On Fri, Jun 19, 2026 at 01:44:43PM -0700, Kees Cook wrote:
> On Fri, Jun 19, 2026 at 11:51:29AM +0200, Peter Zijlstra wrote:
> > > This is really rather horrible. Also, now all an attacker needs to do is
> > > ensure cfi_kunit_handled() unconditionally returns true. IOW, no distro
> > > must ever have this KUNIT crap enabled.
> >
> > Also, if this lives, the check should at least trip the cfi_warn path,
> > being completely silent is terrible.
>
> If anyone actually ships kunit in production, then no, I will NAK my own
> patch. ;) In that case I will go back to a version I never sent, which
> uses Kunit's try/catch Oops checker (which doesn't work on riscv). I
> only did it this way (similar to the fortify kunit testing) so I could
> get riscv coverage.

Fedora and Android do appear to ship with CONFIG_KUNIT=m. Debian and Ubuntu
don't from what I can see.

So, yeah, NAK. I'll send v3 (really v0)...

-- 
Kees Cook

