Linux 5.12 Will Have a New Memory Safety Detector Called KFence
Linus Torvalds merged a new low-overhead memory validator called KFence, short for Kernel Electric Fence, into the Linux git tree in time for Linux 5.12-rc1. KFence is a memory error detector and validator similar to the existing KASAN (Kernel Address SANitizer), but with overhead low enough to be suitable for production kernels.
The Linux kernel has long had a dynamic memory error detector called KASAN available as CONFIG_KASAN. It has quite a bit of overhead and it is not entirely easy to use.
KFence will be configurable at boot time with a kfence.sample_interval parameter that lets you choose how often, in milliseconds, it guards heap allocations. This parameter can be set to 0 to disable it, which is useful if you configure a default using the new CONFIG_KFENCE_SAMPLE_INTERVAL kernel configuration option.
KFence is said to have a very low overhead compared to KASAN. According to the documentation, it can be used on production systems with "near zero performance overhead":
"KFENCE is designed to be enabled in production kernels, and has near zero performance overhead. Compared to KASAN, KFENCE trades performance for precision. The main motivation behind KFENCE's design, is that with enough total uptime KFENCE will detect bugs in code paths not typically exercised by non-production test workloads. One way to quickly achieve a large enough total uptime is when the tool is deployed across a large fleet of machines."
The low overhead means that a segment of users who would like to help the kernel community find memory safety errors in the kernel but would never consider running a production kernel with KASAN enabled have a new option they might actually enable and use.
KFence can produce bug reports if any part of the kernel tries to access memory out-of-bounds, use already freed memory (use-after-free), free already freed memory (double-free) or make an invalid access to a protected page. The documentation includes several examples of what the KFence error warnings will look like, including this one:
==================================================================
BUG: KFENCE: invalid read in test_invalid_access+0x26/0xe0
Invalid read at 0xffffffffb670b00a:
 test_invalid_access+0x26/0xe0
 kunit_try_run_case+0x51/0x85
 kunit_generic_run_threadfn_adapter+0x16/0x30
 kthread+0x137/0x160
 ret_from_fork+0x22/0x30
CPU: 4 PID: 124 Comm: kunit_try_catch Tainted: G W 5.8.0-rc6+ #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
==================================================================
KFence will by default not make the kernel panic when errors are detected; it will only produce error messages in the kernel's ring buffer (what you get if you type dmesg). It is possible to set panic_on_warn if you really want the kernel to panic and halt when an error is detected.
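Because reports only land in the ring buffer by default, something has to pick them out of the log. The parser below is an added example, not code from the kernel or from this article; it assumes other KFence report types use the same "BUG: KFENCE: <kind> in <symbol>" header as the sample above, and its function names and timestamped sample log are constructed for illustration.

```python
import re
from collections import Counter

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # dmesg "[   45.123456] " prefix
# Header shape shown in the article: "BUG: KFENCE: <kind> in <symbol>+0x../0x.."
HEADER = re.compile(r"BUG: KFENCE: (?P<kind>.+?) in (?P<symbol>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
FRAME = re.compile(r"^\s*(?P<fn>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
ADDR = re.compile(r"\bat (0x[0-9a-f]+)")

def parse_kfence_reports(log_text):
    """Return one dict per KFENCE report found in kernel log text."""
    reports, current = [], None
    for raw in log_text.splitlines():
        line = TS.sub("", raw).rstrip()
        header = HEADER.search(line)
        if header:
            current = {"kind": header["kind"], "symbol": header["symbol"],
                       "address": None, "frames": []}
            reports.append(current)
        elif current is None:
            continue                              # not inside a report
        elif line and set(line) == {"="}:
            current = None                        # closing ===== rule ends the report
        elif current["address"] is None and ADDR.search(line):
            current["address"] = ADDR.search(line).group(1)
        elif FRAME.match(line):
            current["frames"].append(FRAME.match(line)["fn"])
    return reports

def summarize(reports):  # group repeated hits by (kind, faulting symbol)
    return Counter((r["kind"], r["symbol"]) for r in reports)

# Constructed input: the article's sample report with dmesg-style timestamps added.
SAMPLE = """\
[   44.900000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[   45.100000] ==================================================================
[   45.100001] BUG: KFENCE: invalid read in test_invalid_access+0x26/0xe0
[   45.100002] Invalid read at 0xffffffffb670b00a:
[   45.100003]  test_invalid_access+0x26/0xe0
[   45.100004]  kunit_try_run_case+0x51/0x85
[   45.100005]  kunit_generic_run_threadfn_adapter+0x16/0x30
[   45.100006]  kthread+0x137/0x160
[   45.100007]  ret_from_fork+0x22/0x30
[   45.100008] CPU: 4 PID: 124 Comm: kunit_try_catch Tainted: G W 5.8.0-rc6+ #7
[   45.100009] ==================================================================
"""
if __name__ == "__main__":
    for (kind, symbol), n in summarize(parse_kfence_reports(SAMPLE)).items():
        print(f"{n}x {kind} in {symbol}")
```

Feeding it the output of dmesg from many machines and merging the counters groups identical reports by faulting function.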
KFence adds two new debugging files to the kernel's debugfs: /sys/kernel/debug/kfence/stats will show runtime statistics, and /sys/kernel/debug/kfence/objects provides a list of objects allocated via KFence, including freed but still protected pages.
Documentation for the new KFence memory error detector has been merged as
The first Linux 5.12 release-candidate was released today. You can get it from kernel.org if you want to try the shiny new KFence memory safety detector. The final 5.12 release won't take place for another six to eight weeks.