Summary
On Linux 6.12+ guests, virtiofs mount succeeds but all subsequent file operations return ECONNREFUSED. The root cause is that server.rs advertises FUSE_ALLOW_IDMAP in the FUSE_INIT response without also advertising FUSE_POSIX_ACL.
Root Cause
Linux 6.12 added FUSE_ALLOW_IDMAP support (idmapped FUSE mounts). In fs/fuse/inode.c:process_init_reply, the kernel requires default_permissions (which is only set when FUSE_POSIX_ACL is in the response flags) when FUSE_ALLOW_IDMAP is present:
if (flags & FUSE_ALLOW_IDMAP) {
if (fc->default_permissions)
fm->sb->s_iflags &= ~SB_I_NOIDMAP;
else
ok = false; // ← sets conn_error = 1
}libkrun's src/devices/src/virtio/fs/server.rs (added by #456) includes ALLOW_IDMAP in supported flags but does NOT include POSIX_ACL. The macOS passthrough's init() returns only WRITEBACK_CACHE | SUBMOUNTS. So the computed response flags include ALLOW_IDMAP but not POSIX_ACL, triggering the kernel's conn_error = 1.
With conn_error set, all subsequent FUSE requests return ECONNREFUSED without being sent through the virtqueue, so the FUSE worker only ever sees the FUSE_INIT request.
How to Reproduce
- Use libkrun v1.17.0+ on macOS (Apple Silicon)
- Boot a Linux 6.12+ kernel (e.g., Docker Desktop's LinuxKit kernel 6.12.72)
- Add a virtiofs device with
krun_add_virtiofs()
- In the guest:
mount -t virtiofs <tag> /mnt succeeds
ls /mnt returns Connection refused (ECONNREFUSED)
Suggested Fix
Either:
- Remove
ALLOW_IDMAP from supported flags when the passthrough filesystem doesn't support POSIX ACLs (macOS passthrough)
- Add
POSIX_ACL to supported flags alongside ALLOW_IDMAP (requires the passthrough to actually implement POSIX ACL support)
The first option is simpler and correct since the macOS passthrough doesn't support POSIX ACLs.
Environment
- libkrun: v1.17.4 (Homebrew, macOS arm64)
- Host: macOS 15 (Apple Silicon)
- Guest kernel: Linux 6.12.72-linuxkit (Docker Desktop)
- FUSE API: 7.41
Debug Evidence
With KRUN_LOG_LEVEL_DEBUG, only one FUSE request is processed:
[devices::virtio::fs::worker] Fs: queue event: 1
[devices::virtio::fs::server] opcode: 26 # FUSE_INIT — the only request ever received
[devices::virtio::mmio[fs]] interrupt: signal_used_queue
No subsequent FUSE requests (LOOKUP, GETATTR, READDIR) arrive at the worker.
Summary
On Linux 6.12+ guests, virtiofs mount succeeds but all subsequent file operations return
ECONNREFUSED. The root cause is thatserver.rsadvertisesFUSE_ALLOW_IDMAPin the FUSE_INIT response without also advertisingFUSE_POSIX_ACL.Root Cause
Linux 6.12 added
FUSE_ALLOW_IDMAPsupport (idmapped FUSE mounts). Infs/fuse/inode.c:process_init_reply, the kernel requiresdefault_permissions(which is only set whenFUSE_POSIX_ACLis in the response flags) whenFUSE_ALLOW_IDMAPis present:libkrun's
src/devices/src/virtio/fs/server.rs(added by #456) includesALLOW_IDMAPinsupportedflags but does NOT includePOSIX_ACL. The macOS passthrough'sinit()returns onlyWRITEBACK_CACHE | SUBMOUNTS. So the computed response flags includeALLOW_IDMAPbut notPOSIX_ACL, triggering the kernel'sconn_error = 1.With
conn_errorset, all subsequent FUSE requests returnECONNREFUSEDwithout being sent through the virtqueue, so the FUSE worker only ever sees the FUSE_INIT request.How to Reproduce
krun_add_virtiofs()mount -t virtiofs <tag> /mntsucceedsls /mntreturnsConnection refused(ECONNREFUSED)Suggested Fix
Either:
ALLOW_IDMAPfromsupportedflags when the passthrough filesystem doesn't support POSIX ACLs (macOS passthrough)POSIX_ACLtosupportedflags alongsideALLOW_IDMAP(requires the passthrough to actually implement POSIX ACL support)The first option is simpler and correct since the macOS passthrough doesn't support POSIX ACLs.
Environment
Debug Evidence
With
KRUN_LOG_LEVEL_DEBUG, only one FUSE request is processed:No subsequent FUSE requests (LOOKUP, GETATTR, READDIR) arrive at the worker.