The best time to release FCB of file object created by IoCreateStreamFileObject

yu_shang · June 26, 2022, 6:17am

Hi dear all,
If I understand it correctly , the best time (maybe only?) to release FCB of an ordinary file object is in response to IRP_MJ_CLOSE. But for file object created from IoCreateStreamFileObject by FSD , the receiver of IRP_MJ_CLOSE is not FSD. So what’s the best time to release FCB in this case ?
I have the following use case

in response to IRP_MN_MOUNT_VOLUME
1. Fo=IoCreateStreamFileObject 
2. allocate and fill FsContext / SectionObjectPointer etc.
3. CcInitializeCacheMap
4. use cache
5. CcUninitializeCacheMap
6. ObDereferenceObject(Fo)
7. release FsContext / SectionObjectPointer allocated in step 2

In this scenario I am experiencing system crash. Because at step 7 there still exists active reference to Fo which is held by Cc. Cc will use FsContext later but it has been released.

Scott_Noone_OSR · June 29, 2022, 3:22pm

When you’re done with the stream file object you call ObDereferenceObject and this will send you an IRP_MJ_CLOSE. See how FAT deals with the VirtualVolumeFile:

https://github.com/microsoft/Windows-driver-samples/blob/main/filesys/fastfat/strucsup.c#L447

NB: You can build the source yourself and replace the version of FAT on your target system. Then you can set breakpoints and step the code. I personally find this more helpful than just trying to read source.