X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/3e170ce000f1506b7b5d2c5c7faec85ceabb573d..cc8bc92ae4a8e9f1a1ab61bf83d34ad8150b3405:/osfmk/kern/kalloc.c
diff --git a/osfmk/kern/kalloc.c b/osfmk/kern/kalloc.c
index 2ac827b63..97b04c739 100644
--- a/osfmk/kern/kalloc.c
+++ b/osfmk/kern/kalloc.c
@@ -77,6 +77,9 @@
 #include
 #include
 #include
+#include
+
+#include
 #ifdef MACH_BSD
 zone_t kalloc_zone(vm_size_t);
@@ -114,28 +117,14 @@ static void
 KALLOC_ZINFO_SALLOC(vm_size_t bytes)
 {
 thread_t thr = current_thread();
- task_t task;
- zinfo_usage_t zinfo;
-
 ledger_debit(thr->t_ledger, task_ledgers.tkm_shared, bytes);
-
- if (kalloc_fake_zone_index != -1 &&
- (task = thr->task) != NULL && (zinfo = task->tkm_zinfo) != NULL)
- zinfo[kalloc_fake_zone_index].alloc += bytes;
 }
 static void
 KALLOC_ZINFO_SFREE(vm_size_t bytes)
 {
 thread_t thr = current_thread();
- task_t task;
- zinfo_usage_t zinfo;
-
 ledger_credit(thr->t_ledger, task_ledgers.tkm_shared, bytes);
-
- if (kalloc_fake_zone_index != -1 &&
- (task = thr->task) != NULL && (zinfo = task->tkm_zinfo) != NULL)
- zinfo[kalloc_fake_zone_index].free += bytes;
 }
 /*
@@ -165,11 +154,11 @@ KALLOC_ZINFO_SFREE(vm_size_t bytes)
 80, \
 96, \
 /* 6 */ 128, \
- 160, \
+ 160, 192, \
 256, \
 /* 9 */ 288, \
- 512, \
- 1024, \
+ 512, 576, \
+ 1024, 1152, \
 /* C */ 1280, \
 2048, \
 4096
@@ -183,10 +172,13 @@ KALLOC_ZINFO_SFREE(vm_size_t bytes)
 "kalloc.96", \
 /* 6 */ "kalloc.128", \
 "kalloc.160", \
+ "kalloc.192", \
 "kalloc.256", \
 /* 9 */ "kalloc.288", \
 "kalloc.512", \
+ "kalloc.576", \
 "kalloc.1024", \
+ "kalloc.1152", \
 /* C */ "kalloc.1280", \
 "kalloc.2048", \
 "kalloc.4096"
@@ -204,9 +196,9 @@ KALLOC_ZINFO_SFREE(vm_size_t bytes)
 /* 6 */ 64, 72, 88, 112, \
 128, 192, \
 256, 288, 384, 440, \
-/* 9 */ 512, 768, \
+/* 9 */ 512, 576, 768, \
 1024, 1152, 1536, \
- 2048, 3072, \
+ 2048, 2128, 3072, \
 4096, 6144
 #define K_ZONE_NAMES \
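Review bot: The new sizes 192, 576 and 1152 added to the K_ZONE_SIZES list here (and 576 and 2128 in the second configuration at `@@ -204`, with the matching K_ZONE_NAMES entries at `@@ -183` and `@@ -216`) are kept in step with the name list only by hand, so a later edit that touches one list and not the other would label a zone wrongly with no compile-time signal. If k_zone_size and k_zone_name are arrays initialised from these macros (their definitions are outside the hunk), a `_Static_assert` that the two arrays have the same element count, placed next to them, would catch that. The 2128 bucket sits between 2048 and 3072 without a comment saying what it was sized for; one line naming the consumer or measurement behind it would help the next person tuning the table. The K_ZONE_SIZES definition begins before the hunk.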
@@ -216,9 +208,9 @@ KALLOC_ZINFO_SFREE(vm_size_t bytes)
 /* 6 */ "kalloc.64", "kalloc.72", "kalloc.88", "kalloc.112", \
 "kalloc.128", "kalloc.192", \
 "kalloc.256", "kalloc.288", "kalloc.384", "kalloc.440", \
-/* 9 */ "kalloc.512", "kalloc.768", \
+/* 9 */ "kalloc.512", "kalloc.576", "kalloc.768", \
 "kalloc.1024", "kalloc.1152", "kalloc.1536", \
- "kalloc.2048", "kalloc.3072", \
+ "kalloc.2048", "kalloc.2128", "kalloc.3072", \
 "kalloc.4096", "kalloc.6144"
 #else
@@ -309,7 +301,8 @@ kalloc_init(
 kern_return_t retval;
 vm_offset_t min;
 vm_size_t size, kalloc_map_size;
- register int i;
+ int i;
+ vm_map_kernel_flags_t vmk_flags;
 /*
 * Scale the kalloc_map_size to physical memory size: stay below
@@ -323,8 +316,14 @@ kalloc_init(
 if (kalloc_map_size < KALLOC_MAP_SIZE_MIN)
 kalloc_map_size = KALLOC_MAP_SIZE_MIN;
+ vmk_flags = VM_MAP_KERNEL_FLAGS_NONE;
+ vmk_flags.vmkf_permanent = TRUE;
+
 retval = kmem_suballoc(kernel_map, &min, kalloc_map_size,
- FALSE, VM_FLAGS_ANYWHERE | VM_FLAGS_PERMANENT | VM_MAKE_TAG(0),
+ FALSE,
+ (VM_FLAGS_ANYWHERE),
+ vmk_flags,
+ VM_KERN_MEMORY_KALLOC,
 &kalloc_map);
 if (retval != KERN_SUCCESS)
@@ -358,6 +357,10 @@ kalloc_init(
 for (i = 0; i < (int)MAX_K_ZONE && (size = k_zone_size[i]) < kalloc_max; i++) {
 k_zone[i] = zinit(size, size, size, k_zone_name[i]);
 zone_change(k_zone[i], Z_CALLERACCT, FALSE);
+#if VM_MAX_TAG_ZONES
+ if (zone_tagging_on) zone_change(k_zone[i], Z_TAGS_ENABLED, TRUE);
+#endif
+ zone_change(k_zone[i], Z_KASAN_QUARANTINE, FALSE);
 }
 /*
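Review bot: The parentheses around `VM_FLAGS_ANYWHERE` in the kmem_suballoc call at `@@ -323` are redundant and read as a leftover of the removed OR-chain; `VM_FLAGS_ANYWHERE,` on its own is enough. It would also help to say in a comment why the submap is now marked permanent (`vmk_flags.vmkf_permanent = TRUE;`): the kalloc_size and kfree_addr code added later in this commit classifies addresses by the kalloc_map_min..kalloc_map_max range, which presumably relies on this map never being torn down — worth confirming and stating next to the flag. kalloc_init starts and ends outside this hunk.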
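Review bot: `zone_change(k_zone[i], Z_KASAN_QUARANTINE, FALSE);` at `@@ -358` switches off the zone-level KASan quarantine for every kalloc zone without saying why; the reason appears to be that kfree now hands freed elements to the KASan quarantine itself (the `kasan_free` call added to kfree in this commit), so quarantining at the zone as well would be redundant — a comment such as `/* kfree() runs its own KASan quarantine via kasan_free(); do not quarantine again at the zone */` would tie the two sites together. The tagging line `if (zone_tagging_on) zone_change(k_zone[i], Z_TAGS_ENABLED, TRUE);` puts the body on the same line as an unbraced if, which the surrounding loop body does not do; a braced if would match. The for loop starts inside the hunk but kalloc_init itself does not.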
@@ -452,13 +455,166 @@ get_zone_search(vm_size_t size, int zindex)
 return (k_zone[zindex]);
 }
+static vm_size_t
+vm_map_lookup_kalloc_entry_locked(
+ vm_map_t map,
+ void *addr)
+{
+ boolean_t ret;
+ vm_map_entry_t vm_entry = NULL;
+
+ ret = vm_map_lookup_entry(map, (vm_map_offset_t)addr, &vm_entry);
+ if (!ret) {
+ panic("Attempting to lookup/free an address not allocated via kalloc! (vm_map_lookup_entry() failed map: %p, addr: %p)\n",
+ map, addr);
+ }
+ if (vm_entry->vme_start != (vm_map_offset_t)addr) {
+ panic("Attempting to lookup/free the middle of a kalloc'ed element! (map: %p, addr: %p, entry: %p)\n",
+ map, addr, vm_entry);
+ }
+ if (!vm_entry->vme_atomic) {
+ panic("Attempting to lookup/free an address not managed by kalloc! (map: %p, addr: %p, entry: %p)\n",
+ map, addr, vm_entry);
+ }
+ return (vm_entry->vme_end - vm_entry->vme_start);
+}
+
+#if KASAN_KALLOC
+/*
+ * KASAN kalloc stashes the original user-requested size away in the poisoned
+ * area. Return that directly.
+ */
+vm_size_t
+kalloc_size(void *addr)
+{
+ (void)vm_map_lookup_kalloc_entry_locked; /* silence warning */
+ return kasan_user_size((vm_offset_t)addr);
+}
+#else
+vm_size_t
+kalloc_size(
+ void *addr)
+{
+ vm_map_t map;
+ vm_size_t size;
+
+ size = zone_element_size(addr, NULL);
+ if (size) {
+ return size;
+ }
+ if (((vm_offset_t)addr >= kalloc_map_min) && ((vm_offset_t)addr < kalloc_map_max)) {
+ map = kalloc_map;
+ } else {
+ map = kernel_map;
+ }
+ vm_map_lock_read(map);
+ size = vm_map_lookup_kalloc_entry_locked(map, addr);
+ vm_map_unlock_read(map);
+ return size;
+}
+#endif
+
+vm_size_t
+kalloc_bucket_size(
+ vm_size_t size)
+{
+ zone_t z;
+ vm_map_t map;
+
+ if (size < MAX_SIZE_ZDLUT) {
+ z = get_zone_dlut(size);
+ return z->elem_size;
+ }
+
+ if (size < kalloc_max_prerounded) {
+ z = get_zone_search(size, k_zindex_start);
+ return z->elem_size;
+ }
+
+ if (size >= kalloc_kernmap_size)
+ map = kernel_map;
+ else
+ map = kalloc_map;
+
+ return vm_map_round_page(size,
VM_MAP_PAGE_MASK(map));
+}
+
+#if KASAN_KALLOC
+vm_size_t
+kfree_addr(void *addr)
+{
+ vm_size_t origsz = kalloc_size(addr);
+ kfree(addr, origsz);
+ return origsz;
+}
+#else
+vm_size_t
+kfree_addr(
+ void *addr)
+{
+ vm_map_t map;
+ vm_size_t size = 0;
+ kern_return_t ret;
+ zone_t z;
+
+ size = zone_element_size(addr, &z);
+ if (size) {
+ zfree(z, addr);
+ return size;
+ }
+
+ if (((vm_offset_t)addr >= kalloc_map_min) && ((vm_offset_t)addr < kalloc_map_max)) {
+ map = kalloc_map;
+ } else {
+ map = kernel_map;
+ }
+ if ((vm_offset_t)addr < VM_MIN_KERNEL_AND_KEXT_ADDRESS) {
+ panic("kfree on an address not in the kernel & kext address range! addr: %p\n", addr);
+ }
+
+ vm_map_lock(map);
+ size = vm_map_lookup_kalloc_entry_locked(map, addr);
+ ret = vm_map_remove_locked(map,
+ vm_map_trunc_page((vm_map_offset_t)addr,
+ VM_MAP_PAGE_MASK(map)),
+ vm_map_round_page((vm_map_offset_t)addr + size,
+ VM_MAP_PAGE_MASK(map)),
+ VM_MAP_REMOVE_KUNWIRE);
+ if (ret != KERN_SUCCESS) {
+ panic("vm_map_remove_locked() failed for kalloc vm_entry! addr: %p, map: %p ret: %d\n",
+ addr, map, ret);
+ }
+ vm_map_unlock(map);
+
+ kalloc_spin_lock();
+ kalloc_large_total -= size;
+ kalloc_large_inuse--;
+ kalloc_unlock();
+
+ KALLOC_ZINFO_SFREE(size);
+ return size;
+}
+#endif
+
 void *
 kalloc_canblock(
- vm_size_t size,
+ vm_size_t * psize,
 boolean_t canblock,
 vm_allocation_site_t * site)
 {
 zone_t z;
+ vm_size_t size;
+ void *addr;
+ vm_tag_t tag;
+
+ tag = VM_KERN_MEMORY_KALLOC;
+ size = *psize;
+
+#if KASAN_KALLOC
+ /* expand the allocation to accomodate redzones */
+ vm_size_t req_size = size;
+ size = kasan_alloc_resize(req_size);
+#endif
 if (size < MAX_SIZE_ZDLUT)
 z = get_zone_dlut(size);
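Review bot: The non-KASAN kalloc_size takes the map lock and calls vm_map_lookup_kalloc_entry_locked without the `VM_MIN_KERNEL_AND_KEXT_ADDRESS` guard that kfree_addr applies first, so the two entry points diagnose the same bad pointer differently: kfree_addr panics with its specific range message, kalloc_size falls through to the generic "not allocated via kalloc" panic from the lookup. Moving the range check into vm_map_lookup_kalloc_entry_locked, or adding `if ((vm_offset_t)addr < VM_MIN_KERNEL_AND_KEXT_ADDRESS) { panic("kalloc_size on an address not in the kernel & kext address range! addr: %p\n", addr); }` to kalloc_size, would make the two paths agree. vm_map_lookup_kalloc_entry_locked also needs a header comment stating that the caller must hold the map lock (read in kalloc_size, write in kfree_addr) and that it never returns for an address it cannot attribute to kalloc. Smaller points: `vm_size_t size = 0;` in kfree_addr is overwritten before it is read, and "accomodate" in the kalloc_canblock comment should be "accommodate". kalloc_canblock continues past the end of this hunk.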
@@ -471,27 +627,31 @@ kalloc_canblock(
 * krealloc can use kmem_realloc.)
 */
 vm_map_t alloc_map;
- void *addr;
 /* kmem_alloc could block so we return if noblock */
 if (!canblock) {
 return(NULL);
 }
+#if KASAN_KALLOC
+ /* large allocation - use guard pages instead of small redzones */
+ size = round_page(req_size + 2 * PAGE_SIZE);
+ assert(size >= MAX_SIZE_ZDLUT && size >= kalloc_max_prerounded);
+#endif
+
 if (size >= kalloc_kernmap_size)
 alloc_map = kernel_map;
 else
 alloc_map = kalloc_map;
- vm_tag_t tag;
- tag = (site ? tag = vm_tag_alloc(site) : VM_KERN_MEMORY_KALLOC);
+ if (site) tag = vm_tag_alloc(site);
- if (kmem_alloc(alloc_map, (vm_offset_t *)&addr, size, tag) != KERN_SUCCESS) {
+ if (kmem_alloc_flags(alloc_map, (vm_offset_t *)&addr, size, tag, KMA_ATOMIC) != KERN_SUCCESS) {
 if (alloc_map != kernel_map) {
 if (kalloc_fallback_count++ == 0) {
 printf("%s: falling back to kernel_map\n", __func__);
 }
- if (kmem_alloc(kernel_map, (vm_offset_t *)&addr, size, tag) != KERN_SUCCESS)
+ if (kmem_alloc_flags(kernel_map, (vm_offset_t *)&addr, size, tag, KMA_ATOMIC) != KERN_SUCCESS)
 addr = NULL;
 }
 else
@@ -518,6 +678,12 @@ kalloc_canblock(
 KALLOC_ZINFO_SALLOC(size);
 }
+#if KASAN_KALLOC
+ /* fixup the return address to skip the redzone */
+ addr = (void *)kasan_alloc((vm_offset_t)addr, size, req_size, PAGE_SIZE);
+#else
+ *psize = round_page(size);
+#endif
 return(addr);
 }
 #ifdef KALLOC_DEBUG
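Review bot: In the KASAN_KALLOC block, `size = round_page(req_size + 2 * PAGE_SIZE);` can wrap for a req_size within two pages of the top of vm_size_t, and the assert that follows only checks lower bounds, so a wrapped value slips through unless it happens to land below kalloc_max_prerounded; the large path would then map less than was requested. An `assert(size > req_size);` after the rounding, or an explicit overflow check before it, closes that; whether kasan_alloc_resize already rejects such sizes is not visible here. The replacement `if (site) tag = vm_tag_alloc(site);` is much clearer than the old self-assigning conditional, but it is still a braceless single-line if in a function that braces its other ifs. kalloc_canblock starts and ends outside this hunk.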
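Review bot: At `@@ -518`, `*psize = round_page(size);` reports the page-rounded size to the caller while the accounting just above it (`KALLOC_ZINFO_SALLOC(size);`, and presumably the kalloc_large_total update outside the hunk) still uses the unrounded `size`; if callers now keep `*psize` and pass it back to kfree, whose `kalloc_large_total -= size` is visible at `@@ -584`, the large-allocation totals drift by the rounding slack on every allocate/free pair. Either round before the accounting (`size = round_page(size);` ahead of it, then `*psize = size;`) or document that the totals are in requested bytes and that kfree must be handed the original size. The function's body continues outside the hunk.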
@@ -525,8 +691,30 @@ kalloc_canblock(
 panic("%s: z %p (%s) but requested size %lu",
 __func__, z, z->zone_name, (unsigned long)size);
 #endif
+ assert(size <= z->elem_size);
- return zalloc_canblock(z, canblock);
+
+#if VM_MAX_TAG_ZONES
+ if (z->tags && site)
+ {
+ tag = vm_tag_alloc(site);
+ if (!canblock && !vm_allocation_zone_totals[tag]) tag = VM_KERN_MEMORY_KALLOC;
+ }
+#endif
+
+ addr = zalloc_canblock_tag(z, canblock, size, tag);
+
+#if KASAN_KALLOC
+ /* fixup the return address to skip the redzone */
+ addr = (void *)kasan_alloc((vm_offset_t)addr, z->elem_size, req_size, KASAN_GUARD_SIZE);
+
+ /* For KASan, the redzone lives in any additional space, so don't
+ * expand the allocation. */
+#else
+ *psize = z->elem_size;
+#endif
+
+ return addr;
 }
 void *
@@ -548,6 +736,20 @@ kfree(
 {
 zone_t z;
+#if KASAN_KALLOC
+ /*
+ * Resize back to the real allocation size and hand off to the KASan
+ * quarantine. `data` may then point to a different allocation.
+ */
+ vm_size_t user_size = size;
+ kasan_check_free((vm_address_t)data, size, KASAN_HEAP_KALLOC);
+ data = (void *)kasan_dealloc((vm_address_t)data, &size);
+ kasan_free(&data, &size, KASAN_HEAP_KALLOC, NULL, user_size, true);
+ if (!data) {
+ return;
+ }
+#endif
+
 if (size < MAX_SIZE_ZDLUT)
 z = get_zone_dlut(size);
 else if (size < kalloc_max_prerounded)
@@ -584,7 +786,6 @@ kfree(
 return;
 }
 kmem_free(alloc_map, (vm_offset_t)data, size);
-
 kalloc_spin_lock();
 kalloc_large_total -= size;
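Review bot: The VM_MAX_TAG_ZONES block puts the opening brace of `if (z->tags && site)` on its own line and then a braceless single-line `if (!canblock && !vm_allocation_zone_totals[tag]) tag = VM_KERN_MEMORY_KALLOC;`, neither of which matches the K&R bracing used elsewhere in this commit (`if (!data) {`); `if (z->tags && site) {` with the inner if braced on its own lines would read as one piece with the rest. `vm_allocation_zone_totals[tag]` is indexed with whatever vm_tag_alloc returned, so a one-line comment stating that tags are bounded by the table size (or an assert against that bound) would make the assumption visible. The new `return addr;` also differs from the `return(addr);` form the rest of kalloc_canblock uses. The function starts outside the hunk.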
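Review bot: The comment above the KASAN block in kfree (`@@ -548`) says `data` may point to a different allocation afterwards but not that `size` is rewritten as well, which is exactly what the zone selection below relies on — `if (size < MAX_SIZE_ZDLUT)` now sees the size kasan_dealloc/kasan_free wrote back, not the caller's. Suggest extending it to `quarantine. Both data and size may then describe a different allocation, and data may be NULL, in which case nothing is freed on this call.` kfree's parameter list and the rest of its body are outside the hunk.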
@@ -619,35 +820,6 @@ kalloc_zone(
 }
 #endif
-void
-kalloc_fake_zone_init(int zone_index)
-{
- kalloc_fake_zone_index = zone_index;
-}
-
-void
-kalloc_fake_zone_info(int *count,
- vm_size_t *cur_size, vm_size_t *max_size, vm_size_t *elem_size, vm_size_t *alloc_size,
- uint64_t *sum_size, int *collectable, int *exhaustable, int *caller_acct)
-{
- *count = kalloc_large_inuse;
- *cur_size = kalloc_large_total;
- *max_size = kalloc_large_max;
-
- if (kalloc_large_inuse) {
- *elem_size = kalloc_large_total / kalloc_large_inuse;
- *alloc_size = kalloc_large_total / kalloc_large_inuse;
- } else {
- *elem_size = 0;
- *alloc_size = 0;
- }
- *sum_size = kalloc_large_sum;
- *collectable = 0;
- *exhaustable = 0;
- *caller_acct = 0;
-}
-
-
 void
 OSMalloc_init(
 void)
@@ -799,3 +971,11 @@ OSFree(
 OSMalloc_Tagrele(tag);
 }
+
+uint32_t
+OSMalloc_size(
+ void *addr)
+{
+ return (uint32_t)kalloc_size(addr);
+}
+
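Review bot: `return (uint32_t)kalloc_size(addr);` in OSMalloc_size silently truncates a vm_size_t, so a kernel_map allocation whose size does not fit in 32 bits would be reported modulo 2^32 and a caller sizing a copy or a free from it would be misled. Unless the uint32_t return type is fixed by the OSMalloc declaration elsewhere, returning vm_size_t is safer; if it is fixed, `vm_size_t size = kalloc_size(addr); assert(size <= UINT32_MAX); return (uint32_t)size;` at least makes the truncation loud. The function also has no header comment, and it should say that addr must be a live OSMalloc/kalloc pointer, because the non-KASAN kalloc_size added in this commit panics via vm_map_lookup_kalloc_entry_locked on anything it cannot attribute rather than returning 0.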