Date: Thu, 22 Jul 2010 09:54:51 -0700 From: mdf@FreeBSD.org To: freebsd-arch@freebsd.org Subject: Multi-zone malloc(9) Message-ID: <AANLkTikoY8CuAF3DThBAXH_mu1QAuUWyRMtkaIomaoi7@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Occasionally we run into use-after-free and malloc'd buffer overrun scenarios. When this happens it can be rather difficult to determine what code is at fault, since e.g. every 64 byte allocation, regardless of malloc type, comes from the same UMA zone. This means that an overflow in M_TEMP will affect M_DEVBUF, etc. Adding multiple uma zones for each bucket size means that we can hash on the malloc type's shortdesc field so that there are fewer collisions and misused memory from one malloc type only affects a subset of other malloc types. Varying the hash means that, with several crashes due to memory stomp, a single malloc type can usually be determined as the culprit. If the bug isn't obvious from inspection at this point, MemGuard will help catch the offender. The patch at: http://people.freebsd.org/~mdf/multizone_malloc.patch implements an optional multi-zone malloc(9). By default there is a single zone, and MALLOC_DEBUG_MAXZONES can be specified in the kernel configuration file. A ddb function will print all the malloc types that have a hash collision with the specified type. A few questions for -arch@: - We found this very useful at Isilon. Should this go into CURRENT? - Should this be on by default for GENERIC? The memory overhead of 8 uma zones per malloc allocation size shouldn't be very large. - would a __FreeBSD_version bump be needed since the malloc_internal type is known by user-space? Thanks, matthew
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTikoY8CuAF3DThBAXH_mu1QAuUWyRMtkaIomaoi7>