diff --git a/0006-xfs_io-fix-mread-with-length-1-mod-page-size.patch b/0006-xfs_io-fix-mread-with-length-1-mod-page-size.patch
new file mode 100644
index 0000000000000000000000000000000000000000..216dc7f1be7e618011427d064f5c56d9e5f841e2
--- /dev/null
+++ b/0006-xfs_io-fix-mread-with-length-1-mod-page-size.patch
@@ -0,0 +1,72 @@
+From 7ea701ffc7cf306a903f2966519b3f5aedfb77ea Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Tue, 11 Jun 2024 11:29:28 -0700
+Subject: xfs_io: fix mread with length 1 mod page size
+
+Fix a weird bug in mread where if you passed it a length that was 1
+modulo the page size, for example
+
+ xfs_io -r file -c "mmap -r 0 8192" -c "mread -v 0 4097"
+
+... it never reset its pointer into the buffer into which it copies the
+data from the memory map. This caused an out-of-bounds write, which
+depending on the length passed could be very large and reliably
+segfault. Also nothing was printed, despite the use of -v option.
+
+(I don't know if this case gets reached by any existing xfstest, but
+presumably not. I noticed it while working on a patch to an xfstest.)
+
+Signed-off-by: Eric Biggers
+Reviewed-by: Darrick J. Wong
+---
+ io/mmap.c | 20 ++++++--------------
+ 1 file changed, 6 insertions(+), 14 deletions(-)
+
+diff --git a/io/mmap.c b/io/mmap.c
+index 425957d..a5f30e0 100644
+--- a/io/mmap.c
++++ b/io/mmap.c
+@@ -472,34 +472,26 @@ mread_f(
+ dumplen = pagesize;
+
+ if (rflag) {
+- for (tmp = length - 1, c = 0; tmp >= 0; tmp--, c = 1) {
+- *bp = *(((char *)mapping->addr) + dumpoffset + tmp);
+- cnt++;
+- if (c && cnt == dumplen) {
++ for (tmp = length - 1; tmp >= 0; tmp--) {
++ bp[cnt++] = ((char *)mapping->addr)[dumpoffset + tmp];
++ if (cnt == dumplen) {
+ if (dump) {
+ dump_buffer(printoffset, dumplen);
+ printoffset += dumplen;
+ }
+- bp = (char *)io_buffer;
+ dumplen = pagesize;
+ cnt = 0;
+- } else {
+- bp++;
+ }
+ }
+ } else {
+- for (tmp = 0, c = 0; tmp < length; tmp++, c = 1) {
+- *bp = *(((char *)mapping->addr) + dumpoffset + tmp);
+- cnt++;
+- if (c && cnt == dumplen) {
++ for (tmp = 0; tmp < length; tmp++) {
++ bp[cnt++] = ((char *)mapping->addr)[dumpoffset + tmp];
++ if (cnt == dumplen) {
+ if (dump)
+ dump_buffer(printoffset + tmp -
+ (dumplen - 1), dumplen);
+- bp = (char *)io_buffer;
+ dumplen = pagesize;
+ cnt = 0;
+- } else {
+- bp++;
+ }
+ }
+ }
+-- 
+2.43.0
+
diff --git a/xfsprogs.spec b/xfsprogs.spec
index fcc2727194a734ad8f5caeb38ffbba0f3a4ca3e9..78563e1b8b8bf8b5b755bfc7fc26efc66641d9aa 100644
--- a/xfsprogs.spec
+++ b/xfsprogs.spec
@@ -1,6 +1,6 @@
 Name: xfsprogs
 Version: 6.6.0
-Release: 5
+Release: 6
 Summary: Administration and debugging tools for the XFS file system
 License: GPL+ and LGPLv2+
 URL: https://xfs.wiki.kernel.org
@@ -24,6 +24,7 @@ Patch2: 0002-xfs-fix-internal-error-from-AGFL-exhaustion.patch
 Patch3: 0003-xfs_db-don-t-hardcode-type-data-size-at-512b.patch
 Patch4: 0004-xfs_db-fix-leak-in-flist_find_ftyp.patch
 Patch5: 0005-xfs_db-add-helper-for-flist_find_type-for-clearer-fi.patch
+Patch6: 0006-xfs_io-fix-mread-with-length-1-mod-page-size.patch
 
 %description
 xfsprogs are the userspace utilities that manage XFS filesystems.
@@ -107,6 +108,10 @@ rm -rf %{buildroot}%{_datadir}/doc/xfsprogs/
 %changelog
+* Fri Jun 21 2024 liuh - 6.6.0-6
+- sync pathc from community
+ xfs_io: fix mread with length 1 mod page size
+
 * Tue Jun 4 2024 liuh - 6.6.0-5
 - sync patches from community
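Review bot: The rewritten copy loops in the nested io/mmap.c hunk stay inside io_buffer only because cnt is reset to 0 whenever it reaches dumplen and dumplen is reassigned pagesize after every flush; nothing in the hunk shows that io_buffer holds at least pagesize bytes or that the initial dumplen (set on the context line `dumplen = pagesize;` and, presumably, on lines above the hunk) is no larger, so the bound that makes `bp[cnt++]` safe deserves a comment at the head of the `if (rflag)` branch, e.g. `/* cnt indexes io_buffer; it is reset once dumplen (at most a page) bytes are staged, so it never runs past the buffer */`. A trailing partial chunk (cnt != 0 when either loop exits) is not flushed inside the hunk, so unless the code after the loops dumps it, the final `length % pagesize` bytes would never be printed even with -v — worth confirming since mread_f both starts and ends outside the hunk. As a point of style, the `((char *)mapping->addr)` cast repeated in both copy lines could be hoisted into one `const char *src = mapping->addr;` before `if (rflag)`, shortening both loops to `bp[cnt++] = src[dumpoffset + tmp];`.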