From nobody Thu Oct 2 07:48:33 2025 Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1C001314B89 for ; Fri, 19 Sep 2025 14:58:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.48 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758293887; cv=none; b=HTvRlfn37HECVUnh/nXmIGKs41Ck4+C/3cyapnUWp78CbyIqCIS/vLYGBNsUkk+v8ooSfF44xwRhdoCJLLTk9HX0agfATHj1b+AzzVZ1oLPRDMwTZVy2kR5zZ+FmfolpEBQyL5ipEzkRw467LnPl5qyGQXpYslrucJAFaRF5rSQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758293887; c=relaxed/simple; bh=ZOuSxhMxiHfYY+cea7oBYHCr7psQOpltTrm/vr4oNVQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=BEGkMEcu++myOnEVBUw2ZAQoWsYG5aiAkunVtFi5TQpjC7HfMXzc7ndXc3yUzDBMfZxwzI8Ef26m2KyUZv66oKIrySRlHktutAzwwGnyatqTkL5PYtYcp9UsT76NPZ6aTDgjP0Tg/q2FggKDjDhEDIHXBpIyNx5uCvoSXoE3N9s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Adys5oqQ; arc=none smtp.client-ip=209.85.221.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Adys5oqQ" Received: by mail-wr1-f48.google.com with SMTP id ffacd0b85a97d-3ee15b5435bso915079f8f.0 for ; Fri, 19 Sep 2025 07:58:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1758293883; x=1758898683; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Zunbl6fvIHEqkfAd29udw7Y98ixve3unSQwmEkkt7GA=; b=Adys5oqQVB2eog04UUBB6k28n5Kd5Gk8riCfaHFkvullg8GGTMcd6BiI0J6kpqSCMl 8swcBi7QdjUFkrwEhjiuG7cqYpC1TgYB6ggaEcYx8WfhqZcdzZb0gMWv4bwQcDhigk2O nKG0E7Q1F7sUJvUXy/CuPKuEyR/HxZ7Z3TM3cIodbn//P5Rcd6kQy0h0FF01EDUCG+IE Br621H2gGHRbZzPM02FhXmQGvVtIazJYQcTpqZkiiuBFEsJYRYGSzo9IFOfNPPWIEjcQ c5IqdKAWR8nVsNDKzmSGc2sIQwWlAXRFaTrY9UrdBD+Wsr3+ciroyIAu22GTjq+1lGCb 5l7w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758293883; x=1758898683; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Zunbl6fvIHEqkfAd29udw7Y98ixve3unSQwmEkkt7GA=; b=LYwONCcZpYvWqXqMDxChQkwQoc8xE1Qi0ZwBjwdks64+fE/NvleKNG+KQnUNbzxyl0 ctsPbIxVxeGJWfXCaZ5VfkPWTXzkj1ZmvCHt84GReWuNskViG7spFcsft7pSnjqncT9f kgqmut5aYuL8PGmt0Ve4vHIiUUNa9zQHIEVb31kdYab71mgN4g/ziej3dy8bT5M8ZloI rzGsroAv7XJ7TbSIFRyCi/TCgcqwz1Xb9HN69Zs4nWqwGwCy+zvZy4hncs6liMaz4spN J9R8A/TaVZmDcCHA+NsZfSqYBoZijSW0eET9yBtPxmiWn5jXPsh6DyKS2AJVHjteogad N2kw== X-Forwarded-Encrypted: i=1; AJvYcCVL8HWfFRU+0bbod26w144uarfxKIe8AmGlCA6mFgPz0SXm3IUXiPh4s+qgh9Bx1YySktNux59uqZaou9k=@vger.kernel.org X-Gm-Message-State: AOJu0YygluQV73v/Y/B5g+5ZLz08MIo2aTwvFg1z8Q+K1bDErnDeSLpb VI8UgojFvuOUxqGAfyZT7i2cu/AOil37a8pmK31sV6d0ywqhfVGBPVff X-Gm-Gg: ASbGncu92qIS3UdunIX+gozKchzoEqa7PcP118jqA7rZM0D+yRRCqceRAh+r5FcmS5Q G1S1aJb1DkItJ/aW5/nKz/2NRSt1n4kAhd9S2NTJkmhmaytYzai/DenwkREnZ8x0jrcWpOc4aHm zBC9xIvrGXYOmIfnB96Vk7G0RiNgKU7nIbCfiG8bj8N+q9Y6Eo1OW6FEvA/2xkuVSMAZK71LbH/ poMfogUxWb3yqraD6g6chsja16XhafVUNMRb3hbWpJHVqM98qS3upOSmft8jVPyN3gRa0chjaKL bVbWume6mYZiqY4p+yYX54Efde4Sal6EW1hXgezEE46Aj6F5g6SlVQ+aAr5qejw5YFW/iyUpTE5 VoPLjtJFc4vM2GqmQA2YYCCtoaiRrQxa+TFGx1g1LUC2w6JTBLF4xb+Mrdi1PmsORIWQNf1M8ay vs9DUTRhdaR1wL+8A= X-Google-Smtp-Source: AGHT+IHDjt8O9vYKO4IAKnSZVCkSqLzYQnMnHfcy6YqHFSDHgfMy0UALYGdy8mo3Zt+AM86r0DMwnw== X-Received: by 2002:a05:6000:2408:b0:3ee:15b4:846c with SMTP id ffacd0b85a97d-3ee7f606f17mr3174553f8f.28.1758293882976; Fri, 19 Sep 2025 07:58:02 -0700 (PDT) Received: from xl-nested.c.googlers.com.com (124.62.78.34.bc.googleusercontent.com. [34.78.62.124]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3ee0fbc7188sm8551386f8f.37.2025.09.19.07.58.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 19 Sep 2025 07:58:02 -0700 (PDT) From: Ethan Graham To: ethangraham@google.com, glider@google.com Cc: andreyknvl@gmail.com, andy@kernel.org, brauner@kernel.org, brendan.higgins@linux.dev, davem@davemloft.net, davidgow@google.com, dhowells@redhat.com, dvyukov@google.com, elver@google.com, herbert@gondor.apana.org.au, ignat@cloudflare.com, jack@suse.cz, jannh@google.com, johannes@sipsolutions.net, kasan-dev@googlegroups.com, kees@kernel.org, kunit-dev@googlegroups.com, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, lukas@wunner.de, rmoar@google.com, shuah@kernel.org, sj@kernel.org, tarasmadan@google.com Subject: [PATCH v2 05/10] kfuzztest: add ReST documentation Date: Fri, 19 Sep 2025 14:57:45 +0000 Message-ID: <20250919145750.3448393-6-ethan.w.s.graham@gmail.com> X-Mailer: git-send-email 2.51.0.470.ga7dc726c21-goog In-Reply-To: <20250919145750.3448393-1-ethan.w.s.graham@gmail.com> References: <20250919145750.3448393-1-ethan.w.s.graham@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Ethan Graham Add Documentation/dev-tools/kfuzztest.rst and reference it in the dev-tools index. Signed-off-by: Ethan Graham Acked-by: Alexander Potapenko --- PR v2: - Update documentation to reflect new location of kfuzztest-bridge, under tools/testing. PR v1: - Fix some typos and reword some sections. - Correct kfuzztest-bridge grammar description. - Reference documentation in kfuzztest-bridge/input_parser.c header comment. RFC v2: - Add documentation for kfuzztest-bridge tool introduced in patch 4. --- --- Documentation/dev-tools/index.rst | 1 + Documentation/dev-tools/kfuzztest.rst | 385 ++++++++++++++++++ tools/testing/kfuzztest-bridge/input_parser.c | 2 + 3 files changed, 388 insertions(+) create mode 100644 Documentation/dev-tools/kfuzztest.rst diff --git a/Documentation/dev-tools/index.rst b/Documentation/dev-tools/in= dex.rst index 65c54b27a60b..00ccc4da003b 100644 --- a/Documentation/dev-tools/index.rst +++ b/Documentation/dev-tools/index.rst @@ -32,6 +32,7 @@ Documentation/process/debugging/index.rst kfence kselftest kunit/index + kfuzztest ktap checkuapi gpio-sloppy-logic-analyzer diff --git a/Documentation/dev-tools/kfuzztest.rst b/Documentation/dev-tool= s/kfuzztest.rst new file mode 100644 index 000000000000..0c74732ecf21 --- /dev/null +++ b/Documentation/dev-tools/kfuzztest.rst @@ -0,0 +1,385 @@ +.. SPDX-License-Identifier: GPL-2.0 +.. Copyright 2025 Google LLC + +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +Kernel Fuzz Testing Framework (KFuzzTest) +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Overview +=3D=3D=3D=3D=3D=3D=3D=3D + +The Kernel Fuzz Testing Framework (KFuzzTest) is a framework designed to e= xpose +internal kernel functions to a userspace fuzzing engine. + +It is intended for testing stateless or low-state functions that are diffi= cult +to reach from the system call interface, such as routines involved in file +format parsing or complex data transformations. This provides a method for +in-situ fuzzing of kernel code without requiring that it be built as a sep= arate +userspace library or that its dependencies be stubbed out. + +The framework consists of four main components: + +1. An API, based on the ``FUZZ_TEST`` macro, for defining test targets + directly in the kernel tree. +2. A binary serialization format for passing complex, pointer-rich data + structures from userspace to the kernel. +3. A ``debugfs`` interface through which a userspace fuzzer submits + serialized test inputs. +4. Metadata embedded in dedicated ELF sections of the ``vmlinux`` binary = to + allow for the discovery of available fuzz targets by external tooling. + +.. warning:: + KFuzzTest is a debugging and testing tool. It exposes internal kernel + functions to userspace with minimal sanitization and is designed for + use in controlled test environments only. It must **NEVER** be enabled + in production kernels. + +Supported Architectures +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +KFuzzTest is designed for generic architecture support. It has only been +explicitly tested on x86_64. + +Usage +=3D=3D=3D=3D=3D + +To enable KFuzzTest, configure the kernel with:: + + CONFIG_KFUZZTEST=3Dy + +which depends on ``CONFIG_DEBUGFS`` for receiving userspace inputs, and +``CONFIG_DEBUG_KERNEL`` as an additional guardrail for preventing KFuzzTest +from finding its way into a production build accidentally. + +The KFuzzTest sample fuzz targets can be built in with +``CONFIG_SAMPLE_KFUZZTEST``. + +KFuzzTest currently only supports targets that are built into the kernel, = as the +core module's startup process discovers fuzz targets from a dedicated ELF +section during startup. Furthermore, constraints and annotations emit meta= data +that can be scanned from a ``vmlinux`` binary by a userspace fuzzing engin= e. + +Declaring a KFuzzTest target +---------------------------- + +A fuzz target should be defined in a .c file. The recommended place to def= ine +this is under the subsystem's ``/tests`` directory in a ``_kfuz= z.c`` +file, following the convention used by KUnit. The only strict requirement = is +that the function being fuzzed is visible to the fuzz target. + +Defining a fuzz target involves three main parts: defining an input struct= ure, +writing the test body using the ``FUZZ_TEST`` macro, and optionally adding +metadata for the fuzzer. + +The following example illustrates how to create a fuzz target for a functi= on +``int process_data(const char *data, size_t len)``. + +.. code-block:: c + + /* + * 1. Define a struct to model the inputs for the function under test. + * Each field corresponds to an argument needed by the function. + */ + struct process_data_inputs { + const char *data; + size_t len; + }; + + /* + * 2. Define the fuzz target using the FUZZ_TEST macro. + * The first parameter is a unique name for the target. + * The second parameter is the input struct defined above. + */ + FUZZ_TEST(test_process_data, struct process_data_inputs) + { + /* + * Within this body, the 'arg' variable is a pointer to a + * fully initialized 'struct process_data_inputs'. + */ + + /* + * 3. (Optional) Add constraints to define preconditions. + * This check ensures 'arg->data' is not NULL. If the condition + * is not met, the test exits early. This also creates metadata + * to inform the fuzzer. + */ + KFUZZTEST_EXPECT_NOT_NULL(process_data_inputs, data); + + /* + * 4. (Optional) Add annotations to provide semantic hints to the + * fuzzer. This annotation informs the fuzzer that the 'len' field is + * the length of the buffer pointed to by 'data'. Annotations do not + * add any runtime checks. + */ + KFUZZTEST_ANNOTATE_LEN(process_data_inputs, len, data); + + /* + * 5. Call the kernel function with the provided inputs. + * Memory errors like out-of-bounds accesses on 'arg->data' will + * be detected by KASAN or other memory error detection tools. + */ + process_data(arg->data, arg->len); + } + +KFuzzTest provides two families of macros to improve the quality of fuzzin= g: + +- ``KFUZZTEST_EXPECT_*``: These macros define constraints, which are + preconditions that must be true for the test to proceed. They are enforc= ed + with a runtime check in the kernel. If a check fails, the current test r= un is + aborted. This metadata helps the userspace fuzzer avoid generating inval= id + inputs. + +- ``KFUZZTEST_ANNOTATE_*``: These macros define annotations, which are pur= ely + semantic hints for the fuzzer. They do not add any runtime checks and ex= ist + only to help the fuzzer generate more intelligent and structurally corre= ct + inputs. For example, KFUZZTEST_ANNOTATE_LEN links a size field to a poin= ter + field, which is a common pattern in C APIs. + +Metadata +-------- + +Macros ``FUZZ_TEST``, ``KFUZZTEST_EXPECT_*`` and ``KFUZZTEST_ANNOTATE_*`` = embed +metadata into several sections within the main ``.data`` section of the fi= nal +``vmlinux`` binary; ``.kfuzztest_target``, ``.kfuzztest_constraint`` and +``.kfuzztest_annotation`` respectively. + +This serves two purposes: + +1. The core module uses the ``.kfuzztest_target`` section at boot to disco= ver + every ``FUZZ_TEST`` instance and create its ``debugfs`` directory and + ``input`` file. +2. Userspace fuzzers can read this metadata from the ``vmlinux`` binary to + discover targets and learn about their rules and structure in order to + generate correct and effective inputs. + +The metadata in the ``.kfuzztest_*`` sections consists of arrays of fixed-= size C +structs (e.g., ``struct kfuzztest_target``). Fields within these structs t= hat +are pointers, such as ``name`` or ``arg_type_name``, contain addresses that +point to other locations in the ``vmlinux`` binary. A userspace tool that +parsing the ELF file must resolve these pointers to read the data that they +reference. For example, to get a target's name, a tool must: + +1. Read the ``struct kfuzztest_target`` from the ``.kfuzztest_target`` sec= tion. +2. Read the address in the ``.name`` field. +3. Use that address to locate and read null-terminated string from its pos= ition + elsewhere in the binary (e.g., ``.rodata``). + +Tooling Dependencies +-------------------- + +For userspace tools to parse the ``vmlinux`` binary and make use of emitted +KFuzzTest metadata, the kernel must be compiled with DWARF debug informati= on. +This is required for tools to understand the layout of C structs, resolve = type +information, and correctly interpret constraints and annotations. + +When using KFuzzTest with automated fuzzing tools, either +``CONFIG_DEBUG_INFO_DWARF4`` or ``CONFIG_DEBUG_INFO_DWARF5`` should be ena= bled. + +Input Format +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +KFuzzTest targets receive their inputs from userspace via a write to a ded= icated +debugfs file ``/sys/kernel/debug/kfuzztest//input``. + +The data written to this file must be a single binary blob that follows a +specific serialization format. This format is designed to allow complex, +pointer-rich C structures to be represented in a flat buffer, requiring on= ly a +single kernel allocation and copy from userspace. + +An input is first prefixed by an 8-byte header containing a magic value in= the +first four bytes, defined as ``KFUZZTEST_HEADER_MAGIC`` in +```, and a version number in the subsequent four +bytes. + +Version 0 +--------- + +In version 0 (i.e., when the version number in the 8-byte header is equal = to 0), +the input format consists of three main parts laid out sequentially: a reg= ion +array, a relocation table, and the payload.:: + + +----------------+---------------------+-----------+----------------+ + | region array | relocation table | padding | payload | + +----------------+---------------------+-----------+----------------+ + +Region Array +^^^^^^^^^^^^ + +This component is a header that describes how the raw data in the Payload = is +partitioned into logical memory regions. It consists of a count of regions +followed by an array of ``struct reloc_region``, where each entry defines a +single region with its size and offset from the start of the payload. + +.. code-block:: c + + struct reloc_region { + uint32_t offset; + uint32_t size; + }; + + struct reloc_region_array { + uint32_t num_regions; + struct reloc_region regions[]; + }; + +By convention, region 0 represents the top-level input struct that is pass= ed +as the arg variable to the ``FUZZ_TEST`` body. Subsequent regions typically +represent data buffers or structs pointed to by fields within that struct. +Region array entries must be ordered by ascending offset, and must not ove= rlap +with one another. + +Relocation Table +^^^^^^^^^^^^^^^^ + +The relocation table contains the instructions for the kernel to "hydrate"= the +payload by patching pointer fields. It contains an array of +``struct reloc_entry`` items. Each entry acts as a linking instruction, +specifying: + +- The location of a pointer that needs to be patched (identified by a regi= on + ID and an offset within that region). + +- The target region that the pointer should point to (identified by the + target's region ID) or ``KFUZZTEST_REGIONID_NULL`` if the pointer is ``N= ULL``. + +This table also specifies the amount of padding between its end and the st= art +of the payload, which should be at least 8 bytes. + +.. code-block:: c + + struct reloc_entry { + uint32_t region_id; + uint32_t region_offset; + uint32_t value; + }; + + struct reloc_table { + uint32_t num_entries; + uint32_t padding_size; + struct reloc_entry entries[]; + }; + +Payload +^^^^^^^ + +The payload contains the raw binary data for all regions, concatenated tog= ether +according to their specified offsets. + +- Region specific alignment: The data for each individual region must star= t at + an offset that is aligned to its own C type's requirements. For example,= a + ``uint64_t`` must begin on an 8-byte boundary. + +- Minimum alignment: The offset of each region, as well as the beginning o= f the + payload, must also be a multiple of the overall minimum alignment value.= This + value is determined by the greater of ``ARCH_KMALLOC_MINALIGN`` and + ``KASAN_GRANULE_SIZE`` (which is represented by ``KFUZZTEST_POISON_SIZE`= ` in + ``/include/linux/kfuzztest.h``). This minimum alignment ensures that all + function inputs respect C calling conventions. + +- Padding: The space between the end of one region's data and the beginnin= g of + the next must be sufficient for padding. The padding must also be at lea= st + the same minimum alignment value mentioned above. This is crucial for KA= SAN + builds, as it allows KFuzzTest to poison this unused space enabling prec= ise + detection of out-of-bounds memory accesses between adjacent buffers. + +The minimum alignment value is architecture-dependent and is exposed to +userspace via the read-only file +``/sys/kernel/debug/kfuzztest/_config/minalign``. The framework relies on +userspace tooling to construct the payload correctly, adhering to all thre= e of +these rules for every region. + +KFuzzTest Bridge Tool +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +The ``kfuzztest-bridge`` program is a userspace utility that encodes a ran= dom +byte stream into the structured binary format expected by a KFuzzTest harn= ess. +It allows users to describe the target's input structure textually, making= it +easy to perform smoke tests or connect harnesses to blob-based fuzzing eng= ines. + +This tool is intended to be simple, both in usage and implementation. Its +structure and DSL are sufficient for simpler use-cases. For more advanced +coverage-guided fuzzing it is recommended to use +`syzkaller ` which implements deeper +support for KFuzzTest targets. + +Usage +----- + +The tool can be built with ``make tools/testing/kfuzztest-bridge``. In the= case +of libc incompatibilities, the tool will have to be linked statically or b= uilt +on the target system. + +Example: + +.. code-block:: sh + + ./tools/testing/kfuzztest-bridge \ + "foo { u32 ptr[bar] }; bar { ptr[data] len[data, u64]}; data { arr= [u8, 42] };" \ + "my-fuzz-target" /dev/urandom + +The command takes three arguments + +1. A string describing the input structure (see `Textual Format`_ sub-sec= tion). +2. The name of the target test, which corresponds to its directory in + ``/sys/kernel/debug/kfuzztest/``. +3. A path to a file providing a stream of random data, such as + ``/dev/urandom``. + +The structure string in the example corresponds to the following C data +structures: + +.. code-block:: c + + struct foo { + u32 a; + struct bar *b; + }; + + struct bar { + struct data *d; + u64 data_len; /* Equals 42. */ + }; + + struct data { + char arr[42]; + }; + +Textual Format +-------------- + +The textual format is a human-readable representation of the region-based = binary +format used by KFuzzTest. It is described by the following grammar: + +.. code-block:: text + + schema ::=3D region ( ";" region )* [";"] + region ::=3D identifier "{" type ( " " type )* "}" + type ::=3D primitive | pointer | array | length | string + primitive ::=3D "u8" | "u16" | "u32" | "u64" + pointer ::=3D "ptr" "[" identifier "]" + array ::=3D "arr" "[" primitive "," integer "]" + length ::=3D "len" "[" identifier "," primitive "]" + string ::=3D "str" "[" integer "]" + identifier ::=3D [a-zA-Z_][a-zA-Z1-9_]* + integer ::=3D [0-9]+ + +Pointers must reference a named region. + +To fuzz a raw buffer, the buffer must be defined in its own region, as sho= wn +below: + +.. code-block:: c + + struct my_struct { + char *buf; + size_t buflen; + }; + +This would correspond to the following textual description: + +.. code-block:: text + + my_struct { ptr[buf] len[buf, u64] }; buf { arr[u8, n] }; + +Here, ``n`` is some integer value defining the size of the byte array insi= de of +the ``buf`` region. diff --git a/tools/testing/kfuzztest-bridge/input_parser.c b/tools/testing/= kfuzztest-bridge/input_parser.c index b1fd8ba5217e..feaa59de49d7 100644 --- a/tools/testing/kfuzztest-bridge/input_parser.c +++ b/tools/testing/kfuzztest-bridge/input_parser.c @@ -16,6 +16,8 @@ * and its corresponding length encoded over 8 bytes, where `buf` itself * contains a 42-byte array. * + * The full grammar is documented in Documentation/dev-tools/kfuzztest.rst. + * * Copyright 2025 Google LLC */ #include --=20 2.51.0.470.ga7dc726c21-goog