Here is the code in the GPU-Z 0x8000645C IOCTL handler, which builds a nonpaged MDL and locks it with MmBuildMdlForNonPagedPool (there is also an IOCTL handler for unlocking).
According to the MSDN doc, a nonpaged MDL shouldn't be locked/unlocked; doing so may cause undefined behavior. In my tests, locking/unlocking a nonpaged MDL multiple times causes a BSOD.
[MmBuildMdlForNonPagedPool function (wdm.h) - Windows drivers | Microsoft Learn](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-mmbuildmdlfornonpagedpool)
C (decompiler output, identifiers as produced by the decompiler):

```c
// Input buffer: a PHYSICAL_ADDRESS followed by a length (v8[1].LowPart).
v8 = (PHYSICAL_ADDRESS*)irp->AssociatedIrp.SystemBuffer;
// Map the caller-supplied physical range into system space.
baseaddr = MmMapIoSpace(*v8, v8[1].LowPart, MmNonCached);
baseaddr_1 = (__int64)baseaddr;
if (!baseaddr)
    goto LABEL_19;
index = 0;
// Describe the freshly mapped range with an MDL ...
mdl = IoAllocateMdl(baseaddr, v8[1].LowPart, 0, 0, 0i64);
mdl_1 = mdl;
if (!mdl)
    goto LABEL_19;
// ... and mark it as nonpaged (sets MDL_SOURCE_IS_NONPAGED_POOL).
MmBuildMdlForNonPagedPool(mdl);
// AccessMode 1 == UserMode: the range is mapped into the caller's address space.
map = MmMapLockedPagesSpecifyCache(mdl_1, 1, MmNonCached, 0i64, 0, 0x10u);
DbgPrint("map: %p, mdl:% p\n", (PVOID)map, (PMDL)mdl);
// Return the user-mode mapping address as a 4- or 8-byte value.
len = stacklocation->Parameters.Read.Length;
if (len == 4)
{
    *(DWORD*)irp->AssociatedIrp.MasterIrp = (DWORD)map;
    len = stacklocation->Parameters.DeviceIoControl.OutputBufferLength;
}
if (len == 8)
    *(uint64_t*)irp->AssociatedIrp.SystemBuffer = (uint64_t)map;
```
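The check a driver author would put in front of the lock/unlock paths described above, as an added example (not GPU-Z code): it models the MDL flags field in portable C so it runs in user mode, assumes the lock/unlock handlers correspond to MmProbeAndLockPages/MmUnlockPages, and refuses both on an MDL that MmBuildMdlForNonPagedPool has marked as nonpaged. The flag values match wdm.h; the MDL struct and the Mm* stand-ins are stubs.

```c
/* Added example, not from the report or from GPU-Z: a user-mode model of the
 * MdlFlags check a driver should perform before lock/unlock IOCTL handlers
 * touch an MDL. Flag values are the wdm.h ones; everything else is a stub. */
#include <stdint.h>

#define MDL_MAPPED_TO_SYSTEM_VA      0x0001  /* wdm.h */
#define MDL_PAGES_LOCKED             0x0002  /* wdm.h */
#define MDL_SOURCE_IS_NONPAGED_POOL  0x0004  /* wdm.h: set by MmBuildMdlForNonPagedPool */

typedef struct {
    uint16_t MdlFlags;   /* the only MDL field this check needs */
    uint32_t ByteCount;
} MDL_MODEL;

/* Stub mirroring the flag effect of MmBuildMdlForNonPagedPool. */
static void build_for_nonpaged(MDL_MODEL *mdl) {
    mdl->MdlFlags |= MDL_SOURCE_IS_NONPAGED_POOL;
}

typedef enum { MDL_OK = 0, MDL_REFUSED_NONPAGED = 1, MDL_REFUSED_STATE = 2 } mdl_rc;

/* Guard for the "lock" handler (stand-in for MmProbeAndLockPages): a nonpaged
 * MDL was never probed-and-locked, and an already-locked MDL must not be
 * locked again. */
static mdl_rc guarded_lock(MDL_MODEL *mdl) {
    if (mdl->MdlFlags & MDL_SOURCE_IS_NONPAGED_POOL) return MDL_REFUSED_NONPAGED;
    if (mdl->MdlFlags & MDL_PAGES_LOCKED) return MDL_REFUSED_STATE;
    mdl->MdlFlags |= MDL_PAGES_LOCKED;
    return MDL_OK;
}

/* Guard for the "unlock" handler (stand-in for MmUnlockPages): same nonpaged
 * refusal, plus a second unlock of an unlocked MDL is rejected. */
static mdl_rc guarded_unlock(MDL_MODEL *mdl) {
    if (mdl->MdlFlags & MDL_SOURCE_IS_NONPAGED_POOL) return MDL_REFUSED_NONPAGED;
    if (!(mdl->MdlFlags & MDL_PAGES_LOCKED)) return MDL_REFUSED_STATE;
    mdl->MdlFlags &= (uint16_t)~MDL_PAGES_LOCKED;
    return MDL_OK;
}

/* Replays the reported sequence: build the MDL for nonpaged pool, then run the
 * lock and unlock handlers repeatedly. Returns how many calls the guards let
 * through; with the flag check in place that is 0. */
static int replay_nonpaged_lock_unlock(int rounds) {
    MDL_MODEL mdl = { 0, 0x1000 };
    build_for_nonpaged(&mdl);
    int passed = 0;
    for (int i = 0; i < rounds; i++) {
        if (guarded_lock(&mdl) == MDL_OK) passed++;
        if (guarded_unlock(&mdl) == MDL_OK) passed++;
    }
    return passed;
}
```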