[PATCH] lxc: truncate LOOP_GET_STATUS64.lo_file_name for long loop backing paths
LXC domains with long file-backed filesystem path fail to start when the backing image path is longer than LO_NAME_SIZE (64 bytes, 63 characters plus NUL). When long file path is passed, virFileLoopDeviceAssociate() -> virStrcpy() fails and user gets misleading error and domain fails to start.
Example:
  <filesystem type='file' accessmode='passthrough'>
    <driver type='loop' format='raw'/>
    <source file='/root/demoaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.raw'/>
    <target dir='/'/>
  </filesystem>
To match losetup behavior we copy the path with virStrcpy() and allow truncation of lo_file_name only if needed, while still calling open() on the unchanged path. Finally log VIR_WARN when the path is expected to be truncated. But still report VIR_ERR_INTERNAL_ERROR for all other virStrcpy() failures.
Fixes: https://gitlab.com/libvirt/libvirt/-/work_items/63
Signed-off-by: Radoslaw Smigielski <rsmigiel@redhat.com>
--- src/util/virfile.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src/util/virfile.c b/src/util/virfile.c index a0c6cb804862..ae33deb8d223 100644 --- a/src/util/virfile.c +++ b/src/util/virfile.c 
@@ -995,11 +995,18 @@ int virFileLoopDeviceAssociate(const char *file, lo.lo_flags = LO_FLAGS_AUTOCLEAR; - /* Set backing file name for LOOP_GET_STATUS64 queries */ + /* lo_file_name is loop device name, max length is LO_NAME_SIZE bytes. + * Truncate loop device name if file path is longer than LO_NAME_SIZE, + * and still use the full path to open backing file. */ if (virStrcpy((char *) lo.lo_file_name, file, LO_NAME_SIZE) < 0) { - virReportSystemError(errno, - _("Unable to set backing file %1$s"), file); - goto cleanup; + if (strlen(file) >= LO_NAME_SIZE) { + VIR_WARN("Loop backing device name %s truncated to %d bytes.", + file, LO_NAME_SIZE); + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Unable to set loop lo_file_name for %1$s"), file); + goto cleanup; + } } if ((fsfd = open(file, O_RDWR)) < 0) { -- 2.54.0
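Review bot: The inner else branch in the virStrcpy() failure path cannot be reached. virStrcpy() is documented (its comment is quoted later in this thread) to return -1 only when @src does not fit into @dest, which with destbytes of LO_NAME_SIZE is exactly strlen(file) >= LO_NAME_SIZE, so once the outer test fails the inner test is always true; drop the inner if/else together with the VIR_ERR_INTERNAL_ERROR report and keep only the truncation handling. Two smaller points in the same hunk: the VIR_WARN text says the name is truncated to LO_NAME_SIZE bytes, while only LO_NAME_SIZE - 1 characters of the path survive next to the NUL, and the new comment calls lo_file_name the "loop device name" where the removed comment described it as the backing file name for LOOP_GET_STATUS64 queries, which is the wording worth keeping.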
Please set up your git so that it formats the extra "From: " line which is needed as the mailing list mangles sender for domains having DMARC setup: https://www.libvirt.org/submitting-patches.html#git-configuration
On Fri, May 29, 2026 at 13:00:22 +0200, Radoslaw Smigielski via Devel wrote:
LXC domains with long file-backed filesystem path fail to start when the backing image path is longer than LO_NAME_SIZE (64 bytes, 63 characters plus NUL). When long file path is passed, virFileLoopDeviceAssociate() -> virStrcpy() fails and user gets misleading error and domain fails to start.
Example:
<filesystem type='file' accessmode='passthrough'> <driver type='loop' format='raw'/> <source file='/root/demoaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.raw'/> <target dir='/'/> </filesystem>
To match losetup behavior we copy the path with virStrcpy() and allow truncation of lo_file_name only if needed, while still calling open() on the unchanged path. Finally log VIR_WARN when the path is expected to be truncated. But still report VIR_ERR_INTERNAL_ERROR for all other virStrcpy() failures.
Umm, there are no other virStrcpy failures:
/**
 * virStrcpy:
 *
 * @dest: destination buffer
 * @src: source buffer
 * @destbytes: number of bytes the destination can accommodate
 *
 * Copies @src to @dest. @dest is guaranteed to be 'nul' terminated if
 * destbytes is 1 or more.
 *
 * Returns: 0 on success, -1 if @src doesn't fit into @dest and was truncated.
so what you have there is effectively dead code.
Another issue is that if you'll have:
  <filesystem type='file' accessmode='passthrough'>
    <driver type='loop' format='raw'/>
    <source file='/root/someveeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeerylongpath/a.raw'/>
    <target dir='/'/>
  </filesystem>
  <filesystem type='file' accessmode='passthrough'>
    <driver type='loop' format='raw'/>
    <source file='/root/someveeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeerylongpath/b.raw'/>
    <target dir='/'/>
  </filesystem>
They'll be truncated to the same string.
Fixes: https://gitlab.com/libvirt/libvirt/-/work_items/63
Signed-off-by: Radoslaw Smigielski <rsmigiel@redhat.com> --- src/util/virfile.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/util/virfile.c b/src/util/virfile.c index a0c6cb804862..ae33deb8d223 100644 --- a/src/util/virfile.c +++ b/src/util/virfile.c @@ -995,11 +995,18 @@ int virFileLoopDeviceAssociate(const char *file,
lo.lo_flags = LO_FLAGS_AUTOCLEAR;
- /* Set backing file name for LOOP_GET_STATUS64 queries */ + /* lo_file_name is loop device name, max length is LO_NAME_SIZE bytes. + * Truncate loop device name if file path is longer than LO_NAME_SIZE, + * and still use the full path to open backing file. */ if (virStrcpy((char *) lo.lo_file_name, file, LO_NAME_SIZE) < 0) { - virReportSystemError(errno, - _("Unable to set backing file %1$s"), file); - goto cleanup; + if (strlen(file) >= LO_NAME_SIZE) { + VIR_WARN("Loop backing device name %s truncated to %d bytes.", + file, LO_NAME_SIZE);
So these go only into the log. The question is if it here makes sense. In case when the user has just one truncated path which will thus never cause another error it will be forever ignored. Then if there are multiple paths, if they collide but work, why bother with warning? and if they don't work then reporting the error upfront is better.
+ } else { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Unable to set loop lo_file_name for %1$s"), file); + goto cleanup;
This is dead code.
+ } }
if ((fsfd = open(file, O_RDWR)) < 0) { -- 2.54.0
On Fri, May 29, 2026 at 13:00:22 +0200, Radoslaw Smigielski via Devel wrote:
LXC domains with long file-backed filesystem path fail to start when the backing image path is longer than LO_NAME_SIZE (64 bytes, 63 characters plus NUL). When long file path is passed, virFileLoopDeviceAssociate() -> virStrcpy() fails and user gets misleading error and domain fails to start.
Example:
<filesystem type='file' accessmode='passthrough'> <driver type='loop' format='raw'/> <source file='/root/demoaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.raw'/> <target dir='/'/> </filesystem>
To match losetup behavior we copy the path with virStrcpy() and allow truncation of lo_file_name only if needed, while still calling open() on the unchanged path. Finally log VIR_WARN when the path is expected to be truncated. But still report VIR_ERR_INTERNAL_ERROR for all other virStrcpy() failures.
Umm, there are no other virStrcpy failures:
/**
 * virStrcpy:
 *
 * @dest: destination buffer
 * @src: source buffer
 * @destbytes: number of bytes the destination can accommodate
 *
 * Copies @src to @dest. @dest is guaranteed to be 'nul' terminated if
 * destbytes is 1 or more.
 *
 * Returns: 0 on success, -1 if @src doesn't fit into @dest and was truncated.
Hi Peter,
Sure will fix my git config, sorry for that.
On Fri, 29 May 2026 at 13:47, Peter Krempa <pkrempa@redhat.com> wrote:
so what you have there is effectively dead code.
Indeed, this would need to be removed.
Another issue is that if you'll have:
<filesystem type='file' accessmode='passthrough'> <driver type='loop' format='raw'/> <source file='/root/someveeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeerylongpath/a.raw'/> <target dir='/'/> </filesystem> <filesystem type='file' accessmode='passthrough'> <driver type='loop' format='raw'/> <source file='/root/someveeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeerylongpath/b.raw'/> <target dir='/'/> </filesystem>
They'll be truncated to the same string.
So I tried to follow the same logic like losetup from util-linux uses to handle long paths:
- takes the first 63 bytes of the absolute path
- no intelligent path shortening (like keeping the filename and truncating middle)
- adds an asterisk at position 62 to indicate the name was truncated
    lo->lo_file_name[LO_NAME_SIZE - 2] = '*'; // Position 62 gets '*'
    lo->lo_file_name[LO_NAME_SIZE - 1] = '\0'; // Position 63 is null terminator
Above indeed can result in non-unique or unhelpful loop device names in the kernel's loop_info64 structure.
Question if we should mimic the same logic or implement something smarter.
Adding "*" before '\0' to indicate truncation would make it compatible with losetup behavior.
----------------------
< Tℏanks | Radek >
On Fri, May 29, 2026 at 16:46:58 +0200, Radoslaw Smigielski wrote: [...]
Another issue is that if you'll have:
<filesystem type='file' accessmode='passthrough'> <driver type='loop' format='raw'/> <source file='/root/someveeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeerylongpath/a.raw'/> <target dir='/'/> </filesystem> <filesystem type='file' accessmode='passthrough'> <driver type='loop' format='raw'/> <source file='/root/someveeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeerylongpath/b.raw'/> <target dir='/'/> </filesystem>
They'll be truncated to the same string.
So I tried to follow the same logic like losetup from util-linux uses to handle long paths:
- takes the first 63 bytes of the absolute path
- no intelligent path shortening (like keeping the filename and truncating middle)
- adds an asterisk at position 62 to indicate the name was truncated
    lo->lo_file_name[LO_NAME_SIZE - 2] = '*'; // Position 62 gets '*'
    lo->lo_file_name[LO_NAME_SIZE - 1] = '\0'; // Position 63 is null terminator
Above indeed can result in non-unique or unhelpful loop device names in the kernel's loop_info64 structure.
So ... the most important question is how the value is used (which I don't remember any more).
If it's visible or used from within the LXC instance, then we must not change it. The users are out of luck unfortunately.
If it's just informative and we can change it (and based on the fact that it's being truncated so it doesn't reflect anything real) we could also replace it by a controlled string which is unable to exceed 63 chars without truncation. It could be something like: 'libvirt-$UUID-$DEVALIAS'
Question if we should mimic the same logic or implement something smarter.
It really depends on what the semantics are; see above. If it can be changed though I'd go for something more stable for the future.
Adding "*" before '\0' to indicate truncation would make it compatible with losetup behavior.
I'm not sure if that's too valuable of a behaviour. It prevents you from identifying the resource. Having an identifier allowing you to look up the path would make more sense.
... Well, now you see why this issue lingered so long. There are plenty corner cases that need to be checked and behaviour analyzed :)
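The two naming options discussed in this thread, as an added example (not code from libvirt, util-linux or any participant): lo_name_truncate() follows the losetup-style rule as described above and shows the collision for two constructed paths, and lo_name_controlled() is a hypothetical helper for the 'libvirt-$UUID-$DEVALIAS' shape that refuses a name which would not fit. The function names, the sample paths, the UUID and the alias are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define LO_NAME_SIZE 64 /* same value as in <linux/loop.h> */

/* losetup-style copy as described in the thread: keep the leading bytes and
 * mark truncation with '*' at index 62. Returns 1 if truncated, else 0. */
static int lo_name_truncate(char dst[LO_NAME_SIZE], const char *path)
{
    size_t len = strlen(path);
    if (len < LO_NAME_SIZE) {
        memcpy(dst, path, len + 1);
        return 0;
    }
    memcpy(dst, path, LO_NAME_SIZE - 2);
    dst[LO_NAME_SIZE - 2] = '*';
    dst[LO_NAME_SIZE - 1] = '\0';
    return 1;
}

/* Hypothetical helper for the 'libvirt-$UUID-$DEVALIAS' idea: refuse rather
 * than truncate. Returns 0 on success, -1 if the name would not fit. */
static int lo_name_controlled(char *dst, const char *uuid, const char *alias)
{
    int n = snprintf(dst, LO_NAME_SIZE, "libvirt-%s-%s", uuid, alias);
    return (n < 0 || n >= LO_NAME_SIZE) ? -1 : 0;
}

/* Constructed sample: two images under one long directory. Returns 1 when
 * both paths are truncated to the same name. */
static int truncated_names_collide(void)
{
    char dir[71], a[128], b[128], na[LO_NAME_SIZE], nb[LO_NAME_SIZE];
    memset(dir, 'e', sizeof(dir) - 1);
    dir[sizeof(dir) - 1] = '\0';
    snprintf(a, sizeof(a), "/root/%s/a.raw", dir);
    snprintf(b, sizeof(b), "/root/%s/b.raw", dir);
    return lo_name_truncate(na, a) && lo_name_truncate(nb, b) &&
           strcmp(na, nb) == 0;
}

int main(void)
{
    char name[LO_NAME_SIZE]; /* UUID and alias below are constructed */
    if (lo_name_controlled(name, "00000000-0000-0000-0000-000000000001", "fs0") == 0)
        printf("collide=%d controlled=%s\n", truncated_names_collide(), name);
    return 0;
}
```

With a 36-character UUID the controlled form leaves 18 characters for the alias before it reaches the 63-character limit.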
Uppsss I don't know how this happened but I missed above message. And in meantime I sent a v2 patch, please ignore.
On Mon, Jun 01, 2026 at 12:48:46 -0000, Radosław Śmigielski via Devel wrote:
Uppsss I don't know how this happened but I missed above message.
Well, it happened like this:
You've sent your v2 patch at:
Date: Mon, 1 Jun 2026 14:14:51 +0200
but I've replied to v1 at:
Date: Mon, 1 Jun 2026 14:31:53 +0200
So one could say that I've missed your v2, but my reply makes more sense to be against v1 anyways.
participants (3)
- Peter Krempa
- Radoslaw Smigielski
- Radosław Śmigielski