Kernel Electric-Fence: Linux 5.12 merges KFence, a low-overhead memory safety error detector

Linus Torvalds has just merged the patch series that adds KFence. KFence, short for Kernel Electric-Fence, is a low-overhead memory safety error detector and validator suitable for use in production kernel builds.

KASAN, the Kernel Address Sanitizer, has long been available as a dynamic memory error detector that catches use-after-free and out-of-bounds bugs in the Linux kernel, but its runtime cost confines it to test builds. KFence aims to provide a similar capability at far lower overhead.

Kernel Electric-Fence is a sampling-based memory safety error detector designed to catch the same classes of bug (out-of-bounds accesses, use-after-free and invalid frees). Because only a sampled subset of allocations is guarded, its overhead is low enough for production kernel builds, with near-zero performance cost. The hope is that it will uncover bugs KASAN has not yet found, since production workloads exercise different code paths than test and non-production workloads.

KFence is enabled with the new CONFIG_KFENCE Kconfig option. At boot, the kfence.sample_interval parameter sets the sampling interval in milliseconds; a value of 0 disables the feature. Any errors found are reported in the kernel log, and a DebugFS interface exposes runtime statistics.

An example of a KFence report.
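Because reports land in the kernel log alongside everything else, the first step in triage is usually to pull them out of `dmesg` output. The following Python script is an added example for this article, not code from the KFence project: it carves KFence reports out of log text and extracts the error class, the faulting location, the guarded object (number, size, slab cache), the allocating and freeing task, and the access stack. The log sample is constructed, with made-up symbols, addresses and PIDs, and the line layout it assumes is the one shown in the kernel's Documentation/dev-tools/kfence.rst; a kernel that changes the report wording would need the regular expressions adjusted.

```python
# Added example for this article, not code from the KFence project.
# Carve KFence reports out of kernel log text so they can be triaged
# (in practice, feed it the output of `dmesg`). The layout assumed is
# the one shown in the kernel's Documentation/dev-tools/kfence.rst.
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: symbols, addresses and PIDs are made up.
SAMPLE_DMESG = """\
[   12.345678] ==================================================================
[   12.345680] BUG: KFENCE: out-of-bounds read in demo_oob_read+0xa3/0x22b
[   12.345681]
[   12.345682] Out-of-bounds read at 0xffff8881c2a0ffff (1B left of kfence-#17):
[   12.345683]  demo_oob_read+0xa3/0x22b
[   12.345684]  demo_driver_probe+0x51/0x85
[   12.345685]
[   12.345686] kfence-#17 [0xffff8881c2a10000-0xffff8881c2a1001f, size=32, cache=kmalloc-32] allocated by task 507:
[   12.345687]  demo_alloc+0xf3/0x25b
[   12.345688]
[   12.345689] CPU: 4 PID: 507 Comm: modprobe Not tainted 5.12.0 #1
[   12.345690] ==================================================================
[   15.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[   20.000000] ==================================================================
[   20.000001] BUG: KFENCE: use-after-free read in demo_uaf+0x2c/0x40
[   20.000002]
[   20.000003] Use-after-free read at 0xffff8881c2a12008 (in kfence-#19):
[   20.000004]  demo_uaf+0x2c/0x40
[   20.000005]
[   20.000006] kfence-#19 [0xffff8881c2a12000-0xffff8881c2a1207f, size=128, cache=kmalloc-128] allocated by task 612:
[   20.000007]  demo_alloc+0xf3/0x25b
[   20.000008]
[   20.000009] freed by task 612:
[   20.000010]  demo_free+0x11/0x20
[   20.000011]
[   20.000012] CPU: 1 PID: 612 Comm: kworker/1:2 Not tainted 5.12.0 #1
[   20.000013] ==================================================================
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\] ?")                      # dmesg timestamp prefix
BUG_RE = re.compile(r"^BUG: KFENCE: (?P<kind>.+) in (?P<loc>\S+)$")
ACCESS_RE = re.compile(r"^\S.* 0x[0-9a-f]+ \(.*kfence-#\d+\):$")  # header of the access stack
OBJ_RE = re.compile(
    r"^kfence-#(?P<id>\d+) \[0x[0-9a-f]+-0x[0-9a-f]+, size=(?P<size>\d+), "
    r"cache=(?P<cache>\S+)\] allocated by task (?P<task>\d+):$"
)
FREED_RE = re.compile(r"^freed by task (?P<task>\d+):$")


@dataclass
class KfenceReport:
    kind: str                  # "out-of-bounds read", "use-after-free write", ...
    location: str              # symbol+offset of the faulting access
    object_id: int             # N in kfence-#N
    size: int                  # requested allocation size in bytes
    cache: str                 # slab cache the guarded object came from
    alloc_task: int            # PID that allocated the object
    free_task: Optional[int]   # PID that freed it (use-after-free reports only)
    access_stack: list = field(default_factory=list)  # frames of the faulting access


def _blocks(text):
    """Yield the lines enclosed by each pair of '====' separator lines."""
    block, inside = [], False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).rstrip()
        if line.startswith("===="):
            if inside:
                yield block
                block = []
            inside = not inside
            continue
        if inside:
            block.append(line)


def _parse_block(lines) -> Optional[KfenceReport]:
    kind = loc = obj = free_task = None
    stack, in_stack = [], False
    for line in lines:
        if (m := BUG_RE.match(line)):
            kind, loc = m["kind"], m["loc"]
        elif obj is None and ACCESS_RE.match(line):
            in_stack = True                    # frames follow until a blank line
        elif (m := OBJ_RE.match(line)):
            obj = m
        elif (m := FREED_RE.match(line)):
            free_task = int(m["task"])
        elif in_stack:
            if line.startswith(" "):
                stack.append(line.strip())
            else:
                in_stack = False
    if kind is None or obj is None:
        return None                            # not a KFence report, or truncated
    return KfenceReport(kind, loc, int(obj["id"]), int(obj["size"]), obj["cache"],
                        int(obj["task"]), free_task, stack)


def parse_kfence_reports(text: str) -> list:
    return [r for r in map(_parse_block, _blocks(text)) if r is not None]


def count_by_kind(reports) -> dict:
    counts = {}
    for r in reports:
        counts[r.kind] = counts.get(r.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for r in parse_kfence_reports(SAMPLE_DMESG):
        freed = f", freed by task {r.free_task}" if r.free_task else ""
        print(f"{r.kind} in {r.location}: kfence-#{r.object_id} size={r.size} "
              f"cache={r.cache} (allocated by task {r.alloc_task}{freed})")
        print("  access stack:", " <- ".join(r.access_stack))
```

The separator lines delimit each report, so unrelated log traffic between reports is skipped, and the allocation and free stacks are deliberately not collected into the access stack: the faulting frames are what point at the bug, while the object line tells you which slab cache and size to look at when reproducing under KASAN.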

Kernel Electric-Fence is developed by Google engineers and, like KASAN, so far supports x86_64 and ARM64. KFence has been under review for the past few months and was merged today as part of the latest batch of patches from Andrew Morton (akpm).
