zwcreatefile fails in DRIVER_FS_NOTIFICATION routine

Hello everybody

I am having a problem in my upper volume filter driver code in opening a
handle to a file on an NTFS volume using ZwCreateFile in the file system
filter driver's notification routine. The same code runs properly for a
FAT32 volume.

Please tell me whether this is a problem of the driver code or something
else.
Also, I checked the IRQL at which the ZwCreateFile function is called, and
it comes to be IRQL=0 in the DbgPrint before the ZwCreateFile function.

The program crashes when the ZwCreateFile function is called in the case
where the OS is on an NTFS volume and the file is also present on the OS
drive.

I am also sending the kind of error I am getting.

VOID DriverNotificationFunction (
    IN struct _DEVICE_OBJECT *DeviceObject,
    IN BOOLEAN FsActive
    )
{
    NTSTATUS Status2;
    NTSTATUS Status;
    HANDLE FileHandle2;
    OBJECT_ATTRIBUTES InitializedAttributes2;
    IO_STATUS_BLOCK IoStatusBlock2;
    UNICODE_STRING uStr2;
    KIRQL oldirql;

    /* Backslashes must be doubled inside a C string literal. */
    PWCHAR ExportKeyPrefix = L"\\??\\D:\\tempdata.txt";
    ULONG ExportKeyPrefixSize = sizeof(L"\\??\\D:\\tempdata.txt");
    PWCHAR pFullPath = (PWCHAR) ExAllocatePoolWithTag(PagedPool, 4096, '0PWA');

    PAGED_CODE();

    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(FsActive);

    /* Pool allocations can fail; never copy into a NULL buffer. */
    if (pFullPath == NULL) {
        return;
    }

    gpFileBuffer = ExAllocatePool(NonPagedPool, 1024);
    if (gpFileBuffer == NULL) {
        ExFreePool(pFullPath);
        return;
    }

    /* sizeof() on the literal includes the terminating NUL, so the copy is NUL-terminated. */
    RtlCopyMemory(pFullPath, ExportKeyPrefix, ExportKeyPrefixSize);
    RtlInitUnicodeString(&uStr2, pFullPath);

    DbgBreakPoint();

    InitializeObjectAttributes(&InitializedAttributes2,
                               &uStr2,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    oldirql = KeGetCurrentIrql();
    DbgPrint("BEFORE ZwCreateFile IRQL:%d \n", oldirql);

    /* Open the file for synchronous reads; this is the call that crashes on NTFS. */
    Status2 = ZwCreateFile(&FileHandle2,
                           SYNCHRONIZE | FILE_READ_DATA,
                           &InitializedAttributes2,
                           &IoStatusBlock2,
                           NULL,
                           0,
                           0,
                           FILE_OPEN,
                           FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
                           NULL,
                           0);

    if (!NT_SUCCESS(Status2)) {
        DbgPrint("Error in opening file \n");
        /* The routine is VOID, so it cannot return a status; free the path buffer first. */
        ExFreePool(pFullPath);
        return;
    }
    DbgPrint("file opened successfully\n");

    /* The handle was opened for synchronous I/O, so ZwReadFile completes before returning. */
    Status = ZwReadFile(FileHandle2,
                        NULL, NULL, NULL,
                        &IoStatusBlock2,
                        gpFileBuffer,
                        1024,
                        NULL,
                        NULL);

    /* Check the status of the read, not of the create. */
    if (NT_SUCCESS(Status)) {
        gFileOpenFlag = 1;
        gFileHandle = FileHandle2;
    }

    /* The handle is closed here in every case, so gFileHandle must not be used afterwards. */
    ZwClose(FileHandle2);

    ExFreePool(pFullPath);
}


Error I am getting

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8042d5b4, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000000

CURRENT_IRQL: 2

FAULTING_IP:
nt!IopCreateSummaryDump+cf
8042d5b4 8939 mov [ecx],edi

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 8042c068 to 80452e70

STACK_TEXT:
ed4335b0 8042c068 00000003 00000000 8042d5b4
nt!MmMapLockedPagesSpecifyCache+0x48
ed433938 80464b1f 00000000 00000000 00000002 nt!IopWriteDriverList+0xa6
ed433954 8188aee8 ed4339e0 bff19f82 818896c8 nt!MiFlushRelease+0x3e5
WARNING: Frame IP not in any known module. Following frames may be wrong.
bff19fff 530cec83 56085d8b 144b8b57 a7bc15ff 0x8188aee8
ec8b55c3 00000000 00000000 00000000 00000000 0x530cec83

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
nt!IopCreateSummaryDump+cf
8042d5b4 8939 mov [ecx],edi

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!IopCreateSummaryDump+cf

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 384d9b17

BUCKET_ID: 0xA_W_VRF_nt!IopCreateSummaryDump+cf

Followup: MachineOwner

I am really stuck at this point.
Thanks in advance

santosh k

Arg1: 00000000, memory referenced
Somehow a null pointer is getting dereferenced (written to).
Find out what Arg4: 8042d5b4, the address which referenced memory,
stands for and what it is doing.
-Kiran

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of santosh katvate
Sent: Tuesday, June 07, 2005 5:14 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] zwcreatefile fails in DRIVER_FS_NOTIFICATION routine

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17


Hi Kiran,

I think that the code that is dereferencing the null pointer is that of
ZwCreateFile.

But I don't know why the same code runs properly when I copy the full
code into another function and call that function using a DeviceIoControl
routine (i.e. when the OS has finished all its startup chores).

Is there some error in setting the object attributes, or in the parameters
of ZwCreateFile that I am sending, which internally may be causing such an
error?

The code is:

VOID DriverNotificationFunction (
    IN struct _DEVICE_OBJECT *DeviceObject,
    IN BOOLEAN FsActive
    )
{
    NTSTATUS Status2;
    NTSTATUS Status;
    HANDLE FileHandle2;
    OBJECT_ATTRIBUTES InitializedAttributes2;
    IO_STATUS_BLOCK IoStatusBlock2;
    UNICODE_STRING uStr2;
    KIRQL oldirql;

    /* Backslashes must be doubled inside a C string literal. */
    PWCHAR ExportKeyPrefix = L"\\??\\E:\\tempdata.txt";
    ULONG ExportKeyPrefixSize = sizeof(L"\\??\\E:\\tempdata.txt");
    PWCHAR pFullPath = (PWCHAR) ExAllocatePoolWithTag(PagedPool, 4096, '0PWA');

    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(FsActive);

    /* Pool allocations can fail; never copy into a NULL buffer. */
    if (pFullPath == NULL) {
        return;
    }

    gpFileBuffer = ExAllocatePool(NonPagedPool, 1024);
    if (gpFileBuffer == NULL) {
        ExFreePool(pFullPath);
        return;
    }

    /* sizeof() on the literal includes the terminating NUL, so the copy is NUL-terminated. */
    RtlCopyMemory(pFullPath, ExportKeyPrefix, ExportKeyPrefixSize);
    RtlInitUnicodeString(&uStr2, pFullPath);

    InitializeObjectAttributes(&InitializedAttributes2,
                               &uStr2,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    oldirql = KeGetCurrentIrql();
    DbgPrint("BEFORE ZwCreateFile IRQL:%d \n", oldirql);

    DbgBreakPoint();

    /* Open the file for synchronous reads; this is the call that crashes on NTFS. */
    Status2 = ZwCreateFile(&FileHandle2,
                           SYNCHRONIZE | FILE_READ_DATA,
                           &InitializedAttributes2,
                           &IoStatusBlock2,
                           NULL,
                           0,
                           0,
                           FILE_OPEN,
                           FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
                           NULL,
                           0);

    if (!NT_SUCCESS(Status2)) {
        DbgPrint("Error in opening file \n");
        /* FileHandle2 is not valid on failure, so do not go on to read from it. */
        ExFreePool(pFullPath);
        return;
    }
    DbgPrint("file opened successfully\n");

    /* The handle was opened for synchronous I/O, so ZwReadFile completes before returning. */
    Status = ZwReadFile(FileHandle2,
                        NULL, NULL, NULL,
                        &IoStatusBlock2,
                        gpFileBuffer,
                        1024,
                        NULL,
                        NULL);

    /* Check the status of the read, not of the create. */
    if (NT_SUCCESS(Status)) {
        gFileOpenFlag = 1;
        gFileHandle = FileHandle2;
    }

    /* The handle is closed here in every case, so gFileHandle must not be used afterwards. */
    ZwClose(FileHandle2);

    ExFreePool(pFullPath);
}

Output in WinDbg:

BEFORE ZwCreateFile IRQL:0
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPoint:
804e3b14 cc int 3
kd> p
nt!DbgBreakPoint+0x1:
804e3b15 c3 ret
kd> p
gfupper!DriverNotificationFunction+0xb7:
f94f3d07 6a00 push 0x0
kd> t
nt!ZwCreateFile:
804dcfa8 b825000000 mov eax,0x25
kd> p
nt!ZwCreateFile+0x5:
804dcfad 8d542404 lea edx,[esp+0x4]
kd> p
nt!ZwCreateFile+0x9:
804dcfb1 9c pushfd
kd> p
nt!ZwCreateFile+0xa:
804dcfb2 6a08 push 0x8
kd> p
nt!ZwCreateFile+0xc:
804dcfb4 e8ed1e0000 call nt!KiSystemService (804deea6)
kd> p

*** Fatal System Error: 0x0000000a
(0x00000000,0x00000002,0x00000001,0x804DC6CC)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols

Loading unloaded module list

Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {0, 2, 1, 804dc6cc}

Probably caused by : ntoskrnl.exe ( nt!KeWaitForSingleObject+186 )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
804e3b25 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804dc6cc, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000000

CURRENT_IRQL: 2

FAULTING_IP:
nt!KeWaitForSingleObject+186
804dc6cc 8939 mov [ecx],edi

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 806f3a7f to 804dc6cc

TRAP_FRAME: f9698908 -- (.trap fffffffff9698908)
ErrCode = 00000002
eax=f911d224 ebx=f911d21c ecx=00000000 edx=00000000 esi=813488b8 edi=81348928
eip=804dc6cc esp=f969897c ebp=f969899c iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!KeWaitForSingleObject+0x186:
804dc6cc 8939 mov [ecx],edi
Resetting default scope

STACK_TEXT:
f969899c 806f3a7f 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x186
f96989bc f9149618 8134eef0 8134e738 8134e738 hal!ExAcquireFastMutex+0x27
f9698a18 f91495c7 81301730 000a0008 f91495d6 Ntfs!LfsOpenLogFile+0x34
f9698a64 f9146fc0 813017f8 8134e738 81369a98 Ntfs!NtfsStartLogFile+0x8d
f9698cb8 f9146392 8134eef0 81369a98 8134eef0 Ntfs!NtfsMountVolume+0xcb3
f9698ccc f91049a1 8134eef0 81369a98 8134eff0
Ntfs!NtfsCommonFileSystemControl+0x39
f9698d74 804e47fe 8134eef0 00000000 813488b8 Ntfs!NtfsFspDispatch+0x1ff
f9698dac 8057dfed 8134eef0 00000000 00000000 nt!ExpWorkerThread+0x100
f9698ddc 804fa477 804e4729 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
nt!KeWaitForSingleObject+186
804dc6cc 8939 mov [ecx],edi

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!KeWaitForSingleObject+186

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 41108004

STACK_COMMAND: .trap fffffffff9698908 ; kb

BUCKET_ID: 0xA_W_nt!KeWaitForSingleObject+186

Followup: MachineOwner

Thanks,
santosh k


Hello,
I did some NTFS.sys disassembly and found out that the event object which
LfsOpenLogFile refers to is part of a global fast mutex. This event object is
initialized after the call to IoRegisterFileSystem from NTFS. So what is
happening is: when NTFS calls IoRegisterFileSystem, your filter's
notification gets invoked. You call ZwCreateFile, which triggers a mount
request to NTFS. The mount path calls LfsOpenLogFile, which assumes that the
event has been initialized properly. But unfortunately it calls
KeWaitForSingleObject on an uninitialized event, hence causing a null
pointer deref.

So what this essentially means is that, at least for NTFS, you should not call
ZwCreateFile from the notification routine, otherwise it will crash.

This raises a couple of questions though:
Isn't it bad practice to initialize data structures after invoking some
function which might result in a callback to your driver?
In this particular scenario it's not just a question of the callback; what
happens if some other component triggers a mount?
Or is it always assumed that a mount request to the system volume will be
triggered by known components at known intervals only?
Isn't this a bug in NTFS, although an extremely tiny one?

-Kiran

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of santosh katvate
Sent: Tuesday, June 07, 2005 7:58 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] zwcreatefile fails in DRIVER_FS_NOTIFICATION routine


Do your ZwCreateFile in the filter's MJ_CREATE path when the first CREATE is
called, not in the mount path.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Kiran Joshi”
To: “Windows File Systems Devs Interest List”
Sent: Wednesday, June 08, 2005 1:26 PM
Subject: RE: [ntfsd] zwcreatefile fails in DRIVER_FS_NOTIFICATION routine

> Hello,
> I did some NTFS.sys disassembly and found out that the event object which
> LfsOpenLogFile refers, is a part of global fast mutex. This event object is
> initialized after the call to IoRegisterFileSystem from NTFS. So what is
> happening is when NTFS calls IoRegisterFileSystem, your filter’s
> notification gets invoked. You call ZwCreateFile which triggers a mount
> request to NTFS. The mount path calls LfsOpenLogFile which assumes that the
> event has been initialized properly. But unfortunately it calls
> KeWaitForSingleObject on an uninitialized event, hence causing a null
> pointer deref.
>
> So what this essentially means is that, at least for NTFS, you should not call
> ZwCreateFile from the notification routine, otherwise it will crash.

Hello Santosh,

Going back to the original problem, why is it that you need to call
ZwCreateFile from the notification routine?

Thanks
-Kiran
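
Maxim's suggestion above, deferring the filter's own ZwCreateFile from the DRIVER_FS_NOTIFICATION callback to the first IRP_MJ_CREATE the filter sees, as an added user-mode C model; this is not code from the thread or from any of its posters. Only the state machine carries over: filter_state, on_fs_notification, on_create_dispatch and model_zwcreatefile are names assumed here, and a real driver would issue ZwCreateFile at the point where do_open is called.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Model of the deferred-open pattern. The notification callback runs inside
 * IoRegisterFileSystem, before NTFS has finished its own initialization, so it
 * must not trigger a mount; it only arms the open. The open runs once, from the
 * first create dispatch, which is an ordinary PASSIVE_LEVEL dispatch context.
 */
enum open_state {
    OPEN_NOT_NEEDED  = 0,   /* no notification seen yet */
    OPEN_PENDING     = 1,   /* file system registered; open still to be done */
    OPEN_IN_PROGRESS = 2,   /* our own create is in flight */
    OPEN_DONE        = 3    /* opened once; never again */
};

typedef struct filter_state {
    atomic_int open_state;
    int creates_seen;       /* every IRP_MJ_CREATE that passed through the filter */
    int deferred_opens;     /* how many times the deferred open actually ran */
} filter_state;

typedef void (*perform_open_fn)(filter_state *fs);

void filter_init(filter_state *fs)
{
    atomic_init(&fs->open_state, OPEN_NOT_NEEDED);
    fs->creates_seen = 0;
    fs->deferred_opens = 0;
}

/* Stands in for DRIVER_FS_NOTIFICATION(DeviceObject, FsActive): arm only, never open. */
void on_fs_notification(filter_state *fs, bool fs_active)
{
    if (!fs_active)
        return;
    int expected = OPEN_NOT_NEEDED;
    atomic_compare_exchange_strong(&fs->open_state, &expected, OPEN_PENDING);
}

/*
 * Stands in for the filter's IRP_MJ_CREATE dispatch. Returns true when the
 * deferred open ran inside this call. The filter's own create comes back
 * through this same dispatch, so the PENDING -> IN_PROGRESS transition is what
 * stops recursion: the re-entrant create finds IN_PROGRESS and just passes.
 * The compare-exchange also keeps two concurrent first creates from both opening.
 */
bool on_create_dispatch(filter_state *fs, perform_open_fn do_open)
{
    fs->creates_seen++;
    int expected = OPEN_PENDING;
    if (!atomic_compare_exchange_strong(&fs->open_state, &expected, OPEN_IN_PROGRESS))
        return false;       /* not armed, already done, or re-entrant: pass the IRP down */
    do_open(fs);            /* a real driver issues ZwCreateFile here */
    fs->deferred_opens++;
    atomic_store(&fs->open_state, OPEN_DONE);
    return true;
}

/* Models ZwCreateFile on the filtered volume: the create IRP re-enters our dispatch. */
void model_zwcreatefile(filter_state *fs)
{
    on_create_dispatch(fs, model_zwcreatefile);
}

/* Constructed boot sequence: registration callback, three creates, a late notification. */
int run_boot_sequence(filter_state *fs)
{
    filter_init(fs);
    on_fs_notification(fs, true);                /* inside IoRegisterFileSystem: no open */
    on_create_dispatch(fs, model_zwcreatefile);  /* first create: the open happens here */
    on_create_dispatch(fs, model_zwcreatefile);  /* later creates: plain pass-through */
    on_create_dispatch(fs, model_zwcreatefile);
    on_fs_notification(fs, true);                /* a later registration must not re-arm */
    return fs->deferred_opens;
}

/* One result each, so the sequence can be checked without sharing state. */
int boot_deferred_opens(void) { filter_state fs; return run_boot_sequence(&fs); }
int boot_creates_seen(void)   { filter_state fs; run_boot_sequence(&fs); return fs.creates_seen; }
int boot_final_state(void)    { filter_state fs; run_boot_sequence(&fs); return (int)atomic_load(&fs.open_state); }

/* Creates arriving before any notification must never trigger the open. */
int opens_without_notification(void)
{
    filter_state fs;
    filter_init(&fs);
    on_create_dispatch(&fs, model_zwcreatefile);
    on_create_dispatch(&fs, model_zwcreatefile);
    return fs.deferred_opens;
}

int main(void)
{
    filter_state fs;
    int n = run_boot_sequence(&fs);
    printf("deferred opens: %d, creates seen: %d, final state: %d\n",
           n, fs.creates_seen, (int)atomic_load(&fs.open_state));
    return n == 1 ? 0 : 1;
}
```

Four creates are counted for three user creates because the filter's own open passes back through its create dispatch once.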

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of santosh katvate
Sent: Tuesday, June 07, 2005 7:58 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] zwcreatefile fails in DRIVER_FS_NOTIFICATION routine

hi kiran

i think that the code that is derefrencing the null pointer is that of
zwcreatefile.

but i don,t know why the same code runs properly when i copy the full code
in another function and call that function using deviceiocontrol routine
(i.e when the OS has finished all its startup chores).

Is their some error in setting objectattributes. or in parameters of
zwcreatefile that i am sending which internally may be causing such error.

code is

VOID DriverNotificationFunction (
    IN struct _DEVICE_OBJECT *DeviceObject,
    IN BOOLEAN FsActive
    )
{
    NTSTATUS Status2;
    NTSTATUS Status;
    HANDLE FileHandle2 = NULL;
    OBJECT_ATTRIBUTES InitializedAttributes2;
    IO_STATUS_BLOCK IoStatusBlock2;
    UNICODE_STRING uStr2;
    KIRQL oldirql;

    /* NT object-manager path of the config file; backslashes escaped for C. */
    PWCHAR ExportKeyPrefix = L"\\??\\E:\\tempdata.txt";
    ULONG ExportKeyPrefixSize = sizeof(L"\\??\\E:\\tempdata.txt");
    PWCHAR pFullPath;

    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(FsActive);

    PAGED_CODE();

    pFullPath = (PWCHAR) ExAllocatePoolWithTag(PagedPool, 4096, '0PWA');
    if (pFullPath == NULL) {
        return;
    }

    gpFileBuffer = ExAllocatePool(NonPagedPool, 1024);
    if (gpFileBuffer == NULL) {
        ExFreePool(pFullPath);
        return;
    }

    /* The copy includes the terminating NUL, so pFullPath is a valid string. */
    RtlCopyMemory(pFullPath, ExportKeyPrefix, ExportKeyPrefixSize);
    RtlInitUnicodeString(&uStr2, pFullPath);

    InitializeObjectAttributes(&InitializedAttributes2, &uStr2,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);

    oldirql = KeGetCurrentIrql();
    DbgPrint("BEFORE ZwCreateFile IRQL:%d \n", oldirql);

    DbgBreakPoint();

    Status2 = ZwCreateFile(&FileHandle2,
                           SYNCHRONIZE | FILE_READ_DATA,
                           &InitializedAttributes2,
                           &IoStatusBlock2,
                           NULL,                       /* AllocationSize */
                           0,                          /* FileAttributes */
                           0,                          /* ShareAccess (exclusive) */
                           FILE_OPEN,
                           FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
                           NULL,                       /* EaBuffer */
                           0);                         /* EaLength */

    if (!NT_SUCCESS(Status2)) {
        DbgPrint("Error in opening file: 0x%x\n", Status2);
    } else {
        DbgPrint("file opened successfully\n");

        /* Read only through a handle that was actually opened. */
        Status = ZwReadFile(FileHandle2,
                            NULL, NULL, NULL,           /* Event, ApcRoutine, ApcContext */
                            &IoStatusBlock2,
                            gpFileBuffer,
                            1024,
                            NULL,                       /* ByteOffset: current position */
                            NULL);                      /* Key */
        if (!NT_SUCCESS(Status)) {
            DbgPrint("Error reading file: 0x%x\n", Status);
        }

        gFileOpenFlag = 1;

        /* The handle is closed here, so it is not cached in a global. */
        ZwClose(FileHandle2);
    }

    ExFreePool(pFullPath);
}

Output got in windbg:

BEFORE ZwCreateFile IRQL:0
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPoint:
804e3b14 cc int 3
kd> p
nt!DbgBreakPoint+0x1:
804e3b15 c3 ret
kd> p
gfupper!DriverNotificationFunction+0xb7:
f94f3d07 6a00 push 0x0
kd> t
nt!ZwCreateFile:
804dcfa8 b825000000 mov eax,0x25
kd> p
nt!ZwCreateFile+0x5:
804dcfad 8d542404 lea edx,[esp+0x4]
kd> p
nt!ZwCreateFile+0x9:
804dcfb1 9c pushfd
kd> p
nt!ZwCreateFile+0xa:
804dcfb2 6a08 push 0x8
kd> p
nt!ZwCreateFile+0xc:
804dcfb4 e8ed1e0000 call nt!KiSystemService (804deea6)
kd> p

*** Fatal System Error: 0x0000000a
(0x00000000,0x00000002,0x00000001,0x804DC6CC)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
...
Loading unloaded module list

Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {0, 2, 1, 804dc6cc}

Probably caused by : ntoskrnl.exe ( nt!KeWaitForSingleObject+186 )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
804e3b25 cc int 3
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at
an interrupt request level (IRQL) that is too high. This is usually caused
by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804dc6cc, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000000

CURRENT_IRQL: 2

FAULTING_IP:
nt!KeWaitForSingleObject+186
804dc6cc 8939 mov [ecx],edi

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 806f3a7f to 804dc6cc

TRAP_FRAME: f9698908 -- (.trap fffffffff9698908) ErrCode = 00000002
eax=f911d224 ebx=f911d21c ecx=00000000 edx=00000000 esi=813488b8 edi=81348928
eip=804dc6cc esp=f969897c ebp=f969899c iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!KeWaitForSingleObject+0x186:
804dc6cc 8939 mov [ecx],edi
Resetting default scope

STACK_TEXT:
f969899c 806f3a7f 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x186
f96989bc f9149618 8134eef0 8134e738 8134e738 hal!ExAcquireFastMutex+0x27
f9698a18 f91495c7 81301730 000a0008 f91495d6 Ntfs!LfsOpenLogFile+0x34
f9698a64 f9146fc0 813017f8 8134e738 81369a98 Ntfs!NtfsStartLogFile+0x8d
f9698cb8 f9146392 8134eef0 81369a98 8134eef0 Ntfs!NtfsMountVolume+0xcb3
f9698ccc f91049a1 8134eef0 81369a98 8134eff0 Ntfs!NtfsCommonFileSystemControl+0x39
f9698d74 804e47fe 8134eef0 00000000 813488b8 Ntfs!NtfsFspDispatch+0x1ff
f9698dac 8057dfed 8134eef0 00000000 00000000 nt!ExpWorkerThread+0x100
f9698ddc 804fa477 804e4729 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
nt!KeWaitForSingleObject+186
804dc6cc 8939 mov [ecx],edi

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!KeWaitForSingleObject+186

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 41108004

STACK_COMMAND: .trap fffffffff9698908 ; kb

BUCKET_ID: 0xA_W_nt!KeWaitForSingleObject+186

Followup: MachineOwner

thanks
santosh k

On 6/7/05, Kiran Joshi wrote:
> Arg1: 00000000, memory referenced
> Some how null pointer is getting dereference (written to).
> Find out Arg4: 8042d5b4, address which referenced memory
> What this address stands for and what it is doing.
> -Kiran
>



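The dump above can be read mechanically. As an added example (not code from the thread), this Python script parses the bugcheck 0xA arguments and the STACK_TEXT that Santosh posted and reduces them to the facts Kiran asked for: a write to address 0 at IRQL 2 from nt!KeWaitForSingleObject, reached on a system worker thread inside the NTFS mount path. The sample text is a constructed subset of the !analyze -v output quoted above.

```python
import re

# Constructed sample: a subset of the !analyze -v lines posted in the thread.
ANALYZE_OUTPUT = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804dc6cc, address which referenced memory
FAULTING_IP:
nt!KeWaitForSingleObject+186
804dc6cc 8939 mov [ecx],edi
STACK_TEXT:
f969899c 806f3a7f 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x186
f96989bc f9149618 8134eef0 8134e738 8134e738 hal!ExAcquireFastMutex+0x27
f9698a18 f91495c7 81301730 000a0008 f91495d6 Ntfs!LfsOpenLogFile+0x34
f9698cb8 f9146392 8134eef0 81369a98 8134eef0 Ntfs!NtfsMountVolume+0xcb3
f9698d74 804e47fe 8134eef0 00000000 813488b8 Ntfs!NtfsFspDispatch+0x1ff
f9698dac 8057dfed 8134eef0 00000000 00000000 nt!ExpWorkerThread+0x100
"""

ARG_RE = re.compile(r"^Arg(\d): ([0-9a-fA-F]{8}),")
# A STACK_TEXT frame: ChildEBP RetAddr Args(3) then the symbol.
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$")

def parse_bugcheck_a(text):
    """Pull the four bugcheck 0xA arguments and the symbolic frames of STACK_TEXT."""
    args, frames, in_stack = {}, [], False
    for line in text.splitlines():
        m = ARG_RE.match(line)
        if m:
            args[int(m.group(1))] = int(m.group(2), 16)
        elif line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack and (m := FRAME_RE.match(line)):
            frames.append(m.group(1))
    return {"address": args.get(1), "irql": args.get(2),
            "is_write": args.get(3) == 1, "faulting_ip": args.get(4),
            "frames": frames}

def triage(info):
    """Turn the raw values into the facts Kiran asked for: was it a NULL
    dereference, at what IRQL, and which file-system code path was running."""
    fs_frames = [f for f in info["frames"] if f.startswith("Ntfs!")]
    return {"null_deref": info["address"] == 0,
            "irql_above_passive": info["irql"] > 0,
            "access": "write" if info["is_write"] else "read",
            "in_mount_path": any("MountVolume" in f for f in fs_frames),
            "on_system_worker_thread": any("ExpWorkerThread" in f for f in info["frames"]),
            "fs_frames": fs_frames}
```

Running triage(parse_bugcheck_a(ANALYZE_OUTPUT)) reports the NULL write at IRQL 2 together with the Ntfs mount frames, which is what links the crash to the file open issued while the volume was still mounting.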
Hello Kiran and Maxim,

First of all, thanks Kiran for really providing a detailed description of
the working of ntfs.sys. I think this was one of the good explanations
that I have got.

And thanks Maxim for giving us the correct location for calling
ZwCreateFile in the NTFS case.

Kiran: We wanted to call ZwCreateFile in the driver notification so that
we can read our config data file as early as possible for setting the
internal variables.

We are now calling ZwCreateFile in the IRP_MJ_CREATE routine and it's
working fine (i.e. the system doesn't crash).

Once again, thanks.

santosh k

On 6/8/05, Kiran Joshi wrote:
> Hello Santosh,
>
> Going back to the original problem, why is that you require to call
> ZwCreateFile from the notification rouine ?
>
> Thanks
> -Kiran