I'm running with verifier /rc 1 2 4 5 6 8 9 12 18 20 24 26 35 /driver <mydriver.sys>. I got bugcheck DRIVER_IRQL_NOT_LESS_OR_EQUAL and the memory referenced is allocated with ExAllocatePool2(POOL_FLAG_NON_PAGED | POOL_FLAG_USE_QUOTA, ...). But Windbg shows it belonging to special pool:
0: kd> !pool ffffd982510c8ff8
Pool page ffffd982510c8ff8 region is Special pool
ffffd982510c8000: Unable to get contents of special pool block
0: kd>
Is driver verifier causing the allocation to come from special pool? If so, is special pool using paged memory which causes the bugcheck?
Yes, Verifier puts the allocations in special pool. Special pool allocations have additional validation applied to them to check for things like use after free, buffer overruns, double frees, etc.
it’s likely you’ve freed this allocation and then used the invalid pointer at an elevated IRQL. You can see if there’s an entry in the verification log:
I believe you are correct. !verifier 80 address shows 3 entries. The bottom entry is the allocation but it looks to me the top 2 entries are for a single free and it's split across 2 entries due to stack frame count limits. Does that sound right?
0: kd> !verifier 80 ffffc80a65faafe0
Log of recent kernel pool Allocate and Free operations:
There are up to 0x10000 entries in the log.
Parsing 0x0000000000010000 log entries, searching for address 0xffffc80a65faafe0.
======================================================================
Pool block ffffc80a65faafe0, Size 0000000000000020, Thread ffffc80a64c92080
fffff805481e70e2 nt!VfFreePoolNotification+0x5e
fffff80547c6c5cc nt!ExpFreePoolChecks+0x169010
fffff80547dc0ca6 nt!ExpFreeHeapSpecialPool+0x56
fffff80547c2de52 nt!ExFreeHeapPool+0x202a12
fffff805481bb0b9 nt!ExFreePool+0x9
fffff80548ed8a80 VerifierExt!ExFreePoolWithTag_wrapper+0x140
fffff805481dc286 nt!VerifierExFreePoolWithTag+0x56
fffff8054f871519 MyDriver!Qux+0xbd
fffff8054f871381 MyDriver!Baz+0x29
fffff8054f87172e MyDriver!Bar+0x6a
fffff8054f871f54 MyDriver!Foo+0x174
fffff80548edde7c VerifierExt!xdv_IRP_MJ_DEVICE_CONTROL_wrapper+0x16c
fffff80547b759d7 nt!IopfCallDriver+0x53
======================================================================
Pool block ffffc80a65faafe0, Size 0000000000000010, Thread ffffc80a64c92080
fffff805481e70cd nt!VfFreePoolNotification+0x49
fffff805481dc246 nt!VerifierExFreePoolWithTag+0x16
fffff8054f871519 MyDriver!Qux+0xbd
fffff8054f871381 MyDriver!Baz+0x29
fffff8054f87172e MyDriver!Bar+0x6a
fffff8054f871f54 MyDriver!Foo+0x174
fffff80548edde7c VerifierExt!xdv_IRP_MJ_DEVICE_CONTROL_wrapper+0x16c
fffff80547b759d7 nt!IopfCallDriver+0x53
fffff805481cbf2a nt!IovCallDriver+0x266
fffff80547c2c49b nt!IofCallDriver+0x20740b
fffff80547e0cc91 nt!IopSynchronousServiceTail+0x361
fffff80547e0c8ca nt!IopXxxControlFile+0xd0a
fffff80547e0bba6 nt!NtDeviceIoControlFile+0x56
======================================================================
Pool block ffffc80a65faafe0, Size 0000000000000020, Thread ffffc80a6c2eb080
fffff805481e6ff5 nt!VfAllocPoolNotification+0x31
fffff805481db8af nt!VeAllocatePoolWithTagPriority+0x2cf
fffff80548edaa2b VerifierExt!ExAllocatePool2_internal_wrapper+0x17b
fffff805481dbaee nt!VerifierExAllocatePool2+0xfe
fffff8054f8715d4 MyDriver!Cherry+0x48
fffff8054f8719e9 MyDriver!Banana+0x12d
fffff8054f872163 MyDriver!Apple+0x1b3
fffff80547f07ad5 nt!PsCallImageNotifyRoutines+0x165
fffff80547f01ce3 nt!DbgkCreateThread+0x16f
fffff80547f01a4b nt!PspUserThreadStartup+0xbb
fffff80547c0d2b8 nt!KiStartUserThread+0x28
fffff80547c0d220 nt!KiStartUserThreadReturn+0
Parsed entry 0000000000010000/0000000000010000...
Finished parsing all pool tracking information.
Weird that it's there twice, but definitely looks like an artifact of the logging and not a double free. I don't think it's a stack thing but that VfFreePoolNotification is being called twice for some reason.