seems to cause “page fault in nonpage area” on Win XP only.


Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32 developers.
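
Added example, not part of any message in this thread: a user-mode C sketch of the checks the replies ask for before touching a directory buffer, bounding every read and write by the number of bytes actually returned and rejecting a bad NextEntryOffset chain. DIR_ENTRY is a simplified stand-in for FILE_BOTH_DIR_INFORMATION, and patch_sizes and run_sample are hypothetical names; in a driver, `valid` would be the byte count from Irp->IoStatus.Information and the walk would sit inside the try/except mentioned above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified stand-in for FILE_BOTH_DIR_INFORMATION (constructed, fewer fields). */
typedef struct {
    uint32_t NextEntryOffset;   /* 0 marks the last entry */
    int64_t  EndOfFile;
    int64_t  AllocationSize;
    uint32_t FileNameLength;    /* in bytes */
    uint16_t FileName[1];       /* variable length, not NUL-terminated */
} DIR_ENTRY;
#define HDR offsetof(DIR_ENTRY, FileName)

/* Set both sizes of every entry named `name` within the first `valid` bytes
   of buf. Returns the number patched, or -1 if the chain leaves the buffer. */
int patch_sizes(uint8_t *buf, size_t valid, const uint16_t *name,
                uint32_t name_bytes, int64_t new_size)
{
    size_t off = 0;
    int patched = 0;
    if (valid == 0) return 0;                  /* no entries were returned */
    for (;;) {
        DIR_ENTRY e;                           /* private copy of the header */
        if (valid - off < HDR) return -1;
        memcpy(&e, buf + off, HDR);
        if (e.FileNameLength > valid - off - HDR) return -1;
        if (e.FileNameLength == name_bytes && !memcmp(buf + off + HDR, name, name_bytes)) {
            memcpy(buf + off + offsetof(DIR_ENTRY, EndOfFile), &new_size, sizeof new_size);
            memcpy(buf + off + offsetof(DIR_ENTRY, AllocationSize), &new_size, sizeof new_size);
            patched++;
        }
        if (e.NextEntryOffset == 0) return patched;   /* last entry already handled */
        if (e.NextEntryOffset < HDR || e.NextEntryOffset > valid - off) return -1;
        off += e.NextEntryOffset;
    }
}

/* Constructed sample "a","b" in 64 bytes: returns b's EndOfFile, or -1 if rejected. */
int64_t run_sample(uint32_t second_next, size_t valid)
{
    uint8_t buf[64] = {0};
    DIR_ENTRY a = { 32, 10, 16, 2, { 'a' } }, b = { second_next, 10, 16, 2, { 'b' } };
    int64_t size;
    memcpy(buf, &a, sizeof a);
    memcpy(buf + 32, &b, sizeof b);
    if (patch_sizes(buf, valid, b.FileName, 2, 4096) < 0) return -1;
    memcpy(&size, buf + 32 + offsetof(DIR_ENTRY, EndOfFile), sizeof size);
    return size;
}
```

Unlike the loop in the original post, the last entry is handled inside the loop, so the size-patching code is not duplicated after it.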