FS Minifilter - Pending read op

Hi,

I am working on a file system minifilter driver.
I am using FltQueueDeferredIoWorkItem to process data from my IRP_MJ_READ pre-op routine at a later time, but it keeps crashing for some reason. This is my code; I removed most of it for testing.

// Forward declaration of the deferred work routine used by PreRead.
VOID __stdcall DataWorkingThread(
    _In_ PFLT_DEFERRED_IO_WORKITEM FltWorkItem,
    _In_ PFLT_CALLBACK_DATA CallbackData,
    _In_opt_ PVOID Context
    );

FLT_PREOP_CALLBACK_STATUS __stdcall PreRead(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Out_ PVOID *CompletionContext
    )
{
    NTSTATUS status;
    UNREFERENCED_PARAMETER(FltObjects);
    *CompletionContext = nullptr;

    // Force reads down the IRP path so they can be pended.
    if (FLT_IS_FASTIO_OPERATION(Data))
        return FLT_PREOP_DISALLOW_FASTIO;

    if (!FLT_IS_IRP_OPERATION(Data))
        return FLT_PREOP_SUCCESS_NO_CALLBACK;

    PFLT_DEFERRED_IO_WORKITEM item = FltAllocateDeferredIoWorkItem();
    if (!item) {
        KdBreakPoint();
        return FLT_PREOP_SUCCESS_NO_CALLBACK;   // do not dereference a null work item
    }

    // Pend the read and finish it later from a system worker thread.
    status = FltQueueDeferredIoWorkItem(item, Data, DataWorkingThread, DelayedWorkQueue, nullptr);
    if (!NT_SUCCESS(status)) {
        KdBreakPoint();
        FltFreeDeferredIoWorkItem(item);
        return FLT_PREOP_SUCCESS_NO_CALLBACK;   // nothing was queued, so do not return PENDING
    }

    return FLT_PREOP_PENDING;
}

VOID __stdcall DataWorkingThread(
    _In_ PFLT_DEFERRED_IO_WORKITEM FltWorkItem,
    _In_ PFLT_CALLBACK_DATA CallbackData,
    _In_opt_ PVOID Context
    )
{
    UNREFERENCED_PARAMETER(Context);
    // Runs in a system worker thread, not in the requesting process.
    FltCompletePendedPreOperation(CallbackData, FLT_PREOP_SUCCESS_NO_CALLBACK, nullptr);
    FltFreeDeferredIoWorkItem(FltWorkItem);
}

The result is a bug check with:
MEMORY_MANAGEMENT (1a)
Arguments:
Arg1: 0000000000004477, The subtype of the bugcheck.
Arg2: 000000c4100600a0
Arg3: 0000000000000000
Arg4: 0000000000000000

nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak + 0x12
nt!KeBugCheck2 + 0x93e
nt!KeBugCheckEx + 0x104
nt!??::FNODOBFM::`string'+0xffc8
nt!MmAccessFault + 0x245
nt!KiPageFault + 0x13d
nt!memcpy + 0xaf
nt!CcCopyBytesToUserBuffer + 0x4a
nt!CcMapAndCopyFromCache + 0x10d
nt!CcCopyReadEx + 0xfe
NTFS!NtfsCachedRead + 0x170
NTFS!NtfsCommonRead + 0xb38
NTFS!NtfsFsdRead + 0x1f2
nt!IovCallDriver + 0x3d8
nt!IofCallDriver + 0x72
FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted + 0x2a4
FLTMGR!FltCompletePendedPreOperation + 0x1ec
FLTMGR!FltvCompletePendedPreOperation + 0x1c5
----> MYDRIVER!DataWorkingThread + 0xa0
FLTMGR!FltpProcessDeferredIoWorkItem + 0xc3
nt!ExpWorkerThread + 0xe9
nt!PspSystemThreadStartup + 0x58
nt!KiStartSystemThread + 0x16

I also tried to use a cancel-safe queue (FltCbdqInitialize). The result is the same.

I am using a VM with Windows 10 x64.
Please tell me if you need more information.

Does anybody have an idea what's wrong?
Thank you!

You need to call FltLockUserBuffer before FltQueueDeferredIoWorkItem, but you do not do this. As a result, it crashed when accessing the user-mode buffer in the context of the system process:
nt!CcCopyBytesToUserBuffer + 0x4a - but the address of the user buffer is not valid in the WorkItem

Problem solved.
Thank you!

I thought it could be something like that because CcCopyBytesToUserBuffer failed, but I did not know I had to lock the buffer. I read the documentation about FltQueueDeferredIoWorkItem and pending I/O operations, but I did not find anything about FltLockUserBuffer…
I guess an answer to why I need to call FltLockUserBuffer only when using worker threads would be way too complex :)
But it's working now and that's everything I need at the moment, thank you!

FltLockUserBuffer creates an MDL for the user buffer. This is needed to access it in an arbitrary process context (in a worker thread or in a post-operation).
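
The corrected pattern the replies point to, as an added example that is not the thread's own code: lock the user buffer in PreRead, while still in the requesting process, before posting the work item, and fail or fall back cleanly instead of breaking into the debugger. It reuses the post's routine names and assumes a WDK kernel-mode project that compiles against fltKernel.h.

```c
#include <fltKernel.h>

static VOID DataWorkingThread(_In_ PFLT_DEFERRED_IO_WORKITEM FltWorkItem,
    _In_ PFLT_CALLBACK_DATA CallbackData, _In_opt_ PVOID Context);

FLT_PREOP_CALLBACK_STATUS
PreRead(_Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects,
        _Flt_CompletionContext_Outptr_ PVOID *CompletionContext)
{
    NTSTATUS status;
    PFLT_DEFERRED_IO_WORKITEM item;
    UNREFERENCED_PARAMETER(FltObjects);
    *CompletionContext = NULL;
    if (FLT_IS_FASTIO_OPERATION(Data))
        return FLT_PREOP_DISALLOW_FASTIO;      /* force the IRP path */
    if (!FLT_IS_IRP_OPERATION(Data))
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    /* Still in the requesting process, so the user VA is valid. Probe and
     * lock it now; the MDL this attaches (Data->Iopb->Parameters.Read.MdlAddress)
     * is what lets the file system reach the pages from any process context. */
    status = FltLockUserBuffer(Data);
    if (!NT_SUCCESS(status)) {
        Data->IoStatus.Status = status;        /* e.g. bad user address */
        Data->IoStatus.Information = 0;
        return FLT_PREOP_COMPLETE;
    }
    item = FltAllocateDeferredIoWorkItem();
    if (item == NULL) {
        Data->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
        Data->IoStatus.Information = 0;
        return FLT_PREOP_COMPLETE;
    }
    status = FltQueueDeferredIoWorkItem(item, Data, DataWorkingThread,
                                        DelayedWorkQueue, NULL);
    if (!NT_SUCCESS(status)) {
        FltFreeDeferredIoWorkItem(item);       /* never PEND without a queued item */
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }
    return FLT_PREOP_PENDING;
}

static VOID DataWorkingThread(_In_ PFLT_DEFERRED_IO_WORKITEM FltWorkItem,
    _In_ PFLT_CALLBACK_DATA CallbackData, _In_opt_ PVOID Context)
{
    UNREFERENCED_PARAMETER(Context);
    /* System worker thread: the user VA is meaningless here, but the locked
     * MDL lets NTFS/Cc copy into the caller's buffer. */
    FltCompletePendedPreOperation(CallbackData, FLT_PREOP_SUCCESS_NO_CALLBACK, NULL);
    FltFreeDeferredIoWorkItem(FltWorkItem);
}
```

With the MDL in place the cached-read path in the posted stack (NtfsCachedRead -> CcCopyReadEx -> CcCopyBytesToUserBuffer) no longer depends on the originating process's address space.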

Mr. St: While we’re happy to have you post in NTDEV, in the future it’s probably best to handle FS Filter topics on the NTFSD list, which is where all the cool file system guys hang out.

Peter
OSR
@OSRDrivers

Oh… I know about NTFSD and was about to post it in there… but I guess I simply chose the wrong link and did not double check. Sorry about that, won't happen again!