Re: [PATCH v4 2/6] kfuzztest: implement core module and input processing

Re: [PATCH v4 2/6] kfuzztest: implement core module and input processing

[kernel test robot]

:::::: 
:::::: Manual check reason: "low confidence static check warning: lib/kfuzztest/main.c:16:1: sparse: sparse: bad integer constant expression"
:::::: 

BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
In-Reply-To: <20260112192827.25989-3-ethan.w.s.graham@gmail.com>
References: <20260112192827.25989-3-ethan.w.s.graham@gmail.com>
TO: Ethan Graham <ethan.w.s.graham@gmail.com>
TO: ethan.w.s.graham@gmail.com
TO: glider@google.com
CC: akpm@linux-foundation.org
CC: andreyknvl@gmail.com
CC: andy@kernel.org
CC: andy.shevchenko@gmail.com
CC: brauner@kernel.org
CC: brendan.higgins@linux.dev
CC: davem@davemloft.net
CC: davidgow@google.com
CC: dhowells@redhat.com
CC: dvyukov@google.com
CC: ebiggers@kernel.org
CC: elver@google.com
CC: gregkh@linuxfoundation.org
CC: herbert@gondor.apana.org.au
CC: ignat@cloudflare.com
CC: jack@suse.cz
CC: jannh@google.com
CC: johannes@sipsolutions.net
CC: kasan-dev@googlegroups.com
CC: kees@kernel.org
CC: kunit-dev@googlegroups.com
CC: linux-crypto@vger.kernel.org
CC: linux-kernel@vger.kernel.org
CC: linux-mm@kvack.org
CC: lukas@wunner.de
CC: mcgrof@kernel.org
CC: rmoar@google.com
CC: shuah@kernel.org

Hi Ethan,

kernel test robot noticed the following build warnings:

[auto build test WARNING on akpm-mm/mm-nonmm-unstable]
[also build test WARNING on herbert-cryptodev-2.6/master herbert-crypto-2.6/master linus/master v6.19-rc5 next-20260113]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Ethan-Graham/kfuzztest-add-user-facing-API-and-data-structures/20260113-033045
base:   https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-nonmm-unstable
patch link:    https://lore.kernel.org/r/20260112192827.25989-3-ethan.w.s.graham%40gmail.com
patch subject: [PATCH v4 2/6] kfuzztest: implement core module and input processing
:::::: branch date: 24 hours ago
:::::: commit date: 24 hours ago
config: parisc-randconfig-r122-20260113 (https://download.01.org/0day-ci/archive/20260114/202601140318.GSsavXic-lkp@intel.com/config)
compiler: hppa-linux-gcc (GCC) 10.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260114/202601140318.GSsavXic-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/r/202601140318.GSsavXic-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> lib/kfuzztest/main.c:16:1: sparse: sparse: bad integer constant expression
   lib/kfuzztest/main.c:16:1: sparse: sparse: static assertion failed: "MODULE_INFO(file, ...) contains embedded NUL byte"
>> lib/kfuzztest/main.c:16:1: sparse: sparse: bad integer constant expression
   lib/kfuzztest/main.c:16:1: sparse: sparse: static assertion failed: "MODULE_INFO(license, ...) contains embedded NUL byte"
   lib/kfuzztest/main.c:17:1: sparse: sparse: bad integer constant expression
   lib/kfuzztest/main.c:17:1: sparse: sparse: static assertion failed: "MODULE_INFO(author, ...) contains embedded NUL byte"
   lib/kfuzztest/main.c:18:1: sparse: sparse: bad integer constant expression
   lib/kfuzztest/main.c:18:1: sparse: sparse: static assertion failed: "MODULE_INFO(description, ...) contains embedded NUL byte"

vim +16 lib/kfuzztest/main.c

c4c203aad010667 Ethan Graham 2026-01-12  15  
c4c203aad010667 Ethan Graham 2026-01-12 @16  MODULE_LICENSE("GPL");
c4c203aad010667 Ethan Graham 2026-01-12  17  MODULE_AUTHOR("Ethan Graham <ethan.w.s.graham@gmail.com>");
c4c203aad010667 Ethan Graham 2026-01-12  18  MODULE_DESCRIPTION("Kernel Fuzz Testing Framework (KFuzzTest)");
c4c203aad010667 Ethan Graham 2026-01-12  19  

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

[PATCH v4 0/6] KFuzzTest: a new kernel fuzzing framework

[Ethan Graham]

This patch series introduces KFuzzTest, a lightweight framework for
creating in-kernel fuzz targets for internal kernel functions.

The primary motivation for KFuzzTest is to simplify the fuzzing of
low-level, relatively stateless functions (e.g., data parsers, format
converters) that are difficult to exercise effectively from the syscall
boundary. It is intended for in-situ fuzzing of kernel code without
requiring that it be built as a separate userspace library or that its
dependencies be stubbed out.

Following feedback from the Linux Plumbers Conference and mailing list
discussions, this version of the framework has been significantly
simplified. It now focuses exclusively on handling raw binary inputs,
removing the complexity of the custom serialization format and DWARF
parsing found in previous iterations.

The core design consists of two main parts:
1. The `FUZZ_TEST_SIMPLE(name)` macro, which allows developers to define
   a fuzz test that accepts a buffer and its length.
2. A simplified debugfs interface that allows userspace fuzzers (or
   simple command-line tools) to pass raw binary blobs directly to the
   target function.

To validate the framework's end-to-end effectiveness, we performed an
experiment by manually introducing an off-by-one buffer over-read into
pkcs7_parse_message, like so:

- ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen);
+ ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen + 1);

A syzkaller instance fuzzing the new test_pkcs7_parse_message target
introduced in patch 7 successfully triggered the bug inside of
asn1_ber_decoder in under 30 seconds from a cold start. Similar
experiments on the other new fuzz targets (patches 8-9) also
successfully identified injected bugs, proving that KFuzzTest is
effective when paired with a coverage-guided fuzzing engine.

This patch series is structured as follows:
- Patch 1 introduces the core KFuzzTest API, including the main
  FUZZ_TEST_SIMPLE macro.
- Patch 2 adds the runtime implementation for the framework
- Patch 3 adds documentation.
- Patch 4 provides sample fuzz targets.
- Patch 5 defines fuzz targets for several functions in crypto/.
- Patch 6 adds maintainer information for KFuzzTest.

Changes since PR v3:
- Major simplification of the architecture, removing the complex
  `FUZZ_TEST` macro, the custom serialization format, domain
  constraints, annotations, and associated DWARF metadata regions.
- The framework now only supports `FUZZ_TEST_SIMPLE` targets, which
  accept raw binary data.
- Removed the userspace bridge tool as it is no longer required for
  serializing inputs.
- Updated documentation and samples to reflect the "simple-only"
  approach.

Ethan Graham (6):
  kfuzztest: add user-facing API and data structures
  kfuzztest: implement core module and input processing
  kfuzztest: add ReST documentation
  kfuzztest: add KFuzzTest sample fuzz targets
  crypto: implement KFuzzTest targets for PKCS7 and RSA parsing
  MAINTAINERS: add maintainer information for KFuzzTest

 Documentation/dev-tools/index.rst             |   1 +
 Documentation/dev-tools/kfuzztest.rst         | 152 ++++++++++++++++++
 MAINTAINERS                                   |   7 +
 crypto/asymmetric_keys/Makefile               |   2 +
 crypto/asymmetric_keys/tests/Makefile         |   4 +
 crypto/asymmetric_keys/tests/pkcs7_kfuzz.c    |  18 +++
 .../asymmetric_keys/tests/rsa_helper_kfuzz.c  |  24 +++
 include/asm-generic/vmlinux.lds.h             |  14 +-
 include/linux/kfuzztest.h                     |  90 +++++++++++
 lib/Kconfig.debug                             |   1 +
 lib/Makefile                                  |   2 +
 lib/kfuzztest/Kconfig                         |  16 ++
 lib/kfuzztest/Makefile                        |   4 +
 lib/kfuzztest/input.c                         |  47 ++++++
 lib/kfuzztest/main.c                          | 142 ++++++++++++++++
 samples/Kconfig                               |   7 +
 samples/Makefile                              |   1 +
 samples/kfuzztest/Makefile                    |   3 +
 samples/kfuzztest/underflow_on_buffer.c       |  52 ++++++
 19 files changed, 586 insertions(+), 1 deletion(-)
 create mode 100644 Documentation/dev-tools/kfuzztest.rst
 create mode 100644 crypto/asymmetric_keys/tests/Makefile
 create mode 100644 crypto/asymmetric_keys/tests/pkcs7_kfuzz.c
 create mode 100644 crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c
 create mode 100644 include/linux/kfuzztest.h
 create mode 100644 lib/kfuzztest/Kconfig
 create mode 100644 lib/kfuzztest/Makefile
 create mode 100644 lib/kfuzztest/input.c
 create mode 100644 lib/kfuzztest/main.c
 create mode 100644 samples/kfuzztest/Makefile
 create mode 100644 samples/kfuzztest/underflow_on_buffer.c

-- 
2.51.0

[PATCH v4 2/6] kfuzztest: implement core module and input processing

[Ethan Graham]

Add the core runtime implementation for KFuzzTest. This includes the
module initialization, and the logic for receiving and processing
user-provided inputs through debugfs.

On module load, the framework discovers all of the simple test targets
(FUZZ_TEST_SIMPLE) by iterating over the .kfuzztest_simple_target
section, creating a corresponding debugfs directory with a write-only
'input_simple' file for each of them.

Writing to an 'input_simple' file triggers the following fuzzing
sequence:
1. The binary input is allocated and copied from userspace into a
   kernel buffer.
2. The buffer and its length are passed immediately to the user-defined
   test logic.
3. The kernel is tainted with TAINT_TEST to indicate that untrusted input
   has been fed directly to the internal kernel functions.

This lightweight implementation relies on the caller (e.g., a fuzzer or
script) to provide raw binary data that the target function can process.

Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com>

---
PR v4:
- Remove parsing, relocation, and KASAN poisoning logic to support the
  move to a simple-only design.
- Remove the '_config' debugfs directory and associated state tracking
  (minimum alignment, invocation counts) to reduce complexity.
- Enforce zero offset in `kfuzztest_write_cb_common` to ensure inputs
  are passed down as single, contiguous blocks.
PR v3:
- Handle FUZZ_TEST_SIMPLE targets by creating a write-only
  'input_simple' under the fuzz target's directory.
- Add implementation for `kfuzztest_write_input_cb`.
PR v2:
- Fix build issues identified by the kernel test robot <lkp@intel.com>.
- Address some nits pointed out by Alexander Potapenko.
PR v1:
- Update kfuzztest/parse.c interfaces to take `unsigned char *` instead
  of `void *`, reducing the number of pointer casts.
- Expose minimum region alignment via a new debugfs file.
- Expose number of successful invocations via a new debugfs file.
- Refactor module init function, add _config directory with entries
  containing KFuzzTest state information.
- Account for kasan_poison_range() return value in input parsing logic.
- Validate alignment of payload end.
- Move static sizeof assertions into /lib/kfuzztest/main.c.
- Remove the taint in kfuzztest/main.c. We instead taint the kernel as
  soon as a fuzz test is invoked for the first time, which is done in
  the primary FUZZ_TEST macro.
RFC v2:
- The module's init function now taints the kernel with TAINT_TEST.
---
---
 lib/Makefile           |   2 +
 lib/kfuzztest/Makefile |   4 ++
 lib/kfuzztest/input.c  |  47 ++++++++++++++
 lib/kfuzztest/main.c   | 142 +++++++++++++++++++++++++++++++++++++++++
 4 files changed, 195 insertions(+)
 create mode 100644 lib/kfuzztest/Makefile
 create mode 100644 lib/kfuzztest/input.c
 create mode 100644 lib/kfuzztest/main.c

diff --git a/lib/Makefile b/lib/Makefile
index 392ff808c9b9..02789bf88499 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -325,6 +325,8 @@ obj-$(CONFIG_GENERIC_LIB_CMPDI2) += cmpdi2.o
 obj-$(CONFIG_GENERIC_LIB_UCMPDI2) += ucmpdi2.o
 obj-$(CONFIG_OBJAGG) += objagg.o
 
+obj-$(CONFIG_KFUZZTEST) += kfuzztest/
+
 # pldmfw library
 obj-$(CONFIG_PLDMFW) += pldmfw/
 
diff --git a/lib/kfuzztest/Makefile b/lib/kfuzztest/Makefile
new file mode 100644
index 000000000000..3cf5da5597a4
--- /dev/null
+++ b/lib/kfuzztest/Makefile
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0
+
+obj-$(CONFIG_KFUZZTEST) += kfuzztest.o
+kfuzztest-objs := main.o input.o
diff --git a/lib/kfuzztest/input.c b/lib/kfuzztest/input.c
new file mode 100644
index 000000000000..aae966ea76b3
--- /dev/null
+++ b/lib/kfuzztest/input.c
@@ -0,0 +1,47 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * KFuzzTest input handling.
+ *
+ * Copyright 2025 Google LLC
+ */
+#include <linux/kfuzztest.h>
+
+int kfuzztest_write_cb_common(struct file *filp, const char __user *buf, size_t len, loff_t *off, void **test_buffer)
+{
+	void *buffer;
+	ssize_t ret;
+
+	/*
+	 * Enforce a zero-offset to ensure that all data is passed down in a
+	 * single contiguous blob and not fragmented across multiple write
+	 * system calls.
+	 */
+	if (*off)
+		return -EINVAL;
+
+	/*
+	 * Taint the kernel on the first fuzzing invocation. The debugfs
+	 * interface provides a high-risk entry point for userspace to
+	 * call kernel functions with untrusted input.
+	 */
+	if (!test_taint(TAINT_TEST))
+		add_taint(TAINT_TEST, LOCKDEP_STILL_OK);
+
+	if (len > KFUZZTEST_MAX_INPUT_SIZE) {
+		pr_warn("kfuzztest: user input of size %zu is too large", len);
+		return -EINVAL;
+	}
+
+	buffer = kzalloc(len, GFP_KERNEL);
+	if (!buffer)
+		return -ENOMEM;
+
+	ret = simple_write_to_buffer(buffer, len, off, buf, len);
+	if (ret != len) {
+		kfree(buffer);
+		return -EFAULT;
+	}
+
+	*test_buffer = buffer;
+	return 0;
+}
diff --git a/lib/kfuzztest/main.c b/lib/kfuzztest/main.c
new file mode 100644
index 000000000000..40a9e56c81ad
--- /dev/null
+++ b/lib/kfuzztest/main.c
@@ -0,0 +1,142 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * KFuzzTest core module initialization and debugfs interface.
+ *
+ * Copyright 2025 Google LLC
+ */
+#include <linux/atomic.h>
+#include <linux/debugfs.h>
+#include <linux/err.h>
+#include <linux/fs.h>
+#include <linux/kasan.h>
+#include <linux/kfuzztest.h>
+#include <linux/module.h>
+#include <linux/printk.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Ethan Graham <ethan.w.s.graham@gmail.com>");
+MODULE_DESCRIPTION("Kernel Fuzz Testing Framework (KFuzzTest)");
+
+extern const struct kfuzztest_simple_target __kfuzztest_simple_targets_start[];
+extern const struct kfuzztest_simple_target __kfuzztest_simple_targets_end[];
+
+struct target_fops {
+	struct file_operations target_simple;
+};
+
+/**
+ * struct kfuzztest_state - global state for the KFuzzTest module
+ *
+ * @kfuzztest_dir: The root debugfs directory, /sys/kernel/debug/kfuzztest/.
+ * @num_targets: number of registered targets.
+ * @target_fops: array of file operations for each registered target.
+ */
+struct kfuzztest_state {
+	struct dentry *kfuzztest_dir;
+	struct target_fops *target_fops;
+	size_t num_targets;
+};
+
+static struct kfuzztest_state state;
+
+static void cleanup_kfuzztest_state(struct kfuzztest_state *st)
+{
+	debugfs_remove_recursive(st->kfuzztest_dir);
+	st->num_targets = 0;
+	kfree(st->target_fops);
+	st->target_fops = NULL;
+}
+
+static const umode_t KFUZZTEST_INPUT_PERMS = 0222;
+
+static int initialize_target_dir(struct kfuzztest_state *st, const struct kfuzztest_simple_target *targ,
+				 struct target_fops *fops)
+{
+	struct dentry *dir, *input_simple;
+	int err = 0;
+
+	dir = debugfs_create_dir(targ->name, st->kfuzztest_dir);
+	if (!dir)
+		err = -ENOMEM;
+	else if (IS_ERR(dir))
+		err = PTR_ERR(dir);
+	if (err) {
+		pr_info("kfuzztest: failed to create /kfuzztest/%s dir", targ->name);
+		goto out;
+	}
+
+	input_simple = debugfs_create_file("input_simple", KFUZZTEST_INPUT_PERMS, dir, NULL, &fops->target_simple);
+	if (!input_simple)
+		err = -ENOMEM;
+	else if (IS_ERR(input_simple))
+		err = PTR_ERR(input_simple);
+	if (err)
+		pr_info("kfuzztest: failed to create /kfuzztest/%s/input_simple", targ->name);
+out:
+	return err;
+}
+
+/**
+ * kfuzztest_init - initializes the debug filesystem for KFuzzTest
+ *
+ * Each registered target in the ".kfuzztest_simple_target" section gets its own
+ * subdirectory under "/sys/kernel/debug/kfuzztest/<test-name>" containing one
+ * write-only "input_simple" file used for receiving binary inputs from
+ * userspace.
+ *
+ * @return 0 on success or an error
+ */
+static int __init kfuzztest_init(void)
+{
+	const struct kfuzztest_simple_target *targ;
+	int err = 0;
+	int i = 0;
+
+	state.num_targets = __kfuzztest_simple_targets_end - __kfuzztest_simple_targets_start;
+	state.target_fops = kzalloc(sizeof(struct target_fops) * state.num_targets, GFP_KERNEL);
+	if (!state.target_fops)
+		return -ENOMEM;
+
+	/* Create the main "kfuzztest" directory in /sys/kernel/debug. */
+	state.kfuzztest_dir = debugfs_create_dir("kfuzztest", NULL);
+	if (!state.kfuzztest_dir) {
+		pr_warn("kfuzztest: could not create 'kfuzztest' debugfs directory");
+		return -ENOMEM;
+	}
+	if (IS_ERR(state.kfuzztest_dir)) {
+		pr_warn("kfuzztest: could not create 'kfuzztest' debugfs directory");
+		err = PTR_ERR(state.kfuzztest_dir);
+		state.kfuzztest_dir = NULL;
+		return err;
+	}
+
+	for (targ = __kfuzztest_simple_targets_start; targ < __kfuzztest_simple_targets_end; targ++, i++) {
+		state.target_fops[i].target_simple = (struct file_operations){
+			.owner = THIS_MODULE,
+			.write = targ->write_input_cb,
+		};
+		err = initialize_target_dir(&state, targ, &state.target_fops[i]);
+		/*
+		 * Bail out if a single target fails to initialize. This avoids
+		 * partial setup, and a failure here likely indicates an issue
+		 * with debugfs.
+		 */
+		if (err)
+			goto cleanup_failure;
+		pr_info("kfuzztest: registered target %s", targ->name);
+	}
+	return 0;
+
+cleanup_failure:
+	cleanup_kfuzztest_state(&state);
+	return err;
+}
+
+static void __exit kfuzztest_exit(void)
+{
+	pr_info("kfuzztest: exiting");
+	cleanup_kfuzztest_state(&state);
+}
+
+module_init(kfuzztest_init);
+module_exit(kfuzztest_exit);
-- 
2.51.0

Re: [PATCH v4 2/6] kfuzztest: implement core module and input processing

[Alexander Potapenko]

On Mon, Jan 12, 2026 at 8:28 PM Ethan Graham <ethan.w.s.graham@gmail.com> wrote:

> + * Copyright 2025 Google LLC
> + */
> +#include <linux/kfuzztest.h>

General comment: please include what you use.
Make sure there are headers for e.g. add_taint(), pr_warn(), kzalloc().


> +        * Taint the kernel on the first fuzzing invocation. The debugfs
> +        * interface provides a high-risk entry point for userspace to
> +        * call kernel functions with untrusted input.
> +        */
> +       if (!test_taint(TAINT_TEST))
> +               add_taint(TAINT_TEST, LOCKDEP_STILL_OK);
> +
> +       if (len > KFUZZTEST_MAX_INPUT_SIZE) {
> +               pr_warn("kfuzztest: user input of size %zu is too large", len);

Let's change it to pr_warn_ratelimited() to avoid log spamming.
Or maybe -EINVAL is enough for the userspace even without a log message?

> +               return -EINVAL;
> +       }
> +
> +       buffer = kzalloc(len, GFP_KERNEL);
> +       if (!buffer)
> +               return -ENOMEM;
> +
> +       ret = simple_write_to_buffer(buffer, len, off, buf, len);
> +       if (ret != len) {
> +               kfree(buffer);
> +               return -EFAULT;

I suggest returning `ret` here if it is < 0, and -EFAULT otherwise.


> +#include <linux/atomic.h>
> +#include <linux/debugfs.h>
> +#include <linux/err.h>
> +#include <linux/fs.h>
> +#include <linux/kasan.h>
> +#include <linux/kfuzztest.h>
> +#include <linux/module.h>
> +#include <linux/printk.h>

Missing <linux/slab.h> for the allocation functions.

> +       /* Create the main "kfuzztest" directory in /sys/kernel/debug. */
> +       state.kfuzztest_dir = debugfs_create_dir("kfuzztest", NULL);
> +       if (!state.kfuzztest_dir) {
> +               pr_warn("kfuzztest: could not create 'kfuzztest' debugfs directory");
> +               return -ENOMEM;

Note: leaking state.target_fops here.


> +       for (targ = __kfuzztest_simple_targets_start; targ < __kfuzztest_simple_targets_end; targ++, i++) {
> +               state.target_fops[i].target_simple = (struct file_operations){
> +                       .owner = THIS_MODULE,
> +                       .write = targ->write_input_cb,
> +               };
> +               err = initialize_target_dir(&state, targ, &state.target_fops[i]);
> +               /*
> +                * Bail out if a single target fails to initialize. This avoids
> +                * partial setup, and a failure here likely indicates an issue
> +                * with debugfs.
> +                */

An initialization failure could result from something as simple as a
name collision.
Do we want to bail out in such cases?