Commit dabb90391028 ("fuse: increase readdir buffer size") changed
fuse_readdir_uncached() to size its temporary buffer from ctx->count.
This is useful for overlayfs and other in-kernel callers that use
INT_MAX to indicate an unlimited directory read.

The larger buffer is currently supplied as a kvec output argument. For
virtiofs, kvec arguments are copied through req->argbuf, which is
allocated with kmalloc(..., GFP_ATOMIC). A large uncached readdir buffer
can therefore require a multi-megabyte contiguous atomic allocation
before the request is queued.

Avoid the large bounce-buffer allocation by backing uncached readdir
output with pages and setting out_pages. Transports such as virtiofs can
then pass the pages as scatter-gather entries instead of copying the
output through argbuf.

Map the pages with vm_map_ram() only while parsing the returned dirents.
The existing parser can then continue to use a linear kernel mapping.

Fixes: dabb90391028 ("fuse: increase readdir buffer size")
Cc: stable@vger.kernel.org
Signed-off-by: Matthew R. Ochs <mochs@nvidia.com>
---
v4:
- Drop the fc->max_read/fc->max_write request-size cap.
- Keep the existing uncached readdir buffer sizing logic unchanged.
- Limit this patch to backing uncached readdir output with pages.
- Update the commit message to describe only the kernel-side argbuf fix.
- The remaining 4K-host/64K-guest ENOMEM was traced to virtiofsd rejecting
  READDIR sizes larger than its MAX_BUFFER_SIZE; a virtiofsd fix is being
  handled separately.
- Link to v3: https://lore.kernel.org/all/20260519004746.3203156-1-mochs@nvidia.com/

v3:
- Cap the requested byte size by fc->max_read in addition to fc->max_pages
  and fc->max_write.
- Use clamp_t(size_t, ...) for the readdir buffer size calculation.
- Use __free(kvfree) for the temporary page pointer array.
- Use release_pages() for pages allocated by alloc_pages_bulk().
- Handle partial alloc_pages_bulk() success by shrinking the request size.
- Verified with --overlay-rwdir across 4K/64K host and guest page sizes.
- Link to v2: https://lore.kernel.org/all/20260428233028.2747981-1-mochs@nvidia.com/

v2:
- Reworked uncached readdir to use output pages and out_pages, per Miklos.
- Cap the requested byte size by both fc->max_pages and fc->max_write.
- Map pages with vm_map_ram() only while parsing returned dirents.
- Verified with --overlay-rwdir across 4K/64K host and guest page sizes.
- Link to v1: https://lore.kernel.org/all/20260428021304.2338592-1-mochs@nvidia.com/

 fs/fuse/readdir.c | 59 +++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 50 insertions(+), 9 deletions(-)

diff --git a/fs/fuse/readdir.c b/fs/fuse/readdir.c
index db5ae8ec1030..48b5e7682e47 100644
--- a/fs/fuse/readdir.c
+++ b/fs/fuse/readdir.c
@@ -12,6 +12,7 @@
 #include <linux/posix_acl.h>
 #include <linux/pagemap.h>
 #include <linux/highmem.h>
+#include <linux/vmalloc.h>
 
 static bool fuse_use_readdirplus(struct inode *dir, struct dir_context *ctx)
 {
@@ -343,17 +344,45 @@ static int fuse_readdir_uncached(struct file *file, struct dir_context *ctx)
 	struct fuse_mount *fm = get_fuse_mount(inode);
 	struct fuse_conn *fc = fm->fc;
 	struct fuse_io_args ia = {};
-	struct fuse_args *args = &ia.ap.args;
+	struct fuse_args_pages *ap = &ia.ap;
+	struct fuse_args *args = &ap->args;
+	struct page **pages __free(kvfree) = NULL;
 	void *buf;
 	size_t bufsize = clamp((unsigned int) ctx->count, PAGE_SIZE, fc->max_pages << PAGE_SHIFT);
+	unsigned int nr_pages = DIV_ROUND_UP(bufsize, PAGE_SIZE);
 	u64 attr_version = 0, evict_ctr = 0;
 	bool locked;
+	unsigned int nr_alloc;
+	unsigned int i;
 
-	buf = kvmalloc(bufsize, GFP_KERNEL);
-	if (!buf)
+	pages = kvcalloc(nr_pages, sizeof(*pages), GFP_KERNEL);
+	if (!pages)
 		return -ENOMEM;
 
-	args->out_args[0].value = buf;
+	nr_alloc = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages);
+	if (!nr_alloc) {
+		res = -ENOMEM;
+		goto out;
+	}
+	if (nr_alloc < nr_pages) {
+		nr_pages = nr_alloc;
+		bufsize = (size_t)nr_pages << PAGE_SHIFT;
+	}
+
+	ap->folios = fuse_folios_alloc(nr_pages, GFP_KERNEL, &ap->descs);
+	if (!ap->folios) {
+		res = -ENOMEM;
+		goto out;
+	}
+
+	for (i = 0; i < nr_pages; i++) {
+		ap->folios[i] = page_folio(pages[i]);
+		ap->descs[i].length = min_t(size_t,
+					    bufsize - (size_t)i * PAGE_SIZE,
+					    PAGE_SIZE);
+	}
+	ap->num_folios = nr_pages;
+	args->out_pages = true;
 
 	plus = fuse_use_readdirplus(inode, ctx);
 	if (plus) {
@@ -372,16 +401,28 @@ static int fuse_readdir_uncached(struct file *file, struct dir_context *ctx)
 
 			if (ff->open_flags & FOPEN_CACHE_DIR)
 				fuse_readdir_cache_end(file, ctx->pos);
-		} else if (plus) {
-			res = parse_dirplusfile(buf, res, file, ctx, attr_version,
-						evict_ctr);
 		} else {
-			res = parse_dirfile(buf, res, file, ctx);
+			buf = vm_map_ram(pages, nr_pages, -1);
+			if (!buf) {
+				res = -ENOMEM;
+			} else {
+				if (plus)
+					res = parse_dirplusfile(buf, res, file, ctx,
+								attr_version,
+								evict_ctr);
+				else
+					res = parse_dirfile(buf, res, file, ctx);
+
+				vm_unmap_ram(buf, nr_pages);
+			}
 		}
 	}
 
-	kvfree(buf);
 	fuse_invalidate_atime(inode);
+
+out:
+	kfree(ap->folios);
+	release_pages(pages, nr_alloc);
 	return res;
 }
 
-- 
2.50.1