On Fri, Jun 19, 2026 at 11:51:29AM +0200, Peter Zijlstra wrote: > > This is really rather horrible. Also, now all an attacker needs to do is > > ensure cfi_kunit_handled() unconditionally returns true. IOW, no distro > > must ever have this KUNIT crap enabled. > > Also, if this lives, the check should at least trip the cfi_warn path, > being completely silent is terrible.
If anyone actually ships kunit in production, then no, I will NAK my own patch. ;) In that case I will go back to a version I never sent, which uses Kunit's try/catch Oops checker (which doesn't work on riscv). I only did it this way (similar to the fortify kunit testing) so I could get riscv coverage. -- Kees Cook
