Print this page
10093 kmem_log_enter() dereferences pointer before NULL check
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/os/kmem.c
+++ new/usr/src/uts/common/os/kmem.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright (c) 1994, 2010, Oracle and/or its affiliates. All rights reserved.
23 23 * Copyright (c) 2012, 2017 by Delphix. All rights reserved.
24 24 * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
25 25 * Copyright 2018, Joyent, Inc.
26 26 */
27 27
28 28 /*
29 29 * Kernel memory allocator, as described in the following two papers and a
30 30 * statement about the consolidator:
31 31 *
32 32 * Jeff Bonwick,
33 33 * The Slab Allocator: An Object-Caching Kernel Memory Allocator.
34 34 * Proceedings of the Summer 1994 Usenix Conference.
35 35 * Available as /shared/sac/PSARC/1994/028/materials/kmem.pdf.
36 36 *
37 37 * Jeff Bonwick and Jonathan Adams,
38 38 * Magazines and vmem: Extending the Slab Allocator to Many CPUs and
39 39 * Arbitrary Resources.
40 40 * Proceedings of the 2001 Usenix Conference.
41 41 * Available as /shared/sac/PSARC/2000/550/materials/vmem.pdf.
42 42 *
43 43 * kmem Slab Consolidator Big Theory Statement:
44 44 *
45 45 * 1. Motivation
46 46 *
47 47 * As stated in Bonwick94, slabs provide the following advantages over other
48 48 * allocation structures in terms of memory fragmentation:
49 49 *
50 50 * - Internal fragmentation (per-buffer wasted space) is minimal.
51 51 * - Severe external fragmentation (unused buffers on the free list) is
52 52 * unlikely.
53 53 *
54 54 * Segregating objects by size eliminates one source of external fragmentation,
55 55 * and according to Bonwick:
56 56 *
57 57 * The other reason that slabs reduce external fragmentation is that all
58 58 * objects in a slab are of the same type, so they have the same lifetime
59 59 * distribution. The resulting segregation of short-lived and long-lived
60 60 * objects at slab granularity reduces the likelihood of an entire page being
61 61 * held hostage due to a single long-lived allocation [Barrett93, Hanson90].
62 62 *
63 63 * While unlikely, severe external fragmentation remains possible. Clients that
64 64 * allocate both short- and long-lived objects from the same cache cannot
65 65 * anticipate the distribution of long-lived objects within the allocator's slab
66 66 * implementation. Even a small percentage of long-lived objects distributed
67 67 * randomly across many slabs can lead to a worst case scenario where the client
68 68 * frees the majority of its objects and the system gets back almost none of the
69 69 * slabs. Despite the client doing what it reasonably can to help the system
70 70 * reclaim memory, the allocator cannot shake free enough slabs because of
71 71 * lonely allocations stubbornly hanging on. Although the allocator is in a
72 72 * position to diagnose the fragmentation, there is nothing that the allocator
73 73 * by itself can do about it. It only takes a single allocated object to prevent
74 74 * an entire slab from being reclaimed, and any object handed out by
75 75 * kmem_cache_alloc() is by definition in the client's control. Conversely,
76 76 * although the client is in a position to move a long-lived object, it has no
77 77 * way of knowing if the object is causing fragmentation, and if so, where to
78 78 * move it. A solution necessarily requires further cooperation between the
79 79 * allocator and the client.
80 80 *
81 81 * 2. Move Callback
82 82 *
83 83 * The kmem slab consolidator therefore adds a move callback to the
84 84 * allocator/client interface, improving worst-case external fragmentation in
85 85 * kmem caches that supply a function to move objects from one memory location
86 86 * to another. In a situation of low memory kmem attempts to consolidate all of
87 87 * a cache's slabs at once; otherwise it works slowly to bring external
88 88 * fragmentation within the 1/8 limit guaranteed for internal fragmentation,
89 89 * thereby helping to avoid a low memory situation in the future.
90 90 *
91 91 * The callback has the following signature:
92 92 *
93 93 * kmem_cbrc_t move(void *old, void *new, size_t size, void *user_arg)
94 94 *
95 95 * It supplies the kmem client with two addresses: the allocated object that
96 96 * kmem wants to move and a buffer selected by kmem for the client to use as the
97 97 * copy destination. The callback is kmem's way of saying "Please get off of
98 98 * this buffer and use this one instead." kmem knows where it wants to move the
99 99 * object in order to best reduce fragmentation. All the client needs to know
100 100 * about the second argument (void *new) is that it is an allocated, constructed
101 101 * object ready to take the contents of the old object. When the move function
102 102 * is called, the system is likely to be low on memory, and the new object
103 103 * spares the client from having to worry about allocating memory for the
104 104 * requested move. The third argument supplies the size of the object, in case a
105 105 * single move function handles multiple caches whose objects differ only in
106 106 * size (such as zio_buf_512, zio_buf_1024, etc). Finally, the same optional
107 107 * user argument passed to the constructor, destructor, and reclaim functions is
108 108 * also passed to the move callback.
109 109 *
110 110 * 2.1 Setting the Move Callback
111 111 *
112 112 * The client sets the move callback after creating the cache and before
113 113 * allocating from it:
114 114 *
115 115 * object_cache = kmem_cache_create(...);
116 116 * kmem_cache_set_move(object_cache, object_move);
117 117 *
118 118 * 2.2 Move Callback Return Values
119 119 *
120 120 * Only the client knows about its own data and when is a good time to move it.
121 121 * The client is cooperating with kmem to return unused memory to the system,
122 122 * and kmem respectfully accepts this help at the client's convenience. When
123 123 * asked to move an object, the client can respond with any of the following:
124 124 *
125 125 * typedef enum kmem_cbrc {
126 126 * KMEM_CBRC_YES,
127 127 * KMEM_CBRC_NO,
128 128 * KMEM_CBRC_LATER,
129 129 * KMEM_CBRC_DONT_NEED,
130 130 * KMEM_CBRC_DONT_KNOW
131 131 * } kmem_cbrc_t;
132 132 *
133 133 * The client must not explicitly kmem_cache_free() either of the objects passed
134 134 * to the callback, since kmem wants to free them directly to the slab layer
135 135 * (bypassing the per-CPU magazine layer). The response tells kmem which of the
136 136 * objects to free:
137 137 *
138 138 * YES: (Did it) The client moved the object, so kmem frees the old one.
139 139 * NO: (Never) The client refused, so kmem frees the new object (the
140 140 * unused copy destination). kmem also marks the slab of the old
141 141 * object so as not to bother the client with further callbacks for
142 142 * that object as long as the slab remains on the partial slab list.
143 143 * (The system won't be getting the slab back as long as the
144 144 * immovable object holds it hostage, so there's no point in moving
145 145 * any of its objects.)
146 146 * LATER: The client is using the object and cannot move it now, so kmem
147 147 * frees the new object (the unused copy destination). kmem still
148 148 * attempts to move other objects off the slab, since it expects to
149 149 * succeed in clearing the slab in a later callback. The client
150 150 * should use LATER instead of NO if the object is likely to become
151 151 * movable very soon.
152 152 * DONT_NEED: The client no longer needs the object, so kmem frees the old along
153 153 * with the new object (the unused copy destination). This response
154 154 * is the client's opportunity to be a model citizen and give back as
155 155 * much as it can.
156 156 * DONT_KNOW: The client does not know about the object because
157 157 * a) the client has just allocated the object and not yet put it
158 158 * wherever it expects to find known objects
159 159 * b) the client has removed the object from wherever it expects to
160 160 * find known objects and is about to free it, or
161 161 * c) the client has freed the object.
162 162 * In all these cases (a, b, and c) kmem frees the new object (the
163 163 * unused copy destination). In the first case, the object is in
164 164 * use and the correct action is that for LATER; in the latter two
165 165 * cases, we know that the object is either freed or about to be
166 166 * freed, in which case it is either already in a magazine or about
167 167 * to be in one. In these cases, we know that the object will either
168 168 * be reallocated and reused, or it will end up in a full magazine
169 169 * that will be reaped (thereby liberating the slab). Because it
170 170 * is prohibitively expensive to differentiate these cases, and
171 171 * because the defrag code is executed when we're low on memory
172 172 * (thereby biasing the system to reclaim full magazines) we treat
173 173 * all DONT_KNOW cases as LATER and rely on cache reaping to
174 174 * generally clean up full magazines. While we take the same action
175 175 * for these cases, we maintain their semantic distinction: if
176 176 * defragmentation is not occurring, it is useful to know if this
177 177 * is due to objects in use (LATER) or objects in an unknown state
178 178 * of transition (DONT_KNOW).
179 179 *
180 180 * 2.3 Object States
181 181 *
182 182 * Neither kmem nor the client can be assumed to know the object's whereabouts
183 183 * at the time of the callback. An object belonging to a kmem cache may be in
184 184 * any of the following states:
185 185 *
186 186 * 1. Uninitialized on the slab
187 187 * 2. Allocated from the slab but not constructed (still uninitialized)
188 188 * 3. Allocated from the slab, constructed, but not yet ready for business
189 189 * (not in a valid state for the move callback)
190 190 * 4. In use (valid and known to the client)
191 191 * 5. About to be freed (no longer in a valid state for the move callback)
192 192 * 6. Freed to a magazine (still constructed)
193 193 * 7. Allocated from a magazine, not yet ready for business (not in a valid
194 194 * state for the move callback), and about to return to state #4
195 195 * 8. Deconstructed on a magazine that is about to be freed
196 196 * 9. Freed to the slab
197 197 *
198 198 * Since the move callback may be called at any time while the object is in any
199 199 * of the above states (except state #1), the client needs a safe way to
200 200 * determine whether or not it knows about the object. Specifically, the client
201 201 * needs to know whether or not the object is in state #4, the only state in
202 202 * which a move is valid. If the object is in any other state, the client should
203 203 * immediately return KMEM_CBRC_DONT_KNOW, since it is unsafe to access any of
204 204 * the object's fields.
205 205 *
206 206 * Note that although an object may be in state #4 when kmem initiates the move
207 207 * request, the object may no longer be in that state by the time kmem actually
208 208 * calls the move function. Not only does the client free objects
209 209 * asynchronously, kmem itself puts move requests on a queue where thay are
210 210 * pending until kmem processes them from another context. Also, objects freed
211 211 * to a magazine appear allocated from the point of view of the slab layer, so
212 212 * kmem may even initiate requests for objects in a state other than state #4.
213 213 *
214 214 * 2.3.1 Magazine Layer
215 215 *
216 216 * An important insight revealed by the states listed above is that the magazine
217 217 * layer is populated only by kmem_cache_free(). Magazines of constructed
218 218 * objects are never populated directly from the slab layer (which contains raw,
219 219 * unconstructed objects). Whenever an allocation request cannot be satisfied
220 220 * from the magazine layer, the magazines are bypassed and the request is
221 221 * satisfied from the slab layer (creating a new slab if necessary). kmem calls
222 222 * the object constructor only when allocating from the slab layer, and only in
223 223 * response to kmem_cache_alloc() or to prepare the destination buffer passed in
224 224 * the move callback. kmem does not preconstruct objects in anticipation of
225 225 * kmem_cache_alloc().
226 226 *
227 227 * 2.3.2 Object Constructor and Destructor
228 228 *
229 229 * If the client supplies a destructor, it must be valid to call the destructor
230 230 * on a newly created object (immediately after the constructor).
231 231 *
232 232 * 2.4 Recognizing Known Objects
233 233 *
234 234 * There is a simple test to determine safely whether or not the client knows
235 235 * about a given object in the move callback. It relies on the fact that kmem
236 236 * guarantees that the object of the move callback has only been touched by the
237 237 * client itself or else by kmem. kmem does this by ensuring that none of the
238 238 * cache's slabs are freed to the virtual memory (VM) subsystem while a move
239 239 * callback is pending. When the last object on a slab is freed, if there is a
240 240 * pending move, kmem puts the slab on a per-cache dead list and defers freeing
241 241 * slabs on that list until all pending callbacks are completed. That way,
242 242 * clients can be certain that the object of a move callback is in one of the
243 243 * states listed above, making it possible to distinguish known objects (in
244 244 * state #4) using the two low order bits of any pointer member (with the
245 245 * exception of 'char *' or 'short *' which may not be 4-byte aligned on some
246 246 * platforms).
247 247 *
248 248 * The test works as long as the client always transitions objects from state #4
249 249 * (known, in use) to state #5 (about to be freed, invalid) by setting the low
250 250 * order bit of the client-designated pointer member. Since kmem only writes
251 251 * invalid memory patterns, such as 0xbaddcafe to uninitialized memory and
252 252 * 0xdeadbeef to freed memory, any scribbling on the object done by kmem is
253 253 * guaranteed to set at least one of the two low order bits. Therefore, given an
254 254 * object with a back pointer to a 'container_t *o_container', the client can
255 255 * test
256 256 *
257 257 * container_t *container = object->o_container;
258 258 * if ((uintptr_t)container & 0x3) {
259 259 * return (KMEM_CBRC_DONT_KNOW);
260 260 * }
261 261 *
262 262 * Typically, an object will have a pointer to some structure with a list or
263 263 * hash where objects from the cache are kept while in use. Assuming that the
264 264 * client has some way of knowing that the container structure is valid and will
265 265 * not go away during the move, and assuming that the structure includes a lock
266 266 * to protect whatever collection is used, then the client would continue as
267 267 * follows:
268 268 *
269 269 * // Ensure that the container structure does not go away.
270 270 * if (container_hold(container) == 0) {
271 271 * return (KMEM_CBRC_DONT_KNOW);
272 272 * }
273 273 * mutex_enter(&container->c_objects_lock);
274 274 * if (container != object->o_container) {
275 275 * mutex_exit(&container->c_objects_lock);
276 276 * container_rele(container);
277 277 * return (KMEM_CBRC_DONT_KNOW);
278 278 * }
279 279 *
280 280 * At this point the client knows that the object cannot be freed as long as
281 281 * c_objects_lock is held. Note that after acquiring the lock, the client must
282 282 * recheck the o_container pointer in case the object was removed just before
283 283 * acquiring the lock.
284 284 *
285 285 * When the client is about to free an object, it must first remove that object
286 286 * from the list, hash, or other structure where it is kept. At that time, to
287 287 * mark the object so it can be distinguished from the remaining, known objects,
288 288 * the client sets the designated low order bit:
289 289 *
290 290 * mutex_enter(&container->c_objects_lock);
291 291 * object->o_container = (void *)((uintptr_t)object->o_container | 0x1);
292 292 * list_remove(&container->c_objects, object);
293 293 * mutex_exit(&container->c_objects_lock);
294 294 *
295 295 * In the common case, the object is freed to the magazine layer, where it may
296 296 * be reused on a subsequent allocation without the overhead of calling the
297 297 * constructor. While in the magazine it appears allocated from the point of
298 298 * view of the slab layer, making it a candidate for the move callback. Most
299 299 * objects unrecognized by the client in the move callback fall into this
300 300 * category and are cheaply distinguished from known objects by the test
301 301 * described earlier. Because searching magazines is prohibitively expensive
302 302 * for kmem, clients that do not mark freed objects (and therefore return
303 303 * KMEM_CBRC_DONT_KNOW for large numbers of objects) may find defragmentation
304 304 * efficacy reduced.
305 305 *
306 306 * Invalidating the designated pointer member before freeing the object marks
307 307 * the object to be avoided in the callback, and conversely, assigning a valid
308 308 * value to the designated pointer member after allocating the object makes the
309 309 * object fair game for the callback:
310 310 *
311 311 * ... allocate object ...
312 312 * ... set any initial state not set by the constructor ...
313 313 *
314 314 * mutex_enter(&container->c_objects_lock);
315 315 * list_insert_tail(&container->c_objects, object);
316 316 * membar_producer();
317 317 * object->o_container = container;
318 318 * mutex_exit(&container->c_objects_lock);
319 319 *
320 320 * Note that everything else must be valid before setting o_container makes the
321 321 * object fair game for the move callback. The membar_producer() call ensures
322 322 * that all the object's state is written to memory before setting the pointer
323 323 * that transitions the object from state #3 or #7 (allocated, constructed, not
324 324 * yet in use) to state #4 (in use, valid). That's important because the move
325 325 * function has to check the validity of the pointer before it can safely
326 326 * acquire the lock protecting the collection where it expects to find known
327 327 * objects.
328 328 *
329 329 * This method of distinguishing known objects observes the usual symmetry:
330 330 * invalidating the designated pointer is the first thing the client does before
331 331 * freeing the object, and setting the designated pointer is the last thing the
332 332 * client does after allocating the object. Of course, the client is not
333 333 * required to use this method. Fundamentally, how the client recognizes known
334 334 * objects is completely up to the client, but this method is recommended as an
335 335 * efficient and safe way to take advantage of the guarantees made by kmem. If
336 336 * the entire object is arbitrary data without any markable bits from a suitable
337 337 * pointer member, then the client must find some other method, such as
338 338 * searching a hash table of known objects.
339 339 *
340 340 * 2.5 Preventing Objects From Moving
341 341 *
342 342 * Besides a way to distinguish known objects, the other thing that the client
343 343 * needs is a strategy to ensure that an object will not move while the client
344 344 * is actively using it. The details of satisfying this requirement tend to be
345 345 * highly cache-specific. It might seem that the same rules that let a client
346 346 * remove an object safely should also decide when an object can be moved
347 347 * safely. However, any object state that makes a removal attempt invalid is
348 348 * likely to be long-lasting for objects that the client does not expect to
349 349 * remove. kmem knows nothing about the object state and is equally likely (from
350 350 * the client's point of view) to request a move for any object in the cache,
351 351 * whether prepared for removal or not. Even a low percentage of objects stuck
352 352 * in place by unremovability will defeat the consolidator if the stuck objects
353 353 * are the same long-lived allocations likely to hold slabs hostage.
354 354 * Fundamentally, the consolidator is not aimed at common cases. Severe external
355 355 * fragmentation is a worst case scenario manifested as sparsely allocated
356 356 * slabs, by definition a low percentage of the cache's objects. When deciding
357 357 * what makes an object movable, keep in mind the goal of the consolidator: to
358 358 * bring worst-case external fragmentation within the limits guaranteed for
359 359 * internal fragmentation. Removability is a poor criterion if it is likely to
360 360 * exclude more than an insignificant percentage of objects for long periods of
361 361 * time.
362 362 *
363 363 * A tricky general solution exists, and it has the advantage of letting you
364 364 * move any object at almost any moment, practically eliminating the likelihood
365 365 * that an object can hold a slab hostage. However, if there is a cache-specific
366 366 * way to ensure that an object is not actively in use in the vast majority of
367 367 * cases, a simpler solution that leverages this cache-specific knowledge is
368 368 * preferred.
369 369 *
370 370 * 2.5.1 Cache-Specific Solution
371 371 *
372 372 * As an example of a cache-specific solution, the ZFS znode cache takes
373 373 * advantage of the fact that the vast majority of znodes are only being
374 374 * referenced from the DNLC. (A typical case might be a few hundred in active
375 375 * use and a hundred thousand in the DNLC.) In the move callback, after the ZFS
376 376 * client has established that it recognizes the znode and can access its fields
377 377 * safely (using the method described earlier), it then tests whether the znode
378 378 * is referenced by anything other than the DNLC. If so, it assumes that the
379 379 * znode may be in active use and is unsafe to move, so it drops its locks and
380 380 * returns KMEM_CBRC_LATER. The advantage of this strategy is that everywhere
381 381 * else znodes are used, no change is needed to protect against the possibility
382 382 * of the znode moving. The disadvantage is that it remains possible for an
383 383 * application to hold a znode slab hostage with an open file descriptor.
384 384 * However, this case ought to be rare and the consolidator has a way to deal
385 385 * with it: If the client responds KMEM_CBRC_LATER repeatedly for the same
386 386 * object, kmem eventually stops believing it and treats the slab as if the
387 387 * client had responded KMEM_CBRC_NO. Having marked the hostage slab, kmem can
388 388 * then focus on getting it off of the partial slab list by allocating rather
389 389 * than freeing all of its objects. (Either way of getting a slab off the
390 390 * free list reduces fragmentation.)
391 391 *
392 392 * 2.5.2 General Solution
393 393 *
394 394 * The general solution, on the other hand, requires an explicit hold everywhere
395 395 * the object is used to prevent it from moving. To keep the client locking
396 396 * strategy as uncomplicated as possible, kmem guarantees the simplifying
397 397 * assumption that move callbacks are sequential, even across multiple caches.
398 398 * Internally, a global queue processed by a single thread supports all caches
399 399 * implementing the callback function. No matter how many caches supply a move
400 400 * function, the consolidator never moves more than one object at a time, so the
401 401 * client does not have to worry about tricky lock ordering involving several
402 402 * related objects from different kmem caches.
403 403 *
404 404 * The general solution implements the explicit hold as a read-write lock, which
405 405 * allows multiple readers to access an object from the cache simultaneously
406 406 * while a single writer is excluded from moving it. A single rwlock for the
407 407 * entire cache would lock out all threads from using any of the cache's objects
408 408 * even though only a single object is being moved, so to reduce contention,
409 409 * the client can fan out the single rwlock into an array of rwlocks hashed by
410 410 * the object address, making it probable that moving one object will not
411 411 * prevent other threads from using a different object. The rwlock cannot be a
412 412 * member of the object itself, because the possibility of the object moving
413 413 * makes it unsafe to access any of the object's fields until the lock is
414 414 * acquired.
415 415 *
416 416 * Assuming a small, fixed number of locks, it's possible that multiple objects
417 417 * will hash to the same lock. A thread that needs to use multiple objects in
418 418 * the same function may acquire the same lock multiple times. Since rwlocks are
419 419 * reentrant for readers, and since there is never more than a single writer at
420 420 * a time (assuming that the client acquires the lock as a writer only when
421 421 * moving an object inside the callback), there would seem to be no problem.
422 422 * However, a client locking multiple objects in the same function must handle
423 423 * one case of potential deadlock: Assume that thread A needs to prevent both
424 424 * object 1 and object 2 from moving, and thread B, the callback, meanwhile
425 425 * tries to move object 3. It's possible, if objects 1, 2, and 3 all hash to the
426 426 * same lock, that thread A will acquire the lock for object 1 as a reader
427 427 * before thread B sets the lock's write-wanted bit, preventing thread A from
428 428 * reacquiring the lock for object 2 as a reader. Unable to make forward
429 429 * progress, thread A will never release the lock for object 1, resulting in
430 430 * deadlock.
431 431 *
432 432 * There are two ways of avoiding the deadlock just described. The first is to
433 433 * use rw_tryenter() rather than rw_enter() in the callback function when
434 434 * attempting to acquire the lock as a writer. If tryenter discovers that the
435 435 * same object (or another object hashed to the same lock) is already in use, it
436 436 * aborts the callback and returns KMEM_CBRC_LATER. The second way is to use
437 437 * rprwlock_t (declared in common/fs/zfs/sys/rprwlock.h) instead of rwlock_t,
438 438 * since it allows a thread to acquire the lock as a reader in spite of a
439 439 * waiting writer. This second approach insists on moving the object now, no
440 440 * matter how many readers the move function must wait for in order to do so,
441 441 * and could delay the completion of the callback indefinitely (blocking
442 442 * callbacks to other clients). In practice, a less insistent callback using
443 443 * rw_tryenter() returns KMEM_CBRC_LATER infrequently enough that there seems
444 444 * little reason to use anything else.
445 445 *
446 446 * Avoiding deadlock is not the only problem that an implementation using an
447 447 * explicit hold needs to solve. Locking the object in the first place (to
448 448 * prevent it from moving) remains a problem, since the object could move
449 449 * between the time you obtain a pointer to the object and the time you acquire
450 450 * the rwlock hashed to that pointer value. Therefore the client needs to
451 451 * recheck the value of the pointer after acquiring the lock, drop the lock if
452 452 * the value has changed, and try again. This requires a level of indirection:
453 453 * something that points to the object rather than the object itself, that the
454 454 * client can access safely while attempting to acquire the lock. (The object
455 455 * itself cannot be referenced safely because it can move at any time.)
456 456 * The following lock-acquisition function takes whatever is safe to reference
457 457 * (arg), follows its pointer to the object (using function f), and tries as
458 458 * often as necessary to acquire the hashed lock and verify that the object
459 459 * still has not moved:
460 460 *
461 461 * object_t *
462 462 * object_hold(object_f f, void *arg)
463 463 * {
464 464 * object_t *op;
465 465 *
466 466 * op = f(arg);
467 467 * if (op == NULL) {
468 468 * return (NULL);
469 469 * }
470 470 *
471 471 * rw_enter(OBJECT_RWLOCK(op), RW_READER);
472 472 * while (op != f(arg)) {
473 473 * rw_exit(OBJECT_RWLOCK(op));
474 474 * op = f(arg);
475 475 * if (op == NULL) {
476 476 * break;
477 477 * }
478 478 * rw_enter(OBJECT_RWLOCK(op), RW_READER);
479 479 * }
480 480 *
481 481 * return (op);
482 482 * }
483 483 *
484 484 * The OBJECT_RWLOCK macro hashes the object address to obtain the rwlock. The
485 485 * lock reacquisition loop, while necessary, almost never executes. The function
486 486 * pointer f (used to obtain the object pointer from arg) has the following type
487 487 * definition:
488 488 *
489 489 * typedef object_t *(*object_f)(void *arg);
490 490 *
491 491 * An object_f implementation is likely to be as simple as accessing a structure
492 492 * member:
493 493 *
494 494 * object_t *
495 495 * s_object(void *arg)
496 496 * {
497 497 * something_t *sp = arg;
498 498 * return (sp->s_object);
499 499 * }
500 500 *
501 501 * The flexibility of a function pointer allows the path to the object to be
502 502 * arbitrarily complex and also supports the notion that depending on where you
503 503 * are using the object, you may need to get it from someplace different.
504 504 *
505 505 * The function that releases the explicit hold is simpler because it does not
506 506 * have to worry about the object moving:
507 507 *
508 508 * void
509 509 * object_rele(object_t *op)
510 510 * {
511 511 * rw_exit(OBJECT_RWLOCK(op));
512 512 * }
513 513 *
514 514 * The caller is spared these details so that obtaining and releasing an
515 515 * explicit hold feels like a simple mutex_enter()/mutex_exit() pair. The caller
516 516 * of object_hold() only needs to know that the returned object pointer is valid
517 517 * if not NULL and that the object will not move until released.
518 518 *
519 519 * Although object_hold() prevents an object from moving, it does not prevent it
520 520 * from being freed. The caller must take measures before calling object_hold()
521 521 * (afterwards is too late) to ensure that the held object cannot be freed. The
522 522 * caller must do so without accessing the unsafe object reference, so any lock
523 523 * or reference count used to ensure the continued existence of the object must
524 524 * live outside the object itself.
525 525 *
526 526 * Obtaining a new object is a special case where an explicit hold is impossible
527 527 * for the caller. Any function that returns a newly allocated object (either as
528 528 * a return value, or as an in-out paramter) must return it already held; after
529 529 * the caller gets it is too late, since the object cannot be safely accessed
530 530 * without the level of indirection described earlier. The following
531 531 * object_alloc() example uses the same code shown earlier to transition a new
532 532 * object into the state of being recognized (by the client) as a known object.
533 533 * The function must acquire the hold (rw_enter) before that state transition
534 534 * makes the object movable:
535 535 *
536 536 * static object_t *
537 537 * object_alloc(container_t *container)
538 538 * {
539 539 * object_t *object = kmem_cache_alloc(object_cache, 0);
540 540 * ... set any initial state not set by the constructor ...
541 541 * rw_enter(OBJECT_RWLOCK(object), RW_READER);
542 542 * mutex_enter(&container->c_objects_lock);
543 543 * list_insert_tail(&container->c_objects, object);
544 544 * membar_producer();
545 545 * object->o_container = container;
546 546 * mutex_exit(&container->c_objects_lock);
547 547 * return (object);
548 548 * }
549 549 *
550 550 * Functions that implicitly acquire an object hold (any function that calls
551 551 * object_alloc() to supply an object for the caller) need to be carefully noted
552 552 * so that the matching object_rele() is not neglected. Otherwise, leaked holds
553 553 * prevent all objects hashed to the affected rwlocks from ever being moved.
554 554 *
555 555 * The pointer to a held object can be hashed to the holding rwlock even after
556 556 * the object has been freed. Although it is possible to release the hold
557 557 * after freeing the object, you may decide to release the hold implicitly in
558 558 * whatever function frees the object, so as to release the hold as soon as
559 559 * possible, and for the sake of symmetry with the function that implicitly
560 560 * acquires the hold when it allocates the object. Here, object_free() releases
561 561 * the hold acquired by object_alloc(). Its implicit object_rele() forms a
562 562 * matching pair with object_hold():
563 563 *
564 564 * void
565 565 * object_free(object_t *object)
566 566 * {
567 567 * container_t *container;
568 568 *
569 569 * ASSERT(object_held(object));
570 570 * container = object->o_container;
571 571 * mutex_enter(&container->c_objects_lock);
572 572 * object->o_container =
573 573 * (void *)((uintptr_t)object->o_container | 0x1);
574 574 * list_remove(&container->c_objects, object);
575 575 * mutex_exit(&container->c_objects_lock);
576 576 * object_rele(object);
577 577 * kmem_cache_free(object_cache, object);
578 578 * }
579 579 *
580 580 * Note that object_free() cannot safely accept an object pointer as an argument
581 581 * unless the object is already held. Any function that calls object_free()
582 582 * needs to be carefully noted since it similarly forms a matching pair with
583 583 * object_hold().
584 584 *
585 585 * To complete the picture, the following callback function implements the
586 586 * general solution by moving objects only if they are currently unheld:
587 587 *
588 588 * static kmem_cbrc_t
589 589 * object_move(void *buf, void *newbuf, size_t size, void *arg)
590 590 * {
591 591 * object_t *op = buf, *np = newbuf;
592 592 * container_t *container;
593 593 *
594 594 * container = op->o_container;
595 595 * if ((uintptr_t)container & 0x3) {
596 596 * return (KMEM_CBRC_DONT_KNOW);
597 597 * }
598 598 *
599 599 * // Ensure that the container structure does not go away.
600 600 * if (container_hold(container) == 0) {
601 601 * return (KMEM_CBRC_DONT_KNOW);
602 602 * }
603 603 *
604 604 * mutex_enter(&container->c_objects_lock);
605 605 * if (container != op->o_container) {
606 606 * mutex_exit(&container->c_objects_lock);
607 607 * container_rele(container);
608 608 * return (KMEM_CBRC_DONT_KNOW);
609 609 * }
610 610 *
611 611 * if (rw_tryenter(OBJECT_RWLOCK(op), RW_WRITER) == 0) {
612 612 * mutex_exit(&container->c_objects_lock);
613 613 * container_rele(container);
614 614 * return (KMEM_CBRC_LATER);
615 615 * }
616 616 *
617 617 * object_move_impl(op, np); // critical section
618 618 * rw_exit(OBJECT_RWLOCK(op));
619 619 *
620 620 * op->o_container = (void *)((uintptr_t)op->o_container | 0x1);
621 621 * list_link_replace(&op->o_link_node, &np->o_link_node);
622 622 * mutex_exit(&container->c_objects_lock);
623 623 * container_rele(container);
624 624 * return (KMEM_CBRC_YES);
625 625 * }
626 626 *
627 627 * Note that object_move() must invalidate the designated o_container pointer of
628 628 * the old object in the same way that object_free() does, since kmem will free
629 629 * the object in response to the KMEM_CBRC_YES return value.
630 630 *
631 631 * The lock order in object_move() differs from object_alloc(), which locks
632 632 * OBJECT_RWLOCK first and &container->c_objects_lock second, but as long as the
633 633 * callback uses rw_tryenter() (preventing the deadlock described earlier), it's
634 634 * not a problem. Holding the lock on the object list in the example above
635 635 * through the entire callback not only prevents the object from going away, it
636 636 * also allows you to lock the list elsewhere and know that none of its elements
637 637 * will move during iteration.
638 638 *
639 639 * Adding an explicit hold everywhere an object from the cache is used is tricky
640 640 * and involves much more change to client code than a cache-specific solution
641 641 * that leverages existing state to decide whether or not an object is
642 642 * movable. However, this approach has the advantage that no object remains
643 643 * immovable for any significant length of time, making it extremely unlikely
644 644 * that long-lived allocations can continue holding slabs hostage; and it works
645 645 * for any cache.
646 646 *
647 647 * 3. Consolidator Implementation
648 648 *
649 649 * Once the client supplies a move function that a) recognizes known objects and
650 650 * b) avoids moving objects that are actively in use, the remaining work is up
651 651 * to the consolidator to decide which objects to move and when to issue
652 652 * callbacks.
653 653 *
654 654 * The consolidator relies on the fact that a cache's slabs are ordered by
655 655 * usage. Each slab has a fixed number of objects. Depending on the slab's
656 656 * "color" (the offset of the first object from the beginning of the slab;
657 657 * offsets are staggered to mitigate false sharing of cache lines) it is either
658 658 * the maximum number of objects per slab determined at cache creation time or
659 659 * else the number closest to the maximum that fits within the space remaining
660 660 * after the initial offset. A completely allocated slab may contribute some
661 661 * internal fragmentation (per-slab overhead) but no external fragmentation, so
662 662 * it is of no interest to the consolidator. At the other extreme, slabs whose
663 663 * objects have all been freed to the slab are released to the virtual memory
664 664 * (VM) subsystem (objects freed to magazines are still allocated as far as the
665 665 * slab is concerned). External fragmentation exists when there are slabs
666 666 * somewhere between these extremes. A partial slab has at least one but not all
667 667 * of its objects allocated. The more partial slabs, and the fewer allocated
668 668 * objects on each of them, the higher the fragmentation. Hence the
669 669 * consolidator's overall strategy is to reduce the number of partial slabs by
670 670 * moving allocated objects from the least allocated slabs to the most allocated
671 671 * slabs.
672 672 *
673 673 * Partial slabs are kept in an AVL tree ordered by usage. Completely allocated
674 674 * slabs are kept separately in an unordered list. Since the majority of slabs
675 675 * tend to be completely allocated (a typical unfragmented cache may have
676 676 * thousands of complete slabs and only a single partial slab), separating
677 677 * complete slabs improves the efficiency of partial slab ordering, since the
678 678 * complete slabs do not affect the depth or balance of the AVL tree. This
679 679 * ordered sequence of partial slabs acts as a "free list" supplying objects for
680 680 * allocation requests.
681 681 *
682 682 * Objects are always allocated from the first partial slab in the free list,
683 683 * where the allocation is most likely to eliminate a partial slab (by
684 684 * completely allocating it). Conversely, when a single object from a completely
685 685 * allocated slab is freed to the slab, that slab is added to the front of the
686 686 * free list. Since most free list activity involves highly allocated slabs
687 687 * coming and going at the front of the list, slabs tend naturally toward the
688 688 * ideal order: highly allocated at the front, sparsely allocated at the back.
689 689 * Slabs with few allocated objects are likely to become completely free if they
690 690 * keep a safe distance away from the front of the free list. Slab misorders
691 691 * interfere with the natural tendency of slabs to become completely free or
692 692 * completely allocated. For example, a slab with a single allocated object
693 693 * needs only a single free to escape the cache; its natural desire is
694 694 * frustrated when it finds itself at the front of the list where a second
695 695 * allocation happens just before the free could have released it. Another slab
696 696 * with all but one object allocated might have supplied the buffer instead, so
697 697 * that both (as opposed to neither) of the slabs would have been taken off the
698 698 * free list.
699 699 *
700 700 * Although slabs tend naturally toward the ideal order, misorders allowed by a
701 701 * simple list implementation defeat the consolidator's strategy of merging
702 702 * least- and most-allocated slabs. Without an AVL tree to guarantee order, kmem
703 703 * needs another way to fix misorders to optimize its callback strategy. One
704 704 * approach is to periodically scan a limited number of slabs, advancing a
705 705 * marker to hold the current scan position, and to move extreme misorders to
706 706 * the front or back of the free list and to the front or back of the current
707 707 * scan range. By making consecutive scan ranges overlap by one slab, the least
708 708 * allocated slab in the current range can be carried along from the end of one
709 709 * scan to the start of the next.
710 710 *
711 711 * Maintaining partial slabs in an AVL tree relieves kmem of this additional
712 712 * task, however. Since most of the cache's activity is in the magazine layer,
713 713 * and allocations from the slab layer represent only a startup cost, the
714 714 * overhead of maintaining a balanced tree is not a significant concern compared
715 715 * to the opportunity of reducing complexity by eliminating the partial slab
716 716 * scanner just described. The overhead of an AVL tree is minimized by
717 717 * maintaining only partial slabs in the tree and keeping completely allocated
718 718 * slabs separately in a list. To avoid increasing the size of the slab
719 719 * structure the AVL linkage pointers are reused for the slab's list linkage,
720 720 * since the slab will always be either partial or complete, never stored both
721 721 * ways at the same time. To further minimize the overhead of the AVL tree the
722 722 * compare function that orders partial slabs by usage divides the range of
723 723 * allocated object counts into bins such that counts within the same bin are
724 724 * considered equal. Binning partial slabs makes it less likely that allocating
725 725 * or freeing a single object will change the slab's order, requiring a tree
726 726 * reinsertion (an avl_remove() followed by an avl_add(), both potentially
727 727 * requiring some rebalancing of the tree). Allocation counts closest to
728 728 * completely free and completely allocated are left unbinned (finely sorted) to
729 729 * better support the consolidator's strategy of merging slabs at either
730 730 * extreme.
731 731 *
732 732 * 3.1 Assessing Fragmentation and Selecting Candidate Slabs
733 733 *
734 734 * The consolidator piggybacks on the kmem maintenance thread and is called on
735 735 * the same interval as kmem_cache_update(), once per cache every fifteen
736 736 * seconds. kmem maintains a running count of unallocated objects in the slab
737 737 * layer (cache_bufslab). The consolidator checks whether that number exceeds
738 738 * 12.5% (1/8) of the total objects in the cache (cache_buftotal), and whether
739 739 * there is a significant number of slabs in the cache (arbitrarily a minimum
740 740 * 101 total slabs). Unused objects that have fallen out of the magazine layer's
741 741 * working set are included in the assessment, and magazines in the depot are
742 742 * reaped if those objects would lift cache_bufslab above the fragmentation
743 743 * threshold. Once the consolidator decides that a cache is fragmented, it looks
744 744 * for a candidate slab to reclaim, starting at the end of the partial slab free
745 745 * list and scanning backwards. At first the consolidator is choosy: only a slab
746 746 * with fewer than 12.5% (1/8) of its objects allocated qualifies (or else a
747 747 * single allocated object, regardless of percentage). If there is difficulty
748 748 * finding a candidate slab, kmem raises the allocation threshold incrementally,
749 749 * up to a maximum 87.5% (7/8), so that eventually the consolidator will reduce
750 750 * external fragmentation (unused objects on the free list) below 12.5% (1/8),
751 751 * even in the worst case of every slab in the cache being almost 7/8 allocated.
752 752 * The threshold can also be lowered incrementally when candidate slabs are easy
753 753 * to find, and the threshold is reset to the minimum 1/8 as soon as the cache
754 754 * is no longer fragmented.
755 755 *
756 756 * 3.2 Generating Callbacks
757 757 *
758 758 * Once an eligible slab is chosen, a callback is generated for every allocated
759 759 * object on the slab, in the hope that the client will move everything off the
760 760 * slab and make it reclaimable. Objects selected as move destinations are
761 761 * chosen from slabs at the front of the free list. Assuming slabs in the ideal
762 762 * order (most allocated at the front, least allocated at the back) and a
763 763 * cooperative client, the consolidator will succeed in removing slabs from both
764 764 * ends of the free list, completely allocating on the one hand and completely
765 765 * freeing on the other. Objects selected as move destinations are allocated in
766 766 * the kmem maintenance thread where move requests are enqueued. A separate
767 767 * callback thread removes pending callbacks from the queue and calls the
768 768 * client. The separate thread ensures that client code (the move function) does
769 769 * not interfere with internal kmem maintenance tasks. A map of pending
770 770 * callbacks keyed by object address (the object to be moved) is checked to
771 771 * ensure that duplicate callbacks are not generated for the same object.
772 772 * Allocating the move destination (the object to move to) prevents subsequent
773 773 * callbacks from selecting the same destination as an earlier pending callback.
774 774 *
775 775 * Move requests can also be generated by kmem_cache_reap() when the system is
776 776 * desperate for memory and by kmem_cache_move_notify(), called by the client to
777 777 * notify kmem that a move refused earlier with KMEM_CBRC_LATER is now possible.
778 778 * The map of pending callbacks is protected by the same lock that protects the
779 779 * slab layer.
780 780 *
781 781 * When the system is desperate for memory, kmem does not bother to determine
782 782 * whether or not the cache exceeds the fragmentation threshold, but tries to
783 783 * consolidate as many slabs as possible. Normally, the consolidator chews
784 784 * slowly, one sparsely allocated slab at a time during each maintenance
785 785 * interval that the cache is fragmented. When desperate, the consolidator
786 786 * starts at the last partial slab and enqueues callbacks for every allocated
787 787 * object on every partial slab, working backwards until it reaches the first
788 788 * partial slab. The first partial slab, meanwhile, advances in pace with the
789 789 * consolidator as allocations to supply move destinations for the enqueued
790 790 * callbacks use up the highly allocated slabs at the front of the free list.
791 791 * Ideally, the overgrown free list collapses like an accordion, starting at
792 792 * both ends and ending at the center with a single partial slab.
793 793 *
794 794 * 3.3 Client Responses
795 795 *
796 796 * When the client returns KMEM_CBRC_NO in response to the move callback, kmem
797 797 * marks the slab that supplied the stuck object non-reclaimable and moves it to
798 798 * front of the free list. The slab remains marked as long as it remains on the
799 799 * free list, and it appears more allocated to the partial slab compare function
800 800 * than any unmarked slab, no matter how many of its objects are allocated.
801 801 * Since even one immovable object ties up the entire slab, the goal is to
802 802 * completely allocate any slab that cannot be completely freed. kmem does not
803 803 * bother generating callbacks to move objects from a marked slab unless the
804 804 * system is desperate.
805 805 *
806 806 * When the client responds KMEM_CBRC_LATER, kmem increments a count for the
807 807 * slab. If the client responds LATER too many times, kmem disbelieves and
808 808 * treats the response as a NO. The count is cleared when the slab is taken off
809 809 * the partial slab list or when the client moves one of the slab's objects.
810 810 *
811 811 * 4. Observability
812 812 *
813 813 * A kmem cache's external fragmentation is best observed with 'mdb -k' using
814 814 * the ::kmem_slabs dcmd. For a complete description of the command, enter
815 815 * '::help kmem_slabs' at the mdb prompt.
816 816 */
817 817
818 818 #include <sys/kmem_impl.h>
819 819 #include <sys/vmem_impl.h>
820 820 #include <sys/param.h>
821 821 #include <sys/sysmacros.h>
822 822 #include <sys/vm.h>
823 823 #include <sys/proc.h>
824 824 #include <sys/tuneable.h>
825 825 #include <sys/systm.h>
826 826 #include <sys/cmn_err.h>
827 827 #include <sys/debug.h>
828 828 #include <sys/sdt.h>
829 829 #include <sys/mutex.h>
830 830 #include <sys/bitmap.h>
831 831 #include <sys/atomic.h>
832 832 #include <sys/kobj.h>
833 833 #include <sys/disp.h>
834 834 #include <vm/seg_kmem.h>
835 835 #include <sys/log.h>
836 836 #include <sys/callb.h>
837 837 #include <sys/taskq.h>
838 838 #include <sys/modctl.h>
839 839 #include <sys/reboot.h>
840 840 #include <sys/id32.h>
841 841 #include <sys/zone.h>
842 842 #include <sys/netstack.h>
843 843 #ifdef DEBUG
844 844 #include <sys/random.h>
845 845 #endif
846 846
847 847 extern void streams_msg_init(void);
848 848 extern int segkp_fromheap;
849 849 extern void segkp_cache_free(void);
850 850 extern int callout_init_done;
851 851
852 852 struct kmem_cache_kstat {
853 853 kstat_named_t kmc_buf_size;
854 854 kstat_named_t kmc_align;
855 855 kstat_named_t kmc_chunk_size;
856 856 kstat_named_t kmc_slab_size;
857 857 kstat_named_t kmc_alloc;
858 858 kstat_named_t kmc_alloc_fail;
859 859 kstat_named_t kmc_free;
860 860 kstat_named_t kmc_depot_alloc;
861 861 kstat_named_t kmc_depot_free;
862 862 kstat_named_t kmc_depot_contention;
863 863 kstat_named_t kmc_slab_alloc;
864 864 kstat_named_t kmc_slab_free;
865 865 kstat_named_t kmc_buf_constructed;
866 866 kstat_named_t kmc_buf_avail;
867 867 kstat_named_t kmc_buf_inuse;
868 868 kstat_named_t kmc_buf_total;
869 869 kstat_named_t kmc_buf_max;
870 870 kstat_named_t kmc_slab_create;
871 871 kstat_named_t kmc_slab_destroy;
872 872 kstat_named_t kmc_vmem_source;
873 873 kstat_named_t kmc_hash_size;
874 874 kstat_named_t kmc_hash_lookup_depth;
875 875 kstat_named_t kmc_hash_rescale;
876 876 kstat_named_t kmc_full_magazines;
877 877 kstat_named_t kmc_empty_magazines;
878 878 kstat_named_t kmc_magazine_size;
879 879 kstat_named_t kmc_reap; /* number of kmem_cache_reap() calls */
880 880 kstat_named_t kmc_defrag; /* attempts to defrag all partial slabs */
881 881 kstat_named_t kmc_scan; /* attempts to defrag one partial slab */
882 882 kstat_named_t kmc_move_callbacks; /* sum of yes, no, later, dn, dk */
883 883 kstat_named_t kmc_move_yes;
884 884 kstat_named_t kmc_move_no;
885 885 kstat_named_t kmc_move_later;
886 886 kstat_named_t kmc_move_dont_need;
887 887 kstat_named_t kmc_move_dont_know; /* obj unrecognized by client ... */
888 888 kstat_named_t kmc_move_hunt_found; /* ... but found in mag layer */
889 889 kstat_named_t kmc_move_slabs_freed; /* slabs freed by consolidator */
890 890 kstat_named_t kmc_move_reclaimable; /* buffers, if consolidator ran */
891 891 } kmem_cache_kstat = {
892 892 { "buf_size", KSTAT_DATA_UINT64 },
893 893 { "align", KSTAT_DATA_UINT64 },
894 894 { "chunk_size", KSTAT_DATA_UINT64 },
895 895 { "slab_size", KSTAT_DATA_UINT64 },
896 896 { "alloc", KSTAT_DATA_UINT64 },
897 897 { "alloc_fail", KSTAT_DATA_UINT64 },
898 898 { "free", KSTAT_DATA_UINT64 },
899 899 { "depot_alloc", KSTAT_DATA_UINT64 },
900 900 { "depot_free", KSTAT_DATA_UINT64 },
901 901 { "depot_contention", KSTAT_DATA_UINT64 },
902 902 { "slab_alloc", KSTAT_DATA_UINT64 },
903 903 { "slab_free", KSTAT_DATA_UINT64 },
904 904 { "buf_constructed", KSTAT_DATA_UINT64 },
905 905 { "buf_avail", KSTAT_DATA_UINT64 },
906 906 { "buf_inuse", KSTAT_DATA_UINT64 },
907 907 { "buf_total", KSTAT_DATA_UINT64 },
908 908 { "buf_max", KSTAT_DATA_UINT64 },
909 909 { "slab_create", KSTAT_DATA_UINT64 },
910 910 { "slab_destroy", KSTAT_DATA_UINT64 },
911 911 { "vmem_source", KSTAT_DATA_UINT64 },
912 912 { "hash_size", KSTAT_DATA_UINT64 },
913 913 { "hash_lookup_depth", KSTAT_DATA_UINT64 },
914 914 { "hash_rescale", KSTAT_DATA_UINT64 },
915 915 { "full_magazines", KSTAT_DATA_UINT64 },
916 916 { "empty_magazines", KSTAT_DATA_UINT64 },
917 917 { "magazine_size", KSTAT_DATA_UINT64 },
918 918 { "reap", KSTAT_DATA_UINT64 },
919 919 { "defrag", KSTAT_DATA_UINT64 },
920 920 { "scan", KSTAT_DATA_UINT64 },
921 921 { "move_callbacks", KSTAT_DATA_UINT64 },
922 922 { "move_yes", KSTAT_DATA_UINT64 },
923 923 { "move_no", KSTAT_DATA_UINT64 },
924 924 { "move_later", KSTAT_DATA_UINT64 },
925 925 { "move_dont_need", KSTAT_DATA_UINT64 },
926 926 { "move_dont_know", KSTAT_DATA_UINT64 },
927 927 { "move_hunt_found", KSTAT_DATA_UINT64 },
928 928 { "move_slabs_freed", KSTAT_DATA_UINT64 },
929 929 { "move_reclaimable", KSTAT_DATA_UINT64 },
930 930 };
931 931
932 932 static kmutex_t kmem_cache_kstat_lock;
933 933
934 934 /*
935 935 * The default set of caches to back kmem_alloc().
936 936 * These sizes should be reevaluated periodically.
937 937 *
938 938 * We want allocations that are multiples of the coherency granularity
939 939 * (64 bytes) to be satisfied from a cache which is a multiple of 64
940 940 * bytes, so that it will be 64-byte aligned. For all multiples of 64,
941 941 * the next kmem_cache_size greater than or equal to it must be a
942 942 * multiple of 64.
943 943 *
944 944 * We split the table into two sections: size <= 4k and size > 4k. This
945 945 * saves a lot of space and cache footprint in our cache tables.
946 946 */
947 947 static const int kmem_alloc_sizes[] = {
948 948 1 * 8,
949 949 2 * 8,
950 950 3 * 8,
951 951 4 * 8, 5 * 8, 6 * 8, 7 * 8,
952 952 4 * 16, 5 * 16, 6 * 16, 7 * 16,
953 953 4 * 32, 5 * 32, 6 * 32, 7 * 32,
954 954 4 * 64, 5 * 64, 6 * 64, 7 * 64,
955 955 4 * 128, 5 * 128, 6 * 128, 7 * 128,
956 956 P2ALIGN(8192 / 7, 64),
957 957 P2ALIGN(8192 / 6, 64),
958 958 P2ALIGN(8192 / 5, 64),
959 959 P2ALIGN(8192 / 4, 64),
960 960 P2ALIGN(8192 / 3, 64),
961 961 P2ALIGN(8192 / 2, 64),
962 962 };
963 963
964 964 static const int kmem_big_alloc_sizes[] = {
965 965 2 * 4096, 3 * 4096,
966 966 2 * 8192, 3 * 8192,
967 967 4 * 8192, 5 * 8192, 6 * 8192, 7 * 8192,
968 968 8 * 8192, 9 * 8192, 10 * 8192, 11 * 8192,
969 969 12 * 8192, 13 * 8192, 14 * 8192, 15 * 8192,
970 970 16 * 8192
971 971 };
972 972
973 973 #define KMEM_MAXBUF 4096
974 974 #define KMEM_BIG_MAXBUF_32BIT 32768
975 975 #define KMEM_BIG_MAXBUF 131072
976 976
977 977 #define KMEM_BIG_MULTIPLE 4096 /* big_alloc_sizes must be a multiple */
978 978 #define KMEM_BIG_SHIFT 12 /* lg(KMEM_BIG_MULTIPLE) */
979 979
980 980 static kmem_cache_t *kmem_alloc_table[KMEM_MAXBUF >> KMEM_ALIGN_SHIFT];
981 981 static kmem_cache_t *kmem_big_alloc_table[KMEM_BIG_MAXBUF >> KMEM_BIG_SHIFT];
982 982
983 983 #define KMEM_ALLOC_TABLE_MAX (KMEM_MAXBUF >> KMEM_ALIGN_SHIFT)
984 984 static size_t kmem_big_alloc_table_max = 0; /* # of filled elements */
985 985
986 986 static kmem_magtype_t kmem_magtype[] = {
987 987 { 1, 8, 3200, 65536 },
988 988 { 3, 16, 256, 32768 },
989 989 { 7, 32, 64, 16384 },
990 990 { 15, 64, 0, 8192 },
991 991 { 31, 64, 0, 4096 },
992 992 { 47, 64, 0, 2048 },
993 993 { 63, 64, 0, 1024 },
994 994 { 95, 64, 0, 512 },
995 995 { 143, 64, 0, 0 },
996 996 };
997 997
998 998 static uint32_t kmem_reaping;
999 999 static uint32_t kmem_reaping_idspace;
1000 1000
1001 1001 /*
1002 1002 * kmem tunables
1003 1003 */
1004 1004 clock_t kmem_reap_interval; /* cache reaping rate [15 * HZ ticks] */
1005 1005 int kmem_depot_contention = 3; /* max failed tryenters per real interval */
1006 1006 pgcnt_t kmem_reapahead = 0; /* start reaping N pages before pageout */
1007 1007 int kmem_panic = 1; /* whether to panic on error */
1008 1008 int kmem_logging = 1; /* kmem_log_enter() override */
1009 1009 uint32_t kmem_mtbf = 0; /* mean time between failures [default: off] */
1010 1010 size_t kmem_transaction_log_size; /* transaction log size [2% of memory] */
1011 1011 size_t kmem_content_log_size; /* content log size [2% of memory] */
1012 1012 size_t kmem_failure_log_size; /* failure log [4 pages per CPU] */
1013 1013 size_t kmem_slab_log_size; /* slab create log [4 pages per CPU] */
1014 1014 size_t kmem_content_maxsave = 256; /* KMF_CONTENTS max bytes to log */
1015 1015 size_t kmem_lite_minsize = 0; /* minimum buffer size for KMF_LITE */
1016 1016 size_t kmem_lite_maxalign = 1024; /* maximum buffer alignment for KMF_LITE */
1017 1017 int kmem_lite_pcs = 4; /* number of PCs to store in KMF_LITE mode */
1018 1018 size_t kmem_maxverify; /* maximum bytes to inspect in debug routines */
1019 1019 size_t kmem_minfirewall; /* hardware-enforced redzone threshold */
1020 1020
1021 1021 #ifdef _LP64
1022 1022 size_t kmem_max_cached = KMEM_BIG_MAXBUF; /* maximum kmem_alloc cache */
1023 1023 #else
1024 1024 size_t kmem_max_cached = KMEM_BIG_MAXBUF_32BIT; /* maximum kmem_alloc cache */
1025 1025 #endif
1026 1026
1027 1027 #ifdef DEBUG
1028 1028 int kmem_flags = KMF_AUDIT | KMF_DEADBEEF | KMF_REDZONE | KMF_CONTENTS;
1029 1029 #else
1030 1030 int kmem_flags = 0;
1031 1031 #endif
1032 1032 int kmem_ready;
1033 1033
1034 1034 static kmem_cache_t *kmem_slab_cache;
1035 1035 static kmem_cache_t *kmem_bufctl_cache;
1036 1036 static kmem_cache_t *kmem_bufctl_audit_cache;
1037 1037
1038 1038 static kmutex_t kmem_cache_lock; /* inter-cache linkage only */
1039 1039 static list_t kmem_caches;
1040 1040
1041 1041 static taskq_t *kmem_taskq;
1042 1042 static kmutex_t kmem_flags_lock;
1043 1043 static vmem_t *kmem_metadata_arena;
1044 1044 static vmem_t *kmem_msb_arena; /* arena for metadata caches */
1045 1045 static vmem_t *kmem_cache_arena;
1046 1046 static vmem_t *kmem_hash_arena;
1047 1047 static vmem_t *kmem_log_arena;
1048 1048 static vmem_t *kmem_oversize_arena;
1049 1049 static vmem_t *kmem_va_arena;
1050 1050 static vmem_t *kmem_default_arena;
1051 1051 static vmem_t *kmem_firewall_va_arena;
1052 1052 static vmem_t *kmem_firewall_arena;
1053 1053
1054 1054 /*
1055 1055 * kmem slab consolidator thresholds (tunables)
1056 1056 */
1057 1057 size_t kmem_frag_minslabs = 101; /* minimum total slabs */
1058 1058 size_t kmem_frag_numer = 1; /* free buffers (numerator) */
1059 1059 size_t kmem_frag_denom = KMEM_VOID_FRACTION; /* buffers (denominator) */
1060 1060 /*
1061 1061 * Maximum number of slabs from which to move buffers during a single
1062 1062 * maintenance interval while the system is not low on memory.
1063 1063 */
1064 1064 size_t kmem_reclaim_max_slabs = 1;
1065 1065 /*
1066 1066 * Number of slabs to scan backwards from the end of the partial slab list
1067 1067 * when searching for buffers to relocate.
1068 1068 */
1069 1069 size_t kmem_reclaim_scan_range = 12;
1070 1070
1071 1071 /* consolidator knobs */
1072 1072 boolean_t kmem_move_noreap;
1073 1073 boolean_t kmem_move_blocked;
1074 1074 boolean_t kmem_move_fulltilt;
1075 1075 boolean_t kmem_move_any_partial;
1076 1076
1077 1077 #ifdef DEBUG
1078 1078 /*
1079 1079 * kmem consolidator debug tunables:
1080 1080 * Ensure code coverage by occasionally running the consolidator even when the
1081 1081 * caches are not fragmented (they may never be). These intervals are mean time
1082 1082 * in cache maintenance intervals (kmem_cache_update).
1083 1083 */
1084 1084 uint32_t kmem_mtb_move = 60; /* defrag 1 slab (~15min) */
1085 1085 uint32_t kmem_mtb_reap = 1800; /* defrag all slabs (~7.5hrs) */
1086 1086 #endif /* DEBUG */
1087 1087
1088 1088 static kmem_cache_t *kmem_defrag_cache;
1089 1089 static kmem_cache_t *kmem_move_cache;
1090 1090 static taskq_t *kmem_move_taskq;
1091 1091
1092 1092 static void kmem_cache_scan(kmem_cache_t *);
1093 1093 static void kmem_cache_defrag(kmem_cache_t *);
1094 1094 static void kmem_slab_prefill(kmem_cache_t *, kmem_slab_t *);
1095 1095
1096 1096
1097 1097 kmem_log_header_t *kmem_transaction_log;
1098 1098 kmem_log_header_t *kmem_content_log;
1099 1099 kmem_log_header_t *kmem_failure_log;
1100 1100 kmem_log_header_t *kmem_slab_log;
1101 1101
1102 1102 static int kmem_lite_count; /* # of PCs in kmem_buftag_lite_t */
1103 1103
1104 1104 #define KMEM_BUFTAG_LITE_ENTER(bt, count, caller) \
1105 1105 if ((count) > 0) { \
1106 1106 pc_t *_s = ((kmem_buftag_lite_t *)(bt))->bt_history; \
1107 1107 pc_t *_e; \
1108 1108 /* memmove() the old entries down one notch */ \
1109 1109 for (_e = &_s[(count) - 1]; _e > _s; _e--) \
1110 1110 *_e = *(_e - 1); \
1111 1111 *_s = (uintptr_t)(caller); \
1112 1112 }
1113 1113
1114 1114 #define KMERR_MODIFIED 0 /* buffer modified while on freelist */
1115 1115 #define KMERR_REDZONE 1 /* redzone violation (write past end of buf) */
1116 1116 #define KMERR_DUPFREE 2 /* freed a buffer twice */
1117 1117 #define KMERR_BADADDR 3 /* freed a bad (unallocated) address */
1118 1118 #define KMERR_BADBUFTAG 4 /* buftag corrupted */
1119 1119 #define KMERR_BADBUFCTL 5 /* bufctl corrupted */
1120 1120 #define KMERR_BADCACHE 6 /* freed a buffer to the wrong cache */
1121 1121 #define KMERR_BADSIZE 7 /* alloc size != free size */
1122 1122 #define KMERR_BADBASE 8 /* buffer base address wrong */
1123 1123
1124 1124 struct {
1125 1125 hrtime_t kmp_timestamp; /* timestamp of panic */
1126 1126 int kmp_error; /* type of kmem error */
1127 1127 void *kmp_buffer; /* buffer that induced panic */
1128 1128 void *kmp_realbuf; /* real start address for buffer */
1129 1129 kmem_cache_t *kmp_cache; /* buffer's cache according to client */
1130 1130 kmem_cache_t *kmp_realcache; /* actual cache containing buffer */
1131 1131 kmem_slab_t *kmp_slab; /* slab accoring to kmem_findslab() */
1132 1132 kmem_bufctl_t *kmp_bufctl; /* bufctl */
1133 1133 } kmem_panic_info;
1134 1134
1135 1135
1136 1136 static void
1137 1137 copy_pattern(uint64_t pattern, void *buf_arg, size_t size)
1138 1138 {
1139 1139 uint64_t *bufend = (uint64_t *)((char *)buf_arg + size);
1140 1140 uint64_t *buf = buf_arg;
1141 1141
1142 1142 while (buf < bufend)
1143 1143 *buf++ = pattern;
1144 1144 }
1145 1145
1146 1146 static void *
1147 1147 verify_pattern(uint64_t pattern, void *buf_arg, size_t size)
1148 1148 {
1149 1149 uint64_t *bufend = (uint64_t *)((char *)buf_arg + size);
1150 1150 uint64_t *buf;
1151 1151
1152 1152 for (buf = buf_arg; buf < bufend; buf++)
1153 1153 if (*buf != pattern)
1154 1154 return (buf);
1155 1155 return (NULL);
1156 1156 }
1157 1157
1158 1158 static void *
1159 1159 verify_and_copy_pattern(uint64_t old, uint64_t new, void *buf_arg, size_t size)
1160 1160 {
1161 1161 uint64_t *bufend = (uint64_t *)((char *)buf_arg + size);
1162 1162 uint64_t *buf;
1163 1163
1164 1164 for (buf = buf_arg; buf < bufend; buf++) {
1165 1165 if (*buf != old) {
1166 1166 copy_pattern(old, buf_arg,
1167 1167 (char *)buf - (char *)buf_arg);
1168 1168 return (buf);
1169 1169 }
1170 1170 *buf = new;
1171 1171 }
1172 1172
1173 1173 return (NULL);
1174 1174 }
1175 1175
1176 1176 static void
1177 1177 kmem_cache_applyall(void (*func)(kmem_cache_t *), taskq_t *tq, int tqflag)
1178 1178 {
1179 1179 kmem_cache_t *cp;
1180 1180
1181 1181 mutex_enter(&kmem_cache_lock);
1182 1182 for (cp = list_head(&kmem_caches); cp != NULL;
1183 1183 cp = list_next(&kmem_caches, cp))
1184 1184 if (tq != NULL)
1185 1185 (void) taskq_dispatch(tq, (task_func_t *)func, cp,
1186 1186 tqflag);
1187 1187 else
1188 1188 func(cp);
1189 1189 mutex_exit(&kmem_cache_lock);
1190 1190 }
1191 1191
1192 1192 static void
1193 1193 kmem_cache_applyall_id(void (*func)(kmem_cache_t *), taskq_t *tq, int tqflag)
1194 1194 {
1195 1195 kmem_cache_t *cp;
1196 1196
1197 1197 mutex_enter(&kmem_cache_lock);
1198 1198 for (cp = list_head(&kmem_caches); cp != NULL;
1199 1199 cp = list_next(&kmem_caches, cp)) {
1200 1200 if (!(cp->cache_cflags & KMC_IDENTIFIER))
1201 1201 continue;
1202 1202 if (tq != NULL)
1203 1203 (void) taskq_dispatch(tq, (task_func_t *)func, cp,
1204 1204 tqflag);
1205 1205 else
1206 1206 func(cp);
1207 1207 }
1208 1208 mutex_exit(&kmem_cache_lock);
1209 1209 }
1210 1210
1211 1211 /*
1212 1212 * Debugging support. Given a buffer address, find its slab.
1213 1213 */
1214 1214 static kmem_slab_t *
1215 1215 kmem_findslab(kmem_cache_t *cp, void *buf)
1216 1216 {
1217 1217 kmem_slab_t *sp;
1218 1218
1219 1219 mutex_enter(&cp->cache_lock);
1220 1220 for (sp = list_head(&cp->cache_complete_slabs); sp != NULL;
1221 1221 sp = list_next(&cp->cache_complete_slabs, sp)) {
1222 1222 if (KMEM_SLAB_MEMBER(sp, buf)) {
1223 1223 mutex_exit(&cp->cache_lock);
1224 1224 return (sp);
1225 1225 }
1226 1226 }
1227 1227 for (sp = avl_first(&cp->cache_partial_slabs); sp != NULL;
1228 1228 sp = AVL_NEXT(&cp->cache_partial_slabs, sp)) {
1229 1229 if (KMEM_SLAB_MEMBER(sp, buf)) {
1230 1230 mutex_exit(&cp->cache_lock);
1231 1231 return (sp);
1232 1232 }
1233 1233 }
1234 1234 mutex_exit(&cp->cache_lock);
1235 1235
1236 1236 return (NULL);
1237 1237 }
1238 1238
1239 1239 static void
1240 1240 kmem_error(int error, kmem_cache_t *cparg, void *bufarg)
1241 1241 {
1242 1242 kmem_buftag_t *btp = NULL;
1243 1243 kmem_bufctl_t *bcp = NULL;
1244 1244 kmem_cache_t *cp = cparg;
1245 1245 kmem_slab_t *sp;
1246 1246 uint64_t *off;
1247 1247 void *buf = bufarg;
1248 1248
1249 1249 kmem_logging = 0; /* stop logging when a bad thing happens */
1250 1250
1251 1251 kmem_panic_info.kmp_timestamp = gethrtime();
1252 1252
1253 1253 sp = kmem_findslab(cp, buf);
1254 1254 if (sp == NULL) {
1255 1255 for (cp = list_tail(&kmem_caches); cp != NULL;
1256 1256 cp = list_prev(&kmem_caches, cp)) {
1257 1257 if ((sp = kmem_findslab(cp, buf)) != NULL)
1258 1258 break;
1259 1259 }
1260 1260 }
1261 1261
1262 1262 if (sp == NULL) {
1263 1263 cp = NULL;
1264 1264 error = KMERR_BADADDR;
1265 1265 } else {
1266 1266 if (cp != cparg)
1267 1267 error = KMERR_BADCACHE;
1268 1268 else
1269 1269 buf = (char *)bufarg - ((uintptr_t)bufarg -
1270 1270 (uintptr_t)sp->slab_base) % cp->cache_chunksize;
1271 1271 if (buf != bufarg)
1272 1272 error = KMERR_BADBASE;
1273 1273 if (cp->cache_flags & KMF_BUFTAG)
1274 1274 btp = KMEM_BUFTAG(cp, buf);
1275 1275 if (cp->cache_flags & KMF_HASH) {
1276 1276 mutex_enter(&cp->cache_lock);
1277 1277 for (bcp = *KMEM_HASH(cp, buf); bcp; bcp = bcp->bc_next)
1278 1278 if (bcp->bc_addr == buf)
1279 1279 break;
1280 1280 mutex_exit(&cp->cache_lock);
1281 1281 if (bcp == NULL && btp != NULL)
1282 1282 bcp = btp->bt_bufctl;
1283 1283 if (kmem_findslab(cp->cache_bufctl_cache, bcp) ==
1284 1284 NULL || P2PHASE((uintptr_t)bcp, KMEM_ALIGN) ||
1285 1285 bcp->bc_addr != buf) {
1286 1286 error = KMERR_BADBUFCTL;
1287 1287 bcp = NULL;
1288 1288 }
1289 1289 }
1290 1290 }
1291 1291
1292 1292 kmem_panic_info.kmp_error = error;
1293 1293 kmem_panic_info.kmp_buffer = bufarg;
1294 1294 kmem_panic_info.kmp_realbuf = buf;
1295 1295 kmem_panic_info.kmp_cache = cparg;
1296 1296 kmem_panic_info.kmp_realcache = cp;
1297 1297 kmem_panic_info.kmp_slab = sp;
1298 1298 kmem_panic_info.kmp_bufctl = bcp;
1299 1299
1300 1300 printf("kernel memory allocator: ");
1301 1301
1302 1302 switch (error) {
1303 1303
1304 1304 case KMERR_MODIFIED:
1305 1305 printf("buffer modified after being freed\n");
1306 1306 off = verify_pattern(KMEM_FREE_PATTERN, buf, cp->cache_verify);
1307 1307 if (off == NULL) /* shouldn't happen */
1308 1308 off = buf;
1309 1309 printf("modification occurred at offset 0x%lx "
1310 1310 "(0x%llx replaced by 0x%llx)\n",
1311 1311 (uintptr_t)off - (uintptr_t)buf,
1312 1312 (longlong_t)KMEM_FREE_PATTERN, (longlong_t)*off);
1313 1313 break;
1314 1314
1315 1315 case KMERR_REDZONE:
1316 1316 printf("redzone violation: write past end of buffer\n");
1317 1317 break;
1318 1318
1319 1319 case KMERR_BADADDR:
1320 1320 printf("invalid free: buffer not in cache\n");
1321 1321 break;
1322 1322
1323 1323 case KMERR_DUPFREE:
1324 1324 printf("duplicate free: buffer freed twice\n");
1325 1325 break;
1326 1326
1327 1327 case KMERR_BADBUFTAG:
1328 1328 printf("boundary tag corrupted\n");
1329 1329 printf("bcp ^ bxstat = %lx, should be %lx\n",
1330 1330 (intptr_t)btp->bt_bufctl ^ btp->bt_bxstat,
1331 1331 KMEM_BUFTAG_FREE);
1332 1332 break;
1333 1333
1334 1334 case KMERR_BADBUFCTL:
1335 1335 printf("bufctl corrupted\n");
1336 1336 break;
1337 1337
1338 1338 case KMERR_BADCACHE:
1339 1339 printf("buffer freed to wrong cache\n");
1340 1340 printf("buffer was allocated from %s,\n", cp->cache_name);
1341 1341 printf("caller attempting free to %s.\n", cparg->cache_name);
1342 1342 break;
1343 1343
1344 1344 case KMERR_BADSIZE:
1345 1345 printf("bad free: free size (%u) != alloc size (%u)\n",
1346 1346 KMEM_SIZE_DECODE(((uint32_t *)btp)[0]),
1347 1347 KMEM_SIZE_DECODE(((uint32_t *)btp)[1]));
1348 1348 break;
1349 1349
1350 1350 case KMERR_BADBASE:
1351 1351 printf("bad free: free address (%p) != alloc address (%p)\n",
1352 1352 bufarg, buf);
1353 1353 break;
1354 1354 }
1355 1355
1356 1356 printf("buffer=%p bufctl=%p cache: %s\n",
1357 1357 bufarg, (void *)bcp, cparg->cache_name);
1358 1358
1359 1359 if (bcp != NULL && (cp->cache_flags & KMF_AUDIT) &&
1360 1360 error != KMERR_BADBUFCTL) {
1361 1361 int d;
1362 1362 timestruc_t ts;
1363 1363 kmem_bufctl_audit_t *bcap = (kmem_bufctl_audit_t *)bcp;
1364 1364
1365 1365 hrt2ts(kmem_panic_info.kmp_timestamp - bcap->bc_timestamp, &ts);
1366 1366 printf("previous transaction on buffer %p:\n", buf);
1367 1367 printf("thread=%p time=T-%ld.%09ld slab=%p cache: %s\n",
1368 1368 (void *)bcap->bc_thread, ts.tv_sec, ts.tv_nsec,
1369 1369 (void *)sp, cp->cache_name);
1370 1370 for (d = 0; d < MIN(bcap->bc_depth, KMEM_STACK_DEPTH); d++) {
1371 1371 ulong_t off;
1372 1372 char *sym = kobj_getsymname(bcap->bc_stack[d], &off);
1373 1373 printf("%s+%lx\n", sym ? sym : "?", off);
1374 1374 }
1375 1375 }
1376 1376 if (kmem_panic > 0)
1377 1377 panic("kernel heap corruption detected");
1378 1378 if (kmem_panic == 0)
1379 1379 debug_enter(NULL);
1380 1380 kmem_logging = 1; /* resume logging */
1381 1381 }
1382 1382
1383 1383 static kmem_log_header_t *
1384 1384 kmem_log_init(size_t logsize)
1385 1385 {
1386 1386 kmem_log_header_t *lhp;
1387 1387 int nchunks = 4 * max_ncpus;
1388 1388 size_t lhsize = (size_t)&((kmem_log_header_t *)0)->lh_cpu[max_ncpus];
1389 1389 int i;
1390 1390
1391 1391 /*
1392 1392 * Make sure that lhp->lh_cpu[] is nicely aligned
1393 1393 * to prevent false sharing of cache lines.
1394 1394 */
1395 1395 lhsize = P2ROUNDUP(lhsize, KMEM_ALIGN);
1396 1396 lhp = vmem_xalloc(kmem_log_arena, lhsize, 64, P2NPHASE(lhsize, 64), 0,
1397 1397 NULL, NULL, VM_SLEEP);
1398 1398 bzero(lhp, lhsize);
1399 1399
1400 1400 mutex_init(&lhp->lh_lock, NULL, MUTEX_DEFAULT, NULL);
1401 1401 lhp->lh_nchunks = nchunks;
1402 1402 lhp->lh_chunksize = P2ROUNDUP(logsize / nchunks + 1, PAGESIZE);
1403 1403 lhp->lh_base = vmem_alloc(kmem_log_arena,
1404 1404 lhp->lh_chunksize * nchunks, VM_SLEEP);
1405 1405 lhp->lh_free = vmem_alloc(kmem_log_arena,
1406 1406 nchunks * sizeof (int), VM_SLEEP);
1407 1407 bzero(lhp->lh_base, lhp->lh_chunksize * nchunks);
1408 1408
1409 1409 for (i = 0; i < max_ncpus; i++) {
1410 1410 kmem_cpu_log_header_t *clhp = &lhp->lh_cpu[i];
1411 1411 mutex_init(&clhp->clh_lock, NULL, MUTEX_DEFAULT, NULL);
1412 1412 clhp->clh_chunk = i;
1413 1413 }
1414 1414
1415 1415 for (i = max_ncpus; i < nchunks; i++)
1416 1416 lhp->lh_free[i] = i;
1417 1417
|
↓ open down ↓ |
1417 lines elided |
↑ open up ↑ |
1418 1418 lhp->lh_head = max_ncpus;
1419 1419 lhp->lh_tail = 0;
1420 1420
1421 1421 return (lhp);
1422 1422 }
1423 1423
1424 1424 static void *
1425 1425 kmem_log_enter(kmem_log_header_t *lhp, void *data, size_t size)
1426 1426 {
1427 1427 void *logspace;
1428 - kmem_cpu_log_header_t *clhp = &lhp->lh_cpu[CPU->cpu_seqid];
1428 + kmem_cpu_log_header_t *clhp;
1429 1429
1430 1430 if (lhp == NULL || kmem_logging == 0 || panicstr)
1431 1431 return (NULL);
1432 1432
1433 + clhp = &lhp->lh_cpu[CPU->cpu_seqid];
1434 +
1433 1435 mutex_enter(&clhp->clh_lock);
1434 1436 clhp->clh_hits++;
1435 1437 if (size > clhp->clh_avail) {
1436 1438 mutex_enter(&lhp->lh_lock);
1437 1439 lhp->lh_hits++;
1438 1440 lhp->lh_free[lhp->lh_tail] = clhp->clh_chunk;
1439 1441 lhp->lh_tail = (lhp->lh_tail + 1) % lhp->lh_nchunks;
1440 1442 clhp->clh_chunk = lhp->lh_free[lhp->lh_head];
1441 1443 lhp->lh_head = (lhp->lh_head + 1) % lhp->lh_nchunks;
1442 1444 clhp->clh_current = lhp->lh_base +
1443 1445 clhp->clh_chunk * lhp->lh_chunksize;
1444 1446 clhp->clh_avail = lhp->lh_chunksize;
1445 1447 if (size > lhp->lh_chunksize)
1446 1448 size = lhp->lh_chunksize;
1447 1449 mutex_exit(&lhp->lh_lock);
1448 1450 }
1449 1451 logspace = clhp->clh_current;
1450 1452 clhp->clh_current += size;
1451 1453 clhp->clh_avail -= size;
1452 1454 bcopy(data, logspace, size);
1453 1455 mutex_exit(&clhp->clh_lock);
1454 1456 return (logspace);
1455 1457 }
1456 1458
1457 1459 #define KMEM_AUDIT(lp, cp, bcp) \
1458 1460 { \
1459 1461 kmem_bufctl_audit_t *_bcp = (kmem_bufctl_audit_t *)(bcp); \
1460 1462 _bcp->bc_timestamp = gethrtime(); \
1461 1463 _bcp->bc_thread = curthread; \
1462 1464 _bcp->bc_depth = getpcstack(_bcp->bc_stack, KMEM_STACK_DEPTH); \
1463 1465 _bcp->bc_lastlog = kmem_log_enter((lp), _bcp, sizeof (*_bcp)); \
1464 1466 }
1465 1467
1466 1468 static void
1467 1469 kmem_log_event(kmem_log_header_t *lp, kmem_cache_t *cp,
1468 1470 kmem_slab_t *sp, void *addr)
1469 1471 {
1470 1472 kmem_bufctl_audit_t bca;
1471 1473
1472 1474 bzero(&bca, sizeof (kmem_bufctl_audit_t));
1473 1475 bca.bc_addr = addr;
1474 1476 bca.bc_slab = sp;
1475 1477 bca.bc_cache = cp;
1476 1478 KMEM_AUDIT(lp, cp, &bca);
1477 1479 }
1478 1480
1479 1481 /*
1480 1482 * Create a new slab for cache cp.
1481 1483 */
1482 1484 static kmem_slab_t *
1483 1485 kmem_slab_create(kmem_cache_t *cp, int kmflag)
1484 1486 {
1485 1487 size_t slabsize = cp->cache_slabsize;
1486 1488 size_t chunksize = cp->cache_chunksize;
1487 1489 int cache_flags = cp->cache_flags;
1488 1490 size_t color, chunks;
1489 1491 char *buf, *slab;
1490 1492 kmem_slab_t *sp;
1491 1493 kmem_bufctl_t *bcp;
1492 1494 vmem_t *vmp = cp->cache_arena;
1493 1495
1494 1496 ASSERT(MUTEX_NOT_HELD(&cp->cache_lock));
1495 1497
1496 1498 color = cp->cache_color + cp->cache_align;
1497 1499 if (color > cp->cache_maxcolor)
1498 1500 color = cp->cache_mincolor;
1499 1501 cp->cache_color = color;
1500 1502
1501 1503 slab = vmem_alloc(vmp, slabsize, kmflag & KM_VMFLAGS);
1502 1504
1503 1505 if (slab == NULL)
1504 1506 goto vmem_alloc_failure;
1505 1507
1506 1508 ASSERT(P2PHASE((uintptr_t)slab, vmp->vm_quantum) == 0);
1507 1509
1508 1510 /*
1509 1511 * Reverify what was already checked in kmem_cache_set_move(), since the
1510 1512 * consolidator depends (for correctness) on slabs being initialized
1511 1513 * with the 0xbaddcafe memory pattern (setting a low order bit usable by
1512 1514 * clients to distinguish uninitialized memory from known objects).
1513 1515 */
1514 1516 ASSERT((cp->cache_move == NULL) || !(cp->cache_cflags & KMC_NOTOUCH));
1515 1517 if (!(cp->cache_cflags & KMC_NOTOUCH))
1516 1518 copy_pattern(KMEM_UNINITIALIZED_PATTERN, slab, slabsize);
1517 1519
1518 1520 if (cache_flags & KMF_HASH) {
1519 1521 if ((sp = kmem_cache_alloc(kmem_slab_cache, kmflag)) == NULL)
1520 1522 goto slab_alloc_failure;
1521 1523 chunks = (slabsize - color) / chunksize;
1522 1524 } else {
1523 1525 sp = KMEM_SLAB(cp, slab);
1524 1526 chunks = (slabsize - sizeof (kmem_slab_t) - color) / chunksize;
1525 1527 }
1526 1528
1527 1529 sp->slab_cache = cp;
1528 1530 sp->slab_head = NULL;
1529 1531 sp->slab_refcnt = 0;
1530 1532 sp->slab_base = buf = slab + color;
1531 1533 sp->slab_chunks = chunks;
1532 1534 sp->slab_stuck_offset = (uint32_t)-1;
1533 1535 sp->slab_later_count = 0;
1534 1536 sp->slab_flags = 0;
1535 1537
1536 1538 ASSERT(chunks > 0);
1537 1539 while (chunks-- != 0) {
1538 1540 if (cache_flags & KMF_HASH) {
1539 1541 bcp = kmem_cache_alloc(cp->cache_bufctl_cache, kmflag);
1540 1542 if (bcp == NULL)
1541 1543 goto bufctl_alloc_failure;
1542 1544 if (cache_flags & KMF_AUDIT) {
1543 1545 kmem_bufctl_audit_t *bcap =
1544 1546 (kmem_bufctl_audit_t *)bcp;
1545 1547 bzero(bcap, sizeof (kmem_bufctl_audit_t));
1546 1548 bcap->bc_cache = cp;
1547 1549 }
1548 1550 bcp->bc_addr = buf;
1549 1551 bcp->bc_slab = sp;
1550 1552 } else {
1551 1553 bcp = KMEM_BUFCTL(cp, buf);
1552 1554 }
1553 1555 if (cache_flags & KMF_BUFTAG) {
1554 1556 kmem_buftag_t *btp = KMEM_BUFTAG(cp, buf);
1555 1557 btp->bt_redzone = KMEM_REDZONE_PATTERN;
1556 1558 btp->bt_bufctl = bcp;
1557 1559 btp->bt_bxstat = (intptr_t)bcp ^ KMEM_BUFTAG_FREE;
1558 1560 if (cache_flags & KMF_DEADBEEF) {
1559 1561 copy_pattern(KMEM_FREE_PATTERN, buf,
1560 1562 cp->cache_verify);
1561 1563 }
1562 1564 }
1563 1565 bcp->bc_next = sp->slab_head;
1564 1566 sp->slab_head = bcp;
1565 1567 buf += chunksize;
1566 1568 }
1567 1569
1568 1570 kmem_log_event(kmem_slab_log, cp, sp, slab);
1569 1571
1570 1572 return (sp);
1571 1573
1572 1574 bufctl_alloc_failure:
1573 1575
1574 1576 while ((bcp = sp->slab_head) != NULL) {
1575 1577 sp->slab_head = bcp->bc_next;
1576 1578 kmem_cache_free(cp->cache_bufctl_cache, bcp);
1577 1579 }
1578 1580 kmem_cache_free(kmem_slab_cache, sp);
1579 1581
1580 1582 slab_alloc_failure:
1581 1583
1582 1584 vmem_free(vmp, slab, slabsize);
1583 1585
1584 1586 vmem_alloc_failure:
1585 1587
1586 1588 kmem_log_event(kmem_failure_log, cp, NULL, NULL);
1587 1589 atomic_inc_64(&cp->cache_alloc_fail);
1588 1590
1589 1591 return (NULL);
1590 1592 }
1591 1593
1592 1594 /*
1593 1595 * Destroy a slab.
1594 1596 */
1595 1597 static void
1596 1598 kmem_slab_destroy(kmem_cache_t *cp, kmem_slab_t *sp)
1597 1599 {
1598 1600 vmem_t *vmp = cp->cache_arena;
1599 1601 void *slab = (void *)P2ALIGN((uintptr_t)sp->slab_base, vmp->vm_quantum);
1600 1602
1601 1603 ASSERT(MUTEX_NOT_HELD(&cp->cache_lock));
1602 1604 ASSERT(sp->slab_refcnt == 0);
1603 1605
1604 1606 if (cp->cache_flags & KMF_HASH) {
1605 1607 kmem_bufctl_t *bcp;
1606 1608 while ((bcp = sp->slab_head) != NULL) {
1607 1609 sp->slab_head = bcp->bc_next;
1608 1610 kmem_cache_free(cp->cache_bufctl_cache, bcp);
1609 1611 }
1610 1612 kmem_cache_free(kmem_slab_cache, sp);
1611 1613 }
1612 1614 vmem_free(vmp, slab, cp->cache_slabsize);
1613 1615 }
1614 1616
1615 1617 static void *
1616 1618 kmem_slab_alloc_impl(kmem_cache_t *cp, kmem_slab_t *sp, boolean_t prefill)
1617 1619 {
1618 1620 kmem_bufctl_t *bcp, **hash_bucket;
1619 1621 void *buf;
1620 1622 boolean_t new_slab = (sp->slab_refcnt == 0);
1621 1623
1622 1624 ASSERT(MUTEX_HELD(&cp->cache_lock));
1623 1625 /*
1624 1626 * kmem_slab_alloc() drops cache_lock when it creates a new slab, so we
1625 1627 * can't ASSERT(avl_is_empty(&cp->cache_partial_slabs)) here when the
1626 1628 * slab is newly created.
1627 1629 */
1628 1630 ASSERT(new_slab || (KMEM_SLAB_IS_PARTIAL(sp) &&
1629 1631 (sp == avl_first(&cp->cache_partial_slabs))));
1630 1632 ASSERT(sp->slab_cache == cp);
1631 1633
1632 1634 cp->cache_slab_alloc++;
1633 1635 cp->cache_bufslab--;
1634 1636 sp->slab_refcnt++;
1635 1637
1636 1638 bcp = sp->slab_head;
1637 1639 sp->slab_head = bcp->bc_next;
1638 1640
1639 1641 if (cp->cache_flags & KMF_HASH) {
1640 1642 /*
1641 1643 * Add buffer to allocated-address hash table.
1642 1644 */
1643 1645 buf = bcp->bc_addr;
1644 1646 hash_bucket = KMEM_HASH(cp, buf);
1645 1647 bcp->bc_next = *hash_bucket;
1646 1648 *hash_bucket = bcp;
1647 1649 if ((cp->cache_flags & (KMF_AUDIT | KMF_BUFTAG)) == KMF_AUDIT) {
1648 1650 KMEM_AUDIT(kmem_transaction_log, cp, bcp);
1649 1651 }
1650 1652 } else {
1651 1653 buf = KMEM_BUF(cp, bcp);
1652 1654 }
1653 1655
1654 1656 ASSERT(KMEM_SLAB_MEMBER(sp, buf));
1655 1657
1656 1658 if (sp->slab_head == NULL) {
1657 1659 ASSERT(KMEM_SLAB_IS_ALL_USED(sp));
1658 1660 if (new_slab) {
1659 1661 ASSERT(sp->slab_chunks == 1);
1660 1662 } else {
1661 1663 ASSERT(sp->slab_chunks > 1); /* the slab was partial */
1662 1664 avl_remove(&cp->cache_partial_slabs, sp);
1663 1665 sp->slab_later_count = 0; /* clear history */
1664 1666 sp->slab_flags &= ~KMEM_SLAB_NOMOVE;
1665 1667 sp->slab_stuck_offset = (uint32_t)-1;
1666 1668 }
1667 1669 list_insert_head(&cp->cache_complete_slabs, sp);
1668 1670 cp->cache_complete_slab_count++;
1669 1671 return (buf);
1670 1672 }
1671 1673
1672 1674 ASSERT(KMEM_SLAB_IS_PARTIAL(sp));
1673 1675 /*
1674 1676 * Peek to see if the magazine layer is enabled before
1675 1677 * we prefill. We're not holding the cpu cache lock,
1676 1678 * so the peek could be wrong, but there's no harm in it.
1677 1679 */
1678 1680 if (new_slab && prefill && (cp->cache_flags & KMF_PREFILL) &&
1679 1681 (KMEM_CPU_CACHE(cp)->cc_magsize != 0)) {
1680 1682 kmem_slab_prefill(cp, sp);
1681 1683 return (buf);
1682 1684 }
1683 1685
1684 1686 if (new_slab) {
1685 1687 avl_add(&cp->cache_partial_slabs, sp);
1686 1688 return (buf);
1687 1689 }
1688 1690
1689 1691 /*
1690 1692 * The slab is now more allocated than it was, so the
1691 1693 * order remains unchanged.
1692 1694 */
1693 1695 ASSERT(!avl_update(&cp->cache_partial_slabs, sp));
1694 1696 return (buf);
1695 1697 }
1696 1698
1697 1699 /*
1698 1700 * Allocate a raw (unconstructed) buffer from cp's slab layer.
1699 1701 */
1700 1702 static void *
1701 1703 kmem_slab_alloc(kmem_cache_t *cp, int kmflag)
1702 1704 {
1703 1705 kmem_slab_t *sp;
1704 1706 void *buf;
1705 1707 boolean_t test_destructor;
1706 1708
1707 1709 mutex_enter(&cp->cache_lock);
1708 1710 test_destructor = (cp->cache_slab_alloc == 0);
1709 1711 sp = avl_first(&cp->cache_partial_slabs);
1710 1712 if (sp == NULL) {
1711 1713 ASSERT(cp->cache_bufslab == 0);
1712 1714
1713 1715 /*
1714 1716 * The freelist is empty. Create a new slab.
1715 1717 */
1716 1718 mutex_exit(&cp->cache_lock);
1717 1719 if ((sp = kmem_slab_create(cp, kmflag)) == NULL) {
1718 1720 return (NULL);
1719 1721 }
1720 1722 mutex_enter(&cp->cache_lock);
1721 1723 cp->cache_slab_create++;
1722 1724 if ((cp->cache_buftotal += sp->slab_chunks) > cp->cache_bufmax)
1723 1725 cp->cache_bufmax = cp->cache_buftotal;
1724 1726 cp->cache_bufslab += sp->slab_chunks;
1725 1727 }
1726 1728
1727 1729 buf = kmem_slab_alloc_impl(cp, sp, B_TRUE);
1728 1730 ASSERT((cp->cache_slab_create - cp->cache_slab_destroy) ==
1729 1731 (cp->cache_complete_slab_count +
1730 1732 avl_numnodes(&cp->cache_partial_slabs) +
1731 1733 (cp->cache_defrag == NULL ? 0 : cp->cache_defrag->kmd_deadcount)));
1732 1734 mutex_exit(&cp->cache_lock);
1733 1735
1734 1736 if (test_destructor && cp->cache_destructor != NULL) {
1735 1737 /*
1736 1738 * On the first kmem_slab_alloc(), assert that it is valid to
1737 1739 * call the destructor on a newly constructed object without any
1738 1740 * client involvement.
1739 1741 */
1740 1742 if ((cp->cache_constructor == NULL) ||
1741 1743 cp->cache_constructor(buf, cp->cache_private,
1742 1744 kmflag) == 0) {
1743 1745 cp->cache_destructor(buf, cp->cache_private);
1744 1746 }
1745 1747 copy_pattern(KMEM_UNINITIALIZED_PATTERN, buf,
1746 1748 cp->cache_bufsize);
1747 1749 if (cp->cache_flags & KMF_DEADBEEF) {
1748 1750 copy_pattern(KMEM_FREE_PATTERN, buf, cp->cache_verify);
1749 1751 }
1750 1752 }
1751 1753
1752 1754 return (buf);
1753 1755 }
1754 1756
1755 1757 static void kmem_slab_move_yes(kmem_cache_t *, kmem_slab_t *, void *);
1756 1758
1757 1759 /*
1758 1760 * Free a raw (unconstructed) buffer to cp's slab layer.
1759 1761 */
1760 1762 static void
1761 1763 kmem_slab_free(kmem_cache_t *cp, void *buf)
1762 1764 {
1763 1765 kmem_slab_t *sp;
1764 1766 kmem_bufctl_t *bcp, **prev_bcpp;
1765 1767
1766 1768 ASSERT(buf != NULL);
1767 1769
1768 1770 mutex_enter(&cp->cache_lock);
1769 1771 cp->cache_slab_free++;
1770 1772
1771 1773 if (cp->cache_flags & KMF_HASH) {
1772 1774 /*
1773 1775 * Look up buffer in allocated-address hash table.
1774 1776 */
1775 1777 prev_bcpp = KMEM_HASH(cp, buf);
1776 1778 while ((bcp = *prev_bcpp) != NULL) {
1777 1779 if (bcp->bc_addr == buf) {
1778 1780 *prev_bcpp = bcp->bc_next;
1779 1781 sp = bcp->bc_slab;
1780 1782 break;
1781 1783 }
1782 1784 cp->cache_lookup_depth++;
1783 1785 prev_bcpp = &bcp->bc_next;
1784 1786 }
1785 1787 } else {
1786 1788 bcp = KMEM_BUFCTL(cp, buf);
1787 1789 sp = KMEM_SLAB(cp, buf);
1788 1790 }
1789 1791
1790 1792 if (bcp == NULL || sp->slab_cache != cp || !KMEM_SLAB_MEMBER(sp, buf)) {
1791 1793 mutex_exit(&cp->cache_lock);
1792 1794 kmem_error(KMERR_BADADDR, cp, buf);
1793 1795 return;
1794 1796 }
1795 1797
1796 1798 if (KMEM_SLAB_OFFSET(sp, buf) == sp->slab_stuck_offset) {
1797 1799 /*
1798 1800 * If this is the buffer that prevented the consolidator from
1799 1801 * clearing the slab, we can reset the slab flags now that the
1800 1802 * buffer is freed. (It makes sense to do this in
1801 1803 * kmem_cache_free(), where the client gives up ownership of the
1802 1804 * buffer, but on the hot path the test is too expensive.)
1803 1805 */
1804 1806 kmem_slab_move_yes(cp, sp, buf);
1805 1807 }
1806 1808
1807 1809 if ((cp->cache_flags & (KMF_AUDIT | KMF_BUFTAG)) == KMF_AUDIT) {
1808 1810 if (cp->cache_flags & KMF_CONTENTS)
1809 1811 ((kmem_bufctl_audit_t *)bcp)->bc_contents =
1810 1812 kmem_log_enter(kmem_content_log, buf,
1811 1813 cp->cache_contents);
1812 1814 KMEM_AUDIT(kmem_transaction_log, cp, bcp);
1813 1815 }
1814 1816
1815 1817 bcp->bc_next = sp->slab_head;
1816 1818 sp->slab_head = bcp;
1817 1819
1818 1820 cp->cache_bufslab++;
1819 1821 ASSERT(sp->slab_refcnt >= 1);
1820 1822
1821 1823 if (--sp->slab_refcnt == 0) {
1822 1824 /*
1823 1825 * There are no outstanding allocations from this slab,
1824 1826 * so we can reclaim the memory.
1825 1827 */
1826 1828 if (sp->slab_chunks == 1) {
1827 1829 list_remove(&cp->cache_complete_slabs, sp);
1828 1830 cp->cache_complete_slab_count--;
1829 1831 } else {
1830 1832 avl_remove(&cp->cache_partial_slabs, sp);
1831 1833 }
1832 1834
1833 1835 cp->cache_buftotal -= sp->slab_chunks;
1834 1836 cp->cache_bufslab -= sp->slab_chunks;
1835 1837 /*
1836 1838 * Defer releasing the slab to the virtual memory subsystem
1837 1839 * while there is a pending move callback, since we guarantee
1838 1840 * that buffers passed to the move callback have only been
1839 1841 * touched by kmem or by the client itself. Since the memory
1840 1842 * patterns baddcafe (uninitialized) and deadbeef (freed) both
1841 1843 * set at least one of the two lowest order bits, the client can
1842 1844 * test those bits in the move callback to determine whether or
1843 1845 * not it knows about the buffer (assuming that the client also
1844 1846 * sets one of those low order bits whenever it frees a buffer).
1845 1847 */
1846 1848 if (cp->cache_defrag == NULL ||
1847 1849 (avl_is_empty(&cp->cache_defrag->kmd_moves_pending) &&
1848 1850 !(sp->slab_flags & KMEM_SLAB_MOVE_PENDING))) {
1849 1851 cp->cache_slab_destroy++;
1850 1852 mutex_exit(&cp->cache_lock);
1851 1853 kmem_slab_destroy(cp, sp);
1852 1854 } else {
1853 1855 list_t *deadlist = &cp->cache_defrag->kmd_deadlist;
1854 1856 /*
1855 1857 * Slabs are inserted at both ends of the deadlist to
1856 1858 * distinguish between slabs freed while move callbacks
1857 1859 * are pending (list head) and a slab freed while the
1858 1860 * lock is dropped in kmem_move_buffers() (list tail) so
1859 1861 * that in both cases slab_destroy() is called from the
1860 1862 * right context.
1861 1863 */
1862 1864 if (sp->slab_flags & KMEM_SLAB_MOVE_PENDING) {
1863 1865 list_insert_tail(deadlist, sp);
1864 1866 } else {
1865 1867 list_insert_head(deadlist, sp);
1866 1868 }
1867 1869 cp->cache_defrag->kmd_deadcount++;
1868 1870 mutex_exit(&cp->cache_lock);
1869 1871 }
1870 1872 return;
1871 1873 }
1872 1874
1873 1875 if (bcp->bc_next == NULL) {
1874 1876 /* Transition the slab from completely allocated to partial. */
1875 1877 ASSERT(sp->slab_refcnt == (sp->slab_chunks - 1));
1876 1878 ASSERT(sp->slab_chunks > 1);
1877 1879 list_remove(&cp->cache_complete_slabs, sp);
1878 1880 cp->cache_complete_slab_count--;
1879 1881 avl_add(&cp->cache_partial_slabs, sp);
1880 1882 } else {
1881 1883 (void) avl_update_gt(&cp->cache_partial_slabs, sp);
1882 1884 }
1883 1885
1884 1886 ASSERT((cp->cache_slab_create - cp->cache_slab_destroy) ==
1885 1887 (cp->cache_complete_slab_count +
1886 1888 avl_numnodes(&cp->cache_partial_slabs) +
1887 1889 (cp->cache_defrag == NULL ? 0 : cp->cache_defrag->kmd_deadcount)));
1888 1890 mutex_exit(&cp->cache_lock);
1889 1891 }
1890 1892
1891 1893 /*
1892 1894 * Return -1 if kmem_error, 1 if constructor fails, 0 if successful.
1893 1895 */
1894 1896 static int
1895 1897 kmem_cache_alloc_debug(kmem_cache_t *cp, void *buf, int kmflag, int construct,
1896 1898 caddr_t caller)
1897 1899 {
1898 1900 kmem_buftag_t *btp = KMEM_BUFTAG(cp, buf);
1899 1901 kmem_bufctl_audit_t *bcp = (kmem_bufctl_audit_t *)btp->bt_bufctl;
1900 1902 uint32_t mtbf;
1901 1903
1902 1904 if (btp->bt_bxstat != ((intptr_t)bcp ^ KMEM_BUFTAG_FREE)) {
1903 1905 kmem_error(KMERR_BADBUFTAG, cp, buf);
1904 1906 return (-1);
1905 1907 }
1906 1908
1907 1909 btp->bt_bxstat = (intptr_t)bcp ^ KMEM_BUFTAG_ALLOC;
1908 1910
1909 1911 if ((cp->cache_flags & KMF_HASH) && bcp->bc_addr != buf) {
1910 1912 kmem_error(KMERR_BADBUFCTL, cp, buf);
1911 1913 return (-1);
1912 1914 }
1913 1915
1914 1916 if (cp->cache_flags & KMF_DEADBEEF) {
1915 1917 if (!construct && (cp->cache_flags & KMF_LITE)) {
1916 1918 if (*(uint64_t *)buf != KMEM_FREE_PATTERN) {
1917 1919 kmem_error(KMERR_MODIFIED, cp, buf);
1918 1920 return (-1);
1919 1921 }
1920 1922 if (cp->cache_constructor != NULL)
1921 1923 *(uint64_t *)buf = btp->bt_redzone;
1922 1924 else
1923 1925 *(uint64_t *)buf = KMEM_UNINITIALIZED_PATTERN;
1924 1926 } else {
1925 1927 construct = 1;
1926 1928 if (verify_and_copy_pattern(KMEM_FREE_PATTERN,
1927 1929 KMEM_UNINITIALIZED_PATTERN, buf,
1928 1930 cp->cache_verify)) {
1929 1931 kmem_error(KMERR_MODIFIED, cp, buf);
1930 1932 return (-1);
1931 1933 }
1932 1934 }
1933 1935 }
1934 1936 btp->bt_redzone = KMEM_REDZONE_PATTERN;
1935 1937
1936 1938 if ((mtbf = kmem_mtbf | cp->cache_mtbf) != 0 &&
1937 1939 gethrtime() % mtbf == 0 &&
1938 1940 (kmflag & (KM_NOSLEEP | KM_PANIC)) == KM_NOSLEEP) {
1939 1941 kmem_log_event(kmem_failure_log, cp, NULL, NULL);
1940 1942 if (!construct && cp->cache_destructor != NULL)
1941 1943 cp->cache_destructor(buf, cp->cache_private);
1942 1944 } else {
1943 1945 mtbf = 0;
1944 1946 }
1945 1947
1946 1948 if (mtbf || (construct && cp->cache_constructor != NULL &&
1947 1949 cp->cache_constructor(buf, cp->cache_private, kmflag) != 0)) {
1948 1950 atomic_inc_64(&cp->cache_alloc_fail);
1949 1951 btp->bt_bxstat = (intptr_t)bcp ^ KMEM_BUFTAG_FREE;
1950 1952 if (cp->cache_flags & KMF_DEADBEEF)
1951 1953 copy_pattern(KMEM_FREE_PATTERN, buf, cp->cache_verify);
1952 1954 kmem_slab_free(cp, buf);
1953 1955 return (1);
1954 1956 }
1955 1957
1956 1958 if (cp->cache_flags & KMF_AUDIT) {
1957 1959 KMEM_AUDIT(kmem_transaction_log, cp, bcp);
1958 1960 }
1959 1961
1960 1962 if ((cp->cache_flags & KMF_LITE) &&
1961 1963 !(cp->cache_cflags & KMC_KMEM_ALLOC)) {
1962 1964 KMEM_BUFTAG_LITE_ENTER(btp, kmem_lite_count, caller);
1963 1965 }
1964 1966
1965 1967 return (0);
1966 1968 }
1967 1969
1968 1970 static int
1969 1971 kmem_cache_free_debug(kmem_cache_t *cp, void *buf, caddr_t caller)
1970 1972 {
1971 1973 kmem_buftag_t *btp = KMEM_BUFTAG(cp, buf);
1972 1974 kmem_bufctl_audit_t *bcp = (kmem_bufctl_audit_t *)btp->bt_bufctl;
1973 1975 kmem_slab_t *sp;
1974 1976
1975 1977 if (btp->bt_bxstat != ((intptr_t)bcp ^ KMEM_BUFTAG_ALLOC)) {
1976 1978 if (btp->bt_bxstat == ((intptr_t)bcp ^ KMEM_BUFTAG_FREE)) {
1977 1979 kmem_error(KMERR_DUPFREE, cp, buf);
1978 1980 return (-1);
1979 1981 }
1980 1982 sp = kmem_findslab(cp, buf);
1981 1983 if (sp == NULL || sp->slab_cache != cp)
1982 1984 kmem_error(KMERR_BADADDR, cp, buf);
1983 1985 else
1984 1986 kmem_error(KMERR_REDZONE, cp, buf);
1985 1987 return (-1);
1986 1988 }
1987 1989
1988 1990 btp->bt_bxstat = (intptr_t)bcp ^ KMEM_BUFTAG_FREE;
1989 1991
1990 1992 if ((cp->cache_flags & KMF_HASH) && bcp->bc_addr != buf) {
1991 1993 kmem_error(KMERR_BADBUFCTL, cp, buf);
1992 1994 return (-1);
1993 1995 }
1994 1996
1995 1997 if (btp->bt_redzone != KMEM_REDZONE_PATTERN) {
1996 1998 kmem_error(KMERR_REDZONE, cp, buf);
1997 1999 return (-1);
1998 2000 }
1999 2001
2000 2002 if (cp->cache_flags & KMF_AUDIT) {
2001 2003 if (cp->cache_flags & KMF_CONTENTS)
2002 2004 bcp->bc_contents = kmem_log_enter(kmem_content_log,
2003 2005 buf, cp->cache_contents);
2004 2006 KMEM_AUDIT(kmem_transaction_log, cp, bcp);
2005 2007 }
2006 2008
2007 2009 if ((cp->cache_flags & KMF_LITE) &&
2008 2010 !(cp->cache_cflags & KMC_KMEM_ALLOC)) {
2009 2011 KMEM_BUFTAG_LITE_ENTER(btp, kmem_lite_count, caller);
2010 2012 }
2011 2013
2012 2014 if (cp->cache_flags & KMF_DEADBEEF) {
2013 2015 if (cp->cache_flags & KMF_LITE)
2014 2016 btp->bt_redzone = *(uint64_t *)buf;
2015 2017 else if (cp->cache_destructor != NULL)
2016 2018 cp->cache_destructor(buf, cp->cache_private);
2017 2019
2018 2020 copy_pattern(KMEM_FREE_PATTERN, buf, cp->cache_verify);
2019 2021 }
2020 2022
2021 2023 return (0);
2022 2024 }
2023 2025
2024 2026 /*
2025 2027 * Free each object in magazine mp to cp's slab layer, and free mp itself.
2026 2028 */
2027 2029 static void
2028 2030 kmem_magazine_destroy(kmem_cache_t *cp, kmem_magazine_t *mp, int nrounds)
2029 2031 {
2030 2032 int round;
2031 2033
2032 2034 ASSERT(!list_link_active(&cp->cache_link) ||
2033 2035 taskq_member(kmem_taskq, curthread));
2034 2036
2035 2037 for (round = 0; round < nrounds; round++) {
2036 2038 void *buf = mp->mag_round[round];
2037 2039
2038 2040 if (cp->cache_flags & KMF_DEADBEEF) {
2039 2041 if (verify_pattern(KMEM_FREE_PATTERN, buf,
2040 2042 cp->cache_verify) != NULL) {
2041 2043 kmem_error(KMERR_MODIFIED, cp, buf);
2042 2044 continue;
2043 2045 }
2044 2046 if ((cp->cache_flags & KMF_LITE) &&
2045 2047 cp->cache_destructor != NULL) {
2046 2048 kmem_buftag_t *btp = KMEM_BUFTAG(cp, buf);
2047 2049 *(uint64_t *)buf = btp->bt_redzone;
2048 2050 cp->cache_destructor(buf, cp->cache_private);
2049 2051 *(uint64_t *)buf = KMEM_FREE_PATTERN;
2050 2052 }
2051 2053 } else if (cp->cache_destructor != NULL) {
2052 2054 cp->cache_destructor(buf, cp->cache_private);
2053 2055 }
2054 2056
2055 2057 kmem_slab_free(cp, buf);
2056 2058 }
2057 2059 ASSERT(KMEM_MAGAZINE_VALID(cp, mp));
2058 2060 kmem_cache_free(cp->cache_magtype->mt_cache, mp);
2059 2061 }
2060 2062
2061 2063 /*
2062 2064 * Allocate a magazine from the depot.
2063 2065 */
2064 2066 static kmem_magazine_t *
2065 2067 kmem_depot_alloc(kmem_cache_t *cp, kmem_maglist_t *mlp)
2066 2068 {
2067 2069 kmem_magazine_t *mp;
2068 2070
2069 2071 /*
2070 2072 * If we can't get the depot lock without contention,
2071 2073 * update our contention count. We use the depot
2072 2074 * contention rate to determine whether we need to
2073 2075 * increase the magazine size for better scalability.
2074 2076 */
2075 2077 if (!mutex_tryenter(&cp->cache_depot_lock)) {
2076 2078 mutex_enter(&cp->cache_depot_lock);
2077 2079 cp->cache_depot_contention++;
2078 2080 }
2079 2081
2080 2082 if ((mp = mlp->ml_list) != NULL) {
2081 2083 ASSERT(KMEM_MAGAZINE_VALID(cp, mp));
2082 2084 mlp->ml_list = mp->mag_next;
2083 2085 if (--mlp->ml_total < mlp->ml_min)
2084 2086 mlp->ml_min = mlp->ml_total;
2085 2087 mlp->ml_alloc++;
2086 2088 }
2087 2089
2088 2090 mutex_exit(&cp->cache_depot_lock);
2089 2091
2090 2092 return (mp);
2091 2093 }
2092 2094
2093 2095 /*
2094 2096 * Free a magazine to the depot.
2095 2097 */
2096 2098 static void
2097 2099 kmem_depot_free(kmem_cache_t *cp, kmem_maglist_t *mlp, kmem_magazine_t *mp)
2098 2100 {
2099 2101 mutex_enter(&cp->cache_depot_lock);
2100 2102 ASSERT(KMEM_MAGAZINE_VALID(cp, mp));
2101 2103 mp->mag_next = mlp->ml_list;
2102 2104 mlp->ml_list = mp;
2103 2105 mlp->ml_total++;
2104 2106 mutex_exit(&cp->cache_depot_lock);
2105 2107 }
2106 2108
2107 2109 /*
2108 2110 * Update the working set statistics for cp's depot.
2109 2111 */
2110 2112 static void
2111 2113 kmem_depot_ws_update(kmem_cache_t *cp)
2112 2114 {
2113 2115 mutex_enter(&cp->cache_depot_lock);
2114 2116 cp->cache_full.ml_reaplimit = cp->cache_full.ml_min;
2115 2117 cp->cache_full.ml_min = cp->cache_full.ml_total;
2116 2118 cp->cache_empty.ml_reaplimit = cp->cache_empty.ml_min;
2117 2119 cp->cache_empty.ml_min = cp->cache_empty.ml_total;
2118 2120 mutex_exit(&cp->cache_depot_lock);
2119 2121 }
2120 2122
2121 2123 /*
2122 2124 * Set the working set statistics for cp's depot to zero. (Everything is
2123 2125 * eligible for reaping.)
2124 2126 */
2125 2127 static void
2126 2128 kmem_depot_ws_zero(kmem_cache_t *cp)
2127 2129 {
2128 2130 mutex_enter(&cp->cache_depot_lock);
2129 2131 cp->cache_full.ml_reaplimit = cp->cache_full.ml_total;
2130 2132 cp->cache_full.ml_min = cp->cache_full.ml_total;
2131 2133 cp->cache_empty.ml_reaplimit = cp->cache_empty.ml_total;
2132 2134 cp->cache_empty.ml_min = cp->cache_empty.ml_total;
2133 2135 mutex_exit(&cp->cache_depot_lock);
2134 2136 }
2135 2137
2136 2138 /*
2137 2139 * The number of bytes to reap before we call kpreempt(). The default (1MB)
2138 2140 * causes us to preempt reaping up to hundreds of times per second. Using a
2139 2141 * larger value (1GB) causes this to have virtually no effect.
2140 2142 */
2141 2143 size_t kmem_reap_preempt_bytes = 1024 * 1024;
2142 2144
2143 2145 /*
2144 2146 * Reap all magazines that have fallen out of the depot's working set.
2145 2147 */
2146 2148 static void
2147 2149 kmem_depot_ws_reap(kmem_cache_t *cp)
2148 2150 {
2149 2151 size_t bytes = 0;
2150 2152 long reap;
2151 2153 kmem_magazine_t *mp;
2152 2154
2153 2155 ASSERT(!list_link_active(&cp->cache_link) ||
2154 2156 taskq_member(kmem_taskq, curthread));
2155 2157
2156 2158 reap = MIN(cp->cache_full.ml_reaplimit, cp->cache_full.ml_min);
2157 2159 while (reap-- &&
2158 2160 (mp = kmem_depot_alloc(cp, &cp->cache_full)) != NULL) {
2159 2161 kmem_magazine_destroy(cp, mp, cp->cache_magtype->mt_magsize);
2160 2162 bytes += cp->cache_magtype->mt_magsize * cp->cache_bufsize;
2161 2163 if (bytes > kmem_reap_preempt_bytes) {
2162 2164 kpreempt(KPREEMPT_SYNC);
2163 2165 bytes = 0;
2164 2166 }
2165 2167 }
2166 2168
2167 2169 reap = MIN(cp->cache_empty.ml_reaplimit, cp->cache_empty.ml_min);
2168 2170 while (reap-- &&
2169 2171 (mp = kmem_depot_alloc(cp, &cp->cache_empty)) != NULL) {
2170 2172 kmem_magazine_destroy(cp, mp, 0);
2171 2173 bytes += cp->cache_magtype->mt_magsize * cp->cache_bufsize;
2172 2174 if (bytes > kmem_reap_preempt_bytes) {
2173 2175 kpreempt(KPREEMPT_SYNC);
2174 2176 bytes = 0;
2175 2177 }
2176 2178 }
2177 2179 }
2178 2180
2179 2181 static void
2180 2182 kmem_cpu_reload(kmem_cpu_cache_t *ccp, kmem_magazine_t *mp, int rounds)
2181 2183 {
2182 2184 ASSERT((ccp->cc_loaded == NULL && ccp->cc_rounds == -1) ||
2183 2185 (ccp->cc_loaded && ccp->cc_rounds + rounds == ccp->cc_magsize));
2184 2186 ASSERT(ccp->cc_magsize > 0);
2185 2187
2186 2188 ccp->cc_ploaded = ccp->cc_loaded;
2187 2189 ccp->cc_prounds = ccp->cc_rounds;
2188 2190 ccp->cc_loaded = mp;
2189 2191 ccp->cc_rounds = rounds;
2190 2192 }
2191 2193
2192 2194 /*
2193 2195 * Intercept kmem alloc/free calls during crash dump in order to avoid
2194 2196 * changing kmem state while memory is being saved to the dump device.
2195 2197 * Otherwise, ::kmem_verify will report "corrupt buffers". Note that
2196 2198 * there are no locks because only one CPU calls kmem during a crash
2197 2199 * dump. To enable this feature, first create the associated vmem
2198 2200 * arena with VMC_DUMPSAFE.
2199 2201 */
2200 2202 static void *kmem_dump_start; /* start of pre-reserved heap */
2201 2203 static void *kmem_dump_end; /* end of heap area */
2202 2204 static void *kmem_dump_curr; /* current free heap pointer */
2203 2205 static size_t kmem_dump_size; /* size of heap area */
2204 2206
2205 2207 /* append to each buf created in the pre-reserved heap */
2206 2208 typedef struct kmem_dumpctl {
2207 2209 void *kdc_next; /* cache dump free list linkage */
2208 2210 } kmem_dumpctl_t;
2209 2211
2210 2212 #define KMEM_DUMPCTL(cp, buf) \
2211 2213 ((kmem_dumpctl_t *)P2ROUNDUP((uintptr_t)(buf) + (cp)->cache_bufsize, \
2212 2214 sizeof (void *)))
2213 2215
2214 2216 /* set non zero for full report */
2215 2217 uint_t kmem_dump_verbose = 0;
2216 2218
2217 2219 /* stats for overize heap */
2218 2220 uint_t kmem_dump_oversize_allocs = 0;
2219 2221 uint_t kmem_dump_oversize_max = 0;
2220 2222
2221 2223 static void
2222 2224 kmem_dumppr(char **pp, char *e, const char *format, ...)
2223 2225 {
2224 2226 char *p = *pp;
2225 2227
2226 2228 if (p < e) {
2227 2229 int n;
2228 2230 va_list ap;
2229 2231
2230 2232 va_start(ap, format);
2231 2233 n = vsnprintf(p, e - p, format, ap);
2232 2234 va_end(ap);
2233 2235 *pp = p + n;
2234 2236 }
2235 2237 }
2236 2238
2237 2239 /*
2238 2240 * Called when dumpadm(1M) configures dump parameters.
2239 2241 */
2240 2242 void
2241 2243 kmem_dump_init(size_t size)
2242 2244 {
2243 2245 /* Our caller ensures size is always set. */
2244 2246 ASSERT3U(size, >, 0);
2245 2247
2246 2248 if (kmem_dump_start != NULL)
2247 2249 kmem_free(kmem_dump_start, kmem_dump_size);
2248 2250
2249 2251 kmem_dump_start = kmem_alloc(size, KM_SLEEP);
2250 2252 kmem_dump_size = size;
2251 2253 kmem_dump_curr = kmem_dump_start;
2252 2254 kmem_dump_end = (void *)((char *)kmem_dump_start + size);
2253 2255 copy_pattern(KMEM_UNINITIALIZED_PATTERN, kmem_dump_start, size);
2254 2256 }
2255 2257
2256 2258 /*
2257 2259 * Set flag for each kmem_cache_t if is safe to use alternate dump
2258 2260 * memory. Called just before panic crash dump starts. Set the flag
2259 2261 * for the calling CPU.
2260 2262 */
2261 2263 void
2262 2264 kmem_dump_begin(void)
2263 2265 {
2264 2266 kmem_cache_t *cp;
2265 2267
2266 2268 ASSERT(panicstr != NULL);
2267 2269
2268 2270 for (cp = list_head(&kmem_caches); cp != NULL;
2269 2271 cp = list_next(&kmem_caches, cp)) {
2270 2272 kmem_cpu_cache_t *ccp = KMEM_CPU_CACHE(cp);
2271 2273
2272 2274 if (cp->cache_arena->vm_cflags & VMC_DUMPSAFE) {
2273 2275 cp->cache_flags |= KMF_DUMPDIVERT;
2274 2276 ccp->cc_flags |= KMF_DUMPDIVERT;
2275 2277 ccp->cc_dump_rounds = ccp->cc_rounds;
2276 2278 ccp->cc_dump_prounds = ccp->cc_prounds;
2277 2279 ccp->cc_rounds = ccp->cc_prounds = -1;
2278 2280 } else {
2279 2281 cp->cache_flags |= KMF_DUMPUNSAFE;
2280 2282 ccp->cc_flags |= KMF_DUMPUNSAFE;
2281 2283 }
2282 2284 }
2283 2285 }
2284 2286
2285 2287 /*
2286 2288 * finished dump intercept
2287 2289 * print any warnings on the console
2288 2290 * return verbose information to dumpsys() in the given buffer
2289 2291 */
2290 2292 size_t
2291 2293 kmem_dump_finish(char *buf, size_t size)
2292 2294 {
2293 2295 int percent = 0;
2294 2296 size_t used;
2295 2297 char *e = buf + size;
2296 2298 char *p = buf;
2297 2299
2298 2300 if (kmem_dump_curr == kmem_dump_end) {
2299 2301 cmn_err(CE_WARN, "exceeded kmem_dump space of %lu "
2300 2302 "bytes: kmem state in dump may be inconsistent",
2301 2303 kmem_dump_size);
2302 2304 }
2303 2305
2304 2306 if (kmem_dump_verbose == 0)
2305 2307 return (0);
2306 2308
2307 2309 used = (char *)kmem_dump_curr - (char *)kmem_dump_start;
2308 2310 percent = (used * 100) / kmem_dump_size;
2309 2311
2310 2312 kmem_dumppr(&p, e, "%% heap used,%d\n", percent);
2311 2313 kmem_dumppr(&p, e, "used bytes,%ld\n", used);
2312 2314 kmem_dumppr(&p, e, "heap size,%ld\n", kmem_dump_size);
2313 2315 kmem_dumppr(&p, e, "Oversize allocs,%d\n",
2314 2316 kmem_dump_oversize_allocs);
2315 2317 kmem_dumppr(&p, e, "Oversize max size,%ld\n",
2316 2318 kmem_dump_oversize_max);
2317 2319
2318 2320 /* return buffer size used */
2319 2321 if (p < e)
2320 2322 bzero(p, e - p);
2321 2323 return (p - buf);
2322 2324 }
2323 2325
2324 2326 /*
2325 2327 * Allocate a constructed object from alternate dump memory.
2326 2328 */
2327 2329 void *
2328 2330 kmem_cache_alloc_dump(kmem_cache_t *cp, int kmflag)
2329 2331 {
2330 2332 void *buf;
2331 2333 void *curr;
2332 2334 char *bufend;
2333 2335
2334 2336 /* return a constructed object */
2335 2337 if ((buf = cp->cache_dump.kd_freelist) != NULL) {
2336 2338 cp->cache_dump.kd_freelist = KMEM_DUMPCTL(cp, buf)->kdc_next;
2337 2339 return (buf);
2338 2340 }
2339 2341
2340 2342 /* create a new constructed object */
2341 2343 curr = kmem_dump_curr;
2342 2344 buf = (void *)P2ROUNDUP((uintptr_t)curr, cp->cache_align);
2343 2345 bufend = (char *)KMEM_DUMPCTL(cp, buf) + sizeof (kmem_dumpctl_t);
2344 2346
2345 2347 /* hat layer objects cannot cross a page boundary */
2346 2348 if (cp->cache_align < PAGESIZE) {
2347 2349 char *page = (char *)P2ROUNDUP((uintptr_t)buf, PAGESIZE);
2348 2350 if (bufend > page) {
2349 2351 bufend += page - (char *)buf;
2350 2352 buf = (void *)page;
2351 2353 }
2352 2354 }
2353 2355
2354 2356 /* fall back to normal alloc if reserved area is used up */
2355 2357 if (bufend > (char *)kmem_dump_end) {
2356 2358 kmem_dump_curr = kmem_dump_end;
2357 2359 cp->cache_dump.kd_alloc_fails++;
2358 2360 return (NULL);
2359 2361 }
2360 2362
2361 2363 /*
2362 2364 * Must advance curr pointer before calling a constructor that
2363 2365 * may also allocate memory.
2364 2366 */
2365 2367 kmem_dump_curr = bufend;
2366 2368
2367 2369 /* run constructor */
2368 2370 if (cp->cache_constructor != NULL &&
2369 2371 cp->cache_constructor(buf, cp->cache_private, kmflag)
2370 2372 != 0) {
2371 2373 #ifdef DEBUG
2372 2374 printf("name='%s' cache=0x%p: kmem cache constructor failed\n",
2373 2375 cp->cache_name, (void *)cp);
2374 2376 #endif
2375 2377 /* reset curr pointer iff no allocs were done */
2376 2378 if (kmem_dump_curr == bufend)
2377 2379 kmem_dump_curr = curr;
2378 2380
2379 2381 cp->cache_dump.kd_alloc_fails++;
2380 2382 /* fall back to normal alloc if the constructor fails */
2381 2383 return (NULL);
2382 2384 }
2383 2385
2384 2386 return (buf);
2385 2387 }
2386 2388
2387 2389 /*
2388 2390 * Free a constructed object in alternate dump memory.
2389 2391 */
2390 2392 int
2391 2393 kmem_cache_free_dump(kmem_cache_t *cp, void *buf)
2392 2394 {
2393 2395 /* save constructed buffers for next time */
2394 2396 if ((char *)buf >= (char *)kmem_dump_start &&
2395 2397 (char *)buf < (char *)kmem_dump_end) {
2396 2398 KMEM_DUMPCTL(cp, buf)->kdc_next = cp->cache_dump.kd_freelist;
2397 2399 cp->cache_dump.kd_freelist = buf;
2398 2400 return (0);
2399 2401 }
2400 2402
2401 2403 /* just drop buffers that were allocated before dump started */
2402 2404 if (kmem_dump_curr < kmem_dump_end)
2403 2405 return (0);
2404 2406
2405 2407 /* fall back to normal free if reserved area is used up */
2406 2408 return (1);
2407 2409 }
2408 2410
2409 2411 /*
2410 2412 * Allocate a constructed object from cache cp.
2411 2413 */
2412 2414 void *
2413 2415 kmem_cache_alloc(kmem_cache_t *cp, int kmflag)
2414 2416 {
2415 2417 kmem_cpu_cache_t *ccp = KMEM_CPU_CACHE(cp);
2416 2418 kmem_magazine_t *fmp;
2417 2419 void *buf;
2418 2420
2419 2421 mutex_enter(&ccp->cc_lock);
2420 2422 for (;;) {
2421 2423 /*
2422 2424 * If there's an object available in the current CPU's
2423 2425 * loaded magazine, just take it and return.
2424 2426 */
2425 2427 if (ccp->cc_rounds > 0) {
2426 2428 buf = ccp->cc_loaded->mag_round[--ccp->cc_rounds];
2427 2429 ccp->cc_alloc++;
2428 2430 mutex_exit(&ccp->cc_lock);
2429 2431 if (ccp->cc_flags & (KMF_BUFTAG | KMF_DUMPUNSAFE)) {
2430 2432 if (ccp->cc_flags & KMF_DUMPUNSAFE) {
2431 2433 ASSERT(!(ccp->cc_flags &
2432 2434 KMF_DUMPDIVERT));
2433 2435 cp->cache_dump.kd_unsafe++;
2434 2436 }
2435 2437 if ((ccp->cc_flags & KMF_BUFTAG) &&
2436 2438 kmem_cache_alloc_debug(cp, buf, kmflag, 0,
2437 2439 caller()) != 0) {
2438 2440 if (kmflag & KM_NOSLEEP)
2439 2441 return (NULL);
2440 2442 mutex_enter(&ccp->cc_lock);
2441 2443 continue;
2442 2444 }
2443 2445 }
2444 2446 return (buf);
2445 2447 }
2446 2448
2447 2449 /*
2448 2450 * The loaded magazine is empty. If the previously loaded
2449 2451 * magazine was full, exchange them and try again.
2450 2452 */
2451 2453 if (ccp->cc_prounds > 0) {
2452 2454 kmem_cpu_reload(ccp, ccp->cc_ploaded, ccp->cc_prounds);
2453 2455 continue;
2454 2456 }
2455 2457
2456 2458 /*
2457 2459 * Return an alternate buffer at dump time to preserve
2458 2460 * the heap.
2459 2461 */
2460 2462 if (ccp->cc_flags & (KMF_DUMPDIVERT | KMF_DUMPUNSAFE)) {
2461 2463 if (ccp->cc_flags & KMF_DUMPUNSAFE) {
2462 2464 ASSERT(!(ccp->cc_flags & KMF_DUMPDIVERT));
2463 2465 /* log it so that we can warn about it */
2464 2466 cp->cache_dump.kd_unsafe++;
2465 2467 } else {
2466 2468 if ((buf = kmem_cache_alloc_dump(cp, kmflag)) !=
2467 2469 NULL) {
2468 2470 mutex_exit(&ccp->cc_lock);
2469 2471 return (buf);
2470 2472 }
2471 2473 break; /* fall back to slab layer */
2472 2474 }
2473 2475 }
2474 2476
2475 2477 /*
2476 2478 * If the magazine layer is disabled, break out now.
2477 2479 */
2478 2480 if (ccp->cc_magsize == 0)
2479 2481 break;
2480 2482
2481 2483 /*
2482 2484 * Try to get a full magazine from the depot.
2483 2485 */
2484 2486 fmp = kmem_depot_alloc(cp, &cp->cache_full);
2485 2487 if (fmp != NULL) {
2486 2488 if (ccp->cc_ploaded != NULL)
2487 2489 kmem_depot_free(cp, &cp->cache_empty,
2488 2490 ccp->cc_ploaded);
2489 2491 kmem_cpu_reload(ccp, fmp, ccp->cc_magsize);
2490 2492 continue;
2491 2493 }
2492 2494
2493 2495 /*
2494 2496 * There are no full magazines in the depot,
2495 2497 * so fall through to the slab layer.
2496 2498 */
2497 2499 break;
2498 2500 }
2499 2501 mutex_exit(&ccp->cc_lock);
2500 2502
2501 2503 /*
2502 2504 * We couldn't allocate a constructed object from the magazine layer,
2503 2505 * so get a raw buffer from the slab layer and apply its constructor.
2504 2506 */
2505 2507 buf = kmem_slab_alloc(cp, kmflag);
2506 2508
2507 2509 if (buf == NULL)
2508 2510 return (NULL);
2509 2511
2510 2512 if (cp->cache_flags & KMF_BUFTAG) {
2511 2513 /*
2512 2514 * Make kmem_cache_alloc_debug() apply the constructor for us.
2513 2515 */
2514 2516 int rc = kmem_cache_alloc_debug(cp, buf, kmflag, 1, caller());
2515 2517 if (rc != 0) {
2516 2518 if (kmflag & KM_NOSLEEP)
2517 2519 return (NULL);
2518 2520 /*
2519 2521 * kmem_cache_alloc_debug() detected corruption
2520 2522 * but didn't panic (kmem_panic <= 0). We should not be
2521 2523 * here because the constructor failed (indicated by a
2522 2524 * return code of 1). Try again.
2523 2525 */
2524 2526 ASSERT(rc == -1);
2525 2527 return (kmem_cache_alloc(cp, kmflag));
2526 2528 }
2527 2529 return (buf);
2528 2530 }
2529 2531
2530 2532 if (cp->cache_constructor != NULL &&
2531 2533 cp->cache_constructor(buf, cp->cache_private, kmflag) != 0) {
2532 2534 atomic_inc_64(&cp->cache_alloc_fail);
2533 2535 kmem_slab_free(cp, buf);
2534 2536 return (NULL);
2535 2537 }
2536 2538
2537 2539 return (buf);
2538 2540 }
2539 2541
2540 2542 /*
2541 2543 * The freed argument tells whether or not kmem_cache_free_debug() has already
2542 2544 * been called so that we can avoid the duplicate free error. For example, a
2543 2545 * buffer on a magazine has already been freed by the client but is still
2544 2546 * constructed.
2545 2547 */
2546 2548 static void
2547 2549 kmem_slab_free_constructed(kmem_cache_t *cp, void *buf, boolean_t freed)
2548 2550 {
2549 2551 if (!freed && (cp->cache_flags & KMF_BUFTAG))
2550 2552 if (kmem_cache_free_debug(cp, buf, caller()) == -1)
2551 2553 return;
2552 2554
2553 2555 /*
2554 2556 * Note that if KMF_DEADBEEF is in effect and KMF_LITE is not,
2555 2557 * kmem_cache_free_debug() will have already applied the destructor.
2556 2558 */
2557 2559 if ((cp->cache_flags & (KMF_DEADBEEF | KMF_LITE)) != KMF_DEADBEEF &&
2558 2560 cp->cache_destructor != NULL) {
2559 2561 if (cp->cache_flags & KMF_DEADBEEF) { /* KMF_LITE implied */
2560 2562 kmem_buftag_t *btp = KMEM_BUFTAG(cp, buf);
2561 2563 *(uint64_t *)buf = btp->bt_redzone;
2562 2564 cp->cache_destructor(buf, cp->cache_private);
2563 2565 *(uint64_t *)buf = KMEM_FREE_PATTERN;
2564 2566 } else {
2565 2567 cp->cache_destructor(buf, cp->cache_private);
2566 2568 }
2567 2569 }
2568 2570
2569 2571 kmem_slab_free(cp, buf);
2570 2572 }
2571 2573
2572 2574 /*
2573 2575 * Used when there's no room to free a buffer to the per-CPU cache.
2574 2576 * Drops and re-acquires &ccp->cc_lock, and returns non-zero if the
2575 2577 * caller should try freeing to the per-CPU cache again.
2576 2578 * Note that we don't directly install the magazine in the cpu cache,
2577 2579 * since its state may have changed wildly while the lock was dropped.
2578 2580 */
2579 2581 static int
2580 2582 kmem_cpucache_magazine_alloc(kmem_cpu_cache_t *ccp, kmem_cache_t *cp)
2581 2583 {
2582 2584 kmem_magazine_t *emp;
2583 2585 kmem_magtype_t *mtp;
2584 2586
2585 2587 ASSERT(MUTEX_HELD(&ccp->cc_lock));
2586 2588 ASSERT(((uint_t)ccp->cc_rounds == ccp->cc_magsize ||
2587 2589 ((uint_t)ccp->cc_rounds == -1)) &&
2588 2590 ((uint_t)ccp->cc_prounds == ccp->cc_magsize ||
2589 2591 ((uint_t)ccp->cc_prounds == -1)));
2590 2592
2591 2593 emp = kmem_depot_alloc(cp, &cp->cache_empty);
2592 2594 if (emp != NULL) {
2593 2595 if (ccp->cc_ploaded != NULL)
2594 2596 kmem_depot_free(cp, &cp->cache_full,
2595 2597 ccp->cc_ploaded);
2596 2598 kmem_cpu_reload(ccp, emp, 0);
2597 2599 return (1);
2598 2600 }
2599 2601 /*
2600 2602 * There are no empty magazines in the depot,
2601 2603 * so try to allocate a new one. We must drop all locks
2602 2604 * across kmem_cache_alloc() because lower layers may
2603 2605 * attempt to allocate from this cache.
2604 2606 */
2605 2607 mtp = cp->cache_magtype;
2606 2608 mutex_exit(&ccp->cc_lock);
2607 2609 emp = kmem_cache_alloc(mtp->mt_cache, KM_NOSLEEP);
2608 2610 mutex_enter(&ccp->cc_lock);
2609 2611
2610 2612 if (emp != NULL) {
2611 2613 /*
2612 2614 * We successfully allocated an empty magazine.
2613 2615 * However, we had to drop ccp->cc_lock to do it,
2614 2616 * so the cache's magazine size may have changed.
2615 2617 * If so, free the magazine and try again.
2616 2618 */
2617 2619 if (ccp->cc_magsize != mtp->mt_magsize) {
2618 2620 mutex_exit(&ccp->cc_lock);
2619 2621 kmem_cache_free(mtp->mt_cache, emp);
2620 2622 mutex_enter(&ccp->cc_lock);
2621 2623 return (1);
2622 2624 }
2623 2625
2624 2626 /*
2625 2627 * We got a magazine of the right size. Add it to
2626 2628 * the depot and try the whole dance again.
2627 2629 */
2628 2630 kmem_depot_free(cp, &cp->cache_empty, emp);
2629 2631 return (1);
2630 2632 }
2631 2633
2632 2634 /*
2633 2635 * We couldn't allocate an empty magazine,
2634 2636 * so fall through to the slab layer.
2635 2637 */
2636 2638 return (0);
2637 2639 }
2638 2640
2639 2641 /*
2640 2642 * Free a constructed object to cache cp.
2641 2643 */
2642 2644 void
2643 2645 kmem_cache_free(kmem_cache_t *cp, void *buf)
2644 2646 {
2645 2647 kmem_cpu_cache_t *ccp = KMEM_CPU_CACHE(cp);
2646 2648
2647 2649 /*
2648 2650 * The client must not free either of the buffers passed to the move
2649 2651 * callback function.
2650 2652 */
2651 2653 ASSERT(cp->cache_defrag == NULL ||
2652 2654 cp->cache_defrag->kmd_thread != curthread ||
2653 2655 (buf != cp->cache_defrag->kmd_from_buf &&
2654 2656 buf != cp->cache_defrag->kmd_to_buf));
2655 2657
2656 2658 if (ccp->cc_flags & (KMF_BUFTAG | KMF_DUMPDIVERT | KMF_DUMPUNSAFE)) {
2657 2659 if (ccp->cc_flags & KMF_DUMPUNSAFE) {
2658 2660 ASSERT(!(ccp->cc_flags & KMF_DUMPDIVERT));
2659 2661 /* log it so that we can warn about it */
2660 2662 cp->cache_dump.kd_unsafe++;
2661 2663 } else if (KMEM_DUMPCC(ccp) && !kmem_cache_free_dump(cp, buf)) {
2662 2664 return;
2663 2665 }
2664 2666 if (ccp->cc_flags & KMF_BUFTAG) {
2665 2667 if (kmem_cache_free_debug(cp, buf, caller()) == -1)
2666 2668 return;
2667 2669 }
2668 2670 }
2669 2671
2670 2672 mutex_enter(&ccp->cc_lock);
2671 2673 /*
2672 2674 * Any changes to this logic should be reflected in kmem_slab_prefill()
2673 2675 */
2674 2676 for (;;) {
2675 2677 /*
2676 2678 * If there's a slot available in the current CPU's
2677 2679 * loaded magazine, just put the object there and return.
2678 2680 */
2679 2681 if ((uint_t)ccp->cc_rounds < ccp->cc_magsize) {
2680 2682 ccp->cc_loaded->mag_round[ccp->cc_rounds++] = buf;
2681 2683 ccp->cc_free++;
2682 2684 mutex_exit(&ccp->cc_lock);
2683 2685 return;
2684 2686 }
2685 2687
2686 2688 /*
2687 2689 * The loaded magazine is full. If the previously loaded
2688 2690 * magazine was empty, exchange them and try again.
2689 2691 */
2690 2692 if (ccp->cc_prounds == 0) {
2691 2693 kmem_cpu_reload(ccp, ccp->cc_ploaded, ccp->cc_prounds);
2692 2694 continue;
2693 2695 }
2694 2696
2695 2697 /*
2696 2698 * If the magazine layer is disabled, break out now.
2697 2699 */
2698 2700 if (ccp->cc_magsize == 0)
2699 2701 break;
2700 2702
2701 2703 if (!kmem_cpucache_magazine_alloc(ccp, cp)) {
2702 2704 /*
2703 2705 * We couldn't free our constructed object to the
2704 2706 * magazine layer, so apply its destructor and free it
2705 2707 * to the slab layer.
2706 2708 */
2707 2709 break;
2708 2710 }
2709 2711 }
2710 2712 mutex_exit(&ccp->cc_lock);
2711 2713 kmem_slab_free_constructed(cp, buf, B_TRUE);
2712 2714 }
2713 2715
2714 2716 static void
2715 2717 kmem_slab_prefill(kmem_cache_t *cp, kmem_slab_t *sp)
2716 2718 {
2717 2719 kmem_cpu_cache_t *ccp = KMEM_CPU_CACHE(cp);
2718 2720 int cache_flags = cp->cache_flags;
2719 2721
2720 2722 kmem_bufctl_t *next, *head;
2721 2723 size_t nbufs;
2722 2724
2723 2725 /*
2724 2726 * Completely allocate the newly created slab and put the pre-allocated
2725 2727 * buffers in magazines. Any of the buffers that cannot be put in
2726 2728 * magazines must be returned to the slab.
2727 2729 */
2728 2730 ASSERT(MUTEX_HELD(&cp->cache_lock));
2729 2731 ASSERT((cache_flags & (KMF_PREFILL|KMF_BUFTAG)) == KMF_PREFILL);
2730 2732 ASSERT(cp->cache_constructor == NULL);
2731 2733 ASSERT(sp->slab_cache == cp);
2732 2734 ASSERT(sp->slab_refcnt == 1);
2733 2735 ASSERT(sp->slab_head != NULL && sp->slab_chunks > sp->slab_refcnt);
2734 2736 ASSERT(avl_find(&cp->cache_partial_slabs, sp, NULL) == NULL);
2735 2737
2736 2738 head = sp->slab_head;
2737 2739 nbufs = (sp->slab_chunks - sp->slab_refcnt);
2738 2740 sp->slab_head = NULL;
2739 2741 sp->slab_refcnt += nbufs;
2740 2742 cp->cache_bufslab -= nbufs;
2741 2743 cp->cache_slab_alloc += nbufs;
2742 2744 list_insert_head(&cp->cache_complete_slabs, sp);
2743 2745 cp->cache_complete_slab_count++;
2744 2746 mutex_exit(&cp->cache_lock);
2745 2747 mutex_enter(&ccp->cc_lock);
2746 2748
2747 2749 while (head != NULL) {
2748 2750 void *buf = KMEM_BUF(cp, head);
2749 2751 /*
2750 2752 * If there's a slot available in the current CPU's
2751 2753 * loaded magazine, just put the object there and
2752 2754 * continue.
2753 2755 */
2754 2756 if ((uint_t)ccp->cc_rounds < ccp->cc_magsize) {
2755 2757 ccp->cc_loaded->mag_round[ccp->cc_rounds++] =
2756 2758 buf;
2757 2759 ccp->cc_free++;
2758 2760 nbufs--;
2759 2761 head = head->bc_next;
2760 2762 continue;
2761 2763 }
2762 2764
2763 2765 /*
2764 2766 * The loaded magazine is full. If the previously
2765 2767 * loaded magazine was empty, exchange them and try
2766 2768 * again.
2767 2769 */
2768 2770 if (ccp->cc_prounds == 0) {
2769 2771 kmem_cpu_reload(ccp, ccp->cc_ploaded,
2770 2772 ccp->cc_prounds);
2771 2773 continue;
2772 2774 }
2773 2775
2774 2776 /*
2775 2777 * If the magazine layer is disabled, break out now.
2776 2778 */
2777 2779
2778 2780 if (ccp->cc_magsize == 0) {
2779 2781 break;
2780 2782 }
2781 2783
2782 2784 if (!kmem_cpucache_magazine_alloc(ccp, cp))
2783 2785 break;
2784 2786 }
2785 2787 mutex_exit(&ccp->cc_lock);
2786 2788 if (nbufs != 0) {
2787 2789 ASSERT(head != NULL);
2788 2790
2789 2791 /*
2790 2792 * If there was a failure, return remaining objects to
2791 2793 * the slab
2792 2794 */
2793 2795 while (head != NULL) {
2794 2796 ASSERT(nbufs != 0);
2795 2797 next = head->bc_next;
2796 2798 head->bc_next = NULL;
2797 2799 kmem_slab_free(cp, KMEM_BUF(cp, head));
2798 2800 head = next;
2799 2801 nbufs--;
2800 2802 }
2801 2803 }
2802 2804 ASSERT(head == NULL);
2803 2805 ASSERT(nbufs == 0);
2804 2806 mutex_enter(&cp->cache_lock);
2805 2807 }
2806 2808
2807 2809 void *
2808 2810 kmem_zalloc(size_t size, int kmflag)
2809 2811 {
2810 2812 size_t index;
2811 2813 void *buf;
2812 2814
2813 2815 if ((index = ((size - 1) >> KMEM_ALIGN_SHIFT)) < KMEM_ALLOC_TABLE_MAX) {
2814 2816 kmem_cache_t *cp = kmem_alloc_table[index];
2815 2817 buf = kmem_cache_alloc(cp, kmflag);
2816 2818 if (buf != NULL) {
2817 2819 if ((cp->cache_flags & KMF_BUFTAG) && !KMEM_DUMP(cp)) {
2818 2820 kmem_buftag_t *btp = KMEM_BUFTAG(cp, buf);
2819 2821 ((uint8_t *)buf)[size] = KMEM_REDZONE_BYTE;
2820 2822 ((uint32_t *)btp)[1] = KMEM_SIZE_ENCODE(size);
2821 2823
2822 2824 if (cp->cache_flags & KMF_LITE) {
2823 2825 KMEM_BUFTAG_LITE_ENTER(btp,
2824 2826 kmem_lite_count, caller());
2825 2827 }
2826 2828 }
2827 2829 bzero(buf, size);
2828 2830 }
2829 2831 } else {
2830 2832 buf = kmem_alloc(size, kmflag);
2831 2833 if (buf != NULL)
2832 2834 bzero(buf, size);
2833 2835 }
2834 2836 return (buf);
2835 2837 }
2836 2838
2837 2839 void *
2838 2840 kmem_alloc(size_t size, int kmflag)
2839 2841 {
2840 2842 size_t index;
2841 2843 kmem_cache_t *cp;
2842 2844 void *buf;
2843 2845
2844 2846 if ((index = ((size - 1) >> KMEM_ALIGN_SHIFT)) < KMEM_ALLOC_TABLE_MAX) {
2845 2847 cp = kmem_alloc_table[index];
2846 2848 /* fall through to kmem_cache_alloc() */
2847 2849
2848 2850 } else if ((index = ((size - 1) >> KMEM_BIG_SHIFT)) <
2849 2851 kmem_big_alloc_table_max) {
2850 2852 cp = kmem_big_alloc_table[index];
2851 2853 /* fall through to kmem_cache_alloc() */
2852 2854
2853 2855 } else {
2854 2856 if (size == 0)
2855 2857 return (NULL);
2856 2858
2857 2859 buf = vmem_alloc(kmem_oversize_arena, size,
2858 2860 kmflag & KM_VMFLAGS);
2859 2861 if (buf == NULL)
2860 2862 kmem_log_event(kmem_failure_log, NULL, NULL,
2861 2863 (void *)size);
2862 2864 else if (KMEM_DUMP(kmem_slab_cache)) {
2863 2865 /* stats for dump intercept */
2864 2866 kmem_dump_oversize_allocs++;
2865 2867 if (size > kmem_dump_oversize_max)
2866 2868 kmem_dump_oversize_max = size;
2867 2869 }
2868 2870 return (buf);
2869 2871 }
2870 2872
2871 2873 buf = kmem_cache_alloc(cp, kmflag);
2872 2874 if ((cp->cache_flags & KMF_BUFTAG) && !KMEM_DUMP(cp) && buf != NULL) {
2873 2875 kmem_buftag_t *btp = KMEM_BUFTAG(cp, buf);
2874 2876 ((uint8_t *)buf)[size] = KMEM_REDZONE_BYTE;
2875 2877 ((uint32_t *)btp)[1] = KMEM_SIZE_ENCODE(size);
2876 2878
2877 2879 if (cp->cache_flags & KMF_LITE) {
2878 2880 KMEM_BUFTAG_LITE_ENTER(btp, kmem_lite_count, caller());
2879 2881 }
2880 2882 }
2881 2883 return (buf);
2882 2884 }
2883 2885
2884 2886 void
2885 2887 kmem_free(void *buf, size_t size)
2886 2888 {
2887 2889 size_t index;
2888 2890 kmem_cache_t *cp;
2889 2891
2890 2892 if ((index = (size - 1) >> KMEM_ALIGN_SHIFT) < KMEM_ALLOC_TABLE_MAX) {
2891 2893 cp = kmem_alloc_table[index];
2892 2894 /* fall through to kmem_cache_free() */
2893 2895
2894 2896 } else if ((index = ((size - 1) >> KMEM_BIG_SHIFT)) <
2895 2897 kmem_big_alloc_table_max) {
2896 2898 cp = kmem_big_alloc_table[index];
2897 2899 /* fall through to kmem_cache_free() */
2898 2900
2899 2901 } else {
2900 2902 EQUIV(buf == NULL, size == 0);
2901 2903 if (buf == NULL && size == 0)
2902 2904 return;
2903 2905 vmem_free(kmem_oversize_arena, buf, size);
2904 2906 return;
2905 2907 }
2906 2908
2907 2909 if ((cp->cache_flags & KMF_BUFTAG) && !KMEM_DUMP(cp)) {
2908 2910 kmem_buftag_t *btp = KMEM_BUFTAG(cp, buf);
2909 2911 uint32_t *ip = (uint32_t *)btp;
2910 2912 if (ip[1] != KMEM_SIZE_ENCODE(size)) {
2911 2913 if (*(uint64_t *)buf == KMEM_FREE_PATTERN) {
2912 2914 kmem_error(KMERR_DUPFREE, cp, buf);
2913 2915 return;
2914 2916 }
2915 2917 if (KMEM_SIZE_VALID(ip[1])) {
2916 2918 ip[0] = KMEM_SIZE_ENCODE(size);
2917 2919 kmem_error(KMERR_BADSIZE, cp, buf);
2918 2920 } else {
2919 2921 kmem_error(KMERR_REDZONE, cp, buf);
2920 2922 }
2921 2923 return;
2922 2924 }
2923 2925 if (((uint8_t *)buf)[size] != KMEM_REDZONE_BYTE) {
2924 2926 kmem_error(KMERR_REDZONE, cp, buf);
2925 2927 return;
2926 2928 }
2927 2929 btp->bt_redzone = KMEM_REDZONE_PATTERN;
2928 2930 if (cp->cache_flags & KMF_LITE) {
2929 2931 KMEM_BUFTAG_LITE_ENTER(btp, kmem_lite_count,
2930 2932 caller());
2931 2933 }
2932 2934 }
2933 2935 kmem_cache_free(cp, buf);
2934 2936 }
2935 2937
2936 2938 void *
2937 2939 kmem_firewall_va_alloc(vmem_t *vmp, size_t size, int vmflag)
2938 2940 {
2939 2941 size_t realsize = size + vmp->vm_quantum;
2940 2942 void *addr;
2941 2943
2942 2944 /*
2943 2945 * Annoying edge case: if 'size' is just shy of ULONG_MAX, adding
2944 2946 * vm_quantum will cause integer wraparound. Check for this, and
2945 2947 * blow off the firewall page in this case. Note that such a
2946 2948 * giant allocation (the entire kernel address space) can never
2947 2949 * be satisfied, so it will either fail immediately (VM_NOSLEEP)
2948 2950 * or sleep forever (VM_SLEEP). Thus, there is no need for a
2949 2951 * corresponding check in kmem_firewall_va_free().
2950 2952 */
2951 2953 if (realsize < size)
2952 2954 realsize = size;
2953 2955
2954 2956 /*
2955 2957 * While boot still owns resource management, make sure that this
2956 2958 * redzone virtual address allocation is properly accounted for in
2957 2959 * OBPs "virtual-memory" "available" lists because we're
2958 2960 * effectively claiming them for a red zone. If we don't do this,
2959 2961 * the available lists become too fragmented and too large for the
2960 2962 * current boot/kernel memory list interface.
2961 2963 */
2962 2964 addr = vmem_alloc(vmp, realsize, vmflag | VM_NEXTFIT);
2963 2965
2964 2966 if (addr != NULL && kvseg.s_base == NULL && realsize != size)
2965 2967 (void) boot_virt_alloc((char *)addr + size, vmp->vm_quantum);
2966 2968
2967 2969 return (addr);
2968 2970 }
2969 2971
2970 2972 void
2971 2973 kmem_firewall_va_free(vmem_t *vmp, void *addr, size_t size)
2972 2974 {
2973 2975 ASSERT((kvseg.s_base == NULL ?
2974 2976 va_to_pfn((char *)addr + size) :
2975 2977 hat_getpfnum(kas.a_hat, (caddr_t)addr + size)) == PFN_INVALID);
2976 2978
2977 2979 vmem_free(vmp, addr, size + vmp->vm_quantum);
2978 2980 }
2979 2981
2980 2982 /*
2981 2983 * Try to allocate at least `size' bytes of memory without sleeping or
2982 2984 * panicking. Return actual allocated size in `asize'. If allocation failed,
2983 2985 * try final allocation with sleep or panic allowed.
2984 2986 */
2985 2987 void *
2986 2988 kmem_alloc_tryhard(size_t size, size_t *asize, int kmflag)
2987 2989 {
2988 2990 void *p;
2989 2991
2990 2992 *asize = P2ROUNDUP(size, KMEM_ALIGN);
2991 2993 do {
2992 2994 p = kmem_alloc(*asize, (kmflag | KM_NOSLEEP) & ~KM_PANIC);
2993 2995 if (p != NULL)
2994 2996 return (p);
2995 2997 *asize += KMEM_ALIGN;
2996 2998 } while (*asize <= PAGESIZE);
2997 2999
2998 3000 *asize = P2ROUNDUP(size, KMEM_ALIGN);
2999 3001 return (kmem_alloc(*asize, kmflag));
3000 3002 }
3001 3003
3002 3004 /*
3003 3005 * Reclaim all unused memory from a cache.
3004 3006 */
3005 3007 static void
3006 3008 kmem_cache_reap(kmem_cache_t *cp)
3007 3009 {
3008 3010 ASSERT(taskq_member(kmem_taskq, curthread));
3009 3011 cp->cache_reap++;
3010 3012
3011 3013 /*
3012 3014 * Ask the cache's owner to free some memory if possible.
3013 3015 * The idea is to handle things like the inode cache, which
3014 3016 * typically sits on a bunch of memory that it doesn't truly
3015 3017 * *need*. Reclaim policy is entirely up to the owner; this
3016 3018 * callback is just an advisory plea for help.
3017 3019 */
3018 3020 if (cp->cache_reclaim != NULL) {
3019 3021 long delta;
3020 3022
3021 3023 /*
3022 3024 * Reclaimed memory should be reapable (not included in the
3023 3025 * depot's working set).
3024 3026 */
3025 3027 delta = cp->cache_full.ml_total;
3026 3028 cp->cache_reclaim(cp->cache_private);
3027 3029 delta = cp->cache_full.ml_total - delta;
3028 3030 if (delta > 0) {
3029 3031 mutex_enter(&cp->cache_depot_lock);
3030 3032 cp->cache_full.ml_reaplimit += delta;
3031 3033 cp->cache_full.ml_min += delta;
3032 3034 mutex_exit(&cp->cache_depot_lock);
3033 3035 }
3034 3036 }
3035 3037
3036 3038 kmem_depot_ws_reap(cp);
3037 3039
3038 3040 if (cp->cache_defrag != NULL && !kmem_move_noreap) {
3039 3041 kmem_cache_defrag(cp);
3040 3042 }
3041 3043 }
3042 3044
3043 3045 static void
3044 3046 kmem_reap_timeout(void *flag_arg)
3045 3047 {
3046 3048 uint32_t *flag = (uint32_t *)flag_arg;
3047 3049
3048 3050 ASSERT(flag == &kmem_reaping || flag == &kmem_reaping_idspace);
3049 3051 *flag = 0;
3050 3052 }
3051 3053
3052 3054 static void
3053 3055 kmem_reap_done(void *flag)
3054 3056 {
3055 3057 if (!callout_init_done) {
3056 3058 /* can't schedule a timeout at this point */
3057 3059 kmem_reap_timeout(flag);
3058 3060 } else {
3059 3061 (void) timeout(kmem_reap_timeout, flag, kmem_reap_interval);
3060 3062 }
3061 3063 }
3062 3064
3063 3065 static void
3064 3066 kmem_reap_start(void *flag)
3065 3067 {
3066 3068 ASSERT(flag == &kmem_reaping || flag == &kmem_reaping_idspace);
3067 3069
3068 3070 if (flag == &kmem_reaping) {
3069 3071 kmem_cache_applyall(kmem_cache_reap, kmem_taskq, TQ_NOSLEEP);
3070 3072 /*
3071 3073 * if we have segkp under heap, reap segkp cache.
3072 3074 */
3073 3075 if (segkp_fromheap)
3074 3076 segkp_cache_free();
3075 3077 }
3076 3078 else
3077 3079 kmem_cache_applyall_id(kmem_cache_reap, kmem_taskq, TQ_NOSLEEP);
3078 3080
3079 3081 /*
3080 3082 * We use taskq_dispatch() to schedule a timeout to clear
3081 3083 * the flag so that kmem_reap() becomes self-throttling:
3082 3084 * we won't reap again until the current reap completes *and*
3083 3085 * at least kmem_reap_interval ticks have elapsed.
3084 3086 */
3085 3087 if (!taskq_dispatch(kmem_taskq, kmem_reap_done, flag, TQ_NOSLEEP))
3086 3088 kmem_reap_done(flag);
3087 3089 }
3088 3090
3089 3091 static void
3090 3092 kmem_reap_common(void *flag_arg)
3091 3093 {
3092 3094 uint32_t *flag = (uint32_t *)flag_arg;
3093 3095
3094 3096 if (MUTEX_HELD(&kmem_cache_lock) || kmem_taskq == NULL ||
3095 3097 atomic_cas_32(flag, 0, 1) != 0)
3096 3098 return;
3097 3099
3098 3100 /*
3099 3101 * It may not be kosher to do memory allocation when a reap is called
3100 3102 * (for example, if vmem_populate() is in the call chain). So we
3101 3103 * start the reap going with a TQ_NOALLOC dispatch. If the dispatch
3102 3104 * fails, we reset the flag, and the next reap will try again.
3103 3105 */
3104 3106 if (!taskq_dispatch(kmem_taskq, kmem_reap_start, flag, TQ_NOALLOC))
3105 3107 *flag = 0;
3106 3108 }
3107 3109
3108 3110 /*
3109 3111 * Reclaim all unused memory from all caches. Called from the VM system
3110 3112 * when memory gets tight.
3111 3113 */
3112 3114 void
3113 3115 kmem_reap(void)
3114 3116 {
3115 3117 kmem_reap_common(&kmem_reaping);
3116 3118 }
3117 3119
3118 3120 /*
3119 3121 * Reclaim all unused memory from identifier arenas, called when a vmem
3120 3122 * arena not back by memory is exhausted. Since reaping memory-backed caches
3121 3123 * cannot help with identifier exhaustion, we avoid both a large amount of
3122 3124 * work and unwanted side-effects from reclaim callbacks.
3123 3125 */
3124 3126 void
3125 3127 kmem_reap_idspace(void)
3126 3128 {
3127 3129 kmem_reap_common(&kmem_reaping_idspace);
3128 3130 }
3129 3131
3130 3132 /*
3131 3133 * Purge all magazines from a cache and set its magazine limit to zero.
3132 3134 * All calls are serialized by the kmem_taskq lock, except for the final
3133 3135 * call from kmem_cache_destroy().
3134 3136 */
3135 3137 static void
3136 3138 kmem_cache_magazine_purge(kmem_cache_t *cp)
3137 3139 {
3138 3140 kmem_cpu_cache_t *ccp;
3139 3141 kmem_magazine_t *mp, *pmp;
3140 3142 int rounds, prounds, cpu_seqid;
3141 3143
3142 3144 ASSERT(!list_link_active(&cp->cache_link) ||
3143 3145 taskq_member(kmem_taskq, curthread));
3144 3146 ASSERT(MUTEX_NOT_HELD(&cp->cache_lock));
3145 3147
3146 3148 for (cpu_seqid = 0; cpu_seqid < max_ncpus; cpu_seqid++) {
3147 3149 ccp = &cp->cache_cpu[cpu_seqid];
3148 3150
3149 3151 mutex_enter(&ccp->cc_lock);
3150 3152 mp = ccp->cc_loaded;
3151 3153 pmp = ccp->cc_ploaded;
3152 3154 rounds = ccp->cc_rounds;
3153 3155 prounds = ccp->cc_prounds;
3154 3156 ccp->cc_loaded = NULL;
3155 3157 ccp->cc_ploaded = NULL;
3156 3158 ccp->cc_rounds = -1;
3157 3159 ccp->cc_prounds = -1;
3158 3160 ccp->cc_magsize = 0;
3159 3161 mutex_exit(&ccp->cc_lock);
3160 3162
3161 3163 if (mp)
3162 3164 kmem_magazine_destroy(cp, mp, rounds);
3163 3165 if (pmp)
3164 3166 kmem_magazine_destroy(cp, pmp, prounds);
3165 3167 }
3166 3168
3167 3169 kmem_depot_ws_zero(cp);
3168 3170 kmem_depot_ws_reap(cp);
3169 3171 }
3170 3172
3171 3173 /*
3172 3174 * Enable per-cpu magazines on a cache.
3173 3175 */
3174 3176 static void
3175 3177 kmem_cache_magazine_enable(kmem_cache_t *cp)
3176 3178 {
3177 3179 int cpu_seqid;
3178 3180
3179 3181 if (cp->cache_flags & KMF_NOMAGAZINE)
3180 3182 return;
3181 3183
3182 3184 for (cpu_seqid = 0; cpu_seqid < max_ncpus; cpu_seqid++) {
3183 3185 kmem_cpu_cache_t *ccp = &cp->cache_cpu[cpu_seqid];
3184 3186 mutex_enter(&ccp->cc_lock);
3185 3187 ccp->cc_magsize = cp->cache_magtype->mt_magsize;
3186 3188 mutex_exit(&ccp->cc_lock);
3187 3189 }
3188 3190
3189 3191 }
3190 3192
3191 3193 /*
3192 3194 * Allow our caller to determine if there are running reaps.
3193 3195 *
3194 3196 * This call is very conservative and may return B_TRUE even when
3195 3197 * reaping activity isn't active. If it returns B_FALSE, then reaping
3196 3198 * activity is definitely inactive.
3197 3199 */
3198 3200 boolean_t
3199 3201 kmem_cache_reap_active(void)
3200 3202 {
3201 3203 return (!taskq_empty(kmem_taskq));
3202 3204 }
3203 3205
3204 3206 /*
3205 3207 * Reap (almost) everything soon.
3206 3208 *
3207 3209 * Note: this does not wait for the reap-tasks to complete. Caller
3208 3210 * should use kmem_cache_reap_active() (above) and/or moderation to
3209 3211 * avoid scheduling too many reap-tasks.
3210 3212 */
3211 3213 void
3212 3214 kmem_cache_reap_soon(kmem_cache_t *cp)
3213 3215 {
3214 3216 ASSERT(list_link_active(&cp->cache_link));
3215 3217
3216 3218 kmem_depot_ws_zero(cp);
3217 3219
3218 3220 (void) taskq_dispatch(kmem_taskq,
3219 3221 (task_func_t *)kmem_depot_ws_reap, cp, TQ_SLEEP);
3220 3222 }
3221 3223
3222 3224 /*
3223 3225 * Recompute a cache's magazine size. The trade-off is that larger magazines
3224 3226 * provide a higher transfer rate with the depot, while smaller magazines
3225 3227 * reduce memory consumption. Magazine resizing is an expensive operation;
3226 3228 * it should not be done frequently.
3227 3229 *
3228 3230 * Changes to the magazine size are serialized by the kmem_taskq lock.
3229 3231 *
3230 3232 * Note: at present this only grows the magazine size. It might be useful
3231 3233 * to allow shrinkage too.
3232 3234 */
3233 3235 static void
3234 3236 kmem_cache_magazine_resize(kmem_cache_t *cp)
3235 3237 {
3236 3238 kmem_magtype_t *mtp = cp->cache_magtype;
3237 3239
3238 3240 ASSERT(taskq_member(kmem_taskq, curthread));
3239 3241
3240 3242 if (cp->cache_chunksize < mtp->mt_maxbuf) {
3241 3243 kmem_cache_magazine_purge(cp);
3242 3244 mutex_enter(&cp->cache_depot_lock);
3243 3245 cp->cache_magtype = ++mtp;
3244 3246 cp->cache_depot_contention_prev =
3245 3247 cp->cache_depot_contention + INT_MAX;
3246 3248 mutex_exit(&cp->cache_depot_lock);
3247 3249 kmem_cache_magazine_enable(cp);
3248 3250 }
3249 3251 }
3250 3252
3251 3253 /*
3252 3254 * Rescale a cache's hash table, so that the table size is roughly the
3253 3255 * cache size. We want the average lookup time to be extremely small.
3254 3256 */
3255 3257 static void
3256 3258 kmem_hash_rescale(kmem_cache_t *cp)
3257 3259 {
3258 3260 kmem_bufctl_t **old_table, **new_table, *bcp;
3259 3261 size_t old_size, new_size, h;
3260 3262
3261 3263 ASSERT(taskq_member(kmem_taskq, curthread));
3262 3264
3263 3265 new_size = MAX(KMEM_HASH_INITIAL,
3264 3266 1 << (highbit(3 * cp->cache_buftotal + 4) - 2));
3265 3267 old_size = cp->cache_hash_mask + 1;
3266 3268
3267 3269 if ((old_size >> 1) <= new_size && new_size <= (old_size << 1))
3268 3270 return;
3269 3271
3270 3272 new_table = vmem_alloc(kmem_hash_arena, new_size * sizeof (void *),
3271 3273 VM_NOSLEEP);
3272 3274 if (new_table == NULL)
3273 3275 return;
3274 3276 bzero(new_table, new_size * sizeof (void *));
3275 3277
3276 3278 mutex_enter(&cp->cache_lock);
3277 3279
3278 3280 old_size = cp->cache_hash_mask + 1;
3279 3281 old_table = cp->cache_hash_table;
3280 3282
3281 3283 cp->cache_hash_mask = new_size - 1;
3282 3284 cp->cache_hash_table = new_table;
3283 3285 cp->cache_rescale++;
3284 3286
3285 3287 for (h = 0; h < old_size; h++) {
3286 3288 bcp = old_table[h];
3287 3289 while (bcp != NULL) {
3288 3290 void *addr = bcp->bc_addr;
3289 3291 kmem_bufctl_t *next_bcp = bcp->bc_next;
3290 3292 kmem_bufctl_t **hash_bucket = KMEM_HASH(cp, addr);
3291 3293 bcp->bc_next = *hash_bucket;
3292 3294 *hash_bucket = bcp;
3293 3295 bcp = next_bcp;
3294 3296 }
3295 3297 }
3296 3298
3297 3299 mutex_exit(&cp->cache_lock);
3298 3300
3299 3301 vmem_free(kmem_hash_arena, old_table, old_size * sizeof (void *));
3300 3302 }
3301 3303
3302 3304 /*
3303 3305 * Perform periodic maintenance on a cache: hash rescaling, depot working-set
3304 3306 * update, magazine resizing, and slab consolidation.
3305 3307 */
3306 3308 static void
3307 3309 kmem_cache_update(kmem_cache_t *cp)
3308 3310 {
3309 3311 int need_hash_rescale = 0;
3310 3312 int need_magazine_resize = 0;
3311 3313
3312 3314 ASSERT(MUTEX_HELD(&kmem_cache_lock));
3313 3315
3314 3316 /*
3315 3317 * If the cache has become much larger or smaller than its hash table,
3316 3318 * fire off a request to rescale the hash table.
3317 3319 */
3318 3320 mutex_enter(&cp->cache_lock);
3319 3321
3320 3322 if ((cp->cache_flags & KMF_HASH) &&
3321 3323 (cp->cache_buftotal > (cp->cache_hash_mask << 1) ||
3322 3324 (cp->cache_buftotal < (cp->cache_hash_mask >> 1) &&
3323 3325 cp->cache_hash_mask > KMEM_HASH_INITIAL)))
3324 3326 need_hash_rescale = 1;
3325 3327
3326 3328 mutex_exit(&cp->cache_lock);
3327 3329
3328 3330 /*
3329 3331 * Update the depot working set statistics.
3330 3332 */
3331 3333 kmem_depot_ws_update(cp);
3332 3334
3333 3335 /*
3334 3336 * If there's a lot of contention in the depot,
3335 3337 * increase the magazine size.
3336 3338 */
3337 3339 mutex_enter(&cp->cache_depot_lock);
3338 3340
3339 3341 if (cp->cache_chunksize < cp->cache_magtype->mt_maxbuf &&
3340 3342 (int)(cp->cache_depot_contention -
3341 3343 cp->cache_depot_contention_prev) > kmem_depot_contention)
3342 3344 need_magazine_resize = 1;
3343 3345
3344 3346 cp->cache_depot_contention_prev = cp->cache_depot_contention;
3345 3347
3346 3348 mutex_exit(&cp->cache_depot_lock);
3347 3349
3348 3350 if (need_hash_rescale)
3349 3351 (void) taskq_dispatch(kmem_taskq,
3350 3352 (task_func_t *)kmem_hash_rescale, cp, TQ_NOSLEEP);
3351 3353
3352 3354 if (need_magazine_resize)
3353 3355 (void) taskq_dispatch(kmem_taskq,
3354 3356 (task_func_t *)kmem_cache_magazine_resize, cp, TQ_NOSLEEP);
3355 3357
3356 3358 if (cp->cache_defrag != NULL)
3357 3359 (void) taskq_dispatch(kmem_taskq,
3358 3360 (task_func_t *)kmem_cache_scan, cp, TQ_NOSLEEP);
3359 3361 }
3360 3362
3361 3363 static void kmem_update(void *);
3362 3364
3363 3365 static void
3364 3366 kmem_update_timeout(void *dummy)
3365 3367 {
3366 3368 (void) timeout(kmem_update, dummy, kmem_reap_interval);
3367 3369 }
3368 3370
3369 3371 static void
3370 3372 kmem_update(void *dummy)
3371 3373 {
3372 3374 kmem_cache_applyall(kmem_cache_update, NULL, TQ_NOSLEEP);
3373 3375
3374 3376 /*
3375 3377 * We use taskq_dispatch() to reschedule the timeout so that
3376 3378 * kmem_update() becomes self-throttling: it won't schedule
3377 3379 * new tasks until all previous tasks have completed.
3378 3380 */
3379 3381 if (!taskq_dispatch(kmem_taskq, kmem_update_timeout, dummy, TQ_NOSLEEP))
3380 3382 kmem_update_timeout(NULL);
3381 3383 }
3382 3384
3383 3385 static int
3384 3386 kmem_cache_kstat_update(kstat_t *ksp, int rw)
3385 3387 {
3386 3388 struct kmem_cache_kstat *kmcp = &kmem_cache_kstat;
3387 3389 kmem_cache_t *cp = ksp->ks_private;
3388 3390 uint64_t cpu_buf_avail;
3389 3391 uint64_t buf_avail = 0;
3390 3392 int cpu_seqid;
3391 3393 long reap;
3392 3394
3393 3395 ASSERT(MUTEX_HELD(&kmem_cache_kstat_lock));
3394 3396
3395 3397 if (rw == KSTAT_WRITE)
3396 3398 return (EACCES);
3397 3399
3398 3400 mutex_enter(&cp->cache_lock);
3399 3401
3400 3402 kmcp->kmc_alloc_fail.value.ui64 = cp->cache_alloc_fail;
3401 3403 kmcp->kmc_alloc.value.ui64 = cp->cache_slab_alloc;
3402 3404 kmcp->kmc_free.value.ui64 = cp->cache_slab_free;
3403 3405 kmcp->kmc_slab_alloc.value.ui64 = cp->cache_slab_alloc;
3404 3406 kmcp->kmc_slab_free.value.ui64 = cp->cache_slab_free;
3405 3407
3406 3408 for (cpu_seqid = 0; cpu_seqid < max_ncpus; cpu_seqid++) {
3407 3409 kmem_cpu_cache_t *ccp = &cp->cache_cpu[cpu_seqid];
3408 3410
3409 3411 mutex_enter(&ccp->cc_lock);
3410 3412
3411 3413 cpu_buf_avail = 0;
3412 3414 if (ccp->cc_rounds > 0)
3413 3415 cpu_buf_avail += ccp->cc_rounds;
3414 3416 if (ccp->cc_prounds > 0)
3415 3417 cpu_buf_avail += ccp->cc_prounds;
3416 3418
3417 3419 kmcp->kmc_alloc.value.ui64 += ccp->cc_alloc;
3418 3420 kmcp->kmc_free.value.ui64 += ccp->cc_free;
3419 3421 buf_avail += cpu_buf_avail;
3420 3422
3421 3423 mutex_exit(&ccp->cc_lock);
3422 3424 }
3423 3425
3424 3426 mutex_enter(&cp->cache_depot_lock);
3425 3427
3426 3428 kmcp->kmc_depot_alloc.value.ui64 = cp->cache_full.ml_alloc;
3427 3429 kmcp->kmc_depot_free.value.ui64 = cp->cache_empty.ml_alloc;
3428 3430 kmcp->kmc_depot_contention.value.ui64 = cp->cache_depot_contention;
3429 3431 kmcp->kmc_full_magazines.value.ui64 = cp->cache_full.ml_total;
3430 3432 kmcp->kmc_empty_magazines.value.ui64 = cp->cache_empty.ml_total;
3431 3433 kmcp->kmc_magazine_size.value.ui64 =
3432 3434 (cp->cache_flags & KMF_NOMAGAZINE) ?
3433 3435 0 : cp->cache_magtype->mt_magsize;
3434 3436
3435 3437 kmcp->kmc_alloc.value.ui64 += cp->cache_full.ml_alloc;
3436 3438 kmcp->kmc_free.value.ui64 += cp->cache_empty.ml_alloc;
3437 3439 buf_avail += cp->cache_full.ml_total * cp->cache_magtype->mt_magsize;
3438 3440
3439 3441 reap = MIN(cp->cache_full.ml_reaplimit, cp->cache_full.ml_min);
3440 3442 reap = MIN(reap, cp->cache_full.ml_total);
3441 3443
3442 3444 mutex_exit(&cp->cache_depot_lock);
3443 3445
3444 3446 kmcp->kmc_buf_size.value.ui64 = cp->cache_bufsize;
3445 3447 kmcp->kmc_align.value.ui64 = cp->cache_align;
3446 3448 kmcp->kmc_chunk_size.value.ui64 = cp->cache_chunksize;
3447 3449 kmcp->kmc_slab_size.value.ui64 = cp->cache_slabsize;
3448 3450 kmcp->kmc_buf_constructed.value.ui64 = buf_avail;
3449 3451 buf_avail += cp->cache_bufslab;
3450 3452 kmcp->kmc_buf_avail.value.ui64 = buf_avail;
3451 3453 kmcp->kmc_buf_inuse.value.ui64 = cp->cache_buftotal - buf_avail;
3452 3454 kmcp->kmc_buf_total.value.ui64 = cp->cache_buftotal;
3453 3455 kmcp->kmc_buf_max.value.ui64 = cp->cache_bufmax;
3454 3456 kmcp->kmc_slab_create.value.ui64 = cp->cache_slab_create;
3455 3457 kmcp->kmc_slab_destroy.value.ui64 = cp->cache_slab_destroy;
3456 3458 kmcp->kmc_hash_size.value.ui64 = (cp->cache_flags & KMF_HASH) ?
3457 3459 cp->cache_hash_mask + 1 : 0;
3458 3460 kmcp->kmc_hash_lookup_depth.value.ui64 = cp->cache_lookup_depth;
3459 3461 kmcp->kmc_hash_rescale.value.ui64 = cp->cache_rescale;
3460 3462 kmcp->kmc_vmem_source.value.ui64 = cp->cache_arena->vm_id;
3461 3463 kmcp->kmc_reap.value.ui64 = cp->cache_reap;
3462 3464
3463 3465 if (cp->cache_defrag == NULL) {
3464 3466 kmcp->kmc_move_callbacks.value.ui64 = 0;
3465 3467 kmcp->kmc_move_yes.value.ui64 = 0;
3466 3468 kmcp->kmc_move_no.value.ui64 = 0;
3467 3469 kmcp->kmc_move_later.value.ui64 = 0;
3468 3470 kmcp->kmc_move_dont_need.value.ui64 = 0;
3469 3471 kmcp->kmc_move_dont_know.value.ui64 = 0;
3470 3472 kmcp->kmc_move_hunt_found.value.ui64 = 0;
3471 3473 kmcp->kmc_move_slabs_freed.value.ui64 = 0;
3472 3474 kmcp->kmc_defrag.value.ui64 = 0;
3473 3475 kmcp->kmc_scan.value.ui64 = 0;
3474 3476 kmcp->kmc_move_reclaimable.value.ui64 = 0;
3475 3477 } else {
3476 3478 int64_t reclaimable;
3477 3479
3478 3480 kmem_defrag_t *kd = cp->cache_defrag;
3479 3481 kmcp->kmc_move_callbacks.value.ui64 = kd->kmd_callbacks;
3480 3482 kmcp->kmc_move_yes.value.ui64 = kd->kmd_yes;
3481 3483 kmcp->kmc_move_no.value.ui64 = kd->kmd_no;
3482 3484 kmcp->kmc_move_later.value.ui64 = kd->kmd_later;
3483 3485 kmcp->kmc_move_dont_need.value.ui64 = kd->kmd_dont_need;
3484 3486 kmcp->kmc_move_dont_know.value.ui64 = kd->kmd_dont_know;
3485 3487 kmcp->kmc_move_hunt_found.value.ui64 = 0;
3486 3488 kmcp->kmc_move_slabs_freed.value.ui64 = kd->kmd_slabs_freed;
3487 3489 kmcp->kmc_defrag.value.ui64 = kd->kmd_defrags;
3488 3490 kmcp->kmc_scan.value.ui64 = kd->kmd_scans;
3489 3491
3490 3492 reclaimable = cp->cache_bufslab - (cp->cache_maxchunks - 1);
3491 3493 reclaimable = MAX(reclaimable, 0);
3492 3494 reclaimable += ((uint64_t)reap * cp->cache_magtype->mt_magsize);
3493 3495 kmcp->kmc_move_reclaimable.value.ui64 = reclaimable;
3494 3496 }
3495 3497
3496 3498 mutex_exit(&cp->cache_lock);
3497 3499 return (0);
3498 3500 }
3499 3501
3500 3502 /*
3501 3503 * Return a named statistic about a particular cache.
3502 3504 * This shouldn't be called very often, so it's currently designed for
3503 3505 * simplicity (leverages existing kstat support) rather than efficiency.
3504 3506 */
3505 3507 uint64_t
3506 3508 kmem_cache_stat(kmem_cache_t *cp, char *name)
3507 3509 {
3508 3510 int i;
3509 3511 kstat_t *ksp = cp->cache_kstat;
3510 3512 kstat_named_t *knp = (kstat_named_t *)&kmem_cache_kstat;
3511 3513 uint64_t value = 0;
3512 3514
3513 3515 if (ksp != NULL) {
3514 3516 mutex_enter(&kmem_cache_kstat_lock);
3515 3517 (void) kmem_cache_kstat_update(ksp, KSTAT_READ);
3516 3518 for (i = 0; i < ksp->ks_ndata; i++) {
3517 3519 if (strcmp(knp[i].name, name) == 0) {
3518 3520 value = knp[i].value.ui64;
3519 3521 break;
3520 3522 }
3521 3523 }
3522 3524 mutex_exit(&kmem_cache_kstat_lock);
3523 3525 }
3524 3526 return (value);
3525 3527 }
3526 3528
3527 3529 /*
3528 3530 * Return an estimate of currently available kernel heap memory.
3529 3531 * On 32-bit systems, physical memory may exceed virtual memory,
3530 3532 * we just truncate the result at 1GB.
3531 3533 */
3532 3534 size_t
3533 3535 kmem_avail(void)
3534 3536 {
3535 3537 spgcnt_t rmem = availrmem - tune.t_minarmem;
3536 3538 spgcnt_t fmem = freemem - minfree;
3537 3539
3538 3540 return ((size_t)ptob(MIN(MAX(MIN(rmem, fmem), 0),
3539 3541 1 << (30 - PAGESHIFT))));
3540 3542 }
3541 3543
3542 3544 /*
3543 3545 * Return the maximum amount of memory that is (in theory) allocatable
3544 3546 * from the heap. This may be used as an estimate only since there
3545 3547 * is no guarentee this space will still be available when an allocation
3546 3548 * request is made, nor that the space may be allocated in one big request
3547 3549 * due to kernel heap fragmentation.
3548 3550 */
3549 3551 size_t
3550 3552 kmem_maxavail(void)
3551 3553 {
3552 3554 spgcnt_t pmem = availrmem - tune.t_minarmem;
3553 3555 spgcnt_t vmem = btop(vmem_size(heap_arena, VMEM_FREE));
3554 3556
3555 3557 return ((size_t)ptob(MAX(MIN(pmem, vmem), 0)));
3556 3558 }
3557 3559
3558 3560 /*
3559 3561 * Indicate whether memory-intensive kmem debugging is enabled.
3560 3562 */
3561 3563 int
3562 3564 kmem_debugging(void)
3563 3565 {
3564 3566 return (kmem_flags & (KMF_AUDIT | KMF_REDZONE));
3565 3567 }
3566 3568
3567 3569 /* binning function, sorts finely at the two extremes */
3568 3570 #define KMEM_PARTIAL_SLAB_WEIGHT(sp, binshift) \
3569 3571 ((((sp)->slab_refcnt <= (binshift)) || \
3570 3572 (((sp)->slab_chunks - (sp)->slab_refcnt) <= (binshift))) \
3571 3573 ? -(sp)->slab_refcnt \
3572 3574 : -((binshift) + ((sp)->slab_refcnt >> (binshift))))
3573 3575
3574 3576 /*
3575 3577 * Minimizing the number of partial slabs on the freelist minimizes
3576 3578 * fragmentation (the ratio of unused buffers held by the slab layer). There are
3577 3579 * two ways to get a slab off of the freelist: 1) free all the buffers on the
3578 3580 * slab, and 2) allocate all the buffers on the slab. It follows that we want
3579 3581 * the most-used slabs at the front of the list where they have the best chance
3580 3582 * of being completely allocated, and the least-used slabs at a safe distance
3581 3583 * from the front to improve the odds that the few remaining buffers will all be
3582 3584 * freed before another allocation can tie up the slab. For that reason a slab
3583 3585 * with a higher slab_refcnt sorts less than than a slab with a lower
3584 3586 * slab_refcnt.
3585 3587 *
3586 3588 * However, if a slab has at least one buffer that is deemed unfreeable, we
3587 3589 * would rather have that slab at the front of the list regardless of
3588 3590 * slab_refcnt, since even one unfreeable buffer makes the entire slab
3589 3591 * unfreeable. If the client returns KMEM_CBRC_NO in response to a cache_move()
3590 3592 * callback, the slab is marked unfreeable for as long as it remains on the
3591 3593 * freelist.
3592 3594 */
3593 3595 static int
3594 3596 kmem_partial_slab_cmp(const void *p0, const void *p1)
3595 3597 {
3596 3598 const kmem_cache_t *cp;
3597 3599 const kmem_slab_t *s0 = p0;
3598 3600 const kmem_slab_t *s1 = p1;
3599 3601 int w0, w1;
3600 3602 size_t binshift;
3601 3603
3602 3604 ASSERT(KMEM_SLAB_IS_PARTIAL(s0));
3603 3605 ASSERT(KMEM_SLAB_IS_PARTIAL(s1));
3604 3606 ASSERT(s0->slab_cache == s1->slab_cache);
3605 3607 cp = s1->slab_cache;
3606 3608 ASSERT(MUTEX_HELD(&cp->cache_lock));
3607 3609 binshift = cp->cache_partial_binshift;
3608 3610
3609 3611 /* weight of first slab */
3610 3612 w0 = KMEM_PARTIAL_SLAB_WEIGHT(s0, binshift);
3611 3613 if (s0->slab_flags & KMEM_SLAB_NOMOVE) {
3612 3614 w0 -= cp->cache_maxchunks;
3613 3615 }
3614 3616
3615 3617 /* weight of second slab */
3616 3618 w1 = KMEM_PARTIAL_SLAB_WEIGHT(s1, binshift);
3617 3619 if (s1->slab_flags & KMEM_SLAB_NOMOVE) {
3618 3620 w1 -= cp->cache_maxchunks;
3619 3621 }
3620 3622
3621 3623 if (w0 < w1)
3622 3624 return (-1);
3623 3625 if (w0 > w1)
3624 3626 return (1);
3625 3627
3626 3628 /* compare pointer values */
3627 3629 if ((uintptr_t)s0 < (uintptr_t)s1)
3628 3630 return (-1);
3629 3631 if ((uintptr_t)s0 > (uintptr_t)s1)
3630 3632 return (1);
3631 3633
3632 3634 return (0);
3633 3635 }
3634 3636
3635 3637 /*
3636 3638 * It must be valid to call the destructor (if any) on a newly created object.
3637 3639 * That is, the constructor (if any) must leave the object in a valid state for
3638 3640 * the destructor.
3639 3641 */
3640 3642 kmem_cache_t *
3641 3643 kmem_cache_create(
3642 3644 char *name, /* descriptive name for this cache */
3643 3645 size_t bufsize, /* size of the objects it manages */
3644 3646 size_t align, /* required object alignment */
3645 3647 int (*constructor)(void *, void *, int), /* object constructor */
3646 3648 void (*destructor)(void *, void *), /* object destructor */
3647 3649 void (*reclaim)(void *), /* memory reclaim callback */
3648 3650 void *private, /* pass-thru arg for constr/destr/reclaim */
3649 3651 vmem_t *vmp, /* vmem source for slab allocation */
3650 3652 int cflags) /* cache creation flags */
3651 3653 {
3652 3654 int cpu_seqid;
3653 3655 size_t chunksize;
3654 3656 kmem_cache_t *cp;
3655 3657 kmem_magtype_t *mtp;
3656 3658 size_t csize = KMEM_CACHE_SIZE(max_ncpus);
3657 3659
3658 3660 #ifdef DEBUG
3659 3661 /*
3660 3662 * Cache names should conform to the rules for valid C identifiers
3661 3663 */
3662 3664 if (!strident_valid(name)) {
3663 3665 cmn_err(CE_CONT,
3664 3666 "kmem_cache_create: '%s' is an invalid cache name\n"
3665 3667 "cache names must conform to the rules for "
3666 3668 "C identifiers\n", name);
3667 3669 }
3668 3670 #endif /* DEBUG */
3669 3671
3670 3672 if (vmp == NULL)
3671 3673 vmp = kmem_default_arena;
3672 3674
3673 3675 /*
3674 3676 * If this kmem cache has an identifier vmem arena as its source, mark
3675 3677 * it such to allow kmem_reap_idspace().
3676 3678 */
3677 3679 ASSERT(!(cflags & KMC_IDENTIFIER)); /* consumer should not set this */
3678 3680 if (vmp->vm_cflags & VMC_IDENTIFIER)
3679 3681 cflags |= KMC_IDENTIFIER;
3680 3682
3681 3683 /*
3682 3684 * Get a kmem_cache structure. We arrange that cp->cache_cpu[]
3683 3685 * is aligned on a KMEM_CPU_CACHE_SIZE boundary to prevent
3684 3686 * false sharing of per-CPU data.
3685 3687 */
3686 3688 cp = vmem_xalloc(kmem_cache_arena, csize, KMEM_CPU_CACHE_SIZE,
3687 3689 P2NPHASE(csize, KMEM_CPU_CACHE_SIZE), 0, NULL, NULL, VM_SLEEP);
3688 3690 bzero(cp, csize);
3689 3691 list_link_init(&cp->cache_link);
3690 3692
3691 3693 if (align == 0)
3692 3694 align = KMEM_ALIGN;
3693 3695
3694 3696 /*
3695 3697 * If we're not at least KMEM_ALIGN aligned, we can't use free
3696 3698 * memory to hold bufctl information (because we can't safely
3697 3699 * perform word loads and stores on it).
3698 3700 */
3699 3701 if (align < KMEM_ALIGN)
3700 3702 cflags |= KMC_NOTOUCH;
3701 3703
3702 3704 if (!ISP2(align) || align > vmp->vm_quantum)
3703 3705 panic("kmem_cache_create: bad alignment %lu", align);
3704 3706
3705 3707 mutex_enter(&kmem_flags_lock);
3706 3708 if (kmem_flags & KMF_RANDOMIZE)
3707 3709 kmem_flags = (((kmem_flags | ~KMF_RANDOM) + 1) & KMF_RANDOM) |
3708 3710 KMF_RANDOMIZE;
3709 3711 cp->cache_flags = (kmem_flags | cflags) & KMF_DEBUG;
3710 3712 mutex_exit(&kmem_flags_lock);
3711 3713
3712 3714 /*
3713 3715 * Make sure all the various flags are reasonable.
3714 3716 */
3715 3717 ASSERT(!(cflags & KMC_NOHASH) || !(cflags & KMC_NOTOUCH));
3716 3718
3717 3719 if (cp->cache_flags & KMF_LITE) {
3718 3720 if (bufsize >= kmem_lite_minsize &&
3719 3721 align <= kmem_lite_maxalign &&
3720 3722 P2PHASE(bufsize, kmem_lite_maxalign) != 0) {
3721 3723 cp->cache_flags |= KMF_BUFTAG;
3722 3724 cp->cache_flags &= ~(KMF_AUDIT | KMF_FIREWALL);
3723 3725 } else {
3724 3726 cp->cache_flags &= ~KMF_DEBUG;
3725 3727 }
3726 3728 }
3727 3729
3728 3730 if (cp->cache_flags & KMF_DEADBEEF)
3729 3731 cp->cache_flags |= KMF_REDZONE;
3730 3732
3731 3733 if ((cflags & KMC_QCACHE) && (cp->cache_flags & KMF_AUDIT))
3732 3734 cp->cache_flags |= KMF_NOMAGAZINE;
3733 3735
3734 3736 if (cflags & KMC_NODEBUG)
3735 3737 cp->cache_flags &= ~KMF_DEBUG;
3736 3738
3737 3739 if (cflags & KMC_NOTOUCH)
3738 3740 cp->cache_flags &= ~KMF_TOUCH;
3739 3741
3740 3742 if (cflags & KMC_PREFILL)
3741 3743 cp->cache_flags |= KMF_PREFILL;
3742 3744
3743 3745 if (cflags & KMC_NOHASH)
3744 3746 cp->cache_flags &= ~(KMF_AUDIT | KMF_FIREWALL);
3745 3747
3746 3748 if (cflags & KMC_NOMAGAZINE)
3747 3749 cp->cache_flags |= KMF_NOMAGAZINE;
3748 3750
3749 3751 if ((cp->cache_flags & KMF_AUDIT) && !(cflags & KMC_NOTOUCH))
3750 3752 cp->cache_flags |= KMF_REDZONE;
3751 3753
3752 3754 if (!(cp->cache_flags & KMF_AUDIT))
3753 3755 cp->cache_flags &= ~KMF_CONTENTS;
3754 3756
3755 3757 if ((cp->cache_flags & KMF_BUFTAG) && bufsize >= kmem_minfirewall &&
3756 3758 !(cp->cache_flags & KMF_LITE) && !(cflags & KMC_NOHASH))
3757 3759 cp->cache_flags |= KMF_FIREWALL;
3758 3760
3759 3761 if (vmp != kmem_default_arena || kmem_firewall_arena == NULL)
3760 3762 cp->cache_flags &= ~KMF_FIREWALL;
3761 3763
3762 3764 if (cp->cache_flags & KMF_FIREWALL) {
3763 3765 cp->cache_flags &= ~KMF_BUFTAG;
3764 3766 cp->cache_flags |= KMF_NOMAGAZINE;
3765 3767 ASSERT(vmp == kmem_default_arena);
3766 3768 vmp = kmem_firewall_arena;
3767 3769 }
3768 3770
3769 3771 /*
3770 3772 * Set cache properties.
3771 3773 */
3772 3774 (void) strncpy(cp->cache_name, name, KMEM_CACHE_NAMELEN);
3773 3775 strident_canon(cp->cache_name, KMEM_CACHE_NAMELEN + 1);
3774 3776 cp->cache_bufsize = bufsize;
3775 3777 cp->cache_align = align;
3776 3778 cp->cache_constructor = constructor;
3777 3779 cp->cache_destructor = destructor;
3778 3780 cp->cache_reclaim = reclaim;
3779 3781 cp->cache_private = private;
3780 3782 cp->cache_arena = vmp;
3781 3783 cp->cache_cflags = cflags;
3782 3784
3783 3785 /*
3784 3786 * Determine the chunk size.
3785 3787 */
3786 3788 chunksize = bufsize;
3787 3789
3788 3790 if (align >= KMEM_ALIGN) {
3789 3791 chunksize = P2ROUNDUP(chunksize, KMEM_ALIGN);
3790 3792 cp->cache_bufctl = chunksize - KMEM_ALIGN;
3791 3793 }
3792 3794
3793 3795 if (cp->cache_flags & KMF_BUFTAG) {
3794 3796 cp->cache_bufctl = chunksize;
3795 3797 cp->cache_buftag = chunksize;
3796 3798 if (cp->cache_flags & KMF_LITE)
3797 3799 chunksize += KMEM_BUFTAG_LITE_SIZE(kmem_lite_count);
3798 3800 else
3799 3801 chunksize += sizeof (kmem_buftag_t);
3800 3802 }
3801 3803
3802 3804 if (cp->cache_flags & KMF_DEADBEEF) {
3803 3805 cp->cache_verify = MIN(cp->cache_buftag, kmem_maxverify);
3804 3806 if (cp->cache_flags & KMF_LITE)
3805 3807 cp->cache_verify = sizeof (uint64_t);
3806 3808 }
3807 3809
3808 3810 cp->cache_contents = MIN(cp->cache_bufctl, kmem_content_maxsave);
3809 3811
3810 3812 cp->cache_chunksize = chunksize = P2ROUNDUP(chunksize, align);
3811 3813
3812 3814 /*
3813 3815 * Now that we know the chunk size, determine the optimal slab size.
3814 3816 */
3815 3817 if (vmp == kmem_firewall_arena) {
3816 3818 cp->cache_slabsize = P2ROUNDUP(chunksize, vmp->vm_quantum);
3817 3819 cp->cache_mincolor = cp->cache_slabsize - chunksize;
3818 3820 cp->cache_maxcolor = cp->cache_mincolor;
3819 3821 cp->cache_flags |= KMF_HASH;
3820 3822 ASSERT(!(cp->cache_flags & KMF_BUFTAG));
3821 3823 } else if ((cflags & KMC_NOHASH) || (!(cflags & KMC_NOTOUCH) &&
3822 3824 !(cp->cache_flags & KMF_AUDIT) &&
3823 3825 chunksize < vmp->vm_quantum / KMEM_VOID_FRACTION)) {
3824 3826 cp->cache_slabsize = vmp->vm_quantum;
3825 3827 cp->cache_mincolor = 0;
3826 3828 cp->cache_maxcolor =
3827 3829 (cp->cache_slabsize - sizeof (kmem_slab_t)) % chunksize;
3828 3830 ASSERT(chunksize + sizeof (kmem_slab_t) <= cp->cache_slabsize);
3829 3831 ASSERT(!(cp->cache_flags & KMF_AUDIT));
3830 3832 } else {
3831 3833 size_t chunks, bestfit, waste, slabsize;
3832 3834 size_t minwaste = LONG_MAX;
3833 3835
3834 3836 for (chunks = 1; chunks <= KMEM_VOID_FRACTION; chunks++) {
3835 3837 slabsize = P2ROUNDUP(chunksize * chunks,
3836 3838 vmp->vm_quantum);
3837 3839 chunks = slabsize / chunksize;
3838 3840 waste = (slabsize % chunksize) / chunks;
3839 3841 if (waste < minwaste) {
3840 3842 minwaste = waste;
3841 3843 bestfit = slabsize;
3842 3844 }
3843 3845 }
3844 3846 if (cflags & KMC_QCACHE)
3845 3847 bestfit = VMEM_QCACHE_SLABSIZE(vmp->vm_qcache_max);
3846 3848 cp->cache_slabsize = bestfit;
3847 3849 cp->cache_mincolor = 0;
3848 3850 cp->cache_maxcolor = bestfit % chunksize;
3849 3851 cp->cache_flags |= KMF_HASH;
3850 3852 }
3851 3853
3852 3854 cp->cache_maxchunks = (cp->cache_slabsize / cp->cache_chunksize);
3853 3855 cp->cache_partial_binshift = highbit(cp->cache_maxchunks / 16) + 1;
3854 3856
3855 3857 /*
3856 3858 * Disallowing prefill when either the DEBUG or HASH flag is set or when
3857 3859 * there is a constructor avoids some tricky issues with debug setup
3858 3860 * that may be revisited later. We cannot allow prefill in a
3859 3861 * metadata cache because of potential recursion.
3860 3862 */
3861 3863 if (vmp == kmem_msb_arena ||
3862 3864 cp->cache_flags & (KMF_HASH | KMF_BUFTAG) ||
3863 3865 cp->cache_constructor != NULL)
3864 3866 cp->cache_flags &= ~KMF_PREFILL;
3865 3867
3866 3868 if (cp->cache_flags & KMF_HASH) {
3867 3869 ASSERT(!(cflags & KMC_NOHASH));
3868 3870 cp->cache_bufctl_cache = (cp->cache_flags & KMF_AUDIT) ?
3869 3871 kmem_bufctl_audit_cache : kmem_bufctl_cache;
3870 3872 }
3871 3873
3872 3874 if (cp->cache_maxcolor >= vmp->vm_quantum)
3873 3875 cp->cache_maxcolor = vmp->vm_quantum - 1;
3874 3876
3875 3877 cp->cache_color = cp->cache_mincolor;
3876 3878
3877 3879 /*
3878 3880 * Initialize the rest of the slab layer.
3879 3881 */
3880 3882 mutex_init(&cp->cache_lock, NULL, MUTEX_DEFAULT, NULL);
3881 3883
3882 3884 avl_create(&cp->cache_partial_slabs, kmem_partial_slab_cmp,
3883 3885 sizeof (kmem_slab_t), offsetof(kmem_slab_t, slab_link));
3884 3886 /* LINTED: E_TRUE_LOGICAL_EXPR */
3885 3887 ASSERT(sizeof (list_node_t) <= sizeof (avl_node_t));
3886 3888 /* reuse partial slab AVL linkage for complete slab list linkage */
3887 3889 list_create(&cp->cache_complete_slabs,
3888 3890 sizeof (kmem_slab_t), offsetof(kmem_slab_t, slab_link));
3889 3891
3890 3892 if (cp->cache_flags & KMF_HASH) {
3891 3893 cp->cache_hash_table = vmem_alloc(kmem_hash_arena,
3892 3894 KMEM_HASH_INITIAL * sizeof (void *), VM_SLEEP);
3893 3895 bzero(cp->cache_hash_table,
3894 3896 KMEM_HASH_INITIAL * sizeof (void *));
3895 3897 cp->cache_hash_mask = KMEM_HASH_INITIAL - 1;
3896 3898 cp->cache_hash_shift = highbit((ulong_t)chunksize) - 1;
3897 3899 }
3898 3900
3899 3901 /*
3900 3902 * Initialize the depot.
3901 3903 */
3902 3904 mutex_init(&cp->cache_depot_lock, NULL, MUTEX_DEFAULT, NULL);
3903 3905
3904 3906 for (mtp = kmem_magtype; chunksize <= mtp->mt_minbuf; mtp++)
3905 3907 continue;
3906 3908
3907 3909 cp->cache_magtype = mtp;
3908 3910
3909 3911 /*
3910 3912 * Initialize the CPU layer.
3911 3913 */
3912 3914 for (cpu_seqid = 0; cpu_seqid < max_ncpus; cpu_seqid++) {
3913 3915 kmem_cpu_cache_t *ccp = &cp->cache_cpu[cpu_seqid];
3914 3916 mutex_init(&ccp->cc_lock, NULL, MUTEX_DEFAULT, NULL);
3915 3917 ccp->cc_flags = cp->cache_flags;
3916 3918 ccp->cc_rounds = -1;
3917 3919 ccp->cc_prounds = -1;
3918 3920 }
3919 3921
3920 3922 /*
3921 3923 * Create the cache's kstats.
3922 3924 */
3923 3925 if ((cp->cache_kstat = kstat_create("unix", 0, cp->cache_name,
3924 3926 "kmem_cache", KSTAT_TYPE_NAMED,
3925 3927 sizeof (kmem_cache_kstat) / sizeof (kstat_named_t),
3926 3928 KSTAT_FLAG_VIRTUAL)) != NULL) {
3927 3929 cp->cache_kstat->ks_data = &kmem_cache_kstat;
3928 3930 cp->cache_kstat->ks_update = kmem_cache_kstat_update;
3929 3931 cp->cache_kstat->ks_private = cp;
3930 3932 cp->cache_kstat->ks_lock = &kmem_cache_kstat_lock;
3931 3933 kstat_install(cp->cache_kstat);
3932 3934 }
3933 3935
3934 3936 /*
3935 3937 * Add the cache to the global list. This makes it visible
3936 3938 * to kmem_update(), so the cache must be ready for business.
3937 3939 */
3938 3940 mutex_enter(&kmem_cache_lock);
3939 3941 list_insert_tail(&kmem_caches, cp);
3940 3942 mutex_exit(&kmem_cache_lock);
3941 3943
3942 3944 if (kmem_ready)
3943 3945 kmem_cache_magazine_enable(cp);
3944 3946
3945 3947 return (cp);
3946 3948 }
3947 3949
3948 3950 static int
3949 3951 kmem_move_cmp(const void *buf, const void *p)
3950 3952 {
3951 3953 const kmem_move_t *kmm = p;
3952 3954 uintptr_t v1 = (uintptr_t)buf;
3953 3955 uintptr_t v2 = (uintptr_t)kmm->kmm_from_buf;
3954 3956 return (v1 < v2 ? -1 : (v1 > v2 ? 1 : 0));
3955 3957 }
3956 3958
3957 3959 static void
3958 3960 kmem_reset_reclaim_threshold(kmem_defrag_t *kmd)
3959 3961 {
3960 3962 kmd->kmd_reclaim_numer = 1;
3961 3963 }
3962 3964
3963 3965 /*
3964 3966 * Initially, when choosing candidate slabs for buffers to move, we want to be
3965 3967 * very selective and take only slabs that are less than
3966 3968 * (1 / KMEM_VOID_FRACTION) allocated. If we have difficulty finding candidate
3967 3969 * slabs, then we raise the allocation ceiling incrementally. The reclaim
3968 3970 * threshold is reset to (1 / KMEM_VOID_FRACTION) as soon as the cache is no
3969 3971 * longer fragmented.
3970 3972 */
3971 3973 static void
3972 3974 kmem_adjust_reclaim_threshold(kmem_defrag_t *kmd, int direction)
3973 3975 {
3974 3976 if (direction > 0) {
3975 3977 /* make it easier to find a candidate slab */
3976 3978 if (kmd->kmd_reclaim_numer < (KMEM_VOID_FRACTION - 1)) {
3977 3979 kmd->kmd_reclaim_numer++;
3978 3980 }
3979 3981 } else {
3980 3982 /* be more selective */
3981 3983 if (kmd->kmd_reclaim_numer > 1) {
3982 3984 kmd->kmd_reclaim_numer--;
3983 3985 }
3984 3986 }
3985 3987 }
3986 3988
3987 3989 void
3988 3990 kmem_cache_set_move(kmem_cache_t *cp,
3989 3991 kmem_cbrc_t (*move)(void *, void *, size_t, void *))
3990 3992 {
3991 3993 kmem_defrag_t *defrag;
3992 3994
3993 3995 ASSERT(move != NULL);
3994 3996 /*
3995 3997 * The consolidator does not support NOTOUCH caches because kmem cannot
3996 3998 * initialize their slabs with the 0xbaddcafe memory pattern, which sets
3997 3999 * a low order bit usable by clients to distinguish uninitialized memory
3998 4000 * from known objects (see kmem_slab_create).
3999 4001 */
4000 4002 ASSERT(!(cp->cache_cflags & KMC_NOTOUCH));
4001 4003 ASSERT(!(cp->cache_cflags & KMC_IDENTIFIER));
4002 4004
4003 4005 /*
4004 4006 * We should not be holding anyone's cache lock when calling
4005 4007 * kmem_cache_alloc(), so allocate in all cases before acquiring the
4006 4008 * lock.
4007 4009 */
4008 4010 defrag = kmem_cache_alloc(kmem_defrag_cache, KM_SLEEP);
4009 4011
4010 4012 mutex_enter(&cp->cache_lock);
4011 4013
4012 4014 if (KMEM_IS_MOVABLE(cp)) {
4013 4015 if (cp->cache_move == NULL) {
4014 4016 ASSERT(cp->cache_slab_alloc == 0);
4015 4017
4016 4018 cp->cache_defrag = defrag;
4017 4019 defrag = NULL; /* nothing to free */
4018 4020 bzero(cp->cache_defrag, sizeof (kmem_defrag_t));
4019 4021 avl_create(&cp->cache_defrag->kmd_moves_pending,
4020 4022 kmem_move_cmp, sizeof (kmem_move_t),
4021 4023 offsetof(kmem_move_t, kmm_entry));
4022 4024 /* LINTED: E_TRUE_LOGICAL_EXPR */
4023 4025 ASSERT(sizeof (list_node_t) <= sizeof (avl_node_t));
4024 4026 /* reuse the slab's AVL linkage for deadlist linkage */
4025 4027 list_create(&cp->cache_defrag->kmd_deadlist,
4026 4028 sizeof (kmem_slab_t),
4027 4029 offsetof(kmem_slab_t, slab_link));
4028 4030 kmem_reset_reclaim_threshold(cp->cache_defrag);
4029 4031 }
4030 4032 cp->cache_move = move;
4031 4033 }
4032 4034
4033 4035 mutex_exit(&cp->cache_lock);
4034 4036
4035 4037 if (defrag != NULL) {
4036 4038 kmem_cache_free(kmem_defrag_cache, defrag); /* unused */
4037 4039 }
4038 4040 }
4039 4041
4040 4042 void
4041 4043 kmem_cache_destroy(kmem_cache_t *cp)
4042 4044 {
4043 4045 int cpu_seqid;
4044 4046
4045 4047 /*
4046 4048 * Remove the cache from the global cache list so that no one else
4047 4049 * can schedule tasks on its behalf, wait for any pending tasks to
4048 4050 * complete, purge the cache, and then destroy it.
4049 4051 */
4050 4052 mutex_enter(&kmem_cache_lock);
4051 4053 list_remove(&kmem_caches, cp);
4052 4054 mutex_exit(&kmem_cache_lock);
4053 4055
4054 4056 if (kmem_taskq != NULL)
4055 4057 taskq_wait(kmem_taskq);
4056 4058
4057 4059 if (kmem_move_taskq != NULL && cp->cache_defrag != NULL)
4058 4060 taskq_wait(kmem_move_taskq);
4059 4061
4060 4062 kmem_cache_magazine_purge(cp);
4061 4063
4062 4064 mutex_enter(&cp->cache_lock);
4063 4065 if (cp->cache_buftotal != 0)
4064 4066 cmn_err(CE_WARN, "kmem_cache_destroy: '%s' (%p) not empty",
4065 4067 cp->cache_name, (void *)cp);
4066 4068 if (cp->cache_defrag != NULL) {
4067 4069 avl_destroy(&cp->cache_defrag->kmd_moves_pending);
4068 4070 list_destroy(&cp->cache_defrag->kmd_deadlist);
4069 4071 kmem_cache_free(kmem_defrag_cache, cp->cache_defrag);
4070 4072 cp->cache_defrag = NULL;
4071 4073 }
4072 4074 /*
4073 4075 * The cache is now dead. There should be no further activity. We
4074 4076 * enforce this by setting land mines in the constructor, destructor,
4075 4077 * reclaim, and move routines that induce a kernel text fault if
4076 4078 * invoked.
4077 4079 */
4078 4080 cp->cache_constructor = (int (*)(void *, void *, int))1;
4079 4081 cp->cache_destructor = (void (*)(void *, void *))2;
4080 4082 cp->cache_reclaim = (void (*)(void *))3;
4081 4083 cp->cache_move = (kmem_cbrc_t (*)(void *, void *, size_t, void *))4;
4082 4084 mutex_exit(&cp->cache_lock);
4083 4085
4084 4086 kstat_delete(cp->cache_kstat);
4085 4087
4086 4088 if (cp->cache_hash_table != NULL)
4087 4089 vmem_free(kmem_hash_arena, cp->cache_hash_table,
4088 4090 (cp->cache_hash_mask + 1) * sizeof (void *));
4089 4091
4090 4092 for (cpu_seqid = 0; cpu_seqid < max_ncpus; cpu_seqid++)
4091 4093 mutex_destroy(&cp->cache_cpu[cpu_seqid].cc_lock);
4092 4094
4093 4095 mutex_destroy(&cp->cache_depot_lock);
4094 4096 mutex_destroy(&cp->cache_lock);
4095 4097
4096 4098 vmem_free(kmem_cache_arena, cp, KMEM_CACHE_SIZE(max_ncpus));
4097 4099 }
4098 4100
4099 4101 /*ARGSUSED*/
4100 4102 static int
4101 4103 kmem_cpu_setup(cpu_setup_t what, int id, void *arg)
4102 4104 {
4103 4105 ASSERT(MUTEX_HELD(&cpu_lock));
4104 4106 if (what == CPU_UNCONFIG) {
4105 4107 kmem_cache_applyall(kmem_cache_magazine_purge,
4106 4108 kmem_taskq, TQ_SLEEP);
4107 4109 kmem_cache_applyall(kmem_cache_magazine_enable,
4108 4110 kmem_taskq, TQ_SLEEP);
4109 4111 }
4110 4112 return (0);
4111 4113 }
4112 4114
4113 4115 static void
4114 4116 kmem_alloc_caches_create(const int *array, size_t count,
4115 4117 kmem_cache_t **alloc_table, size_t maxbuf, uint_t shift)
4116 4118 {
4117 4119 char name[KMEM_CACHE_NAMELEN + 1];
4118 4120 size_t table_unit = (1 << shift); /* range of one alloc_table entry */
4119 4121 size_t size = table_unit;
4120 4122 int i;
4121 4123
4122 4124 for (i = 0; i < count; i++) {
4123 4125 size_t cache_size = array[i];
4124 4126 size_t align = KMEM_ALIGN;
4125 4127 kmem_cache_t *cp;
4126 4128
4127 4129 /* if the table has an entry for maxbuf, we're done */
4128 4130 if (size > maxbuf)
4129 4131 break;
4130 4132
4131 4133 /* cache size must be a multiple of the table unit */
4132 4134 ASSERT(P2PHASE(cache_size, table_unit) == 0);
4133 4135
4134 4136 /*
4135 4137 * If they allocate a multiple of the coherency granularity,
4136 4138 * they get a coherency-granularity-aligned address.
4137 4139 */
4138 4140 if (IS_P2ALIGNED(cache_size, 64))
4139 4141 align = 64;
4140 4142 if (IS_P2ALIGNED(cache_size, PAGESIZE))
4141 4143 align = PAGESIZE;
4142 4144 (void) snprintf(name, sizeof (name),
4143 4145 "kmem_alloc_%lu", cache_size);
4144 4146 cp = kmem_cache_create(name, cache_size, align,
4145 4147 NULL, NULL, NULL, NULL, NULL, KMC_KMEM_ALLOC);
4146 4148
4147 4149 while (size <= cache_size) {
4148 4150 alloc_table[(size - 1) >> shift] = cp;
4149 4151 size += table_unit;
4150 4152 }
4151 4153 }
4152 4154
4153 4155 ASSERT(size > maxbuf); /* i.e. maxbuf <= max(cache_size) */
4154 4156 }
4155 4157
4156 4158 static void
4157 4159 kmem_cache_init(int pass, int use_large_pages)
4158 4160 {
4159 4161 int i;
4160 4162 size_t maxbuf;
4161 4163 kmem_magtype_t *mtp;
4162 4164
4163 4165 for (i = 0; i < sizeof (kmem_magtype) / sizeof (*mtp); i++) {
4164 4166 char name[KMEM_CACHE_NAMELEN + 1];
4165 4167
4166 4168 mtp = &kmem_magtype[i];
4167 4169 (void) sprintf(name, "kmem_magazine_%d", mtp->mt_magsize);
4168 4170 mtp->mt_cache = kmem_cache_create(name,
4169 4171 (mtp->mt_magsize + 1) * sizeof (void *),
4170 4172 mtp->mt_align, NULL, NULL, NULL, NULL,
4171 4173 kmem_msb_arena, KMC_NOHASH);
4172 4174 }
4173 4175
4174 4176 kmem_slab_cache = kmem_cache_create("kmem_slab_cache",
4175 4177 sizeof (kmem_slab_t), 0, NULL, NULL, NULL, NULL,
4176 4178 kmem_msb_arena, KMC_NOHASH);
4177 4179
4178 4180 kmem_bufctl_cache = kmem_cache_create("kmem_bufctl_cache",
4179 4181 sizeof (kmem_bufctl_t), 0, NULL, NULL, NULL, NULL,
4180 4182 kmem_msb_arena, KMC_NOHASH);
4181 4183
4182 4184 kmem_bufctl_audit_cache = kmem_cache_create("kmem_bufctl_audit_cache",
4183 4185 sizeof (kmem_bufctl_audit_t), 0, NULL, NULL, NULL, NULL,
4184 4186 kmem_msb_arena, KMC_NOHASH);
4185 4187
4186 4188 if (pass == 2) {
4187 4189 kmem_va_arena = vmem_create("kmem_va",
4188 4190 NULL, 0, PAGESIZE,
4189 4191 vmem_alloc, vmem_free, heap_arena,
4190 4192 8 * PAGESIZE, VM_SLEEP);
4191 4193
4192 4194 if (use_large_pages) {
4193 4195 kmem_default_arena = vmem_xcreate("kmem_default",
4194 4196 NULL, 0, PAGESIZE,
4195 4197 segkmem_alloc_lp, segkmem_free_lp, kmem_va_arena,
4196 4198 0, VMC_DUMPSAFE | VM_SLEEP);
4197 4199 } else {
4198 4200 kmem_default_arena = vmem_create("kmem_default",
4199 4201 NULL, 0, PAGESIZE,
4200 4202 segkmem_alloc, segkmem_free, kmem_va_arena,
4201 4203 0, VMC_DUMPSAFE | VM_SLEEP);
4202 4204 }
4203 4205
4204 4206 /* Figure out what our maximum cache size is */
4205 4207 maxbuf = kmem_max_cached;
4206 4208 if (maxbuf <= KMEM_MAXBUF) {
4207 4209 maxbuf = 0;
4208 4210 kmem_max_cached = KMEM_MAXBUF;
4209 4211 } else {
4210 4212 size_t size = 0;
4211 4213 size_t max =
4212 4214 sizeof (kmem_big_alloc_sizes) / sizeof (int);
4213 4215 /*
4214 4216 * Round maxbuf up to an existing cache size. If maxbuf
4215 4217 * is larger than the largest cache, we truncate it to
4216 4218 * the largest cache's size.
4217 4219 */
4218 4220 for (i = 0; i < max; i++) {
4219 4221 size = kmem_big_alloc_sizes[i];
4220 4222 if (maxbuf <= size)
4221 4223 break;
4222 4224 }
4223 4225 kmem_max_cached = maxbuf = size;
4224 4226 }
4225 4227
4226 4228 /*
4227 4229 * The big alloc table may not be completely overwritten, so
4228 4230 * we clear out any stale cache pointers from the first pass.
4229 4231 */
4230 4232 bzero(kmem_big_alloc_table, sizeof (kmem_big_alloc_table));
4231 4233 } else {
4232 4234 /*
4233 4235 * During the first pass, the kmem_alloc_* caches
4234 4236 * are treated as metadata.
4235 4237 */
4236 4238 kmem_default_arena = kmem_msb_arena;
4237 4239 maxbuf = KMEM_BIG_MAXBUF_32BIT;
4238 4240 }
4239 4241
4240 4242 /*
4241 4243 * Set up the default caches to back kmem_alloc()
4242 4244 */
4243 4245 kmem_alloc_caches_create(
4244 4246 kmem_alloc_sizes, sizeof (kmem_alloc_sizes) / sizeof (int),
4245 4247 kmem_alloc_table, KMEM_MAXBUF, KMEM_ALIGN_SHIFT);
4246 4248
4247 4249 kmem_alloc_caches_create(
4248 4250 kmem_big_alloc_sizes, sizeof (kmem_big_alloc_sizes) / sizeof (int),
4249 4251 kmem_big_alloc_table, maxbuf, KMEM_BIG_SHIFT);
4250 4252
4251 4253 kmem_big_alloc_table_max = maxbuf >> KMEM_BIG_SHIFT;
4252 4254 }
4253 4255
4254 4256 void
4255 4257 kmem_init(void)
4256 4258 {
4257 4259 kmem_cache_t *cp;
4258 4260 int old_kmem_flags = kmem_flags;
4259 4261 int use_large_pages = 0;
4260 4262 size_t maxverify, minfirewall;
4261 4263
4262 4264 kstat_init();
4263 4265
4264 4266 /*
4265 4267 * Don't do firewalled allocations if the heap is less than 1TB
4266 4268 * (i.e. on a 32-bit kernel)
4267 4269 * The resulting VM_NEXTFIT allocations would create too much
4268 4270 * fragmentation in a small heap.
4269 4271 */
4270 4272 #if defined(_LP64)
4271 4273 maxverify = minfirewall = PAGESIZE / 2;
4272 4274 #else
4273 4275 maxverify = minfirewall = ULONG_MAX;
4274 4276 #endif
4275 4277
4276 4278 /* LINTED */
4277 4279 ASSERT(sizeof (kmem_cpu_cache_t) == KMEM_CPU_CACHE_SIZE);
4278 4280
4279 4281 list_create(&kmem_caches, sizeof (kmem_cache_t),
4280 4282 offsetof(kmem_cache_t, cache_link));
4281 4283
4282 4284 kmem_metadata_arena = vmem_create("kmem_metadata", NULL, 0, PAGESIZE,
4283 4285 vmem_alloc, vmem_free, heap_arena, 8 * PAGESIZE,
4284 4286 VM_SLEEP | VMC_NO_QCACHE);
4285 4287
4286 4288 kmem_msb_arena = vmem_create("kmem_msb", NULL, 0,
4287 4289 PAGESIZE, segkmem_alloc, segkmem_free, kmem_metadata_arena, 0,
4288 4290 VMC_DUMPSAFE | VM_SLEEP);
4289 4291
4290 4292 kmem_cache_arena = vmem_create("kmem_cache", NULL, 0, KMEM_ALIGN,
4291 4293 segkmem_alloc, segkmem_free, kmem_metadata_arena, 0, VM_SLEEP);
4292 4294
4293 4295 kmem_hash_arena = vmem_create("kmem_hash", NULL, 0, KMEM_ALIGN,
4294 4296 segkmem_alloc, segkmem_free, kmem_metadata_arena, 0, VM_SLEEP);
4295 4297
4296 4298 kmem_log_arena = vmem_create("kmem_log", NULL, 0, KMEM_ALIGN,
4297 4299 segkmem_alloc, segkmem_free, heap_arena, 0, VM_SLEEP);
4298 4300
4299 4301 kmem_firewall_va_arena = vmem_create("kmem_firewall_va",
4300 4302 NULL, 0, PAGESIZE,
4301 4303 kmem_firewall_va_alloc, kmem_firewall_va_free, heap_arena,
4302 4304 0, VM_SLEEP);
4303 4305
4304 4306 kmem_firewall_arena = vmem_create("kmem_firewall", NULL, 0, PAGESIZE,
4305 4307 segkmem_alloc, segkmem_free, kmem_firewall_va_arena, 0,
4306 4308 VMC_DUMPSAFE | VM_SLEEP);
4307 4309
4308 4310 /* temporary oversize arena for mod_read_system_file */
4309 4311 kmem_oversize_arena = vmem_create("kmem_oversize", NULL, 0, PAGESIZE,
4310 4312 segkmem_alloc, segkmem_free, heap_arena, 0, VM_SLEEP);
4311 4313
4312 4314 kmem_reap_interval = 15 * hz;
4313 4315
4314 4316 /*
4315 4317 * Read /etc/system. This is a chicken-and-egg problem because
4316 4318 * kmem_flags may be set in /etc/system, but mod_read_system_file()
4317 4319 * needs to use the allocator. The simplest solution is to create
4318 4320 * all the standard kmem caches, read /etc/system, destroy all the
4319 4321 * caches we just created, and then create them all again in light
4320 4322 * of the (possibly) new kmem_flags and other kmem tunables.
4321 4323 */
4322 4324 kmem_cache_init(1, 0);
4323 4325
4324 4326 mod_read_system_file(boothowto & RB_ASKNAME);
4325 4327
4326 4328 while ((cp = list_tail(&kmem_caches)) != NULL)
4327 4329 kmem_cache_destroy(cp);
4328 4330
4329 4331 vmem_destroy(kmem_oversize_arena);
4330 4332
4331 4333 if (old_kmem_flags & KMF_STICKY)
4332 4334 kmem_flags = old_kmem_flags;
4333 4335
4334 4336 if (!(kmem_flags & KMF_AUDIT))
4335 4337 vmem_seg_size = offsetof(vmem_seg_t, vs_thread);
4336 4338
4337 4339 if (kmem_maxverify == 0)
4338 4340 kmem_maxverify = maxverify;
4339 4341
4340 4342 if (kmem_minfirewall == 0)
4341 4343 kmem_minfirewall = minfirewall;
4342 4344
4343 4345 /*
4344 4346 * give segkmem a chance to figure out if we are using large pages
4345 4347 * for the kernel heap
4346 4348 */
4347 4349 use_large_pages = segkmem_lpsetup();
4348 4350
4349 4351 /*
4350 4352 * To protect against corruption, we keep the actual number of callers
4351 4353 * KMF_LITE records seperate from the tunable. We arbitrarily clamp
4352 4354 * to 16, since the overhead for small buffers quickly gets out of
4353 4355 * hand.
4354 4356 *
4355 4357 * The real limit would depend on the needs of the largest KMC_NOHASH
4356 4358 * cache.
4357 4359 */
4358 4360 kmem_lite_count = MIN(MAX(0, kmem_lite_pcs), 16);
4359 4361 kmem_lite_pcs = kmem_lite_count;
4360 4362
4361 4363 /*
4362 4364 * Normally, we firewall oversized allocations when possible, but
4363 4365 * if we are using large pages for kernel memory, and we don't have
4364 4366 * any non-LITE debugging flags set, we want to allocate oversized
4365 4367 * buffers from large pages, and so skip the firewalling.
4366 4368 */
4367 4369 if (use_large_pages &&
4368 4370 ((kmem_flags & KMF_LITE) || !(kmem_flags & KMF_DEBUG))) {
4369 4371 kmem_oversize_arena = vmem_xcreate("kmem_oversize", NULL, 0,
4370 4372 PAGESIZE, segkmem_alloc_lp, segkmem_free_lp, heap_arena,
4371 4373 0, VMC_DUMPSAFE | VM_SLEEP);
4372 4374 } else {
4373 4375 kmem_oversize_arena = vmem_create("kmem_oversize",
4374 4376 NULL, 0, PAGESIZE,
4375 4377 segkmem_alloc, segkmem_free, kmem_minfirewall < ULONG_MAX?
4376 4378 kmem_firewall_va_arena : heap_arena, 0, VMC_DUMPSAFE |
4377 4379 VM_SLEEP);
4378 4380 }
4379 4381
4380 4382 kmem_cache_init(2, use_large_pages);
4381 4383
4382 4384 if (kmem_flags & (KMF_AUDIT | KMF_RANDOMIZE)) {
4383 4385 if (kmem_transaction_log_size == 0)
4384 4386 kmem_transaction_log_size = kmem_maxavail() / 50;
4385 4387 kmem_transaction_log = kmem_log_init(kmem_transaction_log_size);
4386 4388 }
4387 4389
4388 4390 if (kmem_flags & (KMF_CONTENTS | KMF_RANDOMIZE)) {
4389 4391 if (kmem_content_log_size == 0)
4390 4392 kmem_content_log_size = kmem_maxavail() / 50;
4391 4393 kmem_content_log = kmem_log_init(kmem_content_log_size);
4392 4394 }
4393 4395
4394 4396 kmem_failure_log = kmem_log_init(kmem_failure_log_size);
4395 4397
4396 4398 kmem_slab_log = kmem_log_init(kmem_slab_log_size);
4397 4399
4398 4400 /*
4399 4401 * Initialize STREAMS message caches so allocb() is available.
4400 4402 * This allows us to initialize the logging framework (cmn_err(9F),
4401 4403 * strlog(9F), etc) so we can start recording messages.
4402 4404 */
4403 4405 streams_msg_init();
4404 4406
4405 4407 /*
4406 4408 * Initialize the ZSD framework in Zones so modules loaded henceforth
4407 4409 * can register their callbacks.
4408 4410 */
4409 4411 zone_zsd_init();
4410 4412
4411 4413 log_init();
4412 4414 taskq_init();
4413 4415
4414 4416 /*
4415 4417 * Warn about invalid or dangerous values of kmem_flags.
4416 4418 * Always warn about unsupported values.
4417 4419 */
4418 4420 if (((kmem_flags & ~(KMF_AUDIT | KMF_DEADBEEF | KMF_REDZONE |
4419 4421 KMF_CONTENTS | KMF_LITE)) != 0) ||
4420 4422 ((kmem_flags & KMF_LITE) && kmem_flags != KMF_LITE))
4421 4423 cmn_err(CE_WARN, "kmem_flags set to unsupported value 0x%x. "
4422 4424 "See the Solaris Tunable Parameters Reference Manual.",
4423 4425 kmem_flags);
4424 4426
4425 4427 #ifdef DEBUG
4426 4428 if ((kmem_flags & KMF_DEBUG) == 0)
4427 4429 cmn_err(CE_NOTE, "kmem debugging disabled.");
4428 4430 #else
4429 4431 /*
4430 4432 * For non-debug kernels, the only "normal" flags are 0, KMF_LITE,
4431 4433 * KMF_REDZONE, and KMF_CONTENTS (the last because it is only enabled
4432 4434 * if KMF_AUDIT is set). We should warn the user about the performance
4433 4435 * penalty of KMF_AUDIT or KMF_DEADBEEF if they are set and KMF_LITE
4434 4436 * isn't set (since that disables AUDIT).
4435 4437 */
4436 4438 if (!(kmem_flags & KMF_LITE) &&
4437 4439 (kmem_flags & (KMF_AUDIT | KMF_DEADBEEF)) != 0)
4438 4440 cmn_err(CE_WARN, "High-overhead kmem debugging features "
4439 4441 "enabled (kmem_flags = 0x%x). Performance degradation "
4440 4442 "and large memory overhead possible. See the Solaris "
4441 4443 "Tunable Parameters Reference Manual.", kmem_flags);
4442 4444 #endif /* not DEBUG */
4443 4445
4444 4446 kmem_cache_applyall(kmem_cache_magazine_enable, NULL, TQ_SLEEP);
4445 4447
4446 4448 kmem_ready = 1;
4447 4449
4448 4450 /*
4449 4451 * Initialize the platform-specific aligned/DMA memory allocator.
4450 4452 */
4451 4453 ka_init();
4452 4454
4453 4455 /*
4454 4456 * Initialize 32-bit ID cache.
4455 4457 */
4456 4458 id32_init();
4457 4459
4458 4460 /*
4459 4461 * Initialize the networking stack so modules loaded can
4460 4462 * register their callbacks.
4461 4463 */
4462 4464 netstack_init();
4463 4465 }
4464 4466
4465 4467 static void
4466 4468 kmem_move_init(void)
4467 4469 {
4468 4470 kmem_defrag_cache = kmem_cache_create("kmem_defrag_cache",
4469 4471 sizeof (kmem_defrag_t), 0, NULL, NULL, NULL, NULL,
4470 4472 kmem_msb_arena, KMC_NOHASH);
4471 4473 kmem_move_cache = kmem_cache_create("kmem_move_cache",
4472 4474 sizeof (kmem_move_t), 0, NULL, NULL, NULL, NULL,
4473 4475 kmem_msb_arena, KMC_NOHASH);
4474 4476
4475 4477 /*
4476 4478 * kmem guarantees that move callbacks are sequential and that even
4477 4479 * across multiple caches no two moves ever execute simultaneously.
4478 4480 * Move callbacks are processed on a separate taskq so that client code
4479 4481 * does not interfere with internal maintenance tasks.
4480 4482 */
4481 4483 kmem_move_taskq = taskq_create_instance("kmem_move_taskq", 0, 1,
4482 4484 minclsyspri, 100, INT_MAX, TASKQ_PREPOPULATE);
4483 4485 }
4484 4486
4485 4487 void
4486 4488 kmem_thread_init(void)
4487 4489 {
4488 4490 kmem_move_init();
4489 4491 kmem_taskq = taskq_create_instance("kmem_taskq", 0, 1, minclsyspri,
4490 4492 300, INT_MAX, TASKQ_PREPOPULATE);
4491 4493 }
4492 4494
4493 4495 void
4494 4496 kmem_mp_init(void)
4495 4497 {
4496 4498 mutex_enter(&cpu_lock);
4497 4499 register_cpu_setup_func(kmem_cpu_setup, NULL);
4498 4500 mutex_exit(&cpu_lock);
4499 4501
4500 4502 kmem_update_timeout(NULL);
4501 4503
4502 4504 taskq_mp_init();
4503 4505 }
4504 4506
4505 4507 /*
4506 4508 * Return the slab of the allocated buffer, or NULL if the buffer is not
4507 4509 * allocated. This function may be called with a known slab address to determine
4508 4510 * whether or not the buffer is allocated, or with a NULL slab address to obtain
4509 4511 * an allocated buffer's slab.
4510 4512 */
4511 4513 static kmem_slab_t *
4512 4514 kmem_slab_allocated(kmem_cache_t *cp, kmem_slab_t *sp, void *buf)
4513 4515 {
4514 4516 kmem_bufctl_t *bcp, *bufbcp;
4515 4517
4516 4518 ASSERT(MUTEX_HELD(&cp->cache_lock));
4517 4519 ASSERT(sp == NULL || KMEM_SLAB_MEMBER(sp, buf));
4518 4520
4519 4521 if (cp->cache_flags & KMF_HASH) {
4520 4522 for (bcp = *KMEM_HASH(cp, buf);
4521 4523 (bcp != NULL) && (bcp->bc_addr != buf);
4522 4524 bcp = bcp->bc_next) {
4523 4525 continue;
4524 4526 }
4525 4527 ASSERT(sp != NULL && bcp != NULL ? sp == bcp->bc_slab : 1);
4526 4528 return (bcp == NULL ? NULL : bcp->bc_slab);
4527 4529 }
4528 4530
4529 4531 if (sp == NULL) {
4530 4532 sp = KMEM_SLAB(cp, buf);
4531 4533 }
4532 4534 bufbcp = KMEM_BUFCTL(cp, buf);
4533 4535 for (bcp = sp->slab_head;
4534 4536 (bcp != NULL) && (bcp != bufbcp);
4535 4537 bcp = bcp->bc_next) {
4536 4538 continue;
4537 4539 }
4538 4540 return (bcp == NULL ? sp : NULL);
4539 4541 }
4540 4542
4541 4543 static boolean_t
4542 4544 kmem_slab_is_reclaimable(kmem_cache_t *cp, kmem_slab_t *sp, int flags)
4543 4545 {
4544 4546 long refcnt = sp->slab_refcnt;
4545 4547
4546 4548 ASSERT(cp->cache_defrag != NULL);
4547 4549
4548 4550 /*
4549 4551 * For code coverage we want to be able to move an object within the
4550 4552 * same slab (the only partial slab) even if allocating the destination
4551 4553 * buffer resulted in a completely allocated slab.
4552 4554 */
4553 4555 if (flags & KMM_DEBUG) {
4554 4556 return ((flags & KMM_DESPERATE) ||
4555 4557 ((sp->slab_flags & KMEM_SLAB_NOMOVE) == 0));
4556 4558 }
4557 4559
4558 4560 /* If we're desperate, we don't care if the client said NO. */
4559 4561 if (flags & KMM_DESPERATE) {
4560 4562 return (refcnt < sp->slab_chunks); /* any partial */
4561 4563 }
4562 4564
4563 4565 if (sp->slab_flags & KMEM_SLAB_NOMOVE) {
4564 4566 return (B_FALSE);
4565 4567 }
4566 4568
4567 4569 if ((refcnt == 1) || kmem_move_any_partial) {
4568 4570 return (refcnt < sp->slab_chunks);
4569 4571 }
4570 4572
4571 4573 /*
4572 4574 * The reclaim threshold is adjusted at each kmem_cache_scan() so that
4573 4575 * slabs with a progressively higher percentage of used buffers can be
4574 4576 * reclaimed until the cache as a whole is no longer fragmented.
4575 4577 *
4576 4578 * sp->slab_refcnt kmd_reclaim_numer
4577 4579 * --------------- < ------------------
4578 4580 * sp->slab_chunks KMEM_VOID_FRACTION
4579 4581 */
4580 4582 return ((refcnt * KMEM_VOID_FRACTION) <
4581 4583 (sp->slab_chunks * cp->cache_defrag->kmd_reclaim_numer));
4582 4584 }
4583 4585
4584 4586 /*
4585 4587 * May be called from the kmem_move_taskq, from kmem_cache_move_notify_task(),
4586 4588 * or when the buffer is freed.
4587 4589 */
4588 4590 static void
4589 4591 kmem_slab_move_yes(kmem_cache_t *cp, kmem_slab_t *sp, void *from_buf)
4590 4592 {
4591 4593 ASSERT(MUTEX_HELD(&cp->cache_lock));
4592 4594 ASSERT(KMEM_SLAB_MEMBER(sp, from_buf));
4593 4595
4594 4596 if (!KMEM_SLAB_IS_PARTIAL(sp)) {
4595 4597 return;
4596 4598 }
4597 4599
4598 4600 if (sp->slab_flags & KMEM_SLAB_NOMOVE) {
4599 4601 if (KMEM_SLAB_OFFSET(sp, from_buf) == sp->slab_stuck_offset) {
4600 4602 avl_remove(&cp->cache_partial_slabs, sp);
4601 4603 sp->slab_flags &= ~KMEM_SLAB_NOMOVE;
4602 4604 sp->slab_stuck_offset = (uint32_t)-1;
4603 4605 avl_add(&cp->cache_partial_slabs, sp);
4604 4606 }
4605 4607 } else {
4606 4608 sp->slab_later_count = 0;
4607 4609 sp->slab_stuck_offset = (uint32_t)-1;
4608 4610 }
4609 4611 }
4610 4612
4611 4613 static void
4612 4614 kmem_slab_move_no(kmem_cache_t *cp, kmem_slab_t *sp, void *from_buf)
4613 4615 {
4614 4616 ASSERT(taskq_member(kmem_move_taskq, curthread));
4615 4617 ASSERT(MUTEX_HELD(&cp->cache_lock));
4616 4618 ASSERT(KMEM_SLAB_MEMBER(sp, from_buf));
4617 4619
4618 4620 if (!KMEM_SLAB_IS_PARTIAL(sp)) {
4619 4621 return;
4620 4622 }
4621 4623
4622 4624 avl_remove(&cp->cache_partial_slabs, sp);
4623 4625 sp->slab_later_count = 0;
4624 4626 sp->slab_flags |= KMEM_SLAB_NOMOVE;
4625 4627 sp->slab_stuck_offset = KMEM_SLAB_OFFSET(sp, from_buf);
4626 4628 avl_add(&cp->cache_partial_slabs, sp);
4627 4629 }
4628 4630
4629 4631 static void kmem_move_end(kmem_cache_t *, kmem_move_t *);
4630 4632
4631 4633 /*
4632 4634 * The move callback takes two buffer addresses, the buffer to be moved, and a
4633 4635 * newly allocated and constructed buffer selected by kmem as the destination.
4634 4636 * It also takes the size of the buffer and an optional user argument specified
4635 4637 * at cache creation time. kmem guarantees that the buffer to be moved has not
4636 4638 * been unmapped by the virtual memory subsystem. Beyond that, it cannot
4637 4639 * guarantee the present whereabouts of the buffer to be moved, so it is up to
4638 4640 * the client to safely determine whether or not it is still using the buffer.
4639 4641 * The client must not free either of the buffers passed to the move callback,
4640 4642 * since kmem wants to free them directly to the slab layer. The client response
4641 4643 * tells kmem which of the two buffers to free:
4642 4644 *
4643 4645 * YES kmem frees the old buffer (the move was successful)
4644 4646 * NO kmem frees the new buffer, marks the slab of the old buffer
4645 4647 * non-reclaimable to avoid bothering the client again
4646 4648 * LATER kmem frees the new buffer, increments slab_later_count
4647 4649 * DONT_KNOW kmem frees the new buffer
4648 4650 * DONT_NEED kmem frees both the old buffer and the new buffer
4649 4651 *
4650 4652 * The pending callback argument now being processed contains both of the
4651 4653 * buffers (old and new) passed to the move callback function, the slab of the
4652 4654 * old buffer, and flags related to the move request, such as whether or not the
4653 4655 * system was desperate for memory.
4654 4656 *
4655 4657 * Slabs are not freed while there is a pending callback, but instead are kept
4656 4658 * on a deadlist, which is drained after the last callback completes. This means
4657 4659 * that slabs are safe to access until kmem_move_end(), no matter how many of
4658 4660 * their buffers have been freed. Once slab_refcnt reaches zero, it stays at
4659 4661 * zero for as long as the slab remains on the deadlist and until the slab is
4660 4662 * freed.
4661 4663 */
4662 4664 static void
4663 4665 kmem_move_buffer(kmem_move_t *callback)
4664 4666 {
4665 4667 kmem_cbrc_t response;
4666 4668 kmem_slab_t *sp = callback->kmm_from_slab;
4667 4669 kmem_cache_t *cp = sp->slab_cache;
4668 4670 boolean_t free_on_slab;
4669 4671
4670 4672 ASSERT(taskq_member(kmem_move_taskq, curthread));
4671 4673 ASSERT(MUTEX_NOT_HELD(&cp->cache_lock));
4672 4674 ASSERT(KMEM_SLAB_MEMBER(sp, callback->kmm_from_buf));
4673 4675
4674 4676 /*
4675 4677 * The number of allocated buffers on the slab may have changed since we
4676 4678 * last checked the slab's reclaimability (when the pending move was
4677 4679 * enqueued), or the client may have responded NO when asked to move
4678 4680 * another buffer on the same slab.
4679 4681 */
4680 4682 if (!kmem_slab_is_reclaimable(cp, sp, callback->kmm_flags)) {
4681 4683 kmem_slab_free(cp, callback->kmm_to_buf);
4682 4684 kmem_move_end(cp, callback);
4683 4685 return;
4684 4686 }
4685 4687
4686 4688 /*
4687 4689 * Checking the slab layer is easy, so we might as well do that here
4688 4690 * in case we can avoid bothering the client.
4689 4691 */
4690 4692 mutex_enter(&cp->cache_lock);
4691 4693 free_on_slab = (kmem_slab_allocated(cp, sp,
4692 4694 callback->kmm_from_buf) == NULL);
4693 4695 mutex_exit(&cp->cache_lock);
4694 4696
4695 4697 if (free_on_slab) {
4696 4698 kmem_slab_free(cp, callback->kmm_to_buf);
4697 4699 kmem_move_end(cp, callback);
4698 4700 return;
4699 4701 }
4700 4702
4701 4703 if (cp->cache_flags & KMF_BUFTAG) {
4702 4704 /*
4703 4705 * Make kmem_cache_alloc_debug() apply the constructor for us.
4704 4706 */
4705 4707 if (kmem_cache_alloc_debug(cp, callback->kmm_to_buf,
4706 4708 KM_NOSLEEP, 1, caller()) != 0) {
4707 4709 kmem_move_end(cp, callback);
4708 4710 return;
4709 4711 }
4710 4712 } else if (cp->cache_constructor != NULL &&
4711 4713 cp->cache_constructor(callback->kmm_to_buf, cp->cache_private,
4712 4714 KM_NOSLEEP) != 0) {
4713 4715 atomic_inc_64(&cp->cache_alloc_fail);
4714 4716 kmem_slab_free(cp, callback->kmm_to_buf);
4715 4717 kmem_move_end(cp, callback);
4716 4718 return;
4717 4719 }
4718 4720
4719 4721 cp->cache_defrag->kmd_callbacks++;
4720 4722 cp->cache_defrag->kmd_thread = curthread;
4721 4723 cp->cache_defrag->kmd_from_buf = callback->kmm_from_buf;
4722 4724 cp->cache_defrag->kmd_to_buf = callback->kmm_to_buf;
4723 4725 DTRACE_PROBE2(kmem__move__start, kmem_cache_t *, cp, kmem_move_t *,
4724 4726 callback);
4725 4727
4726 4728 response = cp->cache_move(callback->kmm_from_buf,
4727 4729 callback->kmm_to_buf, cp->cache_bufsize, cp->cache_private);
4728 4730
4729 4731 DTRACE_PROBE3(kmem__move__end, kmem_cache_t *, cp, kmem_move_t *,
4730 4732 callback, kmem_cbrc_t, response);
4731 4733 cp->cache_defrag->kmd_thread = NULL;
4732 4734 cp->cache_defrag->kmd_from_buf = NULL;
4733 4735 cp->cache_defrag->kmd_to_buf = NULL;
4734 4736
4735 4737 if (response == KMEM_CBRC_YES) {
4736 4738 cp->cache_defrag->kmd_yes++;
4737 4739 kmem_slab_free_constructed(cp, callback->kmm_from_buf, B_FALSE);
4738 4740 /* slab safe to access until kmem_move_end() */
4739 4741 if (sp->slab_refcnt == 0)
4740 4742 cp->cache_defrag->kmd_slabs_freed++;
4741 4743 mutex_enter(&cp->cache_lock);
4742 4744 kmem_slab_move_yes(cp, sp, callback->kmm_from_buf);
4743 4745 mutex_exit(&cp->cache_lock);
4744 4746 kmem_move_end(cp, callback);
4745 4747 return;
4746 4748 }
4747 4749
4748 4750 switch (response) {
4749 4751 case KMEM_CBRC_NO:
4750 4752 cp->cache_defrag->kmd_no++;
4751 4753 mutex_enter(&cp->cache_lock);
4752 4754 kmem_slab_move_no(cp, sp, callback->kmm_from_buf);
4753 4755 mutex_exit(&cp->cache_lock);
4754 4756 break;
4755 4757 case KMEM_CBRC_LATER:
4756 4758 cp->cache_defrag->kmd_later++;
4757 4759 mutex_enter(&cp->cache_lock);
4758 4760 if (!KMEM_SLAB_IS_PARTIAL(sp)) {
4759 4761 mutex_exit(&cp->cache_lock);
4760 4762 break;
4761 4763 }
4762 4764
4763 4765 if (++sp->slab_later_count >= KMEM_DISBELIEF) {
4764 4766 kmem_slab_move_no(cp, sp, callback->kmm_from_buf);
4765 4767 } else if (!(sp->slab_flags & KMEM_SLAB_NOMOVE)) {
4766 4768 sp->slab_stuck_offset = KMEM_SLAB_OFFSET(sp,
4767 4769 callback->kmm_from_buf);
4768 4770 }
4769 4771 mutex_exit(&cp->cache_lock);
4770 4772 break;
4771 4773 case KMEM_CBRC_DONT_NEED:
4772 4774 cp->cache_defrag->kmd_dont_need++;
4773 4775 kmem_slab_free_constructed(cp, callback->kmm_from_buf, B_FALSE);
4774 4776 if (sp->slab_refcnt == 0)
4775 4777 cp->cache_defrag->kmd_slabs_freed++;
4776 4778 mutex_enter(&cp->cache_lock);
4777 4779 kmem_slab_move_yes(cp, sp, callback->kmm_from_buf);
4778 4780 mutex_exit(&cp->cache_lock);
4779 4781 break;
4780 4782 case KMEM_CBRC_DONT_KNOW:
4781 4783 /*
4782 4784 * If we don't know if we can move this buffer or not, we'll
4783 4785 * just assume that we can't: if the buffer is in fact free,
4784 4786 * then it is sitting in one of the per-CPU magazines or in
4785 4787 * a full magazine in the depot layer. Either way, because
4786 4788 * defrag is induced in the same logic that reaps a cache,
4787 4789 * it's likely that full magazines will be returned to the
4788 4790 * system soon (thereby accomplishing what we're trying to
4789 4791 * accomplish here: return those magazines to their slabs).
4790 4792 * Given this, any work that we might do now to locate a buffer
4791 4793 * in a magazine is wasted (and expensive!) work; we bump
4792 4794 * a counter in this case and otherwise assume that we can't
4793 4795 * move it.
4794 4796 */
4795 4797 cp->cache_defrag->kmd_dont_know++;
4796 4798 break;
4797 4799 default:
4798 4800 panic("'%s' (%p) unexpected move callback response %d\n",
4799 4801 cp->cache_name, (void *)cp, response);
4800 4802 }
4801 4803
4802 4804 kmem_slab_free_constructed(cp, callback->kmm_to_buf, B_FALSE);
4803 4805 kmem_move_end(cp, callback);
4804 4806 }
4805 4807
4806 4808 /* Return B_FALSE if there is insufficient memory for the move request. */
4807 4809 static boolean_t
4808 4810 kmem_move_begin(kmem_cache_t *cp, kmem_slab_t *sp, void *buf, int flags)
4809 4811 {
4810 4812 void *to_buf;
4811 4813 avl_index_t index;
4812 4814 kmem_move_t *callback, *pending;
4813 4815 ulong_t n;
4814 4816
4815 4817 ASSERT(taskq_member(kmem_taskq, curthread));
4816 4818 ASSERT(MUTEX_NOT_HELD(&cp->cache_lock));
4817 4819 ASSERT(sp->slab_flags & KMEM_SLAB_MOVE_PENDING);
4818 4820
4819 4821 callback = kmem_cache_alloc(kmem_move_cache, KM_NOSLEEP);
4820 4822
4821 4823 if (callback == NULL)
4822 4824 return (B_FALSE);
4823 4825
4824 4826 callback->kmm_from_slab = sp;
4825 4827 callback->kmm_from_buf = buf;
4826 4828 callback->kmm_flags = flags;
4827 4829
4828 4830 mutex_enter(&cp->cache_lock);
4829 4831
4830 4832 n = avl_numnodes(&cp->cache_partial_slabs);
4831 4833 if ((n == 0) || ((n == 1) && !(flags & KMM_DEBUG))) {
4832 4834 mutex_exit(&cp->cache_lock);
4833 4835 kmem_cache_free(kmem_move_cache, callback);
4834 4836 return (B_TRUE); /* there is no need for the move request */
4835 4837 }
4836 4838
4837 4839 pending = avl_find(&cp->cache_defrag->kmd_moves_pending, buf, &index);
4838 4840 if (pending != NULL) {
4839 4841 /*
4840 4842 * If the move is already pending and we're desperate now,
4841 4843 * update the move flags.
4842 4844 */
4843 4845 if (flags & KMM_DESPERATE) {
4844 4846 pending->kmm_flags |= KMM_DESPERATE;
4845 4847 }
4846 4848 mutex_exit(&cp->cache_lock);
4847 4849 kmem_cache_free(kmem_move_cache, callback);
4848 4850 return (B_TRUE);
4849 4851 }
4850 4852
4851 4853 to_buf = kmem_slab_alloc_impl(cp, avl_first(&cp->cache_partial_slabs),
4852 4854 B_FALSE);
4853 4855 callback->kmm_to_buf = to_buf;
4854 4856 avl_insert(&cp->cache_defrag->kmd_moves_pending, callback, index);
4855 4857
4856 4858 mutex_exit(&cp->cache_lock);
4857 4859
4858 4860 if (!taskq_dispatch(kmem_move_taskq, (task_func_t *)kmem_move_buffer,
4859 4861 callback, TQ_NOSLEEP)) {
4860 4862 mutex_enter(&cp->cache_lock);
4861 4863 avl_remove(&cp->cache_defrag->kmd_moves_pending, callback);
4862 4864 mutex_exit(&cp->cache_lock);
4863 4865 kmem_slab_free(cp, to_buf);
4864 4866 kmem_cache_free(kmem_move_cache, callback);
4865 4867 return (B_FALSE);
4866 4868 }
4867 4869
4868 4870 return (B_TRUE);
4869 4871 }
4870 4872
4871 4873 static void
4872 4874 kmem_move_end(kmem_cache_t *cp, kmem_move_t *callback)
4873 4875 {
4874 4876 avl_index_t index;
4875 4877
4876 4878 ASSERT(cp->cache_defrag != NULL);
4877 4879 ASSERT(taskq_member(kmem_move_taskq, curthread));
4878 4880 ASSERT(MUTEX_NOT_HELD(&cp->cache_lock));
4879 4881
4880 4882 mutex_enter(&cp->cache_lock);
4881 4883 VERIFY(avl_find(&cp->cache_defrag->kmd_moves_pending,
4882 4884 callback->kmm_from_buf, &index) != NULL);
4883 4885 avl_remove(&cp->cache_defrag->kmd_moves_pending, callback);
4884 4886 if (avl_is_empty(&cp->cache_defrag->kmd_moves_pending)) {
4885 4887 list_t *deadlist = &cp->cache_defrag->kmd_deadlist;
4886 4888 kmem_slab_t *sp;
4887 4889
4888 4890 /*
4889 4891 * The last pending move completed. Release all slabs from the
4890 4892 * front of the dead list except for any slab at the tail that
4891 4893 * needs to be released from the context of kmem_move_buffers().
4892 4894 * kmem deferred unmapping the buffers on these slabs in order
4893 4895 * to guarantee that buffers passed to the move callback have
4894 4896 * been touched only by kmem or by the client itself.
4895 4897 */
4896 4898 while ((sp = list_remove_head(deadlist)) != NULL) {
4897 4899 if (sp->slab_flags & KMEM_SLAB_MOVE_PENDING) {
4898 4900 list_insert_tail(deadlist, sp);
4899 4901 break;
4900 4902 }
4901 4903 cp->cache_defrag->kmd_deadcount--;
4902 4904 cp->cache_slab_destroy++;
4903 4905 mutex_exit(&cp->cache_lock);
4904 4906 kmem_slab_destroy(cp, sp);
4905 4907 mutex_enter(&cp->cache_lock);
4906 4908 }
4907 4909 }
4908 4910 mutex_exit(&cp->cache_lock);
4909 4911 kmem_cache_free(kmem_move_cache, callback);
4910 4912 }
4911 4913
4912 4914 /*
4913 4915 * Move buffers from least used slabs first by scanning backwards from the end
4914 4916 * of the partial slab list. Scan at most max_scan candidate slabs and move
4915 4917 * buffers from at most max_slabs slabs (0 for all partial slabs in both cases).
4916 4918 * If desperate to reclaim memory, move buffers from any partial slab, otherwise
4917 4919 * skip slabs with a ratio of allocated buffers at or above the current
4918 4920 * threshold. Return the number of unskipped slabs (at most max_slabs, -1 if the
4919 4921 * scan is aborted) so that the caller can adjust the reclaimability threshold
4920 4922 * depending on how many reclaimable slabs it finds.
4921 4923 *
4922 4924 * kmem_move_buffers() drops and reacquires cache_lock every time it issues a
4923 4925 * move request, since it is not valid for kmem_move_begin() to call
4924 4926 * kmem_cache_alloc() or taskq_dispatch() with cache_lock held.
4925 4927 */
4926 4928 static int
4927 4929 kmem_move_buffers(kmem_cache_t *cp, size_t max_scan, size_t max_slabs,
4928 4930 int flags)
4929 4931 {
4930 4932 kmem_slab_t *sp;
4931 4933 void *buf;
4932 4934 int i, j; /* slab index, buffer index */
4933 4935 int s; /* reclaimable slabs */
4934 4936 int b; /* allocated (movable) buffers on reclaimable slab */
4935 4937 boolean_t success;
4936 4938 int refcnt;
4937 4939 int nomove;
4938 4940
4939 4941 ASSERT(taskq_member(kmem_taskq, curthread));
4940 4942 ASSERT(MUTEX_HELD(&cp->cache_lock));
4941 4943 ASSERT(kmem_move_cache != NULL);
4942 4944 ASSERT(cp->cache_move != NULL && cp->cache_defrag != NULL);
4943 4945 ASSERT((flags & KMM_DEBUG) ? !avl_is_empty(&cp->cache_partial_slabs) :
4944 4946 avl_numnodes(&cp->cache_partial_slabs) > 1);
4945 4947
4946 4948 if (kmem_move_blocked) {
4947 4949 return (0);
4948 4950 }
4949 4951
4950 4952 if (kmem_move_fulltilt) {
4951 4953 flags |= KMM_DESPERATE;
4952 4954 }
4953 4955
4954 4956 if (max_scan == 0 || (flags & KMM_DESPERATE)) {
4955 4957 /*
4956 4958 * Scan as many slabs as needed to find the desired number of
4957 4959 * candidate slabs.
4958 4960 */
4959 4961 max_scan = (size_t)-1;
4960 4962 }
4961 4963
4962 4964 if (max_slabs == 0 || (flags & KMM_DESPERATE)) {
4963 4965 /* Find as many candidate slabs as possible. */
4964 4966 max_slabs = (size_t)-1;
4965 4967 }
4966 4968
4967 4969 sp = avl_last(&cp->cache_partial_slabs);
4968 4970 ASSERT(KMEM_SLAB_IS_PARTIAL(sp));
4969 4971 for (i = 0, s = 0; (i < max_scan) && (s < max_slabs) && (sp != NULL) &&
4970 4972 ((sp != avl_first(&cp->cache_partial_slabs)) ||
4971 4973 (flags & KMM_DEBUG));
4972 4974 sp = AVL_PREV(&cp->cache_partial_slabs, sp), i++) {
4973 4975
4974 4976 if (!kmem_slab_is_reclaimable(cp, sp, flags)) {
4975 4977 continue;
4976 4978 }
4977 4979 s++;
4978 4980
4979 4981 /* Look for allocated buffers to move. */
4980 4982 for (j = 0, b = 0, buf = sp->slab_base;
4981 4983 (j < sp->slab_chunks) && (b < sp->slab_refcnt);
4982 4984 buf = (((char *)buf) + cp->cache_chunksize), j++) {
4983 4985
4984 4986 if (kmem_slab_allocated(cp, sp, buf) == NULL) {
4985 4987 continue;
4986 4988 }
4987 4989
4988 4990 b++;
4989 4991
4990 4992 /*
4991 4993 * Prevent the slab from being destroyed while we drop
4992 4994 * cache_lock and while the pending move is not yet
4993 4995 * registered. Flag the pending move while
4994 4996 * kmd_moves_pending may still be empty, since we can't
4995 4997 * yet rely on a non-zero pending move count to prevent
4996 4998 * the slab from being destroyed.
4997 4999 */
4998 5000 ASSERT(!(sp->slab_flags & KMEM_SLAB_MOVE_PENDING));
4999 5001 sp->slab_flags |= KMEM_SLAB_MOVE_PENDING;
5000 5002 /*
5001 5003 * Recheck refcnt and nomove after reacquiring the lock,
5002 5004 * since these control the order of partial slabs, and
5003 5005 * we want to know if we can pick up the scan where we
5004 5006 * left off.
5005 5007 */
5006 5008 refcnt = sp->slab_refcnt;
5007 5009 nomove = (sp->slab_flags & KMEM_SLAB_NOMOVE);
5008 5010 mutex_exit(&cp->cache_lock);
5009 5011
5010 5012 success = kmem_move_begin(cp, sp, buf, flags);
5011 5013
5012 5014 /*
5013 5015 * Now, before the lock is reacquired, kmem could
5014 5016 * process all pending move requests and purge the
5015 5017 * deadlist, so that upon reacquiring the lock, sp has
5016 5018 * been remapped. Or, the client may free all the
5017 5019 * objects on the slab while the pending moves are still
5018 5020 * on the taskq. Therefore, the KMEM_SLAB_MOVE_PENDING
5019 5021 * flag causes the slab to be put at the end of the
5020 5022 * deadlist and prevents it from being destroyed, since
5021 5023 * we plan to destroy it here after reacquiring the
5022 5024 * lock.
5023 5025 */
5024 5026 mutex_enter(&cp->cache_lock);
5025 5027 ASSERT(sp->slab_flags & KMEM_SLAB_MOVE_PENDING);
5026 5028 sp->slab_flags &= ~KMEM_SLAB_MOVE_PENDING;
5027 5029
5028 5030 if (sp->slab_refcnt == 0) {
5029 5031 list_t *deadlist =
5030 5032 &cp->cache_defrag->kmd_deadlist;
5031 5033 list_remove(deadlist, sp);
5032 5034
5033 5035 if (!avl_is_empty(
5034 5036 &cp->cache_defrag->kmd_moves_pending)) {
5035 5037 /*
5036 5038 * A pending move makes it unsafe to
5037 5039 * destroy the slab, because even though
5038 5040 * the move is no longer needed, the
5039 5041 * context where that is determined
5040 5042 * requires the slab to exist.
5041 5043 * Fortunately, a pending move also
5042 5044 * means we don't need to destroy the
5043 5045 * slab here, since it will get
5044 5046 * destroyed along with any other slabs
5045 5047 * on the deadlist after the last
5046 5048 * pending move completes.
5047 5049 */
5048 5050 list_insert_head(deadlist, sp);
5049 5051 return (-1);
5050 5052 }
5051 5053
5052 5054 /*
5053 5055 * Destroy the slab now if it was completely
5054 5056 * freed while we dropped cache_lock and there
5055 5057 * are no pending moves. Since slab_refcnt
5056 5058 * cannot change once it reaches zero, no new
5057 5059 * pending moves from that slab are possible.
5058 5060 */
5059 5061 cp->cache_defrag->kmd_deadcount--;
5060 5062 cp->cache_slab_destroy++;
5061 5063 mutex_exit(&cp->cache_lock);
5062 5064 kmem_slab_destroy(cp, sp);
5063 5065 mutex_enter(&cp->cache_lock);
5064 5066 /*
5065 5067 * Since we can't pick up the scan where we left
5066 5068 * off, abort the scan and say nothing about the
5067 5069 * number of reclaimable slabs.
5068 5070 */
5069 5071 return (-1);
5070 5072 }
5071 5073
5072 5074 if (!success) {
5073 5075 /*
5074 5076 * Abort the scan if there is not enough memory
5075 5077 * for the request and say nothing about the
5076 5078 * number of reclaimable slabs.
5077 5079 */
5078 5080 return (-1);
5079 5081 }
5080 5082
5081 5083 /*
5082 5084 * The slab's position changed while the lock was
5083 5085 * dropped, so we don't know where we are in the
5084 5086 * sequence any more.
5085 5087 */
5086 5088 if (sp->slab_refcnt != refcnt) {
5087 5089 /*
5088 5090 * If this is a KMM_DEBUG move, the slab_refcnt
5089 5091 * may have changed because we allocated a
5090 5092 * destination buffer on the same slab. In that
5091 5093 * case, we're not interested in counting it.
5092 5094 */
5093 5095 return (-1);
5094 5096 }
5095 5097 if ((sp->slab_flags & KMEM_SLAB_NOMOVE) != nomove)
5096 5098 return (-1);
5097 5099
5098 5100 /*
5099 5101 * Generating a move request allocates a destination
5100 5102 * buffer from the slab layer, bumping the first partial
5101 5103 * slab if it is completely allocated. If the current
5102 5104 * slab becomes the first partial slab as a result, we
5103 5105 * can't continue to scan backwards.
5104 5106 *
5105 5107 * If this is a KMM_DEBUG move and we allocated the
5106 5108 * destination buffer from the last partial slab, then
5107 5109 * the buffer we're moving is on the same slab and our
5108 5110 * slab_refcnt has changed, causing us to return before
5109 5111 * reaching here if there are no partial slabs left.
5110 5112 */
5111 5113 ASSERT(!avl_is_empty(&cp->cache_partial_slabs));
5112 5114 if (sp == avl_first(&cp->cache_partial_slabs)) {
5113 5115 /*
5114 5116 * We're not interested in a second KMM_DEBUG
5115 5117 * move.
5116 5118 */
5117 5119 goto end_scan;
5118 5120 }
5119 5121 }
5120 5122 }
5121 5123 end_scan:
5122 5124
5123 5125 return (s);
5124 5126 }
5125 5127
5126 5128 typedef struct kmem_move_notify_args {
5127 5129 kmem_cache_t *kmna_cache;
5128 5130 void *kmna_buf;
5129 5131 } kmem_move_notify_args_t;
5130 5132
5131 5133 static void
5132 5134 kmem_cache_move_notify_task(void *arg)
5133 5135 {
5134 5136 kmem_move_notify_args_t *args = arg;
5135 5137 kmem_cache_t *cp = args->kmna_cache;
5136 5138 void *buf = args->kmna_buf;
5137 5139 kmem_slab_t *sp;
5138 5140
5139 5141 ASSERT(taskq_member(kmem_taskq, curthread));
5140 5142 ASSERT(list_link_active(&cp->cache_link));
5141 5143
5142 5144 kmem_free(args, sizeof (kmem_move_notify_args_t));
5143 5145 mutex_enter(&cp->cache_lock);
5144 5146 sp = kmem_slab_allocated(cp, NULL, buf);
5145 5147
5146 5148 /* Ignore the notification if the buffer is no longer allocated. */
5147 5149 if (sp == NULL) {
5148 5150 mutex_exit(&cp->cache_lock);
5149 5151 return;
5150 5152 }
5151 5153
5152 5154 /* Ignore the notification if there's no reason to move the buffer. */
5153 5155 if (avl_numnodes(&cp->cache_partial_slabs) > 1) {
5154 5156 /*
5155 5157 * So far the notification is not ignored. Ignore the
5156 5158 * notification if the slab is not marked by an earlier refusal
5157 5159 * to move a buffer.
5158 5160 */
5159 5161 if (!(sp->slab_flags & KMEM_SLAB_NOMOVE) &&
5160 5162 (sp->slab_later_count == 0)) {
5161 5163 mutex_exit(&cp->cache_lock);
5162 5164 return;
5163 5165 }
5164 5166
5165 5167 kmem_slab_move_yes(cp, sp, buf);
5166 5168 ASSERT(!(sp->slab_flags & KMEM_SLAB_MOVE_PENDING));
5167 5169 sp->slab_flags |= KMEM_SLAB_MOVE_PENDING;
5168 5170 mutex_exit(&cp->cache_lock);
5169 5171 /* see kmem_move_buffers() about dropping the lock */
5170 5172 (void) kmem_move_begin(cp, sp, buf, KMM_NOTIFY);
5171 5173 mutex_enter(&cp->cache_lock);
5172 5174 ASSERT(sp->slab_flags & KMEM_SLAB_MOVE_PENDING);
5173 5175 sp->slab_flags &= ~KMEM_SLAB_MOVE_PENDING;
5174 5176 if (sp->slab_refcnt == 0) {
5175 5177 list_t *deadlist = &cp->cache_defrag->kmd_deadlist;
5176 5178 list_remove(deadlist, sp);
5177 5179
5178 5180 if (!avl_is_empty(
5179 5181 &cp->cache_defrag->kmd_moves_pending)) {
5180 5182 list_insert_head(deadlist, sp);
5181 5183 mutex_exit(&cp->cache_lock);
5182 5184 return;
5183 5185 }
5184 5186
5185 5187 cp->cache_defrag->kmd_deadcount--;
5186 5188 cp->cache_slab_destroy++;
5187 5189 mutex_exit(&cp->cache_lock);
5188 5190 kmem_slab_destroy(cp, sp);
5189 5191 return;
5190 5192 }
5191 5193 } else {
5192 5194 kmem_slab_move_yes(cp, sp, buf);
5193 5195 }
5194 5196 mutex_exit(&cp->cache_lock);
5195 5197 }
5196 5198
5197 5199 void
5198 5200 kmem_cache_move_notify(kmem_cache_t *cp, void *buf)
5199 5201 {
5200 5202 kmem_move_notify_args_t *args;
5201 5203
5202 5204 args = kmem_alloc(sizeof (kmem_move_notify_args_t), KM_NOSLEEP);
5203 5205 if (args != NULL) {
5204 5206 args->kmna_cache = cp;
5205 5207 args->kmna_buf = buf;
5206 5208 if (!taskq_dispatch(kmem_taskq,
5207 5209 (task_func_t *)kmem_cache_move_notify_task, args,
5208 5210 TQ_NOSLEEP))
5209 5211 kmem_free(args, sizeof (kmem_move_notify_args_t));
5210 5212 }
5211 5213 }
5212 5214
5213 5215 static void
5214 5216 kmem_cache_defrag(kmem_cache_t *cp)
5215 5217 {
5216 5218 size_t n;
5217 5219
5218 5220 ASSERT(cp->cache_defrag != NULL);
5219 5221
5220 5222 mutex_enter(&cp->cache_lock);
5221 5223 n = avl_numnodes(&cp->cache_partial_slabs);
5222 5224 if (n > 1) {
5223 5225 /* kmem_move_buffers() drops and reacquires cache_lock */
5224 5226 cp->cache_defrag->kmd_defrags++;
5225 5227 (void) kmem_move_buffers(cp, n, 0, KMM_DESPERATE);
5226 5228 }
5227 5229 mutex_exit(&cp->cache_lock);
5228 5230 }
5229 5231
5230 5232 /* Is this cache above the fragmentation threshold? */
5231 5233 static boolean_t
5232 5234 kmem_cache_frag_threshold(kmem_cache_t *cp, uint64_t nfree)
5233 5235 {
5234 5236 /*
5235 5237 * nfree kmem_frag_numer
5236 5238 * ------------------ > ---------------
5237 5239 * cp->cache_buftotal kmem_frag_denom
5238 5240 */
5239 5241 return ((nfree * kmem_frag_denom) >
5240 5242 (cp->cache_buftotal * kmem_frag_numer));
5241 5243 }
5242 5244
5243 5245 static boolean_t
5244 5246 kmem_cache_is_fragmented(kmem_cache_t *cp, boolean_t *doreap)
5245 5247 {
5246 5248 boolean_t fragmented;
5247 5249 uint64_t nfree;
5248 5250
5249 5251 ASSERT(MUTEX_HELD(&cp->cache_lock));
5250 5252 *doreap = B_FALSE;
5251 5253
5252 5254 if (kmem_move_fulltilt) {
5253 5255 if (avl_numnodes(&cp->cache_partial_slabs) > 1) {
5254 5256 return (B_TRUE);
5255 5257 }
5256 5258 } else {
5257 5259 if ((cp->cache_complete_slab_count + avl_numnodes(
5258 5260 &cp->cache_partial_slabs)) < kmem_frag_minslabs) {
5259 5261 return (B_FALSE);
5260 5262 }
5261 5263 }
5262 5264
5263 5265 nfree = cp->cache_bufslab;
5264 5266 fragmented = ((avl_numnodes(&cp->cache_partial_slabs) > 1) &&
5265 5267 kmem_cache_frag_threshold(cp, nfree));
5266 5268
5267 5269 /*
5268 5270 * Free buffers in the magazine layer appear allocated from the point of
5269 5271 * view of the slab layer. We want to know if the slab layer would
5270 5272 * appear fragmented if we included free buffers from magazines that
5271 5273 * have fallen out of the working set.
5272 5274 */
5273 5275 if (!fragmented) {
5274 5276 long reap;
5275 5277
5276 5278 mutex_enter(&cp->cache_depot_lock);
5277 5279 reap = MIN(cp->cache_full.ml_reaplimit, cp->cache_full.ml_min);
5278 5280 reap = MIN(reap, cp->cache_full.ml_total);
5279 5281 mutex_exit(&cp->cache_depot_lock);
5280 5282
5281 5283 nfree += ((uint64_t)reap * cp->cache_magtype->mt_magsize);
5282 5284 if (kmem_cache_frag_threshold(cp, nfree)) {
5283 5285 *doreap = B_TRUE;
5284 5286 }
5285 5287 }
5286 5288
5287 5289 return (fragmented);
5288 5290 }
5289 5291
5290 5292 /* Called periodically from kmem_taskq */
5291 5293 static void
5292 5294 kmem_cache_scan(kmem_cache_t *cp)
5293 5295 {
5294 5296 boolean_t reap = B_FALSE;
5295 5297 kmem_defrag_t *kmd;
5296 5298
5297 5299 ASSERT(taskq_member(kmem_taskq, curthread));
5298 5300
5299 5301 mutex_enter(&cp->cache_lock);
5300 5302
5301 5303 kmd = cp->cache_defrag;
5302 5304 if (kmd->kmd_consolidate > 0) {
5303 5305 kmd->kmd_consolidate--;
5304 5306 mutex_exit(&cp->cache_lock);
5305 5307 kmem_cache_reap(cp);
5306 5308 return;
5307 5309 }
5308 5310
5309 5311 if (kmem_cache_is_fragmented(cp, &reap)) {
5310 5312 size_t slabs_found;
5311 5313
5312 5314 /*
5313 5315 * Consolidate reclaimable slabs from the end of the partial
5314 5316 * slab list (scan at most kmem_reclaim_scan_range slabs to find
5315 5317 * reclaimable slabs). Keep track of how many candidate slabs we
5316 5318 * looked for and how many we actually found so we can adjust
5317 5319 * the definition of a candidate slab if we're having trouble
5318 5320 * finding them.
5319 5321 *
5320 5322 * kmem_move_buffers() drops and reacquires cache_lock.
5321 5323 */
5322 5324 kmd->kmd_scans++;
5323 5325 slabs_found = kmem_move_buffers(cp, kmem_reclaim_scan_range,
5324 5326 kmem_reclaim_max_slabs, 0);
5325 5327 if (slabs_found >= 0) {
5326 5328 kmd->kmd_slabs_sought += kmem_reclaim_max_slabs;
5327 5329 kmd->kmd_slabs_found += slabs_found;
5328 5330 }
5329 5331
5330 5332 if (++kmd->kmd_tries >= kmem_reclaim_scan_range) {
5331 5333 kmd->kmd_tries = 0;
5332 5334
5333 5335 /*
5334 5336 * If we had difficulty finding candidate slabs in
5335 5337 * previous scans, adjust the threshold so that
5336 5338 * candidates are easier to find.
5337 5339 */
5338 5340 if (kmd->kmd_slabs_found == kmd->kmd_slabs_sought) {
5339 5341 kmem_adjust_reclaim_threshold(kmd, -1);
5340 5342 } else if ((kmd->kmd_slabs_found * 2) <
5341 5343 kmd->kmd_slabs_sought) {
5342 5344 kmem_adjust_reclaim_threshold(kmd, 1);
5343 5345 }
5344 5346 kmd->kmd_slabs_sought = 0;
5345 5347 kmd->kmd_slabs_found = 0;
5346 5348 }
5347 5349 } else {
5348 5350 kmem_reset_reclaim_threshold(cp->cache_defrag);
5349 5351 #ifdef DEBUG
5350 5352 if (!avl_is_empty(&cp->cache_partial_slabs)) {
5351 5353 /*
5352 5354 * In a debug kernel we want the consolidator to
5353 5355 * run occasionally even when there is plenty of
5354 5356 * memory.
5355 5357 */
5356 5358 uint16_t debug_rand;
5357 5359
5358 5360 (void) random_get_bytes((uint8_t *)&debug_rand, 2);
5359 5361 if (!kmem_move_noreap &&
5360 5362 ((debug_rand % kmem_mtb_reap) == 0)) {
5361 5363 mutex_exit(&cp->cache_lock);
5362 5364 kmem_cache_reap(cp);
5363 5365 return;
5364 5366 } else if ((debug_rand % kmem_mtb_move) == 0) {
5365 5367 kmd->kmd_scans++;
5366 5368 (void) kmem_move_buffers(cp,
5367 5369 kmem_reclaim_scan_range, 1, KMM_DEBUG);
5368 5370 }
5369 5371 }
5370 5372 #endif /* DEBUG */
5371 5373 }
5372 5374
5373 5375 mutex_exit(&cp->cache_lock);
5374 5376
5375 5377 if (reap)
5376 5378 kmem_depot_ws_reap(cp);
5377 5379 }
|
↓ open down ↓ |
3935 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX