Description
This is what happens:
- usetup formats the volume
- usetup closes the volume (calls NtClose)
- the kernel closes the handle and calls IopCloseFile
- IopCloseFile sends an IRP to vfat, calling VfatCleanup
- VfatCleanup acquires the resource DeviceExt->DirResource
- VfatCleanup calls VfatCleanupFile
- VfatCleanupFile calls VfatCheckForDismount
- VfatCheckForDismount calls IoDeleteDevice(DeviceExt->VolumeDevice);
- IoDeleteDevice calls IopUnloadDevice
- IopUnloadDevice deletes the device and frees the device extension
- back to VfatCleanup, the resource is released, but it has already been freed
The issue could be related to the "UnCleanCount" hack in VfatCheckForDismount, where a reference count of 3 prevents the device from being deleted.
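The ordering problem in the call chain above, reduced to a user-mode model (an added example, not ReactOS code). The struct, the helper names and the deferred-delete variant are assumptions made for illustration; the model sets a `freed` flag instead of actually freeing memory so the late release can be counted safely.

```c
#include <stdbool.h>

/* Stand-in for the vfat device extension; field names are hypothetical. */
typedef struct {
    bool dir_resource_held;  /* models DeviceExt->DirResource being owned */
    bool dismount_pending;   /* the dismount check will delete the device */
    bool freed;              /* set in place of freeing, so it can be inspected */
} DeviceExt;

static int release_after_free;  /* releases that touched a freed extension */

static void acquire(DeviceExt *e) { e->dir_resource_held = true; }

static void release(DeviceExt *e) {
    if (e->freed)
        release_after_free++;   /* in the kernel this is the use-after-free */
    e->dir_resource_held = false;
}

/* Models IoDeleteDevice -> IopUnloadDevice freeing the extension. */
static void delete_device(DeviceExt *e) { e->freed = true; }

/* Order from the report: the device is deleted while the resource is held. */
static void cleanup_as_reported(DeviceExt *e) {
    acquire(e);
    if (e->dismount_pending)
        delete_device(e);
    release(e);                 /* extension is already gone here */
}

/* Assumed alternative: decide under the lock, delete after releasing it. */
static void cleanup_deferred(DeviceExt *e) {
    acquire(e);
    bool do_delete = e->dismount_pending;
    release(e);
    if (do_delete)
        delete_device(e);
}

/* Returns how many releases hit a freed extension for the chosen ordering. */
int run_model(bool deferred) {
    DeviceExt e = { false, true, false };
    release_after_free = 0;
    if (deferred) cleanup_deferred(&e); else cleanup_as_reported(&e);
    return release_after_free;
}

int main(void) { return (run_model(false) == 1 && run_model(true) == 0) ? 0 : 1; }
```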