Possibly this is present in newer SFILTER samples (if they exist and MS has not
moved to FltMgr completely).
Bug is: FastIoDetachDevice destroys the device object unconditionally.
Recently I observed some behavior on w2k SP4: a CLOSE IRP was sent down through an
SFILTER-based filter to the NTFS VolDo, and this NTFS VolDo was deleted during
this.
I dunno whether this delete is called as a part of some complex logic in the
CLOSE path in NTFS, or it is a race and IoDeleteDevice was called by some
other NTFS path on another thread (remount with killing the stale VolDos or
such?) - but it was called. Probably this is an NTFS bug.
Results: our SFILTER-based code sets completion routines to IRPs going down
to VolDo, and, due to this interesting NTFS behavior, FastIoDetachDevice can
fire before the completion routine for this IRP, so the completion routine will
touch the junked device extension of the killed device and BSOD.
Surely it is easy to work around this, but a) the SFILTER sample is vulnerable
in this place, b) NTFS behaves really strangely.
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
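The race described in the post, and the usual defensive pattern for it, as an added user-mode model that is not the poster's code: the filter counts IRPs that still have a completion routine pending, and FastIoDetachDevice defers the delete until the last one returns. The FilterExt type and the filter_* names are hypothetical, and IoDeleteDevice/FastIoDetachDevice are only modelled here.

```c
/* Added example, not the poster's code: user-mode model of the race in the
 * post and of the usual fix (count outstanding IRPs, defer the delete).
 * FilterExt and filter_* are hypothetical; IoDeleteDevice/FastIoDetachDevice
 * are only modelled. A driver would use InterlockedIncrement/Decrement. */
#include <string.h>

typedef struct FilterExt {
    long outstanding;   /* IRPs with our completion routine still pending */
    int  detached;      /* FastIoDetachDevice has already been called */
    int  deleted;       /* device object (and this extension) torn down */
    char tag[8];        /* stands in for the rest of the device extension */
} FilterExt;

/* Models IoDeleteDevice: scrub the extension so a later touch is visible. */
static void delete_filter_device(FilterExt *ext)
{
    ext->deleted = 1;
    memset(ext->tag, 'X', sizeof ext->tag);   /* the "junked" extension */
}

/* Dispatch path: take a reference before sending the IRP down to the VolDo. */
static void filter_send_irp(FilterExt *ext) { ext->outstanding++; }

/* FastIoDetachDevice. defer == 0 is the unconditional delete described in
 * the post; defer != 0 waits for the last completion routine to return. */
static void filter_detach(FilterExt *ext, int defer)
{
    ext->detached = 1;
    if (!defer || ext->outstanding == 0)
        delete_filter_device(ext);
}

/* Completion routine: touch the extension, drop the reference, and let the
 * last one out do the deferred delete. Returns 0 if the touch hit a deleted
 * extension (the BSOD case in the post). */
static int filter_completion(FilterExt *ext)
{
    int ok = !ext->deleted && ext->tag[0] == 'T';
    if (--ext->outstanding == 0 && ext->detached && !ext->deleted)
        delete_filter_device(ext);
    return ok;
}

/* The post's ordering: CLOSE IRP goes down, NTFS deletes the VolDo so detach
 * fires, then our completion routine runs. Returns 1 only when the completion
 * routine saw a live extension and the device was still released afterwards. */
int race_scenario(int defer_delete)
{
    FilterExt ext = { 0, 0, 0, "TAG" };
    filter_send_irp(&ext);
    filter_detach(&ext, defer_delete);
    int ok = filter_completion(&ext);
    return ok && ext.deleted;
}
```

race_scenario(0) reproduces the crash ordering (completion routine runs against a scrubbed extension); race_scenario(1) shows the same ordering surviving with the deferred delete.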