KFence Memory Safety Error Checking Is Looking Good For Minimal Overhead On Linux 5.12

Written by Michael Larabel in Linux Kernel on 19 April 2021 at 04:16 PM EDT. 2 Comments
Of the many new features coming with Linux 5.12 is KFence, short for the Kernel Electric Fence. KFence is a low-overhead memory safety error detector/validator for the kernel with lower expected overhead costs than say the Kernel Address Sanitizer. I just wrapped up some benchmarks looking out for any overhead impact of KFence on Linux 5.12 in its near-final state.

KFence is a memory safety error detector/validator designed for use within production environments and thus is optimized for low overhead. KFence aims to be more efficient than the robust Kernel Address Sanitizer (KASAN) and that it's low overhead enough to be used on production systems where KASAN is generally avoided.

KFence aims to spot out-of-bounds, use-after-free, and invalid-free memory errors within the kernel. KFence is complementary to KASAN and hopes to uncover new bugs only showing up in real production workloads.

The pull request adding KFence to the Linux 5.12 kernel indicated it should have "near zero performance overhead" and so over the weekend I decided to test that overhead claim myself with benchmarks of it disabled and then the default sampling interval of 100 and also trying 500 as just an additional verification run.

The CONFIG_KFENCE option can be enabled with KFence disabled by default at run-time based upon the default sampling interval level. That's what the likes of Ubuntu's mainline kernel PPA is doing where KFence is enabled by default as part of their Linux 5.12+ kernel builds but set to a default value of 0, which disables KFence at run-time. Booting the new kernels then with kfence.sample_interval=100 will activate the KFence at its default sampling interval.
5900X AMD Linux 5.12 KFence Overhead Test

From Linux 5.12 benchmarks I was running on an AMD Ryzen 9 5900X box using a wide variety of benchmarks both synthetic and real-world tests, I didn't encounter any measurable hits to the performance with KFence enabled. There were some minor fluctuations within just a few tests but not enough to be statistically significant.
5900X AMD Linux 5.12 KFence Overhead Test

All of the data from this KFence comparison can be found over on OpenBenchmarking.org.

So at least from this quick testing, it jives with what the developers report in that running with KFence enabled should have near-zero overhead costs. Learn more about KFence and its capabilities via this documentation commit.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week