bluescreen in fltmgr.sys

Subject: bluescreen in fltmgr.sys
From: Moo Kim
Date: Wed, 6 Apr 2005 09:44:50 -0700
X-Message-Number: 16

Hi,

We (in NCR) are having a problem with fltmgr.sys caused by one of the device
drivers in the Teradata Database software; the device driver uses raw I/O
access to disks. We had not seen this problem on Windows platforms (e.g. W2K,
XP, WS2003) until recently, when we tried on 32-bit WS2003 SP1 and 64-bit
WS2003 on Intel-EM64 or AMD64 platforms. I think the very first raw I/O caused
the blue-screen with STATUS_ACCESS_VIOLATION (0xc0000005).

The kernel API call sequence is as follows:

1. IoBuildAsynchronousFsdRequest()  ; build the IRP for an asynchronous I/O

2. IoSetCompletionRoutine()         ; register a call-back

3. IoCallDriver()                   ; issue the I/O

Has anyone seen this problem, or does anyone know how to correct it? I am also
wondering whether there is a way to bypass fltmgr.sys for raw I/O access.

Below is the kernel stack trace from the memory dump.

Thanks in advance,

Moo Kim

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
An exception code of 0x80000002 (STATUS_DATATYPE_MISALIGNMENT) indicates
that an unaligned data reference was encountered. The trap frame will
supply additional information.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8083f9cc, The address that the exception occurred at
Arg3: b90204d8, Trap Frame
Arg4: 00000000

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!IofCallDriver+41
8083f9cc ff548638 call dword ptr [esi+eax*4+0x38]

TRAP_FRAME: b90204d8 -- (.trap ffffffffb90204d8)
ErrCode = 00000000
eax=00000003 ebx=b840b1c0 ecx=89f8a400 edx=898de538 esi=4794e60b edi=89c52438
eip=8083f9cc esp=b902054c ebp=b9020558 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
nt!IofCallDriver+0x41:
8083f9cc ff548638 call dword ptr [esi+eax*4+0x38] ds:0023:4794e64f=???
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from f7317c53 to 8083f9cc

STACK_TEXT:
b9020558 f7317c53 8a6fe990 8908aee0 88d53050 nt!IofCallDriver+0x41
b9020580 8083f9d0 89c52438 898de538 88edb5d8 fltmgr!FltpDispatch+0x6f
b9020594 b829285f 898de6a4 0000004d b825cf73 nt!IofCallDriver+0x45
b90205e4 b8287c8c 88d25bb0 0000000b 00000006 pdesys!fsgdodiskio+0x21f [g:\views2\tnt_6.x.32_snap\opnpde\src\base\fsg\fsgdiskio.c @ 394]
b902064c b8277d65 8908ae64 88056f9c 88d25bb0 pdesys!fsgdoio+0x69c [g:\views2\tnt_6.x.32_snap\opnpde\src\base\fsg\fsgio.c @ 481]
b9020a24 b825eae5 88056f9c b9020b54 8908ae64 pdesys!fsgsub_create+0x3d55 [g:\views2\tnt_6.x.32_snap\opnpde\src\base\fsg\fsgops.c @ 438]
b9020bac b8199656 88d25bb0 b9020bf8 8983e9b0 pdesys!fsgacquire+0xb35 [g:\views2\tnt_6.x.32_snap\opnpde\src\base\fsg\fsguser.c @ 317]
b9020c58 8092e6a2 8a0d6790 00000001 0012f768 pdesys!PdeDispatchFastDeviceControl+0x2f6 [g:\views2\tnt_6.x.32_snap\opnpde\src\base\pde\pdedispatch.c @ 944]
b9020d00 80940844 00000078 00000000 00000000 nt!IopXxxControlFile+0x255
b9020d34 80834d3f 00000078 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b9020d34 7c82ed54 00000078 00000000 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f6b4 00000000 00000000 00000000 00000000 0x7c82ed54

FOLLOWUP_IP:
fltmgr!FltpDispatch+6f
f7317c53 e9df000000 jmp fltmgr!FltpDispatch+0x153 (f7317d37)

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: fltmgr!FltpDispatch+6f

MODULE_NAME: fltmgr

IMAGE_NAME: fltmgr.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 42435ba1

STACK_COMMAND: .trap ffffffffb90204d8 ; kb

BUCKET_ID: 0x8E_fltmgr!FltpDispatch+6f

Followup: MachineOwner

I too had been trying to bypass my filter driver for raw writes. I
still could not figure out a way to bypass it. Any suggestions on how to do so
are most welcome.

Regards,

Saurabh

Neal will be interested in this, but it seems that either the wrong device
object is passed to IoCallDriver, or the DeviceObject->DriverObject is wrong.
The pointer to the driver object in ESI (esi=4794e60b) is obviously wrong.

L.
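The trap frame can be read a little further than the ESI value alone. The faulting instruction, `call dword ptr [esi+eax*4+0x38]` at nt!IofCallDriver+0x41, is IofCallDriver invoking DeviceObject->DriverObject->MajorFunction[IrpSp->MajorFunction](DeviceObject, Irp): ESI is the DriverObject pointer it loaded from the device object, EAX is the IRP major function code, and 0x38 is the offset of the MajorFunction table in the 32-bit DRIVER_OBJECT. The program below is an added example written for this page, not code from any message in the thread or from the Teradata driver; it models the public x86 DRIVER_OBJECT layout from the WDK so the 0x38 displacement can be verified with offsetof(), decodes the register values copied from the dump above, and flags that the DriverObject pointer lies below the 32-bit kernel base. The struct layout, IRP_MJ numbering and 0x80000000 kernel base are the documented 32-bit Windows values (a dump from the x64 build would use a 0x70 displacement and a different base); the register values are the ones in the trap frame; everything else is illustrative.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not part of the thread: decode
 *   nt!IofCallDriver+0x41   call dword ptr [esi+eax*4+0x38]
 * which is IofCallDriver calling
 *   DeviceObject->DriverObject->MajorFunction[IrpSp->MajorFunction](DeviceObject, Irp)
 * with ESI = DeviceObject->DriverObject and EAX = IrpSp->MajorFunction.
 *
 * DRIVER_OBJECT32 mirrors the public 32-bit DRIVER_OBJECT from the WDK
 * (4-byte pointers, 8-byte UNICODE_STRING) so the 0x38 displacement is
 * checked against offsetof() rather than taken on faith.
 */
typedef struct {
    uint16_t Type;
    uint16_t Size;
    uint32_t DeviceObject;       /* PDEVICE_OBJECT */
    uint32_t Flags;
    uint32_t DriverStart;        /* PVOID */
    uint32_t DriverSize;
    uint32_t DriverSection;      /* PVOID */
    uint32_t DriverExtension;    /* PDRIVER_EXTENSION */
    struct { uint16_t Length; uint16_t MaximumLength; uint32_t Buffer; } DriverName;
    uint32_t HardwareDatabase;   /* PUNICODE_STRING */
    uint32_t FastIoDispatch;     /* PFAST_IO_DISPATCH */
    uint32_t DriverInit;         /* PDRIVER_INITIALIZE */
    uint32_t DriverStartIo;      /* PDRIVER_STARTIO */
    uint32_t DriverUnload;       /* PDRIVER_UNLOAD */
    uint32_t MajorFunction[28];  /* PDRIVER_DISPATCH[IRP_MJ_MAXIMUM_FUNCTION + 1] */
} DRIVER_OBJECT32;

#define IRP_MJ_MAXIMUM_FUNCTION 0x1b
#define X86_KERNEL_BASE 0x80000000u   /* lowest kernel-mode address on 32-bit Windows without /3GB */

static const char *const irp_mj_name[IRP_MJ_MAXIMUM_FUNCTION + 1] = {
    "IRP_MJ_CREATE", "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CLOSE", "IRP_MJ_READ",
    "IRP_MJ_WRITE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_SET_INFORMATION",
    "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA", "IRP_MJ_FLUSH_BUFFERS",
    "IRP_MJ_QUERY_VOLUME_INFORMATION", "IRP_MJ_SET_VOLUME_INFORMATION",
    "IRP_MJ_DIRECTORY_CONTROL", "IRP_MJ_FILE_SYSTEM_CONTROL",
    "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_INTERNAL_DEVICE_CONTROL", "IRP_MJ_SHUTDOWN",
    "IRP_MJ_LOCK_CONTROL", "IRP_MJ_CLEANUP", "IRP_MJ_CREATE_MAILSLOT",
    "IRP_MJ_QUERY_SECURITY", "IRP_MJ_SET_SECURITY", "IRP_MJ_POWER",
    "IRP_MJ_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CHANGE", "IRP_MJ_QUERY_QUOTA",
    "IRP_MJ_SET_QUOTA", "IRP_MJ_PNP",
};

typedef struct {
    uint32_t driver_object;                 /* ESI */
    uint32_t major_function;                /* EAX */
    uint32_t fault_address;                 /* esi + eax*4 + offsetof(MajorFunction) */
    int      major_in_range;                /* EAX <= IRP_MJ_MAXIMUM_FUNCTION */
    int      driver_object_in_kernel_space; /* ESI >= 0x80000000 */
    const char *major_name;
} IofCallDriverFault;

/* MajorFunction must sit at +0x38 and the object must be 0xa8 bytes,
 * which is what `dt nt!_DRIVER_OBJECT` reports on x86. */
static int driver_object32_layout_ok(void)
{
    return offsetof(DRIVER_OBJECT32, MajorFunction) == 0x38 &&
           sizeof(DRIVER_OBJECT32) == 0xa8;
}

static IofCallDriverFault decode_iofcalldriver_fault(uint32_t esi, uint32_t eax)
{
    IofCallDriverFault f;
    memset(&f, 0, sizeof f);
    f.driver_object  = esi;
    f.major_function = eax;
    f.fault_address  = esi + eax * 4u + (uint32_t)offsetof(DRIVER_OBJECT32, MajorFunction);
    f.major_in_range = eax <= IRP_MJ_MAXIMUM_FUNCTION;
    f.driver_object_in_kernel_space = esi >= X86_KERNEL_BASE;
    f.major_name = f.major_in_range ? irp_mj_name[eax] : "(out of range)";
    return f;
}

int main(void)
{
    /* Register values copied from the trap frame posted in the thread. */
    IofCallDriverFault f = decode_iofcalldriver_fault(0x4794e60bu, 0x00000003u);

    printf("layout check: %s\n", driver_object32_layout_ok() ? "ok" : "MISMATCH");
    printf("DriverObject = 0x%08" PRIx32 " (%s 32-bit kernel address space)\n",
           f.driver_object, f.driver_object_in_kernel_space ? "inside" : "OUTSIDE");
    printf("dispatching MajorFunction[%" PRIu32 "] = %s\n", f.major_function, f.major_name);
    printf("faulting read at 0x%08" PRIx32 "\n", f.fault_address); /* 0x4794e64f, as in ds:0023:4794e64f */
    return 0;
}
```

The computed address 0x4794e64f matches the `ds:0023:4794e64f=???` in the trap frame, so the reading is consistent: the crash is a raw read (IRP_MJ_READ) being dispatched through a DriverObject pointer that is not even a kernel address. Note also which IofCallDriver faulted: it is the one fltmgr!FltpDispatch issued when it passed the IRP down, so the bad pointer belongs to the device object below the filter, and bypassing fltmgr would not remove it. In the dump, edx=898de538 is still the Irp (it matches the second argument of the fltmgr!FltpDispatch frame) and ecx=89f8a400 is the device object IofCallDriver was handed (the first __fastcall argument); `!devobj 89f8a400`, `dt nt!_DEVICE_OBJECT 89f8a400` and `!pool 89f8a400` would show whether that object is intact or has been freed or overwritten. On the driver side the things to verify are that the device object passed to IoCallDriver was obtained with a reference held (for example from IoGetDeviceObjectPointer) and is the same one given to IoBuildAsynchronousFsdRequest, so the IRP carries enough stack locations for the whole stack below it.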

This should not be happening and we would like to figure out what is
going on. Can you please provide a full memory dump of this failure?
If so, I will contact you directly with details on how to send me the
dump.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Moo Kim
Sent: Wednesday, April 06, 2005 9:45 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] bluescreen in fltmgr.sys

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
