From: Dmitry Vyukov <dvyukov@google.com>
To: Alexander Potapenko <glider@google.com>
Cc: quic_jiangenj@quicinc.com, linux-kernel@vger.kernel.org,
kasan-dev@googlegroups.com, Aleksandr Nogikh <nogikh@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
Ingo Molnar <mingo@redhat.com>,
Josh Poimboeuf <jpoimboe@kernel.org>,
Marco Elver <elver@google.com>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH v3 08/10] kcov: add ioctl(KCOV_RESET_TRACE)
Date: Tue, 29 Jul 2025 13:17:41 +0200
Message-ID: <CACT4Y+aEwxFAuKK4WSU8wuAvG01n3+Ch6qBiMSdGjPqNgwscag@mail.gmail.com>
In-Reply-To: <20250728152548.3969143-9-glider@google.com>
On Mon, 28 Jul 2025 at 17:26, Alexander Potapenko <glider@google.com> wrote:
>
> Provide a mechanism to reset the coverage for the current task
> without writing directly to the coverage buffer.
> This is slower, but allows the fuzzers to map the coverage buffer
> as read-only, making it harder to corrupt.
>
> Signed-off-by: Alexander Potapenko <glider@google.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
>
> ---
> v2:
> - Update code to match the new description of struct kcov_state
>
> Change-Id: I8f9e6c179d93ccbfe0296b14764e88fa837cfffe
> ---
> Documentation/dev-tools/kcov.rst | 26 ++++++++++++++++++++++++++
> include/uapi/linux/kcov.h | 1 +
> kernel/kcov.c | 15 +++++++++++++++
> 3 files changed, 42 insertions(+)
>
> diff --git a/Documentation/dev-tools/kcov.rst b/Documentation/dev-tools/kcov.rst
> index 6446887cd1c92..e215c0651e16d 100644
> --- a/Documentation/dev-tools/kcov.rst
> +++ b/Documentation/dev-tools/kcov.rst
> @@ -470,3 +470,29 @@ local tasks spawned by the process and the global task that handles USB bus #1:
> perror("close"), exit(1);
> return 0;
> }
> +
> +
> +Resetting coverage with an KCOV_RESET_TRACE
> +-------------------------------------------
> +
> +The ``KCOV_RESET_TRACE`` ioctl provides a mechanism to clear collected coverage
> +data for the current task. It resets the program counter (PC) trace and, if
> +``KCOV_UNIQUE_ENABLE`` mode is active, also zeroes the associated bitmap.
> +
> +The primary use case for this ioctl is to enhance safety during fuzzing.
> +Normally, a user could map the kcov buffer with ``PROT_READ | PROT_WRITE`` and
> +reset the trace from the user-space program. However, when fuzzing system calls,
> +the kernel itself might inadvertently write to this shared buffer, corrupting
> +the coverage data.
> +
> +To prevent this, a fuzzer can map the buffer with ``PROT_READ`` and use
> +``ioctl(fd, KCOV_RESET_TRACE, 0)`` to safely clear the buffer from the kernel
> +side before each fuzzing iteration.
> +
> +Note that:
> +
> +* This ioctl is safer but slower than directly writing to the shared memory
> + buffer due to the overhead of a system call.
> +* ``KCOV_RESET_TRACE`` is itself a system call, and its execution will be traced
> + by kcov. Consequently, immediately after the ioctl returns, cover[0] will be
> + greater than 0.
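Review bot: the new section heading "Resetting coverage with an KCOV_RESET_TRACE" has a stray article; it should read "Resetting coverage with KCOV_RESET_TRACE", and since this is reStructuredText the dash underline below it must be shortened to the same length as the corrected title or Sphinx will warn about a title underline that is too long. While editing the text, it would also help to state that the reset only clears the entry count (``cover[0]``) and the unique-mode bitmap rather than wiping every PC slot, so that readers do not assume the mapped area is zeroed after the call; the last bullet already hints at this by noting that ``cover[0]`` is non-zero on return.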
> diff --git a/include/uapi/linux/kcov.h b/include/uapi/linux/kcov.h
> index e743ee011eeca..8ab77cc3afa76 100644
> --- a/include/uapi/linux/kcov.h
> +++ b/include/uapi/linux/kcov.h
> @@ -23,6 +23,7 @@ struct kcov_remote_arg {
> #define KCOV_DISABLE _IO('c', 101)
> #define KCOV_REMOTE_ENABLE _IOW('c', 102, struct kcov_remote_arg)
> #define KCOV_UNIQUE_ENABLE _IOW('c', 103, unsigned long)
> +#define KCOV_RESET_TRACE _IO('c', 104)
>
> enum {
> /*
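Review bot: a one-line comment above `#define KCOV_RESET_TRACE _IO('c', 104)` would help userspace authors, because the uapi header is where they look first: the command takes no argument (the handler rejects a non-zero `arg` with -EINVAL) and must be issued by the task that currently has coverage enabled on this fd, otherwise it also fails with -EINVAL. Using `_IO` rather than `_IOW` is consistent with `KCOV_DISABLE` just above it.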
> diff --git a/kernel/kcov.c b/kernel/kcov.c
> index a92c848d17bce..82ed4c6150c54 100644
> --- a/kernel/kcov.c
> +++ b/kernel/kcov.c
> @@ -740,6 +740,21 @@ static int kcov_ioctl_locked(struct kcov *kcov, unsigned int cmd,
> return 0;
> case KCOV_UNIQUE_ENABLE:
> return kcov_handle_unique_enable(kcov, arg);
> + case KCOV_RESET_TRACE:
> + unused = arg;
> + if (unused != 0 || current->kcov != kcov)
> + return -EINVAL;
> + t = current;
> + if (WARN_ON(kcov->t != t))
> + return -EINVAL;
> + mode = kcov->mode;
> + if (mode < KCOV_MODE_TRACE_PC)
> + return -EINVAL;
> + if (kcov->state.bitmap)
> + bitmap_zero(kcov->state.bitmap,
> + kcov->state.bitmap_size);
> + WRITE_ONCE(kcov->state.trace[0], 0);
> + return 0;
> case KCOV_DISABLE:
> /* Disable coverage for the current task. */
> unused = arg;
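Review bot: the reset writes only `trace[0]` and the bitmap, so the PC entries behind the count remain in the buffer; that is correct given that consumers treat `trace[0]` as the length, but a short comment above `WRITE_ONCE(kcov->state.trace[0], 0);` saying so would stop a future reader from "fixing" it into a full memset of the trace area. The `current->kcov != kcov` check followed by `WARN_ON(kcov->t != t)` mirrors the `KCOV_DISABLE` case below, which keeps the task-ownership invariant enforced the same way for both commands, and placing the `mode < KCOV_MODE_TRACE_PC` check before `bitmap_zero()` ensures the bitmap is only touched once the fd is known to be in a tracing mode.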
> --
> 2.50.1.470.g6ba607880d-goog
>