1.\" $OpenBSD: malloc.9,v 1.61 2014/11/19 05:42:26 deraadt Exp $ 2.\" $NetBSD: malloc.9,v 1.2 1996/10/30 05:29:54 lukem Exp $ 3.\" 4.\" Copyright (c) 1996 The NetBSD Foundation, Inc. 5.\" All rights reserved. 6.\" 7.\" This code is derived from software contributed to The NetBSD Foundation 8.\" by Paul Kranenburg. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE 23.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29.\" POSSIBILITY OF SUCH DAMAGE. 30.\" 31.Dd $Mdocdate: November 19 2014 $ 32.Dt MALLOC 9 33.Os 34.Sh NAME 35.Nm malloc , 36.Nm mallocarray , 37.Nm free 38.Nd kernel memory allocator 39.Sh SYNOPSIS 40.In sys/types.h 41.In sys/malloc.h 42.Ft void * 43.Fn malloc "size_t size" "int type" "int flags" 44.Ft void * 45.Fn mallocarray "size_t nmemb" "size_t size" "int type" "int flags" 46.Ft void 47.Fn free "void *addr" "int type" "size_t size" 48.Sh DESCRIPTION 49The 50.Fn malloc 51function allocates uninitialized memory in kernel address space for an 52object whose size is specified by 53.Fa size . 54.Pp 55The 56.Fn mallocarray 57function is the same as 58.Fn malloc , 59but allocates space for an array of 60.Fa nmemb 61objects and checks for arithmetic overflow. 62.Pp 63The 64.Fn free 65function releases memory at address 66.Fa addr 67that was previously allocated by 68.Fn malloc 69or 70.Fn mallocarray 71for re-use. 72The same object size originally provided to 73.Fn malloc 74should be specified by 75.Fa size , 76because 77.Fn free 78will operate faster knowing this. 79If tracking the size is difficult, specify 80.Ar size 81as 0. 82If 83.Fa addr 84is a null pointer, no action occurs. 85.Pp 86The 87.Fa flags 88argument affects the operational characteristics of 89.Fn malloc 90and 91.Fn mallocarray 92as follows: 93.Bl -tag -width xxx -offset indent 94.It Dv M_WAITOK 95If memory is currently unavailable, 96.Fn malloc 97may call sleep to wait for resources to be released by other processes. 98.It Dv M_NOWAIT 99Causes 100.Fn malloc 101to return 102.Dv NULL 103if the request cannot be immediately fulfilled due to resource shortage. 104.It Dv M_CANFAIL 105In the 106.Dv M_WAITOK 107case, if not enough memory is available, return 108.Dv NULL 109instead of calling 110.Xr panic 9 . 111If 112.Fn mallocarray 113detects an overflow 114or 115.Fn malloc 116detects an excessive allocation, return 117.Dv NULL 118instead of calling 119.Xr panic 9 . 120.It Dv M_ZERO 121Causes allocated memory to be zeroed. 122.El 123.Pp 124One of 125.Dv M_NOWAIT 126or 127.Dv M_WAITOK 128must be specified via the 129.Fa flags 130argument. 131.Pp 132The 133.Fa type 134argument broadly identifies the kernel subsystem for which the allocated 135memory was needed, and is commonly used to maintain statistics about 136kernel memory usage. 137These statistics can be examined using 138.Xr vmstat 8 139or 140.Xr systat 1 141if either of the kernel 142.Xr options 4 143.Cm KMEMSTATS 144or 145.Cm DEBUG 146are enabled. 147.Pp 148The following types are currently defined: 149.Pp 150.Bl -tag -offset indent -width XXXXXXXXXXXXXX -compact 151.It Dv M_FREE 152Should be on free list. 153.It Dv M_DEVBUF 154Device driver memory. 155.It Dv M_DEBUG 156.Nm malloc 157debug structures. 158.It Dv M_PCB 159Protocol control blocks. 160.It Dv M_RTABLE 161Routing tables. 162.It Dv M_FTABLE 163Fragment reassembly headers. 164.It Dv M_IFADDR 165Interface addresses. 166.It Dv M_SOOPTS 167Socket options. 168.It Dv M_SYSCTL 169Sysctl persistent buffers. 170.It Dv M_IOCTLOPS 171Ioctl data buffers. 172.It Dv M_IOV 173Large IOVs. 174.It Dv M_MOUNT 175VFS mount structs. 176.It Dv M_NFSREQ 177NFS request headers. 178.It Dv M_NFSMNT 179NFS mount structures. 180.It Dv M_VNODE 181Dynamically allocated vnodes. 182.It Dv M_CACHE 183Dynamically allocated cache entries. 184.It Dv M_DQUOT 185UFS quota entries. 186.It Dv M_UFSMNT 187UFS mount structures. 188.It Dv M_SHM 189SVID compatible shared memory segments. 190.It Dv M_VMMAP 191VM map structures. 192.It Dv M_SEM 193SVID compatible semaphores. 194.It Dv M_DIRHASH 195UFS directory hash structures. 196.It Dv M_ACPI 197ACPI structures. 198.It Dv M_VMPMAP 199VM pmap data. 200.It Dv M_FILE 201Open file structures. 202.It Dv M_FILEDESC 203Open file descriptor tables. 204.It Dv M_PROC 205Proc structures. 206.It Dv M_SUBPROC 207Proc sub-structures. 208.It Dv M_VCLUSTER 209Cluster for VFS. 210.It Dv M_MFSNODE 211MFS vnode private part. 212.It Dv M_NETADDR 213Export host address structures. 214.It Dv M_NFSSVC 215NFS server structures. 216.It Dv M_NFSD 217NFS server daemon structures. 218.It Dv M_IPMOPTS 219Internet multicast options. 220.It Dv M_IPMADDR 221Internet multicast addresses. 222.It Dv M_IFMADDR 223Link-level multicast addresses. 224.It Dv M_MRTABLE 225Multicast routing tables. 226.It Dv M_ISOFSMNT 227ISOFS mount structures. 228.It Dv M_ISOFSNODE 229ISOFS vnode private part. 230.It Dv M_MSDOSFSMNT 231MSDOS FS mount structures. 232.It Dv M_MSDOSFSFAT 233MSDOS FS FAT tables. 234.It Dv M_MSDOSFSNODE 235MSDOS FS vnode private part. 236.It Dv M_TTYS 237Allocated tty structures. 238.It Dv M_EXEC 239Argument lists & other mem used by exec. 240.It Dv M_MISCFSMNT 241Miscellaneous FS mount structures. 242.It Dv M_FUSEFS 243FUSE FS mount structures. 244.It Dv M_PFKEY 245Pfkey data. 246.It Dv M_TDB 247Transforms database. 248.It Dv M_XDATA 249IPsec data. 250.It Dv M_PAGEDEP 251File page dependencies. 252.It Dv M_INODEDEP 253Inode dependencies. 254.It Dv M_NEWBLK 255New block allocation. 256.It Dv M_INDIRDEP 257Indirect block dependencies. 258.It Dv M_VMSWAP 259VM swap structures. 260.It Dv M_UVMAMAP 261UVM amap and related. 262.It Dv M_UVMAOBJ 263UVM aobj and related. 264.It Dv M_USB 265USB general. 266.It Dv M_USBDEV 267USB device driver. 268.It Dv M_USBHC 269USB host controller. 270.It Dv M_MEMDESC 271Memory range. 272.It Dv M_CRYPTO_DATA 273.Xr crypto 9 274data buffers. 275.It Dv M_CREDENTIALS 276.Xr ipsec 4 277related credentials. 278.It Dv M_EMULDATA 279Per process emulation data. 280.It Dv M_IP6OPT 281IPv6 options. 282.It Dv M_IP6NDP 283IPv6 neighbour discovery structures. 284.It Dv M_TEMP 285Miscellaneous temporary data buffers. 286.It Dv M_NTFSMNT 287NTFS mount structures. 288.It Dv M_NTFSNTNODE 289NTFS ntnode information. 290.It Dv M_NTFSNODE 291NTFS fnode information. 292.It Dv M_NTFSDIR 293NTFS directory buffers. 294.It Dv M_NTFSHASH 295NTFS ntnode hash tables. 296.It Dv M_NTFSVATTR 297NTFS file attribute information. 298.It Dv M_NTFSRDATA 299NTFS resident data. 300.It Dv M_NTFSDECOMP 301NTFS decompression temporary storage. 302.It Dv M_NTFSRUN 303NTFS vrun storage. 304.It Dv M_KEVENT 305.Xr kqueue 2 306data structures. 307.It Dv M_BWMETER 308Multicast upcall bandwidth meters. 309.It Dv M_UDFMOUNT 310UDF mount structures. 311.It Dv M_UDFFENTRY 312UDF file entries. 313.It Dv M_UDFFID 314UDF file ID. 315.It Dv M_AGP 316AGP memory. 317.It Dv M_DRM 318Direct Rendering Manager. 319.El 320.Sh CONTEXT 321.Fn malloc 322and 323.Fn mallocarray 324can be called during autoconf, from process context, or from interrupt context 325if 326.Dv M_NOWAIT 327is passed via 328.Fa flags . 329They can't be called from interrupt context if 330.Dv M_WAITOK 331is passed via 332.Fa flags . 333.Pp 334.Fn free 335can be called during autoconf, from process context, or from interrupt context. 336.Sh RETURN VALUES 337.Fn malloc 338and 339.Fn mallocarray 340return a kernel virtual address that is suitably aligned for storage of 341any type of object. 342.Sh DIAGNOSTICS 343A kernel compiled with the 344.Dv DIAGNOSTIC 345configuration option attempts to detect memory corruption caused by 346such things as writing outside the allocated area and unbalanced calls to 347.Fn malloc 348or 349.Fn mallocarray , 350and 351.Fn free . 352Failing consistency checks will cause a panic or a system console message: 353.Pp 354.Bl -bullet -offset indent -compact 355.It 356panic: 357.Dq malloc: bogus type 358.It 359panic: 360.Dq malloc: out of space in kmem_map 361.It 362panic: 363.Dq malloc: allocation too large 364.It 365panic: 366.Dq malloc: wrong bucket 367.It 368panic: 369.Dq malloc: lost data 370.It 371panic: 372.Dq mallocarray: overflow 373.It 374panic: 375.Dq free: unaligned addr 376.It 377panic: 378.Dq free: duplicated free 379.It 380panic: 381.Dq free: multiple frees 382.It 383panic: 384.Dq free: non-malloced addr 385.It 386panic: 387.Dq free: size too large 388.It 389panic: 390.Dq free: size too small 391.It 392panic: 393.Dq kmeminit: minbucket too small/struct freelist too big 394.It 395.Dq multiply freed item Aq addr 396.It 397.Dq Data modified on freelist: Aq data object description 398.El 399.Sh DEBUGGING 400A kernel compiled with the 401.Cm MALLOC_DEBUG 402option allows for more extensive debugging of memory allocations. 403The 404.Va debug_malloc_type , 405.Va debug_malloc_size , 406.Va debug_malloc_size_lo 407and 408.Va debug_malloc_size_hi 409variables choose which allocation to debug. 410.Va debug_malloc_type 411should be set to the memory type and 412.Va debug_malloc_size 413should be set to the memory size to debug. 4140 can be used as a wildcard. 415.Va debug_malloc_size_lo 416and 417.Va debug_malloc_size_hi 418can be used to specify a range of sizes if the exact size to debug is not 419known. 420When those are used, 421.Va debug_malloc_size 422needs to be set to the wildcard. 423.Dv M_DEBUG 424can also be specified as an allocation type to force allocation with 425debugging. 426.Pp 427Every call to 428.Fn malloc 429or 430.Fn mallocarray 431with a memory type and size that matches the debugged type and size will 432allocate two virtual pages. 433The pointer returned will be aligned so that 434the requested area will end at the page boundary and the second virtual page 435will be left unmapped. 436This way we can catch reads and writes outside the allocated area. 437.Pp 438Every call to 439.Fn free 440with memory that was returned by the debugging allocators will cause the memory 441area to become unmapped so that we can catch dangling reads and writes to 442freed memory. 443.Pp 444There are no special diagnostics if any errors are caught by the debugging 445malloc. 446The errors will look like normal access to unmapped memory. 447On a memory access error, the 448.Ic show malloc 449command in 450.Xr ddb 4 451can be invoked to see what memory areas are allocated and freed. 452If the faulting address is within two pages from an address on the allocated 453list, there was an access outside the allocated area. 454If the faulting address is within two pages from an address on the free list, 455there was an access to freed memory. 456.Pp 457Care needs to be taken when using the 458.Cm MALLOC_DEBUG 459option: the memory consumption can run away pretty quickly and there is 460a severe performance degradation when allocating and freeing debugged memory 461types. 462.Sh SEE ALSO 463.Xr systat 1 , 464.Xr vmstat 8 465