1# Linux kernel configs
2
3List of recommended kernel configs for `syzkaller`:
4
5## Syzkaller features
6
7To enable coverage collection, which is extremely important for effective fuzzing:
8```
9CONFIG_KCOV=y
10CONFIG_KCOV_INSTRUMENT_ALL=y
11CONFIG_KCOV_ENABLE_COMPARISONS=y
12CONFIG_DEBUG_FS=y
13```
14Note that `CONFIG_KCOV_ENABLE_COMPARISONS` feature also requires `gcc8+` and the following commits if you are testing an old kernel:
15```
16    kcov: support comparison operands collection
17    kcov: fix comparison callback signature
18```
19
20To show code coverage in web interface:
21```
22CONFIG_DEBUG_INFO=y
23```
24
25For detection of enabled syscalls and kernel bitness:
26```
27CONFIG_KALLSYMS=y
28CONFIG_KALLSYMS_ALL=y
29```
30
31For `namespace` sandbox:
32```
33CONFIG_NAMESPACES=y
34CONFIG_USER_NS=y
35CONFIG_UTS_NS=y
36CONFIG_IPC_NS=y
37CONFIG_PID_NS=y
38CONFIG_NET_NS=y
39```
40
41If your kernel doesn't have commits [arm64: setup: introduce kaslr_offset()](https://github.com/torvalds/linux/commit/7ede8665f27cde7da69e8b2fbeaa1ed0664879c5)
42 and [kcov: make kcov work properly with KASLR enabled](https://github.com/torvalds/linux/commit/4983f0ab7ffaad1e534b21975367429736475205), disable the following config:
43```
44# CONFIG_RANDOMIZE_BASE is not set
45```
46
47## Bug detection configs
48
49Syzkaller is meant to be used with
50[KASAN](https://kernel.org/doc/html/latest/dev-tools/kasan.html) (available upstream with `CONFIG_KASAN=y`),
51[KTSAN](https://github.com/google/ktsan) (prototype available),
52[KMSAN](https://github.com/google/kmsan) (prototype available),
53or [KUBSAN](https://kernel.org/doc/html/latest/dev-tools/ubsan.html) (available upstream with `CONFIG_UBSAN=y`).
54
55Enable `KASAN` for use-after-free and out-of-bounds detection:
56```
57CONFIG_KASAN=y
58CONFIG_KASAN_INLINE=y
59```
60
61For testing with fault injection enable the following configs (syzkaller will pick it up automatically):
62```
63CONFIG_FAULT_INJECTION=y
64CONFIG_FAULT_INJECTION_DEBUG_FS=y
65CONFIG_FAILSLAB=y
66CONFIG_FAIL_PAGE_ALLOC=y
67CONFIG_FAIL_MAKE_REQUEST=y
68CONFIG_FAIL_IO_TIMEOUT=y
69CONFIG_FAIL_FUTEX=y
70```
71Note: you also need the following commits if you are testing an old kernel:
72```
73    fault-inject: support systematic fault injection
74    fault-inject: simplify access check for fail-nth
75    fault-inject: fix wrong should_fail() decision in task context
76    fault-inject: add /proc/<pid>/fail-nth
77```
78
79Any other debugging configs, the more the better, here are some that proved to be especially useful:
80```
81CONFIG_LOCKDEP=y
82CONFIG_PROVE_LOCKING=y
83CONFIG_DEBUG_ATOMIC_SLEEP=y
84CONFIG_PROVE_RCU=y
85CONFIG_DEBUG_VM=y
86CONFIG_REFCOUNT_FULL=y
87CONFIG_FORTIFY_SOURCE=y
88CONFIG_HARDENED_USERCOPY=y
89CONFIG_LOCKUP_DETECTOR=y
90CONFIG_SOFTLOCKUP_DETECTOR=y
91CONFIG_HARDLOCKUP_DETECTOR=y
92CONFIG_DETECT_HUNG_TASK=y
93CONFIG_WQ_WATCHDOG=y
94```
95
96Increase RCU stall timeout to reduce false positive rate:
97```
98CONFIG_RCU_CPU_STALL_TIMEOUT=60
99```
100