1 .. SPDX-License-Identifier: GPL-2.0 1 .. SPDX-License-Identifier: GPL-2.0 2 .. Copyright (C) 2020, Google LLC. 2 .. Copyright (C) 2020, Google LLC. 3 3 4 Kernel Electric-Fence (KFENCE) 4 Kernel Electric-Fence (KFENCE) 5 ============================== 5 ============================== 6 6 7 Kernel Electric-Fence (KFENCE) is a low-overhe 7 Kernel Electric-Fence (KFENCE) is a low-overhead sampling-based memory safety 8 error detector. KFENCE detects heap out-of-bou 8 error detector. KFENCE detects heap out-of-bounds access, use-after-free, and 9 invalid-free errors. 9 invalid-free errors. 10 10 11 KFENCE is designed to be enabled in production 11 KFENCE is designed to be enabled in production kernels, and has near zero 12 performance overhead. Compared to KASAN, KFENC 12 performance overhead. Compared to KASAN, KFENCE trades performance for 13 precision. The main motivation behind KFENCE's 13 precision. The main motivation behind KFENCE's design, is that with enough 14 total uptime KFENCE will detect bugs in code p 14 total uptime KFENCE will detect bugs in code paths not typically exercised by 15 non-production test workloads. One way to quic 15 non-production test workloads. One way to quickly achieve a large enough total 16 uptime is when the tool is deployed across a l 16 uptime is when the tool is deployed across a large fleet of machines. 17 17 18 Usage 18 Usage 19 ----- 19 ----- 20 20 21 To enable KFENCE, configure the kernel with:: 21 To enable KFENCE, configure the kernel with:: 22 22 23 CONFIG_KFENCE=y 23 CONFIG_KFENCE=y 24 24 25 To build a kernel with KFENCE support, but dis 25 To build a kernel with KFENCE support, but disabled by default (to enable, set 26 ``kfence.sample_interval`` to non-zero value), 26 ``kfence.sample_interval`` to non-zero value), configure the kernel with:: 27 27 28 CONFIG_KFENCE=y 28 CONFIG_KFENCE=y 29 CONFIG_KFENCE_SAMPLE_INTERVAL=0 29 CONFIG_KFENCE_SAMPLE_INTERVAL=0 30 30 31 KFENCE provides several other configuration op 31 KFENCE provides several other configuration options to customize behaviour (see 32 the respective help text in ``lib/Kconfig.kfen 32 the respective help text in ``lib/Kconfig.kfence`` for more info). 33 33 34 Tuning performance 34 Tuning performance 35 ~~~~~~~~~~~~~~~~~~ 35 ~~~~~~~~~~~~~~~~~~ 36 36 37 The most important parameter is KFENCE's sampl 37 The most important parameter is KFENCE's sample interval, which can be set via 38 the kernel boot parameter ``kfence.sample_inte 38 the kernel boot parameter ``kfence.sample_interval`` in milliseconds. The 39 sample interval determines the frequency with 39 sample interval determines the frequency with which heap allocations will be 40 guarded by KFENCE. The default is configurable 40 guarded by KFENCE. The default is configurable via the Kconfig option 41 ``CONFIG_KFENCE_SAMPLE_INTERVAL``. Setting ``k 41 ``CONFIG_KFENCE_SAMPLE_INTERVAL``. Setting ``kfence.sample_interval=0`` 42 disables KFENCE. 42 disables KFENCE. 43 43 44 The sample interval controls a timer that sets << 45 default, to keep the real sample interval pred << 46 causes CPU wake-ups when the system is complet << 47 on power-constrained systems. The boot paramet << 48 instead switches to a "deferrable" timer which << 49 idle systems, at the risk of unpredictable sam << 50 configurable via the Kconfig option ``CONFIG_K << 51 << 52 .. warning:: << 53 The KUnit test suite is very likely to fail << 54 since it currently causes very unpredictabl << 55 << 56 By default KFENCE will only sample 1 heap allo << 57 interval. *Burst mode* allows to sample succes << 58 kernel boot parameter ``kfence.burst`` can be << 59 denotes the *additional* successive allocation << 60 setting ``kfence.burst=N`` means that ``1 + N` << 61 attempted through KFENCE for each sample inter << 62 << 63 The KFENCE memory pool is of fixed size, and i 44 The KFENCE memory pool is of fixed size, and if the pool is exhausted, no 64 further KFENCE allocations occur. With ``CONFI 45 further KFENCE allocations occur. With ``CONFIG_KFENCE_NUM_OBJECTS`` (default 65 255), the number of available guarded objects 46 255), the number of available guarded objects can be controlled. Each object 66 requires 2 pages, one for the object itself an 47 requires 2 pages, one for the object itself and the other one used as a guard 67 page; object pages are interleaved with guard 48 page; object pages are interleaved with guard pages, and every object page is 68 therefore surrounded by two guard pages. 49 therefore surrounded by two guard pages. 69 50 70 The total memory dedicated to the KFENCE memor 51 The total memory dedicated to the KFENCE memory pool can be computed as:: 71 52 72 ( #objects + 1 ) * 2 * PAGE_SIZE 53 ( #objects + 1 ) * 2 * PAGE_SIZE 73 54 74 Using the default config, and assuming a page 55 Using the default config, and assuming a page size of 4 KiB, results in 75 dedicating 2 MiB to the KFENCE memory pool. 56 dedicating 2 MiB to the KFENCE memory pool. 76 57 77 Note: On architectures that support huge pages 58 Note: On architectures that support huge pages, KFENCE will ensure that the 78 pool is using pages of size ``PAGE_SIZE``. Thi 59 pool is using pages of size ``PAGE_SIZE``. This will result in additional page 79 tables being allocated. 60 tables being allocated. 80 61 81 Error reports 62 Error reports 82 ~~~~~~~~~~~~~ 63 ~~~~~~~~~~~~~ 83 64 84 A typical out-of-bounds access looks like this 65 A typical out-of-bounds access looks like this:: 85 66 86 ========================================== 67 ================================================================== 87 BUG: KFENCE: out-of-bounds read in test_ou 68 BUG: KFENCE: out-of-bounds read in test_out_of_bounds_read+0xa6/0x234 88 69 89 Out-of-bounds read at 0xffff8c3f2e291fff ( 70 Out-of-bounds read at 0xffff8c3f2e291fff (1B left of kfence-#72): 90 test_out_of_bounds_read+0xa6/0x234 71 test_out_of_bounds_read+0xa6/0x234 91 kunit_try_run_case+0x61/0xa0 72 kunit_try_run_case+0x61/0xa0 92 kunit_generic_run_threadfn_adapter+0x16/0 73 kunit_generic_run_threadfn_adapter+0x16/0x30 93 kthread+0x176/0x1b0 74 kthread+0x176/0x1b0 94 ret_from_fork+0x22/0x30 75 ret_from_fork+0x22/0x30 95 76 96 kfence-#72: 0xffff8c3f2e292000-0xffff8c3f2 77 kfence-#72: 0xffff8c3f2e292000-0xffff8c3f2e29201f, size=32, cache=kmalloc-32 97 78 98 allocated by task 484 on cpu 0 at 32.91933 79 allocated by task 484 on cpu 0 at 32.919330s: 99 test_alloc+0xfe/0x738 80 test_alloc+0xfe/0x738 100 test_out_of_bounds_read+0x9b/0x234 81 test_out_of_bounds_read+0x9b/0x234 101 kunit_try_run_case+0x61/0xa0 82 kunit_try_run_case+0x61/0xa0 102 kunit_generic_run_threadfn_adapter+0x16/0 83 kunit_generic_run_threadfn_adapter+0x16/0x30 103 kthread+0x176/0x1b0 84 kthread+0x176/0x1b0 104 ret_from_fork+0x22/0x30 85 ret_from_fork+0x22/0x30 105 86 106 CPU: 0 PID: 484 Comm: kunit_try_catch Not 87 CPU: 0 PID: 484 Comm: kunit_try_catch Not tainted 5.13.0-rc3+ #7 107 Hardware name: QEMU Standard PC (i440FX + 88 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 108 ========================================== 89 ================================================================== 109 90 110 The header of the report provides a short summ 91 The header of the report provides a short summary of the function involved in 111 the access. It is followed by more detailed in 92 the access. It is followed by more detailed information about the access and 112 its origin. Note that, real kernel addresses a 93 its origin. Note that, real kernel addresses are only shown when using the 113 kernel command line option ``no_hash_pointers` 94 kernel command line option ``no_hash_pointers``. 114 95 115 Use-after-free accesses are reported as:: 96 Use-after-free accesses are reported as:: 116 97 117 ========================================== 98 ================================================================== 118 BUG: KFENCE: use-after-free read in test_u 99 BUG: KFENCE: use-after-free read in test_use_after_free_read+0xb3/0x143 119 100 120 Use-after-free read at 0xffff8c3f2e2a0000 101 Use-after-free read at 0xffff8c3f2e2a0000 (in kfence-#79): 121 test_use_after_free_read+0xb3/0x143 102 test_use_after_free_read+0xb3/0x143 122 kunit_try_run_case+0x61/0xa0 103 kunit_try_run_case+0x61/0xa0 123 kunit_generic_run_threadfn_adapter+0x16/0 104 kunit_generic_run_threadfn_adapter+0x16/0x30 124 kthread+0x176/0x1b0 105 kthread+0x176/0x1b0 125 ret_from_fork+0x22/0x30 106 ret_from_fork+0x22/0x30 126 107 127 kfence-#79: 0xffff8c3f2e2a0000-0xffff8c3f2 108 kfence-#79: 0xffff8c3f2e2a0000-0xffff8c3f2e2a001f, size=32, cache=kmalloc-32 128 109 129 allocated by task 488 on cpu 2 at 33.87132 110 allocated by task 488 on cpu 2 at 33.871326s: 130 test_alloc+0xfe/0x738 111 test_alloc+0xfe/0x738 131 test_use_after_free_read+0x76/0x143 112 test_use_after_free_read+0x76/0x143 132 kunit_try_run_case+0x61/0xa0 113 kunit_try_run_case+0x61/0xa0 133 kunit_generic_run_threadfn_adapter+0x16/0 114 kunit_generic_run_threadfn_adapter+0x16/0x30 134 kthread+0x176/0x1b0 115 kthread+0x176/0x1b0 135 ret_from_fork+0x22/0x30 116 ret_from_fork+0x22/0x30 136 117 137 freed by task 488 on cpu 2 at 33.871358s: 118 freed by task 488 on cpu 2 at 33.871358s: 138 test_use_after_free_read+0xa8/0x143 119 test_use_after_free_read+0xa8/0x143 139 kunit_try_run_case+0x61/0xa0 120 kunit_try_run_case+0x61/0xa0 140 kunit_generic_run_threadfn_adapter+0x16/0 121 kunit_generic_run_threadfn_adapter+0x16/0x30 141 kthread+0x176/0x1b0 122 kthread+0x176/0x1b0 142 ret_from_fork+0x22/0x30 123 ret_from_fork+0x22/0x30 143 124 144 CPU: 2 PID: 488 Comm: kunit_try_catch Tain 125 CPU: 2 PID: 488 Comm: kunit_try_catch Tainted: G B 5.13.0-rc3+ #7 145 Hardware name: QEMU Standard PC (i440FX + 126 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 146 ========================================== 127 ================================================================== 147 128 148 KFENCE also reports on invalid frees, such as 129 KFENCE also reports on invalid frees, such as double-frees:: 149 130 150 ========================================== 131 ================================================================== 151 BUG: KFENCE: invalid free in test_double_f 132 BUG: KFENCE: invalid free in test_double_free+0xdc/0x171 152 133 153 Invalid free of 0xffff8c3f2e2a4000 (in kfe 134 Invalid free of 0xffff8c3f2e2a4000 (in kfence-#81): 154 test_double_free+0xdc/0x171 135 test_double_free+0xdc/0x171 155 kunit_try_run_case+0x61/0xa0 136 kunit_try_run_case+0x61/0xa0 156 kunit_generic_run_threadfn_adapter+0x16/0 137 kunit_generic_run_threadfn_adapter+0x16/0x30 157 kthread+0x176/0x1b0 138 kthread+0x176/0x1b0 158 ret_from_fork+0x22/0x30 139 ret_from_fork+0x22/0x30 159 140 160 kfence-#81: 0xffff8c3f2e2a4000-0xffff8c3f2 141 kfence-#81: 0xffff8c3f2e2a4000-0xffff8c3f2e2a401f, size=32, cache=kmalloc-32 161 142 162 allocated by task 490 on cpu 1 at 34.17532 143 allocated by task 490 on cpu 1 at 34.175321s: 163 test_alloc+0xfe/0x738 144 test_alloc+0xfe/0x738 164 test_double_free+0x76/0x171 145 test_double_free+0x76/0x171 165 kunit_try_run_case+0x61/0xa0 146 kunit_try_run_case+0x61/0xa0 166 kunit_generic_run_threadfn_adapter+0x16/0 147 kunit_generic_run_threadfn_adapter+0x16/0x30 167 kthread+0x176/0x1b0 148 kthread+0x176/0x1b0 168 ret_from_fork+0x22/0x30 149 ret_from_fork+0x22/0x30 169 150 170 freed by task 490 on cpu 1 at 34.175348s: 151 freed by task 490 on cpu 1 at 34.175348s: 171 test_double_free+0xa8/0x171 152 test_double_free+0xa8/0x171 172 kunit_try_run_case+0x61/0xa0 153 kunit_try_run_case+0x61/0xa0 173 kunit_generic_run_threadfn_adapter+0x16/0 154 kunit_generic_run_threadfn_adapter+0x16/0x30 174 kthread+0x176/0x1b0 155 kthread+0x176/0x1b0 175 ret_from_fork+0x22/0x30 156 ret_from_fork+0x22/0x30 176 157 177 CPU: 1 PID: 490 Comm: kunit_try_catch Tain 158 CPU: 1 PID: 490 Comm: kunit_try_catch Tainted: G B 5.13.0-rc3+ #7 178 Hardware name: QEMU Standard PC (i440FX + 159 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 179 ========================================== 160 ================================================================== 180 161 181 KFENCE also uses pattern-based redzones on the 162 KFENCE also uses pattern-based redzones on the other side of an object's guard 182 page, to detect out-of-bounds writes on the un 163 page, to detect out-of-bounds writes on the unprotected side of the object. 183 These are reported on frees:: 164 These are reported on frees:: 184 165 185 ========================================== 166 ================================================================== 186 BUG: KFENCE: memory corruption in test_kma 167 BUG: KFENCE: memory corruption in test_kmalloc_aligned_oob_write+0xef/0x184 187 168 188 Corrupted memory at 0xffff8c3f2e33aff9 [ 0 169 Corrupted memory at 0xffff8c3f2e33aff9 [ 0xac . . . . . . ] (in kfence-#156): 189 test_kmalloc_aligned_oob_write+0xef/0x184 170 test_kmalloc_aligned_oob_write+0xef/0x184 190 kunit_try_run_case+0x61/0xa0 171 kunit_try_run_case+0x61/0xa0 191 kunit_generic_run_threadfn_adapter+0x16/0 172 kunit_generic_run_threadfn_adapter+0x16/0x30 192 kthread+0x176/0x1b0 173 kthread+0x176/0x1b0 193 ret_from_fork+0x22/0x30 174 ret_from_fork+0x22/0x30 194 175 195 kfence-#156: 0xffff8c3f2e33afb0-0xffff8c3f 176 kfence-#156: 0xffff8c3f2e33afb0-0xffff8c3f2e33aff8, size=73, cache=kmalloc-96 196 177 197 allocated by task 502 on cpu 7 at 42.15930 178 allocated by task 502 on cpu 7 at 42.159302s: 198 test_alloc+0xfe/0x738 179 test_alloc+0xfe/0x738 199 test_kmalloc_aligned_oob_write+0x57/0x184 180 test_kmalloc_aligned_oob_write+0x57/0x184 200 kunit_try_run_case+0x61/0xa0 181 kunit_try_run_case+0x61/0xa0 201 kunit_generic_run_threadfn_adapter+0x16/0 182 kunit_generic_run_threadfn_adapter+0x16/0x30 202 kthread+0x176/0x1b0 183 kthread+0x176/0x1b0 203 ret_from_fork+0x22/0x30 184 ret_from_fork+0x22/0x30 204 185 205 CPU: 7 PID: 502 Comm: kunit_try_catch Tain 186 CPU: 7 PID: 502 Comm: kunit_try_catch Tainted: G B 5.13.0-rc3+ #7 206 Hardware name: QEMU Standard PC (i440FX + 187 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 207 ========================================== 188 ================================================================== 208 189 209 For such errors, the address where the corrupt 190 For such errors, the address where the corruption occurred as well as the 210 invalidly written bytes (offset from the addre 191 invalidly written bytes (offset from the address) are shown; in this 211 representation, '.' denote untouched bytes. In 192 representation, '.' denote untouched bytes. In the example above ``0xac`` is 212 the value written to the invalid address at of 193 the value written to the invalid address at offset 0, and the remaining '.' 213 denote that no following bytes have been touch 194 denote that no following bytes have been touched. Note that, real values are 214 only shown if the kernel was booted with ``no_ 195 only shown if the kernel was booted with ``no_hash_pointers``; to avoid 215 information disclosure otherwise, '!' is used 196 information disclosure otherwise, '!' is used instead to denote invalidly 216 written bytes. 197 written bytes. 217 198 218 And finally, KFENCE may also report on invalid 199 And finally, KFENCE may also report on invalid accesses to any protected page 219 where it was not possible to determine an asso 200 where it was not possible to determine an associated object, e.g. if adjacent 220 object pages had not yet been allocated:: 201 object pages had not yet been allocated:: 221 202 222 ========================================== 203 ================================================================== 223 BUG: KFENCE: invalid read in test_invalid_ 204 BUG: KFENCE: invalid read in test_invalid_access+0x26/0xe0 224 205 225 Invalid read at 0xffffffffb670b00a: 206 Invalid read at 0xffffffffb670b00a: 226 test_invalid_access+0x26/0xe0 207 test_invalid_access+0x26/0xe0 227 kunit_try_run_case+0x51/0x85 208 kunit_try_run_case+0x51/0x85 228 kunit_generic_run_threadfn_adapter+0x16/0 209 kunit_generic_run_threadfn_adapter+0x16/0x30 229 kthread+0x137/0x160 210 kthread+0x137/0x160 230 ret_from_fork+0x22/0x30 211 ret_from_fork+0x22/0x30 231 212 232 CPU: 4 PID: 124 Comm: kunit_try_catch Tain 213 CPU: 4 PID: 124 Comm: kunit_try_catch Tainted: G W 5.8.0-rc6+ #7 233 Hardware name: QEMU Standard PC (i440FX + 214 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014 234 ========================================== 215 ================================================================== 235 216 236 DebugFS interface 217 DebugFS interface 237 ~~~~~~~~~~~~~~~~~ 218 ~~~~~~~~~~~~~~~~~ 238 219 239 Some debugging information is exposed via debu 220 Some debugging information is exposed via debugfs: 240 221 241 * The file ``/sys/kernel/debug/kfence/stats`` 222 * The file ``/sys/kernel/debug/kfence/stats`` provides runtime statistics. 242 223 243 * The file ``/sys/kernel/debug/kfence/objects` 224 * The file ``/sys/kernel/debug/kfence/objects`` provides a list of objects 244 allocated via KFENCE, including those alread 225 allocated via KFENCE, including those already freed but protected. 245 226 246 Implementation Details 227 Implementation Details 247 ---------------------- 228 ---------------------- 248 229 249 Guarded allocations are set up based on the sa 230 Guarded allocations are set up based on the sample interval. After expiration 250 of the sample interval, the next allocation th 231 of the sample interval, the next allocation through the main allocator (SLAB or 251 SLUB) returns a guarded allocation from the KF 232 SLUB) returns a guarded allocation from the KFENCE object pool (allocation 252 sizes up to PAGE_SIZE are supported). At this 233 sizes up to PAGE_SIZE are supported). At this point, the timer is reset, and 253 the next allocation is set up after the expira 234 the next allocation is set up after the expiration of the interval. 254 235 255 When using ``CONFIG_KFENCE_STATIC_KEYS=y``, KF 236 When using ``CONFIG_KFENCE_STATIC_KEYS=y``, KFENCE allocations are "gated" 256 through the main allocator's fast-path by rely 237 through the main allocator's fast-path by relying on static branches via the 257 static keys infrastructure. The static branch 238 static keys infrastructure. The static branch is toggled to redirect the 258 allocation to KFENCE. Depending on sample inte 239 allocation to KFENCE. Depending on sample interval, target workloads, and 259 system architecture, this may perform better t 240 system architecture, this may perform better than the simple dynamic branch. 260 Careful benchmarking is recommended. 241 Careful benchmarking is recommended. 261 242 262 KFENCE objects each reside on a dedicated page 243 KFENCE objects each reside on a dedicated page, at either the left or right 263 page boundaries selected at random. The pages 244 page boundaries selected at random. The pages to the left and right of the 264 object page are "guard pages", whose attribute 245 object page are "guard pages", whose attributes are changed to a protected 265 state, and cause page faults on any attempted 246 state, and cause page faults on any attempted access. Such page faults are then 266 intercepted by KFENCE, which handles the fault 247 intercepted by KFENCE, which handles the fault gracefully by reporting an 267 out-of-bounds access, and marking the page as 248 out-of-bounds access, and marking the page as accessible so that the faulting 268 code can (wrongly) continue executing (set ``p 249 code can (wrongly) continue executing (set ``panic_on_warn`` to panic instead). 269 250 270 To detect out-of-bounds writes to memory withi 251 To detect out-of-bounds writes to memory within the object's page itself, 271 KFENCE also uses pattern-based redzones. For e 252 KFENCE also uses pattern-based redzones. For each object page, a redzone is set 272 up for all non-object memory. For typical alig 253 up for all non-object memory. For typical alignments, the redzone is only 273 required on the unguarded side of an object. B 254 required on the unguarded side of an object. Because KFENCE must honor the 274 cache's requested alignment, special alignment 255 cache's requested alignment, special alignments may result in unprotected gaps 275 on either side of an object, all of which are 256 on either side of an object, all of which are redzoned. 276 257 277 The following figure illustrates the page layo 258 The following figure illustrates the page layout:: 278 259 279 ---+-----------+-----------+-----------+-- 260 ---+-----------+-----------+-----------+-----------+-----------+--- 280 | xxxxxxxxx | O : | xxxxxxxxx | 261 | xxxxxxxxx | O : | xxxxxxxxx | : O | xxxxxxxxx | 281 | xxxxxxxxx | B : | xxxxxxxxx | 262 | xxxxxxxxx | B : | xxxxxxxxx | : B | xxxxxxxxx | 282 | x GUARD x | J : RED- | x GUARD x | R 263 | x GUARD x | J : RED- | x GUARD x | RED- : J | x GUARD x | 283 | xxxxxxxxx | E : ZONE | xxxxxxxxx | 264 | xxxxxxxxx | E : ZONE | xxxxxxxxx | ZONE : E | xxxxxxxxx | 284 | xxxxxxxxx | C : | xxxxxxxxx | 265 | xxxxxxxxx | C : | xxxxxxxxx | : C | xxxxxxxxx | 285 | xxxxxxxxx | T : | xxxxxxxxx | 266 | xxxxxxxxx | T : | xxxxxxxxx | : T | xxxxxxxxx | 286 ---+-----------+-----------+-----------+-- 267 ---+-----------+-----------+-----------+-----------+-----------+--- 287 268 288 Upon deallocation of a KFENCE object, the obje 269 Upon deallocation of a KFENCE object, the object's page is again protected and 289 the object is marked as freed. Any further acc 270 the object is marked as freed. Any further access to the object causes a fault 290 and KFENCE reports a use-after-free access. Fr 271 and KFENCE reports a use-after-free access. Freed objects are inserted at the 291 tail of KFENCE's freelist, so that the least r 272 tail of KFENCE's freelist, so that the least recently freed objects are reused 292 first, and the chances of detecting use-after- 273 first, and the chances of detecting use-after-frees of recently freed objects 293 is increased. 274 is increased. 294 275 295 If pool utilization reaches 75% (default) or a 276 If pool utilization reaches 75% (default) or above, to reduce the risk of the 296 pool eventually being fully occupied by alloca 277 pool eventually being fully occupied by allocated objects yet ensure diverse 297 coverage of allocations, KFENCE limits current 278 coverage of allocations, KFENCE limits currently covered allocations of the 298 same source from further filling up the pool. 279 same source from further filling up the pool. The "source" of an allocation is 299 based on its partial allocation stack trace. A 280 based on its partial allocation stack trace. A side-effect is that this also 300 limits frequent long-lived allocations (e.g. p 281 limits frequent long-lived allocations (e.g. pagecache) of the same source 301 filling up the pool permanently, which is the 282 filling up the pool permanently, which is the most common risk for the pool 302 becoming full and the sampled allocation rate 283 becoming full and the sampled allocation rate dropping to zero. The threshold 303 at which to start limiting currently covered a 284 at which to start limiting currently covered allocations can be configured via 304 the boot parameter ``kfence.skip_covered_thres 285 the boot parameter ``kfence.skip_covered_thresh`` (pool usage%). 305 286 306 Interface 287 Interface 307 --------- 288 --------- 308 289 309 The following describes the functions which ar 290 The following describes the functions which are used by allocators as well as 310 page handling code to set up and deal with KFE 291 page handling code to set up and deal with KFENCE allocations. 311 292 312 .. kernel-doc:: include/linux/kfence.h 293 .. kernel-doc:: include/linux/kfence.h 313 :functions: is_kfence_address 294 :functions: is_kfence_address 314 kfence_shutdown_cache 295 kfence_shutdown_cache 315 kfence_alloc kfence_free __kfen 296 kfence_alloc kfence_free __kfence_free 316 kfence_ksize kfence_object_star 297 kfence_ksize kfence_object_start 317 kfence_handle_page_fault 298 kfence_handle_page_fault 318 299 319 Related Tools 300 Related Tools 320 ------------- 301 ------------- 321 302 322 In userspace, a similar approach is taken by ` 303 In userspace, a similar approach is taken by `GWP-ASan 323 <http://llvm.org/docs/GwpAsan.html>`_. GWP-ASa 304 <http://llvm.org/docs/GwpAsan.html>`_. GWP-ASan also relies on guard pages and 324 a sampling strategy to detect memory unsafety 305 a sampling strategy to detect memory unsafety bugs at scale. KFENCE's design is 325 directly influenced by GWP-ASan, and can be se 306 directly influenced by GWP-ASan, and can be seen as its kernel sibling. Another 326 similar but non-sampling approach, that also i 307 similar but non-sampling approach, that also inspired the name "KFENCE", can be 327 found in the userspace `Electric Fence Malloc 308 found in the userspace `Electric Fence Malloc Debugger 328 <https://linux.die.net/man/3/efence>`_. 309 <https://linux.die.net/man/3/efence>`_. 329 310 330 In the kernel, several tools exist to debug me 311 In the kernel, several tools exist to debug memory access errors, and in 331 particular KASAN can detect all bug classes th 312 particular KASAN can detect all bug classes that KFENCE can detect. While KASAN 332 is more precise, relying on compiler instrumen 313 is more precise, relying on compiler instrumentation, this comes at a 333 performance cost. 314 performance cost. 334 315 335 It is worth highlighting that KASAN and KFENCE 316 It is worth highlighting that KASAN and KFENCE are complementary, with 336 different target environments. For instance, K 317 different target environments. For instance, KASAN is the better debugging-aid, 337 where test cases or reproducers exists: due to 318 where test cases or reproducers exists: due to the lower chance to detect the 338 error, it would require more effort using KFEN 319 error, it would require more effort using KFENCE to debug. Deployments at scale 339 that cannot afford to enable KASAN, however, w 320 that cannot afford to enable KASAN, however, would benefit from using KFENCE to 340 discover bugs due to code paths not exercised 321 discover bugs due to code paths not exercised by test cases or fuzzers.
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.