Linux 5.12 Will Have A New Memory Safety Detector Called KFence

From LinuxReviews

Linus Torvalds merged a new low-overhead memory validator called KFence, short for Kernel Electric Fence, into the Linux git tree in time for Linux 5.12-rc1. KFence is a memory error detector and validator similar to the existing KASAN (Kernel Address SANitizer), but with low enough overhead to be suitable for production kernels.

written by 윤채경 (Yoon Chae-kyung)  2021-03-01 - last edited 2021-03-01. © CC BY

A screenshot of mm/kfence/core.c from Linux git as of today.

The Linux kernel has long had a dynamic memory error detector called KASAN available as CONFIG_KASAN. It has quite a bit of overhead and it is not entirely easy to use.

Linus Torvalds has merged a new alternative memory validator written by Google called KFence, or Kernel Electric Fence, into the Linux git tree. It will be available in Linux 5.12 as CONFIG_KFENCE.

KFence will be configurable at boot time with a kfence.sample_interval parameter that lets you choose how often, in milliseconds, it guards heap allocations. This parameter can be set to 0 to disable KFence, which is useful if a default has been configured using the new CONFIG_KFENCE_SAMPLE_INTERVAL kernel configuration option.

KFence is said to have a very low overhead compared to KASAN. According to the documentation, it can be used on production systems with "near zero performance overhead":

"KFENCE is designed to be enabled in production kernels, and has near zero performance overhead. Compared to KASAN, KFENCE trades performance for precision. The main motivation behind KFENCE's design, is that with enough total uptime KFENCE will detect bugs in code paths not typically exercised by non-production test workloads. One way to quickly achieve a large enough total uptime is when the tool is deployed across a large fleet of machines."

Documentation/dev-tools/kfence.rst

The low overhead means that a segment of users who would like to help the kernel community find memory safety errors in the kernel but would never consider running a production kernel with KASAN enabled have a new option they might actually enable and use.

KFence can produce bug reports if any part of the kernel tries to access memory out-of-bounds, use already freed memory (use-after-free) or free already freed memory (double-free), as well as on invalid accesses to protected pages. The documentation includes several examples of what the KFence error warnings will look like, including this one:

==================================================================
BUG: KFENCE: invalid read in test_invalid_access+0x26/0xe0

Invalid read at 0xffffffffb670b00a:
 test_invalid_access+0x26/0xe0
 kunit_try_run_case+0x51/0x85
 kunit_generic_run_threadfn_adapter+0x16/0x30
 kthread+0x137/0x160
 ret_from_fork+0x22/0x30

CPU: 4 PID: 124 Comm: kunit_try_catch Tainted: G        W         5.8.0-rc6+ #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
==================================================================

By default, KFence will not make the kernel panic when errors are detected; it will only produce error messages in the kernel's ring buffer (what you get if you type dmesg). It is possible to set panic_on_warn if you really want the kernel to panic and halt when an error is detected.
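Because reports only land in the ring buffer, they are easy to miss on a fleet unless something looks for them. The following is an added example, not code from the article or the kernel tree: a small parser that pulls the error kind, faulting function, address and first stack trace out of dmesg text. The function name parse_kfence_reports, the timestamps and the two unrelated log lines in the sample are constructed for illustration.

```python
import re

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\s?")           # optional dmesg timestamp
HEADER = re.compile(r"BUG: KFENCE: (?P<kind>.+?) in (?P<func>[\w.]+)\+")
ADDR = re.compile(r"\bat (0x[0-9a-f]+)")
FRAME = re.compile(r"^\s*([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
RULE = re.compile(r"^={20,}$")                          # ==== delimiter line

def parse_kfence_reports(text):
    """Return one dict per KFENCE report found in kernel log text."""
    reports, cur, collecting = [], None, False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw.rstrip())
        header = HEADER.search(line)
        if header:
            cur = {"kind": header["kind"], "function": header["func"],
                   "address": None, "stack": []}
            reports.append(cur)
            collecting = False
        elif cur is None:
            continue
        elif RULE.match(line):                  # closing delimiter ends the report
            cur = None
        elif cur["address"] is None and ADDR.search(line):
            cur["address"] = ADDR.search(line)[1]
            collecting = True                   # frames of the faulting access follow
        elif collecting and FRAME.match(line):
            cur["stack"].append(FRAME.match(line)[1])
        elif collecting and cur["stack"]:
            collecting = False                  # first stack ended; skip later ones
    return reports

# Constructed input: the report shown above with dmesg timestamps added,
# surrounded by two unrelated, made-up log lines.
SAMPLE = """\
[   10.000001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[   12.340000] ==================================================================
[   12.340001] BUG: KFENCE: invalid read in test_invalid_access+0x26/0xe0
[   12.340002]
[   12.340003] Invalid read at 0xffffffffb670b00a:
[   12.340004]  test_invalid_access+0x26/0xe0
[   12.340005]  kunit_try_run_case+0x51/0x85
[   12.340006]  kthread+0x137/0x160
[   12.340007] CPU: 4 PID: 124 Comm: kunit_try_catch Tainted: G        W         5.8.0-rc6+ #7
[   12.340008] ==================================================================
[   13.000000] EXT4-fs (sda1): re-mounted
"""

if __name__ == "__main__":
    for report in parse_kfence_reports(SAMPLE):
        print(report)
```

Feeding it the output of dmesg on a schedule and alerting on a non-empty result gives the same visibility as panic_on_warn without halting the machine.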

KFence adds two new debugging files to the kernel's debugfs:

/sys/kernel/debug/kfence/stats will show runtime statistics, and

/sys/kernel/debug/kfence/objects provides a list of objects allocated via KFence, including freed but still protected pages.

Documentation for the new KFence memory error detector has been merged as Documentation/dev-tools/kfence.rst.

The first Linux 5.12 release-candidate was released today. You can get it from kernel.org if you want to try the shiny new KFence memory safety detector. The final 5.12 release won't take place for another six to eight weeks.
