include/linux/kfence.h

0001 /* SPDX-License-Identifier: GPL-2.0 */
0002 /*
0003  * Kernel Electric-Fence (KFENCE). Public interface for allocator and fault
0004  * handler integration. For more info see Documentation/dev-tools/kfence.rst.
0005  *
0006  * Copyright (C) 2020, Google LLC.
0007  */
0008
0009 #ifndef _LINUX_KFENCE_H
0010 #define _LINUX_KFENCE_H
0011
0012 #include <linux/mm.h>
0013 #include <linux/types.h>
0014
0015 #ifdef CONFIG_KFENCE
0016
0017 #include <linux/atomic.h>
0018 #include <linux/static_key.h>
0019
0020 extern unsigned long kfence_sample_interval;
0021
0022 /*
0023  * We allocate an even number of pages, as it simplifies calculations to map
0024  * address to metadata indices; effectively, the very first page serves as an
0025  * extended guard page, but otherwise has no special purpose.
0026  */
0027 #define KFENCE_POOL_SIZE ((CONFIG_KFENCE_NUM_OBJECTS + 1) * 2 * PAGE_SIZE)
0028 extern char *__kfence_pool;
0029
0030 DECLARE_STATIC_KEY_FALSE(kfence_allocation_key);
0031 extern atomic_t kfence_allocation_gate;
0032
0033 /**
0034  * is_kfence_address() - check if an address belongs to KFENCE pool
0035  * @addr: address to check
0036  *
0037  * Return: true or false depending on whether the address is within the KFENCE
0038  * object range.
0039  *
0040  * KFENCE objects live in a separate page range and are not to be intermixed
0041  * with regular heap objects (e.g. KFENCE objects must never be added to the
0042  * allocator freelists). Failing to do so may and will result in heap
0043  * corruptions, therefore is_kfence_address() must be used to check whether
0044  * an object requires specific handling.
0045  *
0046  * Note: This function may be used in fast-paths, and is performance critical.
0047  * Future changes should take this into account; for instance, we want to avoid
0048  * introducing another load and therefore need to keep KFENCE_POOL_SIZE a
0049  * constant (until immediate patching support is added to the kernel).
0050  */
0051 static __always_inline bool is_kfence_address(const void *addr)
0052 {
0053     /*
0054      * The __kfence_pool != NULL check is required to deal with the case
0055      * where __kfence_pool == NULL && addr < KFENCE_POOL_SIZE. Keep it in
0056      * the slow-path after the range-check!
0057      */
0058     return unlikely((unsigned long)((char *)addr - __kfence_pool) < KFENCE_POOL_SIZE && __kfence_pool);
0059 }
0060
0061 /**
0062  * kfence_alloc_pool() - allocate the KFENCE pool via memblock
0063  */
0064 void __init kfence_alloc_pool(void);
0065
0066 /**
0067  * kfence_init() - perform KFENCE initialization at boot time
0068  *
0069  * Requires that kfence_alloc_pool() was called before. This sets up the
0070  * allocation gate timer, and requires that workqueues are available.
0071  */
0072 void __init kfence_init(void);
0073
0074 /**
0075  * kfence_shutdown_cache() - handle shutdown_cache() for KFENCE objects
0076  * @s: cache being shut down
0077  *
0078  * Before shutting down a cache, one must ensure there are no remaining objects
0079  * allocated from it. Because KFENCE objects are not referenced from the cache
0080  * directly, we need to check them here.
0081  *
0082  * Note that shutdown_cache() is internal to SL*B, and kmem_cache_destroy() does
0083  * not return if allocated objects still exist: it prints an error message and
0084  * simply aborts destruction of a cache, leaking memory.
0085  *
0086  * If the only such objects are KFENCE objects, we will not leak the entire
0087  * cache, but instead try to provide more useful debug info by making allocated
0088  * objects "zombie allocations". Objects may then still be used or freed (which
0089  * is handled gracefully), but usage will result in showing KFENCE error reports
0090  * which include stack traces to the user of the object, the original allocation
0091  * site, and caller to shutdown_cache().
0092  */
0093 void kfence_shutdown_cache(struct kmem_cache *s);
0094
0095 /*
0096  * Allocate a KFENCE object. Allocators must not call this function directly,
0097  * use kfence_alloc() instead.
0098  */
0099 void *__kfence_alloc(struct kmem_cache *s, size_t size, gfp_t flags);
0100
0101 /**
0102  * kfence_alloc() - allocate a KFENCE object with a low probability
0103  * @s:     struct kmem_cache with object requirements
0104  * @size:  exact size of the object to allocate (can be less than @s->size
0105  *         e.g. for kmalloc caches)
0106  * @flags: GFP flags
0107  *
0108  * Return:
0109  * * NULL     - must proceed with allocating as usual,
0110  * * non-NULL - pointer to a KFENCE object.
0111  *
0112  * kfence_alloc() should be inserted into the heap allocation fast path,
0113  * allowing it to transparently return KFENCE-allocated objects with a low
0114  * probability using a static branch (the probability is controlled by the
0115  * kfence.sample_interval boot parameter).
0116  */
0117 static __always_inline void *kfence_alloc(struct kmem_cache *s, size_t size, gfp_t flags)
0118 {
0119 #if defined(CONFIG_KFENCE_STATIC_KEYS) || CONFIG_KFENCE_SAMPLE_INTERVAL == 0
0120     if (!static_branch_unlikely(&kfence_allocation_key))
0121         return NULL;
0122 #else
0123     if (!static_branch_likely(&kfence_allocation_key))
0124         return NULL;
0125 #endif
0126     if (likely(atomic_read(&kfence_allocation_gate)))
0127         return NULL;
0128     return __kfence_alloc(s, size, flags);
0129 }
0130
0131 /**
0132  * kfence_ksize() - get actual amount of memory allocated for a KFENCE object
0133  * @addr: pointer to a heap object
0134  *
0135  * Return:
0136  * * 0     - not a KFENCE object, must call __ksize() instead,
0137  * * non-0 - this many bytes can be accessed without causing a memory error.
0138  *
0139  * kfence_ksize() returns the number of bytes requested for a KFENCE object at
0140  * allocation time. This number may be less than the object size of the
0141  * corresponding struct kmem_cache.
0142  */
0143 size_t kfence_ksize(const void *addr);
0144
0145 /**
0146  * kfence_object_start() - find the beginning of a KFENCE object
0147  * @addr: address within a KFENCE-allocated object
0148  *
0149  * Return: address of the beginning of the object.
0150  *
0151  * SL[AU]B-allocated objects are laid out within a page one by one, so it is
0152  * easy to calculate the beginning of an object given a pointer inside it and
0153  * the object size. The same is not true for KFENCE, which places a single
0154  * object at either end of the page. This helper function is used to find the
0155  * beginning of a KFENCE-allocated object.
0156  */
0157 void *kfence_object_start(const void *addr);
0158
0159 /**
0160  * __kfence_free() - release a KFENCE heap object to KFENCE pool
0161  * @addr: object to be freed
0162  *
0163  * Requires: is_kfence_address(addr)
0164  *
0165  * Release a KFENCE object and mark it as freed.
0166  */
0167 void __kfence_free(void *addr);
0168
0169 /**
0170  * kfence_free() - try to release an arbitrary heap object to KFENCE pool
0171  * @addr: object to be freed
0172  *
0173  * Return:
0174  * * false - object doesn't belong to KFENCE pool and was ignored,
0175  * * true  - object was released to KFENCE pool.
0176  *
0177  * Release a KFENCE object and mark it as freed. May be called on any object,
0178  * even non-KFENCE objects, to simplify integration of the hooks into the
0179  * allocator's free codepath. The allocator must check the return value to
0180  * determine if it was a KFENCE object or not.
0181  */
0182 static __always_inline __must_check bool kfence_free(void *addr)
0183 {
0184     if (!is_kfence_address(addr))
0185         return false;
0186     __kfence_free(addr);
0187     return true;
0188 }
0189
0190 /**
0191  * kfence_handle_page_fault() - perform page fault handling for KFENCE pages
0192  * @addr: faulting address
0193  * @is_write: is access a write
0194  * @regs: current struct pt_regs (can be NULL, but shows full stack trace)
0195  *
0196  * Return:
0197  * * false - address outside KFENCE pool,
0198  * * true  - page fault handled by KFENCE, no additional handling required.
0199  *
0200  * A page fault inside KFENCE pool indicates a memory error, such as an
0201  * out-of-bounds access, a use-after-free or an invalid memory access. In these
0202  * cases KFENCE prints an error message and marks the offending page as
0203  * present, so that the kernel can proceed.
0204  */
0205 bool __must_check kfence_handle_page_fault(unsigned long addr, bool is_write, struct pt_regs *regs);
0206
0207 #ifdef CONFIG_PRINTK
0208 struct kmem_obj_info;
0209 /**
0210  * __kfence_obj_info() - fill kmem_obj_info struct
0211  * @kpp: kmem_obj_info to be filled
0212  * @object: the object
0213  *
0214  * Return:
0215  * * false - not a KFENCE object
0216  * * true - a KFENCE object, filled @kpp
0217  *
0218  * Copies information to @kpp for KFENCE objects.
0219  */
0220 bool __kfence_obj_info(struct kmem_obj_info *kpp, void *object, struct slab *slab);
0221 #endif
0222
0223 #else /* CONFIG_KFENCE */
0224
0225 static inline bool is_kfence_address(const void *addr) { return false; }
0226 static inline void kfence_alloc_pool(void) { }
0227 static inline void kfence_init(void) { }
0228 static inline void kfence_shutdown_cache(struct kmem_cache *s) { }
0229 static inline void *kfence_alloc(struct kmem_cache *s, size_t size, gfp_t flags) { return NULL; }
0230 static inline size_t kfence_ksize(const void *addr) { return 0; }
0231 static inline void *kfence_object_start(const void *addr) { return NULL; }
0232 static inline void __kfence_free(void *addr) { }
0233 static inline bool __must_check kfence_free(void *addr) { return false; }
0234 static inline bool __must_check kfence_handle_page_fault(unsigned long addr, bool is_write,
0235                              struct pt_regs *regs)
0236 {
0237     return false;
0238 }
0239
0240 #ifdef CONFIG_PRINTK
0241 struct kmem_obj_info;
0242 static inline bool __kfence_obj_info(struct kmem_obj_info *kpp, void *object, struct slab *slab)
0243 {
0244     return false;
0245 }
0246 #endif
0247
0248 #endif
0249
0250 #endif /* _LINUX_KFENCE_H */