Index: sys/vm/memguard.c =================================================================== --- sys/vm/memguard.c +++ sys/vm/memguard.c @@ -109,26 +109,20 @@ CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 0, memguard_sysctl_desc, "A", "Short description of memory type to monitor"); -static vm_offset_t memguard_cursor; static vm_offset_t memguard_base; static vm_size_t memguard_mapsize; static vm_size_t memguard_physlimit; static u_long memguard_wasted; -static u_long memguard_wrap; static u_long memguard_succ; static u_long memguard_fail_kva; static u_long memguard_fail_pgs; -SYSCTL_ULONG(_vm_memguard, OID_AUTO, cursor, CTLFLAG_RD, - &memguard_cursor, 0, "MemGuard cursor"); SYSCTL_ULONG(_vm_memguard, OID_AUTO, mapsize, CTLFLAG_RD, &memguard_mapsize, 0, "MemGuard private arena size"); SYSCTL_ULONG(_vm_memguard, OID_AUTO, phys_limit, CTLFLAG_RD, &memguard_physlimit, 0, "Limit on MemGuard memory consumption"); SYSCTL_ULONG(_vm_memguard, OID_AUTO, wasted, CTLFLAG_RD, &memguard_wasted, 0, "Excess memory used through page promotion"); -SYSCTL_ULONG(_vm_memguard, OID_AUTO, wrapcnt, CTLFLAG_RD, - &memguard_wrap, 0, "MemGuard cursor wrap count"); SYSCTL_ULONG(_vm_memguard, OID_AUTO, numalloc, CTLFLAG_RD, &memguard_succ, 0, "Count of successful MemGuard allocations"); SYSCTL_ULONG(_vm_memguard, OID_AUTO, fail_kva, CTLFLAG_RD, @@ -218,7 +212,6 @@ VMEM_ADDR_MIN, VMEM_ADDR_MAX, M_BESTFIT | M_WAITOK, &base); vmem_init(memguard_arena, "memguard arena", base, memguard_mapsize, PAGE_SIZE, 0, M_WAITOK); - memguard_cursor = base; memguard_base = base; printf("MEMGUARD DEBUGGING ALLOCATOR INITIALIZED:\n"); @@ -297,7 +290,7 @@ { vm_offset_t addr, origaddr; u_long size_p, size_v; - int domain, rv; + int domain, error, rv; bool do_guard; size_p = round_page(req_size); @@ -327,34 +320,17 @@ memguard_fail_pgs++; goto out; } + /* - * Keep a moving cursor so we don't recycle KVA as long as - * possible. It's not perfect, since we don't know in what - * order previous allocations will be free'd, but it's simple - * and fast, and requires O(1) additional storage if guard - * pages are not used. - * - * XXX This scheme will lead to greater fragmentation of the - * map, unless vm_map_findspace() is tweaked. + * Attempt to avoid address reuse for as long as possible, to increase + * the likelihood of catching a use-after-free. */ - for (;;) { - if (vmem_xalloc(memguard_arena, size_v, 0, 0, 0, - memguard_cursor, VMEM_ADDR_MAX, - M_BESTFIT | M_NOWAIT, &origaddr) == 0) - break; - - /* - * The map has no space. This may be due to - * fragmentation, or because the cursor is near the - * end of the map. - */ - if (memguard_cursor == memguard_base) { - memguard_fail_kva++; - addr = (vm_offset_t)NULL; - goto out; - } - memguard_wrap++; - memguard_cursor = memguard_base; + error = vmem_alloc(memguard_arena, size_v, M_NEXTFIT | M_NOWAIT, + &origaddr); + if (error != 0) { + memguard_fail_kva++; + addr = (vm_offset_t)NULL; + goto out; } addr = origaddr; if (do_guard) @@ -377,7 +353,6 @@ addr = (vm_offset_t)NULL; goto out; } - memguard_cursor = addr + size_v; *v2sizep(trunc_page(addr)) = req_size; *v2sizev(trunc_page(addr)) = size_v; memguard_succ++;