Calling ftruncate() in xfs_write_zeroes() is dangerous because it may yield and then discard data that parallel write requests have written past the old EOF in the meantime. We must not use it here.
Instead, return -ENOTSUP and let the more generic fallocate code handle writing zeroes past the EOF. Reported-by: Lukáš Doktor <ldok...@redhat.com> Fixes: 50ba5b2d994853b38fed10e0841b119da0f8b8e5 Cc: qemu-sta...@nongnu.org Signed-off-by: Max Reitz <mre...@redhat.com> --- block/file-posix.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/block/file-posix.c b/block/file-posix.c index fbeb0068db..b49e0784a4 100644 --- a/block/file-posix.c +++ b/block/file-posix.c @@ -1472,10 +1472,13 @@ static int xfs_write_zeroes(BDRVRawState *s, int64_t offset, uint64_t bytes) } if (offset + bytes > len) { - /* XFS_IOC_ZERO_RANGE does not increase the file length */ - if (ftruncate(s->fd, offset + bytes) < 0) { - return -errno; - } + /* + * XFS_IOC_ZERO_RANGE does not increase the file length, but + * the caller probably wants us to. + * Calling ftruncate() would not be safe, so let the generic + * implementation handle this case. + */ + return -ENOTSUP; } memset(&fl, 0, sizeof(fl)); @@ -1580,7 +1583,10 @@ static int handle_aiocb_write_zeroes(void *opaque) #ifdef CONFIG_XFS if (s->is_xfs) { - return xfs_write_zeroes(s, aiocb->aio_offset, aiocb->aio_nbytes); + int ret = xfs_write_zeroes(s, aiocb->aio_offset, aiocb->aio_nbytes); + if (ret != -ENOTSUP) { + return ret; + } } #endif -- 2.21.0
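Review bot: In the first hunk (xfs_write_zeroes), the early `return -ENOTSUP;` when `offset + bytes > len` gives up the XFS_IOC_ZERO_RANGE fast path for the whole request as soon as any part of it lies past EOF, including the portion below `len` that the ioctl could still zero without growing the file. Dropping the whole request to the generic path is the safer choice, since zeroing the in-file part here and leaving only the tail to the generic code would reintroduce partial-completion bookkeeping, but the new comment should state that trade-off rather than the vaguer "the caller probably wants us to": the caller asked for `bytes` bytes at `offset`, so the file must end up at least `offset + bytes` long, and that is exactly what this function can no longer guarantee safely.

Review bot: In the second hunk (handle_aiocb_write_zeroes), `if (ret != -ENOTSUP) { return ret; }` lets every -ENOTSUP from xfs_write_zeroes fall through to the generic code after the `#endif`, not only the deliberate past-EOF case introduced in the first hunk. That is the right behaviour (the generic path is the fallback for anything XFS_IOC_ZERO_RANGE cannot do), but a one-line comment at the fall-through point would keep a later reader from assuming the XFS branch always completes the request; all other errors are still returned directly, which matches the previous behaviour. Declaring `ret` inside the `if (s->is_xfs)` block is correct as written, since it keeps the variable inside `#ifdef CONFIG_XFS` and avoids an unused-variable warning on builds without XFS support.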