IrqlZwPassive rule (wdm)

The IrqlZwPassive rule specifies that the driver calls ZwClose only when it is executing at IRQL = PASSIVE_LEVEL.

Driver modelWDM
Bug check(s) found with this rule Bug Check 0xC4: DRIVER_VERIFIER_DETECTED_VIOLATION (0x2001F)

Example

The following code violates this rule:

NTSTATUS 
DriverCloseResources (
    _In_ PDRIVER_CONTEXT Context
    )
{
    …

    NT_ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);

    //
    // ExAcquireFastMutex sets the IRQL to APC_LEVEL, and the caller continues 
    // to run at APC_LEVEL after ExAcquireFastMutex returns.
    //
  
    ExAcquireFastMutex(&Context->FastMutex);
    
    ....
    
    if (NULL != Context->Handle) {

            //
            // RULE VIOLATION! - ZwClose can be called only at PASSIVE_LEVEL 
            //
            
            ZwClose(Context->Handle);      
            Context->Handle = NULL;
    }
    
    ....

    //
    // N.B. ExReleaseFastMutex restores the original IRQL.
    //
     
    ExReleaseFastMutex(&Context->FastMutex);
    
    ....
}

How to test

At compile time

Run Static Driver Verifier and specify the IrqlZwPassive rule.

Use the following steps to run an analysis of your code:
  1. Prepare your code (use role type declarations).
  2. Run Static Driver Verifier.
  3. View and analyze the results.

For more information, see Using Static Driver Verifier to Find Defects in Drivers.

At run time

Run Driver Verifier and select the DDI compliance checking option.

 

Applies to

ZwClose
ZwCreateKey
ZwDeleteKey
ZwEnumerateKey
ZwEnumerateValueKey
ZwFlushKey
ZwOpenKey
ZwQueryKey
ZwQueryValueKey
ZwSetValueKey

 

 

Send comments about this topic to Microsoft

Show:
© 2015 Microsoft