Hi,

Currently two checks in the free() function confirm the correctness of
the freedsize argument. I think that it's better to check that the provided
freedsize falls into the same bucket that was recorded in the kmemusage
struct: it covers both cases.


Index: sys/kern/kern_malloc.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_malloc.c,v
retrieving revision 1.128
diff -u -p -r1.128 kern_malloc.c
--- sys/kern/kern_malloc.c      14 Mar 2015 03:38:50 -0000      1.128
+++ sys/kern/kern_malloc.c      9 Dec 2015 17:54:30 -0000
@@ -387,12 +387,10 @@ free(void *addr, int type, size_t freeds
                size = kup->ku_pagecnt << PAGE_SHIFT;
        s = splvm();
 #ifdef DIAGNOSTIC
-       if (freedsize != 0 && freedsize > size)
-               panic("free: size too large %zu > %ld (%p) type %s",
-                   freedsize, size, addr, memname[type]);
-       if (freedsize != 0 && size > MINALLOCSIZE && freedsize < size / 2)
-               panic("free: size too small %zu < %ld / 2 (%p) type %s",
-                   freedsize, size, addr, memname[type]);
+       if (freedsize != 0 && kup->ku_indx != BUCKETINDX(freedsize))
+               panic("free: size is wrong %zu (bucket %ld, should be
%d) type %s",
+                   freedsize, BUCKETINDX(freedsize),
+                   kup->ku_indx, memname[type]);
        /*
         * Check for returns of data that do not point to the
         * begi
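Review bot: On the page-backed path shown by the hunk's first context line (`size = kup->ku_pagecnt << PAGE_SHIFT;`), the removed "size too large" check compared freedsize against the page-rounded allocation, while the replacement compares only bucket indices; a freedsize that exceeds the page-rounded size but still maps to the same bucket now passes, so on that path the new check is looser, not equivalent, and either the description above should say so or the upper-bound comparison should be kept for allocations sized from ku_pagecnt. Two smaller points in the new panic(): `BUCKETINDX(freedsize)` is printed with %ld while `kup->ku_indx` is printed with %d, although the line above compares the two for equality, so the conversions should agree (the %ld looks carried over from the removed lines, where it formatted `size`); and the format string is split across two lines in the posted diff ("should be" / "%d) type %s"), so the hunk neither applies nor compiles as sent and should be re-posted without the mailer's line wrapping.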

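The claim above, that one bucket comparison covers both of the removed range checks, can be tried out against a small model of the allocator. The following C program is an added example written for this page, not code from OpenBSD or from the patch author: its bucketindx(), its kmemusage layout and its constants (MINALLOCSIZE 16, MAXALLOCSAVE 2048, 4 KiB pages) are assumptions that mimic the shape of the real definitions, and it runs both the removed pair of checks and the proposed one against the same record so the two policies can be compared for specific (request, freedsize) pairs and across a sweep of sizes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed constants for this stand-alone model (not OpenBSD's headers). */
#define MINALLOCSIZE	16UL	/* smallest bucket, index MINBUCKET */
#define MINBUCKET	4	/* 1 << 4 == MINALLOCSIZE */
#define MAXALLOCSAVE	2048UL	/* larger requests are page-backed */
#define PAGE_SHIFT	12

/* Model of BUCKETINDX(): index of the smallest power-of-two bucket that
 * holds size (the real macro is a nested conditional with the same result). */
static int
bucketindx(size_t size)
{
	int indx = MINBUCKET;
	while (((size_t)1 << indx) < size)
		indx++;
	return indx;
}

/* Model of the per-allocation record: bucket index of the request, plus
 * the page count when the request is page-backed (assumed layout). */
struct kmemusage {
	int	ku_indx;
	size_t	ku_pagecnt;
};

static void
model_malloc(size_t req, struct kmemusage *kup)
{
	kup->ku_indx = bucketindx(req);
	kup->ku_pagecnt = 0;
	if (((size_t)1 << kup->ku_indx) > MAXALLOCSAVE)
		kup->ku_pagecnt = (req + (1UL << PAGE_SHIFT) - 1) >> PAGE_SHIFT;
}

/* The size free() derives from the record: bucket size, or whole pages. */
static size_t
recorded_size(const struct kmemusage *kup)
{
	size_t size = (size_t)1 << kup->ku_indx;
	if (size > MAXALLOCSAVE)
		size = kup->ku_pagecnt << PAGE_SHIFT;
	return size;
}

/* The pair of checks the patch removes; true means freedsize is accepted. */
static bool
old_check(const struct kmemusage *kup, size_t freedsize)
{
	size_t size = recorded_size(kup);
	if (freedsize != 0 && freedsize > size)
		return false;
	if (freedsize != 0 && size > MINALLOCSIZE && freedsize < size / 2)
		return false;
	return true;
}

/* The check the patch adds: freedsize must map to the recorded bucket. */
static bool
new_check(const struct kmemusage *kup, size_t freedsize)
{
	return freedsize == 0 || kup->ku_indx == bucketindx(freedsize);
}

/* 0: both accept, 1: both reject, 2: only old rejects (new is looser),
 * 3: only new rejects (new is stricter). */
static int
classify(size_t req, size_t freedsize)
{
	struct kmemusage ku;
	model_malloc(req, &ku);
	bool o = old_check(&ku, freedsize), n = new_check(&ku, freedsize);
	if (o == n)
		return o ? 0 : 1;
	return o ? 3 : 2;
}

/* Probe every request up to max_req at the edges of both acceptance windows
 * and count pairs where only the old check rejects; *all_large reports
 * whether every such pair came from a page-backed allocation. */
static unsigned
count_looser(size_t max_req, bool *all_large)
{
	unsigned looser = 0;
	*all_large = true;
	for (size_t req = 1; req <= max_req; req++) {
		struct kmemusage ku;
		model_malloc(req, &ku);
		size_t size = recorded_size(&ku), bucket = (size_t)1 << ku.ku_indx;
		size_t probes[] = { size / 2 - 1, size / 2, size / 2 + 1,
		    size, size + 1, bucket, bucket + 1 };
		for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
			if (classify(req, probes[i]) == 2) {
				looser++;
				if (ku.ku_pagecnt == 0)
					*all_large = false;
			}
	}
	return looser;
}

/* True if the new check is looser somewhere, and only on the page path. */
static bool
looser_only_on_large(size_t max_req)
{
	bool all_large;
	return count_looser(max_req, &all_large) > 0 && all_large;
}

int
main(void)
{
	size_t cases[][2] = { {100, 100}, {100, 64}, {100, 200},
	    {12288, 7000}, {12288, 14000} };
	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
		printf("malloc(%zu) free(.., %zu): class %d\n",
		    cases[i][0], cases[i][1], classify(cases[i][0], cases[i][1]));
	printf("looser only on page-backed path: %d\n", looser_only_on_large(65536));
	return 0;
}
```

In this model the bucket comparison is stricter than the old pair for bucketed allocations (a freedsize of exactly half the bucket, which the old "size / 2" test tolerated, is rejected), but for page-backed allocations whose page-rounded size is not a power of two it is looser: a freedsize above the real allocation that still lands in the same power-of-two bucket is accepted, which is the case a reviewer would want to weigh before dropping the upper-bound comparison.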