libfuse_fs/passthrough/

mod.rs

use config::{CachePolicy, Config};
use file_handle::{FileHandle, OpenableFileHandle};

use futures::executor::block_on;
use inode_store::{InodeId, InodeStore};
use libc::{self, statx_timestamp};

use moka::future::Cache;
use rfuse3::{Errno, raw::reply::ReplyEntry};
use uuid::Uuid;

use crate::passthrough::mmap::{MmapCachedValue, MmapChunkKey};
use crate::util::convert_stat64_to_file_attr;
use mount_fd::MountFds;
use statx::StatExt;
use std::cmp;
use std::io::Result;
use std::ops::DerefMut;
use std::os::unix::ffi::OsStrExt;
use std::path::Path;
use tracing::error;
use tracing::{debug, warn};

use std::sync::atomic::{AtomicBool, AtomicU32};
use std::{
    collections::{BTreeMap, btree_map},
    ffi::{CStr, CString, OsString},
    fs::File,
    io::{self, Error},
    marker::PhantomData,
    os::{
        fd::{AsFd, AsRawFd, BorrowedFd, RawFd},
        unix::ffi::OsStringExt,
    },
    path::PathBuf,
    sync::Arc,
    sync::atomic::{AtomicU64, Ordering},
    time::Duration,
};
use util::{
    UniqueInodeGenerator, ebadf, is_dir, openat, reopen_fd_through_proc, stat_fd,
    validate_path_component,
};

use vm_memory::bitmap::BitmapSlice;

use nix::sys::resource::{Resource, getrlimit};

mod async_io;
mod config;
mod file_handle;
mod inode_store;
mod mmap;
mod mount_fd;
pub mod newlogfs;
mod os_compat;
mod statx;
mod util;

/// Current directory
pub const CURRENT_DIR_CSTR: &[u8] = b".\0";
/// Parent directory
pub const PARENT_DIR_CSTR: &[u8] = b"..\0";
pub const VFS_MAX_INO: u64 = 0xff_ffff_ffff_ffff;
const MOUNT_INFO_FILE: &str = "/proc/self/mountinfo";
pub const EMPTY_CSTR: &[u8] = b"\0";
pub const PROC_SELF_FD_CSTR: &[u8] = b"/proc/self/fd\0";
pub const ROOT_ID: u64 = 1;
use tokio::sync::{Mutex, MutexGuard, RwLock};

#[derive(Debug, Clone)]
pub struct PassthroughArgs<P, M>
where
    P: AsRef<Path>,
    M: AsRef<str>,
{
    pub root_dir: P,
    pub mapping: Option<M>,
}

pub async fn new_passthroughfs_layer<P: AsRef<Path>, M: AsRef<str>>(
    args: PassthroughArgs<P, M>,
) -> Result<PassthroughFs> {
    let mut config = Config {
        root_dir: args.root_dir.as_ref().to_path_buf(),
        // enable xattr
        xattr: true,
        do_import: true,
        ..Default::default()
    };
    if let Some(mapping) = args.mapping {
        config.mapping = mapping
            .as_ref()
            .parse()
            .map_err(|e| std::io::Error::new(std::io::ErrorKind::InvalidInput, e))?;
    }

    let fs = PassthroughFs::<()>::new(config)?;

    fs.import().await?;
    Ok(fs)
}

type Inode = u64;
type Handle = u64;

/// Maximum host inode number supported by passthroughfs
const MAX_HOST_INO: u64 = 0x7fff_ffff_ffff;

/**
 * Represents the file associated with an inode (`InodeData`).
 *
 * When obtaining such a file, it may either be a new file (the `Owned` variant), in which case the
 * object's lifetime is static, or it may reference `InodeData.file` (the `Ref` variant), in which
 * case the object's lifetime is that of the respective `InodeData` object.
 */
#[derive(Debug)]
enum InodeFile<'a> {
    Owned(File),
    Ref(&'a File),
}

impl AsRawFd for InodeFile<'_> {
    /// Return a file descriptor for this file
    /// Note: This fd is only valid as long as the `InodeFile` exists.
    fn as_raw_fd(&self) -> RawFd {
        match self {
            Self::Owned(file) => file.as_raw_fd(),
            Self::Ref(file_ref) => file_ref.as_raw_fd(),
        }
    }
}

impl AsFd for InodeFile<'_> {
    fn as_fd(&self) -> BorrowedFd<'_> {
        match self {
            Self::Owned(file) => file.as_fd(),
            Self::Ref(file_ref) => file_ref.as_fd(),
        }
    }
}

#[derive(Debug)]
#[allow(dead_code)]
enum InodeHandle {
    // TODO: Remove this variant once we have a way to handle files that are not
    File(File),
    Handle(Arc<OpenableFileHandle>),
}

impl InodeHandle {
    fn file_handle(&self) -> Option<&FileHandle> {
        match self {
            InodeHandle::File(_) => None,
            InodeHandle::Handle(h) => Some(h.file_handle()),
        }
    }

    fn get_file(&self) -> Result<InodeFile<'_>> {
        match self {
            InodeHandle::File(f) => Ok(InodeFile::Ref(f)),
            InodeHandle::Handle(h) => {
                let f = h.open(libc::O_PATH)?;
                Ok(InodeFile::Owned(f))
            }
        }
    }

    fn open_file(&self, flags: libc::c_int, proc_self_fd: &File) -> Result<File> {
        match self {
            InodeHandle::File(f) => reopen_fd_through_proc(f, flags, proc_self_fd),
            InodeHandle::Handle(h) => h.open(flags),
        }
    }

    fn stat(&self) -> Result<libc::stat64> {
        match self {
            InodeHandle::File(f) => stat_fd(f, None),
            InodeHandle::Handle(_h) => {
                let file = self.get_file()?;
                stat_fd(&file, None)
            }
        }
    }
}

/// Represents an inode in `PassthroughFs`.
#[derive(Debug)]
pub struct InodeData {
    inode: Inode,
    // Most of these aren't actually files but ¯\_(ツ)_/¯.
    handle: InodeHandle,
    id: InodeId,
    refcount: AtomicU64,
    // File type and mode
    mode: u32,
    btime: statx_timestamp,
}

impl InodeData {
    fn new(
        inode: Inode,
        f: InodeHandle,
        refcount: u64,
        id: InodeId,
        mode: u32,
        btime: statx_timestamp,
    ) -> Self {
        InodeData {
            inode,
            handle: f,
            id,
            refcount: AtomicU64::new(refcount),
            mode,
            btime,
        }
    }

    fn get_file(&self) -> Result<InodeFile<'_>> {
        self.handle.get_file()
    }

    fn open_file(&self, flags: libc::c_int, proc_self_fd: &File) -> Result<File> {
        self.handle.open_file(flags, proc_self_fd)
    }
}

/// Data structures to manage accessed inodes.
struct InodeMap {
    pub inodes: RwLock<InodeStore>,
}

impl InodeMap {
    fn new() -> Self {
        InodeMap {
            inodes: RwLock::new(Default::default()),
        }
    }

    async fn clear(&self) {
        // Do not expect poisoned lock here, so safe to unwrap().
        self.inodes.write().await.clear();
    }

    async fn get(&self, inode: Inode) -> Result<Arc<InodeData>> {
        // Do not expect poisoned lock here, so safe to unwrap().
        self.inodes
            .read()
            .await
            .get(&inode)
            .cloned()
            .ok_or_else(ebadf)
    }

    fn get_inode_locked(inodes: &InodeStore, handle: &Arc<FileHandle>) -> Option<Inode> {
        inodes.inode_by_handle(handle).copied()
    }

    async fn get_alt(&self, id: &InodeId, handle: &Arc<FileHandle>) -> Option<Arc<InodeData>> {
        // Do not expect poisoned lock here, so safe to unwrap().
        let inodes = self.inodes.read().await;

        Self::get_alt_locked(&inodes, id, handle)
    }

    fn get_alt_locked(
        inodes: &InodeStore,
        id: &InodeId,
        handle: &Arc<FileHandle>,
    ) -> Option<Arc<InodeData>> {
        inodes
            .get_by_handle(handle)
            .or_else(|| {
                inodes.get_by_id(id).filter(|data| {
                    // When we have to fall back to looking up an inode by its IDs, ensure that
                    // we hit an entry that does not have a file handle.  Entries with file
                    // handles must also have a handle alt key, so if we have not found it by
                    // that handle alt key, we must have found an entry with a mismatching
                    // handle; i.e. an entry for a different file, even though it has the same
                    // inode ID.
                    // (This can happen when we look up a new file that has reused the inode ID
                    // of some previously unlinked inode we still have in `.inodes`.)
                    data.handle.file_handle().is_none()
                })
            })
            .cloned()
    }

    async fn insert(&self, data: Arc<InodeData>) {
        let mut inodes = self.inodes.write().await;

        Self::insert_locked(&mut inodes, data)
    }

    fn insert_locked(inodes: &mut InodeStore, data: Arc<InodeData>) {
        inodes.insert(data);
    }
}

struct HandleData {
    inode: Inode,
    file: File,
    lock: Mutex<()>,
    open_flags: AtomicU32,
}

impl HandleData {
    fn new(inode: Inode, file: File, flags: u32) -> Self {
        HandleData {
            inode,
            file,
            lock: Mutex::new(()),
            open_flags: AtomicU32::new(flags),
        }
    }

    fn get_file(&self) -> &File {
        &self.file
    }

    async fn get_file_mut(&self) -> (MutexGuard<'_, ()>, &File) {
        (self.lock.lock().await, &self.file)
    }

    fn borrow_fd(&self) -> BorrowedFd<'_> {
        self.file.as_fd()
    }

    async fn get_flags(&self) -> u32 {
        self.open_flags.load(Ordering::Relaxed)
    }

    async fn set_flags(&self, flags: u32) {
        self.open_flags.store(flags, Ordering::Relaxed);
    }
}

struct HandleMap {
    handles: RwLock<BTreeMap<Handle, Arc<HandleData>>>,
}

impl HandleMap {
    fn new() -> Self {
        HandleMap {
            handles: RwLock::new(BTreeMap::new()),
        }
    }

    async fn clear(&self) {
        // Do not expect poisoned lock here, so safe to unwrap().
        self.handles.write().await.clear();
    }

    async fn insert(&self, handle: Handle, data: HandleData) {
        // Do not expect poisoned lock here, so safe to unwrap().
        self.handles.write().await.insert(handle, Arc::new(data));
    }

    async fn release(&self, handle: Handle, inode: Inode) -> Result<()> {
        // Do not expect poisoned lock here, so safe to unwrap().
        let mut handles = self.handles.write().await;

        if let btree_map::Entry::Occupied(e) = handles.entry(handle)
            && e.get().inode == inode
        {
            // We don't need to close the file here because that will happen automatically when
            // the last `Arc` is dropped.
            e.remove();

            return Ok(());
        }

        Err(ebadf())
    }

    async fn get(&self, handle: Handle, inode: Inode) -> Result<Arc<HandleData>> {
        // Do not expect poisoned lock here, so safe to unwrap().
        self.handles
            .read()
            .await
            .get(&handle)
            .filter(|hd| hd.inode == inode)
            .cloned()
            .ok_or_else(ebadf)
    }
}

#[derive(Debug, Hash, Eq, PartialEq)]
struct FileUniqueKey(u64, statx_timestamp);

/// A file system that simply "passes through" all requests it receives to the underlying file
/// system.
///
/// To keep the implementation simple it servers the contents of its root directory. Users
/// that wish to serve only a specific directory should set up the environment so that that
/// directory ends up as the root of the file system process. One way to accomplish this is via a
/// combination of mount namespaces and the pivot_root system call.
pub struct PassthroughFs<S: BitmapSlice + Send + Sync = ()> {
    // File descriptors for various points in the file system tree. These fds are always opened with
    // the `O_PATH` option so they cannot be used for reading or writing any data. See the
    // documentation of the `O_PATH` flag in `open(2)` for more details on what one can and cannot
    // do with an fd opened with this flag.
    inode_map: InodeMap,
    next_inode: AtomicU64,

    // File descriptors for open files and directories. Unlike the fds in `inodes`, these _can_ be
    // used for reading and writing data.
    handle_map: HandleMap,
    next_handle: AtomicU64,

    // Use to generate unique inode
    ino_allocator: UniqueInodeGenerator,
    // Maps mount IDs to an open FD on the respective ID for the purpose of open_by_handle_at().
    mount_fds: MountFds,

    // File descriptor pointing to the `/proc/self/fd` directory. This is used to convert an fd from
    // `inodes` into one that can go into `handles`. This is accomplished by reading the
    // `/proc/self/fd/{}` symlink. We keep an open fd here in case the file system tree that we are meant
    // to be serving doesn't have access to `/proc/self/fd`.
    proc_self_fd: File,

    // Whether writeback caching is enabled for this directory. This will only be true when
    // `cfg.writeback` is true and `init` was called with `FsOptions::WRITEBACK_CACHE`.
    writeback: AtomicBool,

    // Whether no_open is enabled.
    no_open: AtomicBool,

    // Whether no_opendir is enabled.
    no_opendir: AtomicBool,

    // Whether kill_priv_v2 is enabled.
    //killpriv_v2: AtomicBool,

    // Whether no_readdir is enabled.
    no_readdir: AtomicBool,

    // Whether seal_size is enabled.
    seal_size: AtomicBool,

    // Whether per-file DAX feature is enabled.
    // Init from guest kernel Init cmd of fuse fs.
    //perfile_dax: AtomicBool,
    dir_entry_timeout: Duration,
    dir_attr_timeout: Duration,

    cfg: Config,

    _uuid: Uuid,

    phantom: PhantomData<S>,

    handle_cache: Cache<FileUniqueKey, Arc<FileHandle>>,

    mmap_chunks: Cache<MmapChunkKey, Arc<RwLock<mmap::MmapCachedValue>>>,
}

impl<S: BitmapSlice + Send + Sync> PassthroughFs<S> {
    /// Create a Passthrough file system instance.
    pub fn new(mut cfg: Config) -> Result<PassthroughFs<S>> {
        if cfg.no_open && cfg.cache_policy != CachePolicy::Always {
            warn!("passthroughfs: no_open only work with cache=always, reset to open mode");
            cfg.no_open = false;
        }
        if cfg.writeback && cfg.cache_policy == CachePolicy::Never {
            warn!(
                "passthroughfs: writeback cache conflicts with cache=none, reset to no_writeback"
            );
            cfg.writeback = false;
        }

        // Safe because this is a constant value and a valid C string.
        let proc_self_fd_cstr = unsafe { CStr::from_bytes_with_nul_unchecked(PROC_SELF_FD_CSTR) };
        let proc_self_fd = Self::open_file(
            &libc::AT_FDCWD,
            proc_self_fd_cstr,
            libc::O_PATH | libc::O_NOFOLLOW | libc::O_CLOEXEC,
            0,
        )?;

        let (dir_entry_timeout, dir_attr_timeout) =
            match (cfg.dir_entry_timeout, cfg.dir_attr_timeout) {
                (Some(e), Some(a)) => (e, a),
                (Some(e), None) => (e, cfg.attr_timeout),
                (None, Some(a)) => (cfg.entry_timeout, a),
                (None, None) => (cfg.entry_timeout, cfg.attr_timeout),
            };

        let mount_fds = MountFds::new(None)?;

        let fd_limit = match getrlimit(Resource::RLIMIT_NOFILE) {
            Ok((soft, _)) => soft,
            Err(_) => 65536,
        };

        let max_mmap_size = if cfg.use_mmap { cfg.max_mmap_size } else { 0 };

        let mmap_cache_builder = Cache::builder()
            .max_capacity(max_mmap_size)
            .weigher(
                |_key: &MmapChunkKey, value: &Arc<RwLock<mmap::MmapCachedValue>>| -> u32 {
                    let guard = block_on(value.read());
                    match &*guard {
                        MmapCachedValue::Mmap(mmap) => mmap.len() as u32,
                        MmapCachedValue::MmapMut(mmap_mut) => mmap_mut.len() as u32,
                    }
                },
            )
            .time_to_idle(Duration::from_millis(60));

        Ok(PassthroughFs {
            inode_map: InodeMap::new(),
            next_inode: AtomicU64::new(ROOT_ID + 1),
            ino_allocator: UniqueInodeGenerator::new(),

            handle_map: HandleMap::new(),
            next_handle: AtomicU64::new(1),

            mount_fds,
            proc_self_fd,

            writeback: AtomicBool::new(false),
            no_open: AtomicBool::new(false),
            no_opendir: AtomicBool::new(false),
            //killpriv_v2: AtomicBool::new(false),
            no_readdir: AtomicBool::new(cfg.no_readdir),
            seal_size: AtomicBool::new(cfg.seal_size),
            //perfile_dax: AtomicBool::new(false),
            dir_entry_timeout,
            dir_attr_timeout,
            cfg,

            _uuid: Uuid::new_v4(),

            phantom: PhantomData,

            handle_cache: moka::future::Cache::new(fd_limit),

            mmap_chunks: mmap_cache_builder.build(),
        })
    }

    /// Initialize the Passthrough file system.
    pub async fn import(&self) -> Result<()> {
        let root =
            CString::new(self.cfg.root_dir.as_os_str().as_bytes()).expect("Invalid root_dir");

        let (h, st) = Self::open_file_and_handle(self, &libc::AT_FDCWD, &root)
            .await
            .map_err(|e| {
                error!("fuse: import: failed to get file or handle: {e:?}");
                e
            })?;
        let id = InodeId::from_stat(&st);
        let handle = InodeHandle::Handle(self.to_openable_handle(h)?);

        // Safe because this doesn't modify any memory and there is no need to check the return
        // value because this system call always succeeds. We need to clear the umask here because
        // we want the client to be able to set all the bits in the mode.
        unsafe { libc::umask(0o000) };

        // Not sure why the root inode gets a refcount of 2 but that's what libfuse does.
        self.inode_map
            .insert(Arc::new(InodeData::new(
                ROOT_ID,
                handle,
                2,
                id,
                st.st.st_mode,
                st.btime
                    .ok_or_else(|| io::Error::other("birth time not available"))?,
            )))
            .await;

        Ok(())
    }

    /// Get the list of file descriptors which should be reserved across live upgrade.
    pub fn keep_fds(&self) -> Vec<RawFd> {
        vec![self.proc_self_fd.as_raw_fd()]
    }

    fn readlinkat(dfd: i32, pathname: &CStr) -> Result<PathBuf> {
        let mut buf = Vec::with_capacity(libc::PATH_MAX as usize);

        // Safe because the kernel will only write data to buf and we check the return value
        let buf_read = unsafe {
            libc::readlinkat(
                dfd,
                pathname.as_ptr(),
                buf.as_mut_ptr() as *mut libc::c_char,
                buf.capacity(),
            )
        };
        if buf_read < 0 {
            error!("fuse: readlinkat error");
            return Err(Error::last_os_error());
        }

        // Safe because we trust the value returned by kernel.
        unsafe { buf.set_len(buf_read as usize) };
        buf.shrink_to_fit();

        // Be careful:
        // - readlink() does not append a terminating null byte to buf
        // - OsString instances are not NUL terminated
        Ok(PathBuf::from(OsString::from_vec(buf)))
    }

    /// Get the file pathname corresponding to the Inode
    /// This function is used by Nydus blobfs
    pub async fn readlinkat_proc_file(&self, inode: Inode) -> Result<PathBuf> {
        let data = self.inode_map.get(inode).await?;
        let file = data.get_file()?;
        let pathname = CString::new(format!("{}", file.as_raw_fd()))
            .map_err(|e| Error::new(io::ErrorKind::InvalidData, e))?;

        Self::readlinkat(self.proc_self_fd.as_raw_fd(), &pathname)
    }

    fn create_file_excl(
        dir: &impl AsRawFd,
        pathname: &CStr,
        flags: i32,
        mode: u32,
    ) -> io::Result<Option<File>> {
        match openat(dir, pathname, flags | libc::O_CREAT | libc::O_EXCL, mode) {
            Ok(file) => Ok(Some(file)),
            Err(err) => {
                // Ignore the error if the file exists and O_EXCL is not present in `flags`.
                if err.kind() == io::ErrorKind::AlreadyExists {
                    if (flags & libc::O_EXCL) != 0 {
                        return Err(err);
                    }
                    return Ok(None);
                }
                Err(err)
            }
        }
    }

    fn open_file(dfd: &impl AsRawFd, pathname: &CStr, flags: i32, mode: u32) -> io::Result<File> {
        openat(dfd, pathname, flags, mode)
    }

    fn open_file_restricted(
        &self,
        dir: &impl AsRawFd,
        pathname: &CStr,
        flags: i32,
        mode: u32,
    ) -> io::Result<File> {
        let flags = libc::O_NOFOLLOW | libc::O_CLOEXEC | flags;

        // TODO
        //if self.os_facts.has_openat2 {
        //    oslib::do_open_relative_to(dir, pathname, flags, mode)
        //} else {
        openat(dir, pathname, flags, mode)
        //}
    }

    /// Create a File or File Handle for `name` under directory `dir_fd` to support `lookup()`.
    async fn open_file_and_handle(
        &self,
        dir: &impl AsRawFd,
        name: &CStr,
    ) -> io::Result<(Arc<FileHandle>, StatExt)> {
        let path_file = self.open_file_restricted(dir, name, libc::O_PATH, 0)?;
        let st = statx::statx(&path_file, None)?;

        let btime_is_valid = match st.btime {
            Some(ts) => ts.tv_sec != 0 || ts.tv_nsec != 0,
            None => false,
        };

        if btime_is_valid {
            let key = FileUniqueKey(st.st.st_ino, st.btime.unwrap());
            let cache = self.handle_cache.clone();
            if let Some(h) = cache.get(&key).await {
                Ok((h, st))
            } else if let Some(handle_from_fd) = FileHandle::from_fd(&path_file)? {
                let handle_arc = Arc::new(handle_from_fd);
                cache.insert(key, Arc::clone(&handle_arc)).await;
                Ok((handle_arc, st))
            } else {
                Err(Error::new(
                    io::ErrorKind::NotFound,
                    "Failed to create file handle",
                ))
            }
        } else {
            let handle = {
                if let Some(handle_from_fd) = FileHandle::from_fd(&path_file)? {
                    handle_from_fd
                } else {
                    return Err(Error::new(io::ErrorKind::NotFound, "File not found"));
                }
            };
            let handle_arc = Arc::new(handle);
            Ok((handle_arc, st))
        }
    }

    fn to_openable_handle(&self, fh: Arc<FileHandle>) -> io::Result<Arc<OpenableFileHandle>> {
        (*Arc::as_ref(&fh))
            .clone()
            .into_openable(&self.mount_fds, |fd, flags, _mode| {
                reopen_fd_through_proc(&fd, flags, &self.proc_self_fd)
            })
            .map(Arc::new)
            .map_err(|e| {
                if !e.silent() {
                    error!("{e}");
                }
                e.into_inner()
            })
    }

    async fn allocate_inode(
        &self,
        inodes: &InodeStore,
        id: &InodeId,
        handle: &Arc<FileHandle>,
    ) -> io::Result<Inode> {
        if !self.cfg.use_host_ino {
            // If the inode has already been assigned before, the new inode is not reassigned,
            // ensuring that the same file is always the same inode
            match InodeMap::get_inode_locked(inodes, handle) {
                Some(a) => Ok(a),
                None => Ok(self.next_inode.fetch_add(1, Ordering::Relaxed)),
            }
        } else {
            let inode = if id.ino > MAX_HOST_INO {
                // Prefer looking for previous mappings from memory
                match InodeMap::get_inode_locked(inodes, handle) {
                    Some(ino) => ino,
                    None => self.ino_allocator.get_unique_inode(id)?,
                }
            } else {
                self.ino_allocator.get_unique_inode(id)?
            };
            // trace!("fuse: allocate inode: {} for id: {:?}", inode, id);
            Ok(inode)
        }
    }

    async fn do_lookup(
        &self,
        parent: Inode,
        name: &CStr,
    ) -> std::result::Result<ReplyEntry, Errno> {
        let name = if parent == ROOT_ID && name.to_bytes_with_nul().starts_with(PARENT_DIR_CSTR) {
            // Safe as this is a constant value and a valid C string.
            CStr::from_bytes_with_nul(CURRENT_DIR_CSTR).unwrap()
        } else {
            name
        };

        let dir = self.inode_map.get(parent).await?;
        let dir_file = dir.get_file()?;
        let (handle_arc, st) = self.open_file_and_handle(&dir_file, name).await?;
        let id = InodeId::from_stat(&st);
        debug!(
            "do_lookup: parent: {}, name: {}, handle_arc: {:?}, id: {:?}",
            parent,
            name.to_string_lossy(),
            handle_arc,
            id
        );

        let mut found = None;
        'search: loop {
            match self.inode_map.get_alt(&id, &handle_arc).await {
                // No existing entry found
                None => break 'search,
                Some(data) => {
                    let curr = data.refcount.load(Ordering::Acquire);
                    // forgot_one() has just destroyed the entry, retry...
                    if curr == 0 {
                        continue 'search;
                    }

                    // Saturating add to avoid integer overflow, it's not realistic to saturate u64.
                    let new = curr.saturating_add(1);

                    // Synchronizes with the forgot_one()
                    if data
                        .refcount
                        .compare_exchange(curr, new, Ordering::AcqRel, Ordering::Acquire)
                        .is_ok()
                    {
                        found = Some(data.inode);
                        break;
                    }
                }
            }
        }

        let inode = if let Some(v) = found {
            v
        } else {
            // Clone handle_arc before moving it
            let handle_arc_clone = Arc::clone(&handle_arc);
            let handle_clone =
                InodeHandle::Handle(self.to_openable_handle(Arc::clone(&handle_arc))?);

            // Write guard get_alt_locked() and insert_lock() to avoid race conditions.
            let mut inodes = self.inode_map.inodes.write().await;

            // Lookup inode_map again after acquiring the inode_map lock, as there might be another
            // racing thread already added an inode with the same id while we're not holding
            // the lock. If so just use the newly added inode, otherwise the inode will be replaced
            // and results in EBADF.
            // trace!("FS {} looking up inode for id: {:?} with handle: {:?}", self.uuid, id, handle);
            match InodeMap::get_alt_locked(&inodes, &id, &handle_arc_clone) {
                Some(data) => {
                    // An inode was added concurrently while we did not hold a lock on
                    // `self.inodes_map`, so we use that instead. `handle` will be dropped.
                    // trace!("FS {} found existing inode: {}", self.uuid, data.inode);
                    data.refcount.fetch_add(1, Ordering::Relaxed);
                    data.inode
                }
                None => {
                    let inode = self.allocate_inode(&inodes, &id, &handle_arc).await?;
                    // trace!("FS {} allocated new inode: {} for id: {:?}", self.uuid, inode, id);

                    if inode > VFS_MAX_INO {
                        error!("fuse: max inode number reached: {VFS_MAX_INO}");
                        return Err(io::Error::other(format!(
                            "max inode number reached: {VFS_MAX_INO}"
                        ))
                        .into());
                    }

                    InodeMap::insert_locked(
                        inodes.deref_mut(),
                        Arc::new(InodeData::new(
                            inode,
                            handle_clone,
                            1,
                            id,
                            st.st.st_mode,
                            st.btime
                                .ok_or_else(|| io::Error::other("birth time not available"))?,
                        )),
                    );

                    inode
                }
            }
        };

        let (entry_timeout, _) = if is_dir(st.st.st_mode) {
            (self.dir_entry_timeout, self.dir_attr_timeout)
        } else {
            (self.cfg.entry_timeout, self.cfg.attr_timeout)
        };

        // // Whether to enable file DAX according to the value of dax_file_size
        // let mut attr_flags: u32 = 0;
        // if let Some(dax_file_size) = self.cfg.dax_file_size {
        //     // st.stat.st_size is i64
        //     if self.perfile_dax.load().await
        //         && st.st.st_size >= 0x0
        //         && st.st.st_size as u64 >= dax_file_size
        //     {
        //         attr_flags |= FUSE_ATTR_DAX;
        //     }
        // }
        let mut attr_temp = convert_stat64_to_file_attr(st.st);
        attr_temp.ino = inode;
        attr_temp.uid = self.cfg.mapping.find_mapping(attr_temp.uid, true, true);
        attr_temp.gid = self.cfg.mapping.find_mapping(attr_temp.gid, true, false);
        Ok(ReplyEntry {
            ttl: entry_timeout,
            attr: attr_temp,
            generation: 0,
        })
    }

    async fn forget_one(&self, inodes: &mut InodeStore, inode: Inode, count: u64) {
        // ROOT_ID should not be forgotten, or we're not able to access to files any more.
        if inode == ROOT_ID {
            return;
        }

        if let Some(data) = inodes.get(&inode) {
            // Acquiring the write lock on the inode map prevents new lookups from incrementing the
            // refcount but there is the possibility that a previous lookup already acquired a
            // reference to the inode data and is in the process of updating the refcount so we need
            // to loop here until we can decrement successfully.
            loop {
                let curr = data.refcount.load(Ordering::Acquire);

                // Saturating sub because it doesn't make sense for a refcount to go below zero and
                // we don't want misbehaving clients to cause integer overflow.
                let new = curr.saturating_sub(count);

                // Synchronizes with the acquire load in `do_lookup`.
                if data
                    .refcount
                    .compare_exchange(curr, new, Ordering::AcqRel, Ordering::Acquire)
                    .is_ok()
                {
                    if new == 0 {
                        if data.handle.file_handle().is_some()
                            && (data.btime.tv_sec != 0 || data.btime.tv_nsec != 0)
                        {
                            let key = FileUniqueKey(data.id.ino, data.btime);
                            let cache = self.handle_cache.clone();
                            cache.invalidate(&key).await;
                        }
                        // We just removed the last refcount for this inode.
                        // The allocated inode number should be kept in the map when use_host_ino
                        // is false or host inode(don't use the virtual 56bit inode) is bigger than MAX_HOST_INO.
                        let keep_mapping = !self.cfg.use_host_ino || data.id.ino > MAX_HOST_INO;
                        inodes.remove(&inode, keep_mapping);
                    }
                    break;
                }
            }
        }
    }

    async fn do_release(&self, inode: Inode, handle: Handle) -> io::Result<()> {
        self.handle_map.release(handle, inode).await
    }

    // Validate a path component, same as the one in vfs layer, but only do the validation if this
    // passthroughfs is used without vfs layer, to avoid double validation.
    fn validate_path_component(&self, name: &CStr) -> io::Result<()> {
        // !self.cfg.do_import means we're under vfs, and vfs has already done the validation
        if !self.cfg.do_import {
            return Ok(());
        }
        validate_path_component(name)
    }

    //TODO: When seal_size is set, we don't allow operations that could change file size nor allocate
    // space beyond EOF
    // fn seal_size_check(
    //     &self,
    //     opcode: Opcode,
    //     file_size: u64,
    //     offset: u64,
    //     size: u64,
    //     mode: i32,
    // ) -> io::Result<()> {
    //     if offset.checked_add(size).is_none() {
    //         error!(
    //             "fuse: {:?}: invalid `offset` + `size` ({}+{}) overflows u64::MAX",
    //             opcode, offset, size
    //         );
    //         return Err(einval());
    //     }

    //     match opcode {
    //         // write should not exceed the file size.
    //         Opcode::Write => {
    //             if size + offset > file_size {
    //                 return Err(eperm());
    //             }
    //         }

    //         Opcode::Fallocate => {
    //             let op = mode & !(libc::FALLOC_FL_KEEP_SIZE | libc::FALLOC_FL_UNSHARE_RANGE);
    //             match op {
    //                 // Allocate, punch and zero, must not change file size.
    //                 0 | libc::FALLOC_FL_PUNCH_HOLE | libc::FALLOC_FL_ZERO_RANGE => {
    //                     if size + offset > file_size {
    //                         return Err(eperm());
    //                     }
    //                 }
    //                 // collapse and insert will change file size, forbid.
    //                 libc::FALLOC_FL_COLLAPSE_RANGE | libc::FALLOC_FL_INSERT_RANGE => {
    //                     return Err(eperm());
    //                 }
    //                 // Invalid operation
    //                 _ => return Err(einval()),
    //             }
    //         }

    //         // setattr operation should be handled in setattr handler.
    //         _ => return Err(enosys()),
    //     }

    //     Ok(())
    // }

    async fn get_writeback_open_flags(&self, flags: i32) -> i32 {
        let mut new_flags = flags;
        let writeback = self.writeback.load(Ordering::Relaxed);

        // When writeback caching is enabled, the kernel may send read requests even if the
        // userspace program opened the file write-only. So we need to ensure that we have opened
        // the file for reading as well as writing.
        if writeback && flags & libc::O_ACCMODE == libc::O_WRONLY {
            new_flags &= !libc::O_ACCMODE;
            new_flags |= libc::O_RDWR;
        }

        // When writeback caching is enabled the kernel is responsible for handling `O_APPEND`.
        // However, this breaks atomicity as the file may have changed on disk, invalidating the
        // cached copy of the data in the kernel and the offset that the kernel thinks is the end of
        // the file. Just allow this for now as it is the user's responsibility to enable writeback
        // caching only for directories that are not shared. It also means that we need to clear the
        // `O_APPEND` flag.
        if writeback && flags & libc::O_APPEND != 0 {
            new_flags &= !libc::O_APPEND;
        }

        new_flags
    }

    async fn get_mmap(
        &self,
        inode: Inode,
        offset: u64,
        file: &File,
    ) -> Option<(Arc<RwLock<mmap::MmapCachedValue>>, u64)> {
        let file_size = file.metadata().unwrap().len();
        let key = MmapChunkKey::new(inode, offset, file_size);
        let aligned_offset = key.aligned_offset;

        if let Some(cached) = self.mmap_chunks.get(&key).await {
            let guard = cached.read().await;
            let cache_len = match &*guard {
                MmapCachedValue::Mmap(mmap) => mmap.len() as u64,
                MmapCachedValue::MmapMut(mmap_mut) => mmap_mut.len() as u64,
            };
            if offset < key.aligned_offset + cache_len {
                return Some((cached.clone(), key.aligned_offset));
            }
        }

        let mmap = match mmap::create_mmap(offset, file).await {
            Ok(v) => v,
            Err(e) => {
                error!("Failed to create mmap:{e}");
                return None;
            }
        };
        self.mmap_chunks.insert(key, mmap.clone()).await;
        Some((mmap, aligned_offset))
    }

    async fn read_from_mmap(
        &self,
        inode: Inode,
        offset: u64,
        size: u64,
        file: &File,
        buf: &mut [u8],
    ) -> Result<usize> {
        // check the buf size
        if buf.len() < size as usize {
            return Err(std::io::Error::new(
                std::io::ErrorKind::InvalidInput,
                format!("Buffer too small: {} < {}", buf.len(), size),
            ));
        }

        let file_size = file.metadata()?.len();

        // check the offset
        if offset >= file_size {
            return Ok(0); // offset exceeds file size, return 0 bytes read
        }

        // compute the maximum readable length
        let max_readable = file_size - offset;
        let actual_size = cmp::min(size, max_readable) as usize;

        let mut len = actual_size;
        let mut current_offset = offset;
        let mut buf_offset = 0;

        while len > 0 {
            let (chunk, chunk_start_offset) = match self.get_mmap(inode, current_offset, file).await
            {
                Some((chunk, aligned_offset)) => (chunk, aligned_offset),
                None => {
                    return Err(std::io::Error::other("Failed to get mmap chunk"));
                }
            };

            let chunk_guard = chunk.read().await;
            match &*chunk_guard {
                MmapCachedValue::Mmap(mmap) => {
                    let chunk_len = mmap.len();

                    // compute the start offset within the chunk using cached alignment
                    let copy_start = (current_offset - chunk_start_offset) as usize;

                    // ensure we don't read beyond the chunk boundary
                    let remaining_in_chunk = chunk_len - copy_start;
                    let copy_len = cmp::min(len, remaining_in_chunk);

                    // ensure we don't read beyond the buffer boundary
                    let copy_len = cmp::min(copy_len, buf.len() - buf_offset);

                    if copy_len == 0 {
                        break; // no more data to read
                    }

                    // execute data copy
                    buf[buf_offset..buf_offset + copy_len]
                        .copy_from_slice(&mmap[copy_start..copy_start + copy_len]);

                    buf_offset += copy_len;
                    len -= copy_len;
                    current_offset += copy_len as u64;
                }
                MmapCachedValue::MmapMut(mmap_mut) => {
                    let chunk_len = mmap_mut.len();

                    // compute the start offset within the chunk using cached alignment
                    let copy_start = (current_offset - chunk_start_offset) as usize;

                    // ensure we don't read beyond the chunk boundary
                    let remaining_in_chunk = chunk_len - copy_start;
                    let copy_len = cmp::min(len, remaining_in_chunk);

                    // ensure we don't read beyond the buffer boundary
                    let copy_len = cmp::min(copy_len, buf.len() - buf_offset);

                    if copy_len == 0 {
                        break; // no more data to read
                    }

                    // execute data copy
                    buf[buf_offset..buf_offset + copy_len]
                        .copy_from_slice(&mmap_mut[copy_start..copy_start + copy_len]);

                    buf_offset += copy_len;
                    len -= copy_len;
                    current_offset += copy_len as u64;
                }
            }
        }
        Ok(buf_offset)
    }

    async fn write_to_mmap(
        &self,
        inode: Inode,
        offset: u64,
        data: &[u8],
        file: &File,
    ) -> Result<usize> {
        let file_size = file.metadata()?.len();
        let len = data.len();

        // If the file needs to be extended, do so
        if offset + len as u64 > file_size {
            let raw_fd = file.as_raw_fd();
            let res = unsafe { libc::ftruncate(raw_fd, (offset + len as u64) as i64) };

            if res < 0 {
                return Err(std::io::Error::other("error to ftruncate"));
            }

            self.invalidate_mmap_cache(inode, file_size).await;
        }

        let mut remaining = len;
        let mut current_offset = offset;
        let mut data_offset = 0;

        while remaining > 0 {
            let (chunk, chunk_start_offset) = match self.get_mmap(inode, current_offset, file).await
            {
                Some((chunk, aligned_offset)) => (chunk, aligned_offset),
                None => {
                    return Err(std::io::Error::other("Failed to get mmap chunk"));
                }
            };

            let mut chunk_guard = chunk.write().await;
            match &mut *chunk_guard {
                MmapCachedValue::Mmap(_) => {
                    return Err(std::io::Error::new(
                        std::io::ErrorKind::PermissionDenied,
                        "Cannot write to read-only mmap",
                    ));
                }
                MmapCachedValue::MmapMut(mmap_mut) => {
                    let chunk_len = mmap_mut.len();

                    // Calculate the start position of the current chunk using cached alignment
                    let copy_start = (current_offset - chunk_start_offset) as usize;

                    // Ensure we don't write beyond the chunk boundary
                    let remaining_in_chunk = chunk_len - copy_start;
                    let copy_len = cmp::min(remaining, remaining_in_chunk);

                    // Ensure we don't write beyond the data boundary
                    let copy_len = cmp::min(copy_len, data.len() - data_offset);

                    if copy_len == 0 {
                        break; // No more data to write
                    }

                    // Perform data copy
                    mmap_mut[copy_start..copy_start + copy_len]
                        .copy_from_slice(&data[data_offset..data_offset + copy_len]);

                    data_offset += copy_len;
                    remaining -= copy_len;
                    current_offset += copy_len as u64;
                    mmap_mut.flush_async_range(copy_start, copy_len)?;
                }
            }
        }
        Ok(data_offset)
    }

    async fn invalidate_mmap_cache(&self, inode: Inode, old_size: u64) {
        let keys_to_remove: Vec<_> = self
            .mmap_chunks
            .iter()
            .filter(|item| {
                let key = item.0.clone();
                key.inode == inode && key.aligned_offset + mmap::MAX_WINDOW_SIZE as u64 >= old_size
            })
            .collect();

        for item in keys_to_remove {
            self.mmap_chunks.invalidate(item.0.as_ref()).await;
        }
    }
}

#[cfg(test)]
#[allow(unused_imports)]
mod tests {
    use crate::{
        passthrough::{PassthroughArgs, PassthroughFs, ROOT_ID, new_passthroughfs_layer},
        unwrap_or_skip_eperm,
    };
    use std::ffi::{CStr, OsStr, OsString};

    use nix::unistd::{Gid, Uid, getgid, getuid};
    use rfuse3::{
        MountOptions,
        raw::{Filesystem, Request, Session},
    };

    macro_rules! pass {
        () => {
            ()
        };
        ($($tt:tt)*) => {
            ()
        };
    }

    /// This test attempts to mount a passthrough filesystem. In many CI/unprivileged
    /// environments operations like `allow_other` or FUSE mounting may return
    /// EPERM/EACCES. Instead of failing the whole test suite, we skip the test
    /// gracefully in that case so logic tests in other modules still run.
    #[tokio::test]
    async fn test_passthrough() {
        let temp_dir = std::env::temp_dir().join("libfuse_passthrough_test");
        let source_dir = temp_dir.join("src");
        let mount_dir = temp_dir.join("mnt");
        let _ = std::fs::create_dir_all(&source_dir);
        let _ = std::fs::create_dir_all(&mount_dir);

        let args = PassthroughArgs {
            root_dir: source_dir.clone(),
            mapping: None::<&str>,
        };
        let fs = match super::new_passthroughfs_layer(args).await {
            Ok(fs) => fs,
            Err(e) => {
                eprintln!("skip test_passthrough: init failed: {e:?}");
                return;
            }
        };

        let uid = unsafe { libc::getuid() };
        let gid = unsafe { libc::getgid() };

        let mut mount_options = MountOptions::default();
        mount_options.force_readdir_plus(true).uid(uid).gid(gid);
        // Intentionally DO NOT call allow_other here to avoid requiring /etc/fuse.conf config.

        let mount_path = OsString::from(mount_dir.to_str().unwrap());

        let session = Session::new(mount_options);
        let mount_handle =
            unwrap_or_skip_eperm!(session.mount(fs, mount_path).await, "mount passthrough fs");

        // Immediately unmount to verify we at least mounted successfully.
        let _ = mount_handle.unmount().await; // errors ignored

        // Cleanup
        let _ = std::fs::remove_dir_all(&temp_dir);
    }

    // // Test for uid/gid mapping
    // async fn setup(
    //     mapping: Option<&str>,
    // ) -> (PassthroughFs, tempfile::TempDir, Uid, Gid, Uid, Gid) {
    //     let tmp_dir = tempfile::tempdir().unwrap();
    //     let src_dir = tmp_dir.path();

    //     let cur_uid = getuid();
    //     let cur_gid = getgid();

    //     let container_uid = Uid::from_raw(1000);
    //     let container_gid = Gid::from_raw(1000);

    //     let args = PassthroughArgs {
    //         root_dir: src_dir.to_path_buf(),
    //         mapping: mapping,
    //     };
    //     let fs = new_passthroughfs_layer(args).await.unwrap();

    //     (fs, tmp_dir, cur_uid, cur_gid, container_uid, container_gid)
    // }

    /// Tests the reverse mapping (host -> container) for `lookup` and `getattr` operations.
    ///
    /// It sets up a mapping from the current host user to a container user (UID/GID 1000).
    /// Then, it creates a file owned by the host user and verifies that when FUSE looks up
    /// or gets attributes for this file, the returned UID/GID are correctly mapped to 1000.
    ///
    /// Unfortunately, this can not work because `do_lookup` calls `to_openable_handle` which
    /// requires CAP_DAC_READ_SEARCH capability, which is not available in unprivileged test environments.
    /// So this test is commented out for now.
    #[tokio::test]
    async fn test_lookup_and_getattr() {
        pass!()
    }
    // async fn test_lookup_and_getattr() {
    //     let cur_uid = getuid().as_raw();
    //     let cur_gid = getgid().as_raw();
    //     let mapping = format!("uidmapping={cur_uid}:1000:1,gidmapping={cur_gid}:1000:1");

    //     let (fs, tmp_dir, ..) = setup(Some(&mapping)).await;
    //     let src = tmp_dir.path();

    //     // Create a file in the source directory, owned by the current host user.
    //     let file_path = src.join("test_file.txt");
    //     std::fs::File::create(&file_path).unwrap();
    //     std::os::unix::fs::chown(&file_path, Some(cur_uid), Some(cur_gid)).unwrap();

    //     // Simulate a FUSE request from the container user (UID/GID 1000).
    //     let req = Request::default();
    //     // Perform a lookup, which should trigger attribute fetching.
    //     let reply = fs
    //         .do_lookup(
    //             ROOT_ID,
    //             CStr::from_bytes_with_nul(b"test_file.txt\0").unwrap(),
    //         )
    //         .await
    //         .unwrap();

    //     // Verify that the returned attributes are mapped to the container's perspective.
    //     assert_eq!(reply.attr.uid, 1000);
    //     assert_eq!(reply.attr.gid, 1000);

    //     // Explicitly call getattr and verify the same mapping logic.
    //     let getattr_reply = fs.getattr(req, reply.attr.ino, None, 0).await.unwrap();
    //     assert_eq!(getattr_reply.attr.uid, 1000);
    //     assert_eq!(getattr_reply.attr.gid, 1000);
    // }

    /// Tests the forward mapping (container -> host) for the `create` operation.
    ///
    /// It sets up a mapping from the current host user to a container user (UID/GID 1000).
    /// It then simulates a `create` request from the container user and verifies two things:
    /// 1. The newly created file on the host filesystem is owned by the mapped host user.
    /// 2. The attributes returned in the FUSE reply are correctly mapped back to the container user's ID.
    #[tokio::test]
    async fn test_create() {
        pass!()
    }
    // #[tokio::test]
    // async fn test_create() {
    //     let cur_uid = getuid().as_raw();
    //     let cur_gid = getgid().as_raw();
    //     let mapping = format!("uidmapping={cur_uid}:1000:1,gidmapping={cur_gid}:1000:1");

    //     let (fs, tmp_dir, host_uid, host_gid, container_uid, container_gid) =
    //         setup(Some(&mapping)).await;

    //     // Simulate a request coming from the container user (1000).
    //     let mut req = Request::default();
    //     req.uid = container_uid.as_raw();
    //     req.gid = container_gid.as_raw();

    //     let file_name = OsStr::new("new_file.txt");
    //     let mode = libc::S_IFREG | 0o644;

    //     // Perform the create operation.
    //     let created_reply = fs
    //         .create(req, ROOT_ID, file_name, mode, libc::O_CREAT as u32)
    //         .await
    //         .unwrap();

    //     let file_path = tmp_dir.path().join(file_name);
    //     let metadata = std::fs::metadata(file_path).unwrap();

    //     // Verify forward mapping: the file owner on the host should be the mapped host user.
    //     use std::os::unix::fs::MetadataExt;
    //     assert_eq!(Uid::from_raw(metadata.uid()), host_uid);
    //     assert_eq!(Gid::from_raw(metadata.gid()), host_gid);

    //     // Verify reverse mapping in the reply: the attributes sent back to the container
    //     // should reflect the container's user ID.
    //     assert_eq!(created_reply.attr.uid, container_uid.as_raw());
    //     assert_eq!(created_reply.attr.gid, container_gid.as_raw());
    // }
}