Merge branch 'master' into syzos-md

Author: ramosian-glider

dashboard/app/ai.go

@@ -16,6 +16,7 @@ import (
 	"github.com/google/syzkaller/dashboard/app/aidb"
 	"github.com/google/syzkaller/dashboard/dashapi"
 	"github.com/google/syzkaller/pkg/aflow/ai"
+	"github.com/google/syzkaller/pkg/report/crash"
 	"github.com/google/syzkaller/pkg/vcs"
 	db "google.golang.org/appengine/v2/datastore"
 )
@@ -322,6 +323,7 @@ func bugJobCreate(ctx context.Context, workflow string, typ ai.WorkflowType, bug
 		Description: bug.displayTitle(),
 		Link:        fmt.Sprintf("/bug?id=%v", bug.keyHash(ctx)),
 		Args: spanner.NullJSON{Valid: true, Value: map[string]any{
+			"BugTitle":        bug.Title,
 			"ReproOpts":       string(crash.ReproOpts),
 			"ReproSyzID":      crash.ReproSyz,
 			"ReproCID":        crash.ReproC,
@@ -423,11 +425,21 @@ const currentAIJobCheckSeq = 1
 
 func workflowsForBug(bug *Bug, manual bool) map[ai.WorkflowType]bool {
 	workflows := make(map[ai.WorkflowType]bool)
-	if strings.HasPrefix(bug.Title, "KCSAN: data-race") {
+	typ := crash.TitleToType(bug.Title)
+	// UAF bugs stuck in last but one reporting.
+	if typ.IsUAF() && len(bug.Reporting) > 1 &&
+		bug.Reporting[len(bug.Reporting)-1].Reported.IsZero() &&
+		!bug.Reporting[len(bug.Reporting)-2].Reported.IsZero() {
+		workflows[ai.WorkflowModeration] = true
+	}
+	if typ == crash.KCSANDataRace {
 		workflows[ai.WorkflowAssessmentKCSAN] = true
 	}
 	if manual {
 		// Types we don't create automatically yet, but can be created manually.
+		if typ.IsUAF() {
+			workflows[ai.WorkflowModeration] = true
+		}
 		if bug.HeadReproLevel > dashapi.ReproLevelNone {
 			workflows[ai.WorkflowPatching] = true
 		}

dashboard/app/ai_test.go

@@ -124,6 +124,7 @@ func TestAIJob(t *testing.T) {
 	require.NotEqual(t, resp.ID, "")
 	require.Equal(t, resp.Workflow, "assessment-kcsan")
 	require.Equal(t, resp.Args, map[string]any{
+		"BugTitle":        "KCSAN: data-race in foo / bar",
 		"CrashReport":     "report1",
 		"KernelRepo":      "repo1",
 		"KernelCommit":    "1111111111111111111111111111111111111111",

pkg/aflow/ai/ai.go

@@ -6,7 +6,10 @@ package ai
 
 type WorkflowType string
 
+// Note: don't change string values of these types w/o a good reason.
+// They are stored in the dashboard database as strings.
 const (
 	WorkflowPatching        = WorkflowType("patching")
+	WorkflowModeration      = WorkflowType("moderation")
 	WorkflowAssessmentKCSAN = WorkflowType("assessment-kcsan")
 )

pkg/aflow/flow/assessment/assessment.go

@@ -10,13 +10,22 @@ import (
 	"github.com/google/syzkaller/pkg/aflow/tool/codesearcher"
 )
 
-type KCSANOutputs struct {
+type kcsanInputs struct {
+	CrashReport       string
+	KernelRepo        string
+	KernelCommit      string
+	KernelConfig      string
+	CodesearchToolBin string
+}
+
+type kcsanOutputs struct {
+	Confident   bool
 	Benign      bool
 	Explanation string
 }
 
 func init() {
-	aflow.Register[Inputs, KCSANOutputs](
+	aflow.Register[kcsanInputs, kcsanOutputs](
 		ai.WorkflowAssessmentKCSAN,
 		"assess if a KCSAN report is about a benign race that only needs annotations or not",
 		&aflow.Flow{
@@ -29,11 +38,12 @@ func init() {
 						Name:  "expert",
 						Reply: "Explanation",
 						Outputs: aflow.LLMOutputs[struct {
-							Benign bool `jsonschema:"If the data race is benign or not."`
+							Confident bool `jsonschema:"If you are confident in the verdict of the analysis or not."`
+							Benign    bool `jsonschema:"If the data race is benign or not."`
 						}](),
 						Temperature: 1,
-						Instruction: instruction,
-						Prompt:      prompt,
+						Instruction: kcsanInstruction,
+						Prompt:      kcsanPrompt,
 						Tools:       codesearcher.Tools,
 					},
 				},
@@ -42,35 +52,33 @@ func init() {
 	)
 }
 
-const instruction = `
-You are an experienced Linux kernel developer tasked with determining if the given kernel bug
-report is actionable or not. Actionable means that it contains enough info to root cause
-the underlying bug, and that the report is self-consistent and makes sense, rather than
-a one-off nonsensical crash induced by a previous memory corruption.
-
-Use the provided tools to confirm any assumptions, what variables/fields being accessed, etc.
-In particular, don't make assumptions about the kernel source code,
-use codesearch tools to read the actual source code.
-
-The bug report is a data race report from KCSAN tool.
+const kcsanInstruction = `
+You are an experienced Linux kernel developer tasked with determining if the given kernel
+data race is benign or not. The data race report is from KCSAN tool.
 It contains 2 stack traces of the memory accesses that constitute a data race.
-The report would be inconsistent, if the stacks point to different subsystems,
-or if they access different fields.
-The report would be non-actionable, if the underlysing data race is "benign".
-That is, the race is on a simple int/bool or similar field, and the accesses
-are not supposed to be protected by any mutual exclusion primitives.
+
+A "benign" data races are on a simple int/bool variable or similar field,
+and the accesses are not supposed to be protected by any mutual exclusion primitives.
 Common examples of such "benign" data races are accesses to various flags fields,
-statistics counters, and similar.
-An actionable race is "harmful", that is can lead to corruption/crash even with
+statistics counters, and similar. A "benign" data race does not lead to memory corruption/crash
+with a conservative compiler that compiles memory accesses to primitive types
+effectively as atomic.
+
+A non-benign (or "harmful" data race) can lead to corruption/crash even with
 a conservative compiler that compiles memory accesses to primitive types
 effectively as atomic. A common example of a "harmful" data races is race on
 a complex container (list/hashmap/etc), where accesses are supposed to be protected
 by a mutual exclusion primitive.
-In the final reply explain why you think the report is consistent and the data race is harmful.
+
+In the final reply explain why you think the given data race is benign or is harmful.
+
+Use the provided tools to confirm any assumptions, variables/fields being accessed, etc.
+In particular, don't make assumptions about the kernel source code,
+use codesearch tools to read the actual source code.
 `
 
-const prompt = `
-The bug report is:
+const kcsanPrompt = `
+The data race report is:
 
 {{.CrashReport}}
 `

pkg/aflow/flow/assessment/kcsan.go

@@ -0,0 +1,114 @@
+// Copyright 2026 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package assessmenet
+
+import (
+	"fmt"
+
+	"github.com/google/syzkaller/pkg/aflow"
+	"github.com/google/syzkaller/pkg/aflow/action/kernel"
+	"github.com/google/syzkaller/pkg/aflow/ai"
+	"github.com/google/syzkaller/pkg/aflow/tool/codesearcher"
+	"github.com/google/syzkaller/pkg/report/crash"
+)
+
+type moderationInputs struct {
+	BugTitle          string
+	CrashReport       string
+	KernelRepo        string
+	KernelCommit      string
+	KernelConfig      string
+	CodesearchToolBin string
+}
+
+type moderationOutputs struct {
+	Confident   bool
+	Actionable  bool
+	Explanation string
+}
+
+func init() {
+	aflow.Register[moderationInputs, moderationOutputs](
+		ai.WorkflowModeration,
+		"assess if a bug report is consistent and actionable or not",
+		&aflow.Flow{
+			Root: &aflow.Pipeline{
+				Actions: []aflow.Action{
+					aflow.NewFuncAction("extract-crash-type", extractCrashType),
+					kernel.Checkout,
+					kernel.Build,
+					codesearcher.PrepareIndex,
+					&aflow.LLMAgent{
+						Name:  "expert",
+						Reply: "Explanation",
+						Outputs: aflow.LLMOutputs[struct {
+							Confident  bool `jsonschema:"If you are confident in the verdict of the analysis or not."`
+							Actionable bool `jsonschema:"If the report is actionable or not."`
+						}](),
+						Temperature: 1,
+						Instruction: moderationInstruction,
+						Prompt:      moderationPrompt,
+						Tools:       codesearcher.Tools,
+					},
+				},
+			},
+		},
+	)
+}
+
+const moderationInstruction = `
+You are an experienced Linux kernel developer tasked with determining if the given kernel bug
+report is actionable or not. Actionable means that it contains enough info to root cause
+the underlying bug, and that the report is self-consistent and makes sense, rather than
+e.g. a one-off nonsensical crash induced by a previous memory corruption.
+
+{{if .IsUAF}}
+The bug report is about a use-after-free bug generated by KASAN tool.
+It should contain 3 stack traces: the bad memory access stack, the heap block allocation stack,
+and the heap block free stack. If the report does not contain 3 stacks, it's not actionable.
+
+All 3 stack traces should be related to the same object type,
+and usually be in the same kernel subsystem (at least leaf stack frames).
+An example of an actionable and consistent report would be: first access stack relates
+to an access to a field of struct Foo, allocation/free stacks relate to allocation/free
+of the struct Foo.
+In inconsistent/nonsensical reports an access may be to a struct Foo, but allocation
+stack allocates a different structure in a different subsystem.
+Look for other suspicious signals/inconsistencies that can make this report hard to
+debug/understand. 
+{{end}}
+
+In the final reply explain why you think the report is self-consistent and actionable,
+or why it's inconsistent and/or not actionable.
+
+Use the provided tools to confirm any assumptions, variables/fields being accessed, etc.
+In particular, don't make assumptions about the kernel source code,
+use codesearch tools to read the actual source code.
+`
+
+const moderationPrompt = `
+The bug report is:
+
+{{.CrashReport}}
+`
+
+type extractArgs struct {
+	BugTitle string
+}
+
+type extractResult struct {
+	IsUAF bool
+}
+
+func extractCrashType(ctx *aflow.Context, args extractArgs) (extractResult, error) {
+	var res extractResult
+	typ := crash.TitleToType(args.BugTitle)
+	switch {
+	case typ.IsUAF():
+		res.IsUAF = true
+	default:
+		return res, fmt.Errorf("unsupported bug type")
+	}
+	return res, nil
+}

pkg/aflow/flow/assessment/moderation.go

@@ -79,6 +79,10 @@ func (t Type) IsKASAN() bool {
 		KASANUseAfterFreeRead, KASANUseAfterFreeWrite, KASANInvalidFree, KASANUnknown}, t)
 }
 
+func (t Type) IsUAF() bool {
+	return slices.Contains([]Type{KASANUseAfterFreeRead, KASANUseAfterFreeWrite}, t)
+}
+
 func (t Type) IsKMSAN() bool {
 	return slices.Contains([]Type{
 		KMSANUninitValue, KMSANInfoLeak, KMSANUseAfterFreeRead, KMSANUnknown}, t)

pkg/report/crash/types.go

@@ -22,7 +22,7 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get install -y -q \
 	util-linux dosfstools ocfs2-tools reiserfsprogs xfsprogs erofs-utils \
 	exfatprogs gfs2-utils \
 	# Needed for buiding gVisor.
-	crossbuild-essential-amd64 crossbuild-essential-arm64 libbpf-dev
+	crossbuild-essential-amd64 crossbuild-essential-arm64 libbpf-dev binutils-gold
 RUN test "$(uname -m)" != x86_64 && exit 0 || \
         DEBIAN_FRONTEND=noninteractive apt-get install -y -q \
 	  libc6-dev-i386 libc6-dev-i386-amd64-cross lib32gcc-14-dev lib32stdc++-14-dev \