| # SPDX-License-Identifier: GPL-2.0-only |
| |
| config HAVE_ARCH_KFENCE |
| bool |
| |
| menuconfig KFENCE |
| bool "KFENCE: low-overhead sampling-based memory safety error detector" |
| depends on HAVE_ARCH_KFENCE && (SLAB || SLUB) |
| select STACKTRACE |
| select IRQ_WORK |
| help |
| KFENCE is a low-overhead sampling-based detector of heap out-of-bounds |
| access, use-after-free, and invalid-free errors. KFENCE is designed |
| to have negligible cost to permit enabling it in production |
| environments. |
| |
| See <file:Documentation/dev-tools/kfence.rst> for more details. |
| |
| Note that KFENCE is not a substitute for explicit testing with tools |
| such as KASAN. KFENCE can detect a subset of bugs that KASAN can |
| detect, albeit at very different performance profiles. If you can |
| afford to use KASAN, continue using KASAN, for example in test |
| environments. If your kernel targets production use, and cannot |
| enable KASAN due to its cost, consider using KFENCE. |
| |
| if KFENCE |
| |
| config KFENCE_SAMPLE_INTERVAL |
| int "Default sample interval in milliseconds" |
| default 100 |
| help |
| The KFENCE sample interval determines the frequency with which heap |
| allocations will be guarded by KFENCE. May be overridden via boot |
| parameter "kfence.sample_interval". |
| |
| Set this to 0 to disable KFENCE by default, in which case only |
| setting "kfence.sample_interval" to a non-zero value enables KFENCE. |
| |
| config KFENCE_NUM_OBJECTS |
| int "Number of guarded objects available" |
| range 1 65535 |
| default 255 |
| help |
| The number of guarded objects available. For each KFENCE object, 2 |
| pages are required, with one containing the object and two adjacent |
| ones used as guard pages. |
| |
| config KFENCE_DEFERRABLE |
| bool "Use a deferrable timer to trigger allocations" |
| help |
| Use a deferrable timer to trigger allocations. This avoids forcing |
| CPU wake-ups if the system is idle, at the risk of a less predictable |
| sample interval. |
| |
| Warning: The KUnit test suite fails with this option enabled - due to |
| the unpredictability of the sample interval! |
| |
| Say N if you are unsure. |
| |
| config KFENCE_STATIC_KEYS |
| bool "Use static keys to set up allocations" if EXPERT |
| depends on JUMP_LABEL |
| help |
| Use static keys (static branches) to set up KFENCE allocations. This |
| option is only recommended when using very large sample intervals, or |
| when performance has been carefully evaluated with this option. |
| |
| Using static keys comes with trade-offs that need to be carefully |
| evaluated given target workloads and system architectures. Notably, |
| enabling and disabling static keys invoke IPI broadcasts, the latency |
| and impact of which is much harder to predict than a dynamic branch. |
| |
| Say N if you are unsure. |
| |
| config KFENCE_STRESS_TEST_FAULTS |
| int "Stress testing of fault handling and error reporting" if EXPERT |
| default 0 |
| help |
| The inverse probability with which to randomly protect KFENCE object |
| pages, resulting in spurious use-after-frees. The main purpose of |
| this option is to stress test KFENCE with concurrent error reports |
| and allocations/frees. A value of 0 disables stress testing logic. |
| |
| Only for KFENCE testing; set to 0 if you are not a KFENCE developer. |
| |
| config KFENCE_KUNIT_TEST |
| tristate "KFENCE integration test suite" if !KUNIT_ALL_TESTS |
| default KUNIT_ALL_TESTS |
| depends on TRACEPOINTS && KUNIT |
| help |
| Test suite for KFENCE, testing various error detection scenarios with |
| various allocation types, and checking that reports are correctly |
| output to console. |
| |
| Say Y here if you want the test to be built into the kernel and run |
| during boot; say M if you want the test to build as a module; say N |
| if you are unsure. |
| |
| endif # KFENCE |
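
The following shell script is an added example, not part of the kernel tree: it reads a kernel .config and a kernel command line, reports the effective KFENCE sample interval (applying the "kfence.sample_interval" override described above), estimates the pool size from the help text's 2 pages per object, and flags the developer-only options. The 4 KiB page size, the script name, and the decimal-only handling of the boot parameter are assumptions of this example.

```shell
#!/bin/sh
# Added example (not kernel code): audit the KFENCE options of a kernel .config.

# Print the value of CONFIG_<symbol> ($2) from .config file $1, or "n" if unset.
cfg_get() {
    v=$(sed -n "s/^CONFIG_$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-n}"
}

# Effective sample interval in ms for .config $1 and kernel command line $2.
# kfence.sample_interval on the command line overrides the built-in default;
# 0 means KFENCE is off. Only decimal overrides are handled (assumption).
effective_interval() {
    [ "$(cfg_get "$1" KFENCE)" = y ] || { echo 0; return 0; }
    iv=$(cfg_get "$1" KFENCE_SAMPLE_INTERVAL)
    for arg in $2; do
        case $arg in
            kfence.sample_interval=*[!0-9]*|kfence.sample_interval=) ;;
            kfence.sample_interval=*) iv=${arg#kfence.sample_interval=} ;;
        esac
    done
    echo "$iv"
}

# Pool estimate in KiB, using the help text's 2 pages per object.
# $2 is the page size in KiB (assumed 4 when omitted).
pool_kib() {
    [ "$(cfg_get "$1" KFENCE)" = y ] || { echo 0; return 0; }
    echo $(( $(cfg_get "$1" KFENCE_NUM_OBJECTS) * 2 * ${2:-4} ))
}

# Print one finding per line; no output means nothing to flag.
audit() {
    if [ "$(effective_interval "$1" "$2")" -eq 0 ]; then
        echo "WARN: KFENCE inactive (not built, or sample interval is 0)"
        [ "$(cfg_get "$1" KFENCE)" = y ] || return 0
    fi
    case $(cfg_get "$1" KFENCE_STRESS_TEST_FAULTS) in 0|n) ;; *)
        echo "WARN: KFENCE_STRESS_TEST_FAULTS is non-zero (spurious reports)" ;;
    esac
    [ "$(cfg_get "$1" KFENCE_DEFERRABLE)" = y ] &&
        echo "NOTE: KFENCE_DEFERRABLE=y, sample interval is less predictable"
    return 0
}

# Usage: sh kfence_audit.sh /path/to/.config   (script name is hypothetical)
if [ -f "${1:-}" ]; then
    audit "$1" "$(cat /proc/cmdline)"
fi
```

On a running system the live value can be compared against this result by reading /sys/module/kfence/parameters/sample_interval.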