btrfs: fix incorrect readahead expansion length

boryas · opsiff · commit 73f904f3952c · 2025-11-21T18:52:49.000+08:00
commit 8ab2fa6 upstream. The intent of btrfs_readahead_expand() was to expand to the length of the current compressed extent being read. However, "ram_bytes" is *not* that, in the case where a single physical compressed extent is used for multiple file extents. Consider this case with a large compressed extent C and then later two non-compressed extents N1 and N2 written over C, leaving C1 and C2 pointing to offset/len pairs of C: [ C ] [ N1 ][ C1 ][ N2 ][ C2 ] In such a case, ram_bytes for both C1 and C2 is the full uncompressed length of C. So starting readahead in C1 will expand the readahead past the end of C1, past N2, and into C2. This will then expand readahead again, to C2_start + ram_bytes, way past EOF. First of all, this is totally undesirable, we don't want to read the whole file in arbitrary chunks of the large underlying extent if it happens to exist. Secondly, it results in zeroing the range past the end of C2 up to ram_bytes. This is particularly unpleasant with fs-verity as it can zero and set uptodate pages in the verity virtual space past EOF. This incorrect readahead behavior can lead to verity verification errors, if we iterate in a way that happens to do the wrong readahead. Fix this by using em->len for readahead expansion, not em->ram_bytes, resulting in the expected behavior of stopping readahead at the extent boundary. Reported-by: Max Chernoff <git@maxchernoff.ca> Link: https://bugzilla.redhat.com/show_bug.cgi?id=2399898 Fixes: 9e9ff87 ("btrfs: use readahead_expand() on compressed extents") CC: stable@vger.kernel.org # 6.17 Reviewed-by: Filipe Manana <fdmanana@suse.com> Signed-off-by: Boris Burkov <boris@bur.io> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit ebbf0d45be4165bf362da80dd1f9d00c674afefc)
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
@@ -985,7 +985,7 @@ static void btrfs_readahead_expand(struct readahead_control *ractl,
 {
 	const u64 ra_pos = readahead_pos(ractl);
 	const u64 ra_end = ra_pos + readahead_length(ractl);
-	const u64 em_end = em->start + em->ram_bytes;
+	const u64 em_end = em->start + em->len;
 
 	/* No expansion for holes and inline extents. */
 	if (em->block_start > EXTENT_MAP_LAST_BYTE)

Original file line number	Diff line number	Diff line change
`@@ -985,7 +985,7 @@ static void btrfs_readahead_expand(struct readahead_control *ractl,`
`985`	`985`	`{`
`986`	`986`	`const u64 ra_pos = readahead_pos(ractl);`
`987`	`987`	`const u64 ra_end = ra_pos + readahead_length(ractl);`
`988`		`- const u64 em_end = em->start + em->ram_bytes;`
	`988`	`+ const u64 em_end = em->start + em->len;`
`989`	`989`
`990`	`990`	`/* No expansion for holes and inline extents. */`
`991`	`991`	`if (em->block_start > EXTENT_MAP_LAST_BYTE)`