Re: [RFC 0/2] fuse/passthrough: simplify daemon crash recovery

[Chunsheng Luo]

On 1/15/26 11:43 PM, Amir Goldstein wrote:
> On Thu, Jan 15, 2026 at 03:20:29PM +0800, Chunsheng Luo wrote:
> > To simplify FUSE daemon crash recovery and reduce performance overhead,
> > passthrough backing_id information is not persisted. However, this
> > approach introduces two challenges after daemon restart:
> >
> > 1. Non-persistent backing_ids prevent proper resource cleanup, leading
> >     to resource leaks.
> > 2. New backing_ids allocated for the same FUSE file cause -EIO errors
> >     due to strict fuse_backing validation in
> >     fuse_inode_uncached_io_start(), even when accessing the same
> >     backing file. This persists until all previously opened files are
> >     closed.
> >
> > There are common scenarios where reusing the cached fuse_inode->fb is
> > safe:
> >
> > Scenario 1: The same backing file (with identical inode) is
> >              re-registered after recovery.
> > Scenario 2: In a read-only FUSE filesystem, the backing file may be
> >              cleaned up and re-downloaded (resulting in a different
> >              inode, but identical content).
>
> That is just not acceptable by design, regardless of server restart.
>
> fuse passthrough may be configured per individual file open, but
> all fd referring to the same fuse inode need to passthrough to the
> same backing inode.
>
> If your server want to serve different fd of same fuse inode from
> different backing files (no matter if they claim to have the same content),
> server needs to do that with FOPEN_DIRECT_IO, it cannot do that with
> FOPEN_PASSTHROUGH.
>
> Thanks,
> Amir.

That's correct. A reference count for the backing files is certainly 
maintained before crash to prevent them from being garbage collected and 
to avoid different opens of the same fuse_inode from using different 
backing files. However, this count does not survive the crash recovery 
process. Consequently, the disk's garbage collection mechanism could 
subsequently delete these files.

In this situation, we should consider how to prevent these files from 
being mistakenly garbage collected after a crash recovery.

Thanks.
Chunsheng Luo

> > Proposed Solution:
> >
> > 1. Enhance fuse_dev_ioctl_backing_close() to support closing all
> >     backing_ids at once, enabling comprehensive resource cleanup after
> >     restart.
> >
> > 2. Introduce the FOPEN_PASSTHROUGH_INODE_CACHE flag. When set during
> >     fuse_open(), the kernel prioritizes reusing the existing
> >     fuse_backing cached in fuse_inode, falling back to the
> >     backing_id-associated fb only if the cache is empty.
> >
> > I'd appreciate any feedback on whether there are better approaches or
> > potential improvements to this solution.
> >
> > Thanks.
> > ---
> > Chunsheng Luo (2):
> >    fuse: add close all in passthrough backing close for crash recovery
> >    fuse: Add new flag to reuse the backing file of fuse_inode
> >
> >   fs/fuse/backing.c         | 14 ++++++++++++++
> >   fs/fuse/dev.c             |  5 +++++
> >   fs/fuse/fuse_i.h          |  1 +
> >   fs/fuse/iomode.c          |  2 +-
> >   fs/fuse/passthrough.c     | 11 +++++++++++
> >   include/uapi/linux/fuse.h |  2 ++
> >   6 files changed, 34 insertions(+), 1 deletion(-)
> >
> > --
> > 2.43.0