msdosfs: zero partially valid extended cluster

It contains arbitrary garbage, which is not cleared by vfs_bio_clrbuf()
which only zeroes invalid portions of the pages.

Reported by:	Maxim Suhanov <dfirblog@gmail.com>
Discussed with:	so
Tested by:	pho
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week

1 files changed, 8 insertions, 1 deletions

diff --git a/sys/fs/msdosfs/msdosfs_denode.c b/sys/fs/msdosfs/msdosfs_denode.c
index 7acd90c8e713..ce7058b3ae60 100644
--- a/sys/fs/msdosfs/msdosfs_denode.c
+++ b/sys/fs/msdosfs/msdosfs_denode.c
@@ -498,6 +498,7 @@ deextend(struct denode *dep, u_long length, struct ucred *cred)
 	struct msdosfsmount *pmp = dep->de_pmp;
 	struct vnode *vp = DETOV(dep);
 	struct buf *bp;
+	off_t eof_clusteroff;
 	u_long count;
 	int error;
 
@@ -536,13 +537,19 @@ deextend(struct denode *dep, u_long length, struct ucred *cred)
 	 * B_CACHE | B_DELWRI but with invalid pages, and cannot be
 	 * neither written out nor validated.
 	 *
-	 * Fix it by proactively clearing extended pages.
+	 * Fix it by proactively clearing extended pages.  Need to do
+	 * both vfs_bio_clrbuf() to mark pages valid, and to zero
+	 * actual buffer content which might exist in the tail of the
+	 * already valid cluster.
 	 */
 	error = bread(vp, de_cluster(pmp, dep->de_FileSize), pmp->pm_bpcluster,
 	    NOCRED, &bp);
 	if (error != 0)
 		goto rewind;
 	vfs_bio_clrbuf(bp);
+	eof_clusteroff = de_cn2off(pmp, de_cluster(pmp, dep->de_FileSize));
+	vfs_bio_bzero_buf(bp, dep->de_FileSize - eof_clusteroff,
+	    pmp->pm_bpcluster - dep->de_FileSize + eof_clusteroff);
 	if (!DOINGASYNC(vp))
 		(void)bwrite(bp);
 	else if (vm_page_count_severe() || buf_dirty_count_severe())