Don't allow spares to force faulted

tonyhutter · tonyhutter · commit f12f5ff90bda · 2026-03-04T14:47:10.000-08:00
The zpool offline man page says that you cannot use 'zpool offline'
on spares.  However, testing found that you could in fact force fault
(zpool offline -f) spares.

Add in both kernel side and libzfs side checks for this.  The libzfs
checks are a little better since they print a helpful error message.

Signed-off-by: Tony Hutter &lt;hutter2@llnl.gov&gt;
diff --git a/lib/libzfs/libzfs_pool.c b/lib/libzfs/libzfs_pool.c
@@ -3563,10 +3563,32 @@ zpool_vdev_fault(zpool_handle_t *zhp, uint64_t guid, vdev_aux_t aux)
 	zfs_cmd_t zc = {"\0"};
 	char errbuf[ERRBUFLEN];
 	libzfs_handle_t *hdl = zhp->zpool_hdl;
+	nvlist_t *vdev_nv;
+	boolean_t avail_spare, l2cache;
+	char *vdev_name;
+	char guid_str[21]; /* 64-bit num + '\0' */
 
 	(void) snprintf(errbuf, sizeof (errbuf),
 	    dgettext(TEXT_DOMAIN, "cannot fault %llu"), (u_longlong_t)guid);
 
+	snprintf(guid_str, sizeof (guid_str), "%llu", (u_longlong_t)guid);
+	if ((vdev_nv = zpool_find_vdev(zhp, guid_str, &avail_spare,
+	    &l2cache, NULL)) == NULL)
+		return (zfs_error(hdl, EZFS_NODEVICE, errbuf));
+
+	vdev_name = zpool_vdev_name(hdl, zhp, vdev_nv, 0);
+	if (vdev_name != NULL) {
+		/*
+		 * We have the actual vdev name, so use that instead of the GUID
+		 * in any error messages.
+		 */
+		(void) snprintf(errbuf, sizeof (errbuf),
+		    dgettext(TEXT_DOMAIN, "cannot fault %s"), vdev_name);
+	}
+
+	if (avail_spare)
+		return (zfs_error(hdl, EZFS_ISSPARE, errbuf));
+
 	(void) strlcpy(zc.zc_name, zhp->zpool_name, sizeof (zc.zc_name));
 	zc.zc_guid = guid;
 	zc.zc_cookie = VDEV_STATE_FAULTED;
diff --git a/module/zfs/vdev.c b/module/zfs/vdev.c
@@ -4309,6 +4309,9 @@ vdev_fault(spa_t *spa, uint64_t guid, vdev_aux_t aux)
 	if (!vd->vdev_ops->vdev_op_leaf)
 		return (spa_vdev_state_exit(spa, NULL, SET_ERROR(ENOTSUP)));
 
+	if (vd->vdev_isspare)
+		return (spa_vdev_state_exit(spa, NULL, SET_ERROR(ENOTSUP)));
+
 	tvd = vd->vdev_top;
 
 	/*
@@ -4556,8 +4559,8 @@ vdev_offline_locked(spa_t *spa, uint64_t guid, uint64_t flags)
 	if (!vd->vdev_ops->vdev_op_leaf)
 		return (spa_vdev_state_exit(spa, NULL, SET_ERROR(ENOTSUP)));
 
-	if (vd->vdev_ops == &vdev_draid_spare_ops)
-		return (spa_vdev_state_exit(spa, NULL, ENOTSUP));
+	if (vd->vdev_isspare)
+		return (spa_vdev_state_exit(spa, NULL, SET_ERROR(ENOTSUP)));
 
 	tvd = vd->vdev_top;
 	mg = tvd->vdev_mg;
diff --git a/tests/runfiles/common.run b/tests/runfiles/common.run
@@ -524,7 +524,7 @@ tags = ['functional', 'cli_root', 'zpool_initialize']
 
 [tests/functional/cli_root/zpool_offline]
 tests = ['zpool_offline_001_pos', 'zpool_offline_002_neg',
-    'zpool_offline_003_pos']
+    'zpool_offline_003_pos', 'zpool_offline_spare']
 tags = ['functional', 'cli_root', 'zpool_offline']
 
 [tests/functional/cli_root/zpool_online]
diff --git a/tests/runfiles/sanity.run b/tests/runfiles/sanity.run
@@ -323,7 +323,8 @@ pre =
 tags = ['functional', 'cli_root', 'zpool_initialize']
 
 [tests/functional/cli_root/zpool_offline]
-tests = ['zpool_offline_001_pos', 'zpool_offline_002_neg']
+tests = ['zpool_offline_001_pos', 'zpool_offline_002_neg',
+    'zpool_offline_spare']
 tags = ['functional', 'cli_root', 'zpool_offline']
 
 [tests/functional/cli_root/zpool_online]
diff --git a/tests/zfs-tests/tests/Makefile.am b/tests/zfs-tests/tests/Makefile.am
@@ -1216,6 +1216,7 @@ nobase_dist_datadir_zfs_tests_tests_SCRIPTS += \
 	functional/cli_root/zpool_offline/zpool_offline_001_pos.ksh \
 	functional/cli_root/zpool_offline/zpool_offline_002_neg.ksh \
 	functional/cli_root/zpool_offline/zpool_offline_003_pos.ksh \
+	functional/cli_root/zpool_offline/zpool_offline_spare.ksh \
 	functional/cli_root/zpool_online/cleanup.ksh \
 	functional/cli_root/zpool_online/setup.ksh \
 	functional/cli_root/zpool_online/zpool_online_001_pos.ksh \
diff --git a/tests/zfs-tests/tests/functional/cli_root/zpool_offline/zpool_offline_spare.ksh b/tests/zfs-tests/tests/functional/cli_root/zpool_offline/zpool_offline_spare.ksh
@@ -0,0 +1,65 @@
+#!/bin/ksh -p
+# SPDX-License-Identifier: CDDL-1.0
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or https://opensource.org/licenses/CDDL-1.0.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+# Copyright 2026 by Lawrence Livermore National Security, LLC.
+
+. $STF_SUITE/include/libtest.shlib
+
+#
+# DESCRIPTION:
+#	Verify we can't offline or force fault spares
+#
+# STRATEGY:
+# 	1. Create pool with traditional spare
+#	2. Verify we can't offline/fault the traditional spare
+#	3. Create draid pool with draid spare
+#	4. Verify we can't offline/fault draid spare
+
+
+TESTPOOL2=testpool2
+function cleanup
+{
+	destroy_pool $TESTPOOL2
+	log_must rm -f $TESTDIR/file-vdev-{1..3}
+}
+
+log_onexit cleanup
+verify_runnable "global"
+
+log_assert "Verify zpool offline does not work on spares"
+
+# Verify any old file vdevs are gone
+log_mustnot ls $TESTDIR/file-vdev-* &> /dev/null
+
+log_must truncate -s 100M $TESTDIR/file-vdev-{1..3}
+
+log_must zpool create $TESTPOOL2 $TESTDIR/file-vdev-1 spare $TESTDIR/file-vdev-2
+log_mustnot zpool offline $TESTPOOL2 $TESTDIR/file-vdev-2
+log_mustnot zpool offline -f $TESTPOOL2 $TESTDIR/file-vdev-2
+destroy_pool $TESTPOOL2
+
+log_must zpool create $TESTPOOL2 draid1:1d:1s:3c $TESTDIR/file-vdev-{1..3}
+log_mustnot zpool offline $TESTPOOL2 draid1-0-0
+log_mustnot zpool offline -f $TESTPOOL2 draid1-0-0
+
+log_pass "'zpool offline does not work on spares as expected"
diff --git a/tests/zfs-tests/tests/functional/fault/auto_offline_001_pos.ksh b/tests/zfs-tests/tests/functional/fault/auto_offline_001_pos.ksh
@@ -166,9 +166,8 @@ do
 
 	mntpnt=$(get_prop mountpoint /$TESTPOOL)
 
-	# 2. Fault the spare device making it unavailable
-	log_must zpool offline -f $TESTPOOL $sparedev
-	log_must wait_hotspare_state $TESTPOOL $sparedev "FAULTED"
+	# 2. Remove the spare device making it unavailable
+	log_must zpool remove $TESTPOOL $sparedev
 
 	# 3. Simulate physical removal of one device
 	remove_disk $removedev
