From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail.burntcomma.com (mail2.burntcomma.com [217.169.27.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8643126E6FB for ; Tue, 16 Sep 2025 19:03:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.169.27.34 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758049432; cv=none; b=mMNeQSDBUqnzuIamWNxlvX4Ue1uP5FONWX43JOFAKURosKWKPYS2Nk24Z8NIfpc2s6BTWEepwv8ORPRPA97uuYf8Us5ljeU1jgItLvdGP5Jbu8UjaPvxoV0GLd5hk0xfWvHC2RP28yE3eKM6o4adUNtOFHX+e7oBRD2YFwNg2O4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758049432; c=relaxed/simple; bh=6T8xgcg3GJ/eyqR/4tiAb/hZshcEhhULYcSuDN8rSR4=; h=Message-ID:Date:Mime-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=qGDEelS8tqK679o4iP0oMOdQ38VNMutd4wWjnA9XyNu0TQ0ijDXkTx7iVnqijpF5U5TCE8DceRGJ0g5YVwm63CX6rH+aUUMidXxPeeILxYlO7kvqeQBVBjYYbGP2XtagdN3y2p9oHhV0cb0UIS7V3mnSXd+c3mhyMGILlUFOFaY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=harmstone.com; spf=pass smtp.mailfrom=harmstone.com; dkim=pass (1024-bit key) header.d=harmstone.com header.i=@harmstone.com header.b=XcvYHvGx; arc=none smtp.client-ip=217.169.27.34 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=harmstone.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=harmstone.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=harmstone.com header.i=@harmstone.com header.b="XcvYHvGx" Received: from [IPV6:2a02:8012:8cf0:0:ce28:aaff:fe0d:6db2] (beren.burntcomma.com [IPv6:2a02:8012:8cf0:0:ce28:aaff:fe0d:6db2]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "hellas", Issuer "burntcomma.com" (verified OK)) by mail.burntcomma.com (Postfix) with ESMTPS id F192E2B89E7; Tue, 16 Sep 2025 19:58:10 +0100 (BST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=harmstone.com; s=mail; t=1758049091; bh=9CRWlhepUa3NwEJD5MBsJogKriioWIexgEtfCbT/svI=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=XcvYHvGxd2OCRpYOvGIrnizNYKD5BO4LhvFX31/c4oIxs5q1i3eGU8bNRrOxLtxYe x8bm+I9pTRbOI/mEi41+UHoOGBs3OV3MFgnfhFhxiyAETQGB5cdv6n+2ul4T0H4naZ xZ6jqA+lrVrSmnDbNZ9Zg1R9DjC6YKzR7QtYlT6I= Message-ID: Date: Tue, 16 Sep 2025 19:58:10 +0100 Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Subject: Re: [PATCH AUTOSEL 6.16-6.12] btrfs: don't allow adding block device of less than 1 MB To: Sasha Levin , patches@lists.linux.dev, stable@vger.kernel.org Cc: Qu Wenruo , David Sterba , clm@fb.com, linux-btrfs@vger.kernel.org References: <20250916135936.1450850-1-sashal@kernel.org> <20250916135936.1450850-7-sashal@kernel.org> Content-Language: en-US From: Mark Harmstone Autocrypt: addr=mark@harmstone.com; keydata= xsBNBFp/GMsBCACtFsuHZqHWpHtHuFkNZhMpiZMChyou4X8Ueur3XyF8KM2j6TKkZ5M/72qT EycEM0iU1TYVN/Rb39gBGtRclLFVY1bx4i+aUCzh/4naRxqHgzM2SeeLWHD0qva0gIwjvoRs FP333bWrFKPh5xUmmSXBtBCVqrW+LYX4404tDKUf5wUQ9bQd2ItFRM2mU/l6TUHVY2iMql6I s94Bz5/Zh4BVvs64CbgdyYyQuI4r2tk/Z9Z8M4IjEzQsjSOfArEmb4nj27R3GOauZTO2aKlM 8821rvBjcsMk6iE/NV4SPsfCZ1jvL2UC3CnWYshsGGnfd8m2v0aLFSHZlNd+vedQOTgnABEB AAHNI01hcmsgSGFybXN0b25lIDxtYXJrQGhhcm1zdG9uZS5jb20+wsCRBBMBCAA7AhsvBQsJ CAcCBhUICQoLAgQWAgMBAh4BAheAFiEEG2JgKYgV0WRwIJAqbKyhHeAWK+0FAmRQOkICGQEA CgkQbKyhHeAWK+22wgf/dBOJ0pHdkDi5fNmWynlxteBsy3VCo0qC25DQzGItL1vEY95EV4uX re3+6eVRBy9gCKHBdFWk/rtLWKceWVZ86XfTMHgy+ZnIUkrD3XZa3oIV6+bzHgQ15rXXckiE A5N+6JeY/7hAQpSh/nOqqkNMmRkHAZ1ZA/8KzQITe1AEULOn+DphERBFD5S/EURvC8jJ5hEr lQj8Tt5BvA57sLNBmQCE19+IGFmq36EWRCRJuH0RU05p/MXPTZB78UN/oGT69UAIJAEzUzVe sN3jiXuUWBDvZz701dubdq3dEdwyrCiP+dmlvQcxVQqbGnqrVARsGCyhueRLnN7SCY1s5OHK ls7ATQRafxjLAQgAvkcSlqYuzsqLwPzuzoMzIiAwfvEW3AnZxmZn9bQ+ashB9WnkAy2FZCiI /BPwiiUjqgloaVS2dIrVFAYbynqSbjqhki+uwMliz7/jEporTDmxx7VGzdbcKSCe6rkE/72o 6t7KG0r55cmWnkdOWQ965aRnRAFY7Zzd+WLqlzeoseYsNj36RMaqNR7aL7x+kDWnwbw+jgiX tgNBcnKtqmJc04z/sQTa+sUX53syht1Iv4wkATN1W+ZvQySxHNXK1r4NkcDA9ZyFA3NeeIE6 ejiO7RyC0llKXk78t0VQPdGS6HspVhYGJJt21c5vwSzIeZaneKULaxXGwzgYFTroHD9n+QAR AQABwsGsBBgBCAAgFiEEG2JgKYgV0WRwIJAqbKyhHeAWK+0FAlp/GMsCGy4BQAkQbKyhHeAW K+3AdCAEGQEIAB0WIQR6bEAu0hwk2Q9ibSlt5UHXRQtUiwUCWn8YywAKCRBt5UHXRQtUiwdE B/9OpyjmrshY40kwpmPwUfode2Azufd3QRdthnNPAY8Tv9erwsMS3sMh+M9EP+iYJh+AIRO7 fDN/u0AWIqZhHFzCndqZp8JRYULnspXSKPmVSVRIagylKew406XcAVFpEjloUtDhziBN7ykk srAMoLASaBHZpAfp8UAGDrr8Fx1on46rDxsWbh1K1h4LEmkkVooDELjsbN9jvxr8ym8Bkt54 FcpypTOd8jkt/lJRvnKXoL3rZ83HFiUFtp/ZkveZKi53ANUaqy5/U5v0Q0Ppz9ujcRA9I/V3 B66DKMg1UjiigJG6espeIPjXjw0n9BCa9jqGICyJTIZhnbEs1yEpsM87eUIH/0UFLv0b8IZe pL/3QfiFoYSqMEAwCVDFkCt4uUVFZczKTDXTFkwm7zflvRHdy5QyVFDWMyGnTN+Bq48Gwn1M uRT/Sg37LIjAUmKRJPDkVr/DQDbyL6rTvNbA3hTBu392v0CXFsvpgRNYaT8oz7DDBUUWj2Ny 6bZCBtwr/O+CwVVqWRzKDQgVo4t1xk2ts1F0R1uHHLsX7mIgfXBYdo/y4UgFBAJH5NYUcBR+ QQcOgUUZeF2MC9i0oUaHJOIuuN2q+m9eMpnJdxVKAUQcZxDDvNjZwZh+ejsgG4Ejd2XR/T0y XFoR/dLFIhf2zxRylN1xq27M9P2t1xfQFocuYToPsVk= In-Reply-To: <20250916135936.1450850-7-sashal@kernel.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit There's no real security angle here as you need to be root to call the ioctl, but that aside the LLM analysis is impressively good. On 16/09/2025 2.59 pm, Sasha Levin wrote: > From: Mark Harmstone > > [ Upstream commit 3d1267475b94b3df7a61e4ea6788c7c5d9e473c4 ] > > Commit 15ae0410c37a79 ("btrfs-progs: add error handling for > device_get_partition_size_fd_stat()") in btrfs-progs inadvertently > changed it so that if the BLKGETSIZE64 ioctl on a block device returned > a size of 0, this was no longer seen as an error condition. > > Unfortunately this is how disconnected NBD devices behave, meaning that > with btrfs-progs 6.16 it's now possible to add a device you can't > remove: > > # btrfs device add /dev/nbd0 /root/temp > # btrfs device remove /dev/nbd0 /root/temp > ERROR: error removing device '/dev/nbd0': Invalid argument > > This check should always have been done kernel-side anyway, so add a > check in btrfs_init_new_device() that the new device doesn't have a size > less than BTRFS_DEVICE_RANGE_RESERVED (i.e. 1 MB). > > Reviewed-by: Qu Wenruo > Signed-off-by: Mark Harmstone > Reviewed-by: David Sterba > Signed-off-by: David Sterba > Signed-off-by: Sasha Levin > --- > > LLM Generated explanations, may be completely bogus: > > Based on my extensive investigation using multiple specialized agents > and deep code analysis, here is my determination: > > ## **Backport Status: YES** > > This commit MUST be backported to stable kernel trees. Here's the > comprehensive analysis: > > ### **1. Critical Bug Fix** > The commit fixes a severe bug where block devices smaller than 1MB > (including 0-size NBD devices) can be added to a btrfs filesystem but > **cannot be removed**, leaving the filesystem in a permanently degraded > state. The specific error users encounter: > ``` > ERROR: error removing device '/dev/nbd0': Invalid argument > ``` > > ### **2. Real User Impact** > - **Unrecoverable filesystem state**: Once a small/zero-size device is > added, it cannot be removed without recreating the entire filesystem > - **Data migration required**: Users must backup all data and recreate > the filesystem to resolve > - **NBD vulnerability**: Disconnected NBD devices report 0 size, making > this easy to trigger accidentally > - **No workaround available**: There is no way to force-remove the stuck > device > > ### **3. Root Cause Analysis** > The kernel-code-researcher agent found: > - The kernel **never had this validation** - it always relied on > userspace (btrfs-progs) to check > - Btrfs-progs commit 15ae0410c37a79 in version 6.16 inadvertently > removed the size check for 0-byte devices > - The kernel reserves the first 1MB (`BTRFS_DEVICE_RANGE_RESERVED = > SZ_1M`) for bootloader safety > - Device removal fails because shrinking calculations become invalid > when device size ≤ 1MB > > ### **4. Security Implications** > The security-auditor agent identified: > - **Medium severity DoS vulnerability** (CVSS 6.0) > - **Security boundary violation**: Privileged operations creating > irreversible states > - **Container/cloud impact**: Affects modern deployment scenarios with > device passthrough > - **No CVE assigned yet**: This is an unreported vulnerability > > ### **5. Code Change Analysis** > The fix is minimal and safe: > ```c > + if (bdev_nr_bytes(file_bdev(bdev_file)) <= > BTRFS_DEVICE_RANGE_RESERVED) { > + ret = -EINVAL; > + goto error; > + } > ``` > - **5 lines added** in `btrfs_init_new_device()` > - **No complexity**: Simple size check before device initialization > - **Zero regression risk**: Only blocks operations that would fail > anyway > - **Clear error path**: Uses existing error handling > > ### **6. Stable Tree Criteria Met** > ✅ **Fixes a real bug**: Users cannot remove devices, filesystem stuck > ✅ **Small and contained**: 5-line change in one function > ✅ **No new features**: Pure bug fix, no functional changes > ✅ **Minimal regression risk**: Only blocks already-broken operations > ✅ **Clear side effects**: None - prevents invalid state creation > ✅ **Important for users**: Prevents unrecoverable filesystem states > ✅ **Maintainer reviewed**: Approved by Qu Wenruo and David Sterba > > ### **7. Version Applicability** > The search-specialist agent found: > - **No prior bug reports**: This is a newly discovered issue > - **Affects all kernel versions** when used with btrfs-progs 6.16+ > - Should be backported to **all actively maintained stable branches** > (4.19, 5.4, 5.10, 5.15, 6.1, 6.6, 6.11) > > ### **8. Testing Verification** > The fix can be easily verified: > ```bash > # Without patch: succeeds but creates stuck device > btrfs device add /dev/zero_size_device /mnt > btrfs device remove /dev/zero_size_device /mnt # Fails with -EINVAL > > # With patch: properly rejects at add time > btrfs device add /dev/zero_size_device /mnt # Fails with -EINVAL > ``` > > ### **Conclusion** > This is a textbook example of a commit that should be backported to > stable: > - Fixes a real, user-impacting bug with no workaround > - Minimal, safe change with clear benefits > - Prevents filesystem corruption/stuck states > - Has security implications (DoS) > - Already reviewed by subsystem maintainers > > The absence of this validation in the kernel combined with the recent > btrfs-progs change creates a critical gap that leaves users vulnerable > to unrecoverable filesystem states. This fix closes that gap with > minimal risk. > > fs/btrfs/volumes.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c > index f475b4b7c4578..817d3ef501ec4 100644 > --- a/fs/btrfs/volumes.c > +++ b/fs/btrfs/volumes.c > @@ -2714,6 +2714,11 @@ int btrfs_init_new_device(struct btrfs_fs_info *fs_info, const char *device_path > goto error; > } > > + if (bdev_nr_bytes(file_bdev(bdev_file)) <= BTRFS_DEVICE_RANGE_RESERVED) { > + ret = -EINVAL; > + goto error; > + } > + > if (fs_devices->seeding) { > seeding_dev = true; > down_write(&sb->s_umount);