syz-cluster: rewrite fuzz config generation

Instead of a predefined set of manually written syz-manager configs,
construct it dynamically from different bits.

During triage, select not just one, but all matching fuzzer
configurations and then merge them together.

Author: a-nogikh

pkg/db/db.go

@@ -346,3 +346,42 @@ func ReadCorpus(filename string, target *prog.Target) (progs []*prog.Prog, err e
 	}
 	return progs, nil
 }
+
+type DeserializeFailure struct {
+	File string
+	Err  error
+}
+
+func Merge(into string, other []string, target *prog.Target) ([]DeserializeFailure, error) {
+	dstDB, err := Open(into, false)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open database: %w", err)
+	}
+	var failed []DeserializeFailure
+	for _, add := range other {
+		addDB, err := Open(add, false)
+		if err == nil {
+			// It's a DB file.
+			for key, rec := range addDB.Records {
+				dstDB.Save(key, rec.Val, rec.Seq)
+			}
+			continue
+		}
+		if target == nil {
+			// We were not given a target, so we cannot parse it as a seed file.
+			return nil, fmt.Errorf("failed to open db %v: %w", add, err)
+		}
+		data, err := os.ReadFile(add)
+		if err != nil {
+			return nil, err
+		}
+		if _, err := target.Deserialize(data, prog.NonStrict); err != nil {
+			failed = append(failed, DeserializeFailure{add, err})
+		}
+		dstDB.Save(hash.String(data), data, 0)
+	}
+	if err := dstDB.Flush(); err != nil {
+		return nil, fmt.Errorf("failed to save db: %w", err)
+	}
+	return failed, nil
+}

syz-cluster/pkg/api/api.go

@@ -20,11 +20,20 @@ type FuzzTask struct {
 	FuzzConfig
 }
 
+const (
+	FocusNet     = "net"
+	FocusKVM     = "kvm"
+	FocusIoUring = "io_uring"
+	FocusBPF     = "bpf"
+	FocusFS      = "fs"
+)
+
 // FuzzConfig represents a set of parameters passed to the fuzz step.
+// The triage step aggregates multiple KernelFuzzConfig to construct FuzzConfig.
 type FuzzConfig struct {
-	Track     string `json:"track"`  // E.g. KASAN.
-	Config    string `json:"config"` // Refers to workflow/configs/{}.
-	CorpusURL string `json:"corpus_url"`
+	Track      string   `json:"track"` // E.g. KASAN.
+	Focus      []string `json:"focus"`
+	CorpusURLs []string `json:"corpus_urls"`
 	// Don't expect kernel coverage for the patched area.
 	SkipCoverCheck bool `json:"skip_cover_check"`
 	// Only report the bugs that match the regexp.
@@ -39,19 +48,24 @@ type Tree struct {
 	EmailLists []string `json:"email_lists"`
 }
 
+// KernelFuzzConfig is a specific fuzzing assignment.
+// Based on it, the triage step will construct FuzzTasks.
+type KernelFuzzConfig struct {
+	EmailLists     []string `json:"email_lists"`
+	Track          string   `json:"track"` // E.g. KASAN.
+	KernelConfig   string   `json:"kernel_config"`
+	Focus          string   `json:"focus"`
+	CorpusURL      string   `json:"corpus_url"`
+	SkipCoverCheck bool     `json:"skip_cover_check"`
+	BugTitleRe     string   `json:"bug_title_re"`
+}
+
 // FuzzTriageTarget is a single record in the list of supported fuzz configs.
 type FuzzTriageTarget struct {
 	EmailLists []string            `json:"email_lists"`
 	Campaigns  []*KernelFuzzConfig `json:"campaigns"`
 }
 
-// KernelFuzzConfig is a specific fuzzing assignment.
-// Based on it, the triage step will construct FuzzTasks.
-type KernelFuzzConfig struct {
-	KernelConfig string `json:"kernel_config"`
-	FuzzConfig
-}
-
 type BuildRequest struct {
 	Arch       string `json:"arch"`
 	TreeName   string `json:"tree_name"`
@@ -233,8 +247,8 @@ var DefaultTrees = []*Tree{
 const (
 	netCorpusURL = `https://storage.googleapis.com/syzkaller/corpus/ci-upstream-net-kasan-gce-corpus.db`
 	bpfCorpusURL = `https://storage.googleapis.com/syzkaller/corpus/ci-upstream-bpf-kasan-gce-corpus.db`
-	allCorpusURL = `https://storage.googleapis.com/syzkaller/corpus/ci-upstream-kasan-gce-root-corpus.db`
 	fsCorpusURL  = `https://storage.googleapis.com/syzkaller/corpus/ci2-upstream-fs-corpus.db`
+	allCorpusURL = `https://storage.googleapis.com/syzkaller/corpus/ci-upstream-kasan-gce-root-corpus.db`
 )
 
 const kasanTrack = "KASAN"
@@ -245,38 +259,32 @@ var FuzzTargets = []*FuzzTriageTarget{
 		EmailLists: []string{`kvm@vger.kernel.org`},
 		Campaigns: []*KernelFuzzConfig{
 			{
+				Track:        kasanTrack,
 				KernelConfig: `upstream-apparmor-kasan.config`,
-				FuzzConfig: FuzzConfig{
-					Track:     kasanTrack,
-					Config:    `kvm`,
-					CorpusURL: allCorpusURL,
-				},
+				Focus:        FocusKVM,
+				CorpusURL:    allCorpusURL,
 			},
 		},
 	},
 	{
 		EmailLists: []string{`io-uring@vger.kernel.org`},
 		Campaigns: []*KernelFuzzConfig{
 			{
+				Track:        kasanTrack,
 				KernelConfig: `upstream-apparmor-kasan.config`,
-				FuzzConfig: FuzzConfig{
-					Track:     kasanTrack,
-					Config:    `io-uring`,
-					CorpusURL: allCorpusURL,
-				},
+				Focus:        FocusIoUring,
+				CorpusURL:    allCorpusURL,
 			},
 		},
 	},
 	{
 		EmailLists: []string{`bpf@vger.kernel.org`},
 		Campaigns: []*KernelFuzzConfig{
 			{
+				Track:        kasanTrack,
 				KernelConfig: `upstream-apparmor-kasan.config`,
-				FuzzConfig: FuzzConfig{
-					Track:     kasanTrack,
-					Config:    `bpf`,
-					CorpusURL: bpfCorpusURL,
-				},
+				Focus:        FocusBPF,
+				CorpusURL:    bpfCorpusURL,
 			},
 		},
 	},
@@ -288,12 +296,10 @@ var FuzzTargets = []*FuzzTriageTarget{
 		},
 		Campaigns: []*KernelFuzzConfig{
 			{
+				Track:        kasanTrack,
 				KernelConfig: `upstream-apparmor-kasan.config`,
-				FuzzConfig: FuzzConfig{
-					Track:     kasanTrack,
-					Config:    `net`,
-					CorpusURL: netCorpusURL,
-				},
+				Focus:        FocusNet,
+				CorpusURL:    netCorpusURL,
 			},
 		},
 	},
@@ -307,11 +313,9 @@ var FuzzTargets = []*FuzzTriageTarget{
 		Campaigns: []*KernelFuzzConfig{
 			{
 				KernelConfig: `upstream-apparmor-kasan.config`,
-				FuzzConfig: FuzzConfig{
-					Track:     kasanTrack,
-					Config:    `fs`,
-					CorpusURL: fsCorpusURL,
-				},
+				Track:        kasanTrack,
+				Focus:        FocusFS,
+				CorpusURL:    fsCorpusURL,
 			},
 		},
 	},
@@ -320,13 +324,10 @@ var FuzzTargets = []*FuzzTriageTarget{
 		Campaigns: []*KernelFuzzConfig{
 			{
 				KernelConfig: `upstream-apparmor-kasan.config`,
-				FuzzConfig: FuzzConfig{
-					Track:     kasanTrack,
-					Config:    `all`,
-					CorpusURL: allCorpusURL,
-					// Not all mm/ code is instrumented with KCOV.
-					SkipCoverCheck: true,
-				},
+				Track:        kasanTrack,
+				CorpusURL:    allCorpusURL,
+				// Not all mm/ code is instrumented with KCOV.
+				SkipCoverCheck: true,
 			},
 		},
 	},
@@ -335,11 +336,8 @@ var FuzzTargets = []*FuzzTriageTarget{
 		Campaigns: []*KernelFuzzConfig{
 			{
 				KernelConfig: `upstream-apparmor-kasan.config`,
-				FuzzConfig: FuzzConfig{
-					Track:     kasanTrack,
-					Config:    `all`,
-					CorpusURL: allCorpusURL,
-				},
+				Track:        kasanTrack,
+				CorpusURL:    allCorpusURL,
 			},
 		},
 	},

syz-cluster/workflow/configs/all/base.cfg syz-cluster/pkg/fuzzconfig/base.cfgsyz-cluster/workflow/configs/all/base.cfg renamed to syz-cluster/pkg/fuzzconfig/base.cfg

@@ -7,13 +7,10 @@
     "syzkaller": "/syzkaller",
     "workdir": "/workdir",
     "type": "qemu",
-# The perf_event_open call generates too many false positive stalls.
-# The hfs/gfs mounts result in too many distracting kernel crashes that slow down diff fuzzing.
-    "disable_syscalls": [ "perf_event_open*", "syz_mount_image$hfs", "syz_mount_image$gfs*"],
     "procs": 3,
     "sandbox": "none",
     "experimental": {"cover_edges": false},
-    "vm": {    
+    "vm": {
       "count": 3,
       "cmdline": "root=/dev/sda1",
       "kernel": "/base/kernel",