Re: [PATCH v4 2/6] kfuzztest: implement core module and input processing

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Alexander Potapenko <glider@google.com>
To: Ethan Graham <ethan.w.s.graham@gmail.com>
Cc: akpm@linux-foundation.org, andreyknvl@gmail.com, andy@kernel.org,
	 andy.shevchenko@gmail.com, brauner@kernel.org,
	brendan.higgins@linux.dev,  davem@davemloft.net,
	davidgow@google.com, dhowells@redhat.com,  dvyukov@google.com,
	ebiggers@kernel.org, elver@google.com,
	 gregkh@linuxfoundation.org, herbert@gondor.apana.org.au,
	ignat@cloudflare.com,  jack@suse.cz, jannh@google.com,
	johannes@sipsolutions.net,  kasan-dev@googlegroups.com,
	kees@kernel.org, kunit-dev@googlegroups.com,
	 linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
	 linux-mm@kvack.org, lukas@wunner.de, mcgrof@kernel.org,
	rmoar@google.com,  shuah@kernel.org, sj@kernel.org,
	skhan@linuxfoundation.org,  tarasmadan@google.com,
	wentaoz5@illinois.edu
Subject: Re: [PATCH v4 2/6] kfuzztest: implement core module and input processing
Date: Tue, 20 Jan 2026 14:39:17 +0100	[thread overview]
Message-ID: <CAG_fn=VWpu6eDgumX7KV1LuRu+qYJjQzKqqYyapwyzPFWrAYXw@mail.gmail.com> (raw)
In-Reply-To: <20260112192827.25989-3-ethan.w.s.graham@gmail.com>

On Mon, Jan 12, 2026 at 8:28 PM Ethan Graham <ethan.w.s.graham@gmail.com> wrote:

> + * Copyright 2025 Google LLC
> + */
> +#include <linux/kfuzztest.h>

General comment: please include what you use.
Make sure there are headers for e.g. add_taint(), pr_warn(), kzalloc().


> +        * Taint the kernel on the first fuzzing invocation. The debugfs
> +        * interface provides a high-risk entry point for userspace to
> +        * call kernel functions with untrusted input.
> +        */
> +       if (!test_taint(TAINT_TEST))
> +               add_taint(TAINT_TEST, LOCKDEP_STILL_OK);
> +
> +       if (len > KFUZZTEST_MAX_INPUT_SIZE) {
> +               pr_warn("kfuzztest: user input of size %zu is too large", len);

Let's change it to pr_warn_ratelimited() to avoid log spamming.
Or maybe -EINVAL is enough for the userspace even without a log message?

> +               return -EINVAL;
> +       }
> +
> +       buffer = kzalloc(len, GFP_KERNEL);
> +       if (!buffer)
> +               return -ENOMEM;
> +
> +       ret = simple_write_to_buffer(buffer, len, off, buf, len);
> +       if (ret != len) {
> +               kfree(buffer);
> +               return -EFAULT;

I suggest returning `ret` here if it is < 0, and -EFAULT otherwise.


> +#include <linux/atomic.h>
> +#include <linux/debugfs.h>
> +#include <linux/err.h>
> +#include <linux/fs.h>
> +#include <linux/kasan.h>
> +#include <linux/kfuzztest.h>
> +#include <linux/module.h>
> +#include <linux/printk.h>

Missing <linux/slab.h> for the allocation functions.

> +       /* Create the main "kfuzztest" directory in /sys/kernel/debug. */
> +       state.kfuzztest_dir = debugfs_create_dir("kfuzztest", NULL);
> +       if (!state.kfuzztest_dir) {
> +               pr_warn("kfuzztest: could not create 'kfuzztest' debugfs directory");
> +               return -ENOMEM;

Note: leaking state.target_fops here.


> +       for (targ = __kfuzztest_simple_targets_start; targ < __kfuzztest_simple_targets_end; targ++, i++) {
> +               state.target_fops[i].target_simple = (struct file_operations){
> +                       .owner = THIS_MODULE,
> +                       .write = targ->write_input_cb,
> +               };
> +               err = initialize_target_dir(&state, targ, &state.target_fops[i]);
> +               /*
> +                * Bail out if a single target fails to initialize. This avoids
> +                * partial setup, and a failure here likely indicates an issue
> +                * with debugfs.
> +                */

An initialization failure could result from something as simple as a
name collision.
Do we want to bail out in such cases?

next prev parent reply	other threads:[~2026-01-20 13:39 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-01-12 19:28 [PATCH v4 0/6] KFuzzTest: a new kernel fuzzing framework Ethan Graham
2026-01-12 19:28 ` [PATCH v4 1/6] kfuzztest: add user-facing API and data structures Ethan Graham
2026-01-20 13:23   ` Alexander Potapenko
2026-01-12 19:28 ` [PATCH v4 2/6] kfuzztest: implement core module and input processing Ethan Graham
2026-01-20 13:39   ` Alexander Potapenko [this message]
2026-01-12 19:28 ` [PATCH v4 3/6] kfuzztest: add ReST documentation Ethan Graham
2026-01-12 19:28 ` [PATCH v4 4/6] kfuzztest: add KFuzzTest sample fuzz targets Ethan Graham
2026-01-13  2:17   ` kernel test robot
2026-01-20 14:04   ` Alexander Potapenko
2026-01-12 19:28 ` [PATCH v4 5/6] crypto: implement KFuzzTest targets for PKCS7 and RSA parsing Ethan Graham
2026-01-12 19:28 ` [PATCH v4 6/6] MAINTAINERS: add maintainer information for KFuzzTest Ethan Graham
2026-01-20 14:12   ` Alexander Potapenko
2026-01-12 19:43 ` [PATCH v4 0/6] KFuzzTest: a new kernel fuzzing framework Ethan Graham
2026-01-14 12:28 ` Ethan Graham
2026-01-14 12:37   ` Johannes Berg
2026-01-20 14:26 ` Alexander Potapenko
2026-01-30 11:13   ` Alexander Potapenko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAG_fn=VWpu6eDgumX7KV1LuRu+qYJjQzKqqYyapwyzPFWrAYXw@mail.gmail.com' \
    --to=glider@google.com \
    --cc=akpm@linux-foundation.org \
    --cc=andreyknvl@gmail.com \
    --cc=andy.shevchenko@gmail.com \
    --cc=andy@kernel.org \
    --cc=brauner@kernel.org \
    --cc=brendan.higgins@linux.dev \
    --cc=davem@davemloft.net \
    --cc=davidgow@google.com \
    --cc=dhowells@redhat.com \
    --cc=dvyukov@google.com \
    --cc=ebiggers@kernel.org \
    --cc=elver@google.com \
    --cc=ethan.w.s.graham@gmail.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=herbert@gondor.apana.org.au \
    --cc=ignat@cloudflare.com \
    --cc=jack@suse.cz \
    --cc=jannh@google.com \
    --cc=johannes@sipsolutions.net \
    --cc=kasan-dev@googlegroups.com \
    --cc=kees@kernel.org \
    --cc=kunit-dev@googlegroups.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=lukas@wunner.de \
    --cc=mcgrof@kernel.org \
    --cc=rmoar@google.com \
    --cc=shuah@kernel.org \
    --cc=sj@kernel.org \
    --cc=skhan@linuxfoundation.org \
    --cc=tarasmadan@google.com \
    --cc=wentaoz5@illinois.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox