1 /* $NetBSD: kern_malloc.c,v 1.131 2010/05/05 02:20:42 christos Exp $ */ 2 3 /* 4 * Copyright (c) 1987, 1991, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 * 31 * @(#)kern_malloc.c 8.4 (Berkeley) 5/20/95 32 */ 33 34 /* 35 * Copyright (c) 1996 Christopher G. Demetriou. All rights reserved. 36 * 37 * Redistribution and use in source and binary forms, with or without 38 * modification, are permitted provided that the following conditions 39 * are met: 40 * 1. Redistributions of source code must retain the above copyright 41 * notice, this list of conditions and the following disclaimer. 42 * 2. Redistributions in binary form must reproduce the above copyright 43 * notice, this list of conditions and the following disclaimer in the 44 * documentation and/or other materials provided with the distribution. 45 * 3. All advertising materials mentioning features or use of this software 46 * must display the following acknowledgement: 47 * This product includes software developed by the University of 48 * California, Berkeley and its contributors. 49 * 4. Neither the name of the University nor the names of its contributors 50 * may be used to endorse or promote products derived from this software 51 * without specific prior written permission. 52 * 53 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 56 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 63 * SUCH DAMAGE. 64 * 65 * @(#)kern_malloc.c 8.4 (Berkeley) 5/20/95 66 */ 67 68 #include <sys/cdefs.h> 69 __KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.131 2010/05/05 02:20:42 christos Exp $"); 70 71 #include <sys/param.h> 72 #include <sys/proc.h> 73 #include <sys/kernel.h> 74 #include <sys/malloc.h> 75 #include <sys/systm.h> 76 #include <sys/debug.h> 77 #include <sys/mutex.h> 78 #include <sys/lockdebug.h> 79 80 #include <uvm/uvm_extern.h> 81 82 static struct vm_map_kernel kmem_map_store; 83 struct vm_map *kmem_map = NULL; 84 85 #include "opt_kmempages.h" 86 87 #ifdef NKMEMCLUSTERS 88 #error NKMEMCLUSTERS is obsolete; remove it from your kernel config file and use NKMEMPAGES instead or let the kernel auto-size 89 #endif 90 91 /* 92 * Default number of pages in kmem_map. We attempt to calculate this 93 * at run-time, but allow it to be either patched or set in the kernel 94 * config file. 95 */ 96 #ifndef NKMEMPAGES 97 #define NKMEMPAGES 0 98 #endif 99 int nkmempages = NKMEMPAGES; 100 101 /* 102 * Defaults for lower- and upper-bounds for the kmem_map page count. 103 * Can be overridden by kernel config options. 104 */ 105 #ifndef NKMEMPAGES_MIN 106 #define NKMEMPAGES_MIN NKMEMPAGES_MIN_DEFAULT 107 #endif 108 109 #ifndef NKMEMPAGES_MAX 110 #define NKMEMPAGES_MAX NKMEMPAGES_MAX_DEFAULT 111 #endif 112 113 #include "opt_kmemstats.h" 114 #include "opt_malloclog.h" 115 #include "opt_malloc_debug.h" 116 117 #define MINALLOCSIZE (1 << MINBUCKET) 118 #define BUCKETINDX(size) \ 119 ((size) <= (MINALLOCSIZE * 128) \ 120 ? (size) <= (MINALLOCSIZE * 8) \ 121 ? (size) <= (MINALLOCSIZE * 2) \ 122 ? (size) <= (MINALLOCSIZE * 1) \ 123 ? (MINBUCKET + 0) \ 124 : (MINBUCKET + 1) \ 125 : (size) <= (MINALLOCSIZE * 4) \ 126 ? (MINBUCKET + 2) \ 127 : (MINBUCKET + 3) \ 128 : (size) <= (MINALLOCSIZE* 32) \ 129 ? (size) <= (MINALLOCSIZE * 16) \ 130 ? (MINBUCKET + 4) \ 131 : (MINBUCKET + 5) \ 132 : (size) <= (MINALLOCSIZE * 64) \ 133 ? (MINBUCKET + 6) \ 134 : (MINBUCKET + 7) \ 135 : (size) <= (MINALLOCSIZE * 2048) \ 136 ? (size) <= (MINALLOCSIZE * 512) \ 137 ? (size) <= (MINALLOCSIZE * 256) \ 138 ? (MINBUCKET + 8) \ 139 : (MINBUCKET + 9) \ 140 : (size) <= (MINALLOCSIZE * 1024) \ 141 ? (MINBUCKET + 10) \ 142 : (MINBUCKET + 11) \ 143 : (size) <= (MINALLOCSIZE * 8192) \ 144 ? (size) <= (MINALLOCSIZE * 4096) \ 145 ? (MINBUCKET + 12) \ 146 : (MINBUCKET + 13) \ 147 : (size) <= (MINALLOCSIZE * 16384) \ 148 ? (MINBUCKET + 14) \ 149 : (MINBUCKET + 15)) 150 151 /* 152 * Array of descriptors that describe the contents of each page 153 */ 154 struct kmemusage { 155 short ku_indx; /* bucket index */ 156 union { 157 u_short freecnt;/* for small allocations, free pieces in page */ 158 u_short pagecnt;/* for large allocations, pages alloced */ 159 } ku_un; 160 }; 161 #define ku_freecnt ku_un.freecnt 162 #define ku_pagecnt ku_un.pagecnt 163 164 struct kmembuckets kmembuckets[MINBUCKET + 16]; 165 struct kmemusage *kmemusage; 166 char *kmembase, *kmemlimit; 167 168 #ifdef DEBUG 169 static void *malloc_freecheck; 170 #endif 171 172 /* 173 * Turn virtual addresses into kmem map indicies 174 */ 175 #define btokup(addr) (&kmemusage[((char *)(addr) - kmembase) >> PGSHIFT]) 176 177 struct malloc_type *kmemstatistics; 178 179 #ifdef MALLOCLOG 180 #ifndef MALLOCLOGSIZE 181 #define MALLOCLOGSIZE 100000 182 #endif 183 184 struct malloclog { 185 void *addr; 186 long size; 187 struct malloc_type *type; 188 int action; 189 const char *file; 190 long line; 191 } malloclog[MALLOCLOGSIZE]; 192 193 long malloclogptr; 194 195 /* 196 * Fuzz factor for neighbour address match this must be a mask of the lower 197 * bits we wish to ignore when comparing addresses 198 */ 199 __uintptr_t malloclog_fuzz = 0x7FL; 200 201 202 static void 203 domlog(void *a, long size, struct malloc_type *type, int action, 204 const char *file, long line) 205 { 206 207 malloclog[malloclogptr].addr = a; 208 malloclog[malloclogptr].size = size; 209 malloclog[malloclogptr].type = type; 210 malloclog[malloclogptr].action = action; 211 malloclog[malloclogptr].file = file; 212 malloclog[malloclogptr].line = line; 213 malloclogptr++; 214 if (malloclogptr >= MALLOCLOGSIZE) 215 malloclogptr = 0; 216 } 217 218 #ifdef DIAGNOSTIC 219 static void 220 hitmlog(void *a) 221 { 222 struct malloclog *lp; 223 long l; 224 225 #define PRT do { \ 226 lp = &malloclog[l]; \ 227 if (lp->addr == a && lp->action) { \ 228 printf("malloc log entry %ld:\n", l); \ 229 printf("\taddr = %p\n", lp->addr); \ 230 printf("\tsize = %ld\n", lp->size); \ 231 printf("\ttype = %s\n", lp->type->ks_shortdesc); \ 232 printf("\taction = %s\n", lp->action == 1 ? "alloc" : "free"); \ 233 printf("\tfile = %s\n", lp->file); \ 234 printf("\tline = %ld\n", lp->line); \ 235 } \ 236 } while (/* CONSTCOND */0) 237 238 /* 239 * Print fuzzy matched "neighbour" - look for the memory block that has 240 * been allocated below the address we are interested in. We look for a 241 * base address + size that is within malloclog_fuzz of our target 242 * address. If the base address and target address are the same then it is 243 * likely we have found a free (size is 0 in this case) so we won't report 244 * those, they will get reported by PRT anyway. 245 */ 246 #define NPRT do { \ 247 __uintptr_t fuzz_mask = ~(malloclog_fuzz); \ 248 lp = &malloclog[l]; \ 249 if ((__uintptr_t)lp->addr != (__uintptr_t)a && \ 250 (((__uintptr_t)lp->addr + lp->size + malloclog_fuzz) & fuzz_mask) \ 251 == ((__uintptr_t)a & fuzz_mask) && lp->action) { \ 252 printf("neighbour malloc log entry %ld:\n", l); \ 253 printf("\taddr = %p\n", lp->addr); \ 254 printf("\tsize = %ld\n", lp->size); \ 255 printf("\ttype = %s\n", lp->type->ks_shortdesc); \ 256 printf("\taction = %s\n", lp->action == 1 ? "alloc" : "free"); \ 257 printf("\tfile = %s\n", lp->file); \ 258 printf("\tline = %ld\n", lp->line); \ 259 } \ 260 } while (/* CONSTCOND */0) 261 262 for (l = malloclogptr; l < MALLOCLOGSIZE; l++) { 263 PRT; 264 NPRT; 265 } 266 267 268 for (l = 0; l < malloclogptr; l++) { 269 PRT; 270 NPRT; 271 } 272 273 #undef PRT 274 } 275 #endif /* DIAGNOSTIC */ 276 #endif /* MALLOCLOG */ 277 278 #ifdef DIAGNOSTIC 279 /* 280 * This structure provides a set of masks to catch unaligned frees. 281 */ 282 const long addrmask[] = { 0, 283 0x00000001, 0x00000003, 0x00000007, 0x0000000f, 284 0x0000001f, 0x0000003f, 0x0000007f, 0x000000ff, 285 0x000001ff, 0x000003ff, 0x000007ff, 0x00000fff, 286 0x00001fff, 0x00003fff, 0x00007fff, 0x0000ffff, 287 }; 288 289 /* 290 * The WEIRD_ADDR is used as known text to copy into free objects so 291 * that modifications after frees can be detected. 292 */ 293 #define WEIRD_ADDR ((uint32_t) 0xdeadbeef) 294 #ifdef DEBUG 295 #define MAX_COPY PAGE_SIZE 296 #else 297 #define MAX_COPY 32 298 #endif 299 300 /* 301 * Normally the freelist structure is used only to hold the list pointer 302 * for free objects. However, when running with diagnostics, the first 303 * 8/16 bytes of the structure is unused except for diagnostic information, 304 * and the free list pointer is at offset 8/16 in the structure. Since the 305 * first 8 bytes is the portion of the structure most often modified, this 306 * helps to detect memory reuse problems and avoid free list corruption. 307 */ 308 struct freelist { 309 uint32_t spare0; 310 #ifdef _LP64 311 uint32_t spare1; /* explicit padding */ 312 #endif 313 struct malloc_type *type; 314 void * next; 315 }; 316 #else /* !DIAGNOSTIC */ 317 struct freelist { 318 void * next; 319 }; 320 #endif /* DIAGNOSTIC */ 321 322 kmutex_t malloc_lock; 323 324 /* 325 * Allocate a block of memory 326 */ 327 #ifdef MALLOCLOG 328 void * 329 _kern_malloc(unsigned long size, struct malloc_type *ksp, int flags, 330 const char *file, long line) 331 #else 332 void * 333 kern_malloc(unsigned long size, struct malloc_type *ksp, int flags) 334 #endif /* MALLOCLOG */ 335 { 336 struct kmembuckets *kbp; 337 struct kmemusage *kup; 338 struct freelist *freep; 339 long indx, npg, allocsize; 340 char *va, *cp, *savedlist; 341 #ifdef DIAGNOSTIC 342 uint32_t *end, *lp; 343 int copysize; 344 #endif 345 346 #ifdef LOCKDEBUG 347 if ((flags & M_NOWAIT) == 0) { 348 ASSERT_SLEEPABLE(); 349 } 350 #endif 351 #ifdef MALLOC_DEBUG 352 if (debug_malloc(size, ksp, flags, (void *) &va)) { 353 if (va != 0) { 354 FREECHECK_OUT(&malloc_freecheck, (void *)va); 355 } 356 return ((void *) va); 357 } 358 #endif 359 indx = BUCKETINDX(size); 360 kbp = &kmembuckets[indx]; 361 mutex_spin_enter(&malloc_lock); 362 #ifdef KMEMSTATS 363 while (ksp->ks_memuse >= ksp->ks_limit) { 364 if (flags & M_NOWAIT) { 365 mutex_spin_exit(&malloc_lock); 366 return ((void *) NULL); 367 } 368 if (ksp->ks_limblocks < 65535) 369 ksp->ks_limblocks++; 370 mtsleep((void *)ksp, PSWP+2, ksp->ks_shortdesc, 0, 371 &malloc_lock); 372 } 373 ksp->ks_size |= 1 << indx; 374 #ifdef DIAGNOSTIC 375 if (ksp->ks_active[indx - MINBUCKET] == USHRT_MAX) 376 panic("too many allocations in bucket"); 377 #endif 378 ksp->ks_active[indx - MINBUCKET]++; 379 #endif 380 #ifdef DIAGNOSTIC 381 copysize = 1 << indx < MAX_COPY ? 1 << indx : MAX_COPY; 382 #endif 383 if (kbp->kb_next == NULL) { 384 int s; 385 kbp->kb_last = NULL; 386 if (size > MAXALLOCSAVE) 387 allocsize = round_page(size); 388 else 389 allocsize = 1 << indx; 390 npg = btoc(allocsize); 391 mutex_spin_exit(&malloc_lock); 392 s = splvm(); 393 va = (void *) uvm_km_alloc(kmem_map, 394 (vsize_t)ctob(npg), 0, 395 ((flags & M_NOWAIT) ? UVM_KMF_NOWAIT : 0) | 396 ((flags & M_CANFAIL) ? UVM_KMF_CANFAIL : 0) | 397 UVM_KMF_WIRED); 398 splx(s); 399 if (__predict_false(va == NULL)) { 400 /* 401 * Kmem_malloc() can return NULL, even if it can 402 * wait, if there is no map space available, because 403 * it can't fix that problem. Neither can we, 404 * right now. (We should release pages which 405 * are completely free and which are in kmembuckets 406 * with too many free elements.) 407 */ 408 if ((flags & (M_NOWAIT|M_CANFAIL)) == 0) 409 panic("malloc: out of space in kmem_map"); 410 return (NULL); 411 } 412 mutex_spin_enter(&malloc_lock); 413 #ifdef KMEMSTATS 414 kbp->kb_total += kbp->kb_elmpercl; 415 #endif 416 kup = btokup(va); 417 kup->ku_indx = indx; 418 if (allocsize > MAXALLOCSAVE) { 419 if (npg > 65535) 420 panic("malloc: allocation too large"); 421 kup->ku_pagecnt = npg; 422 #ifdef KMEMSTATS 423 ksp->ks_memuse += allocsize; 424 #endif 425 goto out; 426 } 427 #ifdef KMEMSTATS 428 kup->ku_freecnt = kbp->kb_elmpercl; 429 kbp->kb_totalfree += kbp->kb_elmpercl; 430 #endif 431 /* 432 * Just in case we blocked while allocating memory, 433 * and someone else also allocated memory for this 434 * kmembucket, don't assume the list is still empty. 435 */ 436 savedlist = kbp->kb_next; 437 kbp->kb_next = cp = va + (npg << PAGE_SHIFT) - allocsize; 438 for (;;) { 439 freep = (struct freelist *)cp; 440 #ifdef DIAGNOSTIC 441 /* 442 * Copy in known text to detect modification 443 * after freeing. 444 */ 445 end = (uint32_t *)&cp[copysize]; 446 for (lp = (uint32_t *)cp; lp < end; lp++) 447 *lp = WEIRD_ADDR; 448 freep->type = M_FREE; 449 #endif /* DIAGNOSTIC */ 450 if (cp <= va) 451 break; 452 cp -= allocsize; 453 freep->next = cp; 454 } 455 freep->next = savedlist; 456 if (savedlist == NULL) 457 kbp->kb_last = (void *)freep; 458 } 459 va = kbp->kb_next; 460 kbp->kb_next = ((struct freelist *)va)->next; 461 #ifdef DIAGNOSTIC 462 freep = (struct freelist *)va; 463 /* XXX potential to get garbage pointer here. */ 464 if (kbp->kb_next) { 465 int rv; 466 vaddr_t addr = (vaddr_t)kbp->kb_next; 467 468 vm_map_lock(kmem_map); 469 rv = uvm_map_checkprot(kmem_map, addr, 470 addr + sizeof(struct freelist), VM_PROT_WRITE); 471 vm_map_unlock(kmem_map); 472 473 if (__predict_false(rv == 0)) { 474 printf("Data modified on freelist: " 475 "word %ld of object %p size %ld previous type %s " 476 "(invalid addr %p)\n", 477 (long)((int32_t *)&kbp->kb_next - (int32_t *)kbp), 478 va, size, "foo", kbp->kb_next); 479 #ifdef MALLOCLOG 480 hitmlog(va); 481 #endif 482 kbp->kb_next = NULL; 483 } 484 } 485 486 /* Fill the fields that we've used with WEIRD_ADDR */ 487 #ifdef _LP64 488 freep->type = (struct malloc_type *) 489 (WEIRD_ADDR | (((u_long) WEIRD_ADDR) << 32)); 490 #else 491 freep->type = (struct malloc_type *) WEIRD_ADDR; 492 #endif 493 end = (uint32_t *)&freep->next + 494 (sizeof(freep->next) / sizeof(int32_t)); 495 for (lp = (uint32_t *)&freep->next; lp < end; lp++) 496 *lp = WEIRD_ADDR; 497 498 /* and check that the data hasn't been modified. */ 499 end = (uint32_t *)&va[copysize]; 500 for (lp = (uint32_t *)va; lp < end; lp++) { 501 if (__predict_true(*lp == WEIRD_ADDR)) 502 continue; 503 printf("Data modified on freelist: " 504 "word %ld of object %p size %ld previous type %s " 505 "(0x%x != 0x%x)\n", 506 (long)(lp - (uint32_t *)va), va, size, 507 "bar", *lp, WEIRD_ADDR); 508 #ifdef MALLOCLOG 509 hitmlog(va); 510 #endif 511 break; 512 } 513 514 freep->spare0 = 0; 515 #endif /* DIAGNOSTIC */ 516 #ifdef KMEMSTATS 517 kup = btokup(va); 518 if (kup->ku_indx != indx) 519 panic("malloc: wrong bucket"); 520 if (kup->ku_freecnt == 0) 521 panic("malloc: lost data"); 522 kup->ku_freecnt--; 523 kbp->kb_totalfree--; 524 ksp->ks_memuse += 1 << indx; 525 out: 526 kbp->kb_calls++; 527 ksp->ks_inuse++; 528 ksp->ks_calls++; 529 if (ksp->ks_memuse > ksp->ks_maxused) 530 ksp->ks_maxused = ksp->ks_memuse; 531 #else 532 out: 533 #endif 534 #ifdef MALLOCLOG 535 domlog(va, size, ksp, 1, file, line); 536 #endif 537 mutex_spin_exit(&malloc_lock); 538 if ((flags & M_ZERO) != 0) 539 memset(va, 0, size); 540 FREECHECK_OUT(&malloc_freecheck, (void *)va); 541 return ((void *) va); 542 } 543 544 /* 545 * Free a block of memory allocated by malloc. 546 */ 547 #ifdef MALLOCLOG 548 void 549 _kern_free(void *addr, struct malloc_type *ksp, const char *file, long line) 550 #else 551 void 552 kern_free(void *addr, struct malloc_type *ksp) 553 #endif /* MALLOCLOG */ 554 { 555 struct kmembuckets *kbp; 556 struct kmemusage *kup; 557 struct freelist *freep; 558 long size; 559 #ifdef DIAGNOSTIC 560 void *cp; 561 int32_t *end, *lp; 562 long alloc, copysize; 563 #endif 564 565 FREECHECK_IN(&malloc_freecheck, addr); 566 #ifdef MALLOC_DEBUG 567 if (debug_free(addr, ksp)) 568 return; 569 #endif 570 571 #ifdef DIAGNOSTIC 572 /* 573 * Ensure that we're free'ing something that we could 574 * have allocated in the first place. That is, check 575 * to see that the address is within kmem_map. 576 */ 577 if (__predict_false((vaddr_t)addr < vm_map_min(kmem_map) || 578 (vaddr_t)addr >= vm_map_max(kmem_map))) 579 panic("free: addr %p not within kmem_map", addr); 580 #endif 581 582 kup = btokup(addr); 583 size = 1 << kup->ku_indx; 584 kbp = &kmembuckets[kup->ku_indx]; 585 586 LOCKDEBUG_MEM_CHECK(addr, 587 size <= MAXALLOCSAVE ? size : ctob(kup->ku_pagecnt)); 588 589 mutex_spin_enter(&malloc_lock); 590 #ifdef MALLOCLOG 591 domlog(addr, 0, ksp, 2, file, line); 592 #endif 593 #ifdef DIAGNOSTIC 594 /* 595 * Check for returns of data that do not point to the 596 * beginning of the allocation. 597 */ 598 if (size > PAGE_SIZE) 599 alloc = addrmask[BUCKETINDX(PAGE_SIZE)]; 600 else 601 alloc = addrmask[kup->ku_indx]; 602 if (((u_long)addr & alloc) != 0) 603 panic("free: unaligned addr %p, size %ld, type %s, mask %ld", 604 addr, size, ksp->ks_shortdesc, alloc); 605 #endif /* DIAGNOSTIC */ 606 if (size > MAXALLOCSAVE) { 607 uvm_km_free(kmem_map, (vaddr_t)addr, ctob(kup->ku_pagecnt), 608 UVM_KMF_WIRED); 609 #ifdef KMEMSTATS 610 size = kup->ku_pagecnt << PGSHIFT; 611 ksp->ks_memuse -= size; 612 #ifdef DIAGNOSTIC 613 if (ksp->ks_active[kup->ku_indx - MINBUCKET] == 0) 614 panic("no active allocation(1), probably double free"); 615 #endif 616 ksp->ks_active[kup->ku_indx - MINBUCKET]--; 617 kup->ku_indx = 0; 618 kup->ku_pagecnt = 0; 619 if (ksp->ks_memuse + size >= ksp->ks_limit && 620 ksp->ks_memuse < ksp->ks_limit) 621 wakeup((void *)ksp); 622 #ifdef DIAGNOSTIC 623 if (ksp->ks_inuse == 0) 624 panic("free 1: inuse 0, probable double free"); 625 #endif 626 ksp->ks_inuse--; 627 kbp->kb_total -= 1; 628 #endif 629 mutex_spin_exit(&malloc_lock); 630 return; 631 } 632 freep = (struct freelist *)addr; 633 #ifdef DIAGNOSTIC 634 /* 635 * Check for multiple frees. Use a quick check to see if 636 * it looks free before laboriously searching the freelist. 637 */ 638 if (__predict_false(freep->spare0 == WEIRD_ADDR)) { 639 for (cp = kbp->kb_next; cp; 640 cp = ((struct freelist *)cp)->next) { 641 if (addr != cp) 642 continue; 643 printf("multiply freed item %p\n", addr); 644 #ifdef MALLOCLOG 645 hitmlog(addr); 646 #endif 647 panic("free: duplicated free"); 648 } 649 } 650 651 /* 652 * Copy in known text to detect modification after freeing 653 * and to make it look free. Also, save the type being freed 654 * so we can list likely culprit if modification is detected 655 * when the object is reallocated. 656 */ 657 copysize = size < MAX_COPY ? size : MAX_COPY; 658 end = (int32_t *)&((char *)addr)[copysize]; 659 for (lp = (int32_t *)addr; lp < end; lp++) 660 *lp = WEIRD_ADDR; 661 freep->type = ksp; 662 #endif /* DIAGNOSTIC */ 663 #ifdef KMEMSTATS 664 kup->ku_freecnt++; 665 if (kup->ku_freecnt >= kbp->kb_elmpercl) { 666 if (kup->ku_freecnt > kbp->kb_elmpercl) 667 panic("free: multiple frees"); 668 else if (kbp->kb_totalfree > kbp->kb_highwat) 669 kbp->kb_couldfree++; 670 } 671 kbp->kb_totalfree++; 672 ksp->ks_memuse -= size; 673 #ifdef DIAGNOSTIC 674 if (ksp->ks_active[kup->ku_indx - MINBUCKET] == 0) 675 panic("no active allocation(2), probably double free"); 676 #endif 677 ksp->ks_active[kup->ku_indx - MINBUCKET]--; 678 if (ksp->ks_memuse + size >= ksp->ks_limit && 679 ksp->ks_memuse < ksp->ks_limit) 680 wakeup((void *)ksp); 681 #ifdef DIAGNOSTIC 682 if (ksp->ks_inuse == 0) 683 panic("free 2: inuse 0, probable double free"); 684 #endif 685 ksp->ks_inuse--; 686 #endif 687 if (kbp->kb_next == NULL) 688 kbp->kb_next = addr; 689 else 690 ((struct freelist *)kbp->kb_last)->next = addr; 691 freep->next = NULL; 692 kbp->kb_last = addr; 693 mutex_spin_exit(&malloc_lock); 694 } 695 696 /* 697 * Change the size of a block of memory. 698 */ 699 void * 700 kern_realloc(void *curaddr, unsigned long newsize, struct malloc_type *ksp, 701 int flags) 702 { 703 struct kmemusage *kup; 704 unsigned long cursize; 705 void *newaddr; 706 #ifdef DIAGNOSTIC 707 long alloc; 708 #endif 709 710 /* 711 * realloc() with a NULL pointer is the same as malloc(). 712 */ 713 if (curaddr == NULL) 714 return (malloc(newsize, ksp, flags)); 715 716 /* 717 * realloc() with zero size is the same as free(). 718 */ 719 if (newsize == 0) { 720 free(curaddr, ksp); 721 return (NULL); 722 } 723 724 #ifdef LOCKDEBUG 725 if ((flags & M_NOWAIT) == 0) { 726 ASSERT_SLEEPABLE(); 727 } 728 #endif 729 730 /* 731 * Find out how large the old allocation was (and do some 732 * sanity checking). 733 */ 734 kup = btokup(curaddr); 735 cursize = 1 << kup->ku_indx; 736 737 #ifdef DIAGNOSTIC 738 /* 739 * Check for returns of data that do not point to the 740 * beginning of the allocation. 741 */ 742 if (cursize > PAGE_SIZE) 743 alloc = addrmask[BUCKETINDX(PAGE_SIZE)]; 744 else 745 alloc = addrmask[kup->ku_indx]; 746 if (((u_long)curaddr & alloc) != 0) 747 panic("realloc: " 748 "unaligned addr %p, size %ld, type %s, mask %ld\n", 749 curaddr, cursize, ksp->ks_shortdesc, alloc); 750 #endif /* DIAGNOSTIC */ 751 752 if (cursize > MAXALLOCSAVE) 753 cursize = ctob(kup->ku_pagecnt); 754 755 /* 756 * If we already actually have as much as they want, we're done. 757 */ 758 if (newsize <= cursize) 759 return (curaddr); 760 761 /* 762 * Can't satisfy the allocation with the existing block. 763 * Allocate a new one and copy the data. 764 */ 765 newaddr = malloc(newsize, ksp, flags); 766 if (__predict_false(newaddr == NULL)) { 767 /* 768 * malloc() failed, because flags included M_NOWAIT. 769 * Return NULL to indicate that failure. The old 770 * pointer is still valid. 771 */ 772 return (NULL); 773 } 774 memcpy(newaddr, curaddr, cursize); 775 776 /* 777 * We were successful: free the old allocation and return 778 * the new one. 779 */ 780 free(curaddr, ksp); 781 return (newaddr); 782 } 783 784 /* 785 * Roundup size to the actual allocation size. 786 */ 787 unsigned long 788 malloc_roundup(unsigned long size) 789 { 790 791 if (size > MAXALLOCSAVE) 792 return (roundup(size, PAGE_SIZE)); 793 else 794 return (1 << BUCKETINDX(size)); 795 } 796 797 /* 798 * Add a malloc type to the system. 799 */ 800 void 801 malloc_type_attach(struct malloc_type *type) 802 { 803 804 if (nkmempages == 0) 805 panic("malloc_type_attach: nkmempages == 0"); 806 807 if (type->ks_magic != M_MAGIC) 808 panic("malloc_type_attach: bad magic"); 809 810 #ifdef DIAGNOSTIC 811 { 812 struct malloc_type *ksp; 813 for (ksp = kmemstatistics; ksp != NULL; ksp = ksp->ks_next) { 814 if (ksp == type) 815 panic("%s: `%s' already on list", __func__, 816 type->ks_shortdesc); 817 } 818 } 819 #endif 820 821 #ifdef KMEMSTATS 822 if (type->ks_limit == 0) 823 type->ks_limit = ((u_long)nkmempages << PAGE_SHIFT) * 6U / 10U; 824 #else 825 type->ks_limit = 0; 826 #endif 827 828 type->ks_next = kmemstatistics; 829 kmemstatistics = type; 830 } 831 832 /* 833 * Remove a malloc type from the system.. 834 */ 835 void 836 malloc_type_detach(struct malloc_type *type) 837 { 838 struct malloc_type *ksp; 839 840 #ifdef DIAGNOSTIC 841 if (type->ks_magic != M_MAGIC) 842 panic("malloc_type_detach: bad magic"); 843 #endif 844 845 if (type == kmemstatistics) 846 kmemstatistics = type->ks_next; 847 else { 848 for (ksp = kmemstatistics; ksp->ks_next != NULL; 849 ksp = ksp->ks_next) { 850 if (ksp->ks_next == type) { 851 ksp->ks_next = type->ks_next; 852 break; 853 } 854 } 855 #ifdef DIAGNOSTIC 856 if (ksp->ks_next == NULL) 857 panic("malloc_type_detach: not on list"); 858 #endif 859 } 860 type->ks_next = NULL; 861 } 862 863 /* 864 * Set the limit on a malloc type. 865 */ 866 void 867 malloc_type_setlimit(struct malloc_type *type, u_long limit) 868 { 869 #ifdef KMEMSTATS 870 mutex_spin_enter(&malloc_lock); 871 type->ks_limit = limit; 872 mutex_spin_exit(&malloc_lock); 873 #endif 874 } 875 876 /* 877 * Compute the number of pages that kmem_map will map, that is, 878 * the size of the kernel malloc arena. 879 */ 880 void 881 kmeminit_nkmempages(void) 882 { 883 int npages; 884 885 if (nkmempages != 0) { 886 /* 887 * It's already been set (by us being here before, or 888 * by patching or kernel config options), bail out now. 889 */ 890 return; 891 } 892 893 npages = physmem; 894 895 if (npages > NKMEMPAGES_MAX) 896 npages = NKMEMPAGES_MAX; 897 898 if (npages < NKMEMPAGES_MIN) 899 npages = NKMEMPAGES_MIN; 900 901 nkmempages = npages; 902 } 903 904 /* 905 * Initialize the kernel memory allocator 906 */ 907 void 908 kmeminit(void) 909 { 910 __link_set_decl(malloc_types, struct malloc_type); 911 struct malloc_type * const *ksp; 912 vaddr_t kmb, kml; 913 #ifdef KMEMSTATS 914 long indx; 915 #endif 916 917 #if ((MAXALLOCSAVE & (MAXALLOCSAVE - 1)) != 0) 918 ERROR!_kmeminit:_MAXALLOCSAVE_not_power_of_2 919 #endif 920 #if (MAXALLOCSAVE > MINALLOCSIZE * 32768) 921 ERROR!_kmeminit:_MAXALLOCSAVE_too_big 922 #endif 923 #if (MAXALLOCSAVE < NBPG) 924 ERROR!_kmeminit:_MAXALLOCSAVE_too_small 925 #endif 926 927 if (sizeof(struct freelist) > (1 << MINBUCKET)) 928 panic("minbucket too small/struct freelist too big"); 929 930 mutex_init(&malloc_lock, MUTEX_DEFAULT, IPL_VM); 931 932 /* 933 * Compute the number of kmem_map pages, if we have not 934 * done so already. 935 */ 936 kmeminit_nkmempages(); 937 938 kmemusage = (struct kmemusage *) uvm_km_alloc(kernel_map, 939 (vsize_t)(nkmempages * sizeof(struct kmemusage)), 0, 940 UVM_KMF_WIRED|UVM_KMF_ZERO); 941 kmb = 0; 942 kmem_map = uvm_km_suballoc(kernel_map, &kmb, 943 &kml, ((vsize_t)nkmempages << PAGE_SHIFT), 944 VM_MAP_INTRSAFE, false, &kmem_map_store); 945 uvm_km_vacache_init(kmem_map, "kvakmem", 0); 946 kmembase = (char *)kmb; 947 kmemlimit = (char *)kml; 948 #ifdef KMEMSTATS 949 for (indx = 0; indx < MINBUCKET + 16; indx++) { 950 if (1 << indx >= PAGE_SIZE) 951 kmembuckets[indx].kb_elmpercl = 1; 952 else 953 kmembuckets[indx].kb_elmpercl = PAGE_SIZE / (1 << indx); 954 kmembuckets[indx].kb_highwat = 955 5 * kmembuckets[indx].kb_elmpercl; 956 } 957 #endif 958 959 /* Attach all of the statically-linked malloc types. */ 960 __link_set_foreach(ksp, malloc_types) 961 malloc_type_attach(*ksp); 962 963 #ifdef MALLOC_DEBUG 964 debug_malloc_init(); 965 #endif 966 } 967 968 #ifdef DDB 969 #include <ddb/db_output.h> 970 971 /* 972 * Dump kmem statistics from ddb. 973 * 974 * usage: call dump_kmemstats 975 */ 976 void dump_kmemstats(void); 977 978 void 979 dump_kmemstats(void) 980 { 981 #ifdef KMEMSTATS 982 struct malloc_type *ksp; 983 984 for (ksp = kmemstatistics; ksp != NULL; ksp = ksp->ks_next) { 985 if (ksp->ks_memuse == 0) 986 continue; 987 db_printf("%s%.*s %ld\n", ksp->ks_shortdesc, 988 (int)(20 - strlen(ksp->ks_shortdesc)), 989 " ", 990 ksp->ks_memuse); 991 } 992 #else 993 db_printf("Kmem stats are not being collected.\n"); 994 #endif /* KMEMSTATS */ 995 } 996 #endif /* DDB */ 997 998 999 #if 0 1000 /* 1001 * Diagnostic messages about "Data modified on 1002 * freelist" indicate a memory corruption, but 1003 * they do not help tracking it down. 1004 * This function can be called at various places 1005 * to sanity check malloc's freelist and discover 1006 * where does the corruption take place. 1007 */ 1008 int 1009 freelist_sanitycheck(void) { 1010 int i,j; 1011 struct kmembuckets *kbp; 1012 struct freelist *freep; 1013 int rv = 0; 1014 1015 for (i = MINBUCKET; i <= MINBUCKET + 15; i++) { 1016 kbp = &kmembuckets[i]; 1017 freep = (struct freelist *)kbp->kb_next; 1018 j = 0; 1019 while(freep) { 1020 vm_map_lock(kmem_map); 1021 rv = uvm_map_checkprot(kmem_map, (vaddr_t)freep, 1022 (vaddr_t)freep + sizeof(struct freelist), 1023 VM_PROT_WRITE); 1024 vm_map_unlock(kmem_map); 1025 1026 if ((rv == 0) || (*(int *)freep != WEIRD_ADDR)) { 1027 printf("bucket %i, chunck %d at %p modified\n", 1028 i, j, freep); 1029 return 1; 1030 } 1031 freep = (struct freelist *)freep->next; 1032 j++; 1033 } 1034 } 1035 1036 return 0; 1037 } 1038 #endif 1039