Problems when IRP is pend from Filter driver with Anti Virus real time protection

Two possibilities here that I can think of:

(1) You are replacing Irp->MdlAddress but not updating Irp->UserBuffer;
I’ve seen that cause hangs of this type.
(2) The stuck thread is waiting at APC_LEVEL or with special kernel APCs
disabled, so the I/O is complete, but the I/O completion APC cannot run.

To check condition (2), use "dt nt!_KTHREAD -b" to get a complete dump of
the KTHREAD structure. In that information it will tell you the wait irql
and whether or not special kernel APCs are disabled. The "!apc" command
will show you if there are APCs sitting on the queue waiting to run.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
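
Added example (not part of Tony's reply or of OSR's material): the two checks
above written out as a WinDbg session against the addresses in Kedar's dump
(thread 82026300, IRPs 82880e28 and 82ac6e28, MDL 81f87240). The _KTHREAD field
names (WaitIrql, KernelApcDisable, SpecialApcDisable, ApcState) are assumed to
be those of the XP/2003-era kernel; they vary by build, which is why the
full "-b" dump is kept as the fallback.

```windbg
$$ Added example, not from the original post. Thread/IRP/MDL addresses are
$$ taken from the !thread output in the thread; field names are assumptions.

$$ 1. Re-establish which thread and which IRPs are involved.
!thread 82026300

$$ 2. Condition (2): can an APC be delivered to this thread at all?
$$    WaitIrql 0 = PASSIVE_LEVEL (APCs deliverable); 1 = APC_LEVEL (blocked).
$$    KernelApcDisable != 0  -> critical region, normal kernel APCs held.
$$    SpecialApcDisable != 0 -> guarded region, special kernel APCs held too;
$$    I/O completion is queued as a special kernel APC, so this one matters.
dt nt!_KTHREAD 82026300 WaitIrql KernelApcDisable SpecialApcDisable
dt nt!_KTHREAD 82026300 ApcState.

$$    Full structure dump if the field names differ on this kernel build.
dt nt!_KTHREAD 82026300 -b

$$ 3. Anything already sitting on this thread's APC queues?
!apc thread 82026300

$$ 4. Condition (1): for each IRP on the thread, compare the MDL the filter
$$    may have substituted with what UserBuffer still points at. For an MDL
$$    the I/O manager built for the caller's buffer, StartVa + ByteOffset
$$    equals UserBuffer; a filter-owned MDL that was never swapped back will
$$    describe a different range.
dt nt!_IRP 82880e28 MdlAddress UserBuffer Flags
dt nt!_MDL 81f87240 StartVa ByteOffset ByteCount MappedSystemVa
dt nt!_IRP 82ac6e28 MdlAddress UserBuffer Flags

$$    The trailing 1 prints every stack location with its completion routine;
$$    a swapped MDL has to be restored in one of those before completion.
!irp 82880e28 1
!irp 82ac6e28 1
```

The thread is only stuck for condition (2) if WaitIrql is above 0 or the
special-APC disable count is non-zero while !apc shows a completion APC
queued; if the APC queue is empty, the I/O has not actually completed and the
IRP dump in step 4 is where to look next.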

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of kedar
Sent: Friday, June 03, 2005 7:12 AM
To: ntfsd redirect
Subject: [ntfsd] Problems when IRP is pend from Filter driver with Anti Virus real time protection

Hi,

The following is the output of the !locks, !irpfind and !thread commands in
windbg when I pend the IRP with Symantec anti virus real time protection
on.

And I see the IRP that we pended in the IRP list of the lock, and in the
stack I see both the Symantec driver and our filter driver.

Could anyone give me more understanding of these windbg results?

kd> !locks

****DUMP OF ALL RESOURCE OBJECTS****

KD: Scanning for held locks...........................................................

Resource @ savrt (0xf0094040) Shared 1 owning threads

Threads: 82026300-01<*>

KD: Scanning for held locks...................................

Resource @ 0x81fe6aa8 Shared 1 owning threads

Threads: 822cb663-01<*> ***Actual Thread 822cb660

Resource @ 0x81f93040 Shared 1 owning threads

Threads: 822cb663-01<*>*** Actual Thread 822cb660

KD: Scanning for held locks.

Resource @ 0x82000730 Shared 1 owning threads

Threads: 822ca023-01<*> *** Actual Thread 822ca020

3002 total locks, 4 locks currently held

kd> !locks -v f0094040

Resource @ savrt (0xf0094040) Shared 1 owning threads

Threads: 82026300-01<*>

THREAD 82026300 Cid 08c4.08f0 Teb: 7ffd6000 Win32Thread: 00000000

WAIT: (Executive) KernelMode Non-Alertable

82002fec NotificationEvent

IRP List:

82880e28: (0006,01d8) Flags: 40000900 Mdl: 81f87240

82ac6e28: (0006,01d8) Flags: 40000884 Mdl: 00000000

Not impersonating

DeviceMap e2fb1df0

Owning Process 81b7c630 Image: wmplayer.exe

Wait Start TickCount 8513 Ticks: 3785 (0:00:00:59.140)

Context Switch Count 4

UserTime 00:00:00.0000

KernelTime 00:00:00.0000

Start Address 0x7c810856

Win32 Start Address 0x77c3a341

Stack Init eed86000 Current eed854ec Base eed86000 Limit eed83000 Call 0

Priority 11 BasePriority 8 PriorityDecrement 2 DecrementCount 16

ChildEBP RetAddr

eed85504 804dc6a6 nt!KiSwapContext+0x2e (FPO: [EBP 0xeed85538] [0,0,4])

eed85510 804dc6f2 nt!KiSwapThread+0x46 (FPO: [0,0,0])

eed85538 8057e0b3 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])

eed85560 80571dc2 nt!IopSynchronousServiceTail+0xc6 (FPO: [Non-Fpo])

eed85608 804df06b nt!NtReadFile+0x580 (FPO: [Non-Fpo])

eed85608 804df06b nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ eed85634)

eed856a4 f00cbc43 nt!ZwReadFile+0x11 (FPO: [9,0,0])

WARNING: Stack unwind information not available. Following frames may be wrong.

eed856ec f009a0f6 savrt+0x3dc43

eed85740 f009a55e savrt+0xc0f6

e1772e40 e1879268 savrt+0xc55e

f007b86c f0080d00 0xe1879268

f0082150 ffffeb28 SYMEVENT!SYMEvent_GetVMDataPtr+0x4560

e8f18b56 00000000 0xffffeb28

1 total locks, 1 locks currently held

kd> !irp 82ac628

082ac628: Could not read Irp

kd> !irp 82ac6e28

Irp is active with 10 stacks 9 is current (= 0x82ac6fb8)

No Mdl Thread 82026300: Irp stack trace.

cmd flg cl Device File Completion-Context

[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

[0, 0] 0 10 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

>[0, 0] 0 e0 81f741f8 82040cd8 f84e6190-81ad4410 Success Error Cancel

\Driver\SymEvent fsfd!CompletionRoutine

Args: eed85a88 01000064 00070080 00000000

[0, 0] 0 0 8210f478 82040cd8 00000000-00000000

\FileSystem\fsfd

Args: eed85a88 01000064 00070080 00000000

kd> !thread 82026300

THREAD 82026300 Cid 08c4.08f0 Teb: 7ffd6000 Win32Thread: 00000000

WAIT: (Executive) KernelMode Non-Alertable

82002fec NotificationEvent

IRP List:

82880e28: (0006,01d8) Flags: 40000900 Mdl: 81f87240

82ac6e28: (0006,01d8) Flags: 40000884 Mdl: 00000000

Not impersonating

DeviceMap e2fb1df0

Owning Process 81b7c630 Image: wmplayer.exe

Wait Start TickCount 8513 Ticks: 3785 (0:00:00:59.140)

Context Switch Count 4

UserTime 00:00:00.0000

KernelTime 00:00:00.0000

Start Address 0x7c810856

Win32 Start Address 0x77c3a341

Stack Init eed86000 Current eed854ec Base eed86000 Limit eed83000 Call 0

Priority 11 BasePriority 8 PriorityDecrement 2 DecrementCount 16

ChildEBP RetAddr Args to Child

eed85504 804dc6a6 82026370 82026300 804dc6f2 nt!KiSwapContext+0x2e (FPO: [EBP 0xeed85538] [0,0,4])

eed85510 804dc6f2 00000103 00000000 82880e28 nt!KiSwapThread+0x46 (FPO: [0,0,0])

eed85538 8057e0b3 00000000 00000000 00000200 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])

eed85560 80571dc2 8210f478 00000103 82002f90 nt!IopSynchronousServiceTail+0xc6 (FPO: [Non-Fpo])

eed85608 804df06b 00000298 00000000 00000000 nt!NtReadFile+0x580 (FPO: [Non-Fpo])

eed85608 804ddcb2 00000298 00000000 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ eed85634)

eed856a4 f00cbc43 00000298 00000000 00000000 nt!ZwReadFile+0x11 (FPO: [9,0,0])

WARNING: Stack unwind information not available. Following frames may be wrong.

eed856ec f009a0f6 81b90f80 f009a070 eed8575c savrt+0x3dc43

eed85740 f009a55e 81b90f80 00003f80 f009a070 savrt+0xc0f6

e1772e40 e1879268 f007b420 e1b69160 f007b424 savrt+0xc55e

f007b86c f0080d00 f0080da0 f007c7a0 f0080df0 0xe1879268

f0082150 ffffeb28 082444f6 56097401 00296be8 SYMEVENT!SYMEvent_GetVMDataPtr+0x4560

e8f18b56 00000000 00000000 00000000 00000000 0xffffeb28

Thanks,

Kedar.

---
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com