Hi all,
while testing my file system filter driver, I found that sometimes
my IRP_MJ_CLOSE dispatch routine is called with the FileObject's reference
PointerCount != 0.
As far as I know, the Object Manager is the only one that can issue IRP_MJ_CLOSE for a
FileObject, via IopDeleteFile(), and it does so from ObDereferenceObject() when
(HandleCount + PointerCount) == 0 ?!
Can someone tell me what is wrong?
My test is simple:
- Set a breakpoint in the FSF close dispatch routine
- From a user-mode test application, call the GetFileAttributes() API
kd> kv
ChildEBP RetAddr Args to Child
f884d9a8 804eca36 81492020 820d4e00 806c8214 TESTFSF!TESTfsfClose+0xbd (FPO: [Non-Fpo])
f884d9b8 80647111 820d4e10 820d4e00 f884dc20 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
f884d9dc 805870ad f884dcd0 00000000 f884dc20 nt!IovCallDriver+0x9e (FPO: [Non-Fpo])
f884da14 805c0b94 0084dc20 81900ba0 8178d954 nt!IopDeleteFile+0x159 (FPO: [Non-Fpo])
f884dafc 8057f6f0 81900bb8 00000000 8178d8b0 nt!IopParseDevice+0xe62
f884db80 80581aba 00000000 f884dbc0 00000040 nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
f884dbd4 8058d9d1 00000000 00000000 f884dc01 nt!ObOpenObjectByName+0xe9 (FPO: [Non-Fpo])
f884dd54 804da140 0012fcd0 0012fca8 00000000 nt!NtQueryAttributesFile+0xe9 (FPO: [Non-Fpo])
f884dd54 7ffe0304 0012fcd0 0012fca8 00000000 nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ f884dd64)
0012fc88 77f75f60 77e7e722 0012fcd0 0012fca8 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
0012fc8c 77e7e722 0012fcd0 0012fca8 0012ff80 ntdll!ZwQueryAttributesFile+0xc (FPO: [2,0,0])
kd> !object f884dc20
Object: f884dc20 Type: (8194d358) File
ObjectHeader: f884dc08
HandleCount: 0 PointerCount: 1
Directory Object: 00000000 Name: \test.dat {HarddiskVolume3}
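An added example, not part of the original post: a small Python helper that parses the `kv` frames quoted above (FPO annotations dropped, the same addresses) and checks whether a given address lies between the kernel-mode ChildEBP values. The file object passed down to IopDeleteFile, f884dc20, falls inside that range, i.e. it lives on the thread's kernel stack rather than in pool, which is the first thing to check when a close arrives without going through the usual ObDereferenceObject() path.

```python
import re

# Constructed excerpt of the "kd> kv" output from the post above.
KV_OUTPUT = """\
ChildEBP RetAddr Args to Child
f884d9a8 804eca36 81492020 820d4e00 806c8214 TESTFSF!TESTfsfClose+0xbd
f884d9b8 80647111 820d4e10 820d4e00 f884dc20 nt!IopfCallDriver+0x31
f884d9dc 805870ad f884dcd0 00000000 f884dc20 nt!IovCallDriver+0x9e
f884da14 805c0b94 0084dc20 81900ba0 8178d954 nt!IopDeleteFile+0x159
f884dafc 8057f6f0 81900bb8 00000000 8178d8b0 nt!IopParseDevice+0xe62
f884db80 80581aba 00000000 f884dbc0 00000040 nt!ObpLookupObjectName+0x56a
f884dbd4 8058d9d1 00000000 00000000 f884dc01 nt!ObOpenObjectByName+0xe9
f884dd54 804da140 0012fcd0 0012fca8 00000000 nt!NtQueryAttributesFile+0xe9
f884dd54 7ffe0304 0012fcd0 0012fca8 00000000 nt!KiSystemService+0xc4
0012fc88 77f75f60 77e7e722 0012fcd0 0012fca8 SharedUserData!SystemCallStub+0x4
0012fc8c 77e7e722 0012fcd0 0012fca8 0012ff80 ntdll!ZwQueryAttributesFile+0xc
"""

# One x86 kv frame: ChildEBP, RetAddr, three args, then the symbol.
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ((?:[0-9a-f]{8} ){3})(\S+)")

KERNEL_BASE = 0x80000000  # x86 default 2 GB user / 2 GB kernel split


def parse_frames(text):
    """Return a list of (child_ebp, symbol, [arg0, arg1, arg2]) tuples."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            args = [int(a, 16) for a in m.group(3).split()]
            frames.append((int(m.group(1), 16), m.group(4), args))
    return frames


def kernel_stack_range(frames):
    """Lowest and highest ChildEBP among kernel-mode frames."""
    ebps = [ebp for ebp, _, _ in frames if ebp >= KERNEL_BASE]
    return min(ebps), max(ebps)


def is_on_kernel_stack(addr, frames):
    """True if addr lies within the kernel stack frames shown in the trace."""
    lo, hi = kernel_stack_range(frames)
    return lo <= addr <= hi


def frames_passing(addr, frames):
    """Symbols of frames that receive addr as one of their first three args."""
    return [sym for _, sym, args in frames if addr in args]
```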