From: Ray Kinsella
To: freebsd-hackers@freebsd.org
Date: Sun, 10 May 2009 13:32:57 +0100
Subject: contigmalloc & access protection failure

Hi all,

I am trying to create a kernel panic with a memory access violation. The memory I am allocating is physically contiguous and is 2 pages in size. I then try to use vm_map_protect to set the access flags of the 2nd page to disable writes. vm_map_protect returns successfully, but when I write to the page no access violation occurs. What am I missing? My attempt in source code to create the violation is below.

Also, a question about the FreeBSD memory manager. I am a bit confused: I read the source code of the vm_map_protect function and I see it sets the protection on a vm_map_entry_t; my expectation was that protection would be set on a vm_page_t. My understanding was this:

each vm_map_t contains 1 or more vm_map_entry_t
each vm_map_entry_t contains 1 vm_object_t
each vm_object_t contains 1 or more vm_page_t

So does this mean that, because protection is getting set at vm_map_entry, I am actually protecting more than one page of memory?

Thanks
Ray Kinsella

--------------------------------------------- cut here ---------------------------------------------

/*
 * The header names were lost in the archived copy of this message; the
 * list below is an assumption covering what the code that follows uses.
 */
#include <sys/types.h>
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/errno.h>
#include <sys/kernel.h>
#include <sys/module.h>
#include <sys/malloc.h>
#include <sys/proc.h>
#include <vm/vm.h>
#include <vm/vm_param.h>
#include <vm/pmap.h>
#include <vm/vm_map.h>

vm_offset_t palloc_wr;
vm_offset_t palloc_r;

void _alloc(void);
void _free(void);

void _alloc(void)
{
    uint32_t retval = 0;

    /*
     * Two physically contiguous pages: physical range 0 .. (1L << 31),
     * 4096-byte alignment, not crossing a 1 MB boundary.
     */
    palloc_wr = (vm_offset_t) contigmalloc(2 * PAGE_SIZE,
            M_DEVBUF, 0, 0, (1L << 31),
            4096, 1024 * 1024);

    /* Cast so the format matches vm_offset_t on 32- and 64-bit kernels. */
    printf("contigmalloc : 0x%.08jx\n", (uintmax_t)palloc_wr);

    /* Second page of the allocation. */
    palloc_r = palloc_wr + PAGE_SIZE;

    //kernel_map
    /* Arguments: map, start, end, new_prot = VM_PROT_ALL, set_max = 0. */
    retval = vm_map_protect(&curthread->td_proc->p_vmspace->vm_map
            , palloc_r, palloc_r + PAGE_SIZE,
            VM_PROT_ALL, 0);

    printf("vm_map_protect : %d\n", retval);

    /* Write to the second page. */
    memset((void *)palloc_r, 0xFF, PAGE_SIZE);
}

void _free(void)
{
    contigfree((void *) palloc_wr, 2 * PAGE_SIZE, M_DEVBUF);
}

/* The function called at load/unload. */
static int event_handler(struct module *module, int event, void *arg)
{
    int e = 0; /* Error, 0 for normal return status */

    switch (event) {
    case MOD_LOAD:
        _alloc();
        break;
    case MOD_UNLOAD:
        _free();
        break;
    default:
        e = EOPNOTSUPP; /* Error, Operation Not Supported */
        break;
    }

    return(e);
}

/* The second argument of DECLARE_MODULE. */
static moduledata_t mod_conf = {
    "mod",          /* module name */
    event_handler,  /* event handler */
    NULL            /* extra data */
};

DECLARE_MODULE(mod, mod_conf, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);
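
A user-space counterpart of the experiment above, added here as an example and not part of the original message: mprotect(2), which FreeBSD carries out by calling vm_map_protect on the calling process's map, removes write permission from only the second of two pages, and each page is then probed with a one-byte store. The names probe_two_pages, write_faults and on_fault are this example's own.

```c
#define _DEFAULT_SOURCE 1   /* expose MAP_ANON under strict -std modes on glibc */
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;

/* A store to a read-only page raises SIGSEGV (SIGBUS on some systems). */
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Store one byte at p; return 1 if the store faulted, 0 if it went through. */
static int write_faults(volatile unsigned char *p)
{
    if (sigsetjmp(fault_env, 1) != 0)
        return 1;               /* re-entered from on_fault() */
    *p = 0xFF;
    return 0;
}

/* Map two pages, make only the second read-only, probe both.
 * Returns a mask: bit 0 = first page faulted, bit 1 = second page faulted;
 * -1 if the mapping or the protection change could not be set up. */
int probe_two_pages(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    struct sigaction sa, old_segv, old_bus;
    unsigned char *base;
    int result;

    base = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
        MAP_PRIVATE | MAP_ANON, -1, 0);
    if (base == MAP_FAILED)
        return -1;
    if (mprotect(base + pg, pg, PROT_READ) != 0) {  /* second page only */
        munmap(base, 2 * pg);
        return -1;
    }
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    result = write_faults(base) | (write_faults(base + pg) << 1);
    sigaction(SIGSEGV, &old_segv, NULL);            /* restore handlers */
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(base, 2 * pg);
    return result;
}
```

A return value of 2 means the store to the first page went through and the store to the second page faulted, so the protection change applied to that one page only.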