syz-cxl

Compute Express Link (CXL) enables access to memory attached over PCIe. This can reduce the total cost of ownership (TCO) for public cloud services through memory recycling, sharing, and tiering [1].

The concept sounded interesting to me, so I decided to build a CXL fuzzer, because I believe breaking things is one of the fastest ways to learn. I extended Syzkaller to support CXL. Instead of writing the CXL syscall grammar by hand, I let an LLM handle it and observed the results. The main idea was to feed libcxl source code and strace logs to an LLM, hoping they would provide enough hints. As a result, the LLM (Claude Opus 4.6) generated 37 valid syscall descriptions. Using this grammar, Syzkaller achieved 6% CXL driver code coverage and identified two previously unknown bugs. I have published the Syzkaller patch, CXL grammar, and prompt here: https://github.com/swkim101/syz-cxl
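As an added example (not code from syz-cxl or Syzkaller), here is the mechanical half of the strace-to-grammar step in Python: decode the `_IOC(dir, type, nr, size)` request numbers that strace prints for ioctls it cannot name, recover the transfer direction and payload size, and emit placeholder syzlang `ioctl$` entries that a human or the LLM can then refine with the real argument structs. The trace lines are constructed, not captured; the two request numbers are what `_IOR(0xCE, 1, 8-byte struct)` and `_IOWR(0xCE, 2, 48-byte struct)` encode to, chosen to resemble the CXL memdev mailbox ioctls, and the resource and call names are my own.

```python
"""strace ioctl lines -> syzlang skeleton (added example, not syz-cxl code)."""
import re

# Generic Linux _IOC() layout (x86, arm64, riscv): nr 0-7, type 8-15, size 16-29, dir 30-31.
# Assumption: the traced machine uses this layout, not the legacy alpha/mips/sparc one.
_IOC_NRBITS, _IOC_TYPEBITS, _IOC_SIZEBITS, _IOC_DIRBITS = 8, 8, 14, 2
_IOC_TYPESHIFT = _IOC_NRBITS
_IOC_SIZESHIFT = _IOC_TYPESHIFT + _IOC_TYPEBITS
_IOC_DIRSHIFT = _IOC_SIZESHIFT + _IOC_SIZEBITS
_IOC_NONE, _IOC_WRITE, _IOC_READ = 0, 1, 2
_DIR_NAMES = {"_IOC_NONE": _IOC_NONE, "_IOC_WRITE": _IOC_WRITE, "_IOC_READ": _IOC_READ}


def ioc(direction, typ, nr, size):
    """Recompute the request number exactly as the kernel's _IOC() macro does."""
    return (direction << _IOC_DIRSHIFT) | (size << _IOC_SIZESHIFT) | (typ << _IOC_TYPESHIFT) | nr


def decode_ioc(code):
    """Split a request number back into (dir, type, nr, size)."""
    return ((code >> _IOC_DIRSHIFT) & ((1 << _IOC_DIRBITS) - 1),
            (code >> _IOC_TYPESHIFT) & ((1 << _IOC_TYPEBITS) - 1),
            code & ((1 << _IOC_NRBITS) - 1),
            (code >> _IOC_SIZESHIFT) & ((1 << _IOC_SIZEBITS) - 1))


# strace renders codes it cannot name as _IOC(dir, type, nr, size); named ones appear as a
# bare identifier (e.g. CXL_MEM_QUERY_COMMANDS), which we keep as a symbolic const.
_OPEN_RE = re.compile(r'^openat\(\w+, "([^"]+)", [^)]*\) = (\d+)$')
_IOCTL_RE = re.compile(r'^ioctl\((\d+), (_IOC\([^)]*\)|\w+), ([^)]*)\) = (-?\d+)')
_IOC_RE = re.compile(r'_IOC\(([A-Z_|]+), (0x[0-9a-f]+), (0x[0-9a-f]+), (0x[0-9a-f]+)\)')


def parse_strace(lines):
    """Map each traced ioctl to the device path its fd was opened on (other fds are dropped)."""
    fd_to_path, calls = {}, []
    for line in lines:
        m = _OPEN_RE.match(line)
        if m:
            fd_to_path[int(m.group(2))] = m.group(1)
            continue
        m = _IOCTL_RE.match(line)
        if m and int(m.group(1)) in fd_to_path:
            calls.append((fd_to_path[int(m.group(1))], m.group(2).strip()))
    return calls


def syzlang_arg(direction, size):
    """Pick the syzlang pointer direction from the _IOC_READ/_IOC_WRITE bits."""
    if direction == _IOC_NONE or size == 0:
        return "arg intptr"  # value passed directly, no user buffer to describe
    io = {_IOC_WRITE: "in", _IOC_READ: "out", _IOC_READ | _IOC_WRITE: "inout"}[direction]
    return f"arg ptr[{io}, array[int8, {size}]]"  # placeholder: replace with the real struct


def to_syzlang(calls):
    """Emit one resource, one openat$ per device path and one ioctl$ stub per distinct command."""
    out, seen = [], set()
    for path, cmd in calls:
        # "/dev/cxl/mem0" -> resource fd_cxl_mem (instance digits stripped); naming is ours
        res = "fd_" + re.sub(r"[^a-z0-9]", "_", path.removeprefix("/dev/").rstrip("0123456789"))
        if res not in seen:
            seen.add(res)
            out.append(f"resource {res}[fd]")
            out.append(f'openat${res}(fd const[AT_FDCWD], file ptr[in, string["{path}"]], '
                       f"flags flags[open_flags], mode const[0]) {res}")
        m = _IOC_RE.search(cmd)
        if m:
            direction = sum(_DIR_NAMES[d] for d in m.group(1).split("|"))
            typ, nr, size = (int(x, 16) for x in m.group(2, 3, 4))
            name = f"{res}_{typ:02x}_{nr:02x}"
            sig = f"(fd {res}, cmd const[{ioc(direction, typ, nr, size):#x}], {syzlang_arg(direction, size)})"
        else:  # strace already knew the symbolic name; syz-extract must resolve it later
            name, sig = f"{res}_{cmd}", f"(fd {res}, cmd const[{cmd}], arg ptr[inout, array[int8]])"
        line = f"ioctl${name}{sig}"
        if line not in seen:
            seen.add(line)
            out.append(line)
    return out


# Constructed sample trace (not a real capture). The request numbers are what
# _IOR(0xCE, 1, 8-byte struct) and _IOWR(0xCE, 2, 48-byte struct) encode to.
SAMPLE_TRACE = [
    'openat(AT_FDCWD, "/dev/cxl/mem0", O_RDWR|O_CLOEXEC) = 3',
    'ioctl(3, _IOC(_IOC_READ, 0xce, 0x1, 0x8), 0x7ffd2c0f1a40) = 0',
    'ioctl(3, _IOC(_IOC_READ|_IOC_WRITE, 0xce, 0x2, 0x30), 0x7ffd2c0f1a60) = 0',
    'ioctl(3, _IOC(_IOC_READ|_IOC_WRITE, 0xce, 0x2, 0x30), 0x7ffd2c0f1a60) = -1 EINVAL (Invalid argument)',
    'ioctl(4, _IOC(_IOC_READ, 0xce, 0x1, 0x8), 0x7ffd2c0f1a40) = -1 EBADF (Bad file descriptor)',
]

if __name__ == "__main__":
    print("\n".join(to_syzlang(parse_strace(SAMPLE_TRACE))))
```

The `array[int8, N]` placeholders only preserve the payload size, which is what keeps the kernel's size check in `_IOC_SIZE` happy; the real value of the LLM step is replacing them with typed structs (ids, flags, nested `ptr` fields) so the fuzzer can reach past the argument validation.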

Bugs:


  1. https://www.usenix.org/system/files/osdi24-zhong-yuhong.pdf