syz-cluster: rewrite fuzz config generation

Instead of a predefined set of manually written syz-manager configs, construct it dynamically from different bits. During triage, select not just one, but all matching fuzzer configurations and then merge them together.
author: Aleksandr Nogikh <nogikh@google.com> 2025-09-18 17:36:53 +0200
committer: Taras Madan <tarasmadan@google.com> 2025-10-07 15:25:13 +0000
commit: 99ed12e158687b7aba55eac142d6bad3f147d029 (patch)
tree: a9809d7c5d60f45b805e0346a9a543ba0651a9e1 /syz-cluster/pkg
parent: 790f0ffe2224829b20e4dc6556c090c503e1d161 (diff)
21 files changed, 1761 insertions, 63 deletions
diff --git a/syz-cluster/pkg/api/api.go b/syz-cluster/pkg/api/api.go
index feb06be32..8c107b8f4 100644
--- a/syz-cluster/pkg/api/api.go
+++ b/syz-cluster/pkg/api/api.go
@@ -20,11 +20,20 @@ type FuzzTask struct {
 	FuzzConfig
 }
 
+const (
+	FocusNet     = "net"
+	FocusKVM     = "kvm"
+	FocusIoUring = "io_uring"
+	FocusBPF     = "bpf"
+	FocusFS      = "fs"
+)
+
 // FuzzConfig represents a set of parameters passed to the fuzz step.
+// The triage step aggregates multiple KernelFuzzConfig to construct FuzzConfig.
 type FuzzConfig struct {
-	Track     string `json:"track"`  // E.g. KASAN.
-	Config    string `json:"config"` // Refers to workflow/configs/{}.
-	CorpusURL string `json:"corpus_url"`
+	Track      string   `json:"track"` // E.g. KASAN.
+	Focus      []string `json:"focus"`
+	CorpusURLs []string `json:"corpus_urls"`
 	// Don't expect kernel coverage for the patched area.
 	SkipCoverCheck bool `json:"skip_cover_check"`
 	// Only report the bugs that match the regexp.
@@ -39,19 +48,24 @@ type Tree struct {
 	EmailLists []string `json:"email_lists"`
 }
 
+// KernelFuzzConfig is a specific fuzzing assignment.
+// Based on it, the triage step will construct FuzzTasks.
+type KernelFuzzConfig struct {
+	EmailLists     []string `json:"email_lists"`
+	Track          string   `json:"track"` // E.g. KASAN.
+	KernelConfig   string   `json:"kernel_config"`
+	Focus          string   `json:"focus"`
+	CorpusURL      string   `json:"corpus_url"`
+	SkipCoverCheck bool     `json:"skip_cover_check"`
+	BugTitleRe     string   `json:"bug_title_re"`
+}
+
 // FuzzTriageTarget is a single record in the list of supported fuzz configs.
 type FuzzTriageTarget struct {
 	EmailLists []string            `json:"email_lists"`
 	Campaigns  []*KernelFuzzConfig `json:"campaigns"`
 }
 
-// KernelFuzzConfig is a specific fuzzing assignment.
-// Based on it, the triage step will construct FuzzTasks.
-type KernelFuzzConfig struct {
-	KernelConfig string `json:"kernel_config"`
-	FuzzConfig
-}
-
 type BuildRequest struct {
 	Arch       string `json:"arch"`
 	TreeName   string `json:"tree_name"`
@@ -233,8 +247,8 @@ var DefaultTrees = []*Tree{
 const (
 	netCorpusURL = `https://storage.googleapis.com/syzkaller/corpus/ci-upstream-net-kasan-gce-corpus.db`
 	bpfCorpusURL = `https://storage.googleapis.com/syzkaller/corpus/ci-upstream-bpf-kasan-gce-corpus.db`
-	allCorpusURL = `https://storage.googleapis.com/syzkaller/corpus/ci-upstream-kasan-gce-root-corpus.db`
 	fsCorpusURL  = `https://storage.googleapis.com/syzkaller/corpus/ci2-upstream-fs-corpus.db`
+	allCorpusURL = `https://storage.googleapis.com/syzkaller/corpus/ci-upstream-kasan-gce-root-corpus.db`
 )
 
 const kasanTrack = "KASAN"
@@ -245,12 +259,10 @@ var FuzzTargets = []*FuzzTriageTarget{
 		EmailLists: []string{`kvm@vger.kernel.org`},
 		Campaigns: []*KernelFuzzConfig{
 			{
+				Track:        kasanTrack,
 				KernelConfig: `upstream-apparmor-kasan.config`,
-				FuzzConfig: FuzzConfig{
-					Track:     kasanTrack,
-					Config:    `kvm`,
-					CorpusURL: allCorpusURL,
-				},
+				Focus:        FocusKVM,
+				CorpusURL:    allCorpusURL,
 			},
 		},
 	},
@@ -258,12 +270,10 @@ var FuzzTargets = []*FuzzTriageTarget{
 		EmailLists: []string{`io-uring@vger.kernel.org`},
 		Campaigns: []*KernelFuzzConfig{
 			{
+				Track:        kasanTrack,
 				KernelConfig: `upstream-apparmor-kasan.config`,
-				FuzzConfig: FuzzConfig{
-					Track:     kasanTrack,
-					Config:    `io-uring`,
-					CorpusURL: allCorpusURL,
-				},
+				Focus:        FocusIoUring,
+				CorpusURL:    allCorpusURL,
 			},
 		},
 	},
@@ -271,12 +281,10 @@ var FuzzTargets = []*FuzzTriageTarget{
 		EmailLists: []string{`bpf@vger.kernel.org`},
 		Campaigns: []*KernelFuzzConfig{
 			{
+				Track:        kasanTrack,
 				KernelConfig: `upstream-apparmor-kasan.config`,
-				FuzzConfig: FuzzConfig{
-					Track:     kasanTrack,
-					Config:    `bpf`,
-					CorpusURL: bpfCorpusURL,
-				},
+				Focus:        FocusBPF,
+				CorpusURL:    bpfCorpusURL,
 			},
 		},
 	},
@@ -288,12 +296,10 @@ var FuzzTargets = []*FuzzTriageTarget{
 		},
 		Campaigns: []*KernelFuzzConfig{
 			{
+				Track:        kasanTrack,
 				KernelConfig: `upstream-apparmor-kasan.config`,
-				FuzzConfig: FuzzConfig{
-					Track:     kasanTrack,
-					Config:    `net`,
-					CorpusURL: netCorpusURL,
-				},
+				Focus:        FocusNet,
+				CorpusURL:    netCorpusURL,
 			},
 		},
 	},
@@ -307,11 +313,9 @@ var FuzzTargets = []*FuzzTriageTarget{
 		Campaigns: []*KernelFuzzConfig{
 			{
 				KernelConfig: `upstream-apparmor-kasan.config`,
-				FuzzConfig: FuzzConfig{
-					Track:     kasanTrack,
-					Config:    `fs`,
-					CorpusURL: fsCorpusURL,
-				},
+				Track:        kasanTrack,
+				Focus:        FocusFS,
+				CorpusURL:    fsCorpusURL,
 			},
 		},
 	},
@@ -320,13 +324,10 @@ var FuzzTargets = []*FuzzTriageTarget{
 		Campaigns: []*KernelFuzzConfig{
 			{
 				KernelConfig: `upstream-apparmor-kasan.config`,
-				FuzzConfig: FuzzConfig{
-					Track:     kasanTrack,
-					Config:    `all`,
-					CorpusURL: allCorpusURL,
-					// Not all mm/ code is instrumented with KCOV.
-					SkipCoverCheck: true,
-				},
+				Track:        kasanTrack,
+				CorpusURL:    allCorpusURL,
+				// Not all mm/ code is instrumented with KCOV.
+				SkipCoverCheck: true,
 			},
 		},
 	},
@@ -335,11 +336,8 @@ var FuzzTargets = []*FuzzTriageTarget{
 		Campaigns: []*KernelFuzzConfig{
 			{
 				KernelConfig: `upstream-apparmor-kasan.config`,
-				FuzzConfig: FuzzConfig{
-					Track:     kasanTrack,
-					Config:    `all`,
-					CorpusURL: allCorpusURL,
-				},
+				Track:        kasanTrack,
+				CorpusURL:    allCorpusURL,
 			},
 		},
 	},
diff --git a/syz-cluster/pkg/fuzzconfig/base.cfg b/syz-cluster/pkg/fuzzconfig/base.cfg
new file mode 100644
index 000000000..add1ba131
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/base.cfg
@@ -0,0 +1,21 @@
+{
+    "name": "base",
+    "target": "linux/amd64",
+    "kernel_obj": "/base/obj",
+    "kernel_build_src": "/workdir",
+    "image": "/base/image",
+    "syzkaller": "/syzkaller",
+    "workdir": "/workdir",
+    "type": "qemu",
+    "procs": 3,
+    "sandbox": "none",
+    "experimental": {"cover_edges": false},
+    "vm": {
+      "count": 3,
+      "cmdline": "root=/dev/sda1",
+      "kernel": "/base/kernel",
+      "cpu": 2,
+      "mem": 7168,
+      "qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+    }
+}
diff --git a/syz-cluster/pkg/fuzzconfig/generate.go b/syz-cluster/pkg/fuzzconfig/generate.go
new file mode 100644
index 000000000..5b503e3ae
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/generate.go
@@ -0,0 +1,188 @@
+// Copyright 2025 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package fuzzconfig
+
+import (
+	_ "embed"
+	"encoding/json"
+	"fmt"
+
+	"github.com/google/syzkaller/pkg/config"
+	"github.com/google/syzkaller/pkg/mgrconfig"
+	"github.com/google/syzkaller/syz-cluster/pkg/api"
+)
+
+//go:embed base.cfg
+var baseConfigJSON []byte
+
+//go:embed patched.cfg
+var patchedConfigJSON []byte
+
+// GenerateBase produces a syz-manager config for the base kernel.
+// The caller must still invoke mgrconfig.Complete.
+func GenerateBase(cfg *api.FuzzConfig) (*mgrconfig.Config, error) {
+	var baseRaw json.RawMessage
+	err := config.LoadData(baseConfigJSON, &baseRaw)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read the base config: %w", err)
+	}
+	base, err := mgrconfig.LoadPartialData(baseRaw)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load the config: %w", err)
+	}
+	err = applyFuzzConfig(base, cfg)
+	if err != nil {
+		return nil, err
+	}
+	return base, nil
+}
+
+// GeneratePatched produces a syz-manager config for the base kernel.
+// The caller must still invoke mgrconfig.Complete.
+func GeneratePatched(cfg *api.FuzzConfig) (*mgrconfig.Config, error) {
+	var baseRaw, deltaRaw json.RawMessage
+	err := config.LoadData(baseConfigJSON, &baseRaw)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read the base config: %w", err)
+	}
+	err = config.LoadData(patchedConfigJSON, &deltaRaw)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read the patched config: %w", err)
+	}
+	patchedRaw, err := config.MergeJSONs(baseRaw, deltaRaw)
+	if err != nil {
+		return nil, fmt.Errorf("failed to merge the configs: %w", err)
+	}
+	patched, err := mgrconfig.LoadPartialData(patchedRaw)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load the config: %w", err)
+	}
+	err = applyFuzzConfig(patched, cfg)
+	if err != nil {
+		return nil, err
+	}
+	return patched, nil
+}
+
+func applyFuzzConfig(mgrCfg *mgrconfig.Config, cfg *api.FuzzConfig) error {
+	if len(cfg.Focus) == 0 {
+		noFocus(mgrCfg)
+		return nil
+	}
+	for _, focus := range cfg.Focus {
+		cb := setFocus[focus]
+		if cb == nil {
+			return fmt.Errorf("unknown focus: %s", focus)
+		}
+		err := cb(mgrCfg)
+		if err != nil {
+			return fmt.Errorf("failed to apply focus %s: %w", focus, err)
+		}
+	}
+	return nil
+}
+
+// nolint: lll
+var setFocus = map[string]func(*mgrconfig.Config) error{
+	api.FocusKVM: func(mgrCfg *mgrconfig.Config) error {
+		mgrCfg.EnabledSyscalls = append(mgrCfg.EnabledSyscalls,
+			"openat$kvm",
+			"openat$sev",
+			"close",
+			"ioctl$KVM*",
+			"syz_kvm*",
+			"mmap$KVM_VCPU",
+			"munmap",
+			"syz_memcpy_off$KVM_EXIT_MMIO",
+			"syz_memcpy_off$KVM_EXIT_HYPERCALL",
+			"eventfd2",
+			"write$eventfd",
+		)
+		var err error
+		mgrCfg.VM, err = config.MergeJSONs(mgrCfg.VM, []byte(
+			`{"qemu_args": "-machine q35,nvdimm=on,accel=kvm,kernel-irqchip=split -cpu max,migratable=off -enable-kvm -smp 2,sockets=2,cores=1"}`))
+		return err
+	},
+	api.FocusNet: func(mgrCfg *mgrconfig.Config) error {
+		mgrCfg.EnabledSyscalls = append(mgrCfg.EnabledSyscalls,
+			"accept", "accept4", "bind", "close", "connect", "epoll_create",
+			"epoll_create1", "epoll_ctl", "epoll_pwait", "epoll_wait",
+			"getpeername", "getsockname", "getsockopt", "ioctl", "listen",
+			"mmap", "poll", "ppoll", "pread64", "preadv", "pselect6",
+			"pwrite64", "pwritev", "read", "readv", "recvfrom", "recvmmsg",
+			"recvmsg", "select", "sendfile", "sendmmsg", "sendmsg", "sendto",
+			"setsockopt", "shutdown", "socket", "socketpair", "splice",
+			"vmsplice", "write", "writev", "tee", "bpf", "getpid",
+			"getgid", "getuid", "gettid", "unshare", "pipe",
+			"syz_emit_ethernet", "syz_extract_tcp_res",
+			"syz_genetlink_get_family_id", "syz_init_net_socket",
+			"mkdirat$cgroup*", "openat$cgroup*", "write$cgroup*",
+			"clock_gettime", "bpf", "openat$tun", "openat$ppp",
+			"syz_open_procfs$namespace", "syz_80211_*", "nanosleep",
+			"openat$nci", "ioctl$IOCTL_GET_NCIDEV_IDX", "openat$rfkill",
+			"openat$6lowpan*", "openat$pidfd", "openat$tcp*", "openat$vhost_vsock",
+			"openat$ptp*", "ioctl$PTP*",
+		)
+		return nil
+	},
+	api.FocusFS: func(mgrCfg *mgrconfig.Config) error {
+		mgrCfg.EnabledSyscalls = append(mgrCfg.EnabledSyscalls,
+			"syz_mount_image", "open", "openat", "creat", "close", "read",
+			"pread64", "readv", "preadv", "preadv2", "write", "pwrite64",
+			"writev", "pwritev", "pwritev2", "lseek", "copy_file_range", "dup",
+			"dup2", "dup3", "tee", "splice", "vmsplice", "sendfile", "stat",
+			"lstat", "fstat", "newfstatat", "statx", "poll", "clock_gettime",
+			"ppoll", "select", "pselect6", "epoll_create", "epoll_create1",
+			"epoll_ctl", "epoll_wait", "epoll_pwait", "epoll_pwait2", "mmap",
+			"munmap", "mremap", "msync", "readahead", "fcntl", "mknod", "mknodat",
+			"chmod", "fchmod", "fchmodat", "chown", "lchown", "fchown",
+			"fchownat", "fallocate", "faccessat", "faccessat2", "utime", "utimes",
+			"futimesat", "utimensat", "link", "linkat", "symlinkat", "symlink",
+			"unlink", "unlinkat", "readlink", "readlinkat", "rename", "renameat",
+			"renameat2", "mkdir", "mkdirat", "rmdir", "truncate", "ftruncate",
+			"flock", "fsync", "fdatasync", "sync", "syncfs", "sync_file_range",
+			"getdents", "getdents64", "name_to_handle_at", "open_by_handle_at",
+			"chroot", "getcwd", "chdir", "fchdir", "quotactl", "pivot_root",
+			"statfs", "fstatfs", "syz_open_procfs", "syz_read_part_table",
+			"mount", "fsopen", "fspick", "fsconfig", "fsmount", "move_mount",
+			"open_tree", "mount_setattr", "ioctl$FS_*", "ioctl$BTRFS*",
+			"ioctl$AUTOFS*", "ioctl$EXT4*", "ioctl$F2FS*", "ioctl$FAT*",
+			"ioctl$VFAT*", "ioctl$FI*",
+		)
+		mgrCfg.NoMutateSyscalls = append(mgrCfg.NoMutateSyscalls,
+			"syz_mount_image$btrfs",
+			"syz_mount_image$ext4",
+			"syz_mount_image$f2fs",
+			"syz_mount_image$ntfs",
+			"syz_mount_image$ocfs2",
+			"syz_mount_image$xfs",
+		)
+		return nil
+	},
+	api.FocusIoUring: func(mgrCfg *mgrconfig.Config) error {
+		mgrCfg.EnabledSyscalls = append(mgrCfg.EnabledSyscalls,
+			"io_uring_*", "syz_io_uring_*", "syz_memcpy_off", "mmap", "madvise",
+			"mprotect", "eventfd", "socket", "setsockopt", "accept", "open", "close",
+			"clock_gettime", "ioctl$sock_SIOCGIFINDEX", "ioctl$IOCTL_GET_NCIDEV_IDX",
+			"openat", "epoll_create",
+		)
+		return nil
+	},
+	api.FocusBPF: func(mgrCfg *mgrconfig.Config) error {
+		mgrCfg.EnabledSyscalls = append(mgrCfg.EnabledSyscalls,
+			"bpf", "mkdir", "mount$bpf", "unlink", "close",
+			"perf_event_open*", "ioctl$PERF*", "getpid", "gettid",
+			"socketpair", "sendmsg", "recvmsg", "setsockopt$sock_attach_bpf",
+			"socket", "ioctl$sock_kcm*", "syz_clone",
+			"mkdirat$cgroup*", "openat$cgroup*", "write$cgroup*",
+			"openat$tun", "write$tun", "ioctl$TUN*", "ioctl$SIOCSIFHWADDR",
+			"openat$ppp", "syz_open_procfs$namespace", "openat$pidfd", "fstat",
+		)
+		return nil
+	},
+}
+
+func noFocus(mgrCfg *mgrconfig.Config) {
+	mgrCfg.DisabledSyscalls = []string{"perf_event_open*", "syz_mount_image$hfs", "syz_mount_image$gfs*"}
+}
diff --git a/syz-cluster/pkg/fuzzconfig/generate_test.go b/syz-cluster/pkg/fuzzconfig/generate_test.go
new file mode 100644
index 000000000..1dd143eaf
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/generate_test.go
@@ -0,0 +1,79 @@
+// Copyright 2025 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package fuzzconfig
+
+import (
+	"encoding/json"
+	"flag"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/google/syzkaller/pkg/config"
+	"github.com/google/syzkaller/pkg/mgrconfig"
+	"github.com/google/syzkaller/syz-cluster/pkg/api"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+var flagWrite = flag.Bool("write", false, "overwrite out.txt files")
+
+func TestSingularFocus(t *testing.T) {
+	focusMap := map[string]struct{}{}
+	for _, target := range api.FuzzTargets {
+		for _, campaign := range target.Campaigns {
+			if campaign.Focus != "" {
+				focusMap[campaign.Focus] = struct{}{}
+			}
+		}
+	}
+	for focus := range focusMap {
+		t.Run(focus, func(t *testing.T) {
+			cfg := &api.FuzzConfig{Focus: []string{focus}}
+			runTest(t, cfg, filepath.Join("testdata", "singular", focus))
+		})
+	}
+}
+
+func TestNoFocus(t *testing.T) {
+	runTest(t, &api.FuzzConfig{}, filepath.Join("testdata", "singular", "default"))
+}
+
+func TestMultipleFocus(t *testing.T) {
+	runTest(t, &api.FuzzConfig{
+		Focus: []string{api.FocusBPF, api.FocusIoUring},
+	}, filepath.Join("testdata", "mixed", "bpf_io_uring"))
+}
+
+func runTest(t *testing.T, cfg *api.FuzzConfig, baseName string) {
+	base, err := GenerateBase(cfg)
+	require.NoError(t, err)
+	compareOrSave(t, baseName+".base.cfg", base)
+
+	patched, err := GeneratePatched(cfg)
+	require.NoError(t, err)
+	compareOrSave(t, baseName+".patched.cfg", patched)
+}
+
+func compareOrSave(t *testing.T, fileName string, mgrCfg *mgrconfig.Config) {
+	targetJSON, err := json.MarshalIndent(mgrCfg, "", "\t")
+	require.NoError(t, err)
+	if *flagWrite {
+		err = os.WriteFile(fileName, targetJSON, 0644)
+		require.NoError(t, err)
+		return
+	}
+
+	var raw json.RawMessage
+	err = config.LoadFile(fileName, &raw)
+	require.NoError(t, err)
+
+	cfg, err := mgrconfig.LoadPartialData(raw)
+	require.NoError(t, err)
+	require.NotNil(t, cfg)
+
+	resultJSON, err := json.MarshalIndent(cfg, "", "\t")
+	require.NoError(t, err)
+	assert.Equal(t, targetJSON, resultJSON)
+}
diff --git a/syz-cluster/pkg/fuzzconfig/patched.cfg b/syz-cluster/pkg/fuzzconfig/patched.cfg
new file mode 100644
index 000000000..8b4027891
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/patched.cfg
@@ -0,0 +1,10 @@
+{
+    "name": "patched",
+    "target": "linux/amd64",
+    "kernel_obj": "/patched/obj",
+    "image": "/patched/image",
+    "vm": {
+      "count": 9,
+      "kernel": "/patched/kernel"
+    }
+}
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.base.cfg
new file mode 100644
index 000000000..6c4b3d58e
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.base.cfg
@@ -0,0 +1,90 @@
+{
+	"name": "base",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/base/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/base/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"bpf",
+		"mkdir",
+		"mount$bpf",
+		"unlink",
+		"close",
+		"perf_event_open*",
+		"ioctl$PERF*",
+		"getpid",
+		"gettid",
+		"socketpair",
+		"sendmsg",
+		"recvmsg",
+		"setsockopt$sock_attach_bpf",
+		"socket",
+		"ioctl$sock_kcm*",
+		"syz_clone",
+		"mkdirat$cgroup*",
+		"openat$cgroup*",
+		"write$cgroup*",
+		"openat$tun",
+		"write$tun",
+		"ioctl$TUN*",
+		"ioctl$SIOCSIFHWADDR",
+		"openat$ppp",
+		"syz_open_procfs$namespace",
+		"openat$pidfd",
+		"fstat",
+		"io_uring_*",
+		"syz_io_uring_*",
+		"syz_memcpy_off",
+		"mmap",
+		"madvise",
+		"mprotect",
+		"eventfd",
+		"socket",
+		"setsockopt",
+		"accept",
+		"open",
+		"close",
+		"clock_gettime",
+		"ioctl$sock_SIOCGIFINDEX",
+		"ioctl$IOCTL_GET_NCIDEV_IDX",
+		"openat",
+		"epoll_create"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"count": 3,
+		"cmdline": "root=/dev/sda1",
+		"kernel": "/base/kernel",
+		"cpu": 2,
+		"mem": 7168,
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual"
+	}
+}
+\ No newline at end of file
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.patched.cfg
new file mode 100644
index 000000000..ce1ee850a
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.patched.cfg
@@ -0,0 +1,90 @@
+{
+	"name": "patched",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/patched/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/patched/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"bpf",
+		"mkdir",
+		"mount$bpf",
+		"unlink",
+		"close",
+		"perf_event_open*",
+		"ioctl$PERF*",
+		"getpid",
+		"gettid",
+		"socketpair",
+		"sendmsg",
+		"recvmsg",
+		"setsockopt$sock_attach_bpf",
+		"socket",
+		"ioctl$sock_kcm*",
+		"syz_clone",
+		"mkdirat$cgroup*",
+		"openat$cgroup*",
+		"write$cgroup*",
+		"openat$tun",
+		"write$tun",
+		"ioctl$TUN*",
+		"ioctl$SIOCSIFHWADDR",
+		"openat$ppp",
+		"syz_open_procfs$namespace",
+		"openat$pidfd",
+		"fstat",
+		"io_uring_*",
+		"syz_io_uring_*",
+		"syz_memcpy_off",
+		"mmap",
+		"madvise",
+		"mprotect",
+		"eventfd",
+		"socket",
+		"setsockopt",
+		"accept",
+		"open",
+		"close",
+		"clock_gettime",
+		"ioctl$sock_SIOCGIFINDEX",
+		"ioctl$IOCTL_GET_NCIDEV_IDX",
+		"openat",
+		"epoll_create"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"cmdline": "root=/dev/sda1",
+		"count": 9,
+		"cpu": 2,
+		"kernel": "/patched/kernel",
+		"mem": 7168,
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual"
+	}
+}
+\ No newline at end of file
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.base.cfg
new file mode 100644
index 000000000..79d1339c0
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.base.cfg
@@ -0,0 +1,73 @@
+{
+	"name": "base",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/base/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/base/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"bpf",
+		"mkdir",
+		"mount$bpf",
+		"unlink",
+		"close",
+		"perf_event_open*",
+		"ioctl$PERF*",
+		"getpid",
+		"gettid",
+		"socketpair",
+		"sendmsg",
+		"recvmsg",
+		"setsockopt$sock_attach_bpf",
+		"socket",
+		"ioctl$sock_kcm*",
+		"syz_clone",
+		"mkdirat$cgroup*",
+		"openat$cgroup*",
+		"write$cgroup*",
+		"openat$tun",
+		"write$tun",
+		"ioctl$TUN*",
+		"ioctl$SIOCSIFHWADDR",
+		"openat$ppp",
+		"syz_open_procfs$namespace",
+		"openat$pidfd",
+		"fstat"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"count": 3,
+		"cmdline": "root=/dev/sda1",
+		"kernel": "/base/kernel",
+		"cpu": 2,
+		"mem": 7168,
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual"
+	}
+}
+\ No newline at end of file
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.patched.cfg
new file mode 100644
index 000000000..059b47cf0
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.patched.cfg
@@ -0,0 +1,73 @@
+{
+	"name": "patched",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/patched/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/patched/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"bpf",
+		"mkdir",
+		"mount$bpf",
+		"unlink",
+		"close",
+		"perf_event_open*",
+		"ioctl$PERF*",
+		"getpid",
+		"gettid",
+		"socketpair",
+		"sendmsg",
+		"recvmsg",
+		"setsockopt$sock_attach_bpf",
+		"socket",
+		"ioctl$sock_kcm*",
+		"syz_clone",
+		"mkdirat$cgroup*",
+		"openat$cgroup*",
+		"write$cgroup*",
+		"openat$tun",
+		"write$tun",
+		"ioctl$TUN*",
+		"ioctl$SIOCSIFHWADDR",
+		"openat$ppp",
+		"syz_open_procfs$namespace",
+		"openat$pidfd",
+		"fstat"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"cmdline": "root=/dev/sda1",
+		"count": 9,
+		"cpu": 2,
+		"kernel": "/patched/kernel",
+		"mem": 7168,
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual"
+	}
+}
+\ No newline at end of file
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/default.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/default.base.cfg
new file mode 100644
index 000000000..28c8c600d
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/default.base.cfg
@@ -0,0 +1,49 @@
+{
+	"name": "base",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/base/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/base/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"disable_syscalls": [
+		"perf_event_open*",
+		"syz_mount_image$hfs",
+		"syz_mount_image$gfs*"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"count": 3,
+		"cmdline": "root=/dev/sda1",
+		"kernel": "/base/kernel",
+		"cpu": 2,
+		"mem": 7168,
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual"
+	}
+}
+\ No newline at end of file
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/default.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/default.patched.cfg
new file mode 100644
index 000000000..55d699651
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/default.patched.cfg
@@ -0,0 +1,49 @@
+{
+	"name": "patched",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/patched/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/patched/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"disable_syscalls": [
+		"perf_event_open*",
+		"syz_mount_image$hfs",
+		"syz_mount_image$gfs*"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"cmdline": "root=/dev/sda1",
+		"count": 9,
+		"cpu": 2,
+		"kernel": "/patched/kernel",
+		"mem": 7168,
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual"
+	}
+}
+\ No newline at end of file
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.base.cfg
new file mode 100644
index 000000000..8515dfe19
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.base.cfg
@@ -0,0 +1,168 @@
+{
+	"name": "base",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/base/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/base/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"syz_mount_image",
+		"open",
+		"openat",
+		"creat",
+		"close",
+		"read",
+		"pread64",
+		"readv",
+		"preadv",
+		"preadv2",
+		"write",
+		"pwrite64",
+		"writev",
+		"pwritev",
+		"pwritev2",
+		"lseek",
+		"copy_file_range",
+		"dup",
+		"dup2",
+		"dup3",
+		"tee",
+		"splice",
+		"vmsplice",
+		"sendfile",
+		"stat",
+		"lstat",
+		"fstat",
+		"newfstatat",
+		"statx",
+		"poll",
+		"clock_gettime",
+		"ppoll",
+		"select",
+		"pselect6",
+		"epoll_create",
+		"epoll_create1",
+		"epoll_ctl",
+		"epoll_wait",
+		"epoll_pwait",
+		"epoll_pwait2",
+		"mmap",
+		"munmap",
+		"mremap",
+		"msync",
+		"readahead",
+		"fcntl",
+		"mknod",
+		"mknodat",
+		"chmod",
+		"fchmod",
+		"fchmodat",
+		"chown",
+		"lchown",
+		"fchown",
+		"fchownat",
+		"fallocate",
+		"faccessat",
+		"faccessat2",
+		"utime",
+		"utimes",
+		"futimesat",
+		"utimensat",
+		"link",
+		"linkat",
+		"symlinkat",
+		"symlink",
+		"unlink",
+		"unlinkat",
+		"readlink",
+		"readlinkat",
+		"rename",
+		"renameat",
+		"renameat2",
+		"mkdir",
+		"mkdirat",
+		"rmdir",
+		"truncate",
+		"ftruncate",
+		"flock",
+		"fsync",
+		"fdatasync",
+		"sync",
+		"syncfs",
+		"sync_file_range",
+		"getdents",
+		"getdents64",
+		"name_to_handle_at",
+		"open_by_handle_at",
+		"chroot",
+		"getcwd",
+		"chdir",
+		"fchdir",
+		"quotactl",
+		"pivot_root",
+		"statfs",
+		"fstatfs",
+		"syz_open_procfs",
+		"syz_read_part_table",
+		"mount",
+		"fsopen",
+		"fspick",
+		"fsconfig",
+		"fsmount",
+		"move_mount",
+		"open_tree",
+		"mount_setattr",
+		"ioctl$FS_*",
+		"ioctl$BTRFS*",
+		"ioctl$AUTOFS*",
+		"ioctl$EXT4*",
+		"ioctl$F2FS*",
+		"ioctl$FAT*",
+		"ioctl$VFAT*",
+		"ioctl$FI*"
+	],
+	"no_mutate_syscalls": [
+		"syz_mount_image$btrfs",
+		"syz_mount_image$ext4",
+		"syz_mount_image$f2fs",
+		"syz_mount_image$ntfs",
+		"syz_mount_image$ocfs2",
+		"syz_mount_image$xfs"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"count": 3,
+		"cmdline": "root=/dev/sda1",
+		"kernel": "/base/kernel",
+		"cpu": 2,
+		"mem": 7168,
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual"
+	}
+}
+\ No newline at end of file
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.patched.cfg
new file mode 100644
index 000000000..9fbfaf3f6
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.patched.cfg
@@ -0,0 +1,168 @@
+{
+	"name": "patched",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/patched/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/patched/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"syz_mount_image",
+		"open",
+		"openat",
+		"creat",
+		"close",
+		"read",
+		"pread64",
+		"readv",
+		"preadv",
+		"preadv2",
+		"write",
+		"pwrite64",
+		"writev",
+		"pwritev",
+		"pwritev2",
+		"lseek",
+		"copy_file_range",
+		"dup",
+		"dup2",
+		"dup3",
+		"tee",
+		"splice",
+		"vmsplice",
+		"sendfile",
+		"stat",
+		"lstat",
+		"fstat",
+		"newfstatat",
+		"statx",
+		"poll",
+		"clock_gettime",
+		"ppoll",
+		"select",
+		"pselect6",
+		"epoll_create",
+		"epoll_create1",
+		"epoll_ctl",
+		"epoll_wait",
+		"epoll_pwait",
+		"epoll_pwait2",
+		"mmap",
+		"munmap",
+		"mremap",
+		"msync",
+		"readahead",
+		"fcntl",
+		"mknod",
+		"mknodat",
+		"chmod",
+		"fchmod",
+		"fchmodat",
+		"chown",
+		"lchown",
+		"fchown",
+		"fchownat",
+		"fallocate",
+		"faccessat",
+		"faccessat2",
+		"utime",
+		"utimes",
+		"futimesat",
+		"utimensat",
+		"link",
+		"linkat",
+		"symlinkat",
+		"symlink",
+		"unlink",
+		"unlinkat",
+		"readlink",
+		"readlinkat",
+		"rename",
+		"renameat",
+		"renameat2",
+		"mkdir",
+		"mkdirat",
+		"rmdir",
+		"truncate",
+		"ftruncate",
+		"flock",
+		"fsync",
+		"fdatasync",
+		"sync",
+		"syncfs",
+		"sync_file_range",
+		"getdents",
+		"getdents64",
+		"name_to_handle_at",
+		"open_by_handle_at",
+		"chroot",
+		"getcwd",
+		"chdir",
+		"fchdir",
+		"quotactl",
+		"pivot_root",
+		"statfs",
+		"fstatfs",
+		"syz_open_procfs",
+		"syz_read_part_table",
+		"mount",
+		"fsopen",
+		"fspick",
+		"fsconfig",
+		"fsmount",
+		"move_mount",
+		"open_tree",
+		"mount_setattr",
+		"ioctl$FS_*",
+		"ioctl$BTRFS*",
+		"ioctl$AUTOFS*",
+		"ioctl$EXT4*",
+		"ioctl$F2FS*",
+		"ioctl$FAT*",
+		"ioctl$VFAT*",
+		"ioctl$FI*"
+	],
+	"no_mutate_syscalls": [
+		"syz_mount_image$btrfs",
+		"syz_mount_image$ext4",
+		"syz_mount_image$f2fs",
+		"syz_mount_image$ntfs",
+		"syz_mount_image$ocfs2",
+		"syz_mount_image$xfs"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"cmdline": "root=/dev/sda1",
+		"count": 9,
+		"cpu": 2,
+		"kernel": "/patched/kernel",
+		"mem": 7168,
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual"
+	}
+}
+\ No newline at end of file
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/io_uring.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/io_uring.base.cfg
new file mode 100644
index 000000000..94990b812
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/io_uring.base.cfg
@@ -0,0 +1,63 @@
+{
+	"name": "base",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/base/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/base/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"io_uring_*",
+		"syz_io_uring_*",
+		"syz_memcpy_off",
+		"mmap",
+		"madvise",
+		"mprotect",
+		"eventfd",
+		"socket",
+		"setsockopt",
+		"accept",
+		"open",
+		"close",
+		"clock_gettime",
+		"ioctl$sock_SIOCGIFINDEX",
+		"ioctl$IOCTL_GET_NCIDEV_IDX",
+		"openat",
+		"epoll_create"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"count": 3,
+		"cmdline": "root=/dev/sda1",
+		"kernel": "/base/kernel",
+		"cpu": 2,
+		"mem": 7168,
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual"
+	}
+}
+\ No newline at end of file
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/io_uring.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/io_uring.patched.cfg
new file mode 100644
index 000000000..4fe786944
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/io_uring.patched.cfg
@@ -0,0 +1,63 @@
+{
+	"name": "patched",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/patched/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/patched/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"io_uring_*",
+		"syz_io_uring_*",
+		"syz_memcpy_off",
+		"mmap",
+		"madvise",
+		"mprotect",
+		"eventfd",
+		"socket",
+		"setsockopt",
+		"accept",
+		"open",
+		"close",
+		"clock_gettime",
+		"ioctl$sock_SIOCGIFINDEX",
+		"ioctl$IOCTL_GET_NCIDEV_IDX",
+		"openat",
+		"epoll_create"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"cmdline": "root=/dev/sda1",
+		"count": 9,
+		"cpu": 2,
+		"kernel": "/patched/kernel",
+		"mem": 7168,
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual"
+	}
+}
+\ No newline at end of file
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/kvm.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/kvm.base.cfg
new file mode 100644
index 000000000..bdfe653ef
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/kvm.base.cfg
@@ -0,0 +1,57 @@
+{
+	"name": "base",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/base/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/base/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"openat$kvm",
+		"openat$sev",
+		"close",
+		"ioctl$KVM*",
+		"syz_kvm*",
+		"mmap$KVM_VCPU",
+		"munmap",
+		"syz_memcpy_off$KVM_EXIT_MMIO",
+		"syz_memcpy_off$KVM_EXIT_HYPERCALL",
+		"eventfd2",
+		"write$eventfd"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"cmdline": "root=/dev/sda1",
+		"count": 3,
+		"cpu": 2,
+		"kernel": "/base/kernel",
+		"mem": 7168,
+		"qemu_args": "-machine q35,nvdimm=on,accel=kvm,kernel-irqchip=split -cpu max,migratable=off -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual"
+	}
+}
+\ No newline at end of file
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/kvm.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/kvm.patched.cfg
new file mode 100644
index 000000000..86e319ac7
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/kvm.patched.cfg
@@ -0,0 +1,57 @@
+{
+	"name": "patched",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/patched/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/patched/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"openat$kvm",
+		"openat$sev",
+		"close",
+		"ioctl$KVM*",
+		"syz_kvm*",
+		"mmap$KVM_VCPU",
+		"munmap",
+		"syz_memcpy_off$KVM_EXIT_MMIO",
+		"syz_memcpy_off$KVM_EXIT_HYPERCALL",
+		"eventfd2",
+		"write$eventfd"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"cmdline": "root=/dev/sda1",
+		"count": 9,
+		"cpu": 2,
+		"kernel": "/patched/kernel",
+		"mem": 7168,
+		"qemu_args": "-machine q35,nvdimm=on,accel=kvm,kernel-irqchip=split -cpu max,migratable=off -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual"
+	}
+}
+\ No newline at end of file
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/net.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/net.base.cfg
new file mode 100644
index 000000000..641241acb
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/net.base.cfg
@@ -0,0 +1,118 @@
+{
+	"name": "base",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/base/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/base/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"accept",
+		"accept4",
+		"bind",
+		"close",
+		"connect",
+		"epoll_create",
+		"epoll_create1",
+		"epoll_ctl",
+		"epoll_pwait",
+		"epoll_wait",
+		"getpeername",
+		"getsockname",
+		"getsockopt",
+		"ioctl",
+		"listen",
+		"mmap",
+		"poll",
+		"ppoll",
+		"pread64",
+		"preadv",
+		"pselect6",
+		"pwrite64",
+		"pwritev",
+		"read",
+		"readv",
+		"recvfrom",
+		"recvmmsg",
+		"recvmsg",
+		"select",
+		"sendfile",
+		"sendmmsg",
+		"sendmsg",
+		"sendto",
+		"setsockopt",
+		"shutdown",
+		"socket",
+		"socketpair",
+		"splice",
+		"vmsplice",
+		"write",
+		"writev",
+		"tee",
+		"bpf",
+		"getpid",
+		"getgid",
+		"getuid",
+		"gettid",
+		"unshare",
+		"pipe",
+		"syz_emit_ethernet",
+		"syz_extract_tcp_res",
+		"syz_genetlink_get_family_id",
+		"syz_init_net_socket",
+		"mkdirat$cgroup*",
+		"openat$cgroup*",
+		"write$cgroup*",
+		"clock_gettime",
+		"bpf",
+		"openat$tun",
+		"openat$ppp",
+		"syz_open_procfs$namespace",
+		"syz_80211_*",
+		"nanosleep",
+		"openat$nci",
+		"ioctl$IOCTL_GET_NCIDEV_IDX",
+		"openat$rfkill",
+		"openat$6lowpan*",
+		"openat$pidfd",
+		"openat$tcp*",
+		"openat$vhost_vsock",
+		"openat$ptp*",
+		"ioctl$PTP*"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"count": 3,
+		"cmdline": "root=/dev/sda1",
+		"kernel": "/base/kernel",
+		"cpu": 2,
+		"mem": 7168,
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual"
+	}
+}
+\ No newline at end of file
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/net.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/net.patched.cfg
new file mode 100644
index 000000000..985dbb9be
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/net.patched.cfg
@@ -0,0 +1,118 @@
+{
+	"name": "patched",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/patched/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/patched/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"accept",
+		"accept4",
+		"bind",
+		"close",
+		"connect",
+		"epoll_create",
+		"epoll_create1",
+		"epoll_ctl",
+		"epoll_pwait",
+		"epoll_wait",
+		"getpeername",
+		"getsockname",
+		"getsockopt",
+		"ioctl",
+		"listen",
+		"mmap",
+		"poll",
+		"ppoll",
+		"pread64",
+		"preadv",
+		"pselect6",
+		"pwrite64",
+		"pwritev",
+		"read",
+		"readv",
+		"recvfrom",
+		"recvmmsg",
+		"recvmsg",
+		"select",
+		"sendfile",
+		"sendmmsg",
+		"sendmsg",
+		"sendto",
+		"setsockopt",
+		"shutdown",
+		"socket",
+		"socketpair",
+		"splice",
+		"vmsplice",
+		"write",
+		"writev",
+		"tee",
+		"bpf",
+		"getpid",
+		"getgid",
+		"getuid",
+		"gettid",
+		"unshare",
+		"pipe",
+		"syz_emit_ethernet",
+		"syz_extract_tcp_res",
+		"syz_genetlink_get_family_id",
+		"syz_init_net_socket",
+		"mkdirat$cgroup*",
+		"openat$cgroup*",
+		"write$cgroup*",
+		"clock_gettime",
+		"bpf",
+		"openat$tun",
+		"openat$ppp",
+		"syz_open_procfs$namespace",
+		"syz_80211_*",
+		"nanosleep",
+		"openat$nci",
+		"ioctl$IOCTL_GET_NCIDEV_IDX",
+		"openat$rfkill",
+		"openat$6lowpan*",
+		"openat$pidfd",
+		"openat$tcp*",
+		"openat$vhost_vsock",
+		"openat$ptp*",
+		"ioctl$PTP*"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"cmdline": "root=/dev/sda1",
+		"count": 9,
+		"cpu": 2,
+		"kernel": "/patched/kernel",
+		"mem": 7168,
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual"
+	}
+}
+\ No newline at end of file
diff --git a/syz-cluster/pkg/triage/fuzz_target.go b/syz-cluster/pkg/triage/fuzz_target.go
index 6fecc24c0..e4b6fedf3 100644
--- a/syz-cluster/pkg/triage/fuzz_target.go
+++ b/syz-cluster/pkg/triage/fuzz_target.go
@@ -4,25 +4,97 @@
 package triage
 
 import (
+	"sort"
 	"strings"
 
 	"github.com/google/syzkaller/syz-cluster/pkg/api"
 )
 
-func SelectFuzzConfig(series *api.Series, fuzzConfigs []*api.FuzzTriageTarget) *api.FuzzTriageTarget {
+func SelectFuzzConfigs(series *api.Series, fuzzConfigs []*api.FuzzTriageTarget) []*api.KernelFuzzConfig {
 	seriesCc := map[string]bool{}
 	for _, cc := range series.Cc {
 		seriesCc[strings.ToLower(cc)] = true
 	}
+	var ret, defaultRet []*api.KernelFuzzConfig
 	for _, config := range fuzzConfigs {
 		intersects := false
 		for _, cc := range config.EmailLists {
 			intersects = intersects || seriesCc[cc]
 		}
-		if len(config.EmailLists) != 0 && !intersects {
-			continue
+		if intersects {
+			ret = append(ret, config.Campaigns...)
+		} else if len(config.EmailLists) == 0 {
+			defaultRet = append(defaultRet, config.Campaigns...)
 		}
-		return config
 	}
-	return nil
+	// We want to return the fallback option only if no element matched exactly.
+	if len(ret) > 0 {
+		return ret
+	}
+	return defaultRet
+}
+
+type MergedFuzzConfig struct {
+	KernelConfig string
+	FuzzConfig   *api.FuzzConfig
+}
+
+func MergeKernelFuzzConfigs(configs []*api.KernelFuzzConfig) []*MergedFuzzConfig {
+	type groupKey struct {
+		config     string
+		track      string
+		bugTitleRe string
+	}
+	groups := map[groupKey][]*api.KernelFuzzConfig{}
+	var orderedKeys []groupKey
+	for _, config := range configs {
+		// Some of the different fuzz configs may still be merged together,
+		// e.g. if they only differ in the syscall lists and corpuses.
+		key := groupKey{config.KernelConfig, config.Track, config.BugTitleRe}
+		if _, ok := groups[key]; !ok {
+			orderedKeys = append(orderedKeys, key)
+		}
+		groups[key] = append(groups[key], config)
+	}
+	var ret []*MergedFuzzConfig
+	for _, key := range orderedKeys {
+		// TODO: is there way to auto-generate a prefix?
+		ret = append(ret, &MergedFuzzConfig{
+			KernelConfig: key.config,
+			FuzzConfig:   mergeFuzzConfigs(groups[key]),
+		})
+	}
+	return ret
+}
+
+func mergeFuzzConfigs(configs []*api.KernelFuzzConfig) *api.FuzzConfig {
+	var ret api.FuzzConfig
+	for _, config := range configs {
+		if config.Focus != "" {
+			ret.Focus = append(ret.Focus, config.Focus)
+		}
+		if config.CorpusURL != "" {
+			ret.CorpusURLs = append(ret.CorpusURLs, config.CorpusURL)
+		}
+		ret.SkipCoverCheck = ret.SkipCoverCheck || config.SkipCoverCheck
+		// Must be the same.
+		ret.BugTitleRe = config.BugTitleRe
+		ret.Track = config.Track
+	}
+	ret.Focus = unique(ret.Focus)
+	ret.CorpusURLs = unique(ret.CorpusURLs)
+	return &ret
+}
+
+func unique(list []string) []string {
+	seen := make(map[string]struct{}, len(list))
+	for _, s := range list {
+		seen[s] = struct{}{}
+	}
+	var unique []string
+	for s := range seen {
+		unique = append(unique, s)
+	}
+	sort.Strings(unique)
+	return unique
 }
diff --git a/syz-cluster/pkg/triage/fuzz_target_test.go b/syz-cluster/pkg/triage/fuzz_target_test.go
index fa7039bda..6b5111e0c 100644
--- a/syz-cluster/pkg/triage/fuzz_target_test.go
+++ b/syz-cluster/pkg/triage/fuzz_target_test.go
@@ -10,32 +10,126 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestSelectFuzzConfig(t *testing.T) {
-	bpf := &api.FuzzTriageTarget{EmailLists: []string{"bpf@list"}}
-	net := &api.FuzzTriageTarget{EmailLists: []string{"net@list"}}
-	mainline := &api.FuzzTriageTarget{EmailLists: nil}
-	configs := []*api.FuzzTriageTarget{bpf, net, mainline}
+func TestSelectFuzzConfigs(t *testing.T) {
+	bpf, bpfKmsan, net, mainline := &api.KernelFuzzConfig{},
+		&api.KernelFuzzConfig{},
+		&api.KernelFuzzConfig{},
+		&api.KernelFuzzConfig{}
+	configs := []*api.FuzzTriageTarget{
+		{
+			EmailLists: []string{"bpf@list"},
+			Campaigns:  []*api.KernelFuzzConfig{bpf, bpfKmsan},
+		},
+		{
+			EmailLists: []string{"net@list"},
+			Campaigns:  []*api.KernelFuzzConfig{net},
+		},
+		{
+			EmailLists: nil,
+			Campaigns:  []*api.KernelFuzzConfig{mainline},
+		},
+	}
 	tests := []struct {
 		testName string
-		result   *api.FuzzTriageTarget
+		result   []*api.KernelFuzzConfig
 		series   *api.Series
 	}{
 		{
-			testName: "select-first",
-			result:   bpf,
+			testName: "select-one",
+			result:   []*api.KernelFuzzConfig{net},
+			series:   &api.Series{Cc: []string{"net@list"}},
+		},
+		{
+			testName: "select-both",
+			result:   []*api.KernelFuzzConfig{bpf, bpfKmsan, net},
 			series:   &api.Series{Cc: []string{"bpf@list", "net@list"}},
 		},
 		{
 			testName: "fallback",
-			result:   mainline,
+			result:   []*api.KernelFuzzConfig{mainline},
 			series:   &api.Series{Cc: []string{"unknown@list"}},
 		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.testName, func(t *testing.T) {
-			ret := SelectFuzzConfig(test.series, configs)
+			ret := SelectFuzzConfigs(test.series, configs)
 			assert.Equal(t, test.result, ret)
 		})
 	}
 }
+
+func TestMergeKernelFuzzConfigs(t *testing.T) {
+	t.Run("split", func(t *testing.T) {
+		assert.Equal(t, []*MergedFuzzConfig{
+			{
+				KernelConfig: "kasan_config",
+				FuzzConfig: &api.FuzzConfig{
+					Track: "KASAN",
+					Focus: []string{"net"},
+				},
+			},
+			{
+				KernelConfig: "kmsan_config",
+				FuzzConfig: &api.FuzzConfig{
+					Track: "KMSAN",
+					Focus: []string{"net"},
+				},
+			},
+		}, MergeKernelFuzzConfigs([]*api.KernelFuzzConfig{
+			{
+				Track:        "KASAN",
+				KernelConfig: "kasan_config",
+				Focus:        "net",
+			},
+			{
+				Track:        "KMSAN",
+				KernelConfig: "kmsan_config",
+				Focus:        "net",
+			},
+		}))
+	})
+	t.Run("merge", func(t *testing.T) {
+		assert.Equal(t, []*MergedFuzzConfig{
+			{
+				KernelConfig: "kasan_config",
+				FuzzConfig: &api.FuzzConfig{
+					Track: "KASAN",
+					Focus: []string{"bpf", "net"},
+				},
+			},
+		}, MergeKernelFuzzConfigs([]*api.KernelFuzzConfig{
+			{
+				Track:        "KASAN",
+				KernelConfig: "kasan_config",
+				Focus:        "net",
+			},
+			{
+				Track:        "KASAN",
+				KernelConfig: "kasan_config",
+				Focus:        "bpf",
+			},
+		}))
+	})
+}
+
+func TestMergeFuzzConfigs(t *testing.T) {
+	assert.Equal(t, &api.FuzzConfig{
+		Focus:          []string{"bpf", "net"},
+		CorpusURLs:     []string{"url1", "url2"},
+		SkipCoverCheck: true,
+		BugTitleRe:     "regexp",
+	}, mergeFuzzConfigs([]*api.KernelFuzzConfig{
+		{
+			Focus:      "net",
+			CorpusURL:  "url2",
+			BugTitleRe: "regexp",
+		},
+		{
+			Focus:          "bpf",
+			CorpusURL:      "url1",
+			BugTitleRe:     "regexp",
+			SkipCoverCheck: true,
+		},
+	}))
+}
author	Aleksandr Nogikh <nogikh@google.com>	2025-09-18 17:36:53 +0200
committer	Taras Madan <tarasmadan@google.com>	2025-10-07 15:25:13 +0000
commit	99ed12e158687b7aba55eac142d6bad3f147d029 (patch)
tree	a9809d7c5d60f45b805e0346a9a543ba0651a9e1 /syz-cluster/pkg
parent	790f0ffe2224829b20e4dc6556c090c503e1d161 (diff)