Out Of Tree Kernel Module Coverage Collection


Alon Zahavi

Feb 19, 2026, 11:30:39 AM
to syzkaller
I am fuzzing (or at least trying to fuzz) Nvidia's open kernel modules using the following config:
```json
{
  "target": "linux/amd64",
  "http": "127.0.0.1:56741",
  "workdir": "/home/alonza/Documents/nvidia_fuzz/workdir",
  "kernel_obj": "/nvidia_fuzz/linux-6.18/",
  "module_obj": [
    "/nvidia_fuzz/open-gpu-kernel-modules"
  ],
  "image": "/home/alonza/Documents/nvidia_fuzz/tests/nvidia_image/trixie.img",
  "sshkey": "/home/alonza/Documents/nvidia_fuzz/tests/nvidia_image/trixie.id_rsa",
  "syzkaller": "/home/alonza/Documents/nvidia_fuzz/syzkaller",
  "procs": 8,
  "type": "qemu",
  "vm": {
    "count": 1,
    "kernel": "/nvidia_fuzz/linux-6.18/arch/x86/boot/bzImage",
    "cpu": 2,
    "mem": 4096,
    "qemu_args": "-device vfio-pci,host=0000:01:00.0 -enable-kvm",
    "cmdline": "console=ttyS0 kmemleak=on nokaslr root=/dev/sda earlyprintk=serial net.ifnames=0"
  },
  "enable_syscalls": [
    "openat$nvidiactl",
    "ioctl$NV_IOCTL_XFER_ALLOC_CLIENT",
    "ioctl$NV_IOCTL_XFER_ALLOC_DEVICE0",
    "ioctl$NV_IOCTL_XFER_RM_ALLOC_OBJECT",
    "ioctl$NV_IOCTL_XFER_RM_CONTROL",
    "close"
  ]
}
```

With this config, I know for a fact I entered the following functions from the module source code: `nvidia_ioctl`, `rm_ioctl`, and `RmIoctl` (I added some kernel prints that appear in the logs when running syz-manager with `-debug -vv 3`).

However, when I open the coverage page, I can't see any highlighted code in the source code of NVIDIA's modules (see images 1 and 2, which I added to this conversation). It is worth saying that I do see some highlighted code, but I am pretty sure it's a mismatch and not the actual "true" coverage.

Also, as I said, I know for a fact the corpus reaches `rm_ioctl` (nvidia/src/nvidia/arch/nvalloc/unix/src/osapi.c) and `RmIoctl` (nvidia/src/nvidia/arch/nvalloc/unix/src/escape.c).
However, the files are not even showing in the coverage report (see picture 3).


Have you ever encountered that? Do you know what might be the issue here?


Notes

  1. The modules were compiled with coverage and debug info.
  2. The VM kernel was compiled with no KASLR.
  3. Both the kernel and the modules were compiled on the exact same machine.
coverage_issue2.png
coverage_issue3.png
coverage_issue1.png
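One check worth running before digging into syzkaller itself, added here as an example and not part of the original post: a stdlib-only ELF64 reader that confirms each `.ko` under the `module_obj` directory actually carries the KCOV hook symbol (`__sanitizer_cov_trace_pc`, emitted under `CONFIG_KCOV`) and a `.debug_info` section, i.e. the two properties note 1 relies on. It assumes uncompressed, little-endian x86_64 `.ko` files; the script name `check_ko.py` in the usage note is made up.

```python
"""Stdlib-only ELF64 check: does a .ko carry KCOV instrumentation and DWARF?"""
import struct
import sys

# Hook the compiler emits per basic block under -fsanitize-coverage=trace-pc
# (CONFIG_KCOV). A module lacking this symbol reports no coverage at all.
KCOV_HOOK = "__sanitizer_cov_trace_pc"
SHT_SYMTAB = 2

def _cstr(table, off):
    """Null-terminated string starting at offset `off` of a string table."""
    return table[off:table.index(b"\0", off)].decode()

def inspect_module(data):
    """Parse ELF64 section headers and symbol names of a .ko image in `data`."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 object")
    (shoff,) = struct.unpack_from("<Q", data, 0x28)            # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    hdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)
            for i in range(shnum)]
    shstr = data[hdrs[shstrndx][4]:hdrs[shstrndx][4] + hdrs[shstrndx][5]]
    names = [_cstr(shstr, h[0]) for h in hdrs]
    symbols = set()
    for h in hdrs:
        if h[1] != SHT_SYMTAB:
            continue
        link = hdrs[h[6]]                                      # associated .strtab
        strtab = data[link[4]:link[4] + link[5]]
        for off in range(h[4], h[4] + h[5], 24):               # sizeof(Elf64_Sym)
            (st_name,) = struct.unpack_from("<I", data, off)
            if st_name:                                        # skip the null symbol
                symbols.add(_cstr(strtab, st_name))
    return {"sections": names, "symbols": symbols,
            "kcov": KCOV_HOOK in symbols, "debug_info": ".debug_info" in names}

def main(paths):
    """Report each .ko; result is False if any lacks the KCOV hook or DWARF."""
    ok = True
    for path in paths:
        with open(path, "rb") as f:
            info = inspect_module(f.read())
        print(f"{path}: kcov={info['kcov']} debug_info={info['debug_info']}")
        ok = ok and info["kcov"] and info["debug_info"]
    return ok

if __name__ == "__main__":
    sys.exit(0 if main(sys.argv[1:]) else 1)
```

Run it over the built modules with `find /nvidia_fuzz/open-gpu-kernel-modules -name '*.ko' -exec python3 check_ko.py {} +`; a `False` in either column means that module cannot produce the coverage the report is expected to show.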