On Mon, 7 Sep 2020 at 19:55, Andrey Konovalov <andreyknvl@xxxxxxxxxx> wrote:
> On Mon, Sep 7, 2020 at 6:33 PM Marco Elver <elver@xxxxxxxxxx> wrote:

[...]

> > > > +Guarded allocations are set up based on the sample interval. After expiration
> > > > +of the sample interval, a guarded allocation from the KFENCE object pool is
> > > > +returned to the main allocator (SLAB or SLUB).
> > >
> > > Only for freed allocations, right?
> >
> > Which "freed allocation"? What this paragraph says is that after the
> > sample interval elapsed, we'll return a KFENCE allocation on kmalloc.
> > It doesn't yet talk about freeing.
>
> It says that an allocation is returned to the main allocator, and this
> is what is usually described with the word "freed". Do you mean
> something else here?

Ah, I see what's going on. So the "returned to the main allocator" is
ambiguous here. I meant to say "returned" as in kfence gives sl[au]b a
kfence object to return for the next kmalloc. I'll reword this as it
seems the phrase is overloaded in this context already.

[...]

> > > > +Upon deallocation of a KFENCE object, the object's page is again protected and
> > > > +the object is marked as freed. Any further access to the object causes a fault
> > > > +and KFENCE reports a use-after-free access. Freed objects are inserted at the
> > > > +tail of KFENCE's freelist, so that the least recently freed objects are reused
> > > > +first, and the chances of detecting use-after-frees of recently freed objects
> > > > +is increased.
> > >
> > > Seems really similar to KASAN's quarantine? Is the implementation much
> > > different?
> >
> > It's a list, and we just insert at the tail. Why does it matter?
>
> If the implementation is similar, we can then reuse quarantine. But I
> guess it's not.

The concept is similar, but the implementations are very different. Both
use a list (although KASAN quarantine seems to reimplement its own
singly-linked list). We just rely on a standard doubly-linked list, without
any of the delayed freeing logic of the KASAN quarantine as KFENCE objects
just change state to "freed" until they're reused (freed kfence objects are
just inserted at the tail, and the next object to be used for an allocation
is at the head).

Thanks,
-- Marco
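A small model of the freelist behaviour described in the message above, added here as an example and not KFENCE's own code: it assumes a tiny static pool and a hand-rolled doubly-linked list instead of the kernel's list.h, and replaces the guard-page protection with a per-object state so that a use-after-free or invalid free shows up as a state check rather than a fault.

```c
#include <stdbool.h>
#include <stddef.h>
/* Added example (not kernel code) modelling the KFENCE freelist from the thread:
 * freed objects go to the tail, allocations take the head, and a state field
 * stands in for the guard-page protection. */
enum kf_state { KF_UNUSED, KF_ALLOCATED, KF_FREED };
struct kf_obj { int id; enum kf_state state; struct kf_obj *prev, *next; };
#define POOL_SIZE 4                /* assumed tiny pool for the demo */
static struct kf_obj pool[POOL_SIZE];
static struct kf_obj *head, *tail; /* head: reused next; tail: freed last */

static void push_tail(struct kf_obj *o) {
    o->next = NULL; o->prev = tail;
    if (tail) tail->next = o; else head = o;
    tail = o;
}

static struct kf_obj *pop_head(void) {
    struct kf_obj *o = head;
    if (!o) return NULL;           /* pool exhausted: caller falls back to slab */
    head = o->next;
    if (head) head->prev = NULL; else tail = NULL;
    o->prev = o->next = NULL;
    return o;
}

/* Put every object on the freelist; returns the pool size. */
int pool_init(void) {
    head = tail = NULL;
    for (int i = 0; i < POOL_SIZE; i++) { pool[i].id = i; pool[i].state = KF_UNUSED; push_tail(&pool[i]); }
    return POOL_SIZE;
}

/* Allocation takes the head, so the least recently freed object is reused first. */
struct kf_obj *kf_alloc(void) {
    struct kf_obj *o = pop_head();
    if (o) o->state = KF_ALLOCATED;
    return o;
}

/* Free only flips the state and appends to the tail; freeing an object that is
 * not allocated is an invalid free (KFENCE reports it; here we return false). */
bool kf_free(struct kf_obj *o) {
    if (o->state != KF_ALLOCATED) return false;
    o->state = KF_FREED;
    push_tail(o);
    return true;
}
/* Stand-in for the guard-page fault: any access to a FREED object is a UAF. */
bool kf_access_is_uaf(const struct kf_obj *o) { return o->state == KF_FREED; }
```

With a pool of four, allocating two objects, freeing both and then allocating again hands out the two never-used objects first and only then the earliest-freed one, which is the "least recently freed objects are reused first" property the documentation describes.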