Re: [PATCH v4 2/6] kfuzztest: implement core module and input processing

[Alexander Potapenko]

On Mon, Jan 12, 2026 at 8:28 PM Ethan Graham <ethan.w.s.graham@xxxxxxxxx> wrote:

> + * Copyright 2025 Google LLC
> + */
> +#include <linux/kfuzztest.h>

General comment: please include what you use.
Make sure there are headers for e.g. add_taint(), pr_warn(), kzalloc().


> +        * Taint the kernel on the first fuzzing invocation. The debugfs
> +        * interface provides a high-risk entry point for userspace to
> +        * call kernel functions with untrusted input.
> +        */
> +       if (!test_taint(TAINT_TEST))
> +               add_taint(TAINT_TEST, LOCKDEP_STILL_OK);
> +
> +       if (len > KFUZZTEST_MAX_INPUT_SIZE) {
> +               pr_warn("kfuzztest: user input of size %zu is too large", len);

Let's change it to pr_warn_ratelimited() to avoid log spamming.
Or maybe -EINVAL is enough for the userspace even without a log message?

> +               return -EINVAL;
> +       }
> +
> +       buffer = kzalloc(len, GFP_KERNEL);
> +       if (!buffer)
> +               return -ENOMEM;
> +
> +       ret = simple_write_to_buffer(buffer, len, off, buf, len);
> +       if (ret != len) {
> +               kfree(buffer);
> +               return -EFAULT;

I suggest returning `ret` here if it is < 0, and -EFAULT otherwise.


> +#include <linux/atomic.h>
> +#include <linux/debugfs.h>
> +#include <linux/err.h>
> +#include <linux/fs.h>
> +#include <linux/kasan.h>
> +#include <linux/kfuzztest.h>
> +#include <linux/module.h>
> +#include <linux/printk.h>

Missing <linux/slab.h> for the allocation functions.

> +       /* Create the main "kfuzztest" directory in /sys/kernel/debug. */
> +       state.kfuzztest_dir = debugfs_create_dir("kfuzztest", NULL);
> +       if (!state.kfuzztest_dir) {
> +               pr_warn("kfuzztest: could not create 'kfuzztest' debugfs directory");
> +               return -ENOMEM;

Note: leaking state.target_fops here.


> +       for (targ = __kfuzztest_simple_targets_start; targ < __kfuzztest_simple_targets_end; targ++, i++) {
> +               state.target_fops[i].target_simple = (struct file_operations){
> +                       .owner = THIS_MODULE,
> +                       .write = targ->write_input_cb,
> +               };
> +               err = initialize_target_dir(&state, targ, &state.target_fops[i]);
> +               /*
> +                * Bail out if a single target fails to initialize. This avoids
> +                * partial setup, and a failure here likely indicates an issue
> +                * with debugfs.
> +                */

An initialization failure could result from something as simple as a
name collision.
Do we want to bail out in such cases?