Index: subr_poison.c
===================================================================
RCS file: /cvs/src/sys/kern/subr_poison.c,v
retrieving revision 1.13
diff -u -p -r1.13 subr_poison.c
--- subr_poison.c	14 Mar 2015 03:38:50 -0000	1.13
+++ subr_poison.c	19 Apr 2015 01:29:17 -0000
@@ -20,6 +20,8 @@
 
 #include <uvm/uvm_extern.h>
 
+#include <crypto/chacha_private.h>
+
 /*
  * The POISON is used as known text to copy into free objects so
  * that modifications after frees can be detected.
@@ -34,7 +36,6 @@
 #else
 #define POISON1	((unsigned) 0xdeafbead)
 #endif
-#define POISON_SIZE	64
 
 uint32_t
 poison_value(void *v)
@@ -56,41 +57,41 @@ poison_value(void *v)
 	return 0;
 }
 
+u_int8_t	poison_key[32] __attribute__((section(".openbsd.randomdata")));
+
 void
 poison_mem(void *v, size_t len)
 {
-	uint32_t *ip = v;
-	size_t i;
-	uint32_t poison;
+	chacha_ctx stream;
+	u_int64_t iv = (vaddr_t)v;
 
-	poison = poison_value(v);
-
-	if (len > POISON_SIZE)
-		len = POISON_SIZE;
-	len = len / sizeof(*ip);
-	for (i = 0; i < len; i++)
-		ip[i] = poison;
+	chacha_keysetup(&stream, poison_key, sizeof(poison_key) * 8, 0);
+	chacha_ivsetup(&stream, (u_int8_t *)&iv);
+	memset(v, 0, len);
+	chacha_encrypt_bytes(&stream, v, v, len);
 }
 
 int
 poison_check(void *v, size_t len, size_t *pidx, uint32_t *pval)
 {
+	chacha_ctx stream;
+	u_int64_t iv = (vaddr_t)v;
 	uint32_t *ip = v;
 	size_t i;
-	uint32_t poison;
 
-	poison = poison_value(v);
+	chacha_keysetup(&stream, poison_key, sizeof(poison_key) * 8, 0);
+	chacha_ivsetup(&stream, (u_int8_t *)&iv);
+	chacha_encrypt_bytes(&stream, v, v, len);
 
-	if (len > POISON_SIZE)
-		len = POISON_SIZE;
 	len = len / sizeof(*ip);
 	for (i = 0; i < len; i++) {
-		if (ip[i] != poison) {
+		if (ip[i] != 0) {
 			*pidx = i;
-			*pval = poison;
+			*pval = ip[i];
 			return 1;
 		}
 	}
+
 	return 0;
 }