Hi Marco,

On Mon, Jul 07, 2025 at 09:08:29PM +0200, Marco Elver wrote:
> > > > > Did you run the tests? Do they pass?
> > > >
> > > > I don't know how to run them. I've only built the kernel. If you point
> > > > me to instructions on how to run them, I'll do so. Thanks!
> > >
> > > Should just be CONFIG_KFENCE_KUNIT_TEST=y -- then boot kernel and
> > > check that the test reports "ok".
> >
> > Hmmm, I can't see the results. Did I miss anything?
> >
> >     alx@debian:~$ uname -a
> >     Linux debian 6.15.0-seprintf-mm+ #5 SMP PREEMPT_DYNAMIC Mon Jul 7 19:16:40 CEST 2025 x86_64 GNU/Linux
> >     alx@debian:~$ cat /boot/config-6.15.0-seprintf-mm+ | grep KFENCE
> >     CONFIG_HAVE_ARCH_KFENCE=y
> >     CONFIG_KFENCE=y
> >     CONFIG_KFENCE_SAMPLE_INTERVAL=0
>
> ^^ This means KFENCE is off.
>
> Not sure why it's 0 (distro default config?), but if you switch it to
> something like:

Yup, Debian default config plus what you told me. :)

>
> CONFIG_KFENCE_SAMPLE_INTERVAL=10

Thanks! Now I see the tests. I see no regressions. I've tested both
v6.15 and my branch, and see no differences:

This was generated with the kernel built from my branch:

    $ sudo dmesg | grep -inC2 kfence | sed 's/^....//' > tmp/log_after

This was generated with a v6.15 kernel with the same exact config:

    $ sudo dmesg | grep -inC2 kfence | sed 's/^....//' > tmp/log_before

And here's a diff, ignoring some numbers that were easy to filter out:

    $ diff -U999 \
        <(cat tmp/log_before \
            | sed 's/0x[0-9a-f]*/0x????/g' \
            | sed 's/[[:digit:]]\.[[:digit:]]\+/?.?/g' \
            | sed 's/#[[:digit:]]\+/#???/g') \
        <(cat tmp/log_after \
            | sed 's/0x[0-9a-f]*/0x????/g' \
            | sed 's/[[:digit:]]\.[[:digit:]]\+/?.?/g' \
            | sed 's/#[[:digit:]]\+/#???/g');
--- /dev/fd/63 2025-07-07 22:47:37.395608776 +0200 +++ /dev/fd/62 2025-07-07 22:47:37.395608776 +0200
@@ -1,303 +1,303 @@ [ ?.?] NR_IRQS: 524544, nr_irqs: 1096, preallocated irqs: 16 [ ?.?] rcu: srcu_init: Setting srcu_struct sizes based on contention. [ ?.?] kfence: initialized - using 2097152 bytes for 255 objects at 0x????(____ptrval____)-0x????(____ptrval____) [ ?.?] Console: colour dummy device 80x???? [ ?.?] printk: legacy console [tty0] enabled -- [ ?.?] ok 7 sysctl_test [ ?.?] KTAP version 1 [ ?.?] # Subtest: kfence [ ?.?] 1..27 [ ?.?] # test_out_of_bounds_read: test_alloc: size=32, gfp=cc0, policy=left, cache=0 [ ?.?] ================================================================== [ ?.?] BUG: KFENCE: out-of-bounds read in test_out_of_bounds_read+0x????/0x???? [ ?.?] Out-of-bounds read at 0x???? (1B left of kfence-#???): [ ?.?] test_out_of_bounds_read+0x????/0x???? [ ?.?] kunit_try_run_case+0x????/0x???? -- [ ?.?] ret_from_fork_asm+0x????/0x???? [ ?.?] kfence-#???: 0x????-0x????, size=32, cache=kmalloc-32 -[ ?.?] allocated by task 281 on cpu 6 at ?.?s (?.?s ago): +[ ?.?] allocated by task 286 on cpu 8 at ?.?s (?.?s ago): -- [ ?.?] # test_out_of_bounds_read: test_alloc: size=32, gfp=cc0, policy=right, cache=0 [ ?.?] ================================================================== [ ?.?] BUG: KFENCE: out-of-bounds read in test_out_of_bounds_read.cold+0x????/0x???? [ ?.?] Out-of-bounds read at 0x???? (32B right of kfence-#???): [ ?.?] test_out_of_bounds_read.cold+0x????/0x???? [ ?.?] kunit_try_run_case+0x????/0x???? -- [ ?.?] ret_from_fork_asm+0x????/0x???? [ ?.?] kfence-#???: 0x????-0x????, size=32, cache=kmalloc-32 -[ ?.?] allocated by task 281 on cpu 6 at ?.?s (?.?s ago): +[ ?.?] allocated by task 286 on cpu 11 at ?.?s (?.?s ago): -- [ ?.?] # test_out_of_bounds_read-memcache: test_alloc: size=32, gfp=cc0, policy=left, cache=1 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: out-of-bounds read in test_out_of_bounds_read+0x????/0x???? - :[ ?.?] Out-of-bounds read at 0x???? (1B left of kfence-#???): -[ ?.?] 
test_out_of_bounds_read+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=32, cache=test - --[ ?.?] allocated by task 284 on cpu 6 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 289 on cpu 8 at ?.?s (?.?s ago): -- -[ ?.?] # test_out_of_bounds_read-memcache: test_alloc: size=32, gfp=cc0, policy=right, cache=1 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: out-of-bounds read in test_out_of_bounds_read.cold+0x????/0x???? - :[ ?.?] Out-of-bounds read at 0x???? (32B right of kfence-#???): -[ ?.?] test_out_of_bounds_read.cold+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=32, cache=test - --[ ?.?] allocated by task 284 on cpu 6 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 289 on cpu 8 at ?.?s (?.?s ago): -- -[ ?.?] # test_out_of_bounds_write: test_alloc: size=32, gfp=cc0, policy=left, cache=0 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: out-of-bounds write in test_out_of_bounds_write+0x????/0x???? - :[ ?.?] Out-of-bounds write at 0x???? (1B left of kfence-#???): -[ ?.?] test_out_of_bounds_write+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=32, cache=kmalloc-32 - --[ ?.?] allocated by task 288 on cpu 6 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 291 on cpu 6 at ?.?s (?.?s ago): -- --[ ?.?] # test_out_of_bounds_write-memcache: test_alloc: size=32, gfp=cc0, policy=left, cache=1 -[ ?.?] ================================================================== +-[ ?.?] clocksource: tsc: mask: 0x???? max_cycles: 0x????, max_idle_ns: 881590599626 ns :[ ?.?] BUG: KFENCE: out-of-bounds write in test_out_of_bounds_write+0x????/0x???? - :[ ?.?] Out-of-bounds write at 0x???? (1B left of kfence-#???): -[ ?.?] 
test_out_of_bounds_write+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=32, cache=test - --[ ?.?] allocated by task 290 on cpu 6 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 293 on cpu 10 at ?.?s (?.?s ago): -- -[ ?.?] # test_use_after_free_read: test_alloc: size=32, gfp=cc0, policy=any, cache=0 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: use-after-free read in test_use_after_free_read+0x????/0x???? - :[ ?.?] Use-after-free read at 0x???? (in kfence-#???): -[ ?.?] test_use_after_free_read+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=32, cache=kmalloc-32 - --[ ?.?] allocated by task 292 on cpu 6 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 296 on cpu 10 at ?.?s (?.?s ago): -- -[ ?.?] # test_use_after_free_read-memcache: test_alloc: size=32, gfp=cc0, policy=any, cache=1 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: use-after-free read in test_use_after_free_read+0x????/0x???? - :[ ?.?] Use-after-free read at 0x???? (in kfence-#???): -[ ?.?] test_use_after_free_read+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=32, cache=test - --[ ?.?] allocated by task 294 on cpu 6 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 298 on cpu 10 at ?.?s (?.?s ago): -- -[ ?.?] # test_double_free: test_alloc: size=32, gfp=cc0, policy=any, cache=0 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: invalid free in test_double_free+0x????/0x???? - :[ ?.?] Invalid free of 0x???? (in kfence-#???): -[ ?.?] test_double_free+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] 
kfence-#???: 0x????-0x????, size=32, cache=kmalloc-32 - --[ ?.?] allocated by task 300 on cpu 6 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 304 on cpu 6 at ?.?s (?.?s ago): -- -[ ?.?] # test_double_free-memcache: test_alloc: size=32, gfp=cc0, policy=any, cache=1 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: invalid free in test_double_free+0x????/0x???? - :[ ?.?] Invalid free of 0x???? (in kfence-#???): -[ ?.?] test_double_free+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=32, cache=test - --[ ?.?] allocated by task 302 on cpu 6 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 306 on cpu 8 at ?.?s (?.?s ago): -- -[ ?.?] # test_invalid_addr_free: test_alloc: size=32, gfp=cc0, policy=any, cache=0 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: invalid free in test_invalid_addr_free+0x????/0x???? - :[ ?.?] Invalid free of 0x???? (in kfence-#???): -[ ?.?] test_invalid_addr_free+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=32, cache=kmalloc-32 - --[ ?.?] allocated by task 304 on cpu 6 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 308 on cpu 8 at ?.?s (?.?s ago): -- -[ ?.?] # test_invalid_addr_free-memcache: test_alloc: size=32, gfp=cc0, policy=any, cache=1 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: invalid free in test_invalid_addr_free+0x????/0x???? - :[ ?.?] Invalid free of 0x???? (in kfence-#???): -[ ?.?] test_invalid_addr_free+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=32, cache=test - --[ ?.?] allocated by task 306 on cpu 6 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 310 on cpu 8 at ?.?s (?.?s ago): -- -[ ?.?] 
# test_corruption: test_alloc: size=32, gfp=cc0, policy=left, cache=0 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: memory corruption in test_corruption+0x????/0x???? - :[ ?.?] Corrupted memory at 0x???? [ ! . . . . . . . . . . . . . . . ] (in kfence-#???): -[ ?.?] test_corruption+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=32, cache=kmalloc-32 - --[ ?.?] allocated by task 308 on cpu 6 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 312 on cpu 6 at ?.?s (?.?s ago): -- -[ ?.?] # test_corruption: test_alloc: size=32, gfp=cc0, policy=right, cache=0 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: memory corruption in test_corruption+0x????/0x???? - :[ ?.?] Corrupted memory at 0x???? [ ! ] (in kfence-#???): -[ ?.?] test_corruption+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=32, cache=kmalloc-32 - --[ ?.?] allocated by task 308 on cpu 6 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 312 on cpu 6 at ?.?s (?.?s ago): -- -[ ?.?] # test_corruption-memcache: test_alloc: size=32, gfp=cc0, policy=left, cache=1 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: memory corruption in test_corruption+0x????/0x???? - :[ ?.?] Corrupted memory at 0x???? [ ! . . . . . . . . . . . . . . . ] (in kfence-#???): -[ ?.?] test_corruption+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=32, cache=test - --[ ?.?] allocated by task 310 on cpu 6 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 314 on cpu 6 at ?.?s (?.?s ago): -- -[ ?.?] # test_corruption-memcache: test_alloc: size=32, gfp=cc0, policy=right, cache=1 -[ ?.?] 
================================================================== :[ ?.?] BUG: KFENCE: memory corruption in test_corruption+0x????/0x???? - :[ ?.?] Corrupted memory at 0x???? [ ! ] (in kfence-#???): -[ ?.?] test_corruption+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=32, cache=test - --[ ?.?] allocated by task 310 on cpu 6 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 314 on cpu 6 at ?.?s (?.?s ago): -- -[ ?.?] # test_kmalloc_aligned_oob_read: test_alloc: size=73, gfp=cc0, policy=right, cache=0 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: out-of-bounds read in test_kmalloc_aligned_oob_read+0x????/0x???? - :[ ?.?] Out-of-bounds read at 0x???? (105B right of kfence-#???): -[ ?.?] test_kmalloc_aligned_oob_read+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=73, cache=kmalloc-96 - --[ ?.?] allocated by task 320 on cpu 10 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 326 on cpu 6 at ?.?s (?.?s ago): -- -[ ?.?] # test_kmalloc_aligned_oob_write: test_alloc: size=73, gfp=cc0, policy=right, cache=0 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: memory corruption in test_kmalloc_aligned_oob_write+0x????/0x???? - :[ ?.?] Corrupted memory at 0x???? [ ! . . . . . . . . . . . . . . . ] (in kfence-#???): -[ ?.?] test_kmalloc_aligned_oob_write+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=73, cache=kmalloc-96 - --[ ?.?] allocated by task 326 on cpu 8 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 328 on cpu 4 at ?.?s (?.?s ago): -- -[ ?.?] ok 22 test_memcache_ctor -[ ?.?] ================================================================== :[ ?.?] 
BUG: KFENCE: invalid read in test_invalid_access+0x????/0x???? - -[ ?.?] Invalid read at 0x????: -- -[ ?.?] # test_memcache_typesafe_by_rcu: test_alloc: size=32, gfp=cc0, policy=any, cache=1 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: use-after-free read in test_memcache_typesafe_by_rcu.cold+0x????/0x???? - :[ ?.?] Use-after-free read at 0x???? (in kfence-#???): -[ ?.?] test_memcache_typesafe_by_rcu.cold+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=32, cache=test - --[ ?.?] allocated by task 336 on cpu 6 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 338 on cpu 10 at ?.?s (?.?s ago): -- -[ ?.?] # test_krealloc: test_alloc: size=32, gfp=cc0, policy=any, cache=0 -[ ?.?] ================================================================== :[ ?.?] BUG: KFENCE: use-after-free read in test_krealloc+0x????/0x???? - :[ ?.?] Use-after-free read at 0x???? (in kfence-#???): -[ ?.?] test_krealloc+0x????/0x???? -[ ?.?] kunit_try_run_case+0x????/0x???? -- -[ ?.?] ret_from_fork_asm+0x????/0x???? - :[ ?.?] kfence-#???: 0x????-0x????, size=32, cache=kmalloc-32 - --[ ?.?] allocated by task 338 on cpu 4 at ?.?s (?.?s ago): +-[ ?.?] allocated by task 340 on cpu 6 at ?.?s (?.?s ago): -- -[ ?.?] # test_memcache_alloc_bulk: setup_test_cache: size=32, ctor=0x???? -[ ?.?] ok 27 test_memcache_alloc_bulk :[ ?.?] # kfence: pass:25 fail:0 skip:2 total:27 -[ ?.?] # Totals: pass:25 fail:0 skip:2 total:27 :[ ?.?] ok 8 kfence -[ ?.?] KTAP version 1 -[ ?.?] # Subtest: damon If you'd like me to grep for something more specific, please let me know. Cheers, Alex --
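
Review bot: nearly every `-`/`+` pair in this log diff is an `allocated by task N on cpu M` line, because the three `sed` filters normalize addresses, timestamps and `#N` object ids but not task or CPU numbers; one more filter for those two fields would leave only meaningful differences. The single remaining pair has `# test_out_of_bounds_write-memcache: test_alloc: ...` on the `-` side and a `clocksource: tsc:` line on the `+` side, which reads as an unrelated kernel message landing inside the `grep -C2` context window on one boot rather than a change in test behaviour. The result lines `# kfence: pass:25 fail:0 skip:2 total:27` and `ok 8 kfence` each appear once, outside any `-`/`+` pair, so both kernels report the same totals.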
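
A results-level comparison of two boots, as an added example that is not part of the original message: rather than diffing normalized dmesg text, it extracts each KFENCE KUnit result line and compares the statuses. The function names and the sample log excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample logs are constructed for illustration.

# kfence_results: dmesg text on stdin -> sorted "test_name status" lines for
# the KUnit "kfence" suite. Timestamps, addresses, task and CPU numbers never
# reach the output, so interleaved or per-boot noise cannot cause a mismatch.
kfence_results() {
    sed 's/^\[[^]]*] *//' | awk '
        /# Subtest: kfence/           { in_suite = 1; next }
        in_suite && /# kfence: pass:/ { in_suite = 0 }
        in_suite && ($1 == "ok" || ($1 == "not" && $2 == "ok")) {
            i = ($1 == "ok") ? 2 : 3          # field holding the test number
            status = ($1 == "ok") ? "pass" : "fail"
            if ($(i + 2) == "#" && $(i + 3) == "SKIP") status = "skip"
            print $(i + 1), status
        }' | sort
}

# kfence_regressions BEFORE AFTER: print every test whose status in AFTER
# differs from BEFORE (vanished tests included). Empty output means no change;
# a log without any results prints a message, so it never looks like a clean run.
kfence_regressions() {
    before=$(printf '%s\n' "$1" | kfence_results)
    after=$(printf '%s\n' "$2" | kfence_results)
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "no kfence KUnit results found; check CONFIG_KFENCE_KUNIT_TEST and CONFIG_KFENCE_SAMPLE_INTERVAL"
        return 0
    fi
    printf '%s\n' "$before" | while read -r name old; do
        new=$(printf '%s\n' "$after" | awk -v n="$name" '$1 == n { print $2 }')
        [ "$new" = "$old" ] || echo "$name: $old -> ${new:-absent}"
    done
}

# Constructed dmesg excerpts (not taken from the message above).
LOG_BEFORE='[    2.10]     # Subtest: kfence
[    2.20] BUG: KFENCE: invalid free in test_double_free+0x1a/0x2b
[    2.21] allocated by task 300 on cpu 6 at 2.19s (0.01s ago):
[    2.30]     ok 1 test_double_free
[    2.40]     ok 2 test_krealloc
[    2.50]     ok 3 test_memcache_alloc_bulk # SKIP constructed reason
[    2.60] # kfence: pass:2 fail:0 skip:1 total:3'
LOG_AFTER=$(printf '%s\n' "$LOG_BEFORE" | sed 's/task 300 on cpu 6/task 304 on cpu 8/')
LOG_BROKEN=$(printf '%s\n' "$LOG_BEFORE" | sed 's/ ok 2 test_krealloc/ not ok 2 test_krealloc/')

kfence_regressions "$LOG_BEFORE" "$LOG_AFTER"    # same results: prints nothing
kfence_regressions "$LOG_BEFORE" "$LOG_BROKEN"   # test_krealloc: pass -> fail
```
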