Advice needed: Fuzzing virtio drivers (virtio-net/blk) with Syzkaller


黄某

10:29 AM (13 hours ago)
to syzkaller

Hi Syzkaller community,

I am currently looking into fuzzing virtio-related drivers in the Linux kernel, specifically targeting generic drivers like virtio-net and virtio-blk.

I understand that Syzkaller excels at syscall fuzzing and has specialized support for subsystems like USB (via vUSB to emulate device behavior). However, I am not entirely sure about the best strategy for virtio.

I would appreciate any advice or pointers on the following:

  1. Prior Art: Are there any existing descriptions (.txt files) or experimental branches that focus on virtio drivers?

  2. Approach: Since virtio drivers interact heavily with the host (device emulation) via queues/rings, standard syscall fuzzing from userspace might only cover limited code paths.

    • Does Syzkaller have any mechanism to mock or emulate a virtio device from within the guest (similar to how pseudo-USB devices are handled)?

    • Or should I strictly focus on the exposed userspace interfaces (e.g., specific ioctls, configfs, or sysfs entries)?

  3. Feasibility: Has anyone successfully fuzzed the initialization or data path of virtio-net using Syzkaller before?

If there are no existing implementations, I would be grateful for any suggestions on where to start looking if I were to implement support for this.

Thanks in advance for your help!
