From: Marco Elver <elver@google.com>
To: elver@google.com, akpm@linux-foundation.org, glider@google.com
Cc: hpa@zytor.com, paulmck@kernel.org, andreyknvl@google.com,
aryabinin@virtuozzo.com, luto@kernel.org, bp@alien8.de,
catalin.marinas@arm.com, cl@linux.com,
dave.hansen@linux.intel.com, rientjes@google.com,
dvyukov@google.com, edumazet@google.com,
gregkh@linuxfoundation.org, mingo@redhat.com, jannh@google.com,
Jonathan.Cameron@huawei.com, corbet@lwn.net,
iamjoonsoo.kim@lge.com, keescook@chromium.org,
mark.rutland@arm.com, penberg@kernel.org, peterz@infradead.org,
cai@lca.pw, tglx@linutronix.de, vbabka@suse.cz, will@kernel.org,
x86@kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com,
linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org
Subject: [PATCH v2 00/10] KFENCE: A low-overhead sampling-based memory safety error detector
Date: Tue, 15 Sep 2020 15:20:36 +0200 [thread overview]
Message-ID: <20200915132046.3332537-1-elver@google.com> (raw)
This adds the Kernel Electric-Fence (KFENCE) infrastructure. KFENCE is a
low-overhead sampling-based memory safety error detector of heap
use-after-free, invalid-free, and out-of-bounds access errors. This
series enables KFENCE for the x86 and arm64 architectures, and adds
KFENCE hooks to the SLAB and SLUB allocators.
KFENCE is designed to be enabled in production kernels, and has near
zero performance overhead. Compared to KASAN, KFENCE trades performance
for precision. The main motivation behind KFENCE's design, is that with
enough total uptime KFENCE will detect bugs in code paths not typically
exercised by non-production test workloads. One way to quickly achieve a
large enough total uptime is when the tool is deployed across a large
fleet of machines.
KFENCE objects each reside on a dedicated page, at either the left or
right page boundaries. The pages to the left and right of the object
page are "guard pages", whose attributes are changed to a protected
state, and cause page faults on any attempted access to them. Such page
faults are then intercepted by KFENCE, which handles the fault
gracefully by reporting a memory access error.
Guarded allocations are set up based on a sample interval (can be set
via kfence.sample_interval). After expiration of the sample interval,
the next allocation through the main allocator (SLAB or SLUB) returns a
guarded allocation from the KFENCE object pool. At this point, the timer
is reset, and the next allocation is set up after the expiration of the
interval.
To enable/disable a KFENCE allocation through the main allocator's
fast-path without overhead, KFENCE relies on static branches via the
static keys infrastructure. The static branch is toggled to redirect the
allocation to KFENCE.
The KFENCE memory pool is of fixed size, and if the pool is exhausted no
further KFENCE allocations occur. The default config is conservative
with only 255 objects, resulting in a pool size of 2 MiB (with 4 KiB
pages).
We have verified by running synthetic benchmarks (sysbench I/O,
hackbench) that a kernel with KFENCE is performance-neutral compared to
a non-KFENCE baseline kernel.
KFENCE is inspired by GWP-ASan [1], a userspace tool with similar
properties. The name "KFENCE" is a homage to the Electric Fence Malloc
Debugger [2].
For more details, see Documentation/dev-tools/kfence.rst added in the
series -- also viewable here:
https://raw.githubusercontent.com/google/kasan/kfence/Documentation/dev-tools/kfence.rst
[1] http://llvm.org/docs/GwpAsan.html
[2] https://linux.die.net/man/3/efence
v2:
* Various comment/documentation changes (see details in patches).
* Various smaller fixes (see details in patches).
* Change all reports to reference the kfence object, "kfence-#nn".
* Skip allocation/free internals stack trace.
* Rework KMEMLEAK compatibility patch.
RFC/v1: https://lkml.kernel.org/r/20200907134055.2878499-1-elver@google.com
Alexander Potapenko (6):
mm: add Kernel Electric-Fence infrastructure
x86, kfence: enable KFENCE for x86
mm, kfence: insert KFENCE hooks for SLAB
mm, kfence: insert KFENCE hooks for SLUB
kfence, kasan: make KFENCE compatible with KASAN
kfence, kmemleak: make KFENCE compatible with KMEMLEAK
Marco Elver (4):
arm64, kfence: enable KFENCE for ARM64
kfence, lockdep: make KFENCE compatible with lockdep
kfence, Documentation: add KFENCE documentation
kfence: add test suite
Documentation/dev-tools/index.rst | 1 +
Documentation/dev-tools/kfence.rst | 291 +++++++++++
MAINTAINERS | 11 +
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/kfence.h | 39 ++
arch/arm64/mm/fault.c | 4 +
arch/x86/Kconfig | 2 +
arch/x86/include/asm/kfence.h | 60 +++
arch/x86/mm/fault.c | 4 +
include/linux/kfence.h | 174 +++++++
init/main.c | 2 +
kernel/locking/lockdep.c | 8 +
lib/Kconfig.debug | 1 +
lib/Kconfig.kfence | 78 +++
mm/Makefile | 1 +
mm/kasan/common.c | 7 +
mm/kfence/Makefile | 6 +
mm/kfence/core.c | 733 +++++++++++++++++++++++++++
mm/kfence/kfence.h | 102 ++++
mm/kfence/kfence_test.c | 777 +++++++++++++++++++++++++++++
mm/kfence/report.c | 219 ++++++++
mm/kmemleak.c | 6 +
mm/slab.c | 46 +-
mm/slab_common.c | 6 +-
mm/slub.c | 72 ++-
25 files changed, 2619 insertions(+), 32 deletions(-)
create mode 100644 Documentation/dev-tools/kfence.rst
create mode 100644 arch/arm64/include/asm/kfence.h
create mode 100644 arch/x86/include/asm/kfence.h
create mode 100644 include/linux/kfence.h
create mode 100644 lib/Kconfig.kfence
create mode 100644 mm/kfence/Makefile
create mode 100644 mm/kfence/core.c
create mode 100644 mm/kfence/kfence.h
create mode 100644 mm/kfence/kfence_test.c
create mode 100644 mm/kfence/report.c
--
2.28.0.618.gf4bc123cb7-goog
WARNING: multiple messages have this Message-ID (diff)
From: Marco Elver <elver@google.com>
To: elver@google.com, akpm@linux-foundation.org, glider@google.com
Cc: mark.rutland@arm.com, linux-doc@vger.kernel.org,
peterz@infradead.org, catalin.marinas@arm.com,
dave.hansen@linux.intel.com, linux-mm@kvack.org,
edumazet@google.com, hpa@zytor.com, cl@linux.com,
will@kernel.org, corbet@lwn.net, x86@kernel.org,
kasan-dev@googlegroups.com, mingo@redhat.com, vbabka@suse.cz,
rientjes@google.com, aryabinin@virtuozzo.com,
keescook@chromium.org, paulmck@kernel.org, jannh@google.com,
andreyknvl@google.com, bp@alien8.de, luto@kernel.org,
Jonathan.Cameron@huawei.com, tglx@linutronix.de,
dvyukov@google.com, linux-arm-kernel@lists.infradead.org,
gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
penberg@kernel.org, cai@lca.pw, iamjoonsoo.kim@lge.com
Subject: [PATCH v2 00/10] KFENCE: A low-overhead sampling-based memory safety error detector
Date: Tue, 15 Sep 2020 15:20:36 +0200 [thread overview]
Message-ID: <20200915132046.3332537-1-elver@google.com> (raw)
This adds the Kernel Electric-Fence (KFENCE) infrastructure. KFENCE is a
low-overhead sampling-based memory safety error detector of heap
use-after-free, invalid-free, and out-of-bounds access errors. This
series enables KFENCE for the x86 and arm64 architectures, and adds
KFENCE hooks to the SLAB and SLUB allocators.
KFENCE is designed to be enabled in production kernels, and has near
zero performance overhead. Compared to KASAN, KFENCE trades performance
for precision. The main motivation behind KFENCE's design, is that with
enough total uptime KFENCE will detect bugs in code paths not typically
exercised by non-production test workloads. One way to quickly achieve a
large enough total uptime is when the tool is deployed across a large
fleet of machines.
KFENCE objects each reside on a dedicated page, at either the left or
right page boundaries. The pages to the left and right of the object
page are "guard pages", whose attributes are changed to a protected
state, and cause page faults on any attempted access to them. Such page
faults are then intercepted by KFENCE, which handles the fault
gracefully by reporting a memory access error.
Guarded allocations are set up based on a sample interval (can be set
via kfence.sample_interval). After expiration of the sample interval,
the next allocation through the main allocator (SLAB or SLUB) returns a
guarded allocation from the KFENCE object pool. At this point, the timer
is reset, and the next allocation is set up after the expiration of the
interval.
To enable/disable a KFENCE allocation through the main allocator's
fast-path without overhead, KFENCE relies on static branches via the
static keys infrastructure. The static branch is toggled to redirect the
allocation to KFENCE.
The KFENCE memory pool is of fixed size, and if the pool is exhausted no
further KFENCE allocations occur. The default config is conservative
with only 255 objects, resulting in a pool size of 2 MiB (with 4 KiB
pages).
We have verified by running synthetic benchmarks (sysbench I/O,
hackbench) that a kernel with KFENCE is performance-neutral compared to
a non-KFENCE baseline kernel.
KFENCE is inspired by GWP-ASan [1], a userspace tool with similar
properties. The name "KFENCE" is a homage to the Electric Fence Malloc
Debugger [2].
For more details, see Documentation/dev-tools/kfence.rst added in the
series -- also viewable here:
https://raw.githubusercontent.com/google/kasan/kfence/Documentation/dev-tools/kfence.rst
[1] http://llvm.org/docs/GwpAsan.html
[2] https://linux.die.net/man/3/efence
v2:
* Various comment/documentation changes (see details in patches).
* Various smaller fixes (see details in patches).
* Change all reports to reference the kfence object, "kfence-#nn".
* Skip allocation/free internals stack trace.
* Rework KMEMLEAK compatibility patch.
RFC/v1: https://lkml.kernel.org/r/20200907134055.2878499-1-elver@google.com
Alexander Potapenko (6):
mm: add Kernel Electric-Fence infrastructure
x86, kfence: enable KFENCE for x86
mm, kfence: insert KFENCE hooks for SLAB
mm, kfence: insert KFENCE hooks for SLUB
kfence, kasan: make KFENCE compatible with KASAN
kfence, kmemleak: make KFENCE compatible with KMEMLEAK
Marco Elver (4):
arm64, kfence: enable KFENCE for ARM64
kfence, lockdep: make KFENCE compatible with lockdep
kfence, Documentation: add KFENCE documentation
kfence: add test suite
Documentation/dev-tools/index.rst | 1 +
Documentation/dev-tools/kfence.rst | 291 +++++++++++
MAINTAINERS | 11 +
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/kfence.h | 39 ++
arch/arm64/mm/fault.c | 4 +
arch/x86/Kconfig | 2 +
arch/x86/include/asm/kfence.h | 60 +++
arch/x86/mm/fault.c | 4 +
include/linux/kfence.h | 174 +++++++
init/main.c | 2 +
kernel/locking/lockdep.c | 8 +
lib/Kconfig.debug | 1 +
lib/Kconfig.kfence | 78 +++
mm/Makefile | 1 +
mm/kasan/common.c | 7 +
mm/kfence/Makefile | 6 +
mm/kfence/core.c | 733 +++++++++++++++++++++++++++
mm/kfence/kfence.h | 102 ++++
mm/kfence/kfence_test.c | 777 +++++++++++++++++++++++++++++
mm/kfence/report.c | 219 ++++++++
mm/kmemleak.c | 6 +
mm/slab.c | 46 +-
mm/slab_common.c | 6 +-
mm/slub.c | 72 ++-
25 files changed, 2619 insertions(+), 32 deletions(-)
create mode 100644 Documentation/dev-tools/kfence.rst
create mode 100644 arch/arm64/include/asm/kfence.h
create mode 100644 arch/x86/include/asm/kfence.h
create mode 100644 include/linux/kfence.h
create mode 100644 lib/Kconfig.kfence
create mode 100644 mm/kfence/Makefile
create mode 100644 mm/kfence/core.c
create mode 100644 mm/kfence/kfence.h
create mode 100644 mm/kfence/kfence_test.c
create mode 100644 mm/kfence/report.c
--
2.28.0.618.gf4bc123cb7-goog
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next reply other threads:[~2020-09-15 13:51 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-15 13:20 Marco Elver [this message]
2020-09-15 13:20 ` [PATCH v2 00/10] KFENCE: A low-overhead sampling-based memory safety error detector Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` [PATCH v2 01/10] mm: add Kernel Electric-Fence infrastructure Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-17 13:26 ` Hillf Danton
2020-09-17 13:26 ` Hillf Danton
2020-09-17 13:36 ` Marco Elver
2020-09-17 13:36 ` Marco Elver
2020-09-17 23:45 ` Hillf Danton
2020-09-17 23:45 ` Hillf Danton
2020-09-15 13:20 ` [PATCH v2 02/10] x86, kfence: enable KFENCE for x86 Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` [PATCH v2 03/10] arm64, kfence: enable KFENCE for ARM64 Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` [PATCH v2 04/10] mm, kfence: insert KFENCE hooks for SLAB Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-17 9:37 ` Christopher Lameter
2020-09-17 9:37 ` Christopher Lameter
2020-09-17 9:37 ` Christopher Lameter
2020-09-17 9:47 ` Alexander Potapenko
2020-09-17 9:47 ` Alexander Potapenko
2020-09-17 9:47 ` Alexander Potapenko
2020-09-15 13:20 ` [PATCH v2 05/10] mm, kfence: insert KFENCE hooks for SLUB Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-17 9:40 ` Christopher Lameter
2020-09-17 9:40 ` Christopher Lameter
2020-09-17 9:40 ` Christopher Lameter
2020-09-17 9:51 ` Alexander Potapenko
2020-09-17 9:51 ` Alexander Potapenko
2020-09-17 9:51 ` Alexander Potapenko
2020-09-15 13:20 ` [PATCH v2 06/10] kfence, kasan: make KFENCE compatible with KASAN Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` [PATCH v2 07/10] kfence, kmemleak: make KFENCE compatible with KMEMLEAK Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` [PATCH v2 08/10] kfence, lockdep: make KFENCE compatible with lockdep Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` [PATCH v2 09/10] kfence, Documentation: add KFENCE documentation Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` [PATCH v2 10/10] kfence: add test suite Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-15 13:20 ` Marco Elver
2020-09-16 5:13 ` kernel test robot
2020-09-15 13:49 ` [PATCH v2 00/10] KFENCE: A low-overhead sampling-based memory safety error detector Dmitry Vyukov
2020-09-15 13:49 ` Dmitry Vyukov
2020-09-15 13:49 ` Dmitry Vyukov
2020-09-18 11:17 ` Qian Cai
2020-09-18 11:17 ` Qian Cai
2020-09-18 11:17 ` Qian Cai
2020-09-18 11:59 ` Marco Elver
2020-09-18 11:59 ` Marco Elver
2020-09-18 11:59 ` Marco Elver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200915132046.3332537-1-elver@google.com \
--to=elver@google.com \
--cc=Jonathan.Cameron@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@google.com \
--cc=aryabinin@virtuozzo.com \
--cc=bp@alien8.de \
--cc=cai@lca.pw \
--cc=catalin.marinas@arm.com \
--cc=cl@linux.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=glider@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=jannh@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=keescook@chromium.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=paulmck@kernel.org \
--cc=penberg@kernel.org \
--cc=peterz@infradead.org \
--cc=rientjes@google.com \
--cc=tglx@linutronix.de \
--cc=vbabka@suse.cz \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.