Date: Fri, 21 Mar 2025 05:34:16 -0400
From: Mark Johnston <markj@freebsd.org>
To: Gleb Smirnoff <glebius@freebsd.org>
Cc: "Bjoern A. Zeeb" <bz@freebsd.org>, David Wolfskill <david@catwhisker.org>, current@freebsd.org, kib@freebsd.org, jhb@freebsd.org
Subject: Re: Possible video driver issue after main-n275966-d2a55e6a9348 -> main-n275975-5963423232e8
Message-ID: <Z90ymKjH18bkj-nc@framework>
In-Reply-To: <Z90poZ960b6jCXqn@cell.glebi.us>
References: <Z9WJsC4FcyHQkME-@albert.catwhisker.org> <Z9jRXIe5cNnlRfhU@albert.catwhisker.org> <01qqq28n-p1s3-n82q-9n1s-7o900ro5n62q@SerrOFQ.bet> <Z9l7vF_gt57AyzDC@albert.catwhisker.org> <Z9mN10KGg_pQXbly@albert.catwhisker.org> <Z9oBNVH7l8QKHSC3@cell.glebi.us> <rp062q43-939r-3o94-7s04-06s8669nsq1s@serrofq.bet> <Z90poZ960b6jCXqn@cell.glebi.us>
On Fri, Mar 21, 2025 at 01:56:01AM -0700, Gleb Smirnoff wrote:
> On Thu, Mar 20, 2025 at 07:52:19PM +0000, Bjoern A. Zeeb wrote:
> B> He's hitting a ... somewhere in i915kms.ko (here's the two instances I
> B> have):
> B> REDZONE: Buffer underflow detected. 16 bytes corrupted before 0xfffffe089bc65000 (262148 bytes allocated).
> B> REDZONE: Buffer underflow detected. 16 bytes corrupted before 0xfffffe08a7e70000 (262148 bytes allocated).
>
> I looked a bit into the problem and it actually seems very trivial to me.
> Please re-check my observations.
>
> A contigmalloc(9) allocation doesn't get redzone protection, see kern_malloc.c.
> But free(9) always does the contigmalloc check. This makes deprecation of
> contigfree(9) incompatible with redzone(9). And it looks like
> 19df0c5abcb9d4e951e610b6de98d4d8a00bd5f9 is our first bump into this sad fact.
Can we not just add redzone padding to contigmalloc() allocations?
Compile-tested patch below:
diff --git a/sys/kern/kern_malloc.c b/sys/kern/kern_malloc.c
index b1347b15e651..0b76e633b04a 100644
--- a/sys/kern/kern_malloc.c
+++ b/sys/kern/kern_malloc.c
@@ -477,11 +477,18 @@ contigmalloc_size(uma_slab_t slab)
}
void *
-contigmalloc(unsigned long size, struct malloc_type *type, int flags,
+contigmalloc(unsigned long osize, struct malloc_type *type, int flags,
vm_paddr_t low, vm_paddr_t high, unsigned long alignment,
vm_paddr_t boundary)
{
void *ret;
+ unsigned long size;
+
+#ifdef DEBUG_REDZONE
+ size = redzone_size_ntor(osize);
+#else
+ size = osize;
+#endif
ret = (void *)kmem_alloc_contig(size, flags, low, high, alignment,
boundary, VM_MEMATTR_DEFAULT);
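Review bot: the `alignment` and `boundary` constraints passed to kmem_alloc_contig() apply to the base address of the padded buffer, but with DEBUG_REDZONE the caller receives `ret = redzone_setup(ret, osize)` in the next hunk, i.e. base plus the leading redzone, so a contigmalloc(9) caller that relies on the alignment it asked for (typically for DMA) silently loses it under DEBUG_REDZONE. Either round the leading pad up to `alignment` so the returned pointer still satisfies the contract, or note the limitation in a comment next to the `redzone_size_ntor(osize)` call; a short comment explaining why `size` and `osize` differ would help readers of this prologue either way.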
@@ -489,16 +496,26 @@ contigmalloc(unsigned long size, struct malloc_type *type, int flags,
/* Use low bits unused for slab pointers. */
vsetzoneslab((uintptr_t)ret, NULL, CONTIG_MALLOC_SLAB(size));
malloc_type_allocated(type, round_page(size));
+#ifdef DEBUG_REDZONE
+ ret = redzone_setup(ret, osize);
+#endif
}
return (ret);
}
void *
-contigmalloc_domainset(unsigned long size, struct malloc_type *type,
+contigmalloc_domainset(unsigned long osize, struct malloc_type *type,
struct domainset *ds, int flags, vm_paddr_t low, vm_paddr_t high,
unsigned long alignment, vm_paddr_t boundary)
{
void *ret;
+ unsigned long size;
+
+#ifdef DEBUG_REDZONE
+ size = redzone_size_ntor(osize);
+#else
+ size = osize;
+#endif
ret = (void *)kmem_alloc_contig_domainset(ds, size, flags, low, high,
alignment, boundary, VM_MEMATTR_DEFAULT);
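Review bot: the `#ifdef DEBUG_REDZONE` prologue (`size = redzone_size_ntor(osize)` / `size = osize`) and the epilogue `ret = redzone_setup(ret, osize)` are now duplicated verbatim between contigmalloc() and contigmalloc_domainset(), which invites the two copies to drift; consider having contigmalloc() call contigmalloc_domainset() with the default domainset, or factoring the padded-size computation into a small static helper so the redzone handling lives in one place. Also worth stating in the commit message that `malloc_type_allocated(type, round_page(size))` and `CONTIG_MALLOC_SLAB(size)` now record the padded size, so the accounting on the free side must be derived from the same encoded size rather than from what the caller originally requested.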
@@ -506,6 +523,9 @@ contigmalloc_domainset(unsigned long size, struct malloc_type *type,
/* Use low bits unused for slab pointers. */
vsetzoneslab((uintptr_t)ret, NULL, CONTIG_MALLOC_SLAB(size));
malloc_type_allocated(type, round_page(size));
+#ifdef DEBUG_REDZONE
+ ret = redzone_setup(ret, osize);
+#endif
}
return (ret);
}
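Review bot: this hunk changes the pointer handed back to callers (`ret = redzone_setup(ret, osize)`), but the patch does not touch the release path, and vsetzoneslab() above recorded the slab on the original base. free(9) and the still-present contigfree(9) therefore have to translate the caller's pointer back with redzone_addr_ntor() before the vtozoneslab() lookup and the redzone check, otherwise the shifted pointer will not match the recorded base; please either show that part of the change or confirm in the commit message that the existing DEBUG_REDZONE handling in free() already covers contig allocations. A test on a DEBUG_REDZONE kernel that exercises the i915kms.ko path from the report would be the natural verification.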