Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp2653898imj; Mon, 11 Feb 2019 06:31:40 -0800 (PST) X-Google-Smtp-Source: AHgI3IaFfDH9p6+/aLSVLWABlgc/b4JxDKhcxXsDdrtX1lPrxdkyMyP/EszgHA83+B3TnaFj6sg+ X-Received: by 2002:a63:990a:: with SMTP id d10mr33751668pge.279.1549895500614; Mon, 11 Feb 2019 06:31:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1549895500; cv=none; d=google.com; s=arc-20160816; b=Jh2tuB9/5fnKHWIVlSnBAYD5eVbQsuEenjl+oPpiXlESBuS1aksimbKYKWkOdaX0Ne C6pZ4bDNfLo16Zk+iYZCbI7lu30uZTf47zYp9Y3YGDCxy614vsEIKCK6mw7PgtSBZsLz o3sD8XWtU4R8Hg1lKybQcZDFkgC1X1L5QnVbDr8Dy9TWvCP4OT70z5rlkPN2V1jUWTYh HHoFpi1iCX3giRnNbYN/Z7zP3jZW1K/SGBQsRBAccKBvplrfkiMKrN8MeC8RKhLga0Y6 A6+KPPXK7i2SHz8hgRCQDny7q5BRRgnhKKc74ws5m/GUYUz+fNktb58o2xuTwJf3uY/3 H37Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Y666f+ygM6knI1tNEaj8Uhia7FlAE/PI3FSGhiv1A0M=; b=k7HoBKWc+wJApKEroFUkSBoLhNLWQ/qD2Sr/XEKk+BPuhbcJDP0IViw+ZyyXQTdw02 D0mya+tTae+SI+VzUJ/oq2xu6dSF0dVL8aq26+7I29PQIIOsSsZqc9pYTFoOOC+DYT46 TRx/vnsZVGj36devA97KNx+vSXQweUZO1GZnnYQN7PDROzWlMJts0+N/fSJe6DwU2gJY cm5CSBFO2xR0Lvn9EeqPfRjjQbfti9KaTdqnll0hZYPeHZfqIl7G9KxNh9X7P0iRy28a kbAC7Lm50hnUvuAe1iLTFi/XvQ2kpdgyalMdxm4nY3wCbzN1QZ3we6o0THny9HdyfVEE 6WgA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=AXn5VQUq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n30si926811pgb.406.2019.02.11.06.31.23; Mon, 11 Feb 2019 06:31:40 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=AXn5VQUq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730230AbfBKObC (ORCPT + 99 others); Mon, 11 Feb 2019 09:31:02 -0500 Received: from mail.kernel.org ([198.145.29.99]:37560 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730209AbfBKOa6 (ORCPT ); Mon, 11 Feb 2019 09:30:58 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3841B20675; Mon, 11 Feb 2019 14:30:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1549895457; bh=uc0lz0Cn1PiKILU515H7WncPfCO7SJaBiJkBycpTIR0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AXn5VQUqAxqNFc1M1yXbpAWLenYZuLSONTN+N+UzfoJYnxo6UhoFf2V2Pf5KIvLlu ayd/FYNd2AGk7md6oxs0A3AHI/ZSyvai3Djzxc8Yan6m6gHI7pD35JYI0D1QmEyKv/ zaUVR/GgBMXlF7bKSO1IzYFEw2pwLCzkF33zzM3s= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Anand Jain , David Sterba , Sasha Levin Subject: [PATCH 4.20 180/352] btrfs: harden agaist duplicate fsid on scanned devices Date: Mon, 11 Feb 2019 15:16:47 +0100 Message-Id: <20190211141858.558639119@linuxfoundation.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190211141846.543045703@linuxfoundation.org> References: <20190211141846.543045703@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.20-stable review patch. If anyone has any objections, please let me know. ------------------ [ Upstream commit a9261d4125c97ce8624e9941b75dee1b43ad5df9 ] It's not that impossible to imagine that a device OR a btrfs image is copied just by using the dd or the cp command. Which in case both the copies of the btrfs will have the same fsid. If on the system with automount enabled, the copied FS gets scanned. We have a known bug in btrfs, that we let the device path be changed after the device has been mounted. So using this loop hole the new copied device would appears as if its mounted immediately after it's been copied. For example: Initially.. /dev/mmcblk0p4 is mounted as / $ lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT mmcblk0 179:0 0 29.2G 0 disk |-mmcblk0p4 179:4 0 4G 0 part / |-mmcblk0p2 179:2 0 500M 0 part /boot |-mmcblk0p3 179:3 0 256M 0 part [SWAP] `-mmcblk0p1 179:1 0 256M 0 part /boot/efi $ btrfs fi show Label: none uuid: 07892354-ddaa-4443-90ea-f76a06accaba Total devices 1 FS bytes used 1.40GiB devid 1 size 4.00GiB used 3.00GiB path /dev/mmcblk0p4 Copy mmcblk0 to sda $ dd if=/dev/mmcblk0 of=/dev/sda And immediately after the copy completes the change in the device superblock is notified which the automount scans using btrfs device scan and the new device sda becomes the mounted root device. $ lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 1 14.9G 0 disk |-sda4 8:4 1 4G 0 part / |-sda2 8:2 1 500M 0 part |-sda3 8:3 1 256M 0 part `-sda1 8:1 1 256M 0 part mmcblk0 179:0 0 29.2G 0 disk |-mmcblk0p4 179:4 0 4G 0 part |-mmcblk0p2 179:2 0 500M 0 part /boot |-mmcblk0p3 179:3 0 256M 0 part [SWAP] `-mmcblk0p1 179:1 0 256M 0 part /boot/efi $ btrfs fi show / Label: none uuid: 07892354-ddaa-4443-90ea-f76a06accaba Total devices 1 FS bytes used 1.40GiB devid 1 size 4.00GiB used 3.00GiB path /dev/sda4 The bug is quite nasty that you can't either unmount /dev/sda4 or /dev/mmcblk0p4. And the problem does not get solved until you take sda out of the system on to another system to change its fsid using the 'btrfstune -u' command. Signed-off-by: Anand Jain Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin --- fs/btrfs/volumes.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index ea5fa9df9405..6f09f6032db3 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -850,6 +850,35 @@ static noinline struct btrfs_device *device_list_add(const char *path, return ERR_PTR(-EEXIST); } + /* + * We are going to replace the device path for a given devid, + * make sure it's the same device if the device is mounted + */ + if (device->bdev) { + struct block_device *path_bdev; + + path_bdev = lookup_bdev(path); + if (IS_ERR(path_bdev)) { + mutex_unlock(&fs_devices->device_list_mutex); + return ERR_CAST(path_bdev); + } + + if (device->bdev != path_bdev) { + bdput(path_bdev); + mutex_unlock(&fs_devices->device_list_mutex); + btrfs_warn_in_rcu(device->fs_info, + "duplicate device fsid:devid for %pU:%llu old:%s new:%s", + disk_super->fsid, devid, + rcu_str_deref(device->name), path); + return ERR_PTR(-EEXIST); + } + bdput(path_bdev); + btrfs_info_in_rcu(device->fs_info, + "device fsid %pU devid %llu moved old:%s new:%s", + disk_super->fsid, devid, + rcu_str_deref(device->name), path); + } + name = rcu_string_strdup(path, GFP_NOFS); if (!name) { mutex_unlock(&fs_devices->device_list_mutex); -- 2.19.1