From: Marco Elver
Date: Wed, 4 Nov 2020 13:36:20 +0100
Subject: Re: [PATCH v7 0/9] KFENCE: A low-overhead sampling-based memory safety error detector
To: Andrew Morton
Cc: Alexander Potapenko, "H. Peter Anvin", "Paul E. McKenney",
    Andrey Konovalov, Andrey Ryabinin, Andy Lutomirski, Borislav Petkov,
    Catalin Marinas, Christoph Lameter, Dave Hansen, David Rientjes,
    Dmitry Vyukov, Eric Dumazet, Greg Kroah-Hartman, Hillf Danton,
    Ingo Molnar, Jann Horn, Jonathan Cameron, Jonathan Corbet,
    Joonsoo Kim, Jörn Engel, Kees Cook, Mark Rutland, Pekka Enberg,
    Peter Zijlstra, SeongJae Park, Thomas Gleixner, Vlastimil Babka,
    Will Deacon, "the arch/x86 maintainers", "open list:DOCUMENTATION",
    LKML, kasan-dev, Linux ARM, Linux Memory Management List
References: <20201103175841.3495947-1-elver@google.com> <20201103163103.109deb9d49a140032d67434f@linux-foundation.org>
In-Reply-To: <20201103163103.109deb9d49a140032d67434f@linux-foundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 4 Nov 2020 at 01:31, Andrew Morton wrote:
> On Tue, 3 Nov 2020 18:58:32 +0100 Marco Elver wrote:
>
> > This adds the Kernel Electric-Fence (KFENCE) infrastructure. KFENCE is a
> > low-overhead sampling-based memory safety error detector of heap
> > use-after-free, invalid-free, and out-of-bounds access errors. This
> > series enables KFENCE for the x86 and arm64 architectures, and adds
> > KFENCE hooks to the SLAB and SLUB allocators.
> >
> > KFENCE is designed to be enabled in production kernels, and has near
> > zero performance overhead. Compared to KASAN, KFENCE trades performance
> > for precision. The main motivation behind KFENCE's design, is that with
> > enough total uptime KFENCE will detect bugs in code paths not typically
> > exercised by non-production test workloads. One way to quickly achieve a
> > large enough total uptime is when the tool is deployed across a large
> > fleet of machines.
>
> Has kfence detected any kernel bugs yet?  What is its track record?

Not yet, but once we deploy in various production kernels, we expect
to find new bugs (we'll report back with results once deployed).
Especially in drivers or subsystems that syzkaller+KASAN can't touch,
e.g. where real devices are required to get coverage. We expect to
have first results on this within 3 months, and can start backports
now that KFENCE for mainline is being finalized. This will likely also
make it into Android, but deployment there will take much longer.

The story is similar with the user space version of the tool
(GWP-ASan), where results started to materialize once it was deployed
across the fleet.

> Will a kfence merge permit us to remove some other memory debugging
> subsystem?  We seem to have rather a lot of them.

Nothing obvious I think. KFENCE is unique in that it is meant for
production fleets of machines (with ~zero overhead and no new HW
features), with the caveat that due to it being sampling based, it's
not so suitable for single machine testing. The other debugging tools
are suitable for the latter, but not former.

Thanks,
-- Marco