thread deadlock due to fltmgr and legacy driver

Hi,

This is regarding the deadlock that occurred due to the presence of a minifilter driver (MiniFilterFSFD) and a legacy file system driver (LegacyFSFD). The OS is Windows 2000 SP4.

The device stack as shown by DeviceTree is,

FltMgr
LegacyFSFD
Ntfs

After both the drivers are installed and running on machine M1, a share is created on it and is accessed from another machine M2. M2 shows an hourglass for a few seconds and finally throws the error “the network path is inaccessible”. Connecting windbg to M1 showed that there is a thread which deadlocks itself. Following is the stack:

kd> !thread 81e6ada0
THREAD 81e6ada0 Cid 8.810 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
f24c2224 NotificationEvent
IRP List:
8242f488: (0006,01b4) Flags: 00000884 Mdl: 00000000
81e73128: (0006,0190) Flags: 00000884 Mdl: 00000000
82402668: (0006,01b4) Flags: 00000884 Mdl: 00000000
Impersonation token: e2077030 (Level Impersonation)
Owning Process 8277a300
Wait Start TickCount 12500 Elapsed Ticks: 2423
Context Switch Count 307
UserTime 0:00:00.0000
KernelTime 0:00:00.0046
Start Address srv!SrvOemStringTo8dot3 (0xf5dc3038)
Stack Init f24c4000 Current f24c21ac Base f24c4000 Limit f24c1000 Call 0
Priority 9 BasePriority 9 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
f24c21c4 8042c2ad 00000000 00000000 f78f7db8 nt!KiSwapThread+0xc5 (FPO: [Uses EBP] [0,0,4])
f24c21ec f7900a3a f24c2224 00000000 00000000 nt!KeWaitForSingleObject+0x1a1 (FPO: [Non-Fpo])
f24c2238 f79042bf f79042e0 82444568 82444568 fltmgr!FltpPostSyncOperation+0x4a (FPO: [Non-Fpo])
f24c2258 f79028c4 82444568 00000000 82444568 fltmgr!FltpGetNormalizedFileName+0x59 (FPO: [Non-Fpo]) ********** 2nd call
f24c2270 f7901e12 8046ca84 00000000 82444568 fltmgr!FltpCreateFileNameInformation+0xc4 (FPO: [Non-Fpo])
f24c2280 f78f30f7 82444568 825b0064 00000000 fltmgr!CreateTemporaryFileNameInformation+0xc (FPO: [1,0,2])
f24c22b0 f78f3299 82444568 825b0064 804149e8 fltmgr!FltpGetFileNameInformation+0x54f (FPO: [Non-Fpo])
f24c22dc f23c9c19 825b0000 00000401 f24c232c fltmgr!FltGetFileNameInformation+0x127 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
f24c2554 f78ec941 825b0064 f24c2574 f24c2590 MiniFilterFSFD+0x1c19
f24c25b8 f78f0162 f24c2500 f24c25f8 825b0008 fltmgr!FltpPerformPreCallbacks+0x24c (FPO: [Non-Fpo])
f24c25cc f78fbec5 f24c25f8 f78fbf67 00000000 fltmgr!FltpPassThroughInternal+0x30 (FPO: [2,0,3])
f24c25e0 f78fbe4d f24c25f8 823ffac0 8242f488 fltmgr!FltpCreateInternal+0x5f (FPO: [1,0,2])
f24c2614 8041dded 823ffac0 8242f618 8242f498 fltmgr!FltpCreate+0x28b (FPO: [Non-Fpo])
f24c2628 804bf978 804824e0 804beeba f24c292c nt!IopfCallDriver+0x35 (FPO: [0,0,2])
f24c27b8 80450893 827268b0 00000000 f24c2870 nt!IopParseDevice+0xabe (FPO: [Non-Fpo])
f24c2830 804d59a0 00000000 82755e00 00000040 nt!ObpLookupObjectName+0x4e7 (FPO: [Non-Fpo])
f24c2940 8049f9f1 00000000 00000000 00000000 nt!ObOpenObjectByName+0xc8 (FPO: [Non-Fpo])
f24c2a1c 8049f596 f24c2bcc 00000080 f24c2b70 nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
f24c2a64 804a8279 f24c2bcc 00000080 f24c2b70 nt!IoCreateFile+0x36 (FPO: [Non-Fpo])
f24c2aa4 80464f84 f24c2bcc 00000080 f24c2b70 nt!NtOpenFile+0x25 (FPO: [Non-Fpo])
f24c2aa4 8042fe9f f24c2bcc 00000080 f24c2b70 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f24c2ac4)
f24c2b34 f62834cc f24c2bcc 00000080 f24c2b70 nt!ZwOpenFile+0xb (FPO: [6,0,0])
f24c2bc4 f626e67d e1ffac08 e1f7d7e8 8042c301 LegacyFSFD!F3+0xac (FPO: [Uses EBP] [9,28,4]) (CONV: stdcall)
f24c2c4c f626e414 82577918 82578538 e1e3afb4 LegacyFSFD!F2+0xcd (FPO: [Non-Fpo]) (CONV: stdcall)
f24c2cdc f626dcbd 82577918 82578538 e1e3afb4 LegacyFSFD!F1+0x324 (FPO: [Non-Fpo]) (CONV: stdcall)
f24c2d8c f626d930 82577860 81e73128 82578538 LegacyFSFD!PostCreate+0x19d (FPO: [Non-Fpo]) (CONV: stdcall)
f24c2dc4 f62788eb 82577860 81e73128 82578500 LegacyFSFD!Create+0x3a4 (FPO: [Uses EBP] [3,6,4]) (CONV: stdcall)
f24c2e14 f626cd40 82577860 81e73128 f626d58c LegacyFSFD!FsdDispatch+0xdb (FPO: [Non-Fpo]) (CONV: stdcall)
f24c2e2c 8041dded 82577860 81e73128 81e73138 LegacyFSFD!EPCreate+0x1b (FPO: [2,0,0]) (CONV: stdcall)
f24c2e40 804bf978 804824e0 804beeba f24c3144 nt!IopfCallDriver+0x35 (FPO: [0,0,2])
f24c2fd0 80450893 827268b0 00000000 f24c3088 nt!IopParseDevice+0xabe (FPO: [Non-Fpo])
f24c3048 804d59a0 00000000 82755e00 00000240 nt!ObpLookupObjectName+0x4e7 (FPO: [Non-Fpo])
f24c3158 8049f9f1 00000000 00000000 f24c3100 nt!ObOpenObjectByName+0xc8 (FPO: [Non-Fpo])
f24c3234 8049f5e6 f24c32ec 00100001 f24c32cc nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
f24c327c f79041b0 f24c32ec 00100001 f24c32cc nt!IoCreateFileSpecifyDeviceObjectHint+0x4c (FPO: [Non-Fpo])
f24c32f0 f7904d65 824425a8 f7903991 824425a8 fltmgr!FltpNormalizeNameComponent+0x70 (FPO: [Non-Fpo])
f24c32f8 f7903991 824425a8 00000000 824425a8 fltmgr!FltpCallNormalizeNameComponentHandler+0x39 (FPO: [1,0,0])
f24c3324 f79043fd 00000028 00000000 824425a8 fltmgr!FltpExpandShortNames+0x10f (FPO: [Non-Fpo])
f24c3340 f790427d 82440000 00000000 000000fe fltmgr!FltpGetNormalizedFileNameWorker+0xb1 (FPO: [Non-Fpo])
f24c3358 f79028c4 824425a8 00000000 824425a8 fltmgr!FltpGetNormalizedFileName+0x17 (FPO: [Non-Fpo]) ********** 1st call
f24c3370 f7901e12 8046ca84 00000000 824425a8 fltmgr!FltpCreateFileNameInformation+0xc4 (FPO: [Non-Fpo])
f24c3380 f78f30f7 824425a8 824009c4 00000000 fltmgr!CreateTemporaryFileNameInformation+0xc (FPO: [1,0,2])
f24c33b0 f78f3299 824425a8 824009c4 804149e8 fltmgr!FltpGetFileNameInformation+0x54f (FPO: [Non-Fpo])
f24c33dc f23c9c19 82400900 00000401 f24c342c fltmgr!FltGetFileNameInformation+0x127 (FPO: [Non-Fpo])
f24c3654 f78ec941 824009c4 f24c3674 f24c3690 MiniFilterFSFD+0x1c19
f24c36b8 f78f0162 f24c3600 f24c36f8 82400968 fltmgr!FltpPerformPreCallbacks+0x24c (FPO: [Non-Fpo])
f24c36cc f78fbec5 f24c36f8 f78fbf67 00000000 fltmgr!FltpPassThroughInternal+0x30 (FPO: [2,0,3])
f24c36e0 f78fbe4d f24c36f8 823ffac0 82402668 fltmgr!FltpCreateInternal+0x5f (FPO: [1,0,2])
f24c3714 8041dded 823ffac0 824027f8 82402678 fltmgr!FltpCreate+0x28b (FPO: [Non-Fpo])
f24c3728 804bf978 824707c8 f24c3ae0 f24c3a64 nt!IopfCallDriver+0x35 (FPO: [0,0,2])
f24c38b8 804bfeb8 823ffac0 00000000 f24c39a8 nt!IopParseDevice+0xabe (FPO: [Non-Fpo])
f24c38f0 8045049d 824707c8 00000000 f24c39a8 nt!IopParseFile+0x44 (FPO: [Non-Fpo])
f24c3968 804d59a0 00000304 f24c3a64 00000040 nt!ObpLookupObjectName+0xf1 (FPO: [Non-Fpo])
f24c3a78 8049f9f1 00000000 00000000 82752600 nt!ObOpenObjectByName+0xc8 (FPO: [Non-Fpo])
f24c3b54 8049f596 f24c3cc4 00000080 f24c3c98 nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
f24c3b9c f5dc7175 f24c3cc4 00000080 f24c3c98 nt!IoCreateFile+0x36 (FPO: [Non-Fpo])
f24c3c74 f5db5469 00000010 82449da0 f24c3cb0 srv!SrvCreateFile+0x23 (FPO: [Non-Fpo])
f24c3cd8 f5dc4094 821f59e0 821f59e0 80460840 srv!ScavengerTimerRoutine+0x109 (FPO: [Non-Fpo])
f24c3e14 00000000 00000000 00000000 00000000 srv!SrvSmbSearch+0xd38 (FPO: [Non-Fpo])

It seems that the ZwOpenFile call from the LegacyFSFD made the thread re-enter the fltmgr functions, where it deadlocked itself. Is calling ZwOpenFile from a legacy driver in such a fashion not supported when fltmgr is installed? Or is it some defect in fltmgr that causes this deadlock, which, if the defect were not present, would not result in a deadlock?

Thanks for any help extended.

Amol
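As an added illustration (this is not part of the post above, nor code from either driver), the following Python script parses windbg `k`-style frames and reports the innermost fltmgr frame that appears twice on the stack, plus the frame that re-entered the I/O path through nt!Zw*. The embedded sample is a trimmed copy of the stack from the post; the function names (`parse_frames`, `innermost_reentered`, `reentry_originator`, `diagnose`) are my own and the heuristic that the caller of the first nt!Zw* frame is the "originator" is an assumption that fits this particular stack.

```python
import re

# Constructed sample: a trimmed copy of the "!thread" stack from the post above.
# Only the frame lines and the WARNING line are kept; the "(FPO: ...)" tails are preserved
# so the parser is exercised on realistic input.
SAMPLE_STACK = """\
f24c21c4 8042c2ad 00000000 00000000 f78f7db8 nt!KiSwapThread+0xc5 (FPO: [Uses EBP] [0,0,4])
f24c21ec f7900a3a f24c2224 00000000 00000000 nt!KeWaitForSingleObject+0x1a1 (FPO: [Non-Fpo])
f24c2238 f79042bf f79042e0 82444568 82444568 fltmgr!FltpPostSyncOperation+0x4a (FPO: [Non-Fpo])
f24c2258 f79028c4 82444568 00000000 82444568 fltmgr!FltpGetNormalizedFileName+0x59 (FPO: [Non-Fpo])
f24c22dc f23c9c19 825b0000 00000401 f24c232c fltmgr!FltGetFileNameInformation+0x127 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
f24c2554 f78ec941 825b0064 f24c2574 f24c2590 MiniFilterFSFD+0x1c19
f24c25b8 f78f0162 f24c2500 f24c25f8 825b0008 fltmgr!FltpPerformPreCallbacks+0x24c (FPO: [Non-Fpo])
f24c2614 8041dded 823ffac0 8242f618 8242f498 fltmgr!FltpCreate+0x28b (FPO: [Non-Fpo])
f24c2628 804bf978 804824e0 804beeba f24c292c nt!IopfCallDriver+0x35 (FPO: [0,0,2])
f24c2a64 804a8279 f24c2bcc 00000080 f24c2b70 nt!IoCreateFile+0x36 (FPO: [Non-Fpo])
f24c2aa4 80464f84 f24c2bcc 00000080 f24c2b70 nt!NtOpenFile+0x25 (FPO: [Non-Fpo])
f24c2aa4 8042fe9f f24c2bcc 00000080 f24c2b70 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f24c2ac4)
f24c2b34 f62834cc f24c2bcc 00000080 f24c2b70 nt!ZwOpenFile+0xb (FPO: [6,0,0])
f24c2bc4 f626e67d e1ffac08 e1f7d7e8 8042c301 LegacyFSFD!F3+0xac (FPO: [Uses EBP] [9,28,4]) (CONV: stdcall)
f24c2d8c f626d930 82577860 81e73128 82578538 LegacyFSFD!PostCreate+0x19d (FPO: [Non-Fpo]) (CONV: stdcall)
f24c2e2c 8041dded 82577860 81e73128 81e73138 LegacyFSFD!EPCreate+0x1b (FPO: [2,0,0]) (CONV: stdcall)
f24c2e40 804bf978 804824e0 804beeba f24c3144 nt!IopfCallDriver+0x35 (FPO: [0,0,2])
f24c327c f79041b0 f24c32ec 00100001 f24c32cc nt!IoCreateFileSpecifyDeviceObjectHint+0x4c (FPO: [Non-Fpo])
f24c32f0 f7904d65 824425a8 f7903991 824425a8 fltmgr!FltpNormalizeNameComponent+0x70 (FPO: [Non-Fpo])
f24c3324 f79043fd 00000028 00000000 824425a8 fltmgr!FltpExpandShortNames+0x10f (FPO: [Non-Fpo])
f24c3358 f79028c4 824425a8 00000000 824425a8 fltmgr!FltpGetNormalizedFileName+0x17 (FPO: [Non-Fpo])
f24c33dc f23c9c19 82400900 00000401 f24c342c fltmgr!FltGetFileNameInformation+0x127 (FPO: [Non-Fpo])
f24c3654 f78ec941 824009c4 f24c3674 f24c3690 MiniFilterFSFD+0x1c19
f24c3714 8041dded 823ffac0 824027f8 82402678 fltmgr!FltpCreate+0x28b (FPO: [Non-Fpo])
f24c3b9c f5dc7175 f24c3cc4 00000080 f24c3c98 nt!IoCreateFile+0x36 (FPO: [Non-Fpo])
f24c3c74 f5db5469 00000010 82449da0 f24c3cb0 srv!SrvCreateFile+0x23 (FPO: [Non-Fpo])
"""

# ChildEBP RetAddr, three "Args to Child" words, then the symbol (module!function+offset).
FRAME_RE = re.compile(
    r"^(?P<ebp>[0-9a-f]{8}) (?P<ret>[0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(?P<symbol>\S+)"
)


def parse_symbol(sym):
    """'fltmgr!FltpCreate+0x28b' -> ('fltmgr', 'FltpCreate'); a bare 'Module+0x..' has no function."""
    base = sym.split("+", 1)[0]
    if "!" in base:
        module, func = base.split("!", 1)
        return module, func
    return base, None


def parse_frames(text):
    """Return frames innermost-first; header, WARNING and blank lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        module, func = parse_symbol(m.group("symbol"))
        frames.append({"ebp": m.group("ebp"), "module": module, "func": func,
                       "symbol": m.group("symbol")})
    return frames


def innermost_reentered(frames):
    """Walking outward from the waiting frame, return (inner, outer) indices of the first
    module!function that occurs again further out, or None if the stack has no recursion."""
    for i, f in enumerate(frames):
        if f["func"] is None:
            continue
        key = (f["module"], f["func"])
        for j in range(i + 1, len(frames)):
            if (frames[j]["module"], frames[j]["func"]) == key:
                return i, j
    return None


def reentry_originator(frames, inner, outer):
    """Assumption: the first nt!Zw* frame between the two occurrences marks the re-entry
    into the I/O manager, so the frame that called it is the code that re-entered."""
    for k in range(inner + 1, outer):
        f = frames[k]
        if f["module"] == "nt" and f["func"] and f["func"].startswith("Zw"):
            return frames[k + 1]
    return None


def diagnose(text):
    frames = parse_frames(text)
    hit = innermost_reentered(frames)
    if hit is None:
        return {"recursion": False, "frames": len(frames)}
    inner, outer = hit
    origin = reentry_originator(frames, inner, outer)
    return {
        "recursion": True,
        "frames": len(frames),
        "waiting_on": frames[0]["symbol"],
        "reentered": frames[inner]["module"] + "!" + frames[inner]["func"],
        "depth": outer - inner,
        "modules_in_loop": sorted({f["module"] for f in frames[inner:outer + 1]}),
        "originator": origin["symbol"] if origin else None,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_STACK).items():
        print(f"{key:16} {value}")
```

On the sample the report names fltmgr!FltpGetNormalizedFileName as the re-entered frame and LegacyFSFD!F3+0xac as the caller of nt!ZwOpenFile, which is the recursion Don's reply points at: the second name-normalization request is queued behind the first one on the same thread, and the thread waits on itself. Paste a full `!thread` dump in place of SAMPLE_STACK to run it on another hang.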

If you check the archives of this group you will see a lot of discussion of
the problems of calling ZwCreateFile or ZwOpenFile from a filter. This is
not a case of mini-filter versus legacy so much as recursion in the stack.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

wrote in message news:xxxxx@ntfsd…

Don, why did you not just say that the guy should look at roll your own IRP available at OSR, and unless the bug has not yet been repaired, the example has a flaw (it is obvious) and he should just be careful with it.

Because there are times it is justified to use ZwCreateFile. Also, RYOing
IRP_MJ_CREATE can be a PITA.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

wrote in message news:xxxxx@ntfsd…