I have encountered a repeatable sequence that leads to our driver receiving only IRP_MJ_CLOSE for a file object for which we have just processed IRP_MJ_CREATE and returned a success code. This is happening when saving a document in Word 2007 if we delay the processing of the IRP_MJ_CREATE request that asks for access 0x01130089.
If we delay this IRP_MJ_CREATE a bit, then (I’m guessing) some filter driver or the OS or Word decides to cancel the request. The problem is that in our FSD (full FSD, not filter), we have already processed IRP_MJ_CREATE and returned a success code. In FileMon, I see that the IRP_MJ_CREATE request appears with the SUCCESS return value. Of course, while processing IRP_MJ_CREATE, we have called IoSetShareAccess or IoCheckShareAccess and updated the relevant ShareAccess.
Now that our driver has updated ShareAccess and completed IRP_MJ_CREATE with a success code, we get into trouble when we don’t get IRP_MJ_CLEANUP (ShareAccess doesn’t get undone). We see only IRP_MJ_CLOSE in FileMon output in this case. In FileMon, the IRP_MJ_CLOSE that appears after the successful IRP_MJ_CREATE appears to be invoked by System.
I have verified with various methods that the IRP_MJ_CREATE and IRP_MJ_CLOSE that I am talking about are really for the same CCB / FileObject and that really there is no IRP_MJ_CLEANUP in between. Actually, I am not yet even sure if that IRP_MJ_CLOSE gets into our driver either, but in FileMon I can see it.
I can consistently reproduce this problem on two machines (identical HP laptops). I cannot reproduce it on many other machines. Reproducing the problem also seems to require that I have F-Secure Anti-Virus 8.0 enabled, but even with F-Secure Anti-Virus enabled, I cannot reproduce the problem on other machines than these HP laptops.
To me, it seems likely that one of the filter drivers on the machines could be misbehaving. Looking at IoCancelFileOpen documentation it seems that maybe some filter driver is incorrectly cancelling a request even though a handle has already been created. But I need to know this for sure.
Or, is the fault in the end in our FSD after all? Should we be prepared for this kind of situation (= not receiving IRP_MJ_CLEANUP for a handle we have opened with a successful IRP_MJ_CREATE)? Are we expected to revoke ShareAccess in IRP_MJ_CLOSE if IRP_MJ_CLEANUP is missing?
Best regards,
Antti Nivala