I wonder if someone could shed some of their knowledge/insight onto this question regarding protected list insertions and APCs:
I have a mini-filter driver, the skeleton of which is pretty much based on the WDK filespy sample.
When the post-processing callback gets an IRP it’s interested in (e.g. a file deletion, rename, etc.), it creates a log record (a driver-supplied structure), acquires a spin lock (using KeAcquireSpinLock()), and adds the record to a list (using InsertTailList()). (A separate thread reads/clears the list as necessary.)
This works just fine, except in some circumstances, the IRPs come in recursively (e.g. during a full directory with subdirectories deletion). This means that APCs are disabled for [some of] the subsequent calls. To ensure correct operation of the FS stack, the driver’s logging function checks for APCs disabled before acquiring the spin lock, and doesn’t perform the list insertion if APCs are disabled, as it’s not allowed. This of course means those events are not captured.
So, the question is, what is the best way to handle protected list insertions when APCs are disabled?
Having APCs enabled or not when you acquire a spinlock has no effect.
You are fine grabbing a spinlock while APCs are disabled. Where did you find that you cannot acquire a spinlock if APCs are disabled?