Here's a reproducer for the bug.
Requires sufficient privs to mount a loopback fs.
======
#!/bin/bash
mkdir -p mnt
umount mnt &>/dev/null
# Create 8g fs image
mkfs.xfs -f -dfile,name=fsfile.img,size=8g &>/dev/null
mount -o loop fsfile.img mnt
# Make all files w/ 1m hints; create original 2m file
xfs_io -c "extsize 1048576" mnt
xfs_io -c "cowextsize 1048576" mnt
echo "Create file mnt/b"
xfs_io -f -c "pwrite -S 0x0 0 2m" -c fsync mnt/b &>/dev/null
# Make a reflinked copy
echo "Reflink copy from mnt/b to mnt/a"
cp --reflink=always mnt/b mnt/a
echo "Contents of mnt/b"
hexdump -C mnt/b
# Cycle mount to get stuff out of cache
umount mnt
mount -o loop fsfile.img mnt
# Create a 1m-hinted IO at offset 0, then
# do another IO that overlaps but extends past the 1m hint
echo "Write to mnt/a"
xfs_io -c "pwrite -S 0xa 0k -b 4k 4k" \
-c "pwrite -S 0xa 4k -b 1m 1m" \
mnt/a &>/dev/null
xfs_io -c fsync mnt/a
echo "Contents of mnt/b now:"
hexdump -C mnt/b
umount mnt
