From: Alexander Potapenko <glider@google.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: quic_jiangenj@quicinc.com, linux-kernel@vger.kernel.org,
kasan-dev@googlegroups.com, Aleksandr Nogikh <nogikh@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
Ingo Molnar <mingo@redhat.com>,
Josh Poimboeuf <jpoimboe@kernel.org>,
Marco Elver <elver@google.com>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH v3 08/10] kcov: add ioctl(KCOV_RESET_TRACE)
Date: Wed, 6 Aug 2025 11:47:16 +0200
Message-ID: <CAG_fn=XYS43pefo1EEO6jTTkPHKhB0+hpbh9KGQ5kodAJm3Ncg@mail.gmail.com>
In-Reply-To: <CACT4Y+aEwxFAuKK4WSU8wuAvG01n3+Ch6qBiMSdGjPqNgwscag@mail.gmail.com>
On Tue, Jul 29, 2025 at 1:17 PM Dmitry Vyukov <dvyukov@google.com> wrote:
>
> On Mon, 28 Jul 2025 at 17:26, Alexander Potapenko <glider@google.com> wrote:
> >
> > Provide a mechanism to reset the coverage for the current task
> > without writing directly to the coverage buffer.
> > This is slower, but allows the fuzzers to map the coverage buffer
> > as read-only, making it harder to corrupt.
> >
> > Signed-off-by: Alexander Potapenko <glider@google.com>
>
> Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
>
>
> >
> > ---
> > v2:
> > - Update code to match the new description of struct kcov_state
> >
> > Change-Id: I8f9e6c179d93ccbfe0296b14764e88fa837cfffe
> > ---
> > Documentation/dev-tools/kcov.rst | 26 ++++++++++++++++++++++++++
> > include/uapi/linux/kcov.h | 1 +
> > kernel/kcov.c | 15 +++++++++++++++
> > 3 files changed, 42 insertions(+)
> >
> > diff --git a/Documentation/dev-tools/kcov.rst b/Documentation/dev-tools/kcov.rst
> > index 6446887cd1c92..e215c0651e16d 100644
> > --- a/Documentation/dev-tools/kcov.rst
> > +++ b/Documentation/dev-tools/kcov.rst
> > @@ -470,3 +470,29 @@ local tasks spawned by the process and the global task that handles USB bus #1:
> > perror("close"), exit(1);
> > return 0;
> > }
> > +
> > +
> > +Resetting coverage with an KCOV_RESET_TRACE
> > +-------------------------------------------
> > +
> > +The ``KCOV_RESET_TRACE`` ioctl provides a mechanism to clear collected coverage
> > +data for the current task. It resets the program counter (PC) trace and, if
> > +``KCOV_UNIQUE_ENABLE`` mode is active, also zeroes the associated bitmap.
> > +
> > +The primary use case for this ioctl is to enhance safety during fuzzing.
> > +Normally, a user could map the kcov buffer with ``PROT_READ | PROT_WRITE`` and
> > +reset the trace from the user-space program. However, when fuzzing system calls,
> > +the kernel itself might inadvertently write to this shared buffer, corrupting
> > +the coverage data.
> > +
> > +To prevent this, a fuzzer can map the buffer with ``PROT_READ`` and use
> > +``ioctl(fd, KCOV_RESET_TRACE, 0)`` to safely clear the buffer from the kernel
> > +side before each fuzzing iteration.
> > +
> > +Note that:
> > +
> > +* This ioctl is safer but slower than directly writing to the shared memory
> > + buffer due to the overhead of a system call.
> > +* ``KCOV_RESET_TRACE`` is itself a system call, and its execution will be traced
> > + by kcov. Consequently, immediately after the ioctl returns, cover[0] will be
> > + greater than 0.
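Review bot: the new section title "Resetting coverage with an KCOV_RESET_TRACE" has a stray article; "Resetting coverage with KCOV_RESET_TRACE" reads correctly, and the dashed underline must then be shortened to the new title length so the rst heading still renders. The section also never mentions the ownership constraint that the kernel/kcov.c hunk enforces (`current->kcov != kcov` rejects the request), so a sentence stating that the ioctl only resets the kcov instance attached to the calling task would spare users an unexplained error. In the last bullet, saying what `cover[0]` holds would make the "greater than 0" statement self-contained for readers who jump straight to this section.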
> > diff --git a/include/uapi/linux/kcov.h b/include/uapi/linux/kcov.h
> > index e743ee011eeca..8ab77cc3afa76 100644
> > --- a/include/uapi/linux/kcov.h
> > +++ b/include/uapi/linux/kcov.h
> > @@ -23,6 +23,7 @@ struct kcov_remote_arg {
> > #define KCOV_DISABLE _IO('c', 101)
> > #define KCOV_REMOTE_ENABLE _IOW('c', 102, struct kcov_remote_arg)
> > #define KCOV_UNIQUE_ENABLE _IOW('c', 103, unsigned long)
> > +#define KCOV_RESET_TRACE _IO('c', 104)
> >
> > enum {
> > /*
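Review bot: `KCOV_RESET_TRACE` is defined with `_IO` (no argument), yet the kernel/kcov.c hunk rejects a non-zero `arg`; since this is the UAPI header, a short comment next to the new `#define KCOV_RESET_TRACE _IO('c', 104)` stating that the argument must be 0 (as the documentation hunk's `ioctl(fd, KCOV_RESET_TRACE, 0)` shows) would make that contract visible to userspace without reading the implementation.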
> > diff --git a/kernel/kcov.c b/kernel/kcov.c
> > index a92c848d17bce..82ed4c6150c54 100644
> > --- a/kernel/kcov.c
> > +++ b/kernel/kcov.c
> > @@ -740,6 +740,21 @@ static int kcov_ioctl_locked(struct kcov *kcov, unsigned int cmd,
> > return 0;
> > case KCOV_UNIQUE_ENABLE:
> > return kcov_handle_unique_enable(kcov, arg);
> > + case KCOV_RESET_TRACE:
> > + unused = arg;
> > + if (unused != 0 || current->kcov != kcov)
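Review bot: in the new `case KCOV_RESET_TRACE:` the sequence `unused = arg; if (unused != 0 || current->kcov != kcov)` goes through a temporary for no visible benefit; `if (arg != 0 || current->kcov != kcov)` expresses the same check directly unless `unused` exists to narrow the type. The `current->kcov != kcov` test ties the reset to the calling task's own kcov instance, which is a deliberate policy choice worth a comment in the code since nothing in the hunk explains it. The quoted hunk ends before the error return and the reset itself, so the remainder of the case cannot be checked from this message.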
I think this is too strict; in certain cases it should be possible to
reset the trace not belonging to the current thread. WDYT?
E.g. syzkaller does that for the extra coverage:
https://github.com/google/syzkaller/blob/ffe1dd46b97d508a7b65c279b8108eeaade66cb1/executor/executor.cc#L920