kfence.rst - OpenGrok cross reference for /linux-6.14.4/Documentation/dev-tools/kfence.rst

Lines Matching +full:page +full:- +full:based
1 .. SPDX-License-Identifier: GPL-2.0
4 Kernel Electric-Fence (KFENCE)
7 Kernel Electric-Fence (KFENCE) is a low-overhead sampling-based memory safety
8 error detector. KFENCE detects heap out-of-bounds access, use-after-free, and
9 invalid-free errors.
15 non-production test workloads. One way to quickly achieve a large enough total
19 -----
26 ``kfence.sample_interval`` to non-zero value), configure the kernel with::
46 causes CPU wake-ups when the system is completely idle. This may be undesirable
47 on power-constrained systems. The boot parameter ``kfence.deferrable=1``
48 instead switches to a "deferrable" timer which does not force CPU wake-ups on
58 kernel boot parameter ``kfence.burst`` can be set to a non-zero value which
67 page; object pages are interleaved with guard pages, and every object page is
74 Using the default config, and assuming a page size of 4 KiB, results in
78 pool is using pages of size ``PAGE_SIZE``. This will result in additional page
84 A typical out-of-bounds access looks like this::
87     BUG: KFENCE: out-of-bounds read in test_out_of_bounds_read+0xa6/0x234
89     Out-of-bounds read at 0xffff8c3f2e291fff (1B left of kfence-#72):
96     kfence-#72: 0xffff8c3f2e292000-0xffff8c3f2e29201f, size=32, cache=kmalloc-32
106     CPU: 0 PID: 484 Comm: kunit_try_catch Not tainted 5.13.0-rc3+ #7
107     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
115 Use-after-free accesses are reported as::
118     BUG: KFENCE: use-after-free read in test_use_after_free_read+0xb3/0x143
120     Use-after-free read at 0xffff8c3f2e2a0000 (in kfence-#79):
127     kfence-#79: 0xffff8c3f2e2a0000-0xffff8c3f2e2a001f, size=32, cache=kmalloc-32
144     CPU: 2 PID: 488 Comm: kunit_try_catch Tainted: G    B             5.13.0-rc3+ #7
145     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
148 KFENCE also reports on invalid frees, such as double-frees::
153     Invalid free of 0xffff8c3f2e2a4000 (in kfence-#81):
160     kfence-#81: 0xffff8c3f2e2a4000-0xffff8c3f2e2a401f, size=32, cache=kmalloc-32
177     CPU: 1 PID: 490 Comm: kunit_try_catch Tainted: G    B             5.13.0-rc3+ #7
178     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
181 KFENCE also uses pattern-based redzones on the other side of an object's guard
182 page, to detect out-of-bounds writes on the unprotected side of the object.
188     Corrupted memory at 0xffff8c3f2e33aff9 [ 0xac . . . . . . ] (in kfence-#156):
195     kfence-#156: 0xffff8c3f2e33afb0-0xffff8c3f2e33aff8, size=73, cache=kmalloc-96
205     CPU: 7 PID: 502 Comm: kunit_try_catch Tainted: G    B             5.13.0-rc3+ #7
206     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
218 And finally, KFENCE may also report on invalid accesses to any protected page
232     CPU: 4 PID: 124 Comm: kunit_try_catch Tainted: G        W         5.8.0-rc6+ #7
233     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
247 ----------------------
249 Guarded allocations are set up based on the sample interval. After expiration
256 through the main allocator's fast-path by relying on static branches via the
262 KFENCE objects each reside on a dedicated page, at either the left or right
263 page boundaries selected at random. The pages to the left and right of the
264 object page are "guard pages", whose attributes are changed to a protected
265 state, and cause page faults on any attempted access. Such page faults are then
267 out-of-bounds access, and marking the page as accessible so that the faulting
270 To detect out-of-bounds writes to memory within the object's page itself,
271 KFENCE also uses pattern-based redzones. For each object page, a redzone is set
272 up for all non-object memory. For typical alignments, the redzone is only
277 The following figure illustrates the page layout::
279     ---+-----------+-----------+-----------+-----------+-----------+---
282        | x GUARD x | J : RED-  | x GUARD x | RED-  : J | x GUARD x |
286     ---+-----------+-----------+-----------+-----------+-----------+---
288 Upon deallocation of a KFENCE object, the object's page is again protected and
290 and KFENCE reports a use-after-free access. Freed objects are inserted at the
292 first, and the chances of detecting use-after-frees of recently freed objects
299 based on its partial allocation stack trace. A side-effect is that this also
300 limits frequent long-lived allocations (e.g. pagecache) of the same source
307 ---------
310 page handling code to set up and deal with KFENCE allocations.
312 .. kernel-doc:: include/linux/kfence.h
320 -------------
322 In userspace, a similar approach is taken by `GWP-ASan
323 <http://llvm.org/docs/GwpAsan.html>`_. GWP-ASan also relies on guard pages and
325 directly influenced by GWP-ASan, and can be seen as its kernel sibling. Another
326 similar but non-sampling approach, that also inspired the name "KFENCE", can be
336 different target environments. For instance, KASAN is the better debugging-aid,