The TopLevelIrp for Paging SetEOF

We know there are two situations for paging SetEOF:
1. The Cache Manager issues this call if the ValidDataLength for the file stream has been extended. This call can be distinguished by the fact that the AdvanceOnly field will be set to TRUE.
2. The calls can and do originate in the NT VMM when a process tries to create a section object for a file stream to prepare to map in views for the file.

Two questions for my filter:
1. If (Paging && AdvanceOnly), I don’t need to trace the file size, because the call is due to a user writing beyond the current valid data length (and in the calls I have traced the file size).
2. When I call IoGetTopLevelIrp in paging SetEOF, it should be FSRTL_FSP_TOP_LEVEL_IRP or FSRTL_CACHE_TOP_LEVEL_IRP. But I have seen this situation: it is Paging, AdvanceOnly is False, and IoGetTopLevelIrp is NULL. Why?

Thanks for any advice.

> We know there are two situations for paging SetEOF:

There is a third situation, when the already created section is extended.

> 2. When I call IoGetTopLevelIrp in paging SetEOF, it should be
> FSRTL_FSP_TOP_LEVEL_IRP or FSRTL_CACHE_TOP_LEVEL_IRP. But I have seen this
> situation: it is Paging, AdvanceOnly is False, and IoGetTopLevelIrp is
> NULL. Why?

The system doesn’t acquire any FSD or file resources if the call comes
from a trusted subsystem such as the FSD or the cache manager, because they
have already acquired resources and set the TopLevelIrp value (it might be
any!). In other cases FSRTL_FSP_TOP_LEVEL_IRP is set as TopLevelIrp, except
the case when a section is extended (an internal system resource is acquired
in this case), so I think that you described the section extension beyond
the file size.
It would be better if you provide us with a call stack.


Slava Imameyev, xxxxx@hotmail.com


>> We know there are two situations for paging SetEOF:

> There is a third situation, when the already created section is extended.

Is this the third situation? I know an already created section can’t be extended by the user (memory-mapped file). So, what do you mean?

>> 2. When I call IoGetTopLevelIrp in paging SetEOF, it should be
>> FSRTL_FSP_TOP_LEVEL_IRP or FSRTL_CACHE_TOP_LEVEL_IRP. But I have seen this
>> situation: it is Paging, AdvanceOnly is False, and IoGetTopLevelIrp is
>> NULL. Why?

> The system doesn’t acquire any FSD or file resources if the call comes
> from a trusted subsystem such as the FSD or the cache manager, because they
> have already acquired resources and set the TopLevelIrp value (it might be
> any!). In other cases FSRTL_FSP_TOP_LEVEL_IRP is set as TopLevelIrp, except
> the case when a section is extended (an internal system resource is acquired
> in this case), so I think that you described the section extension beyond
> the file size.
> It would be better if you provide us with a call stack.

Yes, the FSRTL_FSP_TOP_LEVEL_IRP is set when a section is extended (my test uses a memory-mapped file).
I don’t see any other TopLevelIrp set when a section is extended for MMF. But I do see other TopLevelIrp values set in other situations. What situations? Sorry, I don’t know; I just DbgPrint all information in my Paging SetEOF routine.

> Is this the third situation?

Yes, it is the third situation. It is produced by MmExtendSection. For
example, an already created section for a pagefile
is extended when VA space is allocated on a boundary with another VA space
with the same properties.

> Yes, the FSRTL_FSP_TOP_LEVEL_IRP is set when a section is extended (my test
> uses a memory-mapped file).

Did you see MmExtendSection in a call stack for this case? I think this is a
request to extend the file before creating the section.
There is a situation when MmExtendSection is called from NtCreateSection
(called by a user thread) after extending the file size and creating the
section. I’ll try to describe it. The first check for a file size is made
before creating a section, and a SetEOF request is sent with FSD resources
acquired (so TopLevelIrp is not NULL). The second check is made after
creating the section and releasing all FSD resources (so TopLevelIrp is
NULL), but now the sizes of the section and the segment are compared. The
size of the segment determines how many ProtoPTEs are assigned to a segment
that supports all sections for a file. If the size of the segment is smaller
than the size of the section, MmExtendSection is called to enlarge the
segment size. MmExtendSection again checks the file size against the section
size; if some thread sneaked in before calling MmExtendSection and after
releasing the FSD resources and reduced the file size, then a SetEOF request is
sent from MmExtendSection. MmCanFileBeTruncated doesn’t stop this thread
from file truncation, because MmCanFileBeTruncated compares the new file size
against the segment size.


Slava Imameyev, xxxxx@hotmail.com


Thanks, Slava.

According to my reading and your descriptions, I can say:
If AdvanceOnly == TRUE, then this paging SetEOF is just for allocation. So I don’t care about it for the file size. Right?
If AdvanceOnly != TRUE, then this paging SetEOF will set the file size. So I must take its size as the file size. Right?

I have checked FastFat, and I think the above is right.

> If AdvanceOnly == TRUE, then this paging SetEOF is just for allocation. So I
> don’t care about it for the file size. Right?

I think yes. If the FSD behaves correctly, this request can’t increase the file
size, because the file can’t be truncated below the cache manager’s valid data
length; MmCanFileBeTruncated returns FALSE for this case. This request
advances the FSD’s valid data length to the cache manager’s valid data length.

> If AdvanceOnly != TRUE, then this paging SetEOF will set the file size. So I must
> take its size as the file size. Right?

Yes, this is definitely the file size changing.


Slava Imameyev, xxxxx@hotmail.com
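
The rule the thread settles on, as an added example that is not code from any poster: a user-mode C model of how a filter might track sizes from paging SetEOF requests. The struct, enum and function names are hypothetical and the events are constructed; the two FSRTL_* values are the ones defined in ntifs.h.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Top-level IRP marker values as defined in ntifs.h; 0 models NULL. */
#define FSRTL_FSP_TOP_LEVEL_IRP   ((uintptr_t)0x01)
#define FSRTL_CACHE_TOP_LEVEL_IRP ((uintptr_t)0x02)

typedef struct {             /* hypothetical record of one SetEOF request */
    bool      paging_io;     /* IRP_PAGING_IO was set */
    bool      advance_only;  /* Parameters.SetFile.AdvanceOnly */
    uintptr_t top_level_irp; /* what IoGetTopLevelIrp() returned */
    int64_t   end_of_file;   /* requested EndOfFile */
} seteof_event;

typedef struct {             /* hypothetical per-stream filter context */
    int64_t file_size;
    int64_t valid_data_length;
} stream_ctx;
typedef enum { SETEOF_NOT_PAGING, SETEOF_VDL_ADVANCE, SETEOF_SIZE_CHANGE } seteof_kind;

/* AdvanceOnly alone classifies a paging SetEOF. top_level_irp is never
 * consulted: per the thread it can be NULL, an FSRTL_* marker or any value. */
seteof_kind track_seteof(stream_ctx *ctx, const seteof_event *ev)
{
    if (!ev->paging_io) return SETEOF_NOT_PAGING;   /* outside this model */
    if (ev->advance_only) {
        /* Valid data length only moves forward; file size is untouched. */
        if (ev->end_of_file > ctx->valid_data_length)
            ctx->valid_data_length = ev->end_of_file;
        return SETEOF_VDL_ADVANCE;
    }
    ctx->file_size = ev->end_of_file;               /* real file size change */
    return SETEOF_SIZE_CHANGE;
}

int main(void)
{
    stream_ctx ctx = { 4096, 1024 };
    const seteof_event evs[] = {                    /* constructed sample events */
        { true, true,  FSRTL_CACHE_TOP_LEVEL_IRP, 3000 },
        { true, false, FSRTL_FSP_TOP_LEVEL_IRP,   8192 },
        { true, false, 0,                         16384 }, /* NULL top-level IRP */
    };
    for (size_t i = 0; i < sizeof evs / sizeof evs[0]; i++) {
        seteof_kind k = track_seteof(&ctx, &evs[i]);
        printf("kind=%d size=%lld vdl=%lld\n", (int)k, (long long)ctx.file_size, (long long)ctx.valid_data_length);
    }
}
```

In a real filter the same fields come from the IRP_MJ_SET_INFORMATION request for FileEndOfFileInformation rather than from a constructed array.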
