On Wed, Apr 28, 2021 at 3:00 AM Demi Marie Obenour <d...@invisiblethingslab.com> wrote:
>
> When it comes to file-based block devices, the major difficulty is
> the extremely bad kernel API. The only fully safe way to use loop
> devices is to use LOOP_CONFIGURE with LO_FLAGS_AUTOCLEAR and hold a
> file descriptor open to the device until another piece of code (either
> another userspace program or the kernel) has grabbed a reference to it.
> Everything else risks either using a freed loop device (that might now
> be attached to a different file) or risks leaking them on unclean exit.
> The only exception is if one can make certain assumptions, such as no
> other program freeing loop devices for the file in question. This is
> a reasonable assumption for Qubes dom0, but neither for Qubes domU nor
> for Xen dom0 in general. Nevertheless, this is effectively what the
> current block script does: if I understand the code correctly, there
> is a race where badly timed calls to losetup by another process could
> result in the block script freeing the wrong loop device.

I posted this a while ago, but didn't get any response:
https://lore.kernel.org/xen-devel/cakf6xpv-u91nf2fik7grn3sfeowwcdr5r+zck5fgoje+-d4...@mail.gmail.com/

tl;dr: AFAICT, the block script check_sharing function doesn't work for loop devices

Regards,
Jason