I’ve written most of the code for MemCheck. Enough to start testing and tweaking. I instrumented the __ld and __st functions to check that memory accesses are within allocated buffers. Initially I thought I would use the memory watchpoint code in QEMU to do the instrumentation, but this turned out fruitless as there is special handling/optimisation for the watchpoints, and to top it off, the helper functions use only physical addresses.
The problem I’ve encountered so far is the use of alloc_pages (__get_free_pages etc.) in the kernel. kmalloc and kmem_cache_alloc use alloc_pages internally. But these symbols are exported publicly and general code is free to use them also. Also, alloc_pages returns a struct page *, when I really want virtual addresses. At first I tried writing a macro for the page -> address translation, but it seems there is an actual function on my kernel build that does it. I then tried intercepting the first call to page_address (the translation code) after alloc_pages to get the virtual address. This almost worked.
I think the best solution I have is to hack on the kernel sources, so that there is strict separation between public and private interfaces.
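To make the alloc_pages problem concrete, here is an added user-space C model of the kind of check an instrumented __ld/__st performs; it is not MemCheck's code and not anything from the kernel or QEMU. It keeps a small registry of tracked ranges, models page_address() as a pfn-to-linear-map translation with an assumed base address and 4096-byte pages, and models kmalloc as one alloc_pages() call plus a sub-object. The names (registry_t, check_access, model_kmalloc, LINEAR_MAP_BASE) and all addresses are hypothetical. The point it demonstrates is the one the post arrives at: if the checker cannot tell whether alloc_pages was called by the allocator or by general code, it has to treat the whole page as accessible, and an overflow of a kmalloc object that stays inside the page is never caught; with the public/private separation, the page is allocator-owned and only the object is accessible.

```c
/* Added example, not MemCheck's code: a user-space model of a load/store
 * bounds check backed by a registry of tracked ranges. Page size and the
 * linear-map base are assumed constants, not taken from any real kernel. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define MAX_ALLOCS 64

/* A tracked range. "accessible" is false for pages an allocator took to
 * carve into objects: code must not touch them except through an object. */
typedef struct {
    uintptr_t start;
    size_t    len;
    bool      accessible;
    bool      live;
} range_t;

typedef struct {
    range_t r[MAX_ALLOCS];
    size_t  n;
} registry_t;

static void reg_init(registry_t *reg) { memset(reg, 0, sizeof *reg); }

static int reg_add(registry_t *reg, uintptr_t start, size_t len, bool accessible)
{
    if (reg->n >= MAX_ALLOCS || len == 0) return -1;
    reg->r[reg->n++] = (range_t){ start, len, accessible, true };
    return 0;
}

/* Mark a range dead; later accesses to it are use-after-free. */
static bool reg_free(registry_t *reg, uintptr_t start)
{
    for (size_t i = 0; i < reg->n; i++)
        if (reg->r[i].live && reg->r[i].start == start) {
            reg->r[i].live = false;
            return true;
        }
    return false;
}

/* The check an instrumented __ld/__st would make: the whole access
 * [addr, addr+size) must lie inside one live, accessible range.
 * Written to avoid overflow in addr + size. */
static bool check_access(const registry_t *reg, uintptr_t addr, size_t size)
{
    for (size_t i = 0; i < reg->n; i++) {
        const range_t *x = &reg->r[i];
        if (!x->live || !x->accessible) continue;
        if (addr >= x->start && size <= x->len && addr - x->start <= x->len - size)
            return true;
    }
    return false;
}

/* Stand-in for page_address(): page frame number -> linear-map virtual
 * address. The base is an assumed constant for the model. */
#define LINEAR_MAP_BASE 0xffff880000000000ull
static uintptr_t page_address(unsigned long pfn)
{
    return (uintptr_t)(LINEAR_MAP_BASE + (uint64_t)pfn * PAGE_SIZE);
}

/* Model of kmalloc backed by one alloc_pages() call. With separate
 * public/private interfaces the checker knows the page belongs to the
 * allocator and registers it as not directly accessible; without that
 * knowledge it must assume general code may use the whole page. */
static uintptr_t model_kmalloc(registry_t *reg, unsigned long pfn,
                               size_t obj_size, bool separate_interfaces)
{
    uintptr_t page = page_address(pfn);
    reg_add(reg, page, PAGE_SIZE, /*accessible=*/!separate_interfaces);
    reg_add(reg, page, obj_size, true);   /* the object handed to the caller */
    return page;
}

/* Scenario: 64-byte kmalloc object; probe one byte past its end and an
 * 8-byte access straddling the end. Returns true only if both overflows
 * are rejected while the in-bounds access is allowed. */
bool kmalloc_overflow_caught(bool separate_interfaces)
{
    registry_t reg;
    reg_init(&reg);
    uintptr_t obj = model_kmalloc(&reg, 5, 64, separate_interfaces);
    bool in_bounds  = check_access(&reg, obj + 63, 1);
    bool past_end   = check_access(&reg, obj + 64, 1);
    bool straddling = check_access(&reg, obj + 60, 8);
    return in_bounds && !past_end && !straddling;
}

/* Scenario: alloc_pages called directly by general kernel code, so the
 * whole page is legitimately addressable until it is freed. */
bool direct_page_access_ok(void)
{
    registry_t reg;
    reg_init(&reg);
    uintptr_t page = page_address(7);
    reg_add(&reg, page, PAGE_SIZE, true);
    bool last_byte = check_access(&reg, page + PAGE_SIZE - 1, 1);
    bool next_page = check_access(&reg, page + PAGE_SIZE, 1);
    reg_free(&reg, page);
    bool after_free = check_access(&reg, page, 1);
    return last_byte && !next_page && !after_free;
}
```

kmalloc_overflow_caught(true) returns true and kmalloc_overflow_caught(false) returns false: the only difference is whether the page-level range is marked accessible, which is exactly the information the checker lacks when alloc_pages is reachable through the same public symbol from both the allocator and ordinary code.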