Stream context lifetime

Hi all,

I’m building a minifilter driver for Windows 10 which uses stream contexts.
I noticed that most of my stream contexts are not freed until driver unload, or only after a few very long hours.

I’m releasing all of my references to the context, and everything seems to work fine on my end.
The IRP_MJ_CLEANUP callback is called, but the IRP_MJ_CLOSE is not called for every file object. I usually have 1/2 file objects not getting to IRP_MJ_CLOSE at a reasonable time.

I’ve read some posts here and I understand the reason for this is unreleased references to the stream by the cache manager or the memory manager.
I tried to purge the cache in cleanup (CcFlushCache, MmFlushImageSection, CcPurgeCacheSection), and it works most of the time, but I’m looking for a better solution, maybe one that does not involve messing with the CC/MM??

My stream context is pretty big in size (a few KBs), and at some point it turns into a pretty big chunk of memory…

So…
The question is: Is there a way to rush the freeing of stream contexts?
I don’t want to wait hours for it to be released by the OS.

Best Regards,

You cannot force the Cc or Mm to release the reference to the File Object. The only component that can do that is the file system. If you are calling Cc/Mm APIs in your filter driver then that’s a serious bug as you don’t own any of the necessary locks (unless you’re an Isolation filter, which is another story).

Use paged pool and try to minimize the size of the structure. What are you storing in there that’s so large?

@“Scott_Noone_(OSR)” said:
You cannot force the Cc or Mm to release the reference to the File Object. The only component that can do that is the file system.

Does the FS do that in general or in some special cases? Mm is a special client, but still a client. Is it OK to force it to yield its reference?
I never wrote an FS or isolation filter, so I'm probably just misunderstanding something.

@Sergey_Pisarev said:

@“Scott_Noone_(OSR)” said:
You cannot force the Cc or Mm to release the reference to the File Object. The only component that can do that is the file system.

Does the FS do that in general or in some special cases? Mm is a special client, but still a client. Is it OK to force it to yield its reference?
I never wrote an FS or isolation filter, so I'm probably just misunderstanding something.

Mostly* in special cases. For example, when you try to delete a file the FS calls Mm to try and purge the Section. From FASTFAT:

    if (Buffer->DeleteFile) {

        //
        //  Check if the file is marked read only
        //

        if (FlagOn(Fcb->DirentFatFlags, FAT_DIRENT_ATTR_READ_ONLY)) {

            DebugTrace(-1, Dbg, "Cannot delete readonly file\n", 0);

            return STATUS_CANNOT_DELETE;
        }

        //
        //  Make sure there is no process mapping this file as an image.
        //

        if (!MmFlushImageSection( &Fcb->NonPaged->SectionObjectPointers,
                                  MmFlushForDelete )) {

            DebugTrace(-1, Dbg, "Cannot delete user mapped image\n", 0);

            return STATUS_CANNOT_DELETE;
        }

Even then it is simply the FS asking Mm to try and get rid of its reference. For example, the request could fail if the Section is in use.

*In later versions of Windows, NTFS allows a kernel mode caller to request a purge attempt (IRP_MJ_FLUSH_BUFFERS/IRP_MN_FLUSH_AND_PURGE). FltMgr even conveniently exposes it via FltFlushBuffers2. Again, it’s not a guarantee though, and you’ll kill the user experience if you’re purging it all the time (caching is a good thing).
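The lifetime rules discussed in this thread, as a small user-mode C model added here for illustration (not code from any poster, and not kernel code). The struct and function names are hypothetical, and the single `cached` flag standing in for the Cc/Mm references is a simplifying assumption.

```c
/* Added illustration: user-mode model only; every name here is hypothetical. */
#include <stdbool.h>
#include <stdio.h>
/* A stream's context goes away only after its last file object is closed. */
typedef struct { int open_file_objects; bool context_freed; } Stream;
typedef struct {
    Stream *stream;
    int  handles;                  /* user handles; reaching 0 -> IRP_MJ_CLEANUP */
    int  refs;                     /* all references; reaching 0 -> IRP_MJ_CLOSE */
    bool cached;                   /* Cc/Mm still hold a reference (assumption: one) */
    bool mapped;                   /* section in use, so a purge attempt fails */
    bool cleanup_seen, close_seen;
} FileObject;

static void deref(FileObject *fo) {
    if (--fo->refs != 0) return;           /* someone still references the file object */
    fo->close_seen = true;                 /* IRP_MJ_CLOSE arrives only now */
    if (--fo->stream->open_file_objects == 0)
        fo->stream->context_freed = true;  /* stream torn down, context released */
}

static void open_file(FileObject *fo, Stream *s, bool cached, bool mapped) {
    *fo = (FileObject){ .stream = s, .handles = 1, .refs = cached ? 2 : 1,
                        .cached = cached, .mapped = mapped };
    s->open_file_objects++;
}

static void close_handle(FileObject *fo) {
    if (--fo->handles == 0) fo->cleanup_seen = true;  /* IRP_MJ_CLEANUP */
    deref(fo);                                        /* drop the handle's reference */
}

/* A purge is a request that can fail, never a guarantee. */
static bool try_purge(FileObject *fo) {
    if (!fo->cached || fo->mapped) return false;
    fo->cached = false;
    deref(fo);
    return true;
}

int main(void) {
    Stream s = {0}; FileObject fo;
    open_file(&fo, &s, true, true);
    close_handle(&fo);                 /* cleanup seen, close still pending */
    bool first = try_purge(&fo);       /* fails while the section is mapped */
    fo.mapped = false;
    bool second = try_purge(&fo);      /* succeeds; close and teardown follow */
    printf("first=%d second=%d freed=%d\n", first, second, s.context_freed);
    return 0;
}
```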

Thank you very much, Scott!
Always love your explanations.

I really hope I can get to the OSR minifilter seminar one day. Because of idiotic bureaucracy, 2022 is the earliest this can happen :(