syz-cluster: use the virtio networking device with KMSAN

e1000 is temporarily not an option due to a boot-time bug:
https://lkml.org/lkml/2025/10/2/143

Refactor the config generation logic to accomodate merging multiple
config chunks.

Author: a-nogikh

syz-cluster/pkg/api/api.go

@@ -34,6 +34,7 @@ type FuzzConfig struct {
 	Track      string   `json:"track"` // E.g. KASAN.
 	Focus      []string `json:"focus"`
 	CorpusURLs []string `json:"corpus_urls"`
+	KMSAN      bool     `json:"kmsan"` // Needed for some temporary workarounds.
 	// Don't expect kernel coverage for the patched area.
 	SkipCoverCheck bool `json:"skip_cover_check"`
 	// Only report the bugs that match the regexp.

syz-cluster/pkg/fuzzconfig/generate.go

@@ -19,50 +19,59 @@ var baseConfigJSON []byte
 //go:embed patched.cfg
 var patchedConfigJSON []byte
 
+//go:embed kmsan.cfg
+var kmsanConfigJSON []byte
+
 // GenerateBase produces a syz-manager config for the base kernel.
 // The caller must still invoke mgrconfig.Complete.
 func GenerateBase(cfg *api.FuzzConfig) (*mgrconfig.Config, error) {
-	var baseRaw json.RawMessage
-	err := config.LoadData(baseConfigJSON, &baseRaw)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read the base config: %w", err)
-	}
-	base, err := mgrconfig.LoadPartialData(baseRaw)
-	if err != nil {
-		return nil, fmt.Errorf("failed to load the config: %w", err)
-	}
-	err = applyFuzzConfig(base, cfg)
-	if err != nil {
-		return nil, err
-	}
-	return base, nil
+	return generateConfig(cfg, false)
 }
 
-// GeneratePatched produces a syz-manager config for the base kernel.
+// GeneratePatched produces a syz-manager config for the patched kernel.
 // The caller must still invoke mgrconfig.Complete.
 func GeneratePatched(cfg *api.FuzzConfig) (*mgrconfig.Config, error) {
-	var baseRaw, deltaRaw json.RawMessage
-	err := config.LoadData(baseConfigJSON, &baseRaw)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read the base config: %w", err)
+	return generateConfig(cfg, true)
+}
+
+func generateConfig(cfg *api.FuzzConfig, patched bool) (*mgrconfig.Config, error) {
+	type patchItem struct {
+		name  string
+		patch []byte
 	}
-	err = config.LoadData(patchedConfigJSON, &deltaRaw)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read the patched config: %w", err)
+	patchesList := []patchItem{{name: "base", patch: baseConfigJSON}}
+	if patched {
+		patchesList = append(patchesList, patchItem{name: "patched", patch: patchedConfigJSON})
 	}
-	patchedRaw, err := config.MergeJSONs(baseRaw, deltaRaw)
-	if err != nil {
-		return nil, fmt.Errorf("failed to merge the configs: %w", err)
+	if cfg.KMSAN {
+		patchesList = append(patchesList, patchItem{name: "kmsan", patch: kmsanConfigJSON})
+	}
+	var raw json.RawMessage
+	for i, patch := range patchesList {
+		var next json.RawMessage
+		err := config.LoadData(patch.patch, &next)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read the %s config: %w", patch.name, err)
+		}
+		if i == 0 {
+			raw = next
+		} else {
+			var err error
+			raw, err = config.MergeJSONs(raw, next)
+			if err != nil {
+				return nil, fmt.Errorf("failed to merge the configs with %s: %w", patch.name, err)
+			}
+		}
 	}
-	patched, err := mgrconfig.LoadPartialData(patchedRaw)
+	mgrConfig, err := mgrconfig.LoadPartialData(raw)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load the config: %w", err)
 	}
-	err = applyFuzzConfig(patched, cfg)
+	err = applyFuzzConfig(mgrConfig, cfg)
 	if err != nil {
 		return nil, err
 	}
-	return patched, nil
+	return mgrConfig, nil
 }
 
 func applyFuzzConfig(mgrCfg *mgrconfig.Config, cfg *api.FuzzConfig) error {

syz-cluster/pkg/fuzzconfig/generate_test.go

@@ -46,6 +46,13 @@ func TestMultipleFocus(t *testing.T) {
 	}, filepath.Join("testdata", "mixed", "bpf_io_uring"))
 }
 
+func TestKMSANConfig(t *testing.T) {
+	runTest(t, &api.FuzzConfig{
+		Focus: []string{api.FocusBPF},
+		KMSAN: true,
+	}, filepath.Join("testdata", "mixed", "bpf_kmsan"))
+}
+
 func runTest(t *testing.T, cfg *api.FuzzConfig, baseName string) {
 	base, err := GenerateBase(cfg)
 	require.NoError(t, err)

syz-cluster/pkg/fuzzconfig/kmsan.cfg

@@ -0,0 +1,5 @@
+{
+    "vm": {
+      "network_device": "virtio-net-pci"
+    }
+}

syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_kmsan.base.cfg

@@ -0,0 +1,75 @@
+{
+	"name": "base",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/base/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/base/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"bpf",
+		"mkdir",
+		"mount$bpf",
+		"unlink",
+		"close",
+		"perf_event_open*",
+		"ioctl$PERF*",
+		"getpid",
+		"gettid",
+		"socketpair",
+		"sendmsg",
+		"recvmsg",
+		"setsockopt$sock_attach_bpf",
+		"socket",
+		"ioctl$sock_kcm*",
+		"syz_clone",
+		"mkdirat$cgroup*",
+		"openat$cgroup*",
+		"write$cgroup*",
+		"openat$tun",
+		"write$tun",
+		"ioctl$TUN*",
+		"ioctl$SIOCSIFHWADDR",
+		"openat$ppp",
+		"syz_open_procfs$namespace",
+		"openat$pidfd",
+		"fstat"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"cmdline": "root=/dev/sda1",
+		"count": 3,
+		"cpu": 2,
+		"kernel": "/base/kernel",
+		"mem": 7168,
+		"network_device": "virtio-net-pci",
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual",
+		"enable_kfuzztest": false
+	}
+}

syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_kmsan.patched.cfg

@@ -0,0 +1,76 @@
+{
+	"name": "patched",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/patched/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/patched/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"fuzzing_vms": 3,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"bpf",
+		"mkdir",
+		"mount$bpf",
+		"unlink",
+		"close",
+		"perf_event_open*",
+		"ioctl$PERF*",
+		"getpid",
+		"gettid",
+		"socketpair",
+		"sendmsg",
+		"recvmsg",
+		"setsockopt$sock_attach_bpf",
+		"socket",
+		"ioctl$sock_kcm*",
+		"syz_clone",
+		"mkdirat$cgroup*",
+		"openat$cgroup*",
+		"write$cgroup*",
+		"openat$tun",
+		"write$tun",
+		"ioctl$TUN*",
+		"ioctl$SIOCSIFHWADDR",
+		"openat$ppp",
+		"syz_open_procfs$namespace",
+		"openat$pidfd",
+		"fstat"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"cmdline": "root=/dev/sda1",
+		"count": 9,
+		"cpu": 2,
+		"kernel": "/patched/kernel",
+		"mem": 7168,
+		"network_device": "virtio-net-pci",
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual",
+		"enable_kfuzztest": false
+	}
+}