Hi,
While debugging my driver I’ve figured out that the
AcquireForReadAhead() and AcquireForLazyWrite() callback routines are
called without being in a critical region or at APC_LEVEL. Is it normal?
The thing is that these callback routines acquire an Fcb resource using
the ExAcquireResourceXxxLite() routine, which requires being called in a
critical region or at APC_LEVEL. I looked through the FastFAT and CDFS samples
but there are no FsRtlEnterFileSystem() calls in these callback routines.
Also, as I noticed, the AcquireForModWrite() callback routine is called
without being in a critical region, but the AcquireFileForNtCreateSection()
and AcquireForCcFlush() callbacks are OK.
Any comments will be highly appreciated.
Konstantin Manurin
Hi Konstantin,
I think this is because AcquireForReadAhead(…) and AcquireForLazyWrite(…) are called from the WorkQueue (i.e. ExpWorkerThread) thread, which is a system thread. For the system thread, a malicious user application can’t insert an APC or create a request which results in an APC being delivered into the system thread. That is, only trusted code is called from the WorkQueue threads.
AcquireForCcFlush may be called in the context of the user thread.
–
Slava Imameyev, xxxxx@hotmail.com