google / syzkaller

syzkaller is an unsupervised coverage-guided kernel fuzzer
Apache License 2.0

KCOV: traces interrupts #4868

Open dvyukov opened 3 months ago

dvyukov commented 3 months ago

Turns out KCOV is semi-broken on x86 since May 2020. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6368558c37107bed35950cfbd994f49de07236dc Added instrumented kvm_set_cpu_l1tf_flush_l1d() to interrupt entry outside of the official preempt count accounting for irqs, so KCOV thinks this function runs in task context. This adds the PC at random places in the KCOV trace, and since we hash adjacent PCs, this produces an infinite amount of false fuzzing signal.

We could try to add noinstr here: https://elixir.bootlin.com/linux/v6.10-rc2/source/arch/x86/include/asm/hardirq.h#L72 But it's unclear if it's guaranteed to suppress all of __this_cpu_write as well for both gcc and clang.
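To see why one stray instrumented PC in the trace keeps producing new signal, here is an added Go model (not syzkaller's own code; the hash function and all PC values are assumed placeholders) that derives adjacent-PC edge signals from a KCOV trace and injects an interrupt-entry PC at each possible position of an otherwise deterministic trace:

```go
package main
import "fmt"

// hashPC is a bijective 64-bit mixer standing in for the fuzzer's PC hash (an assumption, not syzkaller's exact function).
func hashPC(pc uint64) uint64 {
	pc ^= pc >> 33
	pc *= 0xff51afd7ed558ccd
	pc ^= pc >> 33
	return pc
}
// edgeSignals derives the adjacent-PC signals from a KCOV trace: hashed previous PC combined with the current PC.
func edgeSignals(trace []uint64) map[uint64]bool {
	sigs := make(map[uint64]bool)
	var prev uint64
	for _, pc := range trace {
		sigs[hashPC(prev)^pc] = true
		prev = pc
	}
	return sigs
}

// injectAt inserts strayPC before index i, modelling an interrupt whose instrumented entry
// code reports its PC to KCOV as if it ran in task context.
func injectAt(trace []uint64, i int, strayPC uint64) []uint64 {
	out := append([]uint64{}, trace[:i]...)
	out = append(out, strayPC)
	return append(out, trace[i:]...)
}

// newSignals returns the signals in got that baseline never produced.
func newSignals(baseline, got map[uint64]bool) map[uint64]bool {
	diff := make(map[uint64]bool)
	for s := range got {
		if !baseline[s] {
			diff[s] = true
		}
	}
	return diff
}

func main() {
	// Constructed trace of one deterministic syscall path; all PCs are placeholders.
	trace := []uint64{0xffffffff81000100, 0xffffffff81000140, 0xffffffff81000180, 0xffffffff810001c0}
	stray := uint64(0xffffffff81aaaa00) // placeholder PC inside the interrupt-entry function
	base := edgeSignals(trace)
	for i := 0; i <= len(trace); i++ { // same program; the interrupt lands somewhere else each run
		fmt.Printf("interrupt at %d: %d new signals\n", i, len(newSignals(base, edgeSignals(injectAt(trace, i, stray)))))
	}
}
```

Re-running the same program without the interrupt yields no new signal, while every distinct interrupt position yields one or two edges the fuzzer has never seen, so the set of "new" signals grows with each run.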

dvyukov commented 3 months ago

Wonder if it's possible to call interrupt functions directly... or can we just JMP onto the function? If it's possible to call it, then we could add a nice boot test: if KCOV config is enabled, call the interrupt function and check that kcov ignored all coverage callbacks. If not, panic. Then if we have this in syzbot kernels, they will start panicking on boot and we immediately notice.