[PATCH] security: fix deadlock with prefork

Attempts to start a domain with both SELinux and DAC security
modules loaded will deadlock; latent problem introduced in commit
fdb3bde and exposed in commit 29fe5d7.  Basically, when recursing
into the security manager for other driver's prefork, we have to
undo the asymmetric lock taken at the manager level.

Reported by Jiri Denemark, with diagnosis help from Dan Berrange.

* src/security/security_stack.c (virSecurityStackPreFork): Undo
extra lock grabbed during recursion.

Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
---

 src/security/security_stack.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index ed69b9c..d7e690a 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -127,6 +127,11 @@ virSecurityStackPreFork(virSecurityManagerPtr mgr)
             rc = -1;
             break;
         }
+        /* Undo the unbalanced locking left behind after recursion; if
+         * PostFork ever delegates to driver callbacks, we'd instead
+         * of to recurse to an internal method that does not regrab a
+         * lock. */
+        virSecurityManagerPostFork(item->securityManager);
     }

     return rc;
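Review bot: The `break` on the failure path in this loop runs before the new virSecurityManagerPostFork(item->securityManager) call, so the manager whose prefork failed is never passed to PostFork here. Please confirm that a failed nested prefork already leaves that manager's lock released, and note it in the comment so the asymmetry is deliberate rather than accidental. The fix also depends on PostFork doing nothing beyond dropping the lock, as the comment itself admits; an internal unlock-only helper would keep this from breaking silently if PostFork later gains driver callbacks. Minor: the added comment reads "we'd instead of to recurse", which presumably should be "we'd instead need to recurse".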
-- 
1.8.3.1
