libxfs: fix data corruption bug in libxfs_file_write
authorDarrick J. Wong <djwong@kernel.org>
Mon, 2 Mar 2026 20:55:34 +0000 (12:55 -0800)
committerDarrick J. Wong <djwong@kernel.org>
Tue, 10 Mar 2026 03:34:29 +0000 (20:34 -0700)
libxfs_file_write tries to initialize the entire file block buffer,
which includes zeroing the head portion if @pos is not aligned to the
filesystem block size.  However, @buf is the file data to copy in at
position @pos, not the position of the file block.  Therefore, block_off
should be added to b_addr, not buf.

Cc: <linux-xfs@vger.kernel.org> # v6.13.0
Fixes: 73fb78e5ee8940 ("mkfs: support copying in large or sparse files")
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
libxfs/util.c

index 8dba3ef0c66139c7718edb803e3633007fa7dea0..2b1c32efc4709a0a8c3b39ffdf10f313d632435c 100644 (file)
@@ -650,7 +650,8 @@ get_random_u32(void)
 
 /*
  * Write a buffer to a file on the data device.  There must not be sparse holes
- * or unwritten extents.
+ * or unwritten extents, and the blocks underneath the file range will be
+ * completely overwritten.
  */
 int
 libxfs_file_write(
@@ -697,7 +698,7 @@ libxfs_file_write(
                if (block_off > 0)
                        memset((char *)bp->b_addr, 0, block_off);
                count = min(len, XFS_FSB_TO_B(mp, map.br_blockcount));
-               memmove(bp->b_addr, buf + block_off, count);
+               memmove(bp->b_addr + block_off, buf, count);
                bcount = BBTOB(bp->b_length);
                if (count < bcount)
                        memset((char *)bp->b_addr + block_off + count, 0,
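Review bot: The copy `memmove(bp->b_addr + block_off, buf, count)` can now run past the end of the buffer, because `count` is still clamped only to `len` and the full mapping size, not to the space left after `block_off`. When `pos` is unaligned and `len` reaches the end of the mapping, `block_off + count` exceeds the mapped bytes. The tail `memset` guarded by `count < bcount` would then get a wrapped length if it subtracts `block_off + count` from `bcount`; its second line is outside the hunk, as is the rest of the function body, so that part is inferred. Clamping first, e.g. `count = min(len, XFS_FSB_TO_B(mp, map.br_blockcount) - block_off);`, and testing `block_off + count < bcount` before the tail zeroing would keep both writes inside the buffer. The new line also does pointer arithmetic on `bp->b_addr` without the `(char *)` cast that the neighbouring `memset` calls use.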