fs/fuse/readdir.c | 67 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 57 insertions(+), 10 deletions(-)
Commit dabb90391028 ("fuse: increase readdir buffer size") changed
fuse_readdir_uncached() to size its temporary buffer from ctx->count.
That is useful for overlayfs and other in-kernel callers that use
INT_MAX to indicate an unlimited directory read.
The buffer is capped by fc->max_pages converted to bytes with PAGE_SIZE.
However, fc->max_pages is a page-count limit, while fc->max_write is the
negotiated byte-sized payload limit. Using only fc->max_pages can produce
a READDIR request larger than the server is prepared to handle, especially
when the server and client use different page sizes.
The larger buffer is also currently supplied as a kvec output argument.
For virtiofs, kvec arguments are copied through req->argbuf, which is
allocated with kmalloc(..., GFP_ATOMIC). A large readdir buffer can
therefore require a multi-megabyte contiguous atomic allocation and fail
with -ENOMEM.
This was observed with a 64K-page guest on a 4K-page host, using an
overlayfs mount whose lower directory is on virtiofs. Reading a merged
directory through overlayfs failed with:
ls: reading directory '<path>': Cannot allocate memory
Avoid the oversized request and the large bounce-buffer allocation by
capping the requested byte size by both fc->max_pages and fc->max_write,
then backing the uncached readdir output with pages and setting out_pages.
The virtiofs transport can then pass the pages as scatter-gather entries
instead of copying the output through argbuf.
Map the pages with vm_map_ram() only while parsing the returned dirents,
so the existing parser can continue to operate on a linear kernel mapping.
Fixes: dabb90391028 ("fuse: increase readdir buffer size")
Cc: stable@vger.kernel.org
Signed-off-by: Matthew R. Ochs <mochs@nvidia.com>
---
v2:
- Reworked uncached readdir to use output pages and out_pages, per Miklos.
- Cap the requested byte size by both fc->max_pages and fc->max_write.
- Map pages with vm_map_ram() only while parsing returned dirents.
- Verified with --overlay-rwdir across 4K/64K host and guest page sizes.
- Link to v1: https://lore.kernel.org/all/20260428021304.2338592-1-mochs@nvidia.com/
fs/fuse/readdir.c | 67 ++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 57 insertions(+), 10 deletions(-)
diff --git a/fs/fuse/readdir.c b/fs/fuse/readdir.c
index db5ae8ec1030..27162084a683 100644
--- a/fs/fuse/readdir.c
+++ b/fs/fuse/readdir.c
@@ -12,6 +12,7 @@
#include <linux/posix_acl.h>
#include <linux/pagemap.h>
#include <linux/highmem.h>
+#include <linux/vmalloc.h>
static bool fuse_use_readdirplus(struct inode *dir, struct dir_context *ctx)
{
@@ -343,17 +344,45 @@ static int fuse_readdir_uncached(struct file *file, struct dir_context *ctx)
struct fuse_mount *fm = get_fuse_mount(inode);
struct fuse_conn *fc = fm->fc;
struct fuse_io_args ia = {};
- struct fuse_args *args = &ia.ap.args;
+ struct fuse_args_pages *ap = &ia.ap;
+ struct fuse_args *args = &ap->args;
+ struct page **pages;
void *buf;
- size_t bufsize = clamp((unsigned int) ctx->count, PAGE_SIZE, fc->max_pages << PAGE_SHIFT);
+ size_t max_bufsize = min_t(size_t, (size_t)fc->max_pages << PAGE_SHIFT,
+ fc->max_write);
+ size_t count = ctx->count > 0 ? ctx->count : PAGE_SIZE;
+ size_t bufsize = min_t(size_t, max_t(size_t, count, PAGE_SIZE),
+ max_bufsize);
+ unsigned int nr_pages = DIV_ROUND_UP(bufsize, PAGE_SIZE);
u64 attr_version = 0, evict_ctr = 0;
bool locked;
+ unsigned int nr_alloc = 0;
+ unsigned int i;
- buf = kvmalloc(bufsize, GFP_KERNEL);
- if (!buf)
+ pages = kvcalloc(nr_pages, sizeof(*pages), GFP_KERNEL);
+ if (!pages)
return -ENOMEM;
- args->out_args[0].value = buf;
+ while (nr_alloc < nr_pages) {
+ unsigned int last = nr_alloc;
+
+ nr_alloc = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages);
+ if (nr_alloc == last)
+ goto nomem;
+ }
+
+ ap->folios = fuse_folios_alloc(nr_pages, GFP_KERNEL, &ap->descs);
+ if (!ap->folios)
+ goto nomem;
+
+ for (i = 0; i < nr_pages; i++) {
+ ap->folios[i] = page_folio(pages[i]);
+ ap->descs[i].length = min_t(size_t,
+ bufsize - (size_t)i * PAGE_SIZE,
+ PAGE_SIZE);
+ }
+ ap->num_folios = nr_pages;
+ args->out_pages = true;
plus = fuse_use_readdirplus(inode, ctx);
if (plus) {
@@ -372,17 +401,35 @@ static int fuse_readdir_uncached(struct file *file, struct dir_context *ctx)
if (ff->open_flags & FOPEN_CACHE_DIR)
fuse_readdir_cache_end(file, ctx->pos);
- } else if (plus) {
- res = parse_dirplusfile(buf, res, file, ctx, attr_version,
- evict_ctr);
} else {
- res = parse_dirfile(buf, res, file, ctx);
+ buf = vm_map_ram(pages, nr_pages, -1);
+ if (!buf) {
+ res = -ENOMEM;
+ } else {
+ if (plus)
+ res = parse_dirplusfile(buf, res, file, ctx,
+ attr_version,
+ evict_ctr);
+ else
+ res = parse_dirfile(buf, res, file, ctx);
+
+ vm_unmap_ram(buf, nr_pages);
+ }
}
}
- kvfree(buf);
fuse_invalidate_atime(inode);
+
+out:
+ kfree(ap->folios);
+ for (i = 0; i < nr_alloc; i++)
+ __free_page(pages[i]);
+ kvfree(pages);
return res;
+
+nomem:
+ res = -ENOMEM;
+ goto out;
}
enum fuse_parse_result {
--
2.50.1
On 4/29/26 01:29, Matthew R. Ochs wrote:
> [You don't often get email from mochs@nvidia.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
>
> Commit dabb90391028 ("fuse: increase readdir buffer size") changed
> fuse_readdir_uncached() to size its temporary buffer from ctx->count.
> That is useful for overlayfs and other in-kernel callers that use
> INT_MAX to indicate an unlimited directory read.
>
> The buffer is capped by fc->max_pages converted to bytes with PAGE_SIZE.
> However, fc->max_pages is a page-count limit, while fc->max_write is the
> negotiated byte-sized payload limit. Using only fc->max_pages can produce
> a READDIR request larger than the server is prepared to handle, especially
> when the server and client use different page sizes.
>
> The larger buffer is also currently supplied as a kvec output argument.
> For virtiofs, kvec arguments are copied through req->argbuf, which is
> allocated with kmalloc(..., GFP_ATOMIC). A large readdir buffer can
> therefore require a multi-megabyte contiguous atomic allocation and fail
> with -ENOMEM.
>
> This was observed with a 64K-page guest on a 4K-page host, using an
> overlayfs mount whose lower directory is on virtiofs. Reading a merged
> directory through overlayfs failed with:
>
> ls: reading directory '<path>': Cannot allocate memory
>
> Avoid the oversized request and the large bounce-buffer allocation by
> capping the requested byte size by both fc->max_pages and fc->max_write,
> then backing the uncached readdir output with pages and setting out_pages.
> The virtiofs transport can then pass the pages as scatter-gather entries
> instead of copying the output through argbuf.
>
> Map the pages with vm_map_ram() only while parsing the returned dirents,
> so the existing parser can continue to operate on a linear kernel mapping.
>
> Fixes: dabb90391028 ("fuse: increase readdir buffer size")
> Cc: stable@vger.kernel.org
> Signed-off-by: Matthew R. Ochs <mochs@nvidia.com>
Josef and Joanne had spent quite some time to allow to use large folios
- maybe we should make use of it? Attached is a totally untested patch
and that ignores all of Miklos' comments for now. Also cannot be that
easily back ported
Thanks,
Bernd
> ---
> v2:
> - Reworked uncached readdir to use output pages and out_pages, per Miklos.
> - Cap the requested byte size by both fc->max_pages and fc->max_write.
> - Map pages with vm_map_ram() only while parsing returned dirents.
> - Verified with --overlay-rwdir across 4K/64K host and guest page sizes.
> - Link to v1: https://lore.kernel.org/all/20260428021304.2338592-1-mochs@nvidia.com/
>
> fs/fuse/readdir.c | 67 ++++++++++++++++++++++++++++++++++++++++-------
> 1 file changed, 57 insertions(+), 10 deletions(-)
>
> diff --git a/fs/fuse/readdir.c b/fs/fuse/readdir.c
> index db5ae8ec1030..27162084a683 100644
> --- a/fs/fuse/readdir.c
> +++ b/fs/fuse/readdir.c
> @@ -12,6 +12,7 @@
> #include <linux/posix_acl.h>
> #include <linux/pagemap.h>
> #include <linux/highmem.h>
> +#include <linux/vmalloc.h>
>
> static bool fuse_use_readdirplus(struct inode *dir, struct dir_context *ctx)
> {
> @@ -343,17 +344,45 @@ static int fuse_readdir_uncached(struct file *file, struct dir_context *ctx)
> struct fuse_mount *fm = get_fuse_mount(inode);
> struct fuse_conn *fc = fm->fc;
> struct fuse_io_args ia = {};
> - struct fuse_args *args = &ia.ap.args;
> + struct fuse_args_pages *ap = &ia.ap;
> + struct fuse_args *args = &ap->args;
> + struct page **pages;
> void *buf;
> - size_t bufsize = clamp((unsigned int) ctx->count, PAGE_SIZE, fc->max_pages << PAGE_SHIFT);
> + size_t max_bufsize = min_t(size_t, (size_t)fc->max_pages << PAGE_SHIFT,
> + fc->max_write);
> + size_t count = ctx->count > 0 ? ctx->count : PAGE_SIZE;
> + size_t bufsize = min_t(size_t, max_t(size_t, count, PAGE_SIZE),
> + max_bufsize);
> + unsigned int nr_pages = DIV_ROUND_UP(bufsize, PAGE_SIZE);
> u64 attr_version = 0, evict_ctr = 0;
> bool locked;
> + unsigned int nr_alloc = 0;
> + unsigned int i;
>
> - buf = kvmalloc(bufsize, GFP_KERNEL);
> - if (!buf)
> + pages = kvcalloc(nr_pages, sizeof(*pages), GFP_KERNEL);
> + if (!pages)
> return -ENOMEM;
>
> - args->out_args[0].value = buf;
> + while (nr_alloc < nr_pages) {
> + unsigned int last = nr_alloc;
> +
> + nr_alloc = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages);
> + if (nr_alloc == last)
> + goto nomem;
> + }
> +
> + ap->folios = fuse_folios_alloc(nr_pages, GFP_KERNEL, &ap->descs);
> + if (!ap->folios)
> + goto nomem;
> +
> + for (i = 0; i < nr_pages; i++) {
> + ap->folios[i] = page_folio(pages[i]);
> + ap->descs[i].length = min_t(size_t,
> + bufsize - (size_t)i * PAGE_SIZE,
> + PAGE_SIZE);
> + }
> + ap->num_folios = nr_pages;
> + args->out_pages = true;
>
> plus = fuse_use_readdirplus(inode, ctx);
> if (plus) {
> @@ -372,17 +401,35 @@ static int fuse_readdir_uncached(struct file *file, struct dir_context *ctx)
>
> if (ff->open_flags & FOPEN_CACHE_DIR)
> fuse_readdir_cache_end(file, ctx->pos);
> - } else if (plus) {
> - res = parse_dirplusfile(buf, res, file, ctx, attr_version,
> - evict_ctr);
> } else {
> - res = parse_dirfile(buf, res, file, ctx);
> + buf = vm_map_ram(pages, nr_pages, -1);
> + if (!buf) {
> + res = -ENOMEM;
> + } else {
> + if (plus)
> + res = parse_dirplusfile(buf, res, file, ctx,
> + attr_version,
> + evict_ctr);
> + else
> + res = parse_dirfile(buf, res, file, ctx);
> +
> + vm_unmap_ram(buf, nr_pages);
> + }
> }
> }
>
> - kvfree(buf);
> fuse_invalidate_atime(inode);
> +
> +out:
> + kfree(ap->folios);
> + for (i = 0; i < nr_alloc; i++)
> + __free_page(pages[i]);
> + kvfree(pages);
> return res;
> +
> +nomem:
> + res = -ENOMEM;
> + goto out;
> }
>
> enum fuse_parse_result {
> --
> 2.50.1
>
On Wed, 29 Apr 2026 at 11:29, Bernd Schubert <bschubert@ddn.com> wrote: > Josef and Joanne had spent quite some time to allow to use large folios > - maybe we should make use of it? Attached is a totally untested patch > and that ignores all of Miklos' comments for now. Also cannot be that > easily back ported I'd be happier if the VM infrastructure for folio arrays was available first, then used in fuse. Not the other way round. Thanks, Miklos
On 4/29/26 12:38, Miklos Szeredi wrote: > On Wed, 29 Apr 2026 at 11:29, Bernd Schubert <bschubert@ddn.com> wrote: > >> Josef and Joanne had spent quite some time to allow to use large folios >> - maybe we should make use of it? Attached is a totally untested patch >> and that ignores all of Miklos' comments for now. Also cannot be that >> easily back ported > > I'd be happier if the VM infrastructure for folio arrays was available > first, then used in fuse. Not the other way round. It is only the the missing vm_map part for folios? I had found a patch https://lists.freedesktop.org/archives/dri-devel/2025-March/497993.html and added the comment therefore. Maybe we can bring it up with Matthew or someone else from mm next week. A bit a pity if there is generic support for large folios and fuse internals for random reasons then still use single pages. Thanks, Bernd
On Wed, 29 Apr 2026 at 01:30, Matthew R. Ochs <mochs@nvidia.com> wrote:
> The larger buffer is also currently supplied as a kvec output argument.
> For virtiofs, kvec arguments are copied through req->argbuf, which is
> allocated with kmalloc(..., GFP_ATOMIC). A large readdir buffer can
> therefore require a multi-megabyte contiguous atomic allocation and fail
> with -ENOMEM.
Shouldn't this be max_read? Here "read" and "write" refer to
direction of I/O on the filesystem, not on the fuse device (see
fuse/file.c)
> @@ -343,17 +344,45 @@ static int fuse_readdir_uncached(struct file *file, struct dir_context *ctx)
> struct fuse_mount *fm = get_fuse_mount(inode);
> struct fuse_conn *fc = fm->fc;
> struct fuse_io_args ia = {};
> - struct fuse_args *args = &ia.ap.args;
> + struct fuse_args_pages *ap = &ia.ap;
> + struct fuse_args *args = &ap->args;
> + struct page **pages;
> void *buf;
> - size_t bufsize = clamp((unsigned int) ctx->count, PAGE_SIZE, fc->max_pages << PAGE_SHIFT);
> + size_t max_bufsize = min_t(size_t, (size_t)fc->max_pages << PAGE_SHIFT,
No need to cast if using the min_t variant.
> + fc->max_write);
> + size_t count = ctx->count > 0 ? ctx->count : PAGE_SIZE;
This is open coding the max_t(size_t, count, PAGE_SIZE) in the next
line. Just delete.
> + size_t bufsize = min_t(size_t, max_t(size_t, count, PAGE_SIZE),
> + max_bufsize);
What's wrong with the clamp() construct used originally?
> + unsigned int nr_pages = DIV_ROUND_UP(bufsize, PAGE_SIZE);
> u64 attr_version = 0, evict_ctr = 0;
> bool locked;
> + unsigned int nr_alloc = 0;
> + unsigned int i;
>
> - buf = kvmalloc(bufsize, GFP_KERNEL);
> - if (!buf)
> + pages = kvcalloc(nr_pages, sizeof(*pages), GFP_KERNEL);
struct page **pages __free(kvfree) = kvcalloc(nr_pages,
sizeof(*pages), GFP_KERNEL);
> + if (!pages)
> return -ENOMEM;
>
> - args->out_args[0].value = buf;
> + while (nr_alloc < nr_pages) {
> + unsigned int last = nr_alloc;
> +
> + nr_alloc = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages);
> + if (nr_alloc == last)
> + goto nomem;
> + }
I'd try this without the loop for less complexity. Falling back to a
shorter read shouldn't be a problem, as long as this doesn't happen
very often.
> +
> + ap->folios = fuse_folios_alloc(nr_pages, GFP_KERNEL, &ap->descs);
> + if (!ap->folios)
> + goto nomem;
> +
> + for (i = 0; i < nr_pages; i++) {
> + ap->folios[i] = page_folio(pages[i]);
> + ap->descs[i].length = min_t(size_t,
> + bufsize - (size_t)i * PAGE_SIZE,
> + PAGE_SIZE);
> + }
> + ap->num_folios = nr_pages;
> + args->out_pages = true;
>
> plus = fuse_use_readdirplus(inode, ctx);
> if (plus) {
> @@ -372,17 +401,35 @@ static int fuse_readdir_uncached(struct file *file, struct dir_context *ctx)
>
> if (ff->open_flags & FOPEN_CACHE_DIR)
> fuse_readdir_cache_end(file, ctx->pos);
> - } else if (plus) {
> - res = parse_dirplusfile(buf, res, file, ctx, attr_version,
> - evict_ctr);
> } else {
> - res = parse_dirfile(buf, res, file, ctx);
> + buf = vm_map_ram(pages, nr_pages, -1);
> + if (!buf) {
> + res = -ENOMEM;
> + } else {
> + if (plus)
> + res = parse_dirplusfile(buf, res, file, ctx,
> + attr_version,
> + evict_ctr);
> + else
> + res = parse_dirfile(buf, res, file, ctx);
> +
> + vm_unmap_ram(buf, nr_pages);
> + }
> }
> }
>
> - kvfree(buf);
> fuse_invalidate_atime(inode);
> +
> +out:
> + kfree(ap->folios);
> + for (i = 0; i < nr_alloc; i++)
> + __free_page(pages[i]);
release_pages()
> + kvfree(pages);
> return res;
> +
> +nomem:
> + res = -ENOMEM;
> + goto out;
Usual pattern is to just do res = -ENOMEM before each goto out (or
just the first if nothing else modifies res), so no double jump unless
absolutely necessary.
Thanks,
Miklos
© 2016 - 2026 Red Hat, Inc.