* [PATCH] io_uring: annotate remote tasks for kcoverage
@ 2026-05-20 15:39 Robert Femmer
2026-05-20 17:36 ` Andrey Konovalov
0 siblings, 1 reply; 9+ messages in thread
From: Robert Femmer @ 2026-05-20 15:39 UTC (permalink / raw)
To: io-uring
Cc: Jens Axboe, Dmitry Vyukov, Andrey Konovalov, kasan-dev,
Robert Femmer
Fuzzers use coverage information to guide generation of test cases
towards new or interesting code paths. Syzkaller, specifically, makes
use kcoverage (CONFIG_KCOV). Coverage information is not collected for
kernel tasks unless annotated by kcov_remote_start and kcov_remote_stop.
This patch annotates io-uring's work queue and sqpoll tasks.
The value of the handle needs to be passed by userspace when enabling
remote coverage collection. I chose the cgroup ns inum, because it is
predictable and flexible enough for consumers to control which group of
processes should be included for remote coverage collection, should they
create an instance of io-uring.
Signed-off-by: Robert Femmer <robert@fmmr.tech>
---
include/linux/io_uring_types.h | 4 ++++
include/uapi/linux/kcov.h | 1 +
io_uring/io-wq.c | 4 ++++
io_uring/io_uring.c | 18 ++++++++++++++++++
io_uring/io_uring.h | 22 ++++++++++++++++++++++
io_uring/sqpoll.c | 4 ++++
kernel/kcov.c | 2 ++
7 files changed, 55 insertions(+)
diff --git a/include/linux/io_uring_types.h b/include/linux/io_uring_types.h
index 244392026c6d..b92b8e7169ea 100644
--- a/include/linux/io_uring_types.h
+++ b/include/linux/io_uring_types.h
@@ -504,6 +504,10 @@ struct io_ring_ctx {
struct io_mapped_region ring_region;
/* used for optimised request parameter and wait argument passing */
struct io_mapped_region param_region;
+
+#ifdef CONFIG_KCOV
+ u64 kcov_handle;
+#endif
};
/*
diff --git a/include/uapi/linux/kcov.h b/include/uapi/linux/kcov.h
index ed95dba9fa37..15bbce4569b1 100644
--- a/include/uapi/linux/kcov.h
+++ b/include/uapi/linux/kcov.h
@@ -49,6 +49,7 @@ enum {
#define KCOV_SUBSYSTEM_COMMON (0x00ull << 56)
#define KCOV_SUBSYSTEM_USB (0x01ull << 56)
+#define KCOV_SUBSYSTEM_IOURING (0x02ull << 56)
#define KCOV_SUBSYSTEM_MASK (0xffull << 56)
#define KCOV_INSTANCE_MASK (0xffffffffull)
diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
index 8cc7b47d3089..bb89d3f4b3dc 100644
--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -639,6 +639,7 @@ static void io_worker_handle_work(struct io_wq_acct *acct,
/* handle a whole dependent link */
do {
struct io_wq_work *next_hashed, *linked;
+ struct io_kiocb *req;
unsigned int work_flags = atomic_read(&work->flags);
unsigned int hash = __io_wq_is_hashed(work_flags)
? __io_get_work_hash(work_flags)
@@ -649,7 +650,10 @@ static void io_worker_handle_work(struct io_wq_acct *acct,
if (do_kill &&
(work_flags & IO_WQ_WORK_UNBOUND))
atomic_or(IO_WQ_WORK_CANCEL, &work->flags);
+ req = container_of(work, struct io_kiocb, work);
+ io_kcov_remote_start(req->ctx);
io_wq_submit_work(work);
+ io_kcov_remote_stop();
io_assign_current_work(worker, NULL);
linked = io_wq_free_work(work);
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 036145ee466c..71478e6ccae4 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -222,6 +222,21 @@ static void io_free_alloc_caches(struct io_ring_ctx *ctx)
io_rsrc_cache_free(ctx);
}
+#ifdef CONFIG_KCOV
+static __cold u64 io_ring_get_kcov_handle(void)
+{
+ struct nsproxy *ns_proxy = current->nsproxy;
+ struct ns_common *ns;
+ u64 inst = 0;
+
+ if (ns_proxy) {
+ ns = to_ns_common(ns_proxy->cgroup_ns);
+ inst = ns->inum;
+ }
+ return kcov_remote_handle(KCOV_SUBSYSTEM_IOURING, inst);
+}
+#endif
+
static __cold struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
{
struct io_ring_ctx *ctx;
@@ -293,6 +308,9 @@ static __cold struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
INIT_HLIST_HEAD(&ctx->cancelable_uring_cmd);
io_napi_init(ctx);
mutex_init(&ctx->mmap_lock);
+#ifdef CONFIG_KCOV
+ ctx->kcov_handle = io_ring_get_kcov_handle();
+#endif
return ctx;
diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h
index e612a66ee80e..cb03df877456 100644
--- a/io_uring/io_uring.h
+++ b/io_uring/io_uring.h
@@ -7,6 +7,7 @@
#include <linux/resume_user_mode.h>
#include <linux/poll.h>
#include <linux/io_uring_types.h>
+#include <linux/kcov.h>
#include <uapi/linux/eventpoll.h>
#include "alloc_cache.h"
#include "io-wq.h"
@@ -581,4 +582,25 @@ static inline bool io_has_work(struct io_ring_ctx *ctx)
return test_bit(IO_CHECK_CQ_OVERFLOW_BIT, &ctx->check_cq) ||
io_local_work_pending(ctx);
}
+
+#ifdef CONFIG_KCOV
+static inline void io_kcov_remote_start(struct io_ring_ctx *ctx)
+{
+ kcov_remote_start(ctx->kcov_handle);
+}
+
+static inline void io_kcov_remote_stop(void)
+{
+ kcov_remote_stop();
+}
+#else
+static inline void io_kcov_remote_start(struct io_ring_ctx *ctx)
+{
+}
+
+static inline void io_kcov_remote_stop(void)
+{
+}
+#endif
+
#endif
diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c
index 46c12afec73e..b244abd37a27 100644
--- a/io_uring/sqpoll.c
+++ b/io_uring/sqpoll.c
@@ -342,19 +342,23 @@ static int io_sq_thread(void *data)
cap_entries = !list_is_singular(&sqd->ctx_list);
list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
+ io_kcov_remote_start(ctx);
int ret = __io_sq_thread(ctx, sqd, cap_entries, &ist);
if (!sqt_spin && (ret > 0 || !list_empty(&ctx->iopoll_list)))
sqt_spin = true;
+ io_kcov_remote_stop();
}
if (io_sq_tw(&retry_list, IORING_TW_CAP_ENTRIES_VALUE))
sqt_spin = true;
list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
+ io_kcov_remote_start(ctx);
if (io_napi(ctx)) {
io_sq_start_worktime(&ist);
io_napi_sqpoll_busy_poll(ctx);
}
+ io_kcov_remote_stop();
}
io_sq_update_worktime(sqd, &ist);
diff --git a/kernel/kcov.c b/kernel/kcov.c
index 0b369e88c7c9..6df04581a126 100644
--- a/kernel/kcov.c
+++ b/kernel/kcov.c
@@ -585,6 +585,8 @@ static inline bool kcov_check_handle(u64 handle, bool common_valid,
common_valid : zero_valid;
case KCOV_SUBSYSTEM_USB:
return uncommon_valid;
+ case KCOV_SUBSYSTEM_IOURING:
+ return uncommon_valid;
default:
return false;
}
--
2.54.0
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH] io_uring: annotate remote tasks for kcoverage
2026-05-20 15:39 [PATCH] io_uring: annotate remote tasks for kcoverage Robert Femmer
@ 2026-05-20 17:36 ` Andrey Konovalov
2026-05-20 20:43 ` [PATCH v2] " Robert Femmer
0 siblings, 1 reply; 9+ messages in thread
From: Andrey Konovalov @ 2026-05-20 17:36 UTC (permalink / raw)
To: Robert Femmer; +Cc: io-uring, Jens Axboe, Dmitry Vyukov, kasan-dev
On Wed, May 20, 2026 at 5:41 PM Robert Femmer <robert@fmmr.tech> wrote:
>
> Fuzzers use coverage information to guide generation of test cases
> towards new or interesting code paths. Syzkaller, specifically, makes
> use kcoverage (CONFIG_KCOV). Coverage information is not collected for
> kernel tasks unless annotated by kcov_remote_start and kcov_remote_stop.
> This patch annotates io-uring's work queue and sqpoll tasks.
>
> The value of the handle needs to be passed by userspace when enabling
> remote coverage collection. I chose the cgroup ns inum, because it is
> predictable and flexible enough for consumers to control which group of
> processes should be included for remote coverage collection, should they
> create an instance of io-uring.
>
> Signed-off-by: Robert Femmer <robert@fmmr.tech>
> ---
> include/linux/io_uring_types.h | 4 ++++
> include/uapi/linux/kcov.h | 1 +
> io_uring/io-wq.c | 4 ++++
> io_uring/io_uring.c | 18 ++++++++++++++++++
> io_uring/io_uring.h | 22 ++++++++++++++++++++++
> io_uring/sqpoll.c | 4 ++++
> kernel/kcov.c | 2 ++
> 7 files changed, 55 insertions(+)
>
> diff --git a/include/linux/io_uring_types.h b/include/linux/io_uring_types.h
> index 244392026c6d..b92b8e7169ea 100644
> --- a/include/linux/io_uring_types.h
> +++ b/include/linux/io_uring_types.h
> @@ -504,6 +504,10 @@ struct io_ring_ctx {
> struct io_mapped_region ring_region;
> /* used for optimised request parameter and wait argument passing */
> struct io_mapped_region param_region;
> +
> +#ifdef CONFIG_KCOV
> + u64 kcov_handle;
> +#endif
> };
>
> /*
> diff --git a/include/uapi/linux/kcov.h b/include/uapi/linux/kcov.h
> index ed95dba9fa37..15bbce4569b1 100644
> --- a/include/uapi/linux/kcov.h
> +++ b/include/uapi/linux/kcov.h
> @@ -49,6 +49,7 @@ enum {
>
> #define KCOV_SUBSYSTEM_COMMON (0x00ull << 56)
> #define KCOV_SUBSYSTEM_USB (0x01ull << 56)
> +#define KCOV_SUBSYSTEM_IOURING (0x02ull << 56)
Hi Robet,
Would it be possible to use the common_handle functionality of KCOV
for io_uring?
The global KCOV handles were not the best design decision. They
arguably make sense for kernel tasks that get created during boot. But
if a kernel task gets spawned as a result of a user task actions, the
common handles are a better approach.
>
> #define KCOV_SUBSYSTEM_MASK (0xffull << 56)
> #define KCOV_INSTANCE_MASK (0xffffffffull)
> diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
> index 8cc7b47d3089..bb89d3f4b3dc 100644
> --- a/io_uring/io-wq.c
> +++ b/io_uring/io-wq.c
> @@ -639,6 +639,7 @@ static void io_worker_handle_work(struct io_wq_acct *acct,
> /* handle a whole dependent link */
> do {
> struct io_wq_work *next_hashed, *linked;
> + struct io_kiocb *req;
> unsigned int work_flags = atomic_read(&work->flags);
> unsigned int hash = __io_wq_is_hashed(work_flags)
> ? __io_get_work_hash(work_flags)
> @@ -649,7 +650,10 @@ static void io_worker_handle_work(struct io_wq_acct *acct,
> if (do_kill &&
> (work_flags & IO_WQ_WORK_UNBOUND))
> atomic_or(IO_WQ_WORK_CANCEL, &work->flags);
> + req = container_of(work, struct io_kiocb, work);
> + io_kcov_remote_start(req->ctx);
> io_wq_submit_work(work);
> + io_kcov_remote_stop();
> io_assign_current_work(worker, NULL);
>
> linked = io_wq_free_work(work);
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index 036145ee466c..71478e6ccae4 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -222,6 +222,21 @@ static void io_free_alloc_caches(struct io_ring_ctx *ctx)
> io_rsrc_cache_free(ctx);
> }
>
> +#ifdef CONFIG_KCOV
> +static __cold u64 io_ring_get_kcov_handle(void)
> +{
> + struct nsproxy *ns_proxy = current->nsproxy;
> + struct ns_common *ns;
> + u64 inst = 0;
> +
> + if (ns_proxy) {
> + ns = to_ns_common(ns_proxy->cgroup_ns);
> + inst = ns->inum;
> + }
> + return kcov_remote_handle(KCOV_SUBSYSTEM_IOURING, inst);
> +}
> +#endif
> +
> static __cold struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
> {
> struct io_ring_ctx *ctx;
> @@ -293,6 +308,9 @@ static __cold struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
> INIT_HLIST_HEAD(&ctx->cancelable_uring_cmd);
> io_napi_init(ctx);
> mutex_init(&ctx->mmap_lock);
> +#ifdef CONFIG_KCOV
> + ctx->kcov_handle = io_ring_get_kcov_handle();
> +#endif
>
> return ctx;
>
> diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h
> index e612a66ee80e..cb03df877456 100644
> --- a/io_uring/io_uring.h
> +++ b/io_uring/io_uring.h
> @@ -7,6 +7,7 @@
> #include <linux/resume_user_mode.h>
> #include <linux/poll.h>
> #include <linux/io_uring_types.h>
> +#include <linux/kcov.h>
> #include <uapi/linux/eventpoll.h>
> #include "alloc_cache.h"
> #include "io-wq.h"
> @@ -581,4 +582,25 @@ static inline bool io_has_work(struct io_ring_ctx *ctx)
> return test_bit(IO_CHECK_CQ_OVERFLOW_BIT, &ctx->check_cq) ||
> io_local_work_pending(ctx);
> }
> +
> +#ifdef CONFIG_KCOV
> +static inline void io_kcov_remote_start(struct io_ring_ctx *ctx)
> +{
> + kcov_remote_start(ctx->kcov_handle);
> +}
> +
> +static inline void io_kcov_remote_stop(void)
> +{
> + kcov_remote_stop();
> +}
> +#else
> +static inline void io_kcov_remote_start(struct io_ring_ctx *ctx)
> +{
> +}
> +
> +static inline void io_kcov_remote_stop(void)
> +{
> +}
> +#endif
> +
> #endif
> diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c
> index 46c12afec73e..b244abd37a27 100644
> --- a/io_uring/sqpoll.c
> +++ b/io_uring/sqpoll.c
> @@ -342,19 +342,23 @@ static int io_sq_thread(void *data)
>
> cap_entries = !list_is_singular(&sqd->ctx_list);
> list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
> + io_kcov_remote_start(ctx);
> int ret = __io_sq_thread(ctx, sqd, cap_entries, &ist);
>
> if (!sqt_spin && (ret > 0 || !list_empty(&ctx->iopoll_list)))
> sqt_spin = true;
> + io_kcov_remote_stop();
> }
> if (io_sq_tw(&retry_list, IORING_TW_CAP_ENTRIES_VALUE))
> sqt_spin = true;
>
> list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
> + io_kcov_remote_start(ctx);
> if (io_napi(ctx)) {
> io_sq_start_worktime(&ist);
> io_napi_sqpoll_busy_poll(ctx);
> }
> + io_kcov_remote_stop();
> }
>
> io_sq_update_worktime(sqd, &ist);
> diff --git a/kernel/kcov.c b/kernel/kcov.c
> index 0b369e88c7c9..6df04581a126 100644
> --- a/kernel/kcov.c
> +++ b/kernel/kcov.c
> @@ -585,6 +585,8 @@ static inline bool kcov_check_handle(u64 handle, bool common_valid,
> common_valid : zero_valid;
> case KCOV_SUBSYSTEM_USB:
> return uncommon_valid;
> + case KCOV_SUBSYSTEM_IOURING:
> + return uncommon_valid;
> default:
> return false;
> }
> --
> 2.54.0
>
^ permalink raw reply [flat|nested] 9+ messages in thread* [PATCH v2] io_uring: annotate remote tasks for kcoverage
2026-05-20 17:36 ` Andrey Konovalov
@ 2026-05-20 20:43 ` Robert Femmer
2026-05-22 16:23 ` Andrey Konovalov
0 siblings, 1 reply; 9+ messages in thread
From: Robert Femmer @ 2026-05-20 20:43 UTC (permalink / raw)
To: io-uring
Cc: Jens Axboe, Dmitry Vyukov, Andrey Konovalov, kasan-dev,
Robert Femmer
Fuzzers use coverage information to guide generation of test cases
towards new or interesting code paths. Syzkaller, specifically, makes
use kcoverage (CONFIG_KCOV). Coverage information is not collected for
kernel tasks unless annotated by kcov_remote_start and kcov_remote_stop.
This patch annotates io-uring's work queue and sqpoll tasks.
Signed-off-by: Robert Femmer <robert@fmmr.tech>
---
include/linux/io_uring_types.h | 4 ++++
io_uring/io-wq.c | 4 ++++
io_uring/io_uring.c | 3 +++
io_uring/io_uring.h | 24 ++++++++++++++++++++++++
io_uring/sqpoll.c | 4 ++++
5 files changed, 39 insertions(+)
diff --git a/include/linux/io_uring_types.h b/include/linux/io_uring_types.h
index 244392026c6d..b92b8e7169ea 100644
--- a/include/linux/io_uring_types.h
+++ b/include/linux/io_uring_types.h
@@ -504,6 +504,10 @@ struct io_ring_ctx {
struct io_mapped_region ring_region;
/* used for optimised request parameter and wait argument passing */
struct io_mapped_region param_region;
+
+#ifdef CONFIG_KCOV
+ u64 kcov_handle;
+#endif
};
/*
diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
index 8cc7b47d3089..16af75b1cfe0 100644
--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -639,6 +639,7 @@ static void io_worker_handle_work(struct io_wq_acct *acct,
/* handle a whole dependent link */
do {
struct io_wq_work *next_hashed, *linked;
+ struct io_kiocb *req;
unsigned int work_flags = atomic_read(&work->flags);
unsigned int hash = __io_wq_is_hashed(work_flags)
? __io_get_work_hash(work_flags)
@@ -649,7 +650,10 @@ static void io_worker_handle_work(struct io_wq_acct *acct,
if (do_kill &&
(work_flags & IO_WQ_WORK_UNBOUND))
atomic_or(IO_WQ_WORK_CANCEL, &work->flags);
+ req = container_of(work, struct io_kiocb, work);
+ io_kcov_remote_start(req->ctx);
io_wq_submit_work(work);
+ io_kcov_remote_stop(req->ctx);
io_assign_current_work(worker, NULL);
linked = io_wq_free_work(work);
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 036145ee466c..f38b8eca6bbb 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -293,6 +293,9 @@ static __cold struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
INIT_HLIST_HEAD(&ctx->cancelable_uring_cmd);
io_napi_init(ctx);
mutex_init(&ctx->mmap_lock);
+#ifdef CONFIG_KCOV
+ ctx->kcov_handle = current->kcov_handle;
+#endif
return ctx;
diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h
index e612a66ee80e..881d43bd529c 100644
--- a/io_uring/io_uring.h
+++ b/io_uring/io_uring.h
@@ -7,6 +7,7 @@
#include <linux/resume_user_mode.h>
#include <linux/poll.h>
#include <linux/io_uring_types.h>
+#include <linux/kcov.h>
#include <uapi/linux/eventpoll.h>
#include "alloc_cache.h"
#include "io-wq.h"
@@ -581,4 +582,27 @@ static inline bool io_has_work(struct io_ring_ctx *ctx)
return test_bit(IO_CHECK_CQ_OVERFLOW_BIT, &ctx->check_cq) ||
io_local_work_pending(ctx);
}
+
+#ifdef CONFIG_KCOV
+static inline void io_kcov_remote_start(struct io_ring_ctx *ctx)
+{
+ if (ctx->kcov_handle)
+ kcov_remote_start(ctx->kcov_handle);
+}
+
+static inline void io_kcov_remote_stop(struct io_ring_ctx *ctx)
+{
+ if (ctx->kcov_handle)
+ kcov_remote_stop();
+}
+#else
+static inline void io_kcov_remote_start(struct io_ring_ctx *ctx)
+{
+}
+
+static inline void io_kcov_remote_stop(struct io_ring_ctx *ctx)
+{
+}
+#endif
+
#endif
diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c
index 46c12afec73e..8d2876e31acb 100644
--- a/io_uring/sqpoll.c
+++ b/io_uring/sqpoll.c
@@ -342,19 +342,23 @@ static int io_sq_thread(void *data)
cap_entries = !list_is_singular(&sqd->ctx_list);
list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
+ io_kcov_remote_start(ctx);
int ret = __io_sq_thread(ctx, sqd, cap_entries, &ist);
if (!sqt_spin && (ret > 0 || !list_empty(&ctx->iopoll_list)))
sqt_spin = true;
+ io_kcov_remote_stop(ctx);
}
if (io_sq_tw(&retry_list, IORING_TW_CAP_ENTRIES_VALUE))
sqt_spin = true;
list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
+ io_kcov_remote_start(ctx);
if (io_napi(ctx)) {
io_sq_start_worktime(&ist);
io_napi_sqpoll_busy_poll(ctx);
}
+ io_kcov_remote_stop(ctx);
}
io_sq_update_worktime(sqd, &ist);
--
2.54.0
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH v2] io_uring: annotate remote tasks for kcoverage
2026-05-20 20:43 ` [PATCH v2] " Robert Femmer
@ 2026-05-22 16:23 ` Andrey Konovalov
2026-05-26 16:49 ` [PATCH v3] " Robert Femmer
0 siblings, 1 reply; 9+ messages in thread
From: Andrey Konovalov @ 2026-05-22 16:23 UTC (permalink / raw)
To: Robert Femmer; +Cc: io-uring, Jens Axboe, Dmitry Vyukov, kasan-dev, Jann Horn
On Wed, May 20, 2026 at 10:44 PM Robert Femmer <robert@fmmr.tech> wrote:
>
> Fuzzers use coverage information to guide generation of test cases
> towards new or interesting code paths. Syzkaller, specifically, makes
> use kcoverage (CONFIG_KCOV). Coverage information is not collected for
> kernel tasks unless annotated by kcov_remote_start and kcov_remote_stop.
> This patch annotates io-uring's work queue and sqpoll tasks.
>
> Signed-off-by: Robert Femmer <robert@fmmr.tech>
> ---
> include/linux/io_uring_types.h | 4 ++++
> io_uring/io-wq.c | 4 ++++
> io_uring/io_uring.c | 3 +++
> io_uring/io_uring.h | 24 ++++++++++++++++++++++++
> io_uring/sqpoll.c | 4 ++++
> 5 files changed, 39 insertions(+)
>
> diff --git a/include/linux/io_uring_types.h b/include/linux/io_uring_types.h
> index 244392026c6d..b92b8e7169ea 100644
> --- a/include/linux/io_uring_types.h
> +++ b/include/linux/io_uring_types.h
> @@ -504,6 +504,10 @@ struct io_ring_ctx {
> struct io_mapped_region ring_region;
> /* used for optimised request parameter and wait argument passing */
> struct io_mapped_region param_region;
> +
> +#ifdef CONFIG_KCOV
> + u64 kcov_handle;
> +#endif
Jann recently sent a patch that added kcov_common_handle_id, I think
you can base your code on it and use that helper struct here.
https://lore.kernel.org/all/20260430-kcov-refactor-common-handle-v1-1-23a0c7a0ba38@google.com/
> };
>
> /*
> diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
> index 8cc7b47d3089..16af75b1cfe0 100644
> --- a/io_uring/io-wq.c
> +++ b/io_uring/io-wq.c
> @@ -639,6 +639,7 @@ static void io_worker_handle_work(struct io_wq_acct *acct,
> /* handle a whole dependent link */
> do {
> struct io_wq_work *next_hashed, *linked;
> + struct io_kiocb *req;
> unsigned int work_flags = atomic_read(&work->flags);
> unsigned int hash = __io_wq_is_hashed(work_flags)
> ? __io_get_work_hash(work_flags)
> @@ -649,7 +650,10 @@ static void io_worker_handle_work(struct io_wq_acct *acct,
> if (do_kill &&
> (work_flags & IO_WQ_WORK_UNBOUND))
> atomic_or(IO_WQ_WORK_CANCEL, &work->flags);
> + req = container_of(work, struct io_kiocb, work);
> + io_kcov_remote_start(req->ctx);
And also use kcov_remote_start_common() here.
> io_wq_submit_work(work);
> + io_kcov_remote_stop(req->ctx);
> io_assign_current_work(worker, NULL);
>
> linked = io_wq_free_work(work);
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index 036145ee466c..f38b8eca6bbb 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -293,6 +293,9 @@ static __cold struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
> INIT_HLIST_HEAD(&ctx->cancelable_uring_cmd);
> io_napi_init(ctx);
> mutex_init(&ctx->mmap_lock);
> +#ifdef CONFIG_KCOV
> + ctx->kcov_handle = current->kcov_handle;
> +#endif
>
> return ctx;
>
> diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h
> index e612a66ee80e..881d43bd529c 100644
> --- a/io_uring/io_uring.h
> +++ b/io_uring/io_uring.h
> @@ -7,6 +7,7 @@
> #include <linux/resume_user_mode.h>
> #include <linux/poll.h>
> #include <linux/io_uring_types.h>
> +#include <linux/kcov.h>
> #include <uapi/linux/eventpoll.h>
> #include "alloc_cache.h"
> #include "io-wq.h"
> @@ -581,4 +582,27 @@ static inline bool io_has_work(struct io_ring_ctx *ctx)
> return test_bit(IO_CHECK_CQ_OVERFLOW_BIT, &ctx->check_cq) ||
> io_local_work_pending(ctx);
> }
> +
> +#ifdef CONFIG_KCOV
> +static inline void io_kcov_remote_start(struct io_ring_ctx *ctx)
> +{
> + if (ctx->kcov_handle)
> + kcov_remote_start(ctx->kcov_handle);
> +}
> +
> +static inline void io_kcov_remote_stop(struct io_ring_ctx *ctx)
> +{
> + if (ctx->kcov_handle)
> + kcov_remote_stop();
> +}
> +#else
> +static inline void io_kcov_remote_start(struct io_ring_ctx *ctx)
> +{
> +}
> +
> +static inline void io_kcov_remote_stop(struct io_ring_ctx *ctx)
> +{
> +}
> +#endif
> +
> #endif
> diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c
> index 46c12afec73e..8d2876e31acb 100644
> --- a/io_uring/sqpoll.c
> +++ b/io_uring/sqpoll.c
> @@ -342,19 +342,23 @@ static int io_sq_thread(void *data)
>
> cap_entries = !list_is_singular(&sqd->ctx_list);
> list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
> + io_kcov_remote_start(ctx);
> int ret = __io_sq_thread(ctx, sqd, cap_entries, &ist);
>
> if (!sqt_spin && (ret > 0 || !list_empty(&ctx->iopoll_list)))
> sqt_spin = true;
> + io_kcov_remote_stop(ctx);
> }
> if (io_sq_tw(&retry_list, IORING_TW_CAP_ENTRIES_VALUE))
> sqt_spin = true;
>
> list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
> + io_kcov_remote_start(ctx);
> if (io_napi(ctx)) {
> io_sq_start_worktime(&ist);
> io_napi_sqpoll_busy_poll(ctx);
> }
> + io_kcov_remote_stop(ctx);
> }
>
> io_sq_update_worktime(sqd, &ist);
> --
> 2.54.0
>
> --
> You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/kasan-dev/20260520204303.558392-2-robert%40fmmr.tech.
^ permalink raw reply [flat|nested] 9+ messages in thread* [PATCH v3] io_uring: annotate remote tasks for kcoverage
2026-05-22 16:23 ` Andrey Konovalov
@ 2026-05-26 16:49 ` Robert Femmer
2026-06-23 16:37 ` Jann Horn
0 siblings, 1 reply; 9+ messages in thread
From: Robert Femmer @ 2026-05-26 16:49 UTC (permalink / raw)
To: io-uring
Cc: Jens Axboe, Dmitry Vyukov, Andrey Konovalov, kasan-dev,
Robert Femmer
Fuzzers use coverage information to guide generation of test cases
towards new or interesting code paths. Syzkaller, specifically, makes
use kcoverage (CONFIG_KCOV). Coverage information is not collected for
kernel tasks unless annotated by kcov_remote_start and kcov_remote_stop.
This patch annotates io-uring's work queue and sqpoll tasks.
Depends-on: 20260430-kcov-refactor-common-handle-v1-1-23a0c7a0ba38@google.com
Signed-off-by: Robert Femmer <robert@fmmr.tech>
---
include/linux/io_uring_types.h | 2 ++
io_uring/io-wq.c | 4 ++++
io_uring/io_uring.c | 1 +
io_uring/io_uring.h | 2 ++
io_uring/sqpoll.c | 4 ++++
5 files changed, 13 insertions(+)
diff --git a/include/linux/io_uring_types.h b/include/linux/io_uring_types.h
index 244392026c6d..b6590b2b350c 100644
--- a/include/linux/io_uring_types.h
+++ b/include/linux/io_uring_types.h
@@ -504,6 +504,8 @@ struct io_ring_ctx {
struct io_mapped_region ring_region;
/* used for optimised request parameter and wait argument passing */
struct io_mapped_region param_region;
+
+ struct kcov_common_handle_id kcov_handle;
};
/*
diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
index 8cc7b47d3089..9ade4c4f4983 100644
--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -639,6 +639,7 @@ static void io_worker_handle_work(struct io_wq_acct *acct,
/* handle a whole dependent link */
do {
struct io_wq_work *next_hashed, *linked;
+ struct io_kiocb *req;
unsigned int work_flags = atomic_read(&work->flags);
unsigned int hash = __io_wq_is_hashed(work_flags)
? __io_get_work_hash(work_flags)
@@ -649,7 +650,10 @@ static void io_worker_handle_work(struct io_wq_acct *acct,
if (do_kill &&
(work_flags & IO_WQ_WORK_UNBOUND))
atomic_or(IO_WQ_WORK_CANCEL, &work->flags);
+ req = container_of(work, struct io_kiocb, work);
+ kcov_remote_start_common(req->ctx->kcov_handle);
io_wq_submit_work(work);
+ kcov_remote_stop();
io_assign_current_work(worker, NULL);
linked = io_wq_free_work(work);
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 103b6c88f252..89cb649944d9 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -293,6 +293,7 @@ static __cold struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
INIT_HLIST_HEAD(&ctx->cancelable_uring_cmd);
io_napi_init(ctx);
mutex_init(&ctx->mmap_lock);
+ ctx->kcov_handle = kcov_common_handle();
return ctx;
diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h
index e612a66ee80e..7226fbbbf9f0 100644
--- a/io_uring/io_uring.h
+++ b/io_uring/io_uring.h
@@ -7,6 +7,7 @@
#include <linux/resume_user_mode.h>
#include <linux/poll.h>
#include <linux/io_uring_types.h>
+#include <linux/kcov.h>
#include <uapi/linux/eventpoll.h>
#include "alloc_cache.h"
#include "io-wq.h"
@@ -581,4 +582,5 @@ static inline bool io_has_work(struct io_ring_ctx *ctx)
return test_bit(IO_CHECK_CQ_OVERFLOW_BIT, &ctx->check_cq) ||
io_local_work_pending(ctx);
}
+
#endif
diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c
index 46c12afec73e..c7b78ea98587 100644
--- a/io_uring/sqpoll.c
+++ b/io_uring/sqpoll.c
@@ -342,19 +342,23 @@ static int io_sq_thread(void *data)
cap_entries = !list_is_singular(&sqd->ctx_list);
list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
+ kcov_remote_start_common(ctx->kcov_handle);
int ret = __io_sq_thread(ctx, sqd, cap_entries, &ist);
if (!sqt_spin && (ret > 0 || !list_empty(&ctx->iopoll_list)))
sqt_spin = true;
+ kcov_remote_stop();
}
if (io_sq_tw(&retry_list, IORING_TW_CAP_ENTRIES_VALUE))
sqt_spin = true;
list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
+ kcov_remote_start_common(ctx->kcov_handle);
if (io_napi(ctx)) {
io_sq_start_worktime(&ist);
io_napi_sqpoll_busy_poll(ctx);
}
+ kcov_remote_stop();
}
io_sq_update_worktime(sqd, &ist);
--
2.54.0
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH v3] io_uring: annotate remote tasks for kcoverage
2026-05-26 16:49 ` [PATCH v3] " Robert Femmer
@ 2026-06-23 16:37 ` Jann Horn
2026-06-23 16:46 ` Jann Horn
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Jann Horn @ 2026-06-23 16:37 UTC (permalink / raw)
To: robert; +Cc: io-uring, Jens Axboe, Dmitry Vyukov, Andrey Konovalov, kasan-dev
On Tue, May 26, 2026 at 6:49 PM Robert Femmer <robert@fmmr.tech> wrote:
> Fuzzers use coverage information to guide generation of test cases
> towards new or interesting code paths. Syzkaller, specifically, makes
> use kcoverage (CONFIG_KCOV). Coverage information is not collected for
> kernel tasks unless annotated by kcov_remote_start and kcov_remote_stop.
> This patch annotates io-uring's work queue and sqpoll tasks.
I think this is a useful change overall.
@maintainers: For context, this should have no impact on normal builds
- "struct kcov_common_handle_id" is zero-sized in normal builds, and
all the helpers used here are empty inline functions.
> Depends-on: 20260430-kcov-refactor-common-handle-v1-1-23a0c7a0ba38@google.com
> Signed-off-by: Robert Femmer <robert@fmmr.tech>
> ---
> include/linux/io_uring_types.h | 2 ++
> io_uring/io-wq.c | 4 ++++
> io_uring/io_uring.c | 1 +
> io_uring/io_uring.h | 2 ++
> io_uring/sqpoll.c | 4 ++++
> 5 files changed, 13 insertions(+)
>
> diff --git a/include/linux/io_uring_types.h b/include/linux/io_uring_types.h
> index 244392026c6d..b6590b2b350c 100644
> --- a/include/linux/io_uring_types.h
> +++ b/include/linux/io_uring_types.h
> @@ -504,6 +504,8 @@ struct io_ring_ctx {
> struct io_mapped_region ring_region;
> /* used for optimised request parameter and wait argument passing */
> struct io_mapped_region param_region;
> +
> + struct kcov_common_handle_id kcov_handle;
> };
>
> /*
> diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
> index 8cc7b47d3089..9ade4c4f4983 100644
> --- a/io_uring/io-wq.c
> +++ b/io_uring/io-wq.c
> @@ -639,6 +639,7 @@ static void io_worker_handle_work(struct io_wq_acct *acct,
> /* handle a whole dependent link */
> do {
> struct io_wq_work *next_hashed, *linked;
> + struct io_kiocb *req;
> unsigned int work_flags = atomic_read(&work->flags);
> unsigned int hash = __io_wq_is_hashed(work_flags)
> ? __io_get_work_hash(work_flags)
> @@ -649,7 +650,10 @@ static void io_worker_handle_work(struct io_wq_acct *acct,
> if (do_kill &&
> (work_flags & IO_WQ_WORK_UNBOUND))
> atomic_or(IO_WQ_WORK_CANCEL, &work->flags);
> + req = container_of(work, struct io_kiocb, work);
> + kcov_remote_start_common(req->ctx->kcov_handle);
> io_wq_submit_work(work);
> + kcov_remote_stop();
> io_assign_current_work(worker, NULL);
>
> linked = io_wq_free_work(work);
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index 103b6c88f252..89cb649944d9 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -293,6 +293,7 @@ static __cold struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
> INIT_HLIST_HEAD(&ctx->cancelable_uring_cmd);
> io_napi_init(ctx);
> mutex_init(&ctx->mmap_lock);
> + ctx->kcov_handle = kcov_common_handle();
>
> return ctx;
>
> diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h
> index e612a66ee80e..7226fbbbf9f0 100644
> --- a/io_uring/io_uring.h
> +++ b/io_uring/io_uring.h
> @@ -7,6 +7,7 @@
> #include <linux/resume_user_mode.h>
> #include <linux/poll.h>
> #include <linux/io_uring_types.h>
> +#include <linux/kcov.h>
I think instead of this, normal kernel coding style is to use includes
directly in the files where they are needed.
https://docs.kernel.org/process/submit-checklist.html says:
"If you use a facility then #include the file that defines/declares
that facility. Don’t depend on other header files pulling in ones that
you use."
> #include <uapi/linux/eventpoll.h>
> #include "alloc_cache.h"
> #include "io-wq.h"
> @@ -581,4 +582,5 @@ static inline bool io_has_work(struct io_ring_ctx *ctx)
> return test_bit(IO_CHECK_CQ_OVERFLOW_BIT, &ctx->check_cq) ||
> io_local_work_pending(ctx);
> }
> +
> #endif
This looks like an accidental whitespace change.
> diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c
> index 46c12afec73e..c7b78ea98587 100644
> --- a/io_uring/sqpoll.c
> +++ b/io_uring/sqpoll.c
> @@ -342,19 +342,23 @@ static int io_sq_thread(void *data)
>
> cap_entries = !list_is_singular(&sqd->ctx_list);
> list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
> + kcov_remote_start_common(ctx->kcov_handle);
> int ret = __io_sq_thread(ctx, sqd, cap_entries, &ist);
>
> if (!sqt_spin && (ret > 0 || !list_empty(&ctx->iopoll_list)))
> sqt_spin = true;
> + kcov_remote_stop();
> }
> if (io_sq_tw(&retry_list, IORING_TW_CAP_ENTRIES_VALUE))
> sqt_spin = true;
>
> list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
> + kcov_remote_start_common(ctx->kcov_handle);
> if (io_napi(ctx)) {
> io_sq_start_worktime(&ist);
> io_napi_sqpoll_busy_poll(ctx);
> }
> + kcov_remote_stop();
Someone who knows more about networking than me might know this area
better, but I think we probably don't want to have KCOV coverage
around the call to io_napi_sqpoll_busy_poll() for two reasons:
1. This is NAPI busypolling code, designed to busy-loop until network
packets arrive - meaning the limited KCOV coverage buffer will quickly
fill up even if no data is actually being processed.
2. As far as I know, io_napi_sqpoll_busy_poll() doesn't really process
data related to the uring instance - it (more or less) merely
busy-polls network interfaces specified by the user. Received packets
are not necessarily actually related to this uring instance.
> }
>
> io_sq_update_worktime(sqd, &ist);
> --
> 2.54.0
>
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH v3] io_uring: annotate remote tasks for kcoverage
2026-06-23 16:37 ` Jann Horn
@ 2026-06-23 16:46 ` Jann Horn
2026-06-24 9:01 ` [PATCH v4] " Robert Femmer
2026-06-24 14:16 ` [PATCH v3] " Jens Axboe
2 siblings, 0 replies; 9+ messages in thread
From: Jann Horn @ 2026-06-23 16:46 UTC (permalink / raw)
To: robert; +Cc: io-uring, Jens Axboe, Dmitry Vyukov, Andrey Konovalov, kasan-dev
On Tue, Jun 23, 2026 at 6:37 PM Jann Horn <jannh@google.com> wrote:
> On Tue, May 26, 2026 at 6:49 PM Robert Femmer <robert@fmmr.tech> wrote:
> > Fuzzers use coverage information to guide generation of test cases
> > towards new or interesting code paths. Syzkaller, specifically, makes
> > use kcoverage (CONFIG_KCOV). Coverage information is not collected for
> > kernel tasks unless annotated by kcov_remote_start and kcov_remote_stop.
> > This patch annotates io-uring's work queue and sqpoll tasks.
>
> I think this is a useful change overall.
>
> @maintainers: For context, this should have no impact on normal builds
> - "struct kcov_common_handle_id" is zero-sized in normal builds, and
> all the helpers used here are empty inline functions.
(That was supposed to be "are empty inline functions in normal
builds". I should've re-read this before hitting send...)
> > Depends-on: 20260430-kcov-refactor-common-handle-v1-1-23a0c7a0ba38@google.com
(This landed in mainline in the current merge window.)
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v4] io_uring: annotate remote tasks for kcoverage
2026-06-23 16:37 ` Jann Horn
2026-06-23 16:46 ` Jann Horn
@ 2026-06-24 9:01 ` Robert Femmer
2026-06-24 14:16 ` [PATCH v3] " Jens Axboe
2 siblings, 0 replies; 9+ messages in thread
From: Robert Femmer @ 2026-06-24 9:01 UTC (permalink / raw)
To: io-uring
Cc: Jens Axboe, Dmitry Vyukov, Andrey Konovalov, kasan-dev, Jann Horn,
Robert Femmer
Fuzzers use coverage information to guide generation of test cases
towards new or interesting code paths. Syzkaller, specifically, makes
use kcoverage (CONFIG_KCOV). Coverage information is not collected for
kernel tasks unless annotated by kcov_remote_start and kcov_remote_stop.
This patch annotates io-uring's work queue and sqpoll tasks.
Depends-On: 20260430-kcov-refactor-common-handle-v1-1-23a0c7a0ba38@google.com
Signed-off-by: Robert Femmer <robert@fmmr.tech>
---
include/linux/io_uring_types.h | 2 ++
io_uring/io-wq.c | 5 +++++
io_uring/io_uring.c | 2 ++
io_uring/sqpoll.c | 3 +++
4 files changed, 12 insertions(+)
diff --git a/include/linux/io_uring_types.h b/include/linux/io_uring_types.h
index 244392026c6d..b6590b2b350c 100644
--- a/include/linux/io_uring_types.h
+++ b/include/linux/io_uring_types.h
@@ -504,6 +504,8 @@ struct io_ring_ctx {
struct io_mapped_region ring_region;
/* used for optimised request parameter and wait argument passing */
struct io_mapped_region param_region;
+
+ struct kcov_common_handle_id kcov_handle;
};
/*
diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
index 8cc7b47d3089..173299dfc9c2 100644
--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -19,6 +19,7 @@
#include <linux/mmu_context.h>
#include <linux/sched/sysctl.h>
#include <uapi/linux/io_uring.h>
+#include <linux/kcov.h>
#include "io-wq.h"
#include "slist.h"
@@ -639,6 +640,7 @@ static void io_worker_handle_work(struct io_wq_acct *acct,
/* handle a whole dependent link */
do {
struct io_wq_work *next_hashed, *linked;
+ struct io_kiocb *req;
unsigned int work_flags = atomic_read(&work->flags);
unsigned int hash = __io_wq_is_hashed(work_flags)
? __io_get_work_hash(work_flags)
@@ -649,7 +651,10 @@ static void io_worker_handle_work(struct io_wq_acct *acct,
if (do_kill &&
(work_flags & IO_WQ_WORK_UNBOUND))
atomic_or(IO_WQ_WORK_CANCEL, &work->flags);
+ req = container_of(work, struct io_kiocb, work);
+ kcov_remote_start_common(req->ctx->kcov_handle);
io_wq_submit_work(work);
+ kcov_remote_stop();
io_assign_current_work(worker, NULL);
linked = io_wq_free_work(work);
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 103b6c88f252..ab7c3e45e238 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -59,6 +59,7 @@
#include <linux/audit.h>
#include <linux/security.h>
#include <linux/jump_label.h>
+#include <linux/kcov.h>
#define CREATE_TRACE_POINTS
#include <trace/events/io_uring.h>
@@ -293,6 +294,7 @@ static __cold struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
INIT_HLIST_HEAD(&ctx->cancelable_uring_cmd);
io_napi_init(ctx);
mutex_init(&ctx->mmap_lock);
+ ctx->kcov_handle = kcov_common_handle();
return ctx;
diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c
index 46c12afec73e..aafb640d3b2f 100644
--- a/io_uring/sqpoll.c
+++ b/io_uring/sqpoll.c
@@ -13,6 +13,7 @@
#include <linux/cpuset.h>
#include <linux/sched/cputime.h>
#include <linux/io_uring.h>
+#include <linux/kcov.h>
#include <uapi/linux/io_uring.h>
@@ -342,10 +343,12 @@ static int io_sq_thread(void *data)
cap_entries = !list_is_singular(&sqd->ctx_list);
list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) {
+ kcov_remote_start_common(ctx->kcov_handle);
int ret = __io_sq_thread(ctx, sqd, cap_entries, &ist);
if (!sqt_spin && (ret > 0 || !list_empty(&ctx->iopoll_list)))
sqt_spin = true;
+ kcov_remote_stop();
}
if (io_sq_tw(&retry_list, IORING_TW_CAP_ENTRIES_VALUE))
sqt_spin = true;
--
2.54.0
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH v3] io_uring: annotate remote tasks for kcoverage
2026-06-23 16:37 ` Jann Horn
2026-06-23 16:46 ` Jann Horn
2026-06-24 9:01 ` [PATCH v4] " Robert Femmer
@ 2026-06-24 14:16 ` Jens Axboe
2 siblings, 0 replies; 9+ messages in thread
From: Jens Axboe @ 2026-06-24 14:16 UTC (permalink / raw)
To: Jann Horn, robert; +Cc: io-uring, Dmitry Vyukov, Andrey Konovalov, kasan-dev
On 6/23/26 10:37 AM, Jann Horn wrote:
> On Tue, May 26, 2026 at 6:49 PM Robert Femmer <robert@fmmr.tech> wrote:
>> Fuzzers use coverage information to guide generation of test cases
>> towards new or interesting code paths. Syzkaller, specifically, makes
>> use kcoverage (CONFIG_KCOV). Coverage information is not collected for
>> kernel tasks unless annotated by kcov_remote_start and kcov_remote_stop.
>> This patch annotates io-uring's work queue and sqpoll tasks.
>
> I think this is a useful change overall.
Agree, mostly waiting on Andrey and Robert to hash out the details and
we can get this landed for 7.3. On vacation the next weeks, not much
going on on my end, work wise.
--
Jens Axboe
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2026-06-24 14:16 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-20 15:39 [PATCH] io_uring: annotate remote tasks for kcoverage Robert Femmer
2026-05-20 17:36 ` Andrey Konovalov
2026-05-20 20:43 ` [PATCH v2] " Robert Femmer
2026-05-22 16:23 ` Andrey Konovalov
2026-05-26 16:49 ` [PATCH v3] " Robert Femmer
2026-06-23 16:37 ` Jann Horn
2026-06-23 16:46 ` Jann Horn
2026-06-24 9:01 ` [PATCH v4] " Robert Femmer
2026-06-24 14:16 ` [PATCH v3] " Jens Axboe
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.