/*	$NetBSD: kern_malloc.c,v 1.111 2007/04/19 11:03:44 yamt Exp $	*/

/*
 * Copyright (c) 1987, 1991, 1993
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	@(#)kern_malloc.c	8.4 (Berkeley) 5/20/95
 */

/*
 * Copyright (c) 1996 Christopher G. Demetriou.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	@(#)kern_malloc.c	8.4 (Berkeley) 5/20/95
 */

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.111 2007/04/19 11:03:44 yamt Exp $");

#include <sys/param.h>
#include <sys/proc.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/systm.h>
#include <sys/debug.h>
#include <sys/mutex.h>

#include <uvm/uvm_extern.h>

/* Backing storage for the kmem submap; kmem_map is set in kmeminit(). */
static struct vm_map_kernel kmem_map_store;
struct vm_map *kmem_map = NULL;

#include "opt_kmempages.h"

#ifdef NKMEMCLUSTERS
#error NKMEMCLUSTERS is obsolete; remove it from your kernel config file and use NKMEMPAGES instead or let the kernel auto-size
#endif

/*
 * Default number of pages in kmem_map.  We attempt to calculate this
 * at run-time, but allow it to be either patched or set in the kernel
 * config file.
 */
#ifndef NKMEMPAGES
#define	NKMEMPAGES	0
#endif
int	nkmempages = NKMEMPAGES;

/*
 * Defaults for lower- and upper-bounds for the kmem_map page count.
 * Can be overridden by kernel config options.
 */
#ifndef	NKMEMPAGES_MIN
#define	NKMEMPAGES_MIN	NKMEMPAGES_MIN_DEFAULT
#endif

#ifndef NKMEMPAGES_MAX
#define	NKMEMPAGES_MAX	NKMEMPAGES_MAX_DEFAULT
#endif

#include "opt_kmemstats.h"
#include "opt_malloclog.h"
#include "opt_malloc_debug.h"

/*
 * BUCKETINDX(size) maps a request size to a bucket index by binary search
 * over the power-of-two thresholds: the result is MINBUCKET + k for the
 * smallest k with size <= MINALLOCSIZE << k, and MINBUCKET + 15 for every
 * size above MINALLOCSIZE * 16384.
 *
 * The macro evaluates its argument several times, so it must not be given
 * an expression with side effects.
 */
#define	MINALLOCSIZE	(1 << MINBUCKET)
#define	BUCKETINDX(size) \
	((size) <= (MINALLOCSIZE * 128) \
		? (size) <= (MINALLOCSIZE * 8) \
			? (size) <= (MINALLOCSIZE * 2) \
				? (size) <= (MINALLOCSIZE * 1) \
					? (MINBUCKET + 0) \
					: (MINBUCKET + 1) \
				: (size) <= (MINALLOCSIZE * 4) \
					? (MINBUCKET + 2) \
					: (MINBUCKET + 3) \
			: (size) <= (MINALLOCSIZE* 32) \
				? (size) <= (MINALLOCSIZE * 16) \
					? (MINBUCKET + 4) \
					: (MINBUCKET + 5) \
				: (size) <= (MINALLOCSIZE * 64) \
					? (MINBUCKET + 6) \
					: (MINBUCKET + 7) \
		: (size) <= (MINALLOCSIZE * 2048) \
			? (size) <= (MINALLOCSIZE * 512) \
				? (size) <= (MINALLOCSIZE * 256) \
					? (MINBUCKET + 8) \
					: (MINBUCKET + 9) \
				: (size) <= (MINALLOCSIZE * 1024) \
					? (MINBUCKET + 10) \
					: (MINBUCKET + 11) \
			: (size) <= (MINALLOCSIZE * 8192) \
				? (size) <= (MINALLOCSIZE * 4096) \
					? (MINBUCKET + 12) \
					: (MINBUCKET + 13) \
				: (size) <= (MINALLOCSIZE * 16384) \
					? (MINBUCKET + 14) \
					: (MINBUCKET + 15))

/*
 * Array of descriptors that describe the contents of each page
 */
struct kmemusage {
	short ku_indx;		/* bucket index */
	union {
		u_short freecnt;/* for small allocations, free pieces in page */
		u_short pagecnt;/* for large allocations, pages alloced */
	} ku_un;
};
#define	ku_freecnt ku_un.freecnt
#define	ku_pagecnt ku_un.pagecnt

/* One bucket per index BUCKETINDX() can return (up to MINBUCKET + 15). */
struct kmembuckets kmembuckets[MINBUCKET + 16];
/* Per-page descriptor array, allocated in kmeminit(). */
struct kmemusage *kmemusage;
/* Bounds of the kmem arena, set in kmeminit(). */
char *kmembase, *kmemlimit;

#ifdef DEBUG
static void *malloc_freecheck;
#endif

/*
 * Turn virtual addresses into kmem map indices.
 *
 * The macro itself does no range check: it subtracts kmembase and shifts
 * by PGSHIFT, so addr must lie inside the kmem arena for the resulting
 * kmemusage[] slot to be valid.  In this file only free() checks the
 * address against kmem_map first, and only under DIAGNOSTIC.
 */
#define	btokup(addr)	(&kmemusage[((char *)(addr) - kmembase) >> PGSHIFT])

/* Head of the list of attached malloc types (see malloc_type_attach()). */
struct malloc_type *kmemstatistics;

#ifdef MALLOCLOG
#ifndef MALLOCLOGSIZE
#define	MALLOCLOGSIZE	100000
#endif

/* Fixed-size ring buffer of allocator events, filled by domlog(). */
struct malloclog {
	void *addr;
	long size;
	struct malloc_type *type;
	int action;		/* 0 = unused slot; this file logs 1 (alloc), 2 (free) */
	const char *file;
	long line;
} malloclog[MALLOCLOGSIZE];

/* Next slot domlog() will write; wraps to 0 at MALLOCLOGSIZE. */
long	malloclogptr;

/*
 * Record one allocator event in the malloclog ring, overwriting the oldest
 * entry once the ring has wrapped.
 *
 * Does no locking of its own; both call sites in this file (malloc and
 * free) call it with malloc_lock held.
 */
static void
domlog(void *a, long size, struct malloc_type *type, int action,
    const char *file, long line)
{

	malloclog[malloclogptr].addr = a;
	malloclog[malloclogptr].size = size;
	malloclog[malloclogptr].type = type;
	malloclog[malloclogptr].action = action;
	malloclog[malloclogptr].file = file;
	malloclog[malloclogptr].line = line;
	malloclogptr++;
	if (malloclogptr >= MALLOCLOGSIZE)
		malloclogptr = 0;
}

/*
 * Print every logged event whose address equals `a', walking the ring from
 * the slot after the most recent write to the end and then from slot 0, so
 * entries come out oldest first.  Slots with action == 0 are skipped.
 */
static void
hitmlog(void *a)
{
	struct malloclog *lp;
	long l;

	/*
	 * PRT prints slot `l' if it matches.  It dereferences lp->type, so it
	 * relies on every slot with a nonzero action having been given a
	 * valid type pointer by the caller of domlog().
	 */
#define	PRT do { \
	lp = &malloclog[l]; \
	if (lp->addr == a && lp->action) { \
		printf("malloc log entry %ld:\n", l); \
		printf("\taddr = %p\n", lp->addr); \
		printf("\tsize = %ld\n", lp->size); \
		printf("\ttype = %s\n", lp->type->ks_shortdesc); \
		printf("\taction = %s\n", lp->action == 1 ? "alloc" : "free"); \
		printf("\tfile = %s\n", lp->file); \
		printf("\tline = %ld\n", lp->line); \
	} \
} while (/* CONSTCOND */0)

	for (l = malloclogptr; l < MALLOCLOGSIZE; l++)
		PRT;

	for (l = 0; l < malloclogptr; l++)
		PRT;
#undef PRT
}
#endif /* MALLOCLOG */

#ifdef DIAGNOSTIC
/*
 * This structure provides a set of masks to catch unaligned frees.
 * addrmask[i] is (1 << i) - 1 for i = 0..16; free() and realloc() index
 * it with a bucket index and panic if any masked address bit is set.
 */
const long addrmask[] = { 0,
	0x00000001, 0x00000003, 0x00000007, 0x0000000f,
	0x0000001f, 0x0000003f, 0x0000007f, 0x000000ff,
	0x000001ff, 0x000003ff, 0x000007ff, 0x00000fff,
	0x00001fff, 0x00003fff, 0x00007fff, 0x0000ffff,
};

/*
 * The WEIRD_ADDR is used as known text to copy into free objects so
 * that modifications after frees can be detected.
 */
#define	WEIRD_ADDR	((uint32_t) 0xdeadbeef)
/*
 * MAX_COPY bounds how many leading bytes of a free object are filled and
 * later verified: the whole page with DEBUG, only 32 bytes otherwise, so a
 * non-DEBUG DIAGNOSTIC kernel does not notice writes past that prefix.
 */
#ifdef DEBUG
#define	MAX_COPY	PAGE_SIZE
#else
#define	MAX_COPY	32
#endif

/*
 * Normally the freelist structure is used only to hold the list pointer
 * for free objects.  However, when running with diagnostics, the first
 * 8/16 bytes of the structure is unused except for diagnostic information,
 * and the free list pointer is at offset 8/16 in the structure.  Since the
 * first 8 bytes is the portion of the structure most often modified, this
 * helps to detect memory reuse problems and avoid free list corruption.
*/
struct freelist {
	/*
	 * free() tests this word against WEIRD_ADDR as its quick
	 * double-free check; malloc() clears it on the way out.
	 */
	uint32_t spare0;
#ifdef _LP64
	uint32_t spare1;		/* explicit padding */
#endif
	struct malloc_type *type;	/* type the object was last freed as */
	void *	next;
};
#else /* !DIAGNOSTIC */
/*
 * Without DIAGNOSTIC the link pointer is the first word of every free
 * object and malloc() follows it without any validation.
 */
struct freelist {
	void *	next;
};
#endif /* DIAGNOSTIC */

/*
 * The following are standard, built-in malloc types and are not
 * specific to any subsystem.
 */
MALLOC_DEFINE(M_DEVBUF, "devbuf", "device driver memory");
MALLOC_DEFINE(M_DMAMAP, "DMA map", "bus_dma(9) structures");
MALLOC_DEFINE(M_FREE, "free", "should be on free list");
MALLOC_DEFINE(M_PCB, "pcb", "protocol control block");
MALLOC_DEFINE(M_SOFTINTR, "softintr", "Softinterrupt structures");
MALLOC_DEFINE(M_TEMP, "temp", "misc. temporary data buffers");

/* XXX These should all be elsewhere. */
MALLOC_DEFINE(M_RTABLE, "routetbl", "routing tables");
MALLOC_DEFINE(M_FTABLE, "fragtbl", "fragment reassembly header");
MALLOC_DEFINE(M_UFSMNT, "UFS mount", "UFS mount structure");
MALLOC_DEFINE(M_NETADDR, "Export Host", "Export host address structure");
MALLOC_DEFINE(M_IPMOPTS, "ip_moptions", "internet multicast options");
MALLOC_DEFINE(M_IPMADDR, "in_multi", "internet multicast address");
MALLOC_DEFINE(M_MRTABLE, "mrt", "multicast routing tables");
MALLOC_DEFINE(M_BWMETER, "bwmeter", "multicast upcall bw meters");
MALLOC_DEFINE(M_1394DATA, "1394data", "IEEE 1394 data buffers");

/* Protects the buckets, their free lists and the per-type statistics. */
kmutex_t malloc_lock;

/*
 * Allocate a block of memory
 *
 * size is rounded up to its power-of-two bucket, or to whole pages when it
 * exceeds MAXALLOCSAVE.  Returns NULL when M_NOWAIT is set and the type is
 * at its limit (KMEMSTATS), or when uvm_km_alloc() fails and M_NOWAIT or
 * M_CANFAIL is set; without either flag that failure is a panic.
 *
 * The memory is cleared only when the caller passes M_ZERO.  Otherwise the
 * object is handed out with whatever it last contained (under DIAGNOSTIC
 * its first copysize bytes hold the WEIRD_ADDR fill), so callers that later
 * copy the buffer elsewhere must initialize all of it themselves.
 */
#ifdef MALLOCLOG
void *
_malloc(unsigned long size, struct malloc_type *ksp, int flags,
    const char *file, long line)
#else
void *
malloc(unsigned long size, struct malloc_type *ksp, int flags)
#endif /* MALLOCLOG */
{
	struct kmembuckets *kbp;
	struct kmemusage *kup;
	struct freelist *freep;
	long indx, npg, allocsize;
	char *va, *cp, *savedlist;
#ifdef DIAGNOSTIC
	uint32_t *end, *lp;
	int copysize;
#endif

#ifdef LOCKDEBUG
	if ((flags & M_NOWAIT) == 0)
		ASSERT_SLEEPABLE(NULL, "malloc");
#endif
#ifdef MALLOC_DEBUG
	/* The debug allocator may satisfy (or fail) the request itself. */
	if (debug_malloc(size, ksp, flags, (void *) &va)) {
		if (va != 0)
			FREECHECK_OUT(&malloc_freecheck, (void *)va);
		return ((void *) va);
	}
#endif
	indx = BUCKETINDX(size);
	kbp = &kmembuckets[indx];
	mutex_enter(&malloc_lock);
#ifdef KMEMSTATS
	/*
	 * Enforce the per-type limit: fail at once for M_NOWAIT, otherwise
	 * sleep on ksp until free() issues a wakeup.  mtsleep() is handed
	 * malloc_lock; presumably it drops and retakes it around the sleep
	 * -- confirm against its definition.
	 */
	while (ksp->ks_memuse >= ksp->ks_limit) {
		if (flags & M_NOWAIT) {
			mutex_exit(&malloc_lock);
			return ((void *) NULL);
		}
		if (ksp->ks_limblocks < 65535)
			ksp->ks_limblocks++;
		mtsleep((void *)ksp, PSWP+2, ksp->ks_shortdesc, 0,
			&malloc_lock);
	}
	ksp->ks_size |= 1 << indx;
#endif
#ifdef DIAGNOSTIC
	/* Number of leading bytes that carry the WEIRD_ADDR fill. */
	copysize = 1 << indx < MAX_COPY ? 1 << indx : MAX_COPY;
#endif
	if (kbp->kb_next == NULL) {
		/* Bucket is empty: get fresh pages from kmem_map. */
		int s;
		kbp->kb_last = NULL;
		/*
		 * NOTE(review): allocsize and npg are signed longs derived
		 * from an unsigned long size, and round_page()/btoc() are
		 * defined outside this file.  Confirm that a size close to
		 * the top of the unsigned long range cannot wrap or turn
		 * negative here; a wrapped allocsize would be smaller than
		 * the size the caller goes on to use.
		 */
		if (size > MAXALLOCSAVE)
			allocsize = round_page(size);
		else
			allocsize = 1 << indx;
		npg = btoc(allocsize);
		/* The lock is dropped across the page allocation. */
		mutex_exit(&malloc_lock);
		s = splvm();
		va = (void *) uvm_km_alloc(kmem_map,
		    (vsize_t)ctob(npg), 0,
		    ((flags & M_NOWAIT) ? UVM_KMF_NOWAIT : 0) |
		    ((flags & M_CANFAIL) ? UVM_KMF_CANFAIL : 0) |
		    UVM_KMF_WIRED);
		splx(s);
		if (__predict_false(va == NULL)) {
			/*
			 * Kmem_malloc() can return NULL, even if it can
			 * wait, if there is no map space available, because
			 * it can't fix that problem.  Neither can we,
			 * right now.  (We should release pages which
			 * are completely free and which are in kmembuckets
			 * with too many free elements.)
			 */
			if ((flags & (M_NOWAIT|M_CANFAIL)) == 0)
				panic("malloc: out of space in kmem_map");
			return (NULL);
		}
		mutex_enter(&malloc_lock);
#ifdef KMEMSTATS
		kbp->kb_total += kbp->kb_elmpercl;
#endif
		kup = btokup(va);
		kup->ku_indx = indx;
		if (allocsize > MAXALLOCSAVE) {
			/*
			 * Large allocation: handed out whole, never put on a
			 * free list.  ku_pagecnt is a u_short, hence the
			 * 65535 cap; note that the cap is only checked after
			 * the pages have been allocated.
			 */
			if (npg > 65535)
				panic("malloc: allocation too large");
			kup->ku_pagecnt = npg;
#ifdef KMEMSTATS
			ksp->ks_memuse += allocsize;
#endif
			goto out;
		}
#ifdef KMEMSTATS
		kup->ku_freecnt = kbp->kb_elmpercl;
		kbp->kb_totalfree += kbp->kb_elmpercl;
#endif
		/*
		 * Just in case we blocked while allocating memory,
		 * and someone else also allocated memory for this
		 * kmembucket, don't assume the list is still empty.
		 */
		savedlist = kbp->kb_next;
		/*
		 * Carve the new pages into allocsize pieces, linking them
		 * from the highest address down to va; the piece at va is
		 * then linked to whatever list existed before.
		 */
		kbp->kb_next = cp = va + (npg << PAGE_SHIFT) - allocsize;
		for (;;) {
			freep = (struct freelist *)cp;
#ifdef DIAGNOSTIC
			/*
			 * Copy in known text to detect modification
			 * after freeing.
			 */
			end = (uint32_t *)&cp[copysize];
			for (lp = (uint32_t *)cp; lp < end; lp++)
				*lp = WEIRD_ADDR;
			freep->type = M_FREE;
#endif /* DIAGNOSTIC */
			if (cp <= va)
				break;
			cp -= allocsize;
			freep->next = cp;
		}
		freep->next = savedlist;
		if (kbp->kb_last == NULL)
			kbp->kb_last = (void *)freep;
	}
	/*
	 * Pop the head of the free list.  The link is read out of the free
	 * object itself, so anything that wrote to the object after it was
	 * freed decides the next value of kb_next.  Only the DIAGNOSTIC
	 * block below checks that value before it is used again.
	 */
	va = kbp->kb_next;
	kbp->kb_next = ((struct freelist *)va)->next;
#ifdef DIAGNOSTIC
	freep = (struct freelist *)va;
	/* XXX potential to get garbage pointer here. */
	if (kbp->kb_next) {
		int rv;
		vaddr_t addr = (vaddr_t)kbp->kb_next;

		/*
		 * Accept the new list head only if kmem_map has it mapped
		 * writable; otherwise report and truncate the list.
		 */
		vm_map_lock(kmem_map);
		rv = uvm_map_checkprot(kmem_map, addr,
		    addr + sizeof(struct freelist), VM_PROT_WRITE);
		vm_map_unlock(kmem_map);

		if (__predict_false(rv == 0)) {
			/* "foo" is a literal placeholder, not the real type. */
			printf("Data modified on freelist: "
			    "word %ld of object %p size %ld previous type %s "
			    "(invalid addr %p)\n",
			    (long)((int32_t *)&kbp->kb_next - (int32_t *)kbp),
			    va, size, "foo", kbp->kb_next);
#ifdef MALLOCLOG
			hitmlog(va);
#endif
			kbp->kb_next = NULL;
		}
	}

	/* Fill the fields that we've used with WEIRD_ADDR */
#ifdef _LP64
	freep->type = (struct malloc_type *)
	    (WEIRD_ADDR | (((u_long) WEIRD_ADDR) << 32));
#else
	freep->type = (struct malloc_type *) WEIRD_ADDR;
#endif
	end = (uint32_t *)&freep->next +
	    (sizeof(freep->next) / sizeof(int32_t));
	for (lp = (uint32_t *)&freep->next; lp < end; lp++)
		*lp = WEIRD_ADDR;

	/*
	 * and check that the data hasn't been modified.  Only the first
	 * mismatching word is reported (with the placeholder "bar" as the
	 * type), and the allocation still proceeds afterwards.
	 */
	end = (uint32_t *)&va[copysize];
	for (lp = (uint32_t *)va; lp < end; lp++) {
		if (__predict_true(*lp == WEIRD_ADDR))
			continue;
		printf("Data modified on freelist: "
		    "word %ld of object %p size %ld previous type %s "
		    "(0x%x != 0x%x)\n",
		    (long)(lp - (uint32_t *)va), va, size,
		    "bar", *lp, WEIRD_ADDR);
#ifdef MALLOCLOG
		hitmlog(va);
#endif
		break;
	}

	/* Clear the marker free() uses as its quick double-free test. */
	freep->spare0 = 0;
#endif /* DIAGNOSTIC */
#ifdef KMEMSTATS
	/* Cross-check the page descriptor against the bucket in use. */
	kup = btokup(va);
	if (kup->ku_indx != indx)
		panic("malloc: wrong bucket");
	if (kup->ku_freecnt == 0)
		panic("malloc: lost data");
	kup->ku_freecnt--;
	kbp->kb_totalfree--;
	ksp->ks_memuse += 1 << indx;
out:
	kbp->kb_calls++;
	ksp->ks_inuse++;
	ksp->ks_calls++;
	if (ksp->ks_memuse > ksp->ks_maxused)
		ksp->ks_maxused = ksp->ks_memuse;
#else
out:
#endif
#ifdef MALLOCLOG
	domlog(va, size, ksp, 1, file, line);
#endif
	mutex_exit(&malloc_lock);
	/* Zero only the requested size, and only on request. */
	if ((flags & M_ZERO) != 0)
		memset(va, 0, size);
	FREECHECK_OUT(&malloc_freecheck, (void *)va);
	return ((void *) va);
}

/*
 * Free a block of memory allocated by malloc.
 *
 * addr is used as given: there is no NULL check, and the test that it lies
 * inside kmem_map exists only under DIAGNOSTIC.  ksp is not compared with
 * the type the block was allocated under; the statistics are charged to
 * whatever type the caller passes.
 *
 * Double-free detection depends on the kernel options: the WEIRD_ADDR
 * marker and list walk need DIAGNOSTIC, the ku_freecnt and ks_inuse checks
 * need KMEMSTATS.  With neither option, nothing in this function notices a
 * second free of the same address and the object is linked onto the tail
 * of the free list again.
 */
#ifdef MALLOCLOG
void
_free(void *addr, struct malloc_type *ksp, const char *file, long line)
#else
void
free(void *addr, struct malloc_type *ksp)
#endif /* MALLOCLOG */
{
	struct kmembuckets *kbp;
	struct kmemusage *kup;
	struct freelist *freep;
	long size;
#ifdef DIAGNOSTIC
	void *cp;
	int32_t *end, *lp;
	long alloc, copysize;
#endif

	FREECHECK_IN(&malloc_freecheck, addr);

#ifdef MALLOC_DEBUG
	if (debug_free(addr, ksp))
		return;
#endif

#ifdef DIAGNOSTIC
	/*
	 * Ensure that we're free'ing something that we could
	 * have allocated in the first place.  That is, check
	 * to see that the address is within kmem_map.
	 */
	if (__predict_false((vaddr_t)addr < vm_map_min(kmem_map) ||
	    (vaddr_t)addr >= vm_map_max(kmem_map)))
		panic("free: addr %p not within kmem_map", addr);
#endif

	/*
	 * The object's size is not passed in; it is recovered from the
	 * descriptor of the page addr falls in.  The descriptor is read
	 * here, before malloc_lock is taken.
	 */
	kup = btokup(addr);
	size = 1 << kup->ku_indx;
	kbp = &kmembuckets[kup->ku_indx];
	mutex_enter(&malloc_lock);
#ifdef MALLOCLOG
	domlog(addr, 0, ksp, 2, file, line);
#endif
#ifdef DIAGNOSTIC
	/*
	 * Check for returns of data that do not point to the
	 * beginning of the allocation.
	 */
	if (size > PAGE_SIZE)
		alloc = addrmask[BUCKETINDX(PAGE_SIZE)];
	else
		alloc = addrmask[kup->ku_indx];
	if (((u_long)addr & alloc) != 0)
		panic("free: unaligned addr %p, size %ld, type %s, mask %ld",
		    addr, size, ksp->ks_shortdesc, alloc);
#endif /* DIAGNOSTIC */
	if (size > MAXALLOCSAVE) {
		/*
		 * Large allocation: give the pages straight back to
		 * kmem_map.  ku_indx and ku_pagecnt are reset only under
		 * KMEMSTATS, so without it the descriptor keeps its old
		 * values after the pages have been released.
		 */
		uvm_km_free(kmem_map, (vaddr_t)addr, ctob(kup->ku_pagecnt),
		    UVM_KMF_WIRED);
#ifdef KMEMSTATS
		size = kup->ku_pagecnt << PGSHIFT;
		ksp->ks_memuse -= size;
		kup->ku_indx = 0;
		kup->ku_pagecnt = 0;
		/* Wake sleepers in malloc() if this free crossed the limit. */
		if (ksp->ks_memuse + size >= ksp->ks_limit &&
		    ksp->ks_memuse < ksp->ks_limit)
			wakeup((void *)ksp);
#ifdef DIAGNOSTIC
		if (ksp->ks_inuse == 0)
			panic("free 1: inuse 0, probable double free");
#endif
		ksp->ks_inuse--;
		kbp->kb_total -= 1;
#endif
		mutex_exit(&malloc_lock);
		return;
	}
	freep = (struct freelist *)addr;
#ifdef DIAGNOSTIC
	/*
	 * Check for multiple frees. Use a quick check to see if
	 * it looks free before laboriously searching the freelist.
	 */
	if (__predict_false(freep->spare0 == WEIRD_ADDR)) {
		for (cp = kbp->kb_next; cp;
		    cp = ((struct freelist *)cp)->next) {
			if (addr != cp)
				continue;
			printf("multiply freed item %p\n", addr);
#ifdef MALLOCLOG
			hitmlog(addr);
#endif
			panic("free: duplicated free");
		}
	}
#ifdef LOCKDEBUG
	/*
	 * Check if we're freeing a locked simple lock.
	 */
	simple_lock_freecheck(addr, (char *)addr + size);
#endif
	/*
	 * Copy in known text to detect modification after freeing
	 * and to make it look free. Also, save the type being freed
	 * so we can list likely culprit if modification is detected
	 * when the object is reallocated.
	 */
	copysize = size < MAX_COPY ? size : MAX_COPY;
	end = (int32_t *)&((char *)addr)[copysize];
	for (lp = (int32_t *)addr; lp < end; lp++)
		*lp = WEIRD_ADDR;
	freep->type = ksp;
#endif /* DIAGNOSTIC */
#ifdef KMEMSTATS
	kup->ku_freecnt++;
	if (kup->ku_freecnt >= kbp->kb_elmpercl) {
		/* More free pieces than the page holds: freed twice. */
		if (kup->ku_freecnt > kbp->kb_elmpercl)
			panic("free: multiple frees");
		else if (kbp->kb_totalfree > kbp->kb_highwat)
			kbp->kb_couldfree++;
	}
	kbp->kb_totalfree++;
	ksp->ks_memuse -= size;
	/* Wake sleepers in malloc() if this free crossed the limit. */
	if (ksp->ks_memuse + size >= ksp->ks_limit &&
	    ksp->ks_memuse < ksp->ks_limit)
		wakeup((void *)ksp);
#ifdef DIAGNOSTIC
	if (ksp->ks_inuse == 0)
		panic("free 2: inuse 0, probable double free");
#endif
	ksp->ks_inuse--;
#endif
	/*
	 * Append at the tail, so a freed object is reused only after every
	 * object already on the list has been handed out.
	 */
	if (kbp->kb_next == NULL)
		kbp->kb_next = addr;
	else
		((struct freelist *)kbp->kb_last)->next = addr;
	freep->next = NULL;
	kbp->kb_last = addr;
	mutex_exit(&malloc_lock);
}

/*
 * Change the size of a block of memory.
 *
 * Returns curaddr unchanged when the existing block is already large
 * enough, a new block when it had to grow, and NULL either after a
 * zero-size request (the block is freed) or when the new allocation
 * failed (the old block is left untouched).  As in free(), the range of
 * curaddr is not checked before its page descriptor is looked up.
 */
void *
realloc(void *curaddr, unsigned long newsize, struct malloc_type *ksp,
    int flags)
{
	struct kmemusage *kup;
	unsigned long cursize;
	void *newaddr;
#ifdef DIAGNOSTIC
	long alloc;
#endif

	/*
	 * realloc() with a NULL pointer is the same as malloc().
	 */
	if (curaddr == NULL)
		return (malloc(newsize, ksp, flags));

	/*
	 * realloc() with zero size is the same as free().
	 */
	if (newsize == 0) {
		free(curaddr, ksp);
		return (NULL);
	}

#ifdef LOCKDEBUG
	if ((flags & M_NOWAIT) == 0)
		ASSERT_SLEEPABLE(NULL, "realloc");
#endif

	/*
	 * Find out how large the old allocation was (and do some
	 * sanity checking).
	 */
	kup = btokup(curaddr);
	cursize = 1 << kup->ku_indx;

#ifdef DIAGNOSTIC
	/*
	 * Check for returns of data that do not point to the
	 * beginning of the allocation.
	 */
	if (cursize > PAGE_SIZE)
		alloc = addrmask[BUCKETINDX(PAGE_SIZE)];
	else
		alloc = addrmask[kup->ku_indx];
	if (((u_long)curaddr & alloc) != 0)
		panic("realloc: "
		    "unaligned addr %p, size %ld, type %s, mask %ld\n",
		    curaddr, cursize, ksp->ks_shortdesc, alloc);
#endif /* DIAGNOSTIC */

	/* For large allocations the real size is the page count. */
	if (cursize > MAXALLOCSAVE)
		cursize = ctob(kup->ku_pagecnt);

	/*
	 * If we already actually have as much as they want, we're done.
	 */
	if (newsize <= cursize)
		return (curaddr);

	/*
	 * Can't satisfy the allocation with the existing block.
	 * Allocate a new one and copy the data.
	 */
	newaddr = malloc(newsize, ksp, flags);
	if (__predict_false(newaddr == NULL)) {
		/*
		 * malloc() failed, which it only does when flags include
		 * M_NOWAIT or M_CANFAIL.  Return NULL to indicate that
		 * failure.  The old pointer is still valid.
		 */
		return (NULL);
	}
	/*
	 * cursize is the full size of the old block, not the size the
	 * caller originally asked for; it is smaller than newsize here, so
	 * the copy fits in the new block.
	 */
	memcpy(newaddr, curaddr, cursize);

	/*
	 * We were successful: free the old allocation and return
	 * the new one.
	 */
	free(curaddr, ksp);
	return (newaddr);
}

/*
 * Roundup size to the actual allocation size.
 *
 * Mirrors the sizing rule in malloc(): whole pages above MAXALLOCSAVE,
 * otherwise the power of two of the bucket BUCKETINDX() selects.
 */
unsigned long
malloc_roundup(unsigned long size)
{

	if (size > MAXALLOCSAVE)
		return (roundup(size, PAGE_SIZE));
	else
		return (1 << BUCKETINDX(size));
}

/*
 * Add a malloc type to the system.
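*/
/*
 * malloc_type_attach() links `type' at the head of the kmemstatistics
 * list.  It panics if the arena has not been sized yet (nkmempages == 0)
 * or if the type does not carry M_MAGIC, and under DIAGNOSTIC also if the
 * type is already on the list.  With KMEMSTATS a zero ks_limit is replaced
 * by 60% of the arena size; without KMEMSTATS the limit is forced to 0.
 *
 * The list is modified without taking malloc_lock.
 * NOTE(review): presumably callers are serialized some other way (boot,
 * module attach) -- confirm.
 */
void
malloc_type_attach(struct malloc_type *type)
{

	if (nkmempages == 0)
		panic("malloc_type_attach: nkmempages == 0");

	if (type->ks_magic != M_MAGIC)
		panic("malloc_type_attach: bad magic");

#ifdef DIAGNOSTIC
	{
		struct malloc_type *ksp;
		for (ksp = kmemstatistics; ksp != NULL; ksp = ksp->ks_next) {
			if (ksp == type)
				panic("malloc_type_attach: already on list");
		}
	}
#endif

#ifdef KMEMSTATS
	if (type->ks_limit == 0)
		type->ks_limit = ((u_long)nkmempages << PAGE_SHIFT) * 6U / 10U;
#else
	type->ks_limit = 0;
#endif

	type->ks_next = kmemstatistics;
	kmemstatistics = type;
}

/*
 * Remove a malloc type from the system.
 *
 * Unlinks `type' from kmemstatistics and clears its ks_next.  Under
 * DIAGNOSTIC it panics on a bad magic number or when the type is not on
 * the list; without DIAGNOSTIC a type that is not on the list is left
 * alone apart from ks_next being cleared.
 */
void
malloc_type_detach(struct malloc_type *type)
{
	struct malloc_type **kspp;
#ifdef DIAGNOSTIC
	int found = 0;

	if (type->ks_magic != M_MAGIC)
		panic("malloc_type_detach: bad magic");
#endif

	/*
	 * Walk the links rather than the nodes.  This handles the head of
	 * the list and an empty list without special cases, where walking
	 * nodes from kmemstatistics would dereference NULL on an empty
	 * list.
	 */
	for (kspp = &kmemstatistics; *kspp != NULL;
	    kspp = &(*kspp)->ks_next) {
		if (*kspp == type) {
			*kspp = type->ks_next;
#ifdef DIAGNOSTIC
			found = 1;
#endif
			break;
		}
	}
#ifdef DIAGNOSTIC
	/*
	 * Decide on an explicit flag.  Testing the predecessor's ks_next
	 * for NULL after the unlink cannot tell "not found" from "removed
	 * the last element", and would panic on a valid detach of the tail.
	 */
	if (!found)
		panic("malloc_type_detach: not on list");
#endif
	type->ks_next = NULL;
}

/*
 * Set the limit on a malloc type.
 *
 * Takes malloc_lock for the update.  Without KMEMSTATS this is a no-op,
 * since no limit is enforced in that configuration.
 */
void
malloc_type_setlimit(struct malloc_type *type, u_long limit)
{
#ifdef KMEMSTATS
	mutex_enter(&malloc_lock);
	type->ks_limit = limit;
	mutex_exit(&malloc_lock);
#endif
}

/*
 * Compute the number of pages that kmem_map will map, that is,
 * the size of the kernel malloc arena.
 *
 * Starts from physmem and clamps to NKMEMPAGES_MAX, then NKMEMPAGES_MIN;
 * because the minimum is applied last, it wins if the two bounds conflict.
 */
void
kmeminit_nkmempages(void)
{
	int npages;

	if (nkmempages != 0) {
		/*
		 * It's already been set (by us being here before, or
		 * by patching or kernel config options), bail out now.
		 */
		return;
	}

	npages = physmem;

	if (npages > NKMEMPAGES_MAX)
		npages = NKMEMPAGES_MAX;

	if (npages < NKMEMPAGES_MIN)
		npages = NKMEMPAGES_MIN;

	nkmempages = npages;
}

/*
 * Initialize the kernel memory allocator
 *
 * Sets up malloc_lock, sizes the arena, allocates the per-page descriptor
 * array and the kmem submap, fills in the per-bucket statistics fields
 * (KMEMSTATS) and attaches every statically linked malloc type.
 */
void
kmeminit(void)
{
	__link_set_decl(malloc_types, struct malloc_type);
	struct malloc_type * const *ksp;
	vaddr_t kmb, kml;
#ifdef KMEMSTATS
	long indx;
#endif

	/*
	 * Compile-time configuration checks: the ERROR! lines are not valid
	 * C, so the build fails if any of these conditions is true.
	 */
#if	((MAXALLOCSAVE & (MAXALLOCSAVE - 1)) != 0)
		ERROR!_kmeminit:_MAXALLOCSAVE_not_power_of_2
#endif
#if	(MAXALLOCSAVE > MINALLOCSIZE * 32768)
		ERROR!_kmeminit:_MAXALLOCSAVE_too_big
#endif
#if	(MAXALLOCSAVE < NBPG)
		ERROR!_kmeminit:_MAXALLOCSAVE_too_small
#endif

	/* The free-list header must fit inside the smallest object. */
	if (sizeof(struct freelist) > (1 << MINBUCKET))
		panic("minbucket too small/struct freelist too big");

	mutex_init(&malloc_lock, MUTEX_DRIVER, IPL_VM);

	/*
	 * Compute the number of kmem_map pages, if we have not
	 * done so already.
	 */
	kmeminit_nkmempages();

	/*
	 * One zeroed descriptor per arena page; btokup() indexes this array.
	 * NOTE(review): neither this allocation nor the submap creation
	 * below is checked for failure -- confirm both calls cannot fail
	 * when made with these flags.
	 */
	kmemusage = (struct kmemusage *) uvm_km_alloc(kernel_map,
	    (vsize_t)(nkmempages * sizeof(struct kmemusage)), 0,
	    UVM_KMF_WIRED|UVM_KMF_ZERO);
	kmb = 0;
	kmem_map = uvm_km_suballoc(kernel_map, &kmb,
	    &kml, ((vsize_t)nkmempages << PAGE_SHIFT),
	    VM_MAP_INTRSAFE, false, &kmem_map_store);
	uvm_km_vacache_init(kmem_map, "kvakmem", 0);
	kmembase = (char *)kmb;
	kmemlimit = (char *)kml;
#ifdef KMEMSTATS
	/* Objects per page for each bucket; high-water mark is 5 pages' worth. */
	for (indx = 0; indx < MINBUCKET + 16; indx++) {
		if (1 << indx >= PAGE_SIZE)
			kmembuckets[indx].kb_elmpercl = 1;
		else
			kmembuckets[indx].kb_elmpercl = PAGE_SIZE / (1 << indx);
		kmembuckets[indx].kb_highwat =
			5 * kmembuckets[indx].kb_elmpercl;
	}
#endif

	/* Attach all of the statically-linked malloc types. */
	__link_set_foreach(ksp, malloc_types)
		malloc_type_attach(*ksp);

#ifdef MALLOC_DEBUG
	debug_malloc_init();
#endif
}

#ifdef DDB
#include <ddb/db_output.h>

/*
 * Dump kmem statistics from ddb.
 *
 * usage: call dump_kmemstats
 *
 * Prints one line per malloc type with nonzero ks_memuse: the short
 * description in a 20-column field followed by the byte count.
 */
void	dump_kmemstats(void);

void
dump_kmemstats(void)
{
#ifdef KMEMSTATS
	struct malloc_type *ksp;

	for (ksp = kmemstatistics; ksp != NULL; ksp = ksp->ks_next) {
		if (ksp->ks_memuse == 0)
			continue;
		/*
		 * Left-justify the name in a 20-column field.  Slicing a pad
		 * string with a precision of 20 - strlen(name) goes negative
		 * for names longer than 20 characters and depends on the
		 * exact length of the pad literal.
		 */
		db_printf("%-20s %ld\n", ksp->ks_shortdesc,
		    ksp->ks_memuse);
	}
#else
	db_printf("Kmem stats are not being collected.\n");
#endif /* KMEMSTATS */
}
#endif /* DDB */


#if 0
/*
 * Diagnostic messages about "Data modified on
 * freelist" indicate a memory corruption, but
 * they do not help tracking it down.
 * This function can be called at various places
 * to sanity check malloc's freelist and discover
 * where does the corruption take place.
 *
 * Compiled out.  Returns 1 at the first free object that is not mapped
 * writable in kmem_map or whose first word is not WEIRD_ADDR, else 0.
 * It does not take malloc_lock while walking the lists.
 */
int
freelist_sanitycheck(void) {
	int i,j;
	struct kmembuckets *kbp;
	struct freelist *freep;
	int rv = 0;

	for (i = MINBUCKET; i <= MINBUCKET + 15; i++) {
		kbp = &kmembuckets[i];
		freep = (struct freelist *)kbp->kb_next;
		j = 0;
		while(freep) {
			vm_map_lock(kmem_map);
			rv = uvm_map_checkprot(kmem_map, (vaddr_t)freep,
			    (vaddr_t)freep + sizeof(struct freelist),
			    VM_PROT_WRITE);
			vm_map_unlock(kmem_map);

			if ((rv == 0) || (*(int *)freep != WEIRD_ADDR)) {
				printf("bucket %i, chunck %d at %p modified\n",
				    i, j, freep);
				return 1;
			}
			freep = (struct freelist *)freep->next;
			j++;
		}
	}

	return 0;
}
#endif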