Hello, we spoke briefly in #hurd about a problem with wired memory I encountered during my work on the malleable syscall interface. I managed to create a more minimal test case. The attached program crashes stock Mach kernels as packaged by Debian.
Cheers, Justus
#define _GNU_SOURCE
#include <assert.h>
#include <fcntl.h>
#include <hurd.h>
#include <device/device.h>
#include <errno.h>
#include <error.h>
#include <stdio.h>
#include <unistd.h>
/* Verbatim copy of maptime_map, with one change:
   s/VM_INHERIT_NONE/VM_INHERIT_SHARE/ in the final vm_map call.  */
/* Map the kernel's mapped-time page read-only into the calling task and
   store its address in *MTIME.

   USE_MACH_DEV selects how the memory object is obtained: non-zero opens
   the Mach device DEV_NAME (default "time") through the privileged device
   master port; zero looks up the file DEV_NAME (default "/dev/time") and
   asks it for a memory object with io_map.

   Returns 0 on success, otherwise the error of the first step that failed.
   Every port acquired along the way is released before returning.

   The mapping is created with VM_INHERIT_SHARE.  This test case exists to
   exercise exactly that: the inheritance value is the last argument of the
   vm_map call below.

   NOTE(review): `sizeof *mtime' is the size of a pointer, not of
   struct mapped_time_value.  It is kept as in the original; presumably the
   kernel rounds the length up to a whole page, so the result is the same.
   Confirm before reusing this code.  */
error_t
maptime_map (int use_mach_dev, char *dev_name,
             volatile struct mapped_time_value **mtime)
{
  const mach_port_t self = mach_task_self ();
  const size_t map_len = sizeof *mtime;
  mach_port_t memobj;
  error_t err;

  if (!use_mach_dev)
    {
      /* File-system route: obtain the memory object from the node.  */
      mach_port_t wr_memobj;
      const char *path = dev_name ? dev_name : "/dev/time";
      file_t node = file_name_lookup (path, O_RDONLY, 0);

      if (node == MACH_PORT_NULL)
        return errno;

      err = io_map (node, &memobj, &wr_memobj);

      /* Only the read object is wanted; drop the writable one if the
         translator handed one back.  */
      if (err == 0 && wr_memobj != MACH_PORT_NULL)
        mach_port_deallocate (self, wr_memobj);

      mach_port_deallocate (self, node);
    }
  else
    {
      /* Kernel-device route: needs the privileged device master port.  */
      mach_port_t device_master;
      device_t device;
      const char *name = dev_name ? dev_name : "time";

      err = get_privileged_ports (0, &device_master);
      if (err != 0)
        return err;

      err = device_open (device_master, 0, name, &device);
      /* The master port is no longer needed whether or not the open
         succeeded.  */
      mach_port_deallocate (self, device_master);
      if (err != 0)
        return err;

      err = device_map (device, VM_PROT_READ, 0, map_len, &memobj, 0);

      /* The device port can go; the mapping does not depend on it.  */
      mach_port_deallocate (self, device);
    }

  if (err != 0)
    return err;

  /* Address hint 0 with ANYWHERE set: the kernel chooses the address.
     Current and maximum protection are both read-only.  */
  *mtime = NULL;
  err = vm_map (self, (vm_address_t *) mtime, map_len,
                0 /* mask */, 1 /* anywhere */,
                memobj, 0 /* offset */, 0 /* copy */,
                VM_PROT_READ, VM_PROT_READ,
                VM_INHERIT_SHARE);

  /* Released on success and on failure of vm_map alike.  */
  mach_port_deallocate (self, memobj);

  return err;
}
/* Test driver: map the time page through the file-system route
   (use_mach_dev = 0, default device name), then fork once.

   Parent and child both print the return value of fork to stderr and
   exit immediately.  The kernel trace accompanying this report shows the
   panic being raised from task_deallocate, that is, while a task's
   address space is being torn down, not from anything this program does
   after the fork.  */
int
main ()
{
  volatile struct mapped_time_value *mtime;
  error_t err = maptime_map (0, NULL, &mtime);
  pid_t pid;

  /* Abort with a diagnostic if the mapping could not be set up.  */
  assert_perror (err);

  pid = fork ();
  fprintf (stderr, "%d\n", pid);

  return 0;
}
root@debian:~# ./pmap-assertion
681
panic: pmap_page_protect removing a wired page
Debugger invoked: panic
Kernel Breakpoint trap, eip 0xc1020314
Stopped at Debugger+0x13: int $3
Debugger(c10dfbec,0,f5cb8e2c,0,f9a3fbe0)+0x13
panic(c10e2380,f48439a0,f5cb8e4c,c101b47f,399c3)+0x79
pmap_page_protect(399d3000,0,f42db0b8,1,f40dfab8)+0x217
vm_object_pmap_remove(f9a3fbe0,0,1000,f5cb8ee0)+0x46
vm_map_entry_delete(f9a43510,f4843108,f5cb8f00,f5cb8f50,c1052466)+0x105
vm_map_delete(f9a43510,0,c0000000,f8c0c000,f54c2a90)+0x100
vm_map_deallocate.part.5(f5f80248,c1146920,f5cb8f6c,c102a73e,f9a43510)+0x1e
vm_map_deallocate(f9a43510,f5f80248,803,f54c2a90,f54c2a90)+0x25
task_deallocate(f5f80248,f54c2a90,f5cb8f9c,c102b7e5)+0x4e
thread_deallocate(f54c2a90,1,803,c102bcdd,1)+0x197
reaper_thread_continue(f99d0ce8,f99d2c00,f5cb8ec0,f5cb8ef8,f5f80248)+0x33
>>>>> user space <<<<<
