Re: [PATCH v3 00/10] KFuzzTest: a new kernel fuzzing framework

[Wentao Zhang]

Hi Ethan,

This looks interesting!

On Thu,  4 Dec 2025 15:12:39 +0100, Ethan Graham <ethan.w.s.graham@xxxxxxxxx> wrote:
> This patch series introduces KFuzzTest, a lightweight framework for
> creating in-kernel fuzz targets for internal kernel functions.
>
> The primary motivation for KFuzzTest is to simplify the fuzzing of
> low-level, relatively stateless functions (e.g., data parsers, format

Do you have any idea how this could be extended to target more stateful
functions?

> converters) that are difficult to exercise effectively from the syscall
> boundary. It is intended for in-situ fuzzing of kernel code without
> requiring that it be built as a separate userspace library or that its
> dependencies be stubbed out. Using a simple macro-based API, developers
> can add a new fuzz target with minimal boilerplate code.
>
> The core design consists of three main parts:
> 1. The `FUZZ_TEST(name, struct_type)` and `FUZZ_TEST_SIMPLE(name)`
>    macros that allow developers to easily define a fuzz test.
> 2. A binary input format that allows a userspace fuzzer to serialize
>    complex, pointer-rich C structures into a single buffer.
> 3. Metadata for test targets, constraints, and annotations, which is
>    emitted into dedicated ELF sections to allow for discovery and
>    inspection by userspace tools. These are found in
>    ".kfuzztest_{targets, constraints, annotations}".
>
> As of September 2025, syzkaller supports KFuzzTest targets out of the
> box, and without requiring any hand-written descriptions - the fuzz

Do you happen to have some numbers on coverage, convergence time etc.
before and after KFuzzTest?

Thanks,
Wentao

> target and its constraints + annotations are the sole source of truth.
>
[snip]