Edit

Share via

IrqlZwPassive rule (wdm)

  • Article

The IrqlZwPassive rule specifies that the driver calls ZwClose only when it is executing at IRQL = PASSIVE_LEVEL.

Driver model: WDM

Bug check(s) found with this rule: Bug Check 0xC4: DRIVER_VERIFIER_DETECTED_VIOLATION (0x2001F)

Example

The following code violates this rule:

NTSTATUS 
DriverCloseResources (
    _In_ PDRIVER_CONTEXT Context
    )
{
    …

    NT_ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);

    //
    // ExAcquireFastMutex sets the IRQL to APC_LEVEL, and the caller continues 
    // to run at APC_LEVEL after ExAcquireFastMutex returns.
    //
  
    ExAcquireFastMutex(&Context->FastMutex);
    
    ....
    
    if (NULL != Context->Handle) {

            //
            // RULE VIOLATION! - ZwClose can be called only at PASSIVE_LEVEL 
            //
            
            ZwClose(Context->Handle);      
            Context->Handle = NULL;
    }
    
    ....

    //
    // N.B. ExReleaseFastMutex restores the original IRQL.
    //
     
    ExReleaseFastMutex(&Context->FastMutex);
    
    ....
}

How to test

At compile time

Run Static Driver Verifier and specify the IrqlZwPassive rule.

Use the following steps to run an analysis of your code:
  1. Prepare your code (use role type declarations).
  2. Run Static Driver Verifier.
  3. View and analyze the results.

For more information, see Using Static Driver Verifier to Find Defects in Drivers.
At run time

Run Driver Verifier and select the DDI compliance checking option.

Applies to

ZwClose ZwCreateKey ZwDeleteKey ZwEnumerateKey ZwEnumerateValueKey ZwFlushKey ZwOpenKey ZwQueryKey ZwQueryValueKey ZwSetValueKey