KMEM_REDZONE on DIAGNOSTIC

To: tech-kern%netbsd.org@localhost
Subject: KMEM_REDZONE on DIAGNOSTIC
From: Maxime Villard <max%M00nBSD.net@localhost>
Date: Fri, 18 Jul 2014 11:46:26 +0200

Hi,
I intend to enable KMEM_REDZONE on DIAGNOSTIC. It adds a 2-byte-sized pattern at
the end of each allocated buffer when allocating, and checks this pattern when
freeing to ensure the caller hasn't written outside the requested area. It can
catch off-by-one's, and has almost no performance impact now.

I think it's a nice feature, and our (me and lars@) recent improvements make it
more efficient and lighter. As a comparison, one month ago I enabled KMEM_SIZE
and shortly afterwards it caught a memory corruption bug:

        http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=48963

Ok/Comments?

Index: subr_kmem.c
===================================================================
RCS file: /cvsroot/src/sys/kern/subr_kmem.c,v
retrieving revision 1.59
diff -u -r1.59 subr_kmem.c
--- subr_kmem.c 3 Jul 2014 08:43:49 -0000       1.59
+++ subr_kmem.c 3 Jul 2014 12:56:41 -0000
@@ -65,13 +65,23 @@
  *     Prefix each allocations with a fixed-sized, aligned header and record
  *     the exact user-requested allocation size in it. When freeing, compare
  *     it with kmem_free's "size" argument.
- */
-
-/*
+ *
  * KMEM_REDZONE: detect overrun bugs.
  *     Add a 2-byte pattern (allocate one more memory chunk if needed) at the
  *     end of each allocated buffer. Check this pattern on kmem_free.
  *
+ * These options are enabled on DIAGNOSTIC.
+ *
+ *  |CHUNK|CHUNK|CHUNK|CHUNK|CHUNK|CHUNK|CHUNK|CHUNK|CHUNK|CHUNK|CHUNK|
+ *  +-----+-----+-----+-----+-----+-----+-----+-----+-----+---+-+--+--+
+ *  |/////|     |     |     |     |     |     |     |     |   |*|**|UU|
+ *  |/HSZ/|     |     |     |     |     |     |     |     |   |*|**|UU|
+ *  |/////|     |     |     |     |     |     |     |     |   |*|**|UU|
+ *  +-----+-----+-----+-----+-----+-----+-----+-----+-----+---+-+--+--+
+ *  |Size |    Buffer usable by the caller (requested size)   |RedZ|Unused\
+ */
+
+/*
  * KMEM_POISON: detect modify-after-free bugs.
  *     Fill freed (in the sense of kmem_free) memory with a garbage pattern.
  *     Check the pattern on allocation.
@@ -168,11 +178,11 @@
 
 #if defined(DIAGNOSTIC) && defined(_HARDKERNEL)
 #define        KMEM_SIZE
+#define        KMEM_REDZONE
 #endif /* defined(DIAGNOSTIC) */
 
 #if defined(DEBUG) && defined(_HARDKERNEL)
 #define        KMEM_POISON
-#define        KMEM_REDZONE
 #define        KMEM_GUARD
 #endif /* defined(DEBUG) */

Prev by Date: Re: RFC: mpsafe bridge and NIC drivers (vioif and wm)
Next by Date: Re: troubles with an USB touch screen
Previous by Thread: troubles with an USB touch screen
Next by Thread: icache sync private rump component
Indexes:

Home | Main Index | Thread Index | Old Index