sys/linux: updated fuse fs specifications

Author: Sablin Viacheslav

executor/common_linux.h

@@ -1506,26 +1506,26 @@ static void initialize_netdevices(void)
 		const char* type;
 		const char* dev;
 	} devtypes[] = {
-		// Note: ip6erspan device can't be added if ip6gretap exists in the same namespace.
-		{"ip6gretap", "ip6gretap0"},
-		{"bridge", "bridge0"},
-		{"vcan", "vcan0"},
-		{"bond", "bond0"},
-		{"team", "team0"},
-		{"dummy", "dummy0"},
+	    // Note: ip6erspan device can't be added if ip6gretap exists in the same namespace.
+	    {"ip6gretap", "ip6gretap0"},
+	    {"bridge", "bridge0"},
+	    {"vcan", "vcan0"},
+	    {"bond", "bond0"},
+	    {"team", "team0"},
+	    {"dummy", "dummy0"},
 #if SYZ_EXECUTOR || SYZ_NIC_VF
-		{"nicvf", "nicvf0"},
-#endif
-		{"nlmon", "nlmon0"},
-		{"caif", "caif0"},
-		{"batadv", "batadv0"},
-		// Note: this adds vxcan0/vxcan1 pair, similar to veth (creating vxcan0 would fail).
-		{"vxcan", "vxcan1"},
-		// This adds connected veth0 and veth1 devices.
-		{"veth", 0},
-		{"wireguard", "wg0"},
-		{"wireguard", "wg1"},
-		{"wireguard", "wg2"},
+	    {"nicvf", "nicvf0"},
+#endif
+	    {"nlmon", "nlmon0"},
+	    {"caif", "caif0"},
+	    {"batadv", "batadv0"},
+	    // Note: this adds vxcan0/vxcan1 pair, similar to veth (creating vxcan0 would fail).
+	    {"vxcan", "vxcan1"},
+	    // This adds connected veth0 and veth1 devices.
+	    {"veth", 0},
+	    {"wireguard", "wg0"},
+	    {"wireguard", "wg1"},
+	    {"wireguard", "wg2"},
 	};
 	const char* devmasters[] = {"bridge", "bond", "team", "batadv"};
 	// If you extend this array, also update netdev_addr_id in vnet.txt
@@ -1535,67 +1535,67 @@ static void initialize_netdevices(void)
 		int macsize;
 		bool noipv6;
 	} devices[] = {
-		{"lo", ETH_ALEN},
-		{"sit0", 0},
-		{"bridge0", ETH_ALEN},
-		{"vcan0", 0, true},
-		{"tunl0", 0},
-		{"gre0", 0},
-		{"gretap0", ETH_ALEN},
-		{"ip_vti0", 0},
-		{"ip6_vti0", 0},
-		{"ip6tnl0", 0},
-		{"ip6gre0", 0},
-		{"ip6gretap0", ETH_ALEN},
-		{"erspan0", ETH_ALEN},
-		{"bond0", ETH_ALEN},
-		{"veth0", ETH_ALEN},
-		{"veth1", ETH_ALEN},
-		{"team0", ETH_ALEN},
-		{"veth0_to_bridge", ETH_ALEN},
-		{"veth1_to_bridge", ETH_ALEN},
-		{"veth0_to_bond", ETH_ALEN},
-		{"veth1_to_bond", ETH_ALEN},
-		{"veth0_to_team", ETH_ALEN},
-		{"veth1_to_team", ETH_ALEN},
-		{"veth0_to_hsr", ETH_ALEN},
-		{"veth1_to_hsr", ETH_ALEN},
-		{"hsr0", 0},
-		{"dummy0", ETH_ALEN},
+	    {"lo", ETH_ALEN},
+	    {"sit0", 0},
+	    {"bridge0", ETH_ALEN},
+	    {"vcan0", 0, true},
+	    {"tunl0", 0},
+	    {"gre0", 0},
+	    {"gretap0", ETH_ALEN},
+	    {"ip_vti0", 0},
+	    {"ip6_vti0", 0},
+	    {"ip6tnl0", 0},
+	    {"ip6gre0", 0},
+	    {"ip6gretap0", ETH_ALEN},
+	    {"erspan0", ETH_ALEN},
+	    {"bond0", ETH_ALEN},
+	    {"veth0", ETH_ALEN},
+	    {"veth1", ETH_ALEN},
+	    {"team0", ETH_ALEN},
+	    {"veth0_to_bridge", ETH_ALEN},
+	    {"veth1_to_bridge", ETH_ALEN},
+	    {"veth0_to_bond", ETH_ALEN},
+	    {"veth1_to_bond", ETH_ALEN},
+	    {"veth0_to_team", ETH_ALEN},
+	    {"veth1_to_team", ETH_ALEN},
+	    {"veth0_to_hsr", ETH_ALEN},
+	    {"veth1_to_hsr", ETH_ALEN},
+	    {"hsr0", 0},
+	    {"dummy0", ETH_ALEN},
 #if SYZ_EXECUTOR || SYZ_NIC_VF
-		{"nicvf0", 0, true},
-#endif
-		{"nlmon0", 0},
-		{"vxcan0", 0, true},
-		{"vxcan1", 0, true},
-		{"caif0", ETH_ALEN}, // TODO: up'ing caif fails with ENODEV
-		{"batadv0", ETH_ALEN},
-		{netdevsim, ETH_ALEN},
-		{"xfrm0", ETH_ALEN},
-		{"veth0_virt_wifi", ETH_ALEN},
-		{"veth1_virt_wifi", ETH_ALEN},
-		{"virt_wifi0", ETH_ALEN},
-		{"veth0_vlan", ETH_ALEN},
-		{"veth1_vlan", ETH_ALEN},
-		{"vlan0", ETH_ALEN},
-		{"vlan1", ETH_ALEN},
-		{"macvlan0", ETH_ALEN},
-		{"macvlan1", ETH_ALEN},
-		{"ipvlan0", ETH_ALEN},
-		{"ipvlan1", ETH_ALEN},
-		{"veth0_macvtap", ETH_ALEN},
-		{"veth1_macvtap", ETH_ALEN},
-		{"macvtap0", ETH_ALEN},
-		{"macsec0", ETH_ALEN},
-		{"veth0_to_batadv", ETH_ALEN},
-		{"veth1_to_batadv", ETH_ALEN},
-		{"batadv_slave_0", ETH_ALEN},
-		{"batadv_slave_1", ETH_ALEN},
-		{"geneve0", ETH_ALEN},
-		{"geneve1", ETH_ALEN},
-		{"wg0", 0},
-		{"wg1", 0},
-		{"wg2", 0},
+	    {"nicvf0", 0, true},
+#endif
+	    {"nlmon0", 0},
+	    {"vxcan0", 0, true},
+	    {"vxcan1", 0, true},
+	    {"caif0", ETH_ALEN}, // TODO: up'ing caif fails with ENODEV
+	    {"batadv0", ETH_ALEN},
+	    {netdevsim, ETH_ALEN},
+	    {"xfrm0", ETH_ALEN},
+	    {"veth0_virt_wifi", ETH_ALEN},
+	    {"veth1_virt_wifi", ETH_ALEN},
+	    {"virt_wifi0", ETH_ALEN},
+	    {"veth0_vlan", ETH_ALEN},
+	    {"veth1_vlan", ETH_ALEN},
+	    {"vlan0", ETH_ALEN},
+	    {"vlan1", ETH_ALEN},
+	    {"macvlan0", ETH_ALEN},
+	    {"macvlan1", ETH_ALEN},
+	    {"ipvlan0", ETH_ALEN},
+	    {"ipvlan1", ETH_ALEN},
+	    {"veth0_macvtap", ETH_ALEN},
+	    {"veth1_macvtap", ETH_ALEN},
+	    {"macvtap0", ETH_ALEN},
+	    {"macsec0", ETH_ALEN},
+	    {"veth0_to_batadv", ETH_ALEN},
+	    {"veth1_to_batadv", ETH_ALEN},
+	    {"batadv_slave_0", ETH_ALEN},
+	    {"batadv_slave_1", ETH_ALEN},
+	    {"geneve0", ETH_ALEN},
+	    {"geneve1", ETH_ALEN},
+	    {"wg0", 0},
+	    {"wg1", 0},
+	    {"wg2", 0},
 	};
 	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
 	if (sock == -1)
@@ -2100,7 +2100,7 @@ struct btf_header {
 };
 
 #define BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
-#define BTF_INFO_VLEN(info) ((info)&0xffff)
+#define BTF_INFO_VLEN(info) ((info) & 0xffff)
 
 #define BTF_KIND_INT 1
 #define BTF_KIND_ARRAY 3
@@ -5114,41 +5114,41 @@ static void setup_sysctl()
 		const char* data;
 	} files[] = {
 #if GOARCH_amd64 || GOARCH_386
-		// nmi_check_duration() prints "INFO: NMI handler took too long" on slow debug kernels.
-		// It happens a lot in qemu, and the messages are frequently corrupted
-		// (intermixed with other kernel output as they are printed from NMI)
-		// and are not matched against the suppression in pkg/report.
-		// This write prevents these messages from being printed.
-		{"/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"},
-#endif
-		{"/proc/sys/kernel/hung_task_check_interval_secs", "20"},
-		// bpf_jit_kallsyms and disabling bpf_jit_harden are required
-		// for unwinding through bpf functions.
-		{"/proc/sys/net/core/bpf_jit_kallsyms", "1"},
-		{"/proc/sys/net/core/bpf_jit_harden", "0"},
-		// This is to provide more useful info in crash reports.
-		{"/proc/sys/kernel/kptr_restrict", "0"},
-		{"/proc/sys/kernel/softlockup_all_cpu_backtrace", "1"},
-		// This is to restrict effects of recursive exponential mounts, for details see
-		// "mnt: Add a per mount namespace limit on the number of mounts" commit.
-		{"/proc/sys/fs/mount-max", "100"},
-		// Dumping all tasks to console can take too long.
-		{"/proc/sys/vm/oom_dump_tasks", "0"},
-		// Executor hits lots of SIGSEGVs, no point in logging them.
-		{"/proc/sys/debug/exception-trace", "0"},
-		{"/proc/sys/kernel/printk", "7 4 1 3"},
-		// Faster gc (1 second) is intended to make tests more repeatable.
-		{"/proc/sys/kernel/keys/gc_delay", "1"},
-		// We always want to prefer killing the allocating test process rather than somebody else
-		// (sshd or another random test process).
-		{"/proc/sys/vm/oom_kill_allocating_task", "1"},
-		// This blocks some of the ways the fuzzer can trigger a reboot.
-		// ctrl-alt-del=0 tells kernel to signal cad_pid instead of rebooting.
-		// We set cad_pid to a transient process pid ctrl-alt-del a no-op.
-		// Note: we need to write a live process pid.
-		// For context see: https://groups.google.com/g/syzkaller-bugs/c/WqOY4TiRnFg/m/6P9u8lWZAQAJ
-		{"/proc/sys/kernel/ctrl-alt-del", "0"},
-		{"/proc/sys/kernel/cad_pid", tmppid},
+	    // nmi_check_duration() prints "INFO: NMI handler took too long" on slow debug kernels.
+	    // It happens a lot in qemu, and the messages are frequently corrupted
+	    // (intermixed with other kernel output as they are printed from NMI)
+	    // and are not matched against the suppression in pkg/report.
+	    // This write prevents these messages from being printed.
+	    {"/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"},
+#endif
+	    {"/proc/sys/kernel/hung_task_check_interval_secs", "20"},
+	    // bpf_jit_kallsyms and disabling bpf_jit_harden are required
+	    // for unwinding through bpf functions.
+	    {"/proc/sys/net/core/bpf_jit_kallsyms", "1"},
+	    {"/proc/sys/net/core/bpf_jit_harden", "0"},
+	    // This is to provide more useful info in crash reports.
+	    {"/proc/sys/kernel/kptr_restrict", "0"},
+	    {"/proc/sys/kernel/softlockup_all_cpu_backtrace", "1"},
+	    // This is to restrict effects of recursive exponential mounts, for details see
+	    // "mnt: Add a per mount namespace limit on the number of mounts" commit.
+	    {"/proc/sys/fs/mount-max", "100"},
+	    // Dumping all tasks to console can take too long.
+	    {"/proc/sys/vm/oom_dump_tasks", "0"},
+	    // Executor hits lots of SIGSEGVs, no point in logging them.
+	    {"/proc/sys/debug/exception-trace", "0"},
+	    {"/proc/sys/kernel/printk", "7 4 1 3"},
+	    // Faster gc (1 second) is intended to make tests more repeatable.
+	    {"/proc/sys/kernel/keys/gc_delay", "1"},
+	    // We always want to prefer killing the allocating test process rather than somebody else
+	    // (sshd or another random test process).
+	    {"/proc/sys/vm/oom_kill_allocating_task", "1"},
+	    // This blocks some of the ways the fuzzer can trigger a reboot.
+	    // ctrl-alt-del=0 tells kernel to signal cad_pid instead of rebooting.
+	    // We set cad_pid to a transient process pid ctrl-alt-del a no-op.
+	    // Note: we need to write a live process pid.
+	    // For context see: https://groups.google.com/g/syzkaller-bugs/c/WqOY4TiRnFg/m/6P9u8lWZAQAJ
+	    {"/proc/sys/kernel/ctrl-alt-del", "0"},
+	    {"/proc/sys/kernel/cad_pid", tmppid},
 
 	};
 	for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
@@ -5297,6 +5297,9 @@ enum fuse_opcode {
 	FUSE_COPY_FILE_RANGE = 47,
 	FUSE_SETUPMAPPING = 48,
 	FUSE_REMOVEMAPPING = 49,
+	FUSE_SYNCFS = 50,
+	FUSE_TMPFILE = 51,
+	FUSE_STATX = 52,
 
 	// CUSE specific operations
 	CUSE_INIT = 4096,
@@ -5348,6 +5351,7 @@ struct syz_fuse_req_out {
 	struct fuse_out_header* direntplus;
 	struct fuse_out_header* create_open;
 	struct fuse_out_header* ioctl;
+	struct fuse_out_header* statx;
 };
 
 // Link the reponse to the request and send it to /dev/fuse.
@@ -5496,6 +5500,9 @@ static volatile long syz_fuse_handle_req(volatile long a0, // /dev/fuse fd.
 	case FUSE_IOCTL:
 		out_hdr = req_out->ioctl;
 		break;
+	case FUSE_STATX:
+		out_hdr = req_out->statx;
+		break;
 	default:
 		debug("syz_fuse_handle_req: unknown FUSE opcode\n");
 		return -1;

sys/linux/fs_fuse.txt

@@ -12,6 +12,8 @@ resource fd_fuse[fd]
 openat$fuse(fd const[AT_FDCWD], file ptr[in, string["/dev/fuse"]], flags const[O_RDWR], mode const[0]) fd_fuse
 openat$cuse(fd const[AT_FDCWD], file ptr[in, string["/dev/cuse"]], flags const[O_RDWR], mode const[0]) fd_fuse
 ioctl$FUSE_DEV_IOC_CLONE(fd fd_fuse, cmd const[FUSE_DEV_IOC_CLONE], arg ptr[in, fd_fuse])
+ioctl$FUSE_DEV_IOC_BACKING_OPEN(fd fd_fuse, cmd const[FUSE_DEV_IOC_BACKING_OPEN], arg ptr[in, fuse_backing_map])
+ioctl$FUSE_DEV_IOC_BACKING_CLOSE(fd fd_fuse, cmd const[FUSE_DEV_IOC_BACKING_CLOSE], arg ptr[in, int32])
 
 type read_buffer array[int8, FUSE_MIN_READ_BUFFER]
 read$FUSE(fd fd_fuse, buf ptr[out, fuse_in[read_buffer]], len bytesize[buf])
@@ -34,12 +36,14 @@ write$FUSE_ENTRY(fd fd_fuse, arg ptr[in, fuse_out[fuse_entry_out]], len bytesize
 write$FUSE_CREATE_OPEN(fd fd_fuse, arg ptr[in, fuse_out[fuse_create_open_out]], len bytesize[arg])
 write$FUSE_DIRENT(fd fd_fuse, arg ptr[in, fuse_out[array[fuse_dirent]]], len bytesize[arg])
 write$FUSE_DIRENTPLUS(fd fd_fuse, arg ptr[in, fuse_out[array[fuse_direntplus]]], len bytesize[arg])
+write$FUSE_STATX(fd fd_fuse, arg ptr[in, fuse_out[fuse_statx_out]], len bytesize[arg])
 write$FUSE_NOTIFY_POLL(fd fd_fuse, arg ptr[in, fuse_notify[FUSE_NOTIFY_POLL, fuse_notify_poll_wakeup_out]], len bytesize[arg])
 write$FUSE_NOTIFY_INVAL_INODE(fd fd_fuse, arg ptr[in, fuse_notify[FUSE_NOTIFY_INVAL_INODE, fuse_notify_inval_inode_out]], len bytesize[arg])
 write$FUSE_NOTIFY_INVAL_ENTRY(fd fd_fuse, arg ptr[in, fuse_notify[FUSE_NOTIFY_INVAL_ENTRY, fuse_notify_inval_entry_out]], len bytesize[arg])
 write$FUSE_NOTIFY_STORE(fd fd_fuse, arg ptr[in, fuse_notify[FUSE_NOTIFY_STORE, fuse_notify_store_out]], len bytesize[arg])
 write$FUSE_NOTIFY_RETRIEVE(fd fd_fuse, arg ptr[in, fuse_notify[FUSE_NOTIFY_RETRIEVE, fuse_notify_retrieve_out]], len bytesize[arg])
 write$FUSE_NOTIFY_DELETE(fd fd_fuse, arg ptr[in, fuse_notify[FUSE_NOTIFY_DELETE, fuse_notify_delete_out]], len bytesize[arg])
+write$FUSE_NOTIFY_RESEND(fd fd_fuse, arg ptr[in, fuse_notify[FUSE_NOTIFY_RESEND, const[0, int32]]], len bytesize[arg])
 
 syz_mount_image$fuse(fs ptr[in, string["fuse"]], dir ptr[in, filename], flags flags[mount_flags], opts ptr[in, fuse_options], chdir bool8, size const[0], img ptr[in, array[int8]]) fd_dir
 syz_fuse_handle_req(fd fd_fuse, buf ptr[in, read_buffer], len bytesize[buf], res ptr[in, syz_fuse_req_out])
@@ -93,10 +97,24 @@ fuse_init_out {
 	time_gran		int32
 	max_pages		const[0, int16]
 	map_alignment		const[0, int16]
-	unused			array[const[0, int32], 8]
+	flags2			flags[fuse_init_flags2, int32]
+	max_stack_depth		int32
+	unused			array[const[0, int32], 6]
 }
 
-fuse_init_flags = FUSE_ASYNC_READ, FUSE_POSIX_LOCKS, FUSE_FILE_OPS, FUSE_ATOMIC_O_TRUNC, FUSE_EXPORT_SUPPORT, FUSE_BIG_WRITES, FUSE_DONT_MASK, FUSE_SPLICE_WRITE, FUSE_SPLICE_MOVE, FUSE_SPLICE_READ, FUSE_FLOCK_LOCKS, FUSE_HAS_IOCTL_DIR, FUSE_AUTO_INVAL_DATA, FUSE_DO_READDIRPLUS, FUSE_READDIRPLUS_AUTO, FUSE_ASYNC_DIO, FUSE_WRITEBACK_CACHE, FUSE_NO_OPEN_SUPPORT, FUSE_PARALLEL_DIROPS, FUSE_HANDLE_KILLPRIV, FUSE_POSIX_ACL, FUSE_ABORT_ERROR, FUSE_MAX_PAGES, FUSE_CACHE_SYMLINKS, FUSE_NO_OPENDIR_SUPPORT, FUSE_EXPLICIT_INVAL_DATA
+fuse_init_flags = FUSE_ASYNC_READ, FUSE_POSIX_LOCKS, FUSE_FILE_OPS, FUSE_ATOMIC_O_TRUNC, FUSE_EXPORT_SUPPORT, FUSE_BIG_WRITES, FUSE_DONT_MASK, FUSE_SPLICE_WRITE, FUSE_SPLICE_MOVE, FUSE_SPLICE_READ, FUSE_FLOCK_LOCKS, FUSE_HAS_IOCTL_DIR, FUSE_AUTO_INVAL_DATA, FUSE_DO_READDIRPLUS, FUSE_READDIRPLUS_AUTO, FUSE_ASYNC_DIO, FUSE_WRITEBACK_CACHE, FUSE_NO_OPEN_SUPPORT, FUSE_PARALLEL_DIROPS, FUSE_HANDLE_KILLPRIV, FUSE_POSIX_ACL, FUSE_ABORT_ERROR, FUSE_MAX_PAGES, FUSE_CACHE_SYMLINKS, FUSE_NO_OPENDIR_SUPPORT, FUSE_EXPLICIT_INVAL_DATA, FUSE_MAP_ALIGNMENT, FUSE_SUBMOUNTS, FUSE_HANDLE_KILLPRIV_V2, FUSE_SETXATTR_EXT, FUSE_INIT_EXT, FUSE_INIT_RESERVED
+fuse_init_flags2 = FUSE_SECURITY_CTX_FLAG2, FUSE_HAS_INODE_DAX_FLAG2, FUSE_CREATE_SUPP_GROUP_FLAG2, FUSE_HAS_EXPIRE_ONLY_FLAG2, FUSE_DIRECT_IO_ALLOW_MMAP_FLAG2, FUSE_PASSTHROUGH_FLAG2, FUSE_NO_EXPORT_SUPPORT_FLAG2, FUSE_HAS_RESEND_FLAG2, FUSE_DIRECT_IO_RELAX_FLAG2, FUSE_ALLOW_IDMAP_FLAG2
+
+define FUSE_SECURITY_CTX_FLAG2	FUSE_SECURITY_CTX >> 32
+define FUSE_HAS_INODE_DAX_FLAG2	FUSE_HAS_INODE_DAX >> 32
+define FUSE_CREATE_SUPP_GROUP_FLAG2	FUSE_CREATE_SUPP_GROUP >> 32
+define FUSE_HAS_EXPIRE_ONLY_FLAG2	FUSE_HAS_EXPIRE_ONLY >> 32
+define FUSE_DIRECT_IO_ALLOW_MMAP_FLAG2	FUSE_DIRECT_IO_ALLOW_MMAP >> 32
+define FUSE_PASSTHROUGH_FLAG2	FUSE_PASSTHROUGH >> 32
+define FUSE_NO_EXPORT_SUPPORT_FLAG2	FUSE_NO_EXPORT_SUPPORT >> 32
+define FUSE_HAS_RESEND_FLAG2	FUSE_HAS_RESEND >> 32
+define FUSE_DIRECT_IO_RELAX_FLAG2	FUSE_DIRECT_IO_RELAX >> 32
+define FUSE_ALLOW_IDMAP_FLAG2	FUSE_ALLOW_IDMAP >> 32 
 
 fuse_lseek_out {
 	offset	int64
@@ -269,6 +287,48 @@ fuse_notify_retrieve_out {
 	padding		const[0, int32]
 } [packed]
 
+fuse_statx_out {
+	attr_valid	int64
+	attr_valid_nsec	int32
+	flags		const[0, int32]
+	spare		array[const[0, int64], 2]
+	stat		fuse_statx
+}
+
+fuse_statx {
+	mask		flags[fuse_statx_masx, int32]
+	blksize		int32
+	attributes	int64
+	nlink		int32
+	uid		uid
+	gid		gid
+	mode		flags[fuse_valid_type, int16]
+	__spare0	array[const[0, int16], 1]
+	ino		int64
+	size		int64
+	blocks		int64
+	attributes_mask	int64
+	atime		fuse_sx_time
+	btime		fuse_sx_time
+	ctime		fuse_sx_time
+	mtime		fuse_sx_time
+	rdev_major	int32
+	rdev_minor	int32
+	dev_major	int32
+	dev_minor	int32
+	__spare2	array[const[0, int64], 14]
+}
+
+fuse_statx_masx = STATX_TYPE, STATX_MODE, STATX_NLINK, STATX_UID, STATX_GID, STATX_ATIME, STATX_MTIME, STATX_CTIME, STATX_INO, STATX_SIZE, STATX_BLOCKS, STATX_BASIC_STATS, STATX_BTIME, STATX_MNT_ID, STATX_DIOALIGN, STATX_MNT_ID_UNIQUE, STATX_SUBVOL, STATX_WRITE_ATOMIC
+
+fuse_valid_type = S_IFLNK, S_IFREG, S_IFDIR, S_IFCHR, S_IFBLK, S_IFIFO, S_IFSOCK
+
+fuse_sx_time {
+	tv_sec		int64
+	tv_nsec		int32
+	__reserved	const[0, int32]
+}
+
 # Mount options.
 
 fuse_options {
@@ -311,4 +371,11 @@ syz_fuse_req_out {
 	direntplus	ptr[in, syz_fuse_out[array[fuse_direntplus]]]
 	create_open	ptr[in, syz_fuse_out[fuse_create_open_out]]
 	ioctl		ptr[in, syz_fuse_out[fuse_ioctl_out]]
+	statx		ptr[in, syz_fuse_out[fuse_statx_out]]
+}
+
+fuse_backing_map {
+	fd	fd_fuse
+	flags	const[0, int32]
+	padding	const[0, int64]
 }