From: Marco Elver <elver@google.com>
To: Qian Cai <cai@redhat.com>
Cc: Mark Rutland <mark.rutland@arm.com>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Linux Memory Management List <linux-mm@kvack.org>,
Eric Dumazet <edumazet@google.com>,
Alexander Potapenko <glider@google.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Christoph Lameter <cl@linux.com>, Will Deacon <will@kernel.org>,
Jonathan Corbet <corbet@lwn.net>,
the arch/x86 maintainers <x86@kernel.org>,
kasan-dev <kasan-dev@googlegroups.com>,
Ingo Molnar <mingo@redhat.com>, Vlastimil Babka <vbabka@suse.cz>,
David Rientjes <rientjes@google.com>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
Kees Cook <keescook@chromium.org>,
"Paul E. McKenney" <paulmck@kernel.org>,
Jann Horn <jannh@google.com>,
Andrey Konovalov <andreyknvl@google.com>,
Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Thomas Gleixner <tglx@linutronix.de>,
Andrew Morton <akpm@linux-foundation.org>,
Dmitry Vyukov <dvyukov@google.com>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
LKML <linux-kernel@vger.kernel.org>,
Pekka Enberg <penberg@kernel.org>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>
Subject: Re: [PATCH v2 00/10] KFENCE: A low-overhead sampling-based memory safety error detector
Date: Fri, 18 Sep 2020 13:59:15 +0200 [thread overview]
Message-ID: <CANpmjNMkjuW_qU+G77UUzgqGx+e2RswfhYuWTFMq2da2NwqSdA@mail.gmail.com> (raw)
In-Reply-To: <115e74b249417340b5c411f286768dbdb916fd12.camel@redhat.com>
On Fri, 18 Sep 2020 at 13:17, Qian Cai <cai@redhat.com> wrote:
>
> On Tue, 2020-09-15 at 15:20 +0200, Marco Elver wrote:
> > This adds the Kernel Electric-Fence (KFENCE) infrastructure. KFENCE is a
> > low-overhead sampling-based memory safety error detector of heap
> > use-after-free, invalid-free, and out-of-bounds access errors. This
> > series enables KFENCE for the x86 and arm64 architectures, and adds
> > KFENCE hooks to the SLAB and SLUB allocators.
> >
> > KFENCE is designed to be enabled in production kernels, and has near
> > zero performance overhead. Compared to KASAN, KFENCE trades performance
> > for precision. The main motivation behind KFENCE's design, is that with
> > enough total uptime KFENCE will detect bugs in code paths not typically
> > exercised by non-production test workloads. One way to quickly achieve a
> > large enough total uptime is when the tool is deployed across a large
> > fleet of machines.
> >
> > KFENCE objects each reside on a dedicated page, at either the left or
> > right page boundaries. The pages to the left and right of the object
> > page are "guard pages", whose attributes are changed to a protected
> > state, and cause page faults on any attempted access to them. Such page
> > faults are then intercepted by KFENCE, which handles the fault
> > gracefully by reporting a memory access error.
> >
> > Guarded allocations are set up based on a sample interval (can be set
> > via kfence.sample_interval). After expiration of the sample interval,
> > the next allocation through the main allocator (SLAB or SLUB) returns a
> > guarded allocation from the KFENCE object pool. At this point, the timer
> > is reset, and the next allocation is set up after the expiration of the
> > interval.
> >
> > To enable/disable a KFENCE allocation through the main allocator's
> > fast-path without overhead, KFENCE relies on static branches via the
> > static keys infrastructure. The static branch is toggled to redirect the
> > allocation to KFENCE.
> >
> > The KFENCE memory pool is of fixed size, and if the pool is exhausted no
> > further KFENCE allocations occur. The default config is conservative
> > with only 255 objects, resulting in a pool size of 2 MiB (with 4 KiB
> > pages).
> >
> > We have verified by running synthetic benchmarks (sysbench I/O,
> > hackbench) that a kernel with KFENCE is performance-neutral compared to
> > a non-KFENCE baseline kernel.
> >
> > KFENCE is inspired by GWP-ASan [1], a userspace tool with similar
> > properties. The name "KFENCE" is a homage to the Electric Fence Malloc
> > Debugger [2].
> >
> > For more details, see Documentation/dev-tools/kfence.rst added in the
> > series -- also viewable here:
>
> Does anybody else grow tried of all those different *imperfect* versions of in-
> kernel memory safety error detectors? KASAN-generic, KFENCE, KASAN-tag-based
> etc. Then, we have old things like page_poison, SLUB debugging, debug_pagealloc
> etc which are pretty much inefficient to detect bugs those days compared to
> KASAN. Can't we work towards having a single implementation and clean up all
> those mess?
If you have suggestions on how to get a zero-overhead, precise
("perfect") memory safety error detector without new hardware
extensions, we're open to suggestions -- many people over many years
have researched this problems, and while we're making progress for C
(and C++), the fact remains that what you're asking is likely
impossible. This might be useful background:
https://arxiv.org/pdf/1802.09517.pdf
The fact remains that requirements and environments vary across
applications and usecases. Maybe for one usecase (debugging, test env)
normal KASAN is just fine. But that doesn't work for production, where
we want to have max performance.
MTE will get us closer (no silicon yet, and ARM64 only for now), but
depending on implementation might come with small overheads, although
quite acceptable for most environments with increasing processing
power modern CPUs deliver.
Yet for other environments, where even a small performance regression
is unacceptable, and where it's infeasible to capture in tests what
the workloads execute, KFENCE is a very attractive option.
There have also been discussions on using Rust in the kernel [1], but
this is just not feasible for core kernel code in the near future
(even then, you'll still need dynamic error detection tools for all
the unsafe bits, of which there are many in an OS kernel).
[1] https://lwn.net/Articles/829858/
Thanks,
-- Marco
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
prev parent reply other threads:[~2020-09-18 12:01 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-15 13:20 [PATCH v2 00/10] KFENCE: A low-overhead sampling-based memory safety error detector Marco Elver
2020-09-15 13:20 ` [PATCH v2 01/10] mm: add Kernel Electric-Fence infrastructure Marco Elver
2020-09-17 13:26 ` Hillf Danton
2020-09-17 13:36 ` Marco Elver
2020-09-17 23:45 ` Hillf Danton
2020-09-15 13:20 ` [PATCH v2 02/10] x86, kfence: enable KFENCE for x86 Marco Elver
2020-09-15 13:20 ` [PATCH v2 03/10] arm64, kfence: enable KFENCE for ARM64 Marco Elver
2020-09-15 13:20 ` [PATCH v2 04/10] mm, kfence: insert KFENCE hooks for SLAB Marco Elver
2020-09-17 9:37 ` Christopher Lameter
2020-09-17 9:47 ` Alexander Potapenko
2020-09-15 13:20 ` [PATCH v2 05/10] mm, kfence: insert KFENCE hooks for SLUB Marco Elver
2020-09-17 9:40 ` Christopher Lameter
2020-09-17 9:51 ` Alexander Potapenko
2020-09-15 13:20 ` [PATCH v2 06/10] kfence, kasan: make KFENCE compatible with KASAN Marco Elver
2020-09-15 13:20 ` [PATCH v2 07/10] kfence, kmemleak: make KFENCE compatible with KMEMLEAK Marco Elver
2020-09-15 13:20 ` [PATCH v2 08/10] kfence, lockdep: make KFENCE compatible with lockdep Marco Elver
2020-09-15 13:20 ` [PATCH v2 09/10] kfence, Documentation: add KFENCE documentation Marco Elver
2020-09-15 13:20 ` [PATCH v2 10/10] kfence: add test suite Marco Elver
2020-09-15 13:49 ` [PATCH v2 00/10] KFENCE: A low-overhead sampling-based memory safety error detector Dmitry Vyukov
2020-09-18 11:17 ` Qian Cai
2020-09-18 11:59 ` Marco Elver [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CANpmjNMkjuW_qU+G77UUzgqGx+e2RswfhYuWTFMq2da2NwqSdA@mail.gmail.com \
--to=elver@google.com \
--cc=Jonathan.Cameron@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@google.com \
--cc=aryabinin@virtuozzo.com \
--cc=bp@alien8.de \
--cc=cai@redhat.com \
--cc=catalin.marinas@arm.com \
--cc=cl@linux.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=glider@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=jannh@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=keescook@chromium.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=paulmck@kernel.org \
--cc=penberg@kernel.org \
--cc=peterz@infradead.org \
--cc=rientjes@google.com \
--cc=tglx@linutronix.de \
--cc=vbabka@suse.cz \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).