From ec9b97a7317010058f968efd31a233df7987501e Mon Sep 17 00:00:00 2001 From: Ondrej Kozina Date: Tue, 23 Jul 2024 15:13:04 +0200 Subject: [PATCH] Fix shared activation for dm-verity devices. CRYPT_ACTIVATE_SHARED flag was silently ignored while activating dm-verity devices by libcryptsetup. This was a bug. DM verity shared activation is generally safe (single mapped data device in multiple DM verity tables) since all verity devices are read only. The CRYPT_ACTIVATE_SHARED flag also fixes a race condition when multiple processes compete for the same DM device name (all dm-verity) while using same backing data device. The exclusive open check in-before verity activation could fail DM table load for a process that otherwise successfully acquired DM device name (succeed in creating the DM device). This could (in some cases) result in all processes competing for the DM verity device to fail and none would activate the DM verity device. --- lib/verity/verity.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/verity/verity.c b/lib/verity/verity.c index b97593826..5fe1cf76f 100644 --- a/lib/verity/verity.c +++ b/lib/verity/verity.c @@ -338,7 +338,8 @@ int VERITY_activate(struct crypt_device *cd, if (r) goto out; - r = device_block_adjust(cd, crypt_data_device(cd), DEV_EXCL, + r = device_block_adjust(cd, crypt_data_device(cd), + activation_flags & CRYPT_ACTIVATE_SHARED ? DEV_OK : DEV_EXCL, 0, &dmd.size, &dmd.flags); if (r) goto out;
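Review bot: In the device_block_adjust() call in VERITY_activate(), passing DEV_OK whenever CRYPT_ACTIVATE_SHARED is set drops the exclusive-open check no matter what else currently holds the data device, while the commit message's safety argument only covers other read-only dm-verity mappings. A short comment above the call stating that assumption (shared is acceptable here because the verity table is read-only) would keep a later reader from treating the relaxed check as a general pattern. The new argument `activation_flags & CRYPT_ACTIVATE_SHARED ? DEV_OK : DEV_EXCL` evaluates correctly because `&` binds tighter than `?:`, but parentheses around the mask test would make that obvious at a glance. The diffstat shows only lib/verity/verity.c changing, so the flag's newly honoured behaviour for verity devices is not documented and no regression test for the described activation race is included in this patch; both would be worth adding alongside it.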