Two possibilities here that I can think of:
(1) You are replacing Irp->MdlAddress but not updating Irp->UserBuffer;
I’ve seen that cause hangs of this type.
(2) The stuck thread is waiting at APC_LEVEL or with special kernel APCs
disabled, so the I/O is complete, but the I/O completion APC cannot run.
To check condition (2), use "dt nt!_KTHREAD
-b" toget a complete dump of the KTHREAD structure. In that information it
will tell you the wait irql and whether or not special kernel APCs are
disabled. The "!apc" command will show you if there are APCs sitting on
the queue waiting to run.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of kedar
Sent: Friday, June 03, 2005 7:12 AM
To: ntfsd redirect
Subject: [ntfsd] Problems when IRP is pend from Filter driver with Anti
Virus real time protection
Hi,
The following the is the output of !locks !irpfind and !thread commands
in
windbg when I pend the IRP with symantec anti virus real time protection
on.
And I see the IRP that we pened in the IRP list of the lock and in the
stack
I see both symatec driver and our filter driver.
Could any one give me more understanding of this windbg results.
kd> !locks
****DUMP OF ALL RESOURCE OBJECTS****
KD: Scanning for held
locks...........................................................
Resource @ savrt (0xf0094040) Shared 1 owning threads
Threads: 82026300-01<*>
KD: Scanning for held locks...................................
Resource @ 0x81fe6aa8 Shared 1 owning threads
Threads: 822cb663-01<*> ***Actual Thread 822cb660
Resource @ 0x81f93040 Shared 1 owning threads
Threads: 822cb663-01<*>*** Actual Thread 822cb660
KD: Scanning for held locks.
Resource @ 0x82000730 Shared 1 owning threads
Threads: 822ca023-01<*> *** Actual Thread 822ca020
3002 total locks, 4 locks currently held
kd> !locks -v f0094040
Resource @ savrt (0xf0094040) Shared 1 owning threads
Threads: 82026300-01<*>
THREAD 82026300 Cid 08c4.08f0 Teb: 7ffd6000 Win32Thread: 00000000
WAIT: (Executive) KernelMode Non-Alertable
82002fec NotificationEvent
IRP List:
82880e28: (0006,01d8) Flags: 40000900 Mdl: 81f87240
82ac6e28: (0006,01d8) Flags: 40000884 Mdl: 00000000
Not impersonating
DeviceMap e2fb1df0
Owning Process 81b7c630 Image:
wmplayer.exe
Wait Start TickCount 8513 Ticks: 3785
(0:00:00:59.140)
Context Switch Count 4
UserTime 00:00:00.0000
KernelTime 00:00:00.0000
Start Address 0x7c810856
Win32 Start Address 0x77c3a341
Stack Init eed86000 Current eed854ec Base eed86000 Limit eed83000
Call
0
Priority 11 BasePriority 8 PriorityDecrement 2 DecrementCount 16
ChildEBP RetAddr
eed85504 804dc6a6 nt!KiSwapContext+0x2e (FPO: [EBP 0xeed85538]
[0,0,4])
eed85510 804dc6f2 nt!KiSwapThread+0x46 (FPO: [0,0,0])
eed85538 8057e0b3 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
eed85560 80571dc2 nt!IopSynchronousServiceTail+0xc6 (FPO:
[Non-Fpo])
eed85608 804df06b nt!NtReadFile+0x580 (FPO: [Non-Fpo])
eed85608 804ddcb2 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @
eed85634)
eed856a4 f00cbc43 nt!ZwReadFile+0x11 (FPO: [9,0,0])
WARNING: Stack unwind information not available. Following frames may be
wrong.
eed856ec f009a0f6 savrt+0x3dc43
eed85740 f009a55e savrt+0xc0f6
e1772e40 e1879268 savrt+0xc55e
f007b86c f0080d00 0xe1879268
f0082150 ffffeb28 SYMEVENT!SYMEvent_GetVMDataPtr+0x4560
e8f18b56 00000000 0xffffeb28
1 total locks, 1 locks currently held
kd> !irp 82ac628
082ac628: Could not read Irp
kd> !irp 82ac6e28
Irp is active with 10 stacks 9 is current (= 0x82ac6fb8)
No Mdl Thread 82026300: Irp stack trace.
cmd flg cl Device File Completion-Context
[0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[0, 0] 0 10 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
>[0, 0] 0 e0 81f741f8 82040cd8 f84e6190-81ad4410 Success Error
Cancel
\Driver\SymEvent fsfd!CompletionRoutine
Args: eed85a88 01000064 00070080 00000000
[0, 0] 0 0 8210f478 82040cd8 00000000-00000000
\FileSystem\fsfd
Args: eed85a88 01000064 00070080 00000000
kd> !thread 82026300
THREAD 82026300 Cid 08c4.08f0 Teb: 7ffd6000 Win32Thread: 00000000
WAIT:
(Executive) KernelMode Non-Alertable
82002fec NotificationEvent
IRP List:
82880e28: (0006,01d8) Flags: 40000900 Mdl: 81f87240
82ac6e28: (0006,01d8) Flags: 40000884 Mdl: 00000000
Not impersonating
DeviceMap e2fb1df0
Owning Process 81b7c630 Image: wmplayer.exe
Wait Start TickCount 8513 Ticks: 3785 (0:00:00:59.140)
Context Switch Count 4
UserTime 00:00:00.0000
KernelTime 00:00:00.0000
Start Address 0x7c810856
Win32 Start Address 0x77c3a341
Stack Init eed86000 Current eed854ec Base eed86000 Limit eed83000 Call 0
Priority 11 BasePriority 8 PriorityDecrement 2 DecrementCount 16
ChildEBP RetAddr Args to Child
eed85504 804dc6a6 82026370 82026300 804dc6f2 nt!KiSwapContext+0x2e (FPO:
[EBP 0xeed85538] [0,0,4])
eed85510 804dc6f2 00000103 00000000 82880e28 nt!KiSwapThread+0x46 (FPO:
[0,0,0])
eed85538 8057e0b3 00000000 00000000 00000200
nt!KeWaitForSingleObject+0x1c2
(FPO: [Non-Fpo])
eed85560 80571dc2 8210f478 00000103 82002f90
nt!IopSynchronousServiceTail+0xc6 (FPO: [Non-Fpo])
eed85608 804df06b 00000298 00000000 00000000 nt!NtReadFile+0x580 (FPO:
[Non-Fpo])
eed85608 804ddcb2 00000298 00000000 00000000 nt!KiFastCallEntry+0xf8
(FPO:
[0,0] TrapFrame @ eed85634)
eed856a4 f00cbc43 00000298 00000000 00000000 nt!ZwReadFile+0x11 (FPO:
[9,0,0])
WARNING: Stack unwind information not available. Following frames may be
wrong.
eed856ec f009a0f6 81b90f80 f009a070 eed8575c savrt+0x3dc43
eed85740 f009a55e 81b90f80 00003f80 f009a070 savrt+0xc0f6
e1772e40 e1879268 f007b420 e1b69160 f007b424 savrt+0xc55e
f007b86c f0080d00 f0080da0 f007c7a0 f0080df0 0xe1879268
f0082150 ffffeb28 082444f6 56097401 00296be8
SYMEVENT!SYMEvent_GetVMDataPtr+0x4560
e8f18b56 00000000 00000000 00000000 00000000 0xffffeb28
Thanks,
Kedar.
---
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com