executor/common_linux.h: open target dir inside syz_mount_image()

Refactor syz_mount_image() to support filesystems not requiring a backing device and filesystem image (e.g. FUSE). To do that, we check for the presence of the pointer to the array of struct fs_image_segment: if missingi, there is no need to setup the loop device and we can proceed directly with the mount() syscall. Add syz_mount_image$fuse() (specialization for FUSE) inside sys/linux/fs_fuse.txt.
2024-11-26 21:00:30 +00:00 · 2020-08-10 11:32:20 +00:00 · 2020-08-10 11:32:20 +00:00 · a1481759c3
commit a1481759c3
parent aa6107e60d
5 changed files with 183 additions and 163 deletions
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@ -2388,17 +2388,11 @@ struct fs_image_segment {
 #define sys_memfd_create 279
 #endif

-static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
+static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
 {
-	// Strictly saying we ought to do a nonfailing copyout of segments into a local var.
-	// But some filesystems have large number of segments (2000+),
-	// we can't allocate that much on stack and allocating elsewhere is problematic,
-	// so we just use the memory allocated by fuzzer.
-	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
-
 	if (nsegs > IMAGE_MAX_SEGMENTS)
 		nsegs = IMAGE_MAX_SEGMENTS;
-	for (unsigned long i = 0; i < nsegs; i++) {
+	for (size_t i = 0; i < nsegs; i++) {
 		if (segs[i].size > IMAGE_MAX_SIZE)
 			segs[i].size = IMAGE_MAX_SIZE;
 		segs[i].offset %= IMAGE_MAX_SIZE;
@ -2411,15 +2405,17 @@ static unsigned long fs_image_segment_check(unsigned long size, unsigned long ns
 		size = IMAGE_MAX_SIZE;
 	return size;
 }
-#endif

-#if SYZ_EXECUTOR || __NR_syz_read_part_table
-// syz_read_part_table(size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]])
-static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
+// Setup the loop device needed for mounting a filesystem image. Takes care of
+// creating and initializing the underlying file backing the loop device and
+// returns the fds to the file and device.
+// Returns 0 on success, -1 otherwise.
+static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
 {
-	int err = 0, res = -1, loopfd = -1;
-	size = fs_image_segment_check(size, nsegs, segments);
-	int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
+	int err = 0, loopfd = -1;
+
+	size = fs_image_segment_check(size, nsegs, segs);
+	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
 	if (memfd == -1) {
 		err = errno;
 		goto error;
@ -2428,14 +2424,12 @@ static long syz_read_part_table(volatile unsigned long size, volatile unsigned l
 		err = errno;
 		goto error_close_memfd;
 	}
-	for (unsigned long i = 0; i < nsegs; i++) {
-		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
+	for (size_t i = 0; i < nsegs; i++) {
 		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
-			debug("syz_read_part_table: pwrite[%u] failed: %d\n", (int)i, errno);
+			debug("setup_loop_device: pwrite[%zu] failed: %d\n", i, errno);
 		}
 	}
-	char loopname[64];
-	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
+
 	loopfd = open(loopname, O_RDWR);
 	if (loopfd == -1) {
 		err = errno;
@ -2453,6 +2447,33 @@ static long syz_read_part_table(volatile unsigned long size, volatile unsigned l
 			goto error_close_loop;
 		}
 	}
+
+	*memfd_p = memfd;
+	*loopfd_p = loopfd;
+	return 0;
+
+error_close_loop:
+	close(loopfd);
+error_close_memfd:
+	close(memfd);
+error:
+	errno = err;
+	return -1;
+}
+#endif
+
+#if SYZ_EXECUTOR || __NR_syz_read_part_table
+// syz_read_part_table(size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]])
+static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
+{
+	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
+	int err = 0, res = -1, loopfd = -1, memfd = -1;
+	char loopname[64];
+
+	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
+	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
+		return -1;
+
 	struct loop_info64 info;
 	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
 		err = errno;
@ -2481,21 +2502,19 @@ static long syz_read_part_table(volatile unsigned long size, volatile unsigned l
 	}
 error_clear_loop:
 	ioctl(loopfd, LOOP_CLR_FD, 0);
-error_close_loop:
 	close(loopfd);
-error_close_memfd:
 	close(memfd);
-error:
 	errno = err;
 	return res;
 }
 #endif

 #if SYZ_EXECUTOR || __NR_syz_mount_image
+#include <stddef.h>
 #include <string.h>
 #include <sys/mount.h>

-// syz_mount_image(fs ptr[in, string[disk_filesystems]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[vfat_options]])
+// syz_mount_image(fs ptr[in, string[disk_filesystems]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[vfat_options]]) fd_dir
 // fs_image_segment {
 //	data	ptr[in, array[int8]]
 //	size	len[data, intptr]
@ -2503,50 +2522,32 @@ error:
 // }
 static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
 {
-	int err = 0, res = -1, loopfd = -1;
-	size = fs_image_segment_check(size, nsegs, segments);
-	int memfd = syscall(sys_memfd_create, "syz_mount_image", 0);
-	if (memfd == -1) {
-		err = errno;
-		goto error;
-	}
-	if (ftruncate(memfd, size)) {
-		err = errno;
-		goto error_close_memfd;
-	}
-	for (unsigned long i = 0; i < nsegs; i++) {
-		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
-		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
-			debug("syz_mount_image: pwrite[%u] failed: %d\n", (int)i, errno);
-		}
-	}
+	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
+	int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
+	char* mount_opts = (char*)optsarg;
+	char* target = (char*)dir;
+	char* fs = (char*)fsarg;
+	char* source = NULL;
 	char loopname[64];
-	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
-	loopfd = open(loopname, O_RDWR);
-	if (loopfd == -1) {
-		err = errno;
-		goto error_close_memfd;
+
+	if (need_loop_device) {
+		// Some filesystems (e.g. FUSE) do not need a backing device or
+		// filesystem image.
+		memset(loopname, 0, sizeof(loopname));
+		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
+		if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
+			return -1;
+		source = loopname;
 	}
-	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
-		if (errno != EBUSY) {
-			err = errno;
-			goto error_close_loop;
-		}
-		ioctl(loopfd, LOOP_CLR_FD, 0);
-		usleep(1000);
-		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
-			err = errno;
-			goto error_close_loop;
-		}
-	}
-	mkdir((char*)dir, 0777);
-	char fs[32];
-	memset(fs, 0, sizeof(fs));
-	strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
+
+	mkdir(target, 0777);
 	char opts[256];
 	memset(opts, 0, sizeof(opts));
 	// Leave some space for the additional options we append below.
-	strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
+	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
+		debug("ERROR: syz_mount_image parameter optsarg bigger than internal opts\n");
+	}
+	strncpy(opts, mount_opts, sizeof(opts) - 32);
 	if (strcmp(fs, "iso9660") == 0) {
 		flags |= MS_RDONLY;
 	} else if (strncmp(fs, "ext", 3) == 0) {
@ -2559,22 +2560,28 @@ static long syz_mount_image(volatile long fsarg, volatile long dir, volatile uns
 		// and if two parallel executors mounts fs with the same uuid, second mount fails.
 		strcat(opts, ",nouuid");
 	}
-	debug("syz_mount_image: size=%llu segs=%llu loop='%s' dir='%s' fs='%s' flags=%llu opts='%s'\n", (uint64)size, (uint64)nsegs, loopname, (char*)dir, fs, (uint64)flags, opts);
+	debug("syz_mount_image: size=%llu segs=%llu loop='%s' dir='%s' fs='%s' flags=%llu opts='%s'\n", (uint64)size, (uint64)nsegs, loopname, target, fs, (uint64)flags, opts);
 #if SYZ_EXECUTOR
 	cover_reset(0);
 #endif
-	if (mount(loopname, (char*)dir, fs, flags, opts)) {
+	res = mount(source, target, fs, flags, opts);
+	if (res == -1) {
+		debug("syz_mount_image > mount error: %d\n", errno);
 		err = errno;
 		goto error_clear_loop;
 	}
-	res = 0;
+	res = open(target, O_RDONLY | O_DIRECTORY);
+	if (res == -1) {
+		debug("syz_mount_image > open error: %d\n", errno);
+		err = errno;
+	}
+
 error_clear_loop:
-	ioctl(loopfd, LOOP_CLR_FD, 0);
-error_close_loop:
-	close(loopfd);
-error_close_memfd:
-	close(memfd);
-error:
+	if (need_loop_device) {
+		ioctl(loopfd, LOOP_CLR_FD, 0);
+		close(loopfd);
+		close(memfd);
+	}
 	errno = err;
 	return res;
 }
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@ -5769,13 +5769,11 @@ struct fs_image_segment {
 #define sys_memfd_create 279
 #endif

-static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments)
+static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, struct fs_image_segment* segs)
 {
-	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
-
 	if (nsegs > IMAGE_MAX_SEGMENTS)
 		nsegs = IMAGE_MAX_SEGMENTS;
-	for (unsigned long i = 0; i < nsegs; i++) {
+	for (size_t i = 0; i < nsegs; i++) {
 		if (segs[i].size > IMAGE_MAX_SIZE)
 			segs[i].size = IMAGE_MAX_SIZE;
 		segs[i].offset %= IMAGE_MAX_SIZE;
@ -5788,14 +5786,12 @@ static unsigned long fs_image_segment_check(unsigned long size, unsigned long ns
 		size = IMAGE_MAX_SIZE;
 	return size;
 }
-#endif
-
-#if SYZ_EXECUTOR || __NR_syz_read_part_table
-static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
+static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p)
 {
-	int err = 0, res = -1, loopfd = -1;
-	size = fs_image_segment_check(size, nsegs, segments);
-	int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0);
+	int err = 0, loopfd = -1;
+
+	size = fs_image_segment_check(size, nsegs, segs);
+	int memfd = syscall(sys_memfd_create, "syzkaller", 0);
 	if (memfd == -1) {
 		err = errno;
 		goto error;
@ -5804,14 +5800,12 @@ static long syz_read_part_table(volatile unsigned long size, volatile unsigned l
 		err = errno;
 		goto error_close_memfd;
 	}
-	for (unsigned long i = 0; i < nsegs; i++) {
-		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
+	for (size_t i = 0; i < nsegs; i++) {
 		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
-			debug("syz_read_part_table: pwrite[%u] failed: %d\n", (int)i, errno);
+			debug("setup_loop_device: pwrite[%zu] failed: %d\n", i, errno);
 		}
 	}
-	char loopname[64];
-	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
+
 	loopfd = open(loopname, O_RDWR);
 	if (loopfd == -1) {
 		err = errno;
@ -5829,6 +5823,32 @@ static long syz_read_part_table(volatile unsigned long size, volatile unsigned l
 			goto error_close_loop;
 		}
 	}
+
+	*memfd_p = memfd;
+	*loopfd_p = loopfd;
+	return 0;
+
+error_close_loop:
+	close(loopfd);
+error_close_memfd:
+	close(memfd);
+error:
+	errno = err;
+	return -1;
+}
+#endif
+
+#if SYZ_EXECUTOR || __NR_syz_read_part_table
+static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
+{
+	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
+	int err = 0, res = -1, loopfd = -1, memfd = -1;
+	char loopname[64];
+
+	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
+	if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
+		return -1;
+
 	struct loop_info64 info;
 	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
 		err = errno;
@ -5856,64 +5876,42 @@ static long syz_read_part_table(volatile unsigned long size, volatile unsigned l
 	}
 error_clear_loop:
 	ioctl(loopfd, LOOP_CLR_FD, 0);
-error_close_loop:
 	close(loopfd);
-error_close_memfd:
 	close(memfd);
-error:
 	errno = err;
 	return res;
 }
 #endif

 #if SYZ_EXECUTOR || __NR_syz_mount_image
+#include <stddef.h>
 #include <string.h>
 #include <sys/mount.h>
 static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
 {
-	int err = 0, res = -1, loopfd = -1;
-	size = fs_image_segment_check(size, nsegs, segments);
-	int memfd = syscall(sys_memfd_create, "syz_mount_image", 0);
-	if (memfd == -1) {
-		err = errno;
-		goto error;
-	}
-	if (ftruncate(memfd, size)) {
-		err = errno;
-		goto error_close_memfd;
-	}
-	for (unsigned long i = 0; i < nsegs; i++) {
-		struct fs_image_segment* segs = (struct fs_image_segment*)segments;
-		if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
-			debug("syz_mount_image: pwrite[%u] failed: %d\n", (int)i, errno);
-		}
-	}
+	struct fs_image_segment* segs = (struct fs_image_segment*)segments;
+	int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
+	char* mount_opts = (char*)optsarg;
+	char* target = (char*)dir;
+	char* fs = (char*)fsarg;
+	char* source = NULL;
 	char loopname[64];
-	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
-	loopfd = open(loopname, O_RDWR);
-	if (loopfd == -1) {
-		err = errno;
-		goto error_close_memfd;
+
+	if (need_loop_device) {
+		memset(loopname, 0, sizeof(loopname));
+		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
+		if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
+			return -1;
+		source = loopname;
 	}
-	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
-		if (errno != EBUSY) {
-			err = errno;
-			goto error_close_loop;
-		}
-		ioctl(loopfd, LOOP_CLR_FD, 0);
-		usleep(1000);
-		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
-			err = errno;
-			goto error_close_loop;
-		}
-	}
-	mkdir((char*)dir, 0777);
-	char fs[32];
-	memset(fs, 0, sizeof(fs));
-	strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
+
+	mkdir(target, 0777);
 	char opts[256];
 	memset(opts, 0, sizeof(opts));
-	strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
+	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
+		debug("ERROR: syz_mount_image parameter optsarg bigger than internal opts\n");
+	}
+	strncpy(opts, mount_opts, sizeof(opts) - 32);
 	if (strcmp(fs, "iso9660") == 0) {
 		flags |= MS_RDONLY;
 	} else if (strncmp(fs, "ext", 3) == 0) {
@ -5922,22 +5920,28 @@ static long syz_mount_image(volatile long fsarg, volatile long dir, volatile uns
 	} else if (strcmp(fs, "xfs") == 0) {
 		strcat(opts, ",nouuid");
 	}
-	debug("syz_mount_image: size=%llu segs=%llu loop='%s' dir='%s' fs='%s' flags=%llu opts='%s'\n", (uint64)size, (uint64)nsegs, loopname, (char*)dir, fs, (uint64)flags, opts);
+	debug("syz_mount_image: size=%llu segs=%llu loop='%s' dir='%s' fs='%s' flags=%llu opts='%s'\n", (uint64)size, (uint64)nsegs, loopname, target, fs, (uint64)flags, opts);
 #if SYZ_EXECUTOR
 	cover_reset(0);
 #endif
-	if (mount(loopname, (char*)dir, fs, flags, opts)) {
+	res = mount(source, target, fs, flags, opts);
+	if (res == -1) {
+		debug("syz_mount_image > mount error: %d\n", errno);
 		err = errno;
 		goto error_clear_loop;
 	}
-	res = 0;
+	res = open(target, O_RDONLY | O_DIRECTORY);
+	if (res == -1) {
+		debug("syz_mount_image > open error: %d\n", errno);
+		err = errno;
+	}
+
 error_clear_loop:
-	ioctl(loopfd, LOOP_CLR_FD, 0);
-error_close_loop:
-	close(loopfd);
-error_close_memfd:
-	close(memfd);
-error:
+	if (need_loop_device) {
+		ioctl(loopfd, LOOP_CLR_FD, 0);
+		close(loopfd);
+		close(memfd);
+	}
 	errno = err;
 	return res;
 }
--- a/sys/linux/filesystem.txt
+++ b/sys/linux/filesystem.txt
@ -64,31 +64,31 @@ syz_read_part_table(size intptr, nsegs len[segments], segments ptr[in, array[fs_

 define SYZ_MOUNT_IMAGE_TIMEOUT	50

-syz_mount_image$vfat(fs ptr[in, string["vfat"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[vfat_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$msdos(fs ptr[in, string["msdos"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[msdos_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$bfs(fs ptr[in, string["bfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts const[0]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$xfs(fs ptr[in, string["xfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[xfs_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$minix(fs ptr[in, string["minix"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts const[0]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$reiserfs(fs ptr[in, string["reiserfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[reiserfs_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$hfs(fs ptr[in, string["hfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[hfs_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$hfsplus(fs ptr[in, string["hfsplus"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[hfsplus_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$iso9660(fs ptr[in, string["iso9660"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[iso9660_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$gfs2(fs ptr[in, string["gfs2"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[gfs2_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$jfs(fs ptr[in, string["jfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[jfs_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$btrfs(fs ptr[in, string["btrfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[btrfs_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$ntfs(fs ptr[in, string["ntfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[ntfs_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$ext4(fs ptr[in, string[ext4_types]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[ext4_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$f2fs(fs ptr[in, string["f2fs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[f2fs_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$ocfs2(fs ptr[in, string["ocfs2"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, string]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$nfs(fs ptr[in, string["nfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, string]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$nfs4(fs ptr[in, string["nfs4"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, string]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$cifs(fs ptr[in, string["cifs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, string]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$ceph(fs ptr[in, string["ceph"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, string]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$erofs(fs ptr[in, string["erofs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[erofs_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$exfat(fs ptr[in, string["exfat"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[exfat_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
-syz_mount_image$afs(fs ptr[in, string["afs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[afs_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$vfat(fs ptr[in, string["vfat"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[vfat_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$msdos(fs ptr[in, string["msdos"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[msdos_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$bfs(fs ptr[in, string["bfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts const[0]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$xfs(fs ptr[in, string["xfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[xfs_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$minix(fs ptr[in, string["minix"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts const[0]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$reiserfs(fs ptr[in, string["reiserfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[reiserfs_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$hfs(fs ptr[in, string["hfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[hfs_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$hfsplus(fs ptr[in, string["hfsplus"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[hfsplus_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$iso9660(fs ptr[in, string["iso9660"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[iso9660_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$gfs2(fs ptr[in, string["gfs2"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[gfs2_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$jfs(fs ptr[in, string["jfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[jfs_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$btrfs(fs ptr[in, string["btrfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[btrfs_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$ntfs(fs ptr[in, string["ntfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[ntfs_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$ext4(fs ptr[in, string[ext4_types]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[ext4_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$f2fs(fs ptr[in, string["f2fs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[f2fs_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$ocfs2(fs ptr[in, string["ocfs2"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, string]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$nfs(fs ptr[in, string["nfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, string]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$nfs4(fs ptr[in, string["nfs4"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, string]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$cifs(fs ptr[in, string["cifs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, string]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$ceph(fs ptr[in, string["ceph"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, string]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$erofs(fs ptr[in, string["erofs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[erofs_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$exfat(fs ptr[in, string["exfat"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[exfat_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$afs(fs ptr[in, string["afs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[afs_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
 # Note: tmpfs does not need an image, but we use this in tests.
-syz_mount_image$tmpfs(fs ptr[in, string["tmpfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[tmpfs_options]]) (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])
+syz_mount_image$tmpfs(fs ptr[in, string["tmpfs"]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[tmpfs_options]]) fd_dir (timeout[SYZ_MOUNT_IMAGE_TIMEOUT])

 fs_image_segment {
 	data	ptr[in, array[int8]]
--- a/sys/linux/fs_fuse.txt
+++ b/sys/linux/fs_fuse.txt
@ -41,6 +41,7 @@ write$FUSE_NOTIFY_STORE(fd fd_fuse, arg ptr[in, fuse_notify[FUSE_NOTIFY_STORE, f
 write$FUSE_NOTIFY_RETRIEVE(fd fd_fuse, arg ptr[in, fuse_notify[FUSE_NOTIFY_RETRIEVE, fuse_notify_retrieve_out]], len bytesize[arg])
 write$FUSE_NOTIFY_DELETE(fd fd_fuse, arg ptr[in, fuse_notify[FUSE_NOTIFY_DELETE, fuse_notify_delete_out]], len bytesize[arg])

+syz_mount_image$fuse(fs ptr[in, string["fuse"]], dir ptr[in, filename], size const[0], nsegs const[0], segments const[0], flags flags[mount_flags], opts ptr[in, fuse_options]) fd_dir
 syz_fuse_handle_req(fd fd_fuse, buf ptr[in, read_buffer], len bytesize[buf], res ptr[in, syz_fuse_req_out])

 type fuse_ino int64[0:6]
--- a/sys/linux/test/syz_mount_image_fuse
+++ b/sys/linux/test/syz_mount_image_fuse
@ -0,0 +1,8 @@
+r0 = openat$fuse(0xffffffffffffff9c, &AUTO='/dev/fuse\x00', 0x2, 0x0)
+r1 = getuid()
+r2 = getgid()
+r3 = syz_mount_image$fuse(&AUTO='fuse\x00', &AUTO='./file0\x00', 0x0, 0x0, 0x0, 0x0, &AUTO={{'fd', 0x3d, r0}, 0x2c, {'rootmode', 0x3d, 0x4000}, 0x2c, {'user_id', 0x3d, r1}, 0x2c, {'group_id', 0x3d, r2}, 0x2c, {[], [], 0x0}})
+# FUSE_INIT
+syz_fuse_handle_req(r0, &AUTO=""/8192, AUTO, &AUTO={&AUTO={AUTO, 0x0, 0x0, {AUTO, AUTO, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, AUTO, AUTO, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
+# FUSE_OPENDIR
+syz_fuse_handle_req(r0, &AUTO=""/8192, AUTO, &AUTO={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &AUTO={AUTO, 0x0, 0x0, {0x0, 0x0, 0x0}}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})