From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 18 Feb 2025 12:55:30 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v6.1.129~54
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0e2ad992444463b5181c8c2d25594198b88eab64;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	btrfs-fix-hole-expansion-when-writing-at-an-offset-beyond-eof.patch
---

diff --git a/queue-6.1/btrfs-fix-hole-expansion-when-writing-at-an-offset-beyond-eof.patch b/queue-6.1/btrfs-fix-hole-expansion-when-writing-at-an-offset-beyond-eof.patch
new file mode 100644
index 0000000000..8436a0553e
--- /dev/null
+++ b/queue-6.1/btrfs-fix-hole-expansion-when-writing-at-an-offset-beyond-eof.patch
@@ -0,0 +1,103 @@
+From da2dccd7451de62b175fb8f0808d644959e964c7 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 5 Feb 2025 17:36:48 +0000
+Subject: btrfs: fix hole expansion when writing at an offset beyond EOF
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit da2dccd7451de62b175fb8f0808d644959e964c7 upstream.
+
+At btrfs_write_check() if our file's i_size is not sector size aligned and
+we have a write that starts at an offset larger than the i_size that falls
+within the same page of the i_size, then we end up not zeroing the file
+range [i_size, write_offset).
+
+The code is this:
+
+    start_pos = round_down(pos, fs_info->sectorsize);
+    oldsize = i_size_read(inode);
+    if (start_pos > oldsize) {
+        /* Expand hole size to cover write data, preventing empty gap */
+        loff_t end_pos = round_up(pos + count, fs_info->sectorsize);
+
+        ret = btrfs_cont_expand(BTRFS_I(inode), oldsize, end_pos);
+        if (ret)
+            return ret;
+    }
+
+So if our file's i_size is 90269 bytes and a write at offset 90365 bytes
+comes in, we get 'start_pos' set to 90112 bytes, which is less than the
+i_size and therefore we don't zero out the range [90269, 90365) by
+calling btrfs_cont_expand().
+
+This is an old bug introduced in commit 9036c10208e1 ("Btrfs: update hole
+handling v2"), from 2008, and the buggy code got moved around over the
+years.
+
+Fix this by discarding 'start_pos' and comparing against the write offset
+('pos') without any alignment.
+
+This bug was recently exposed by test case generic/363 which tests this
+scenario by polluting ranges beyond EOF with an mmap write and than verify
+that after a file increases we get zeroes for the range which is supposed
+to be a hole and not what we wrote with the previous mmaped write.
+
+We're only seeing this exposed now because generic/363 used to run only
+on xfs until last Sunday's fstests update.
+
+The test was failing like this:
+
+   $ ./check generic/363
+   FSTYP         -- btrfs
+   PLATFORM      -- Linux/x86_64 debian0 6.13.0-rc7-btrfs-next-185+ #17 SMP PREEMPT_DYNAMIC Mon Feb  3 12:28:46 WET 2025
+   MKFS_OPTIONS  -- /dev/sdc
+   MOUNT_OPTIONS -- /dev/sdc /home/fdmanana/btrfs-tests/scratch_1
+
+   generic/363 0s ... [failed, exit status 1]- output mismatch (see /home/fdmanana/git/hub/xfstests/results//generic/363.out.bad)
+#      --- tests/generic/363.out	2025-02-05 15:31:14.013646509 +0000
+#      +++ /home/fdmanana/git/hub/xfstests/results//generic/363.out.bad	2025-02-05 17:25:33.112630781 +0000
+       @@ -1 +1,46 @@
+        QA output created by 363
+       +READ BAD DATA: offset = 0xdcad, size = 0xd921, fname = /home/fdmanana/btrfs-tests/dev/junk
+       +OFFSET      GOOD    BAD     RANGE
+       +0x1609d     0x0000  0x3104  0x0
+       +operation# (mod 256) for the bad data may be 4
+       +0x1609e     0x0000  0x0472  0x1
+       +operation# (mod 256) for the bad data may be 4
+       ...
+       (Run 'diff -u /home/fdmanana/git/hub/xfstests/tests/generic/363.out /home/fdmanana/git/hub/xfstests/results//generic/363.out.bad'  to see the entire diff)
+   Ran: generic/363
+   Failures: generic/363
+   Failed 1 of 1 tests
+
+Fixes: 9036c10208e1 ("Btrfs: update hole handling v2")
+CC: stable@vger.kernel.org
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/file.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -1122,7 +1122,6 @@ static int btrfs_write_check(struct kioc
+ 	loff_t pos = iocb->ki_pos;
+ 	int ret;
+ 	loff_t oldsize;
+-	loff_t start_pos;
+ 
+ 	/*
+ 	 * Quickly bail out on NOWAIT writes if we don't have the nodatacow or
+@@ -1147,9 +1146,8 @@ static int btrfs_write_check(struct kioc
+ 	 */
+ 	update_time_for_write(inode);
+ 
+-	start_pos = round_down(pos, fs_info->sectorsize);
+ 	oldsize = i_size_read(inode);
+-	if (start_pos > oldsize) {
++	if (pos > oldsize) {
+ 		/* Expand hole size to cover write data, preventing empty gap */
+ 		loff_t end_pos = round_up(pos + count, fs_info->sectorsize);
+ 
diff --git a/queue-6.1/series b/queue-6.1/series
index afe99dfcd1..e194c77858 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -532,3 +532,4 @@ regmap-irq-add-missing-kfree.patch
 arm64-handle-.arm.attributes-section-in-linker-scripts.patch
 mmc-mtk-sd-fix-register-settings-for-hs400-es-mode.patch
 mlxsw-add-return-value-check-for-mlxsw_sp_port_get_stats_raw.patch
+btrfs-fix-hole-expansion-when-writing-at-an-offset-beyond-eof.patch