From 5e21e7f6561a2a835c92382fdac2f112bb275b84 Mon Sep 17 00:00:00 2001
From: Rishabh Dave <ridave@redhat.com>
Date: Wed, 16 Jul 2025 21:34:18 +0530
Subject: [PATCH] client: in fcopyfile(), update len to read only leftover
 fragment

fcopyfile() reads 1 MiB of data every time but when a fragment smaller
than 1 MiB is left, it still reads 1 MiB of data, causing to never meet
the condition of "off == size". This leads to an infinity loop which
continues to write until CephFS becomes full.

Resolves: rhbz#2379716
Fixes: https://tracker.ceph.com/issues/72238
Signed-off-by: Rishabh Dave <ridave@redhat.com>
---
 src/client/Client.cc | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/client/Client.cc b/src/client/Client.cc
index 84b6fb3406d..89bea2f7d54 100644
--- a/src/client/Client.cc
+++ b/src/client/Client.cc
@@ -18699,7 +18699,9 @@ int Client::fcopyfile(const char *spath, const char *dpath, UserPerm& perms, mod
         if (r < 0) {
           ldout(cct, 10) << "fcopyfile: error reading copy data, r=" << r << dendl;
           goto out;
-        }
+        } else {
+	  len = r;
+	}
 
         r = write(dest, in_buf, len, off);
         if (r < 0) {
@@ -18708,8 +18710,15 @@ int Client::fcopyfile(const char *spath, const char *dpath, UserPerm& perms, mod
         }
         off = off + len;
 
-        if (off == size)
+        if (off == size) {
           break;
+	} else if (off > size) {
+	  ldout(cct, 0) << __FILE__ << ",  " << __func__ << "() at " << __LINE__
+		        << " internal error: \"off\" is greater than \"size\"; "
+			" off = " << off << " size = " << size << dendl;
+	  r = -1;
+	  goto out;
+	}
       }
     }
     out:
-- 
2.39.5