In the Linux kernel, the following vulnerability has been resolved:
zonefs: fix zonefs_iomap_begin() for reads
If a readahead is issued to a sequential zone file with an offset exactly equal to the current file size, the iomap type is set to IOMAP_UNWRITTEN, which will prevent an IO, but the iomap length is calculated as 0. This causes a WARN_ON() in iomap_iter():
[17309.548939] WARNING: CPU: 3 PID: 2137 at fs/iomap/iter.c:34 iomap_iter+0x9cf/0xe80
[...]
[17309.650907] RIP: 0010:iomap_iter+0x9cf/0xe80
[...]
[17309.754560] Call Trace:
[17309.757078] <TASK>
[17309.759240] ? lock_is_held_type+0xd8/0x130
[17309.763531] iomap_readahead+0x1a8/0x870
[17309.767550] ? iomap_read_folio+0x4c0/0x4c0
[17309.771817] ? lockdep_hardirqs_on_prepare+0x400/0x400
[17309.778848] ? lock_release+0x370/0x750
[17309.784462] ? folio_add_lru+0x217/0x3f0
[17309.790220] ? reacquire_held_locks+0x4e0/0x4e0
[17309.796543] read_pages+0x17d/0xb60
[17309.801854] ? folio_add_lru+0x238/0x3f0
[17309.807573] ? readahead_expand+0x5f0/0x5f0
[17309.813554] ? policy_node+0xb5/0x140
[17309.819018] page_cache_ra_unbounded+0x27d/0x450
[17309.825439] filemap_get_pages+0x500/0x1450
[17309.831444] ? filemap_add_folio+0x140/0x140
[17309.837519] ? lock_is_held_type+0xd8/0x130
[17309.843509] filemap_read+0x28c/0x9f0
[17309.848953] ? zonefs_file_read_iter+0x1ea/0x4d0 [zonefs]
[17309.856162] ? trace_contention_end+0xd6/0x130
[17309.862416] ? __mutex_lock+0x221/0x1480
[17309.868151] ? zonefs_file_read_iter+0x166/0x4d0 [zonefs]
[17309.875364] ? filemap_get_pages+0x1450/0x1450
[17309.881647] ? __mutex_unlock_slowpath+0x15e/0x620
[17309.888248] ? wait_for_completion_io_timeout+0x20/0x20
[17309.895231] ? lock_is_held_type+0xd8/0x130
[17309.901115] ? lock_is_held_type+0xd8/0x130
[17309.906934] zonefs_file_read_iter+0x356/0x4d0 [zonefs]
[17309.913750] new_sync_read+0x2d8/0x520
[17309.919035] ? __x64_sys_lseek+0x1d0/0x1d0
Furthermore, this causes iomap_readahead() to loop forever as iomap_readahead_iter() always returns 0, making no progress.
Fix this by treating reads after the file size as access to holes, setting the iomap type to IOMAP_HOLE, the iomap addr to IOMAP_NULL_ADDR and using the length argument as is for the iomap length. To simplify the code with this change, zonefs_iomap_begin() is split into the read variant, zonefs_read_iomap_begin() and zonefs_read_iomap_ops, and the write variant, zonefs_write_iomap_begin() and zonefs_write_iomap_ops.
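
The zero-length mapping and the hole-based fix described above, as a simplified userspace model added here for illustration (not the kernel's code). It assumes block-aligned offsets and a zone starting at address 0; every model_/MODEL_ name is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
/* Userspace model, zone start 0; all model_/MODEL_ names are hypothetical. */
enum model_type { MODEL_HOLE, MODEL_MAPPED, MODEL_UNWRITTEN };
#define MODEL_NULL_ADDR UINT64_MAX
struct model_iomap { enum model_type type; uint64_t addr, length; };
typedef struct model_iomap (*model_begin_fn)(uint64_t, uint64_t, uint64_t);

/* Before: length is clamped to what is left below isize (0 at off == isize). */
static struct model_iomap model_before(uint64_t isize, uint64_t off, uint64_t len)
{
    uint64_t left = off < isize ? isize - off : 0;
    struct model_iomap m = { off >= isize ? MODEL_UNWRITTEN : MODEL_MAPPED, off, 0 };
    m.length = len < left ? len : left;
    return m;
}

/* After: a read at or past isize is a hole that keeps the caller's length. */
static struct model_iomap model_after(uint64_t isize, uint64_t off, uint64_t len)
{
    struct model_iomap m = model_before(isize, off, len);
    if (off >= isize) {
        m.type = MODEL_HOLE;
        m.addr = MODEL_NULL_ADDR;
        m.length = len;
    }
    return m;
}

/* Readahead-style consumer: bytes covered, or -1 on a zero-length mapping. */
static int64_t model_walk(model_begin_fn begin, uint64_t isize, uint64_t pos, uint64_t len)
{
    uint64_t done = 0;
    while (done < len) {
        struct model_iomap m = begin(isize, pos + done, len - done);
        if (m.length == 0)
            return -1;            /* no forward progress: the real loop spins */
        done += m.length;
    }
    return (int64_t)done;
}

/* Constructed sample: 8 KiB file, 4 KiB readahead starting at EOF. */
int main(void)
{
    printf("before=%lld\n", (long long)model_walk(model_before, 8192, 8192, 4096));
    printf("after=%lld\n", (long long)model_walk(model_after, 8192, 8192, 4096));
    return 0;
}
```

The model reports the stall as -1 instead of spinning, so the failing case can be exercised safely in a test.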