From: mdf@FreeBSD.org
To: freebsd-arch@freebsd.org
Date: Thu, 22 Jul 2010 09:54:51 -0700
Subject: Multi-zone malloc(9)

Occasionally we run into use-after-free and malloc'd buffer overrun scenarios. When this happens it can be rather difficult to determine what code is at fault, since e.g. every 64-byte allocation, regardless of malloc type, comes from the same UMA zone. This means that an overflow in M_TEMP will affect M_DEVBUF, etc.

Adding multiple UMA zones for each bucket size means that we can hash on the malloc type's shortdesc field so that there are fewer collisions and misused memory from one malloc type only affects a subset of other malloc types. Varying the hash means that, with several crashes due to memory stomp, a single malloc type can usually be determined as the culprit. If the bug isn't obvious from inspection at this point, MemGuard will help catch the offender.

The patch at:

http://people.freebsd.org/~mdf/multizone_malloc.patch

implements an optional multi-zone malloc(9). By default there is a single zone, and MALLOC_DEBUG_MAXZONES can be specified in the kernel configuration file. A ddb function will print all the malloc types that have a hash collision with the specified type.

A few questions for -arch@:

- We found this very useful at Isilon. Should this go into CURRENT?
- Should this be on by default for GENERIC? The memory overhead of 8 UMA zones per malloc allocation size shouldn't be very large.
- Would a __FreeBSD_version bump be needed since the malloc_internal type is known by user-space?

Thanks,
matthew
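
The narrowing procedure described in the message above, as an added user-space example that is not part of the original message or the linked patch: each crash leaves a victim type, the types that hash into the victim's zone are the suspects, and intersecting those sets across boots with a varied hash shrinks the list toward one type. Assumptions: the seeded FNV-1a hash, the one-seed-per-boot scheme, the function names and the sample type names are illustrative; only the zone count of 8 comes from the message.

```c
#include <stdint.h>
#include <stdio.h>

#define MAXZONES 8  /* stands in for MALLOC_DEBUG_MAXZONES; 8 as in the message */

/* Constructed sample of malloc type short descriptions. */
static const char *const types[] = { "temp", "devbuf", "ifaddr", "pcb",
    "sysctl", "kobj", "cred", "vnodes", "namei", "bus", "linker", "acl" };
#define NTYPES (sizeof(types) / sizeof(types[0]))

/* Assumed hash: seeded FNV-1a over shortdesc, folded so high bits pick the zone. */
static unsigned zone_of(const char *shortdesc, uint32_t seed)
{
    uint32_t h = 2166136261u ^ seed;
    for (; *shortdesc != '\0'; shortdesc++)
        h = (h ^ (unsigned char)*shortdesc) * 16777619u;
    return (h ^ (h >> 16)) % MAXZONES;
}

/* Bitmask of types sharing a zone with types[victim] under this seed: the
 * set a collision-listing debugger command would print. */
static uint32_t colliders(unsigned victim, uint32_t seed)
{
    uint32_t mask = 0;
    for (unsigned i = 0; i < NTYPES; i++)
        if (zone_of(types[i], seed) == zone_of(types[victim], seed))
            mask |= 1u << i;
    return mask;
}

/* Simulate ncrashes boots with seeds 1..ncrashes in which types[culprit]
 * stomps a neighbour in its zone; return the types still suspect after
 * intersecting the collider sets of the observed victims. */
static uint32_t suspects_after(unsigned culprit, unsigned ncrashes)
{
    uint32_t mask = (1u << NTYPES) - 1;
    for (uint32_t seed = 1; seed <= ncrashes; seed++) {
        unsigned victim = culprit;  /* stays the culprit if alone in its zone */
        for (unsigned i = 0; i < NTYPES; i++)
            if (i != culprit && zone_of(types[i], seed) == zone_of(types[culprit], seed))
                victim = i;         /* a neighbour got its buffer overwritten */
        mask &= colliders(victim, seed);
    }
    return mask;
}

int main(void)
{
    for (unsigned n = 0; n <= 6; n++)
        printf("crashes=%u suspects=0x%03x\n", n, (unsigned)suspects_after(1, n));
    return 0;
}
```

Bit i of the printed mask corresponds to types[i]; the culprit's bit (index 1, "devbuf") stays set in every row while unrelated types drop out as crashes accumulate.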