[libvirt] [PATCH 7/7] security: fix deadlock with prefork
Cole Robinson
crobinso at redhat.com
Thu Jul 25 22:36:18 UTC 2013
On 07/23/2013 11:04 AM, Eric Blake wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=964358
>
> Attempts to start a domain with both SELinux and DAC security
> modules loaded will deadlock; latent problem introduced in commit
> fdb3bde and exposed in commit 29fe5d7. Basically, when recursing
> into the security manager for other driver's prefork, we have to
> undo the asymmetric lock taken at the manager level.
>
> Reported by Jiri Denemark, with diagnosis help from Dan Berrange.
>
> * src/security/security_stack.c (virSecurityStackPreFork): Undo
> extra lock grabbed during recursion.
>
> Signed-off-by: Eric Blake <eblake at redhat.com>
> (cherry picked from commit bfc183c1e377b24cebf5cede4c00f3dc0d1b3486)
> ---
> src/security/security_stack.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/src/security/security_stack.c b/src/security/security_stack.c
> index e8133c4..38fe8b5 100644
> --- a/src/security/security_stack.c
> +++ b/src/security/security_stack.c
> @@ -129,6 +129,11 @@ virSecurityStackPreFork(virSecurityManagerPtr mgr)
> rc = -1;
> break;
> }
> + /* Undo the unbalanced locking left behind after recursion; if
> + * PostFork ever delegates to driver callbacks, we'd instead
> + * need to recurse to an internal method that does not regrab
> + * a lock. */
> + virSecurityManagerPostFork(item->securityManager);
> }
>
> return rc;
>
ACK
- Cole
More information about the libvir-list
mailing list