MmMapLockedPagesSpecifyCache bugcheck in verifier when bugcheck parameter is FALSE

trindflo

I'm testing "Randomized low resources simulation" with the verifier, so random API errors are expected. I don't understand why a bugcheck is happening however. Note: the code is working without the verifier - it is a verifier induced API fault that is causing issues. Is this just something I need to expect from this test?

`
mdl = MmAllocatePagesForMdl(lowAddress, highAddress, lowAddress, totalBytes);

if (NULL == mdl) {
    return STATUS_INSUFFICIENT_RESOURCES;
}

//
// The preferred way to map the buffer into user space
//
userVAToReturn =   // Line 110; error reported here <---------
    MmMapLockedPagesSpecifyCache(mdl,          // MDL
        UserMode,     // Mode
        MmCached,     // Caching
        NULL,         // Address
        FALSE,        // Do NOT Bugcheck on error; instead return NULL
        NormalPagePriority | MdlMappingNoExecute); // Priority (and of course no execute)

//
// If we get NULL back, the request didn't work.
//
    if (NULL == userVAToReturn) {
        MmFreePagesFromMdl(mdl);
        IoFreeMdl(mdl);
        return STATUS_INSUFFICIENT_RESOURCES;
    }

`

Resulting stack after it bugchecks anyway:

STACK_TEXT:  
ffff8585`29eecf10 fffff804`32b5ec25 : ffff9a0a`99be19a0 00000000`00000000 00000000`7fffffff 00000000`000bf000 : nt!RtlRaiseStatus+0x18
ffff8585`29eed4b0 fffff802`a9cee313 : ffff9a0a`92af9550 ffff9a0a`995b47d0 ffff9a0a`8dadf060 fffff804`32b4e3a9 : nt!VerifierMmMapLockedPagesSpecifyCache+0x115
ffff8585`29eed500 fffff802`a9cee3fd : ffff9a0a`000bf000 ffff9a0a`9b008808 ffff9a0a`9b008810 ffff9a0a`9b008818 : DMC9054!CreateAndMapVLCB+0x83 [...\Dispatch.c @ 110] 
ffff8585`29eed570 fffff802`a9cf3340 : ffff9a0a`000bf000 ffff9a0a`9b008808 fffff802`a9d2de50 00000000`00000001 : DMC9054!CreateMMSA+0x3d [...\Dispatch.c @ 222] 
ffff8585`29eed5b0 fffff802`a5faa063 : ffff9a0a`995b47d0 ffff9a0a`8dadf060 ffff9a0a`8dadf060 fffff802`a9cf31d0 : DMC9054!DriverAddDevice+0x170 [...\Driver.c @ 417] 
ffff8585`29eed6a0 fffff804`32b5c861 : fffff804`32b5c830 00000000`00000004 ffff9a0a`92af9550 ffff9a0a`8dadf060 : VerifierExt!xdv_AddDevice_wrapper+0x73
ffff8585`29eed6d0 fffff804`32470d21 : fffff804`32b5c830 ffff8585`29eed860 00000000`00000000 fffff804`32571480 : nt!ViGenericAddDevice+0x31
ffff8585`29eed710 fffff804`32923c06 : 00000000`00000000 00000000`00000003 ffff9a0a`8dade920 ffffab8d`5b4031f0 : nt!PpvUtilCallAddDevice+0xec9dd
ffff8585`29eed750 fffff804`32901fdb : 00000000`00000003 00000000`00000000 ffff8585`29eed8e0 00000000`40000000 : nt!PnpCallAddDevice+0x56
ffff8585`29eed7e0 fffff804`32900e6b : ffff9a0a`8dade920 ffff8585`29eeda18 ffff9a0a`8dade920 00000000`00000000 : nt!PipCallDriverAddDevice+0xc2f
ffff8585`29eed9a0 fffff804`3297995f : ffff9a0a`8dade900 ffff9a0a`8dc88c01 ffff8585`29eedab0 ffff9a0a`00000000 : nt!PipProcessDevNodeTree+0x1af
ffff8585`29eeda60 fffff804`323748d1 : ffff9a01`00000003 ffff9a0a`8dade920 fffff804`00000000 00000000`00000000 : nt!PiRestartDevice+0xab
ffff8585`29eedab0 fffff804`322cb49a : ffff9a0a`98a36040 fffff804`3264c460 ffff9a0a`8d913c50 ffff9a0a`00000000 : nt!PnpDeviceActionWorker+0x421
ffff8585`29eedb70 fffff804`3234d1d5 : ffff9a0a`98a36040 ffff9a0a`8d863040 ffff9a0a`98a36040 00002425`bd9bbfff : nt!ExpWorkerThread+0x16a
ffff8585`29eedc10 fffff804`323db8dc : ffffc181`353e0180 ffff9a0a`98a36040 fffff804`3234d180 00000000`00000246 : nt!PspSystemThreadStartup+0x55
ffff8585`29eedc60 00000000`00000000 : ffff8585`29eee000 ffff8585`29ee8000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x1c

Scott_Noone_(OSR)

Check the docs for MmMapLockedPagesSpecifyCache:

If the specified pages cannot be mapped, the routine raises an exception. Callers that specify UserMode must wrap the call to MmMapLockedPagesSpecifyCache in a try/except block. For more information, see Handling Exceptions.

https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-mmmaplockedpagesspecifycache

So, this is a legit bug in your code. Are you using Code Analysis? It should have caught this...