fs/fuse/readdir.c | 64 +++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 54 insertions(+), 10 deletions(-)
Commit dabb90391028 ("fuse: increase readdir buffer size") changed
fuse_readdir_uncached() to size its temporary buffer from ctx->count.
This is useful for overlayfs and other in-kernel callers that use
INT_MAX to indicate an unlimited directory read.
The buffer is capped by fc->max_pages converted to bytes with PAGE_SIZE.
However, fc->max_pages is a page-count limit, not a byte-sized payload
limit. READDIR is a read-side operation, so include fc->max_read in the
cap. Also keep fc->max_write in the cap: it is the daemon-advertised
byte-sized payload limit relevant to virtiofs in the failing
configuration, while fc->max_read can remain effectively unlimited there.
The larger buffer is also currently supplied as a kvec output argument.
For virtiofs, kvec arguments are copied through req->argbuf, which is
allocated with kmalloc(..., GFP_ATOMIC). A large readdir buffer can
therefore require a multi-megabyte contiguous atomic allocation and fail
with -ENOMEM.
This was observed with a 64K-page guest on a 4K-page host, using an
overlayfs mount whose lower directory is on virtiofs. Reading a merged
directory through overlayfs failed with:
ls: reading directory '<path>': Cannot allocate memory
Avoid the oversized request and the large bounce-buffer allocation by
capping the requested byte size by fc->max_pages, fc->max_read, and
fc->max_write, then backing the uncached readdir output with pages and
setting out_pages. The virtiofs transport can then pass the pages as
scatter-gather entries instead of copying the output through argbuf.
Map the pages with vm_map_ram() only while parsing the returned dirents,
so the existing parser can continue to operate on a linear kernel mapping.
Fixes: dabb90391028 ("fuse: increase readdir buffer size")
Cc: stable@vger.kernel.org
Signed-off-by: Matthew R. Ochs <mochs@nvidia.com>
---
v3:
- Cap the requested byte size by fc->max_read in addition to fc->max_pages
and fc->max_write.
- Use clamp_t(size_t, ...) for the readdir buffer size calculation.
- Use __free(kvfree) for the temporary page pointer array.
- Use release_pages() for pages allocated by alloc_pages_bulk().
- Handle partial alloc_pages_bulk() success by shrinking the request size.
- Verified with --overlay-rwdir across 4K/64K host and guest page sizes.
- Link to v2: https://lore.kernel.org/all/20260428233028.2747981-1-mochs@nvidia.com/
v2:
- Reworked uncached readdir to use output pages and out_pages, per Miklos.
- Cap the requested byte size by both fc->max_pages and fc->max_write.
- Map pages with vm_map_ram() only while parsing returned dirents.
- Verified with --overlay-rwdir across 4K/64K host and guest page sizes.
- Link to v1: https://lore.kernel.org/all/20260428021304.2338592-1-mochs@nvidia.com/
fs/fuse/readdir.c | 64 +++++++++++++++++++++++++++++++++++++++--------
1 file changed, 54 insertions(+), 10 deletions(-)
diff --git a/fs/fuse/readdir.c b/fs/fuse/readdir.c
index db5ae8ec1030..8116688fe5b2 100644
--- a/fs/fuse/readdir.c
+++ b/fs/fuse/readdir.c
@@ -12,6 +12,7 @@
#include <linux/posix_acl.h>
#include <linux/pagemap.h>
#include <linux/highmem.h>
+#include <linux/vmalloc.h>
static bool fuse_use_readdirplus(struct inode *dir, struct dir_context *ctx)
{
@@ -343,17 +344,48 @@ static int fuse_readdir_uncached(struct file *file, struct dir_context *ctx)
struct fuse_mount *fm = get_fuse_mount(inode);
struct fuse_conn *fc = fm->fc;
struct fuse_io_args ia = {};
- struct fuse_args *args = &ia.ap.args;
+ struct fuse_args_pages *ap = &ia.ap;
+ struct fuse_args *args = &ap->args;
+ struct page **pages __free(kvfree) = NULL;
void *buf;
- size_t bufsize = clamp((unsigned int) ctx->count, PAGE_SIZE, fc->max_pages << PAGE_SHIFT);
+ size_t max_bufsize = min3((size_t)fc->max_pages << PAGE_SHIFT,
+ (size_t)fc->max_read,
+ (size_t)fc->max_write);
+ size_t bufsize = clamp_t(size_t, ctx->count, PAGE_SIZE, max_bufsize);
+ unsigned int nr_pages = DIV_ROUND_UP(bufsize, PAGE_SIZE);
u64 attr_version = 0, evict_ctr = 0;
bool locked;
+ unsigned int nr_alloc;
+ unsigned int i;
- buf = kvmalloc(bufsize, GFP_KERNEL);
- if (!buf)
+ pages = kvcalloc(nr_pages, sizeof(*pages), GFP_KERNEL);
+ if (!pages)
return -ENOMEM;
- args->out_args[0].value = buf;
+ nr_alloc = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages);
+ if (!nr_alloc) {
+ res = -ENOMEM;
+ goto out;
+ }
+ if (nr_alloc < nr_pages) {
+ nr_pages = nr_alloc;
+ bufsize = (size_t)nr_pages << PAGE_SHIFT;
+ }
+
+ ap->folios = fuse_folios_alloc(nr_pages, GFP_KERNEL, &ap->descs);
+ if (!ap->folios) {
+ res = -ENOMEM;
+ goto out;
+ }
+
+ for (i = 0; i < nr_pages; i++) {
+ ap->folios[i] = page_folio(pages[i]);
+ ap->descs[i].length = min_t(size_t,
+ bufsize - (size_t)i * PAGE_SIZE,
+ PAGE_SIZE);
+ }
+ ap->num_folios = nr_pages;
+ args->out_pages = true;
plus = fuse_use_readdirplus(inode, ctx);
if (plus) {
@@ -372,16 +404,28 @@ static int fuse_readdir_uncached(struct file *file, struct dir_context *ctx)
if (ff->open_flags & FOPEN_CACHE_DIR)
fuse_readdir_cache_end(file, ctx->pos);
- } else if (plus) {
- res = parse_dirplusfile(buf, res, file, ctx, attr_version,
- evict_ctr);
} else {
- res = parse_dirfile(buf, res, file, ctx);
+ buf = vm_map_ram(pages, nr_pages, -1);
+ if (!buf) {
+ res = -ENOMEM;
+ } else {
+ if (plus)
+ res = parse_dirplusfile(buf, res, file, ctx,
+ attr_version,
+ evict_ctr);
+ else
+ res = parse_dirfile(buf, res, file, ctx);
+
+ vm_unmap_ram(buf, nr_pages);
+ }
}
}
- kvfree(buf);
fuse_invalidate_atime(inode);
+
+out:
+ kfree(ap->folios);
+ release_pages(pages, nr_alloc);
return res;
}
--
2.50.1On Tue, 19 May 2026 at 02:47, Matthew R. Ochs <mochs@nvidia.com> wrote: > This was observed with a 64K-page guest on a 4K-page host, using an > overlayfs mount whose lower directory is on virtiofs. Reading a merged > directory through overlayfs failed with: > > ls: reading directory '<path>': Cannot allocate memory IDGI, the patch makes FUSE_READDIR supply an array of folios. Virtiofs shouldn't need to allocate a large argbuf after that. What am I missing? Thanks, Miklos
© 2016 - 2026 Red Hat, Inc.