From root@milla.ask33.net  Sat Jul 12 13:05:54 2003
Return-Path: <root@milla.ask33.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 882F137B401; Sat, 12 Jul 2003 13:05:54 -0700 (PDT)
Received: from milla.ask33.net (milla.ask33.net [217.197.166.60])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 5F24043F93; Sat, 12 Jul 2003 13:05:52 -0700 (PDT)
	(envelope-from root@milla.ask33.net)
Received: by milla.ask33.net (Postfix, from userid 0)
	id 87A7E3ABB53; Sat, 12 Jul 2003 22:11:12 +0200 (CEST)
Message-Id: <20030712201112.87A7E3ABB53@milla.ask33.net>
Date: Sat, 12 Jul 2003 22:11:12 +0200 (CEST)
From: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
Reply-To: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Alan Cox <alc@FreeBSD.org>
Subject: Bug in VM page protection handling.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         54418
>Category:       kern
>Synopsis:       Bug in VM page protection handling.
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jul 12 13:10:13 PDT 2003
>Closed-Date:    Sun Jul 13 03:13:20 PDT 2003
>Last-Modified:  Sun Jul 13 05:10:21 PDT 2003
>Originator:     Pawel Jakub Dawidek
>Release:        FreeBSD 4.x, FreeBSD 5.x.
>Organization:
Pawel Jakub Dawidek
>Environment:
System: FreeBSD milla.ask33.net 4.8-RELEASE FreeBSD 4.8-RELEASE #1: Mon Apr 7 09:37:03 CEST 2003 root@milla.ask33.net:/usr/obj/usr/src/sys/MILLA i386
All versions of FreeBSD 4.x and FreeBSD 5.x.

	
>Description:
	There is a problem in setting page protection in function
	vm_map_protect().
	When we set, for example, max_protection to VM_PROT_READ and
	after that try to change max_protection to VM_PROT_ALL,
	there is no chance to do that, because of a bogus check. This 'if'
	doesn't check whether we set max_protection or just protection and
	denies all attempts to increase max_protection.
	The problem doesn't affect FreeBSD directly, because such a situation
	never occurs, but for 3rd-party kernel modules this could be important.
	For example, for my module - cerb - where I need to do operations
	on VM pages, it is very important, and this bug provokes 'Bus error's
	in some situations.
>How-To-Repeat:
	This sample kernel module shows the problem. It is for FreeBSD 4.x,
	but a similar one could be prepared for 5.x.

#include <sys/param.h>

#include <sys/proc.h>
#include <sys/kernel.h>
#include <sys/module.h>
#include <sys/systm.h>

#include <sys/lock.h>
#include <vm/vm.h>
#include <vm/pmap.h>
#include <vm/vm_map.h>

static int
mod(struct module *module, int cmd, void *arg)
{
	vm_map_t map = &curproc->p_vmspace->vm_map;
	vm_offset_t start, end;
	int error = 0;

	switch (cmd) {
	case MOD_LOAD:
		end = start = (vm_offset_t)curproc->p_vmspace->vm_daddr +
		    ctob(curproc->p_vmspace->vm_dsize);
		start--;
		error = vm_map_protect(map, start, end, VM_PROT_READ, TRUE);
		printf("ERROR1: %d\n", error);
		error = vm_map_protect(map, start, end, VM_PROT_ALL, TRUE);
		/* Here should be 2 which means KERN_PROTECTION_FAILURE. */
		printf("ERROR2: %d\n", error);
		error = 0;
		printf("testmod loaded.\n");
		break;
	case MOD_UNLOAD:
		printf("testmod unloaded.\n");
		break;
	default:
		error = EINVAL;
		break;
	}

	return (error);
}

static moduledata_t testmod_mod =
{
	"testmod",
	mod,
	NULL
};

DECLARE_MODULE(testmod, testmod_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);

>Fix:
	This patch fixes this.

diff -upr /usr/src/sys/vm/vm_map.c src/sys/vm/vm_map.c
--- /usr/src/sys/vm/vm_map.c	Fri Jul  4 00:38:04 2003
+++ src/sys/vm/vm_map.c	Sat Jul 12 21:15:25 2003
@@ -1393,7 +1393,8 @@ vm_map_protect(vm_map_t map, vm_offset_t
 			vm_map_unlock(map);
 			return (KERN_INVALID_ARGUMENT);
 		}
-		if ((new_prot & current->max_protection) != new_prot) {
+		if (!set_max &&
+		    (new_prot & current->max_protection) != new_prot) {
 			vm_map_unlock(map);
 			return (KERN_PROTECTION_FAILURE);
 		}
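Review bot: the added !set_max condition leaves set_max requests with no check against current->max_protection at all, so after this hunk any caller passing set_max = TRUE can raise the ceiling to any value, including back to VM_PROT_ALL after it was lowered to VM_PROT_READ. If max_protection is meant to be a one-way limit, the original comparison is the guard that enforces it, and the hunk removes it for every set_max caller rather than only for the module in the report. If in-kernel users do need to raise the ceiling, a separate and explicitly named path would be safer than widening this one, and either way the check deserves a comment stating which callers, if any, may increase max_protection; the hunk has none.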
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: maxim 
State-Changed-When: Sun Jul 13 03:11:26 PDT 2003 
State-Changed-Why:  
As alc@ said it is not a bug. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=54418 

From: Ceri Davies <ceri@FreeBSD.org>
To: FreeBSD Gnats Submit <freebsd-gnats-submit@FreeBSD.org>
Cc:  
Subject: Re: kern/54418: Bug in VM page protection handling.
Date: Sun, 13 Jul 2003 13:03:47 +0100

 Adding to audit trail, from misfiled PR kern/54420:
 
 Date: Sat, 12 Jul 2003 15:36:27 -0500
 From: "Alan L. Cox" <alc@imimic.com>
 Message-Id: <3F10714B.44FAD294@imimic.com>
 References: <20030712201112.87A7E3ABB53@milla.ask33.net>
 
  Never mind the comment about the breakage.  That is not correct.
  
  Regards,
  Alan
 
>Unformatted:
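Added example (not part of the PR and not FreeBSD source): a user-space C model of the check touched by the diff, replaying the sample module's two set_max calls and then a request for read/write access. The entry's starting protections and the update step after the check are assumptions; only the comparison itself and the value 2 for KERN_PROTECTION_FAILURE come from the page.

```c
#include <stdio.h>
#define VM_PROT_READ  0x01
#define VM_PROT_WRITE 0x02
#define VM_PROT_ALL   0x07
#define KERN_SUCCESS  0
#define KERN_PROTECTION_FAILURE 2 /* value quoted in the PR's module */

struct entry { int protection, max_protection; }; /* one map entry */

/* patched=0: check from the '-' line; patched=1: check from the '+' lines. */
static int
model_protect(struct entry *e, int new_prot, int set_max, int patched)
{
	int over = (new_prot & e->max_protection) != new_prot;
	if (patched ? (!set_max && over) : over)
		return (KERN_PROTECTION_FAILURE);
	/* Assumed update step; it is not shown on the page. */
	if (set_max) {
		e->max_protection = new_prot;
		e->protection &= new_prot;
	} else
		e->protection = new_prot;
	return (KERN_SUCCESS);
}

/* Replay the module's two set_max calls, then ask for read/write again. */
static void
replay(int patched, int r[3], struct entry *e)
{
	/* Constructed starting state: read/write mapping, ceiling at ALL. */
	e->protection = VM_PROT_READ | VM_PROT_WRITE;
	e->max_protection = VM_PROT_ALL;
	r[0] = model_protect(e, VM_PROT_READ, 1, patched);
	r[1] = model_protect(e, VM_PROT_ALL, 1, patched);
	r[2] = model_protect(e, VM_PROT_READ | VM_PROT_WRITE, 0, patched);
}

int
main(void)
{
	struct entry e;
	int r[3];
	for (int p = 0; p <= 1; p++) {
		replay(p, r, &e);
		printf("%s: %d %d %d prot=%d max=%d\n", p ? "patched" : "original",
		    r[0], r[1], r[2], e.protection, e.max_protection);
	}
	return (0);
}
```

With the original check the lowered ceiling holds and the later read/write request is refused; with the patched check the ceiling ends up back at VM_PROT_ALL and the same request succeeds.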
