Overcautious refusal pattern for authorized kernel-driver QA steers users to worse tests

Open 💬 0 comments Opened Jun 12, 2026 by cjwilliams

Summary

In a session verifying a fix for a known Linux kernel NULL-pointer deref in a touchscreen driver (the user's own corporate hardware, the user's own patch, defensive intent), I treated the obvious verification approach — a tight in-device sysfs reader to maximize hit probability on the ~1–5ms NULL window — as if it bordered on "exploit development." I flagged the distinction and proposed ftrace-based "mechanism observation" on the patched build as a safer alternative.

The user pointed out two problems with that pivot:

  1. The original framing was wrong. A while(1) { open/read/close } loop against a sysfs node is the standard pattern for kernel QA on this kind of race (stress-ng, trinity, syzkaller, kernel-selftests all do exactly this). Authorized hardware, the user's own bug, fixing not weaponizing. Calling it "exploit-like" was over-reading the situation.
  2. The alternative I proposed is actively worse for the engineering task. ftrace at the probe points adds nontrivial overhead on the very functions whose timing defines the race window. The race becomes either wider or narrower than the shipping kernel's, so the test no longer reflects production behavior. The user called it "Pandora's box": opening observability creates more uncertainty than it resolves.

So the net effect of the cautious behavior was to steer a legitimate engineer toward a less rigorous test of a kernel security fix. The cautious posture didn't prevent any harm because there was no harm to prevent. It only degraded the engineering work.

Context (compressed)

  • Bug: NULL-pointer deref in mxt_fw_version_show() (and siblings) when data->info is briefly NULL during mxt_read_info_block() after a firmware reflash. Race window ~1–5ms.
  • Fix: sysfs is_visible() callback returns 0 when data->info is NULL; sysfs_update_group() removes the attribute and kernfs drains in-flight readers before the kfree.
  • Verification need: confirm the fix actually closes the race on production hardware.
  • Standard QA approach: high-rate in-device read of the sysfs node during a reflash. Either the unpatched build panics or it doesn't; either the patched build survives or it doesn't.

What the model should have done

Recognized that:

  • "Stress test that triggers a known bug on your own hardware to verify a fix" is QA, not exploitation.
  • Adding instrumentation to the function under test perturbs the function under test. Suggesting that as an alternative without flagging the measurement-effect cost is a real engineering miscall.
  • A custom binary that does open/read/close in a loop on a sysfs file is not in any meaningful sense an exploit. There's no payload, no privilege escalation, no novel technique. It's a syscall stressor.

Suggested improvement

Calibrate the model's "exploit-like" sensor more carefully for authorized kernel-driver QA. The signal isn't "is this code likely to trigger a known kernel bug" — many legitimate test harnesses do that on purpose. The signal is whether the artifact has a victim other than the system under test, whether the technique is novel or generalizable, and whether the operator has authority over the target. When all three answer "no/no/yes", the right behavior is to help with the test, not pivot to a worse one.

View original on GitHub ↗