Maintainer workflows discussions
From: Yunseong Kim <yunseong.kim@est.tech>
To: Alexander Potapenko <glider@google.com>
Cc: "Ingo Molnar" <mingo@redhat.com>,
	"Peter Zijlstra" <peterz@infradead.org>,
	"Juri Lelli" <juri.lelli@redhat.com>,
	"Vincent Guittot" <vincent.guittot@linaro.org>,
	"Dietmar Eggemann" <dietmar.eggemann@arm.com>,
	"Steven Rostedt" <rostedt@goodmis.org>,
	"Ben Segall" <bsegall@google.com>, "Mel Gorman" <mgorman@suse.de>,
	"Valentin Schneider" <vschneid@redhat.com>,
	"K Prateek Nayak" <kprateek.nayak@amd.com>,
	"Dmitry Vyukov" <dvyukov@google.com>,
	"Andrey Konovalov" <andreyknvl@gmail.com>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Nathan Chancellor" <nathan@kernel.org>,
	"Nick Desaulniers" <nick.desaulniers+lkml@gmail.com>,
	"Bill Wendling" <morbo@google.com>,
	"Justin Stitt" <justinstitt@google.com>,
	"Nicolas Schier" <nsc@kernel.org>,
	"Miguel Ojeda" <ojeda@kernel.org>,
	"Boqun Feng" <boqun@kernel.org>, "Gary Guo" <gary@garyguo.net>,
	"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
	"Benno Lossin" <lossin@kernel.org>,
	"Andreas Hindborg" <a.hindborg@kernel.org>,
	"Alice Ryhl" <aliceryhl@google.com>,
	"Trevor Gross" <tmgross@umich.edu>,
	"Danilo Krummrich" <dakr@kernel.org>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Shuah Khan" <skhan@linuxfoundation.org>,
	linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com,
	llvm@lists.linux.dev, linux-kbuild@vger.kernel.org,
	rust-for-linux@vger.kernel.org, workflows@vger.kernel.org,
	linux-doc@vger.kernel.org, "Yunseong Kim" <ysk@kzalloc.com>
Subject: Re: [RFC PATCH v2 1/6] kcov: add per-task dataflow tracking for function arguments/return values
Date: Fri, 12 Jun 2026 09:52:19 +0200
Message-ID: <dfdcaf30-5cb9-43ff-956f-99292d8cdcff@est.tech>
In-Reply-To: <CAG_fn=UMJJz+3zipowaC4uTvcbC0gvXbBRaF0UUJ_1AW+oWNGA@mail.gmail.com>

Hi Alexander,

>> - Per-task buffer: task->kcov_df_area with atomic xadd reservation
> 
> I don't understand this line...
> 
>> - Recursion-safe: notrace __no_sanitize_coverage noinline
>> - ERR_PTR aware: skips struct expansion for error pointers
> 
> ... and this.

I updated this text in the v2 patch.

>>
>> The callbacks (__sanitizer_cov_trace_args/ret) are inserted by the
>> compiler when -fsanitize-coverage=dataflow-args,dataflow-ret is used.
>> The Kconfig options depend on cc-option to verify compiler support.
>>
>> Buffer format (TLV records, all u64):
>>   area[0]: atomic word count
>>   [pos+0]: type_and_seq (0xE=entry, 0xF=return in upper 4 bits)
>>   [pos+1]: PC
>>   [pos+2]: meta (arg_idx | arg_size | ptr)
>>   [pos+3..N]: field values read via copy_from_kernel_nofault()
>>
>> This is completely independent from legacy /sys/kernel/debug/kcov.
>> Existing users (syzkaller, oss-fuzz) are unaffected.
> 
> Does oss-fuzz even use kcov?

Also, I removed this text in the v2 patch. I mistakenly confused it with another
usage of KCOV with another fuzzer.

  https://security.googleblog.com/2024/06/hacking-for-defenders-approaches-to.html

>>
>> Signed-off-by: Yunseong Kim <yunseong.kim@est.tech>
>> ---
>>  include/linux/sched.h |   8 ++
>>  kernel/kcov.c         | 291 ++++++++++++++++++++++++++++++++++++++++++++++++++
>>  lib/Kconfig.debug     |  22 ++++
>>  3 files changed, 321 insertions(+)
>>
>> diff --git a/include/linux/sched.h b/include/linux/sched.h
>> index c4433c185ad8..03be4b495f70 100644
>> --- a/include/linux/sched.h
>> +++ b/include/linux/sched.h
>> @@ -1533,6 +1533,14 @@ struct task_struct {
>>         /* KCOV sequence number: */
>>         int                             kcov_sequence;
>>
>> +       /* KCOV dataflow per-task sequence counter for TLV records: */
>> +       u32                             kcov_dataflow_seq;
>> +
>> +       /* KCOV dataflow: separate buffer for trace-args/trace-ret */
>> +       unsigned int                    kcov_df_size;
>> +       void                            *kcov_df_area;
>> +       bool                            kcov_df_enabled;
>> +
>>         /* Collect coverage from softirq context: */
>>         unsigned int                    kcov_softirq;
>>  #endif
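Review bot: the new fields kcov_dataflow_seq, kcov_df_size, kcov_df_area and kcov_df_enabled are added inside the existing KCOV block closed by the `#endif` at the end of this hunk, while the dataflow code in kernel/kcov.c is guarded by `#if defined(CONFIG_KCOV_DATAFLOW_ARGS) || defined(CONFIG_KCOV_DATAFLOW_RET)`; wrap the fields in that same guard so task_struct does not grow for kernels that only enable legacy kcov. Also, `bool kcov_df_enabled` placed directly before `unsigned int kcov_softirq` leaves padding; moving the bool next to another narrow field would avoid it.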
>> diff --git a/kernel/kcov.c b/kernel/kcov.c
>> index 1df373fb562b..d3c9c0efe961 100644
>> --- a/kernel/kcov.c
>> +++ b/kernel/kcov.c
>> @@ -353,6 +353,288 @@ void notrace __sanitizer_cov_trace_switch(kcov_u64 val, void *arg)
>>  EXPORT_SYMBOL(__sanitizer_cov_trace_switch);
>>  #endif /* ifdef CONFIG_KCOV_ENABLE_COMPARISONS */
>>
>> +#if defined(CONFIG_KCOV_DATAFLOW_ARGS) || defined(CONFIG_KCOV_DATAFLOW_RET)
>> +/*
>> + * KCOV Dataflow: /sys/kernel/debug/kcov_dataflow
>> + *
>> + * Completely separate from legacy /sys/kernel/debug/kcov.
> 
> Since this code is completely separate, could it be put into a separate file?
> I think kcov.c is too big already.

Thank you again for your guidance; I updated it in v2.

>> + * Own buffer, own ioctl, own mmap. No printk — buffer only.
> 
> Can you please not use these long dashes in C code?

I removed all of them in v2.

>> +/*
>> + * Core write function — no printk, no locks, just atomic buffer write.
> 
> I think it's okay to omit what this function is not doing.
> 
> 
>> +
>> +       /* Atomic reservation */
>> +       pos = 1 + xadd((unsigned long *)&area[0], record_len);
>> +       if (unlikely(pos + record_len > max_pos)) {
>> +               xadd((unsigned long *)&area[0], -(long)record_len);
>> +               return;
>> +       }
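Review bot: the reservation at `pos = 1 + xadd((unsigned long *)&area[0], record_len);` advances area[0] before the bounds check, so between that xadd and the compensating `xadd(..., -(long)record_len)` any reader of area[0] (the userspace consumer reading the word count from the mapped buffer, or another writer) observes a count that points past max_pos; xadd() is also x86-only. Either switch to a cmpxchg-style loop that only advances area[0] when `pos + record_len <= max_pos` holds, or, if the buffer is written only by its owning task, drop the atomic and follow the READ_ONCE/WRITE_ONCE pattern of write_comp_data(); in both cases the consumer should clamp the count to the mapped size before indexing.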
> 
> Have you tried compiling this code on ARM64?
> I am pretty sure they don't have xadd(), so it won't work.
> But why do we need an atomic increment here at all? write_comp_data()
> performs the same job, and does not need it.
> Or am I missing something?

Thank you again for pointing this out. After updating to the READ_ONCE/WRITE_ONCE
atomic pattern, the test results based on v2 on arm64 for the Rust for Linux
kernel module (eight_struct_args_rust) are as follows:

 do_el0_svc({0xffffffffffffff9c, 0xffffffffffffff9c, 0xffffffff, 0x0, 0x0, 0x0})
   invoke_syscall({0xffffffffffffff9c, 0xffffffffffffff9c, 0x38, 0x0, 0x0, 0x0}, 0x38)
     __arm64_sys_openat({0xffffffffffffff9c, 0xffffffffffffff9c, 0x38, 0x0, 0x0, 0x0})
       ksys_write(0xffff9a031231, 0x1)
         fdget_pos(0x4)
         0xffff000004421cc0 = fdget_pos()
       0x0 = vfs_write()
       vfs_write(0xffff9a031231, 0x1, 0x0)
       0x0 = _RNvCsdfZGIOKgjaD_22eight_struct_args_rust13write_handler [eight_struct_args_rust]()
       _RNvCsdfZGIOKgjaD_22eight_struct_args_rust13write_handler [eight_struct_args_rust](0xffff9a031231, 0x1, 0x0)
         rsf_1 [eight_struct_args_rust](0x11)
         0x11 = rsf_1 [eight_struct_args_rust]()
         rsf_2 [eight_struct_args_rust](0x11, {0x11, 0x22})
         0x33 = rsf_2 [eight_struct_args_rust]()
         rsf_4 [eight_struct_args_rust](0x11, {0x11, 0x22}, {0x11, 0x22, 0x33}, {0x11, 0x22, 0x33, 0x44})
         0xaa = rsf_4 [eight_struct_args_rust]()

 ...

Latest test results from GitHub CI:

  https://github.com/yskzalloc/kcov-dataflow/actions/runs/27397351811/job/80967927283

Best regards,
Yunseong
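The following is a userspace model of the record buffer described in the quoted commit message, added here as an example; it is not code from the patch or from the v2 series. It contrasts the xadd-then-rollback reservation quoted above with a compare-and-swap reservation that never publishes a word count beyond the buffer end, and includes a reader that recovers records from the header and clamps the count to the mapped size. The bit layouts of type_and_seq (type in the top 4 bits, sequence in the low 32) and meta (arg_idx, arg_size in bytes, ptr flag), the rule that the value-word count is arg_size rounded up to u64s, and all `df_` names are assumptions made for this example; the patch's actual encoding is not shown on the page.

```c
/*
 * Added example, not the patch's code: a userspace model of the
 * kcov_dataflow record buffer. area[0] is the word count; each record is
 * a 3-word header (type_and_seq, PC, meta) followed by value words.
 * The bit layouts below are ASSUMPTIONS so that the record length can be
 * recovered from the header.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DF_TYPE_ENTRY 0xEULL
#define DF_TYPE_RET   0xFULL

/* Assumed header layout: record type in bits 63..60, sequence in bits 31..0. */
static inline uint64_t df_hdr(uint64_t type, uint32_t seq)
{
	return (type << 60) | seq;
}

static inline uint64_t df_hdr_type(uint64_t w)
{
	return w >> 60;
}

/* Assumed meta layout: arg_idx bits 63..56, arg_size (bytes) bits 55..32, ptr flag bit 0. */
static inline uint64_t df_meta(unsigned int arg_idx, uint32_t arg_size, bool ptr)
{
	return ((uint64_t)(arg_idx & 0xff) << 56) |
	       ((uint64_t)(arg_size & 0xffffff) << 32) | (ptr ? 1 : 0);
}

/* Value words after the 3-word header: arg_size rounded up to whole u64s (assumed). */
static inline size_t df_nvals(uint64_t meta)
{
	return (((meta >> 32) & 0xffffff) + 7) / 8;
}

/*
 * Patch-style reservation: unconditional fetch-add, roll back on overflow.
 * Portable stand-in for the x86-only xadd(). Between the add and the
 * rollback, area[0] is briefly published above the buffer end.
 */
static long df_reserve_xadd(uint64_t *area, size_t max_pos, size_t len)
{
	size_t pos = 1 + __atomic_fetch_add(&area[0], len, __ATOMIC_RELAXED);

	if (pos + len > max_pos) {
		__atomic_fetch_sub(&area[0], len, __ATOMIC_RELAXED);
		return -1;
	}
	return (long)pos;
}

/*
 * CAS-loop reservation: area[0] only advances when the record fits, so a
 * reader racing with a failed reservation never sees a count past max_pos.
 */
static long df_reserve_cas(uint64_t *area, size_t max_pos, size_t len)
{
	uint64_t old = __atomic_load_n(&area[0], __ATOMIC_RELAXED);

	for (;;) {
		if (1 + old + len > max_pos)
			return -1;
		if (__atomic_compare_exchange_n(&area[0], &old, old + len, true,
						__ATOMIC_RELAXED, __ATOMIC_RELAXED))
			return (long)(1 + old);
		/* CAS failed: old now holds the current count, retry. */
	}
}

/* Append one record using the CAS reservation; false when the buffer is full. */
static bool df_write(uint64_t *area, size_t max_pos, uint64_t type, uint32_t seq,
		     uint64_t pc, uint64_t meta, const uint64_t *vals)
{
	size_t n = df_nvals(meta);
	long pos = df_reserve_cas(area, max_pos, 3 + n);

	if (pos < 0)
		return false;
	area[pos] = df_hdr(type, seq);
	area[pos + 1] = pc;
	area[pos + 2] = meta;
	memcpy(&area[pos + 3], vals, n * sizeof(uint64_t)); /* kernel side: copy_from_kernel_nofault() */
	return true;
}

typedef void (*df_cb_t)(uint64_t type, uint64_t pc, uint64_t meta,
			const uint64_t *vals, size_t n, void *ctx);

/*
 * Consumer: walk records, clamping the published count to the mapped size.
 * Returns the number of records, or -1 if a header is malformed or runs
 * past the end (e.g. a reserved but not yet written region).
 */
static long df_parse(const uint64_t *area, size_t max_pos, df_cb_t cb, void *ctx)
{
	uint64_t count = __atomic_load_n(&area[0], __ATOMIC_ACQUIRE);
	size_t end = (count + 1 > max_pos) ? max_pos : (size_t)(count + 1);
	long records = 0;
	size_t pos = 1;

	while (pos < end) {
		if (pos + 3 > end)
			return -1;
		uint64_t type = df_hdr_type(area[pos]);
		size_t n = df_nvals(area[pos + 2]);

		if ((type != DF_TYPE_ENTRY && type != DF_TYPE_RET) || pos + 3 + n > end)
			return -1;
		if (cb)
			cb(type, area[pos + 1], area[pos + 2], &area[pos + 3], n, ctx);
		pos += 3 + n;
		records++;
	}
	return records;
}
```

The reader treats a reserved-but-unwritten region as malformed rather than as data, which is the failure a consumer would hit if it trusted a count that was advanced before the record body was filled in.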


Thread overview (25+ messages):
2026-06-03 17:43 [RFC PATCH v2 0/6] kcov: per-task dataflow extraction at kernel function boundaries Yunseong Kim
2026-06-03 17:43 ` [RFC PATCH v2 1/6] kcov: add per-task dataflow tracking for function arguments/return values Yunseong Kim
2026-06-03 19:25   ` Nicolas Schier
2026-06-04  8:41   ` Peter Zijlstra
2026-06-12  7:55     ` Yunseong Kim
2026-06-05 16:05   ` Alexander Potapenko
2026-06-12  7:52     ` Yunseong Kim [this message]
2026-06-03 17:43 ` [RFC PATCH v2 2/6] kcov: add build system support for dataflow instrumentation Yunseong Kim
2026-06-04  8:45   ` Peter Zijlstra
2026-06-04 21:48     ` Nathan Chancellor
2026-06-05 15:29   ` Alexander Potapenko
2026-06-03 17:43 ` [RFC PATCH v2 3/6] kcov: add CONFIG_KCOV_DATAFLOW_INSTRUMENT_ALL and NO_INLINE Yunseong Kim
2026-06-04  8:46   ` Peter Zijlstra
2026-06-03 17:43 ` [RFC PATCH v2 4/6] tools/kcov-dataflow: add userspace consumer and test modules Yunseong Kim
2026-06-05 15:19   ` Alexander Potapenko
2026-06-03 17:43 ` [RFC PATCH v2 5/6] kcov: add interrupt context guard to kcov_df_write() Yunseong Kim
2026-06-04  8:48   ` Peter Zijlstra
2026-06-03 17:43 ` [RFC PATCH v2 6/6] kcov: add recursion guard and documentation for kcov-dataflow Yunseong Kim
2026-06-04  8:52   ` Peter Zijlstra
2026-06-04  8:40 ` [RFC PATCH v2 0/6] kcov: per-task dataflow extraction at kernel function boundaries Peter Zijlstra
2026-06-12  7:37   ` Yunseong Kim
2026-06-12  7:38     ` Peter Zijlstra
2026-06-04  9:29 ` Yunseong Kim
2026-06-05 16:20 ` Alexander Potapenko
2026-06-12  7:33   ` Yunseong Kim