i2c-aspeed testing with kunit fake and syzkaller

Dmitry Vyukov dvyukov at google.com
Wed Oct 9 01:44:08 AEDT 2019

Hi i2c/aspeed-related people,

Some time ago Brendan and I did an experiment of testing the
i2c-aspeed driver in a qemu VM (without any hardware/emulation) using
kunit-based fake hardware. The fake allowed us to get 10 i2c devices
to probe successfully and appear in /dev/, which in turn allowed us to
test the actual driver with syzkaller.
I will just leave here some details and traces as FYI and for future
reference. I think this is an important precedent in general.

The kernel branch is here:
This is one of kunit branches with this commit on top:
This contains lots of hacks to get the fake working on x86 and leave
persistent devices initialized (rather than shutting them down after
This is the kernel config:
(some i2c configs + a bunch of debugging configs).

If you boot this kernel with the config in qemu, you should see /dev/i2c-{0,10}.

Probably any syzkaller commit will work, but I was just testing on this one:
Here is syzkaller config I used:

Here is kernel coverage we achieved as the result of fuzzing:

For crashes, I've got 3 different task hangs:

INFO: task hung in i2c_transfer

INFO: task hung in i2c_smbus_xfer

INFO: task hung in aspeed_i2c_master_xfer

And some memory corruptions (non-thread-safe kunit data structures?):

KASAN: use-after-free Read in aspeed_i2c_fake_write_command_reg

KASAN: use-after-free Read in __of_find_property

general protection fault in mock_do_expect

There are probably a number of things that can be improved in kunit
platform mock, the fake driver and syzkaller i2c coverage, but this is
a starting point.
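The three "task hung" reports above all come from a transfer that never returns to userspace. When reproducing that class of bug by hand against /dev/i2c-N, the harness itself must not block forever on the stuck ioctl. The program below is an added example written for this page; it is not code from the kunit branch, the i2c-aspeed driver or syzkaller. It issues a write-then-read I2C_RDWR transaction in a forked child and lets the parent enforce a wall-clock deadline, so a transfer that does not complete is reported as a hang rather than stalling the scan. It assumes a Linux system with the uapi headers linux/i2c.h and linux/i2c-dev.h; the device path, the 2-second deadline and the 0x08..0x77 address range are illustrative choices, and fake_xfer is a stand-in for the hardware so the watchdog can be exercised on a machine with no i2c bus at all.

```c
/* Added example: drive /dev/i2c-N under a wall-clock deadline so a transfer
 * that never returns (the "task hung in i2c_transfer" class) is reported as a
 * hang instead of blocking the harness. Linux-only; not code from the page. */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <linux/i2c.h>
#include <linux/i2c-dev.h>

enum xfer_status { XFER_OK = 0, XFER_ERROR = 1, XFER_HUNG = 2 };

/* One write-then-read transaction: send a register number, read len bytes. */
struct rdwr_case {
    uint16_t addr;
    uint8_t reg;
    uint8_t rx[32];
    uint16_t rx_len;
    struct i2c_msg msgs[2];
};

/* Build the two i2c_msg entries for a register read.
 * Returns the message count (2) or -1 if the request cannot be expressed. */
int build_reg_read(struct rdwr_case *c, uint16_t addr, uint8_t reg, uint16_t len)
{
    if (len == 0 || len > sizeof(c->rx)) return -1;
    if (addr > 0x7f) return -1;                 /* 7-bit addressing only here */
    memset(c, 0, sizeof(*c));
    c->addr = addr; c->reg = reg; c->rx_len = len;
    c->msgs[0].addr = addr; c->msgs[0].flags = 0;       c->msgs[0].len = 1;   c->msgs[0].buf = &c->reg;
    c->msgs[1].addr = addr; c->msgs[1].flags = I2C_M_RD; c->msgs[1].len = len; c->msgs[1].buf = c->rx;
    return 2;
}

/* Run fn(arg) in a child process and wait at most deadline_ms for it.
 * A task stuck in an uninterruptible ioctl will not die from SIGKILL, so the
 * kill is best effort; the point is that the parent keeps going and reports. */
enum xfer_status run_with_deadline(int (*fn)(void *), void *arg, unsigned deadline_ms)
{
    pid_t pid = fork();
    if (pid < 0) return XFER_ERROR;
    if (pid == 0) _exit(fn(arg) == 0 ? 0 : 1);
    struct timespec step = { 0, 10 * 1000 * 1000 };   /* poll every 10 ms */
    for (unsigned waited = 0; waited < deadline_ms; waited += 10) {
        int st;
        pid_t r = waitpid(pid, &st, WNOHANG);
        if (r == pid) return (WIFEXITED(st) && WEXITSTATUS(st) == 0) ? XFER_OK : XFER_ERROR;
        if (r < 0) return XFER_ERROR;
        nanosleep(&step, NULL);
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, WNOHANG);                      /* reap if it did die */
    return XFER_HUNG;
}

struct dev_xfer { const char *path; struct rdwr_case *c; };

/* Child-side body: open the bus and issue the I2C_RDWR ioctl. */
static int do_rdwr(void *arg)
{
    struct dev_xfer *x = arg;
    int fd = open(x->path, O_RDWR);
    if (fd < 0) return -1;
    struct i2c_rdwr_ioctl_data d = { x->c->msgs, 2 };
    int rc = ioctl(fd, I2C_RDWR, &d);
    close(fd);
    return rc < 0 ? -1 : 0;
}

/* Stand-in for hardware (assumption, not a real device): sleeps sleep_ms then
 * returns rc, so the deadline logic can be checked on a machine with no i2c bus. */
struct fake_xfer_arg { unsigned sleep_ms; int rc; };
int fake_xfer(void *arg)
{
    struct fake_xfer_arg *f = arg;
    struct timespec t = { f->sleep_ms / 1000, (f->sleep_ms % 1000) * 1000000L };
    nanosleep(&t, NULL);
    return f->rc;
}

/* Probe one register on one bus; the result is safe to log even if the bus hangs. */
enum xfer_status probe_register(const char *path, uint16_t addr, uint8_t reg, unsigned deadline_ms)
{
    struct rdwr_case c;
    if (build_reg_read(&c, addr, reg, 1) < 0) return XFER_ERROR;
    struct dev_xfer x = { path, &c };
    return run_with_deadline(do_rdwr, &x, deadline_ms);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/i2c-0";   /* assumed default */
    for (unsigned addr = 0x08; addr <= 0x77; addr++) {
        enum xfer_status s = probe_register(path, (uint16_t)addr, 0x00, 2000);
        if (s == XFER_HUNG)    printf("%s addr 0x%02x: no return within 2 s (hang?)\n", path, addr);
        else if (s == XFER_OK) printf("%s addr 0x%02x: responded\n", path, addr);
    }
    return 0;
}
```

Run it as `./i2c-probe /dev/i2c-3` on the qemu guest; a bus whose master_xfer never completes shows up as a "(hang?)" line while the scan continues to the next address, and the kernel's own hung-task report will follow on the console some time later. Keep the per-transfer deadline well below the hung-task timeout so the harness reports first.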