From 39a3d759a8f846b014249e38a8f12580e52bacab Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 9 Oct 2023 15:56:37 +0100
Subject: [PATCH] dissect: avoid clobbering device-mapper error when activating
 verity

The device-mapper driver can return a wild variety of errors when trying
to activate the same dm-verity volume concurrently, as it might happen
with an image. There is a fallback logic in place, but the original
return code was clobbered when userspace signature check was added.
Add it back.

Follow-up for c2fa92e7e8907d9

(cherry picked from commit ace07128ac014d5e7d7d1664beb58e5f3700d59c)
(cherry picked from commit c2155c19c06dfe5dd086f7b62c30762e3e5aad92)
---
 src/shared/dissect-image.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 2c4502a7f6c..3b830970137 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -2172,7 +2172,7 @@ static int do_crypt_activate_verity(
                 const VeritySettings *verity) {
 
         bool check_signature;
-        int r;
+        int r, k;
 
         assert(cd);
         assert(name);
@@ -2202,20 +2202,23 @@ static int do_crypt_activate_verity(
                 if (r >= 0)
                         return r;
 
-                log_debug("Validation of dm-verity signature failed via the kernel, trying userspace validation instead.");
+                log_debug_errno(r, "Validation of dm-verity signature failed via the kernel, trying userspace validation instead: %m");
 #else
                 log_debug("Activation of verity device with signature requested, but not supported via the kernel by %s due to missing crypt_activate_by_signed_key(), trying userspace validation instead.",
                           program_invocation_short_name);
+                r = 0; /* Set for the propagation below */
 #endif
 
                 /* So this didn't work via the kernel, then let's try userspace validation instead. If that
                  * works we'll try to activate without telling the kernel the signature. */
 
-                r = validate_signature_userspace(verity);
-                if (r < 0)
-                        return r;
-                if (r == 0)
-                        return log_debug_errno(SYNTHETIC_ERRNO(ENOKEY),
+                /* Preferably propagate the original kernel error, so that the fallback logic can work,
+                 * as the device-mapper is finicky around concurrent activations of the same volume */
+                k = validate_signature_userspace(verity);
+                if (k < 0)
+                        return r < 0 ? r : k;
+                if (k == 0)
+                        return log_debug_errno(r < 0 ? r : SYNTHETIC_ERRNO(ENOKEY),
                                                "Activation of signed Verity volume worked neither via the kernel nor in userspace, can't activate.");
         }