Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

.. SPDX-License-Identifier: GPL-2.0
.. Copyright (C) 2020, Google LLC.

Kernel Electric-Fence (KFENCE)
==============================

Kernel Electric-Fence (KFENCE) is a low-overhead sampling-based memory safety
error detector. KFENCE detects heap out-of-bounds access, use-after-free, and
invalid-free errors.

KFENCE is designed to be enabled in production kernels, and has near zero
performance overhead. Compared to KASAN, KFENCE trades precision for
performance: it guards only a sampled fraction of heap allocations instead of
instrumenting every memory access. The main motivation behind KFENCE's design
is that with enough total uptime KFENCE will detect bugs in code paths not
typically exercised by non-production test workloads. One way to quickly
achieve a large enough total uptime is when the tool is deployed across a
large fleet of machines.

Usage
-----

To enable KFENCE, configure the kernel with::

    CONFIG_KFENCE=y

To build a kernel with KFENCE support, but disabled by default (to enable, set
the ``kfence.sample_interval`` boot parameter to a non-zero value), configure
the kernel with::

    CONFIG_KFENCE=y
    CONFIG_KFENCE_SAMPLE_INTERVAL=0

KFENCE provides several other configuration options to customize behaviour (see
the respective help text in ``lib/Kconfig.kfence`` for more info).

Tuning performance
~~~~~~~~~~~~~~~~~~

The most important parameter is KFENCE's sample interval, which can be set via
the kernel boot parameter ``kfence.sample_interval`` in milliseconds. The
sample interval determines the frequency with which heap allocations will be
guarded by KFENCE: a shorter interval guards more allocations and raises the
chance of catching a bug, at the cost of more frequent page-protection changes.
The default is configurable via the Kconfig option
``CONFIG_KFENCE_SAMPLE_INTERVAL``. Setting ``kfence.sample_interval=0``
disables KFENCE.

The KFENCE memory pool is of fixed size, and if the pool is exhausted, no
further KFENCE allocations occur until a guarded object is freed again. With
``CONFIG_KFENCE_NUM_OBJECTS`` (default 255), the number of available guarded
objects can be controlled. Each object requires 2 pages, one for the object
itself and the other one used as a guard page; object pages are interleaved
with guard pages, and every object page is therefore surrounded by two guard
pages.

The total memory dedicated to the KFENCE memory pool can be computed as::

    ( #objects + 1 ) * 2 * PAGE_SIZE

Using the default config, and assuming a page size of 4 KiB, results in
dedicating 2 MiB to the KFENCE memory pool.

Note: On architectures that support huge pages, KFENCE will ensure that the
pool is using pages of size ``PAGE_SIZE``. This will result in additional page
tables being allocated.

Error reports
~~~~~~~~~~~~~

A typical out-of-bounds access looks like this::

    ==================================================================
    BUG: KFENCE: out-of-bounds read in test_out_of_bounds_read+0xa3/0x22b

    Out-of-bounds read at 0xffffffffb672efff (1B left of kfence-#17):
     test_out_of_bounds_read+0xa3/0x22b
     kunit_try_run_case+0x51/0x85
     kunit_generic_run_threadfn_adapter+0x16/0x30
     kthread+0x137/0x160
     ret_from_fork+0x22/0x30

    kfence-#17 [0xffffffffb672f000-0xffffffffb672f01f, size=32, cache=kmalloc-32] allocated by task 507:
     test_alloc+0xf3/0x25b
     test_out_of_bounds_read+0x98/0x22b
     kunit_try_run_case+0x51/0x85
     kunit_generic_run_threadfn_adapter+0x16/0x30
     kthread+0x137/0x160
     ret_from_fork+0x22/0x30

    CPU: 4 PID: 107 Comm: kunit_try_catch Not tainted 5.8.0-rc6+ #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
    ==================================================================

The header of the report provides a short summary of the function involved in
the access. It is followed by more detailed information about the access and
its origin: the faulting address and its position relative to the guarded
object, the object's bounds, size and slab cache, and the allocation (and,
where applicable, free) stack traces. Note that real kernel addresses are only
shown when the kernel is booted with the command line option
``no_hash_pointers``; otherwise the printed pointers are hashed. Since
``no_hash_pointers`` exposes kernel addresses in logs, use it on debugging
systems only.

Use-after-free accesses are reported as::

    ==================================================================
    BUG: KFENCE: use-after-free read in test_use_after_free_read+0xb3/0x143

    Use-after-free read at 0xffffffffb673dfe0 (in kfence-#24):
     test_use_after_free_read+0xb3/0x143
     kunit_try_run_case+0x51/0x85
     kunit_generic_run_threadfn_adapter+0x16/0x30
     kthread+0x137/0x160
     ret_from_fork+0x22/0x30

    kfence-#24 [0xffffffffb673dfe0-0xffffffffb673dfff, size=32, cache=kmalloc-32] allocated by task 507:
     test_alloc+0xf3/0x25b
     test_use_after_free_read+0x76/0x143
     kunit_try_run_case+0x51/0x85
     kunit_generic_run_threadfn_adapter+0x16/0x30
     kthread+0x137/0x160
     ret_from_fork+0x22/0x30

    freed by task 507:
     test_use_after_free_read+0xa8/0x143
     kunit_try_run_case+0x51/0x85
     kunit_generic_run_threadfn_adapter+0x16/0x30
     kthread+0x137/0x160
     ret_from_fork+0x22/0x30

    CPU: 4 PID: 109 Comm: kunit_try_catch Tainted: G        W         5.8.0-rc6+ #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
    ==================================================================

KFENCE also reports on invalid frees, such as double-frees::

    ==================================================================
    BUG: KFENCE: invalid free in test_double_free+0xdc/0x171

    Invalid free of 0xffffffffb6741000:
     test_double_free+0xdc/0x171
     kunit_try_run_case+0x51/0x85
     kunit_generic_run_threadfn_adapter+0x16/0x30
     kthread+0x137/0x160
     ret_from_fork+0x22/0x30

    kfence-#26 [0xffffffffb6741000-0xffffffffb674101f, size=32, cache=kmalloc-32] allocated by task 507:
     test_alloc+0xf3/0x25b
     test_double_free+0x76/0x171
     kunit_try_run_case+0x51/0x85
     kunit_generic_run_threadfn_adapter+0x16/0x30
     kthread+0x137/0x160
     ret_from_fork+0x22/0x30

    freed by task 507:
     test_double_free+0xa8/0x171
     kunit_try_run_case+0x51/0x85
     kunit_generic_run_threadfn_adapter+0x16/0x30
     kthread+0x137/0x160
     ret_from_fork+0x22/0x30

    CPU: 4 PID: 111 Comm: kunit_try_catch Tainted: G        W         5.8.0-rc6+ #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
    ==================================================================

KFENCE also uses pattern-based redzones on the other side of an object's guard
page, to detect out-of-bounds writes on the unprotected side of the object.
Because the redzone is ordinary, accessible memory, such writes do not fault;
they are detected when the object is freed and the pattern is checked::

    ==================================================================
    BUG: KFENCE: memory corruption in test_kmalloc_aligned_oob_write+0xef/0x184

    Corrupted memory at 0xffffffffb6797ff9 [ 0xac . . . . . . ] (in kfence-#69):
     test_kmalloc_aligned_oob_write+0xef/0x184
     kunit_try_run_case+0x51/0x85
     kunit_generic_run_threadfn_adapter+0x16/0x30
     kthread+0x137/0x160
     ret_from_fork+0x22/0x30

    kfence-#69 [0xffffffffb6797fb0-0xffffffffb6797ff8, size=73, cache=kmalloc-96] allocated by task 507:
     test_alloc+0xf3/0x25b
     test_kmalloc_aligned_oob_write+0x57/0x184
     kunit_try_run_case+0x51/0x85
     kunit_generic_run_threadfn_adapter+0x16/0x30
     kthread+0x137/0x160
     ret_from_fork+0x22/0x30

    CPU: 4 PID: 120 Comm: kunit_try_catch Tainted: G        W         5.8.0-rc6+ #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
    ==================================================================

For such errors, the address where the corruption occurred as well as the
invalidly written bytes (offset from the address) are shown; in this
representation, '.' denotes an untouched byte. In the example above ``0xac`` is
the value written to the invalid address at offset 0, and the remaining '.'
denote that no following bytes have been touched. Note that real values are
only shown if the kernel was booted with ``no_hash_pointers``; to avoid
information disclosure otherwise, '!' is used instead to denote invalidly
written bytes.

And finally, KFENCE may also report on invalid accesses to any protected page
where it was not possible to determine an associated object, e.g. if adjacent
object pages had not yet been allocated::

    ==================================================================
    BUG: KFENCE: invalid read in test_invalid_access+0x26/0xe0

    Invalid read at 0xffffffffb670b00a:
     test_invalid_access+0x26/0xe0
     kunit_try_run_case+0x51/0x85
     kunit_generic_run_threadfn_adapter+0x16/0x30
     kthread+0x137/0x160
     ret_from_fork+0x22/0x30

    CPU: 4 PID: 124 Comm: kunit_try_catch Tainted: G        W         5.8.0-rc6+ #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
    ==================================================================

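How a faulting address is attributed in these headers follows from the pool
layout described under Implementation Details and from the pool-size formula in
the tuning section. The following C model is an added example, not code from
this page or from the kernel's ``mm/kfence``: it lays the pool out as a leading
pair of guard pages followed by one object page and one guard page per object,
and classifies an address as out-of-bounds (on a guard page, attributed to the
nearest allocated neighbour), use-after-free (on the page of a freed object) or
invalid (no attributable object, as in the last report above). The pool base,
page size, object table and the sign convention used for the distance on the
right-hand side of an object are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Documented pool layout: pages 0 and 1 are guards, object i lives on page 2*i+2 and page
 * 2*i+3 is the guard to its right. Pool base, page size and the object table are constructed. */
#define NUM_OBJECTS 4
#define PAGE_SIZE 4096ULL
#define POOL_BASE 0xffffffffb6700000ULL
#define OBJ_PAGE(i) (POOL_BASE + (2ULL * (i) + 2) * PAGE_SIZE)

enum kf_state { KF_UNUSED, KF_ALLOCATED, KF_FREED };
enum kf_error { KF_OOB, KF_UAF, KF_INVALID };
struct kf_meta { uint64_t addr; uint64_t size; enum kf_state state; };

/* Pool size from the tuning section: (#objects + 1) * 2 * PAGE_SIZE. */
uint64_t kf_pool_size(uint64_t nobjs, uint64_t pgsz) { return (nobjs + 1) * 2 * pgsz; }

static int in_pool(uint64_t a) {
    return a >= POOL_BASE && a < POOL_BASE + kf_pool_size(NUM_OBJECTS, PAGE_SIZE);
}

/* Address -> object index; an object page and the guard to its right map to the same index. */
static int kf_index(uint64_t a) {
    long idx = in_pool(a) ? (long)((a - POOL_BASE) / (2 * PAGE_SIZE)) - 1 : -1;
    return (idx < 0 || idx >= NUM_OBJECTS) ? -1 : (int)idx;
}

/* Guard page (odd page index) -> out-of-bounds, attributed to the nearest allocated neighbour;
 * object page -> use-after-free if that object is freed; anything else -> invalid access.
 * *dist < 0 means |dist| bytes left of the object's start, > 0 bytes past its end (example convention). */
enum kf_error kf_classify(const struct kf_meta *meta, uint64_t a, int *obj, long *dist) {
    *obj = -1; *dist = 0;
    if (!in_pool(a)) return KF_INVALID;
    if (((a - POOL_BASE) / PAGE_SIZE) % 2 == 0) {
        int i = kf_index(a);
        if (i < 0 || meta[i].state != KF_FREED) return KF_INVALID;
        *obj = i;
        return KF_UAF;
    }
    int l = kf_index(a - PAGE_SIZE), r = kf_index(a + PAGE_SIZE);
    long dl = (l >= 0 && meta[l].state == KF_ALLOCATED) ? (long)(a - meta[l].addr - meta[l].size) : -1;
    long dr = (r >= 0 && meta[r].state == KF_ALLOCATED) ? (long)(meta[r].addr - a) : -1;
    if (dl < 0 && dr < 0) return KF_INVALID;        /* neighbouring object pages never allocated */
    if (dr < 0 || (dl >= 0 && dl <= dr)) { *obj = l; *dist = dl; } else { *obj = r; *dist = -dr; }
    return KF_OOB;
}

/* Body line of the report for an access at address a. */
const char *kf_describe(const struct kf_meta *meta, uint64_t a, int is_write) {
    static char buf[96];
    const char *acc = is_write ? "write" : "read";
    int obj; long dist;
    switch (kf_classify(meta, a, &obj, &dist)) {
    case KF_OOB:
        snprintf(buf, sizeof buf, "Out-of-bounds %s at 0x%llx (%ldB %s of kfence-#%d)", acc,
                 (unsigned long long)a, dist < 0 ? -dist : dist, dist < 0 ? "left" : "right", obj);
        break;
    case KF_UAF:
        snprintf(buf, sizeof buf, "Use-after-free %s at 0x%llx (in kfence-#%d)", acc, (unsigned long long)a, obj);
        break;
    default:
        snprintf(buf, sizeof buf, "Invalid %s at 0x%llx", acc, (unsigned long long)a);
    }
    return buf;
}

/* Constructed table: #0 allocated at the left boundary of its page (like kfence-#17 above),
 * #1 allocated at the right boundary, #2 freed, #3 never handed out. */
const struct kf_meta demo_meta[NUM_OBJECTS] = {
    { OBJ_PAGE(0), 32, KF_ALLOCATED },
    { OBJ_PAGE(1) + PAGE_SIZE - 64, 64, KF_ALLOCATED },
    { OBJ_PAGE(2), 128, KF_FREED },
    { 0, 0, KF_UNUSED },
};

int main(void) {
    const uint64_t probes[] = { OBJ_PAGE(0) - 1, OBJ_PAGE(1) + PAGE_SIZE + 8, OBJ_PAGE(2) + 16,
                                OBJ_PAGE(3) + PAGE_SIZE, POOL_BASE };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        puts(kf_describe(demo_meta, probes[i], 0));
    printf("default pool: %llu KiB\n", (unsigned long long)kf_pool_size(255, PAGE_SIZE) / 1024);
    return 0;
}
```

``kf_describe()`` renders the body line of the report: an access one byte
before object #0 yields ``1B left of kfence-#0``, mirroring the first report
above, while a hit on the guard page next to a slot that was never handed out
comes back as an invalid access. ``kf_pool_size(255, 4096)`` reproduces the
2 MiB figure from the tuning section.
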
DebugFS interface
~~~~~~~~~~~~~~~~~

Some debugging information is exposed via debugfs (this requires
``CONFIG_DEBUG_FS`` and a mounted debugfs, by default at ``/sys/kernel/debug``):

* The file ``/sys/kernel/debug/kfence/stats`` provides runtime statistics.

* The file ``/sys/kernel/debug/kfence/objects`` provides a list of objects
  allocated via KFENCE, including those already freed but protected.

Implementation Details
----------------------

Guarded allocations are set up based on the sample interval. After expiration
of the sample interval, the next allocation through the main allocator (SLAB or
SLUB) returns a guarded allocation from the KFENCE object pool (allocation
sizes up to PAGE_SIZE are supported). At this point, the timer is reset, and
the next allocation is set up after the expiration of the interval. To "gate" a
KFENCE allocation through the main allocator's fast-path without overhead,
KFENCE relies on static branches via the static keys infrastructure. The static
branch is toggled to redirect the allocation to KFENCE.

KFENCE objects each reside on a dedicated page, at either the left or the right
page boundary, selected at random. The pages to the left and right of the
object page are "guard pages", whose attributes are changed to a protected
state, and cause page faults on any attempted access. Such page faults are then
intercepted by KFENCE, which handles the fault gracefully by reporting an
out-of-bounds access, and marking the page as accessible so that the faulting
code can (wrongly) continue executing (set ``panic_on_warn`` to panic instead).

To detect out-of-bounds writes to memory within the object's page itself,
KFENCE also uses pattern-based redzones. For each object page, a redzone is set
up for all non-object memory. For typical alignments, the redzone is only
required on the unguarded side of an object. Because KFENCE must honor the
cache's requested alignment, special alignments may result in unprotected gaps
on either side of an object, all of which are redzoned.

The following figure illustrates the page layout::

    ---+-----------+-----------+-----------+-----------+-----------+---
       | xxxxxxxxx | O :       | xxxxxxxxx |       : O | xxxxxxxxx |
       | xxxxxxxxx | B :       | xxxxxxxxx |       : B | xxxxxxxxx |
       | x GUARD x | J : RED-  | x GUARD x | RED-  : J | x GUARD x |
       | xxxxxxxxx | E :  ZONE | xxxxxxxxx |  ZONE : E | xxxxxxxxx |
       | xxxxxxxxx | C :       | xxxxxxxxx |       : C | xxxxxxxxx |
       | xxxxxxxxx | T :       | xxxxxxxxx |       : T | xxxxxxxxx |
    ---+-----------+-----------+-----------+-----------+-----------+---

Upon deallocation of a KFENCE object, the object's page is again protected and
the object is marked as freed. Any further access to the object causes a fault
and KFENCE reports a use-after-free access. Freed objects are inserted at the
tail of KFENCE's freelist, so that the least recently freed objects are reused
first, and the chance of detecting use-after-frees of recently freed objects
is increased.

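The guard-page and redzone mechanics described above can be re-created in user
space with ``mmap`` and ``mprotect``, which is also how the userspace tools
KFENCE is modelled on work. The block below is an added example and not code
from this page or from the kernel: each object gets its own page, the adjacent
pages are mapped ``PROT_NONE``, a ``SIGSEGV`` handler stands in for
``kfence_handle_page_fault`` (it records the faulting address and unprotects
the page so the instruction is retried and execution continues), the unused
remainder of the object page is filled with a pattern that is checked on free,
and free re-protects the page so later accesses fault as use-after-free. The
pool of four objects, the redzone byte, and letting the caller choose the page
boundary instead of picking it at random are this example's assumptions; it is
Linux-specific.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* NUM_OBJECTS, the redzone byte and the caller-chosen alignment side are this example's assumptions. */
#define NUM_OBJECTS 4
#define REDZONE_BYTE 0xaa
#define POOL_PAGES ((NUM_OBJECTS + 1) * 2)                      /* guard, guard, obj0, guard, obj1, ... */

static uint8_t *pool;
static size_t page_size;
static struct { uintptr_t addr; size_t size; int allocated; } meta[NUM_OBJECTS];
volatile uintptr_t kf_last_fault;                               /* address recorded by the fault handler */

static void protect(uintptr_t page, int prot) { mprotect((void *)page, page_size, prot); }
static uint8_t peek(uintptr_t a) { return *(volatile uint8_t *)a; }   /* an access the compiler must emit */

/* Stand-in for kfence_handle_page_fault: record (the kernel: report) the address, then make the
 * page accessible so the faulting instruction is retried and execution (wrongly) continues. */
static void on_segv(int sig, siginfo_t *si, void *ctx) {
    uintptr_t a = (uintptr_t)si->si_addr;
    (void)sig; (void)ctx;
    if (!pool || a < (uintptr_t)pool || a >= (uintptr_t)pool + POOL_PAGES * page_size) {
        signal(SIGSEGV, SIG_DFL);                               /* not a pool page: crash as usual */
        return;
    }
    kf_last_fault = a;
    protect(a & ~(uintptr_t)(page_size - 1), PROT_READ | PROT_WRITE);
}

static int kf_init(void) {
    struct sigaction sa;
    if (pool) return 0;
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    pool = mmap(NULL, POOL_PAGES * page_size, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (pool == MAP_FAILED) { pool = NULL; return -1; }         /* every page starts out as a guard */
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv; sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Slot i lives on page 2*i+2, at the left or right boundary (real KFENCE picks the side at random);
 * the rest of the page becomes redzone and both neighbouring guard pages are (re)protected. */
void *kf_alloc(int i, size_t size, int right_aligned) {
    if (kf_init() || i < 0 || i >= NUM_OBJECTS || !size || size > page_size || meta[i].allocated)
        return NULL;
    uintptr_t page = (uintptr_t)pool + (2 * (uintptr_t)i + 2) * page_size;
    protect(page - page_size, PROT_NONE);
    protect(page + page_size, PROT_NONE);
    protect(page, PROT_READ | PROT_WRITE);
    memset((void *)page, REDZONE_BYTE, page_size);
    meta[i].addr = right_aligned ? page + page_size - size : page;
    meta[i].size = size;
    meta[i].allocated = 1;
    return (void *)meta[i].addr;
}

/* Returns -1 for an invalid or double free, otherwise the number of corrupted redzone bytes (the
 * "memory corruption" report), and protects the page again so later accesses fault as use-after-free. */
long kf_free(void *p) {
    int i = -1;
    for (int k = 0; k < NUM_OBJECTS; k++) if (meta[k].allocated && meta[k].addr == (uintptr_t)p) i = k;
    if (i < 0) return -1;
    uintptr_t page = meta[i].addr & ~(uintptr_t)(page_size - 1), end = meta[i].addr + meta[i].size;
    long corrupted = 0;
    for (uintptr_t b = page; b < page + page_size; b++)
        if ((b < meta[i].addr || b >= end) && *(uint8_t *)b != REDZONE_BYTE) corrupted++;
    meta[i].allocated = 0;
    protect(page, PROT_NONE);
    return corrupted;
}

long kf_result[4];
/* Scenarios from the error-report section: out-of-bounds read into a guard page, read after free,
 * double free, and an out-of-bounds write that lands in the redzone and is only caught on free. */
int kf_demo(void) {
    volatile uint8_t *p = kf_alloc(0, 32, 0), *q = kf_alloc(1, 73, 0);
    if (!p || !q) return -1;
    kf_last_fault = 0;
    peek((uintptr_t)p - 1);                                     /* 1B left of p: the guard page faults */
    kf_result[0] = (long)(kf_last_fault - (uintptr_t)p);        /* -1, and execution carried on */
    kf_free((void *)p);
    kf_last_fault = 0;
    peek((uintptr_t)p);                                         /* read after free: page is protected again */
    kf_result[1] = kf_last_fault == (uintptr_t)p;
    kf_result[2] = kf_free((void *)p);                          /* double free: -1 */
    q[73] = 0xac;                                               /* silent write just past the 73-byte object */
    kf_result[3] = kf_free((void *)q);                          /* one corrupted redzone byte */
    return 0;
}

int main(void) {
    if (kf_demo()) return 1;
    printf("oob offset %ld, uaf faulted %ld, double free %ld, corrupted bytes %ld\n", kf_result[0], kf_result[1], kf_result[2], kf_result[3]);
    return 0;
}
```

``kf_demo()`` runs the scenarios from the error-report section and leaves the
outcomes in ``kf_result[]``: the out-of-bounds read is recorded one byte below
the object and the program carries on (the behaviour ``panic_on_warn`` exists
to prevent in the kernel), the read after free faults on the re-protected page,
the double free is rejected, and the write one byte past the 73-byte object
lands in the redzone rather than on a guard page and is only noticed when the
object is freed.
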
Interface
---------

The following describes the functions which are used by allocators as well as
page handling code to set up and deal with KFENCE allocations.

.. kernel-doc:: include/linux/kfence.h
   :functions: is_kfence_address
               kfence_shutdown_cache
               kfence_alloc kfence_free __kfence_free
               kfence_ksize kfence_object_start
               kfence_handle_page_fault

Related Tools
-------------

In userspace, a similar approach is taken by `GWP-ASan
<http://llvm.org/docs/GwpAsan.html>`_. GWP-ASan also relies on guard pages and
a sampling strategy to detect memory unsafety bugs at scale. KFENCE's design is
directly influenced by GWP-ASan, and can be seen as its kernel sibling. Another
similar but non-sampling approach, that also inspired the name "KFENCE", can be
found in the userspace `Electric Fence Malloc Debugger
<https://linux.die.net/man/3/efence>`_.

In the kernel, several tools exist to debug memory access errors, and in
particular KASAN can detect all bug classes that KFENCE can detect. While KASAN
is more precise, relying on compiler instrumentation, this comes at a
performance cost.

It is worth highlighting that KASAN and KFENCE are complementary, with
different target environments. For instance, KASAN is the better debugging aid
where test cases or reproducers exist: because KFENCE only samples allocations,
its chance of catching a given error is lower, and debugging with it would take
more effort. Deployments at scale that cannot afford to enable KASAN, however,
would benefit from using KFENCE to discover bugs due to code paths not
exercised by test cases or fuzzers.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294) different target environments. For instance, KASAN is the better debugging-aid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) where test cases or reproducers exists: due to the lower chance to detect the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296) error, it would require more effort using KFENCE to debug. Deployments at scale
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297) that cannot afford to enable KASAN, however, would benefit from using KFENCE to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298) discover bugs due to code paths not exercised by test cases or fuzzers.