From: Dmitry Vyukov
Date: Tue, 15 Sep 2020 15:49:47 +0200
Subject: Re: [PATCH v2 00/10] KFENCE: A low-overhead sampling-based memory safety error detector
To: Marco Elver
Cc: Andrew Morton, Alexander Potapenko, "H. Peter Anvin", "Paul E. McKenney",
    Andrey Konovalov, Andrey Ryabinin, Andy Lutomirski, Borislav Petkov,
    Catalin Marinas, Christoph Lameter, Dave Hansen, David Rientjes,
    Eric Dumazet, Greg Kroah-Hartman, Ingo Molnar, Jann Horn,
    Jonathan.Cameron@huawei.com, Jonathan Corbet, Joonsoo Kim, Kees Cook,
    Mark Rutland, Pekka Enberg, Peter Zijlstra, Qian Cai, Thomas Gleixner,
    Vlastimil Babka, Will Deacon, "the arch/x86 maintainers",
    "open list:DOCUMENTATION", LKML, kasan-dev, Linux ARM, Linux-MM
In-Reply-To: <20200915132046.3332537-1-elver@google.com>

On Tue, Sep 15, 2020 at 3:20 PM Marco Elver wrote:
>
> This adds the Kernel Electric-Fence (KFENCE) infrastructure. KFENCE is a
> low-overhead sampling-based memory safety error detector of heap
> use-after-free, invalid-free, and out-of-bounds access errors. This
> series enables KFENCE for the x86 and arm64 architectures, and adds
> KFENCE hooks to the SLAB and SLUB allocators.
>
> KFENCE is designed to be enabled in production kernels, and has near
> zero performance overhead. Compared to KASAN, KFENCE trades performance
> for precision. The main motivation behind KFENCE's design, is that with
> enough total uptime KFENCE will detect bugs in code paths not typically
> exercised by non-production test workloads. One way to quickly achieve a
> large enough total uptime is when the tool is deployed across a large
> fleet of machines.
>
> KFENCE objects each reside on a dedicated page, at either the left or
> right page boundaries. The pages to the left and right of the object
> page are "guard pages", whose attributes are changed to a protected
> state, and cause page faults on any attempted access to them. Such page
> faults are then intercepted by KFENCE, which handles the fault
> gracefully by reporting a memory access error.
>
> Guarded allocations are set up based on a sample interval (can be set
> via kfence.sample_interval). After expiration of the sample interval,
> the next allocation through the main allocator (SLAB or SLUB) returns a
> guarded allocation from the KFENCE object pool. At this point, the timer
> is reset, and the next allocation is set up after the expiration of the
> interval.
>
> To enable/disable a KFENCE allocation through the main allocator's
> fast-path without overhead, KFENCE relies on static branches via the
> static keys infrastructure. The static branch is toggled to redirect the
> allocation to KFENCE.
>
> The KFENCE memory pool is of fixed size, and if the pool is exhausted no
> further KFENCE allocations occur. The default config is conservative
> with only 255 objects, resulting in a pool size of 2 MiB (with 4 KiB
> pages).
>
> We have verified by running synthetic benchmarks (sysbench I/O,
> hackbench) that a kernel with KFENCE is performance-neutral compared to
> a non-KFENCE baseline kernel.
>
> KFENCE is inspired by GWP-ASan [1], a userspace tool with similar
> properties. The name "KFENCE" is a homage to the Electric Fence Malloc
> Debugger [2].
>
> For more details, see Documentation/dev-tools/kfence.rst added in the
> series -- also viewable here:
>
>         https://raw.githubusercontent.com/google/kasan/kfence/Documentation/dev-tools/kfence.rst
>
> [1] http://llvm.org/docs/GwpAsan.html
> [2] https://linux.die.net/man/3/efence

I see all of my comments from v1 are resolved. So this is:

Reviewed-by: Dmitry Vyukov

for the series.

> v2:
> * Various comment/documentation changes (see details in patches).
> * Various smaller fixes (see details in patches).
> * Change all reports to reference the kfence object, "kfence-#nn".
> * Skip allocation/free internals stack trace.
> * Rework KMEMLEAK compatibility patch.
>
> RFC/v1: https://lkml.kernel.org/r/20200907134055.2878499-1-elver@google.com
>
> Alexander Potapenko (6):
>   mm: add Kernel Electric-Fence infrastructure
>   x86, kfence: enable KFENCE for x86
>   mm, kfence: insert KFENCE hooks for SLAB
>   mm, kfence: insert KFENCE hooks for SLUB
>   kfence, kasan: make KFENCE compatible with KASAN
>   kfence, kmemleak: make KFENCE compatible with KMEMLEAK
>
> Marco Elver (4):
>   arm64, kfence: enable KFENCE for ARM64
>   kfence, lockdep: make KFENCE compatible with lockdep
>   kfence, Documentation: add KFENCE documentation
>   kfence: add test suite
>
>  Documentation/dev-tools/index.rst  |   1 +
>  Documentation/dev-tools/kfence.rst | 291 +++++++++++
>  MAINTAINERS                        |  11 +
>  arch/arm64/Kconfig                 |   1 +
>  arch/arm64/include/asm/kfence.h    |  39 ++
>  arch/arm64/mm/fault.c              |   4 +
>  arch/x86/Kconfig                   |   2 +
>  arch/x86/include/asm/kfence.h      |  60 +++
>  arch/x86/mm/fault.c                |   4 +
>  include/linux/kfence.h             | 174 +++++++
>  init/main.c                        |   2 +
>  kernel/locking/lockdep.c           |   8 +
>  lib/Kconfig.debug                  |   1 +
>  lib/Kconfig.kfence                 |  78 +++
>  mm/Makefile                        |   1 +
>  mm/kasan/common.c                  |   7 +
>  mm/kfence/Makefile                 |   6 +
>  mm/kfence/core.c                   | 733 +++++++++++++++++++++++++++
>  mm/kfence/kfence.h                 | 102 ++++
>  mm/kfence/kfence_test.c            | 777 +++++++++++++++++++++++++++++
>  mm/kfence/report.c                 | 219 ++++++++
>  mm/kmemleak.c                      |   6 +
>  mm/slab.c                          |  46 +-
>  mm/slab_common.c                   |   6 +-
>  mm/slub.c                          |  72 ++-
>  25 files changed, 2619 insertions(+), 32 deletions(-)
>  create mode 100644 Documentation/dev-tools/kfence.rst
>  create mode 100644 arch/arm64/include/asm/kfence.h
>  create mode 100644 arch/x86/include/asm/kfence.h
>  create mode 100644 include/linux/kfence.h
>  create mode 100644 lib/Kconfig.kfence
>  create mode 100644 mm/kfence/Makefile
>  create mode 100644 mm/kfence/core.c
>  create mode 100644 mm/kfence/kfence.h
>  create mode 100644 mm/kfence/kfence_test.c
>  create mode 100644 mm/kfence/report.c
>
> --
> 2.28.0.618.gf4bc123cb7-goog
>
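
The guard-page layout described in the quoted cover letter, as an added userspace illustration in C; it is not part of the original message and not KFENCE code. It assumes Linux, stands in mmap/mprotect and a SIGSEGV handler for the kernel's page attributes and page-fault hook, and every name in it (guarded_alloc, guarded_free, checked_read, enum err) is hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                 /* MAP_ANONYMOUS, sigsetjmp, siginfo_t */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Userspace sketch with hypothetical names; not KFENCE code. */
enum err { ERR_NONE, ERR_OOB_LEFT, ERR_OOB_RIGHT, ERR_UAF };
struct guarded_obj {
    unsigned char *region;          /* guard page | object page | guard page */
    unsigned char *ptr;             /* object start inside the middle page */
    size_t page;
};
static sigjmp_buf fault_env;
static volatile sig_atomic_t probing;
static void *volatile fault_addr;

static void on_fault(int sig, siginfo_t *info, void *ctx)
{
    if (!probing) {                 /* unrelated crash: let it stay fatal */
        signal(sig, SIG_DFL);
        return;
    }
    fault_addr = info->si_addr;
    siglongjmp(fault_env, 1);
}

static int install_fault_handler(void)
{
    static struct sigaction sa;     /* static storage: zero-initialised */
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return (sigaction(SIGSEGV, &sa, NULL) || sigaction(SIGBUS, &sa, NULL)) ? -1 : 0;
}

/* Put one object on its own page, flush against the left or right edge. */
static int guarded_alloc(struct guarded_obj *o, size_t size, int right)
{
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0 || size == 0 || size > (size_t)pg)
        return -1;
    o->page = (size_t)pg;
    o->region = mmap(NULL, 3 * o->page, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (o->region == MAP_FAILED)
        return -1;
    if (mprotect(o->region + o->page, o->page, PROT_READ | PROT_WRITE) != 0) {
        munmap(o->region, 3 * o->page);
        return -1;
    }
    o->ptr = o->region + o->page + (right ? o->page - size : 0);
    return 0;
}

/* "Free" by protecting the object page as well, so stale pointers fault. */
static int guarded_free(struct guarded_obj *o)
{
    return mprotect(o->region + o->page, o->page, PROT_NONE);
}

/* Read one byte at object + off and classify the fault, if any. */
static enum err checked_read(struct guarded_obj *o, long off)
{
    volatile unsigned char *addr = o->ptr + off;
    enum err result = ERR_NONE;
    probing = 1;
    if (sigsetjmp(fault_env, 1) == 0)
        (void)*addr;                /* a fault resumes in an else branch */
    else if ((unsigned char *)fault_addr < o->region + o->page)
        result = ERR_OOB_LEFT;
    else if ((unsigned char *)fault_addr >= o->region + 2 * o->page)
        result = ERR_OOB_RIGHT;
    else
        result = ERR_UAF;           /* object page only faults once freed */
    probing = 0;
    return result;
}

int main(void)
{
    struct guarded_obj o;
    if (install_fault_handler() || guarded_alloc(&o, 32, 1))
        return 1;
    printf("one past end -> %d\n", checked_read(&o, 32));
    return guarded_free(&o) || checked_read(&o, 0) != ERR_UAF;
}
```

In this sketch a left-aligned object faults only on an access before its start, and a right-aligned one only on an access past its end, because the rest of the object page stays readable.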