unload problem on auto-attached mini filter.

Hi, all

I wrote a simple auto-attached minifilter.
It has only load, unload and instance setup routines.
But when I unload the driver, it hangs.
If I attach and detach it manually, unload works fine.
I have searched other threads in this forum, but I can't find the problem.

Here is the debug result.

THREAD 863b3b30 Cid 0004.0028 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
f7ca3b18 SynchronizationEvent
Not impersonating
DeviceMap e10031c0
Owning Process 863b5660 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 19372 Ticks: 902 (0:00:00:14.093)
Context Switch Count 6900
UserTime 00:00:00.000
KernelTime 00:00:00.640
Start Address nt!ExpWorkerThread (0x804e42f1)
Stack Init f7ca4000 Current f7ca3aa4 Base f7ca4000 Limit f7ca1000 Call 0
Priority 12 BasePriority 12 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr Args to Child
f7ca3abc 804e3bd2 863b3ba0 863b3b30 804e3c1e nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
f7ca3ac8 804e3c1e ffffffdb 00000000 851ae5a0 nt!KiSwapThread+0x8a (FPO: [0,0,0])
f7ca3af0 f775ec1b 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
f7ca3b30 f7750ff7 851e45a8 f7ca3b6c f7756a24 fltMgr!FltpExWaitForRundownProtectionReleaseCacheAware+0x83 (FPO: [0,7,0]) <<< ------------ I think this is a problem.
f7ca3b3c f7756a24 851e45a8 804de599 851ae5a0 fltMgr!FltpDrainPendingCallbacksForInstance+0x17 (FPO: [1,0,4])
f7ca3b6c f775d816 863534e8 00000004 85c99d58 fltMgr!FltpFreeInstance+0x74 (FPO: [2,6,4])
f7ca3b90 f0ee10a5 851e45dc 851ae500 00000000 fltMgr!FltUnregisterFilter+0x96 (FPO: [1,2,0])
f7ca3ba4 f7758e00 00000001 804de599 86373004 mydrv!MyDrv_Unload+0x95 (FPO: [Non-Fpo]) (CONV: stdcall) [e:\work\src\mydrv\mydrv.cpp @ 265]
f7ca3d3c f7758fb3 851ae5a0 00000001 00000001 fltMgr!FltpDoUnloadFilter+0xf8 (FPO: [Non-Fpo])
f7ca3d60 805f38cc 00000000 f1806b84 8056c5fc fltMgr!FltpMiniFilterDriverUnload+0xab (FPO: [1,1,0])
f7ca3d7c 804e43b5 f1806b84 00000000 863b3b30 nt!IopLoadUnloadDriver+0x19 (FPO: [1,1,4])
f7ca3dac 80577723 f1806b84 00000000 00000000 nt!ExpWorkerThread+0xef (FPO: [1,6,0])
f7ca3ddc 804ee6d9 804e42f1 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

0: kd> !fltkd.filter 0x84d40d98

*** Extension DLL(6721 Free) does not match target system(2600 Free)

FLT_FILTER: 84d40d98 “mydrv” “141200”
FLT_OBJECT: 84d40d98 [02000000] Filter
RundownRef : 0x0000000e (7)
PointerCount : 0x00000002
PrimaryLink : [85e8905c-85e2b014]
Frame : 85e89000 “Frame 1”
Flags : [00000003] UnloadInProgress FilteringInitiated
DriverObject : 85790560
FilterLink : [85e8905c-85e2b014]
PreVolumeMount : 00000000 (null)
PostVolumeMount : 00000000 (null)
FilterUnload : f127e010 mydrv!MyDrv_Unload
InstanceSetup : baf02790 fltMgr!FltvInstanceSetup
InstanceQueryTeardown : baf027b4 fltMgr!FltvInstanceQueryTeardown
InstanceTeardownStart : 00000000 (null)
InstanceTeardownComplete : 00000000 (null)
ActiveOpens : (84d40e5c) mCount=0
Client Port List : (84d40e88) mCount=0
VerifierExtension : 85d313b0
Operations : 84d40eb8
OldDriverUnload : 00000000 (null)
SupportedContexts : (84d40e28)
VolumeContexts : (84d40e28)
InstanceContexts : (84d40e2c)
ALLOCATE_CONTEXT_NODE: 84bf8008 “mydrv” [01] LookasideList
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: CONTEXT_NODE ***
*** ***
*************************************************************************

Could not read field “NonPaged.L.Size” of FltMgr!_ALLOCATE_CONTEXT_LOOKASIDE from address: 84bf8008
FileContexts : (84d40e30)
StreamContexts : (84d40e34)
StreamHandleContexts : (84d40e38)
TransactionContext : (84d40e3c)
InstanceList : (84d40dc8)
FLT_INSTANCE: 84d3d008 “mydrv Instance” “141200”
FLT_INSTANCE: 84f33df8 “mydrv Instance” “141200”
FLT_INSTANCE: 85d30df8 “mydrv Instance” “141200”
FLT_INSTANCE: 84ddbb80 “mydrv Instance” “141200”
FLT_INSTANCE: 84bf3df8 “mydrv Instance” “141200”
FLT_INSTANCE: 84bf3650 “mydrv Instance” “141200”

I think RundownRef might be the problem, but I can't work out why it is not zero in the unload function.

Any help is appreciated.

Regards.

Baker.

Looks like it is waiting for IO to your filter to be drained. Are you
sure your filter is not blocked in a post-operation callback with the
draining flag set?

Regards,
Sarosh.
File System Filter Lead
Microsoft Corp

This posting is provided “AS IS” with no warranties, and confers no Rights

Thanks for your reply, Sarosh.

I wrote the draining code in the post-operation callback as follows.

if (FlagOn(Flags, FLTFL_POST_OPERATION_DRAINING))
    return FLT_POSTOP_FINISHED_PROCESSING;

A strange thing is that the driver unloads successfully after a manual attach/detach.
If I had made a mistake in the draining handling, I think the unload of the manually attached driver should fail too, but it succeeds.

Any help is appreciated.

Regards.

Baker.
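For readers of this thread: the !fltkd output above shows RundownRef 0x0000000e, which the extension decodes as 7 outstanding references (the count is kept in the upper bits of the rundown word; the low bit is the rundown-in-progress flag), and the unload thread is parked in FltpDrainPendingCallbacksForInstance waiting for that count to reach zero. The constructed model below is an added example, not FltMgr code and not the poster's driver; it uses local stand-ins for the minifilter API names (FLTFL_POST_OPERATION_DRAINING, the FLT_POSTOP_* return values) and a model-only POSTOP_BLOCKED result so that a callback that never returns can be represented in a single-threaded program. It shows the point Sarosh is making: each pre-operation callback that asked for a post-operation callback holds a reference on the instance until the post-operation callback finishes, and a post-operation callback that blocks or defers its work while FLTFL_POST_OPERATION_DRAINING is set leaves that reference held, so FltUnregisterFilter never comes back.

```c
/*
 * Added example: constructed user-mode model of minifilter rundown
 * references during instance teardown. Not FltMgr code, not the poster's
 * driver; every name here is a local stand-in for the real API.
 */
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the fltKernel.h flag value. */
#define FLTFL_POST_OPERATION_DRAINING 0x00000001

typedef enum {
    FLT_POSTOP_FINISHED_PROCESSING,        /* callback done, reference released */
    FLT_POSTOP_MORE_PROCESSING_REQUIRED,   /* work deferred, reference kept     */
    POSTOP_BLOCKED                         /* model-only: callback never returns */
} POSTOP_RESULT;

typedef POSTOP_RESULT (*POSTOP_CALLBACK)(unsigned flags);

typedef struct {
    long rundown_ref;   /* model of the instance rundown count           */
    int  pending;       /* pre-ops that returned SUCCESS_WITH_CALLBACK   */
    int  deferred;      /* post-ops that asked for more processing       */
    POSTOP_CALLBACK post_op;
} MODEL_INSTANCE;

/* A pre-op that returns SUCCESS_WITH_CALLBACK takes a reference that is
 * only released when the matching post-op reports it is finished. */
static void model_preop_with_callback(MODEL_INSTANCE *inst)
{
    inst->rundown_ref++;
    inst->pending++;
}

/* Deliver one completion to the post-op. Returns false if the callback
 * blocked, i.e. the delivering thread would never come back. */
static bool model_deliver(MODEL_INSTANCE *inst, unsigned flags)
{
    inst->pending--;
    switch (inst->post_op(flags)) {
    case FLT_POSTOP_FINISHED_PROCESSING:
        inst->rundown_ref--;
        return true;
    case FLT_POSTOP_MORE_PROCESSING_REQUIRED:
        inst->deferred++;   /* in this model nothing runs deferred work during a drain */
        return true;
    default:
        return false;
    }
}

/* Model of FltUnregisterFilter -> FltpFreeInstance ->
 * FltpDrainPendingCallbacksForInstance: every outstanding callback is
 * called once with FLTFL_POST_OPERATION_DRAINING, then the unload thread
 * waits for the rundown count to reach zero. A callback that blocks, or
 * defers work that never runs, leaves the count non-zero and the wait
 * (FltpExWaitForRundownProtectionRelease in the thread dump) never ends. */
static bool model_unload_completes(POSTOP_CALLBACK cb, int outstanding)
{
    MODEL_INSTANCE inst = { 0, 0, 0, cb };
    for (int i = 0; i < outstanding; i++)
        model_preop_with_callback(&inst);

    while (inst.pending > 0)
        if (!model_deliver(&inst, FLTFL_POST_OPERATION_DRAINING))
            return false;   /* unload thread stuck inside the callback */

    return inst.rundown_ref == 0;
}

/* Correct shape: when draining, do nothing that can wait or defer. */
static POSTOP_RESULT good_postop(unsigned flags)
{
    if (flags & FLTFL_POST_OPERATION_DRAINING)
        return FLT_POSTOP_FINISHED_PROCESSING;
    /* ... normal post-processing would go here ... */
    return FLT_POSTOP_FINISHED_PROCESSING;
}

/* Broken shape: ignores the flag and always defers its work. */
static POSTOP_RESULT deferring_postop(unsigned flags)
{
    (void)flags;
    return FLT_POSTOP_MORE_PROCESSING_REQUIRED;
}

/* Broken shape: waits inside the callback while draining (for example on a
 * lock or event the unload path itself holds), so the drain never returns. */
static POSTOP_RESULT blocking_postop(unsigned flags)
{
    return (flags & FLTFL_POST_OPERATION_DRAINING) ? POSTOP_BLOCKED
                                                   : FLT_POSTOP_FINISHED_PROCESSING;
}

int main(void)
{
    printf("good:      unload %s\n", model_unload_completes(good_postop, 7) ? "completes" : "hangs");
    printf("deferring: unload %s\n", model_unload_completes(deferring_postop, 7) ? "completes" : "hangs");
    printf("blocking:  unload %s\n", model_unload_completes(blocking_postop, 7) ? "completes" : "hangs");
    return 0;
}
```

The model starts with 7 outstanding callbacks to match the RundownRef value in the post; only good_postop lets the count reach zero. The practical check it suggests is the one Sarosh asks for: in the hung state, look at the other threads in the system for one sitting inside the filter's post-operation callback, and confirm that the draining check is the first thing that callback does, before any wait, lock or deferral.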