Message-Id: <20030712201112.87A7E3ABB53@milla.ask33.net>
Date: Sat, 12 Jul 2003 22:11:12 +0200 (CEST)
From: Pawel Jakub Dawidek
To: FreeBSD-gnats-submit@FreeBSD.org
cc: Alan Cox
Subject: kern/54418: Bug in VM page protection handling.

>Number: 54418
>Category: kern
>Synopsis: Bug in VM page protection handling.
>Confidential: no
>Severity: non-critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jul 12 13:10:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Pawel Jakub Dawidek
>Release: FreeBSD 4.x, FreeBSD 5.x.
>Organization:
Pawel Jakub Dawidek
>Environment:
System: FreeBSD milla.ask33.net 4.8-RELEASE FreeBSD 4.8-RELEASE #1: Mon Apr 7 09:37:03 CEST 2003 root@milla.ask33.net:/usr/obj/usr/src/sys/MILLA i386

All versions of FreeBSD 4.x and FreeBSD 5.x.
>Description:
There is a problem in setting page protection in the function vm_map_protect().
When we set, for example, max_protection to VM_PROT_READ and after that
try to change max_protection to VM_PROT_ALL, there is no chance to do that,
because of a bogus check. This 'if' doesn't check whether we are setting
max_protection or just protection, and denies all attempts to increase
max_protection.

The problem doesn't affect FreeBSD directly, because such a situation never
occurs, but for 3rd-party kernel modules this could be important.
For example, for my module - cerb - where I need to do operations on VM pages,
it is very important, and this bug provokes 'Bus error's in some situations.
>How-To-Repeat:
This sample kernel module shows the problem. It is for FreeBSD 4.x, but
a similar one could be prepared for 5.x.

/*
 * The header names are missing from the archived message; the set below
 * is what this code needs on FreeBSD 4.x (assumed, not the original list).
 */
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/module.h>
#include <sys/proc.h>
#include <sys/lock.h>
#include <vm/vm.h>
#include <vm/pmap.h>
#include <vm/vm_map.h>

static int
mod(struct module *module, int cmd, void *arg)
{
	vm_map_t map = &curproc->p_vmspace->vm_map;
	vm_offset_t start, end;
	int error = 0;

	switch (cmd) {
	case MOD_LOAD:
		/* Range covering the last byte of the data segment. */
		end = start = (vm_offset_t)curproc->p_vmspace->vm_daddr +
		    ctob(curproc->p_vmspace->vm_dsize);
		start--;
		/* Lower max_protection to read-only. */
		error = vm_map_protect(map, start, end, VM_PROT_READ, TRUE);
		printf("ERROR1: %d\n", error);
		/* Try to raise max_protection again. */
		error = vm_map_protect(map, start, end, VM_PROT_ALL, TRUE);
		/* Here should be 2 which means KERN_PROTECTION_FAILURE. */
		printf("ERROR2: %d\n", error);
		error = 0;
		printf("testmod loaded.\n");
		break;
	case MOD_UNLOAD:
		printf("testmod unloaded.\n");
		break;
	default:
		error = EINVAL;
		break;
	}
	return (error);
}

static moduledata_t testmod_mod = {
	"testmod",
	mod,
	NULL
};
DECLARE_MODULE(testmod, testmod_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);
>Fix:
This patch fixes this.

diff -upr /usr/src/sys/vm/vm_map.c src/sys/vm/vm_map.c --- /usr/src/sys/vm/vm_map.c Fri Jul 4 00:38:04 2003 +++ src/sys/vm/vm_map.c Sat Jul 12 21:15:25 2003 @@ -1393,7 +1393,8 @@ vm_map_protect(vm_map_t map, vm_offset_t vm_map_unlock(map); return (KERN_INVALID_ARGUMENT); } - if ((new_prot & current->max_protection) != new_prot) { + if (!set_max && + (new_prot & current->max_protection) != new_prot) { vm_map_unlock(map); return (KERN_PROTECTION_FAILURE); }
>Release-Note:
>Audit-Trail:
>Unformatted:
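
Review bot: In the changed condition, the added `!set_max &&` skips the comparison against current->max_protection for every caller that passes set_max, so after this change nothing in this hunk stops max_protection from being raised above the existing ceiling. If any mapping relies on max_protection being a one-way limit, that guarantee no longer holds on the set_max path. Suggest a comment above the check stating which callers may pass set_max and why raising the ceiling is acceptable for them, and a note in the PR on whether a narrower condition than dropping the check for all set_max calls would cover the module's use case.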
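
A user-space model of the check described in this report, added here as an example and not code from the PR or from FreeBSD. `struct entry_model`, `protect_model()` and `replay()` are hypothetical names, and the way `protection` is clipped on a `set_max` call is a simplifying assumption about the kernel's behaviour.

```c
#include <stdio.h>

/* Values as on FreeBSD; the PR itself states KERN_PROTECTION_FAILURE is 2. */
#define VM_PROT_READ    0x01
#define VM_PROT_WRITE   0x02
#define VM_PROT_EXECUTE 0x04
#define VM_PROT_ALL     (VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE)
#define KERN_SUCCESS            0
#define KERN_PROTECTION_FAILURE 2

/* Hypothetical one-entry stand-in for a map entry. */
struct entry_model { int protection, max_protection; };

/* Model of the check; patched != 0 selects the condition from the PR. */
static int
protect_model(struct entry_model *e, int new_prot, int set_max, int patched)
{
	int exceeds = (new_prot & e->max_protection) != new_prot;

	if (exceeds && !(patched && set_max))
		return (KERN_PROTECTION_FAILURE);
	if (set_max) {
		/* Assumed: new ceiling, current protection clipped to it. */
		e->max_protection = new_prot;
		e->protection &= new_prot;
	} else
		e->protection = new_prot;
	return (KERN_SUCCESS);
}

/* Replays the PR's two set_max calls, then a plain protection change. */
static void
replay(int patched, int rc[3], struct entry_model *out)
{
	struct entry_model e = { VM_PROT_ALL, VM_PROT_ALL };

	rc[0] = protect_model(&e, VM_PROT_READ, 1, patched);
	rc[1] = protect_model(&e, VM_PROT_ALL, 1, patched);
	rc[2] = protect_model(&e, VM_PROT_READ | VM_PROT_WRITE, 0, patched);
	*out = e;
}

int
main(void)
{
	for (int patched = 0; patched <= 1; patched++) {
		struct entry_model e;
		int rc[3];
		replay(patched, rc, &e);
		printf("patched=%d rc=%d,%d,%d prot=%d max=%d\n", patched,
		    rc[0], rc[1], rc[2], e.protection, e.max_protection);
	}
	return (0);
}
```

With the patched condition the second call succeeds, and the later plain protection change to read/write succeeds too, which shows that the ceiling set by the first call no longer limits anything once a `set_max` caller raises it.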